Binwalk Tutorial

* Firmware Analyzer, looks for header signatures…
* GET THE LATEST TAR.GZ AT https://code.google.com/p/binwalk/. I RENAMED MINE TO .TGZ BUT IT DOESN'T MATTER AT ALL SINCE TAR.GZ AND TGZ ARE THE SAME FORMAT; THE TAR TOOL WILL STILL EXTRACT IT WITH THE SAME OPTIONS
* NOTE: IT'S JUST A PYTHON PROGRAM AND ALSO A PYTHON LIBRARY (THAT GETS INSTALLED WITH THE python setup.py install COMMAND)
* THE MAIN PROGRAM THAT STARTS IT IS JUST A PYTHON SCRIPT THAT CAN BE PUT ANYWHERE
* PREQS. Do one by one (do not paste in whole block, literally do one by one)
apt-get update
apt-get -y install subversion
apt-get -y install build-essential
apt-get -y install mtd-utils
apt-get -y install zlib1g-dev
apt-get -y install liblzma-dev
apt-get -y install gzip
apt-get -y install bzip2
apt-get -y install tar
apt-get -y install unrar
apt-get -y install arj
apt-get -y install p7zip
apt-get -y install openjdk-6-jdk
apt-get -y install python-magic
apt-get -y install python-matplotlib
mkdir /opt/firmware-mod-kit && chmod a+rwx /opt/firmware-mod-kit
svn checkout http://firmware-mod-kit.googlecode.com/svn/trunk /opt/firmware-mod-kit/trunk
cd /opt/firmware-mod-kit/trunk/src
./configure
make
cd -
* TO INSTALL EXTRACT TAR.GZ
mkdir ~/programs
cd ~/programs
wget https://binwalk.googlecode.com/files/binwalk-1.2.1.tar.gz    (note get latest @ https://code.google.com/p/binwalk/ -> download link)
tar -xzvf binwalk-1.2.1.tar.gz
cd binwalk-1.2.1/src
sudo python setup.py install
* NOW TO TEST IT TYPE
binwalk
* IF YOU GET THE HELP OUTPUT, YOU WIN
RUNNING THE BINWALK
###################
* Showing just some main features
* There are lots of ways to extract, so I combine all of the ways into a script
GET PROGRESS WHILE ITS RUNNING
===============================
* Press Enter while it's running and it will output progress. You can hold Enter if you want to, but I wouldn't; that's just an interruption that slows things down
GET INFORMATION ABOUT HEADERS FROM BINWALK
===========================================
binwalk firmware
binwalk --verbose firmware
ANOTHER INTERESTING OUTPUT
===========================
* Similar to running "strings file" or "od -S file" we can run:
binwalk -S file
EXTRACT OUT THE FILES
===========================================
binwalk -e firmware
binwalk --verbose firmware
* IT MAKES FOLDER: _firmware.extract
HERE ARE ALL THE EXTRACTION OPTIONS
=====================================
* For -M, -r and -d you must always supply "-e" as well
Extraction Options:
        -D, --dd=<type:ext[:cmd]>     Extract <type> signatures, give the files an extension of <ext>, and execute <cmd>
        -e, --extract=[file]          Automatically extract known file types; load rules from file, if specified
        -M, --matryoshka              Recursively scan extracted files, up to 8 levels deep
        -r, --rm                      Cleanup extracted files and zero-size files
        -d, --delay                   Delay file extraction for files with known footers
EXTRACT AND EXTRACT DEEPER AND DEEPER
======================================
* -M re-runs the scan with the same options on every file that gets extracted, so it has to be combined with at least -e
binwalk -Me firmware
* IT MAKES FOLDER: _firmware.extract
MY FAVORITE:
============
binwalk -Me firmware
* IT MAKES FOLDER: _firmware.extract
* AND
binwalk -Mer firmware
* IT MAKES FOLDER: _firmware.extract
HOW TO RUN ALL 7 EXTRACTION METHODS
=====================================
* The 7 combos are -Me, -Med, -Mer, -Merd, -e, -ed, -er, -erd in no particular order (remember -e has to be included as it's the one that means extraction)
METHOD1: NEW FOLDER NAMES KEEP THE SAME NAME
---------------------------------------------
(FWNAME="random_firmware_file";
binwalk -Me ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-Me;
binwalk -Med ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-Med;
binwalk -Mer ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-Mer;
binwalk -Merd ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-Merd;
binwalk -e ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-e;
binwalk -ed ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-ed;
binwalk -er ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-er;
binwalk -erd ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-erd;)
METHOD2 (BETTER W/ EXAMPLE) NEW FOLDER NAMES WITH DIFFERENT NAMES
-----------------------------------------------------------------
(FWNAME="random_firmware_file";
NEWNAME="rfw1";
binwalk -Me ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-Me;
binwalk -Med ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-Med;
binwalk -Mer ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-Mer;
binwalk -Merd ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-Merd;
binwalk -e ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-e;
binwalk -ed ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-ed;
binwalk -er ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-er;
binwalk -erd ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-erd;)
—EXAMPLE—
* Extracting Firmware firmware1 using all 7 methods, but renaming new folders to have the name R4223 instead
* THE BEFORE:
cd /somefolder/
ls -lish
* THE BEFORE OUTPUT OF ls -lish:
* total 53M
* 1310776 53M -rw-r--r-- 1 root root 53M Jun 18 09:57 random_firmware_file
du -sh *
* THE BEFORE OUTPUT OF du -sh *:
* 53M     random_firmware_file
THEN RUN THE ABOVE SCRIPT (COPY-PASTE IT IN AND HIT ENTER. THE PARENTHESES ARE GOOD, THEY TELL BASH THIS IS ONE GIANT COMMAND; THE ABOVE CAN BE RUN WITHOUT THE PARENTHESES AS WELL)
* AFTER:
ls -lish
* OUTPUT OF ls -lish:
* total 53M
* 1310776  53M -rw-r--r-- 1 root root  53M Jun 18 09:57 random_firmware_file
* 1310795 4.0K drwxr-xr-x 2 root root 4.0K Jun 18 10:12 _rfw1-e
* 1310814 4.0K drwxr-xr-x 2 root root 4.0K Jun 18 10:13 _rfw1-ed
* 1310833 4.0K drwxr-xr-x 2 root root 4.0K Jun 18 10:13 _rfw1-er
* 1310834 4.0K drwxr-xr-x 2 root root 4.0K Jun 18 10:14 _rfw1-erd
* 1310728 4.0K drwxr-xr-x 4 root root 4.0K Jun 18 10:07 _rfw1-Me
* 1310749 4.0K drwxr-xr-x 4 root root 4.0K Jun 18 10:09 _rfw1-Med
* 1310770 4.0K drwxr-xr-x 4 root root 4.0K Jun 18 10:10 _rfw1-Mer
* 1310783 4.0K drwxr-xr-x 4 root root 4.0K Jun 18 10:11 _rfw1-Merd
du -sh *
* OUTPUT OF du -sh *:
* 53M     random_firmware_file
* 347M    _rfw1-e
* 347M    _rfw1-ed
* 53M     _rfw1-er
* 53M     _rfw1-erd
* 347M    _rfw1-Me
* 347M    _rfw1-Med
* 53M     _rfw1-Mer
* 53M     _rfw1-Merd
SIDE NOTE:
===========
* For the above two examples, don't run the scripts or binwalk extractions at the same time on the same firmware name (FWNAME), because they all make the _firmware.extracted folder, so you don't want overwrites happening.
* If you're extracting the same firmware using different types of arguments at the same time, make sure you're in a different directory: copy the firmware to a different directory. My script doesn't do them at the same time.
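An added example (not from the original post) that does what METHOD2 and the side note together ask for: each of the 8 flag combos runs in its own directory on its own copy of the firmware, so the _<fw>.extracted folders can never collide even if you launch several at once, and no mv/glob step is needed. The BINWALK variable is an assumed override so the binary can be swapped for a stub when testing.

```shell
#!/bin/sh
# Added example, not the post's own script. Runs every binwalk extraction
# combo the post lists in a separate directory named _<short-name><combo>.
# BINWALK is an assumed override (defaults to the real "binwalk" binary).
BINWALK="${BINWALK:-binwalk}"
COMBOS="-Me -Med -Mer -Merd -e -ed -er -erd"

# Per-combo output directory name, e.g. combo_dir rfw1 -Med -> _rfw1-Med
combo_dir() {
    printf '_%s%s\n' "$1" "$2"
}

# Run one combo ($3) on firmware $1 inside its own directory, working on a
# copy so the source file and the other combos are never touched.
extract_one() {
    fw="$1"; name="$2"; combo="$3"
    base=$(basename "$fw")
    dir=$(combo_dir "$name" "$combo")
    mkdir -p "$dir" || return 1
    cp "$fw" "$dir/$base" || return 1
    # binwalk creates _<base>.extracted in its cwd, i.e. inside $dir only
    ( cd "$dir" && "$BINWALK" "$combo" "$base" ) || return 1
    rm -f "$dir/$base"   # drop the working copy; keep only extracted output
    return 0
}

# Run all combos; exit status is the number of combos that produced no
# extraction folder (0 means every combo succeeded).
extract_all() {
    fw="$1"; name="$2"; failed=0
    for combo in $COMBOS; do
        if ! extract_one "$fw" "$name" "$combo"; then
            failed=$((failed + 1))
        elif ! ls -d "$(combo_dir "$name" "$combo")"/_*extract* >/dev/null 2>&1; then
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}
```

Usage: `extract_all /somefolder/random_firmware_file rfw1` gives the same _rfw1-Me ... _rfw1-erd layout as the post's example.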
