Binwalk Utility Helps You Analyze and Reverse-Engineer Firmware Files

Binwalk is a “firmware analysis tool designed for analyzing, reverse engineering and extracting data contained in firmware images”.  This tool written in python supports Linux, and somewhat Mac OS X, can scan firmware files for files signature, and can be useful for hacking firmware files, and finding hidden information.

binwalk_firmware_analysis_tool
Partial output from a scan of a firmware image for file signatures

Let’s install binwalk first. It’s very easy in a Debian or Ubuntu machine, as you just have to download the package, and run a script for installation:


If you have another Linux ditributions, it’s just a little more complicated. You still need to download and extract the release package as above, but you’ll have to install the following package depending on the features your need:

  • Minimal installation – python 2.6 or greater, and  python-magic
  • To generate entropy plot graphs – python-matplotlib
  • For automated extraction:
    • Packages – mtd-utils zlib1g-dev liblzma-dev gzip bzip2 tar unrar arj p7zip p7zip-full openjdk-6-jdk
    • Build and install firmware-mod-kit

Once, this is done, run sudo python ./setup.sh install in src directory to complete the installation.

You can also checkout the latest source code from github:


Once we’ve got binwalk installed, let’s test with the firmware for SJ1000 camera.

Just running binwalk with the firmware file as argument will scan the file for known data representations.


Right, did not find much apart from a JPEG file. I tried to extract it with binwalk -e FW96650A.bin, but it just created and empty directory (_FW96650A.bin.extracted). However, I’ve tried the scan with an Android firmware (MK908 mini PC), and the scan output is extremely verbose, it will find the Linux kernel strings, and apparently list all files. There may be options to better analyze this type of firwmare, as there are many many options, and it may take a while to be familiar with the tool.

Let’s carry on with one of the other option: ASCII string scan. In theory, the same can be achieved with strings utility, but binwalk will also provide the offset for each string in the file. In the command below, S is for string scan, and -s5  sets the minimum string size to 5 characters.


Let’s plot an entropy chart. To be honest I’m not 100% sure sure how to exploit this feature, but I understand that it will help locate where useful data may be, as well as areas filled with 0xFF or 0x00 with no useful information.
binwalk_entropyBinwalk has lots of other features, and you can do things such as scanning a firmware image for executable opcodes, diffing multiple firmware headers, using a custom signature, and so on.

Share this:

Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress

Radxa Orion O6 Armv9 mini-ITX motherboard
Subscribe
Notify of
guest
The comment form collects your name, email and content to allow us keep track of the comments placed on the website. Please read and accept our website Terms and Privacy Policy to post a comment.
3 Comments
oldest
newest
zoobab
11 years ago

In the same mood, you have hachoir-subfile and uwfirmforce, a quick search on my gentoo box:

* app-misc/hachoir-subfile
Available versions: ~0.5.3
Homepage: http://bitbucket.org/haypo/hachoir/wiki/hachoir-subfile http://pypi.python.org/pypi/hachoir-subfile
Description: Find subfile in any binary stream

* app-misc/uwfirmforce [1]
Available versions: 0.0.7
Homepage: http://uwfirmforce.wikidot.com
Description: uwfirmforce

Lawrence
11 years ago

Although, I usually prefer to do it manually, as the tools I’ve tried often miss the blindingly obvious stuff like gzip headers, there are a few good tools for reverse engineering.

This can be useful in the right hands –
radare – http://radare.nopcode.org/get/radare.pdf.html
arm2html – http://www.sigmaplayer.com/filebase.php?d=1&id=13&c_old=5&what=c&page=1 (assuming its still there)
file signature db – http://www.garykessler.net/library/file_sigs.html

http://www.computersolutions.cn/blog/?s=firmware has a selection of a few walkthrough’s of my detective work on various firmware.

These days, I’m concentrating more on writing my own though 😉

tiobx
tiobx
10 years ago

I am trying install Biinwalk on Portable Python 2.7 for Windows, on USB drive.
Binwalk have dependency on ssdeep-2.10, which is a binary exe (for windows).

What I dont know: where should be placed ssdeep Windows binary files, that Binwalk application can found it?

Boardcon EM3562 Rockchip RK3562 SBC with 8 analog camera inputs