RTOSploit
RTOSploit is a security testing framework purpose-built for embedded RTOS firmware. It combines static analysis, CVE correlation, vulnerability assessment, exploit and payload generation, peripheral firmware auto-rehosting, grey-box fuzzing, and automated reporting - all running entirely in software via QEMU emulation.
Install / Use
/learn @Indspl0it/RTOSploitREADME
RTOSploit is a firmware security testing framework for embedded RTOS systems. It provides static analysis, CVE correlation, vulnerability assessment, payload generation, firmware emulation, and coverage-guided fuzzing — entirely in software, no physical hardware required.
Supported RTOSes: FreeRTOS, ThreadX, Zephyr, ESP-IDF, RTEMS (detection only)
Supported Architectures: ARM Cortex-M (M0/M3/M4/M7/M33), RISC-V (RV32I/RV64), Xtensa, MIPS, AArch64
Binary Formats: ELF, Intel HEX, Motorola S-Record, Raw binary
What works on what
| Capability | Any firmware (ELF or raw .bin) | QEMU-targeted firmware | Via Unicorn + PIP | |---|---|---|---| | RTOS fingerprint | Yes (strings + symbols) | Yes | N/A | | CVE correlation | Yes (59 bundled CVEs) | Yes | N/A | | Peripheral detection | Yes (6-layer engine) | Yes | N/A | | Vulnerability scanning | Yes (15 modules, static) | Yes | N/A | | Payload/ROP generation | Yes | Yes | N/A | | Emulate and boot | No (needs matching machine) | Yes | Yes (model-free) | | Coverage-guided fuzzing | No | Yes (~3-5 exec/sec) | Yes (~200+ exec/sec) |
On real hardware: Static analysis, CVE correlation, vulnerability scanning, and payload generation work on any firmware binary. Emulation and fuzzing require either a matching QEMU machine or the Unicorn engine with Peripheral Input Playback (PIP), which drives all peripheral I/O from fuzz input without hardware models.
Table of Contents
- Purpose
- Architecture
- Features
- Installation
- Quick Start
- Emulation Engines
- CLI Reference
- Vulnerability Scanners
- Machine Configurations
- Configuration
- CI/CD Integration
- Documentation
- Development
- Troubleshooting
- Acknowledgements
- License
Purpose
Embedded RTOS firmware (FreeRTOS, ThreadX, Zephyr) runs on billions of devices — medical implants, automotive ECUs, industrial PLCs, IoT gateways — yet security testing tools for these targets are fragmented, hardware-dependent, and expensive. RTOSploit provides a software-only alternative.
Typical workflow:
- Analyze — fingerprint RTOS, version, MCU, heap allocator, MPU config, peripherals
- Correlate CVEs — match against 59 bundled vulnerabilities from NVD
- Assess vulnerabilities — run 15 vulnerability scanners (heap corruption, MPU bypass, BLE overflows)
- Generate payloads — ARM Thumb2/RISC-V shellcode, ROP chains, protocol packets
- Emulate — boot firmware in QEMU (interactive) or Unicorn (high-speed)
- Fuzz — coverage-guided fuzzing with crash deduplication and interrupt injection
- Report — SARIF for CI/CD, HTML for review
Steps 1-4 work on any firmware binary. Steps 5-7 require either a QEMU-supported machine or the Unicorn engine.
