Quick Start Guide
Install required run-time dependencies:
$ sudo apt-get install libmagic1 python-lzma
Install binwalk:
$ sudo apt-get install build-essential autoconf git
$ git clone https://github.com/devttys0/binwalk
$ (cd binwalk && autoreconf && ./configure && make && sudo make install)
Install optional run-time dependencies:
# Graphing modules, for plotting entropy graphs
$ sudo apt-get install libqt4-opengl python-opengl python-qt4 python-qt4-gl python-numpy python-scipy python-pip
$ sudo pip install pyqtgraph
# The capstone disassembler engine, for disassembly-based code signatures
$ wget http://www.capstone-engine.org/download/2.1.2/capstone-2.1.2.tgz
$ tar -zxvf capstone-2.1.2.tgz
$ (cd capstone-2.1.2 && ./make.sh && sudo make install)
$ (cd capstone-2.1.2/bindings/python && sudo python ./setup.py install)
# Extraction utilities, for automated file extraction and decompression
$ sudo apt-get install mtd-utils zlib1g-dev liblzma-dev ncompress gzip bzip2 tar arj lhasa p7zip p7zip-full cabextract openjdk-6-jdk cramfsprogs cramfsswap squashfs-tools
# Sasquatch SquashFS extraction tool, for extracting non-standard SquashFS file systems
$ sudo apt-get install zlib1g-dev liblzma-dev liblzo2-dev
$ git clone https://github.com/devttys0/sasquatch
$ (cd sasquatch && make && sudo make install)
See the INSTALL documentation for more details.
The primary - and by far the most popular - feature of binwalk is its signature scanning.
Binwalk can scan a firmware image for many different embedded file types and file systems; just give it a list of files to scan:
$ binwalk firmware.bin
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0 0x0 DLOB firmware header, boot partition: "dev=/dev/mtdblock/2"
112 0x70 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3797616 bytes
1310832 0x140070 PackImg section delimiter tag, little endian size: 13644032 bytes; big endian size: 3264512 bytes
1310864 0x140090 Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 3264162 bytes, 1866 inodes, blocksize: 65536 bytes, created: Tue Apr 3 04:12:22 2012
You can tell binwalk to extract any files that it finds in the firmware image with the -e option:
$ binwalk -e firmware.bin
Binwalk will even recursively scan files as it extracts them if you also specify the -M option:
$ binwalk -Me firmware.bin
And if the -r option is specified, any file signatures that couldn't be extracted - or that resulted in 0-size files - will be automatically deleted:
$ binwalk -Mre firmware.bin
What happens if binwalk doesn't report any signatures? Or, how do you know binwalk didn't miss anything interesting?
Entropy analysis can help identify interesting sections of data inside a firmware image:
$ binwalk -E firmware.bin
HINT: You can combine other scans with the entropy scan. For example, you can combine a signature scan with an entropy scan:
$ binwalk -B -E firmware.bin
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
36625 0x8F11 Zlib header, default compression
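As an added illustration of what the signature scan and the -E entropy scan above do internally (example code written for this guide, not binwalk's own implementation), the following Python script scans a constructed firmware-like blob for a few magic values, validates an LZMA-alone header of the kind shown in the sample output (properties byte 0x5D, dictionary size, uncompressed size), and flags blocks whose Shannon entropy suggests compressed or encrypted data. The magic table, the power-of-two dictionary sanity check, the block size and threshold, and the sample image are all assumptions.

```python
import math
import random
import struct

# Constructed magic table: a tiny, assumed subset of what binwalk's signature files cover.
MAGIC = {b"\x1f\x8b\x08": "gzip compressed data", b"hsqs": "Squashfs filesystem, little endian"}

def lzma_header(data, off):
    """Describe an LZMA-alone header at off (props byte 0x5D, LE u32 dict size, LE u64 size), else None."""
    if off + 13 > len(data) or data[off] != 0x5D:
        return None
    dict_size, size = struct.unpack_from("<IQ", data, off + 1)
    if dict_size < 4096 or dict_size & (dict_size - 1):  # assumed sanity check: power-of-two dictionary
        return None
    return (f"LZMA compressed data, properties: 0x5D, dictionary size: {dict_size} bytes, "
            f"uncompressed size: {size} bytes")

def scan(data):
    """Sorted (offset, description) hits, like the DECIMAL and DESCRIPTION columns of `binwalk image.bin`."""
    hits = []
    for magic, desc in MAGIC.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, desc))
            pos = data.find(magic, pos + 1)
    pos = data.find(b"\x5d")
    while pos != -1:  # every 0x5D byte is a candidate; the header check weeds out false positives
        desc = lzma_header(data, pos)
        if desc:
            hits.append((pos, desc))
        pos = data.find(b"\x5d", pos + 1)
    return sorted(hits)

def entropy(chunk):
    """Shannon entropy in bits per byte: near 0 for padding, near 8 for compressed or encrypted data."""
    n = len(chunk) or 1  # an empty chunk has no symbols, so the sum below is 0 and the result is 0.0
    return -sum(c / n * math.log2(c / n) for c in (chunk.count(b) for b in set(chunk)))

def high_entropy_blocks(data, block=1024, threshold=7.0):
    """Offsets of blocks that look compressed or encrypted, the regions `binwalk -E` makes stand out."""
    return [off for off in range(0, len(data), block) if entropy(data[off:off + block]) >= threshold]

def sample_image():
    """Constructed firmware-like blob: zero padding, LZMA header plus random payload, SquashFS magic, padding."""
    rnd = random.Random(1)  # seeded so the constructed image is reproducible
    payload = bytes(rnd.getrandbits(8) for _ in range(4096))
    lzma = bytes([0x5D]) + struct.pack("<IQ", 33554432, 3797616) + payload
    return b"\x00" * 512 + lzma + b"hsqs" + b"\x00" * 1024
```

Calling scan(sample_image()) reports the LZMA header at decimal offset 512 and the SquashFS magic at 4621, and high_entropy_blocks(sample_image()) returns only the 1 KiB blocks that fall entirely inside the random payload.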