Update 2022-09-15: This tool can potentially be used together with losetup + kpartx (see losetup), which is a tool that makes loopback devices out of ISOs or volume files (LUNs, block device files, etc.). Here is my article on it. First you find the magic headers for potential disks/volumes/partitions. Then you use losetup to cut out a loopback device that ignores everything before that offset, then use fdisk/sgdisk to analyze partitions; if any are found you can consider that as your LUN file for that article and cut out the partitions into other loopback devices.
Update 2022-03-07: I wrote this article back in 2014 and have been trying to find it ever since; I just couldn’t get the search terms right. In my youthful days, I noobly called it a “firmware analyzer” when in reality it is so much more. My interpretation of it is that it is like the Linux “file” command, except it runs at every byte of the file so that you can find whether there is a tar, png, or whatever file deep inside of a file.
What binwalk is per kali:
https://www.kali.org/tools/binwalk
Binwalk is a tool for searching a given binary image for embedded files and executable code. Specifically, it is designed for identifying files and code embedded inside of firmware images. Binwalk uses the libmagic library, so it is compatible with magic signatures created for the Unix file utility.
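As an added example (not code from this post or from binwalk itself), here is a minimal Python version of that idea, covering both the “file at every byte” scan and the losetup carving from the 2022-09-15 update: the signature table and the sample image are constructed, and `firmware.bin` is a placeholder path.

```python
# Added example: a minimal "file at every byte" scan of the kind binwalk performs
# with libmagic signatures, then each hit is carved into an offset/size region and
# turned into a read-only losetup command. Signatures and sample image are constructed.
import struct

# Constructed signature table (magic bytes -> description); binwalk's real
# signatures are far richer and check more than the leading bytes.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\x1f\x8b\x08": "gzip compressed data",
    b"hsqs": "Squashfs filesystem, little endian",
}

def scan(image: bytes):
    """Return sorted [(offset, description)]: every signature hit at every byte offset."""
    hits = []
    for magic, desc in SIGNATURES.items():
        off = image.find(magic)
        while off != -1:
            hits.append((off, desc))
            off = image.find(magic, off + 1)   # keep looking past this hit
    return sorted(hits)

def regions(image: bytes):
    """Carve [(offset, size, description)]: each hit runs until the next hit or EOF."""
    hits = scan(image)
    out = []
    for i, (off, desc) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(image)
        out.append((off, end - off, desc))
    return out

def losetup_commands(path: str, image: bytes):
    """One losetup invocation per region; --read-only so the source image is never modified."""
    return [f"losetup --find --show --read-only --offset {off} --sizelimit {size} {path}"
            for off, size, _ in regions(image)]

def build_sample_image() -> bytes:
    """Constructed fake firmware: zero padding, PNG header, gzip header, squashfs superblock."""
    png = b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + bytes(13)
    gz = b"\x1f\x8b\x08\x00" + bytes(6) + b"payload"
    sqfs = b"hsqs" + struct.pack("<I", 3)
    return bytes(64) + png + bytes(1024 - len(png)) + gz + bytes(512 - len(gz)) + sqfs

if __name__ == "__main__":
    img = build_sample_image()
    print(f"{'DECIMAL':<12}{'HEXADECIMAL':<14}DESCRIPTION")   # binwalk-style table
    for off, size, desc in regions(img):
        print(f"{off:<12}{hex(off):<14}{desc} ({size} bytes)")
    for cmd in losetup_commands("firmware.bin", img):
        print(cmd)
```

The region boundaries are only as good as the signatures, so a short magic like gzip's three bytes can hit by accident; real binwalk validates more of the header before reporting.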
My old article:
INSTALLING BINWALK
##################
* Firmware Analyzer, looks for header signatures…
* GET LATEST TAR.GZ AT https://code.google.com/p/binwalk/, I RENAMED MINE TO .TGZ BUT IT DOESN'T MATTER AT ALL SINCE TAR.GZ AND TGZ ARE THE SAME FORMAT. THE TAR TOOL WILL STILL EXTRACT IT WITH THE SAME OPTIONS
* NOTE: IT'S JUST A PYTHON PROGRAM AND ALSO A PYTHON LIBRARY (THAT GETS INSTALLED WITH THE python setup.py install COMMAND)
* THE MAIN PROGRAM THAT STARTS IT IS JUST A PYTHON SCRIPT THAT CAN BE PUT ANYWHERE
* PREREQS. Do one by one (do not paste in the whole block, literally do one by one)
apt-get update
apt-get -y install subversion
apt-get -y install build-essential
apt-get -y install mtd-utils
apt-get -y install zlib1g-dev
apt-get -y install liblzma-dev
apt-get -y install gzip
apt-get -y install bzip2
apt-get -y install tar
apt-get -y install unrar
apt-get -y install arj
apt-get -y install p7zip
apt-get -y install openjdk-6-jdk
apt-get -y install python-magic
apt-get -y install python-matplotlib
mkdir /opt/firmware-mod-kit && chmod a+rwx /opt/firmware-mod-kit
svn checkout http://firmware-mod-kit.googlecode.com/svn/trunk /opt/firmware-mod-kit/trunk
cd /opt/firmware-mod-kit/trunk/src
./configure
make
cd -
* TO INSTALL EXTRACT TAR.GZ
mkdir ~/programs
cd ~/programs
wget https://binwalk.googlecode.com/files/binwalk-1.2.1.tar.gz (note get latest @ https://code.google.com/p/binwalk/ -> download link)
tar -xzvf binwalk-1.2.1.tar.gz
cd binwalk-1.2.1/src
sudo python setup.py install
* NOW TO TEST IT TYPE
binwalk
* IF YOU GET HELP OUT YOU WIN
RUNNING THE BINWALK
###################
* Showing just some main features
* There are lots of ways to extract, so I combine all of the ways into a script
GET PROGRESS WHILE ITS RUNNING
===============================
* Press Enter while it's running and it will output progress. You can hold Enter if you want to, but I wouldn't; that's just an interruption that slows things down
GET INFORMATION ABOUT HEADERS FROM BINWALK
===========================================
binwalk firmware
binwalk --verbose firmware
ANOTHER INTERESTING OUTPUT
==========================
* Similar to running “strings file” or “od -S file”, we can run:
binwalk -S file
EXTRACT OUT THE FILES
===========================================
binwalk -e firmware
binwalk --verbose -e firmware
* IT MAKES FOLDER: _firmware.extracted
HERE ARE ALL THE EXTRACTION OPTIONS
=====================================
* -M, -r and -d only modify extraction, so you must always supply -e together with them
Extraction Options:
-D, --dd=<type:ext[:cmd]> Extract <type> signatures, give the files an extension of <ext>, and execute <cmd>
-e, --extract=[file] Automatically extract known file types; load rules from file, if specified
-M, --matryoshka Recursively scan extracted files, up to 8 levels deep
-r, --rm Cleanup extracted files and zero-size files
-d, --delay Delay file extraction for files with known footers
EXTRACT AND EXTRACT DEEPER AND DEEPER
======================================
* -M re-runs the scan (with the same extraction options) on every file that gets extracted, recursively, so it has to be combined with at least -e
binwalk -Me firmware
* IT MAKES FOLDER: _firmware.extracted
MY FAVORITE:
============
binwalk -Me firmware
* IT MAKES FOLDER: _firmware.extracted
* AND
binwalk -Mer firmware
* IT MAKES FOLDER: _firmware.extracted
HOW TO RUN ALL 7 EXTRACTIONS METHODS
=====================================
* The 7 combos are -Me, -Med, -Mer, -Merd, -e, -ed, -er, -erd, in no particular order (remember -e has to be included, as it's the option that actually means extraction)
METHOD1: NEW FOLDER NAMES KEEP THE SAME NAME
———————————————
(FWNAME="random_firmware_file";
binwalk -Me ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-Me;
binwalk -Med ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-Med;
binwalk -Mer ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-Mer;
binwalk -Merd ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-Merd;
binwalk -e ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-e;
binwalk -ed ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-ed;
binwalk -er ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-er;
binwalk -erd ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-erd;)
METHOD2 (BETTER W/ EXAMPLE) NEW FOLDER NAMES WITH DIFFERENT NAMES
—————————————————————–
(FWNAME="random_firmware_file";
NEWNAME="rfw1";
binwalk -Me ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-Me;
binwalk -Med ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-Med;
binwalk -Mer ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-Mer;
binwalk -Merd ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-Merd;
binwalk -e ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-e;
binwalk -ed ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-ed;
binwalk -er ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-er;
binwalk -erd ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-erd;)
—EXAMPLE—
* Extracting Firmware firmware1 using all 7 methods, but renaming new folders to have the name R4223 instead
* THE BEFORE:
cd /somefolder/
ls -lish
* THE BEFORE OUTPUT OF ls -lish:
* total 53M
* 1310776 53M -rw-r--r-- 1 root root 53M Jun 18 09:57 random_firmware_file
du -sh *
* THE BEFORE OUTPUT OF du -sh *:
* 53M random_firmware_file
THEN RUN THE ABOVE SCRIPT (COPY-PASTE IT IN AND HIT ENTER; THE PARENTHESES ARE GOOD, THEY TELL BASH THIS IS ONE GIANT COMMAND RUN IN A SUBSHELL, BUT THE ABOVE CAN BE RUN WITHOUT THE PARENTHESES AS WELL)
* AFTER:
ls -lish
* OUTPUT OF ls -lish:
* total 53M
* 1310776 53M -rw-r--r-- 1 root root 53M Jun 18 09:57 random_firmware_file
* 1310795 4.0K drwxr-xr-x 2 root root 4.0K Jun 18 10:12 _rfw1-e
* 1310814 4.0K drwxr-xr-x 2 root root 4.0K Jun 18 10:13 _rfw1-ed
* 1310833 4.0K drwxr-xr-x 2 root root 4.0K Jun 18 10:13 _rfw1-er
* 1310834 4.0K drwxr-xr-x 2 root root 4.0K Jun 18 10:14 _rfw1-erd
* 1310728 4.0K drwxr-xr-x 4 root root 4.0K Jun 18 10:07 _rfw1-Me
* 1310749 4.0K drwxr-xr-x 4 root root 4.0K Jun 18 10:09 _rfw1-Med
* 1310770 4.0K drwxr-xr-x 4 root root 4.0K Jun 18 10:10 _rfw1-Mer
* 1310783 4.0K drwxr-xr-x 4 root root 4.0K Jun 18 10:11 _rfw1-Merd
du -sh *
* OUTPUT OF du -sh *:
* 53M random_firmware_file
* 347M _rfw1-e
* 347M _rfw1-ed
* 53M _rfw1-er
* 53M _rfw1-erd
* 347M _rfw1-Me
* 347M _rfw1-Med
* 53M _rfw1-Mer
* 53M _rfw1-Merd
SIDE NOTE:
===========
* For the above two examples, don't run the scripts or binwalk extractions at the same time on the same firmware name (FWNAME), because they all create the same _firmware.extracted folder, so you don't want overwrites happening.
* If you're extracting the same firmware using different arguments at the same time, make sure you're in a different directory: copy the firmware to a different directory first. My script doesn't run them at the same time.