The Wonderful World of MIPS

The ever-growing Internet of Things (IoT) brings a new wave of malware geared toward unfamiliar architectures. Today we take a look at how to compile, analyze, and debug MIPS-based binaries on standard x86 hardware.

Video Walkthrough



Introduction

MIPS is a Reduced Instruction Set Computer (RISC) architecture that has been a staple in residential gateways, routers, and switches since the 1980s. Because these devices are often the first line of defense in a network, they are prime targets for malware authors. This guide demonstrates how to cross-compile, run, and debug MIPS code using QEMU and Radare2.



Cross-Compiling MIPS ELF on x86

Using Kali Linux as a base, we first install the necessary cross-compilation toolchains:

apt-get install linux-libc-dev-mips-cross libc6-mips-cross libc6-dev-mips-cross \
binutils-mips-linux-gnu gcc-mips-linux-gnu g++-mips-linux-gnu

Below is a sample C program that utilizes fork(). This is excellent for practice as many MIPS debuggers struggle with process cloning.

#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>

int main(){ 
    printf("PID: %d\n",getpid()); 
    printf("PPID: %d\n",getppid()); 
    int i = 0; 
    while(i < 4){
        sleep(1);
        printf("ITERATION #%d\n",i);
        i = i + 1;
    }
    fork();
    for (int w = 0; w < 10; w=w+1){
        printf("%d: %d\t%d\n",getpid(),getppid());
        sleep(1);
    }
    return 0;
}

Compile the code to MIPS-Little Endian using the following command:

mipsel-linux-gnu-gcc -xc -static -o mips-test.elf mips-test.c


Running MIPS ELF on x86

To execute the binary, we use QEMU, which offers two modes: User Mode and System Emulation.

QEMU User Mode

User mode runs a single binary natively through the command line. Use -strace to view system calls:

qemu-mipsel -strace mips-test.elf


QEMU System Emulation

For a full environment, download a MIPS Debian image and kernel. You will need to configure a bridge to enable networking. Replacing /etc/qemu-ifup with a custom script is often necessary to bridge your eth0 and tap0 interfaces correctly.



Debugging MIPS

Debugging MIPS requires specialized tools like gdb-multiarch and Radare2. Here are the most common ways to attach a debugger:

  • QEMU Stub: Launch with qemu-mipsel -g 12345 binary.elf and attach with gdb-multiarch using target remote :12345.
  • Radare2 Native: Use radare2 -a mips -b 32 -d dbg:///mips-test.elf.
  • IDA Pro: Use the Remote GDB debugger and point it to your Kali IP/Port.


Tips and Pitfalls

  • Instruction Sets: If you attach to the QEMU process directly on x86, you will see x86 instructions. You must use a GDB stub or run the debugger inside the emulated environment to see MIPS assembly.
  • Forks/Clones: Radare2 may lose control after a fork(). Manually set a breakpoint a few instructions after the fork to regain control of the child process.
  • Speed: Full system emulation is slow (~200MHz). For rapid analysis, QEMU User Mode with -strace is usually faster for initial triage.


Conclusion

While MIPS analysis can feel like "emulation inside a virtualization," mastering these tools allows you to peel back the layers of IoT malware that would otherwise remain opaque on standard x86 workstations.



Happy hunting.