What RTOSploit does NOT do:
- Run exploits on physical hardware — this is a software-only analysis and assessment tool
- Full symbolic execution — we use lightweight register tracking, not angr-style analysis
- Linux firmware analysis — RTOS and bare-metal only
- Hardware-in-the-loop testing — no JTAG/SWD integration
Architecture
RTOSploit has two execution paths depending on the use case:
┌──────────────────────────┐
│ Firmware Binary │
│ (ELF / HEX / SREC / raw) │
└────────────┬─────────────┘
│
┌─────────────────┼─────────────────┐
▼ ▼ ▼
┌──────────────┐ ┌─────────────┐ ┌──────────────┐
│ Static │ │ CVE │ │ Vulnerability│
│ Analysis │ │ Correlation │ │ Scanners │
│ │ │ │ │ │
│ Fingerprint │ │ 59 bundled │ │ 15 modules │
│ Heap detect │ │ CVEs from │ │ FreeRTOS (6) │
│ MPU check │ │ NVD for │ │ ThreadX (3) │
│ Peripheral │ │ FreeRTOS │ │ Zephyr (6) │
│ detection │ │ ThreadX │ │ │
│ (6 layers) │ │ Zephyr │ │ + Payload │
│ │ │ ESP-IDF │ │ generation │
└──────────────┘ └─────────────┘ └──────────────┘
│ │ │
└─────────────────┼──────────────────┘
│
Works on ANY firmware ▲
─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─
Requires emulation ▼
│
┌─────────────────┼─────────────────┐
▼ ▼
┌───────────────────┐ ┌───────────────────┐
│ QEMU Engine │ │ Unicorn Engine │
│ │ │ │
│ Full system │ │ CPU-only │
│ NVIC, SysTick │ │ PIP-driven MMIO │
│ Machine-specific │ │ FERMCov coverage │
│ GDB debugging │ │ Interrupt sched. │
│ UART forwarding │ │ Snapshot/restore │
│ │ │ │
│ ~3-5 exec/sec │ │ ~200+ exec/sec │
│ │ │ │
│ For: interactive │ │ For: automated │
│ debug, QEMU- │ │ fuzzing, real │
│ targeted firmware │ │ hardware firmware │
└─────────┬─────────┘ └─────────┬─────────┘
│ │
└───────────────┬───────────────────┘
▼
┌──────────────────────────┐
│ Coverage-Guided │
│ Fuzzing Engine │
│ │
│ AFL-style edge bitmap │
│ Crash dedup (PC+CFSR) │
│ Multi-worker parallel │
│ Corpus management │
└────────────┬─────────────┘
▼
┌──────────────────────────┐
│ Post-Processing │
│ │
│ Crash triage │
│ Input minimization │
│ Coverage visualization │
└────────────┬─────────────┘
▼
┌──────────────────────────┐
│ Reporting │
│ │
│ SARIF 2.1.0 (CI/IDE) │
│ HTML (human review) │
│ JSON (API/scripting) │
└──────────────────────────┘
Features
Static Analysis
Works on any firmware binary — no QEMU, no symbols required.
| Analysis | What it finds | |----------|--------------| | RTOS Fingerprint | FreeRTOS, ThreadX, Zephyr, ESP-IDF, RTEMS — type, version, confidence | | MCU Detection | nRF52, STM32F4, ESP32, LPC, SAM, RP2040 | | Heap Allocator | FreeRTOS heap_1–heap_5, ThreadX byte pools, Zephyr slabs | | MPU Configuration | ARM Cortex-M MPU regions, executable/writable overlaps | | Peripheral Detection | 6-layer engine: symbol, string, relocation, MMIO register, binary signature, devicetree | | String Extraction | RTOS markers, SDK references, error messages |
CVE Intelligence
- 59 bundled CVEs across FreeRTOS, ThreadX, Zephyr, and ESP-IDF
- Version-aware matching with underlying RTOS lookup (ESP-IDF includes FreeRTOS CVEs)
- NVD API sync for latest vulnerabilities
- VulnRange — CTF-style CVE reproduction challenges with progressive hints
Vulnerability Assessment and Payload Generation
15 vulnerability scanner modules that detect vulnerability patterns via static analysis and generate concrete artifacts.
| Category | Count | Produces | |----------|-------|----------| | Heap Corruption | 4 | Overflow buffers, fake metadata, write primitives | | MPU Bypass | 2 | Privilege escalation payloads, ROP chains | | ISR Hijacking | 1 | Vector table redirect payloads | | BLE Exploits | 4 | Malformed advertising, L2CAP, ASCS packets | | Kernel Attacks | 2 | TCB/thread entry overwrites, syscall chains | | Reconnaissance | 2 | Userspace config detection, race conditions |
Standalone payload tools: ARM Thumb2 and RISC-V shellcode templates (NOP sled, infinite loop, MPU disable, VTOR redirect), ROP gadget finder with bad-character filtering, XOR and null-free encoders.
Firmware Emulation
Two engines for different use cases — see [Emul
