Home > Linux, Testing > Binwalk Utility Helps You Analyze and Reverse-Engineer Firmware Files

Binwalk Utility Helps You Analyze and Reverse-Engineer Firmware Files

November 18th, 2013 Leave a comment Go to comments

Binwalk is a “firmware analysis tool designed for analyzing, reverse engineering and extracting data contained in firmware images”.  This tool written in python supports Linux, and somewhat Mac OS X, can scan firmware files for files signature, and can be useful for hacking firmware files, and finding hidden information.

binwalk_firmware_analysis_tool

Partial output from a scan of a firmware image for file signatures

Let’s install binwalk first. It’s very easy in a Debian or Ubuntu machine, as you just have to download the package, and run a script for installation:

wget https://binwalk.googlecode.com/files/binwalk-1.2.2-1.tar.gz
tar xzvf binwalk-1.2.2-1.tar.gz
cd binwalk-1.2.2-1/src
sudo ./debian_quick_install.sh

If you have another Linux ditributions, it’s just a little more complicated. You still need to download and extract the release package as above, but you’ll have to install the following package depending on the features your need:

  • Minimal installation – python 2.6 or greater, and  python-magic
  • To generate entropy plot graphs – python-matplotlib
  • For automated extraction:
    • Packages – mtd-utils zlib1g-dev liblzma-dev gzip bzip2 tar unrar arj p7zip p7zip-full openjdk-6-jdk
    • Build and install firmware-mod-kit

Once, this is done, run sudo python ./setup.sh install in src directory to complete the installation.

You can also checkout the latest source code from github:

git clone https://github.com/devttys0/binwalk.git

Once we’ve got binwalk installed, let’s test with the firmware for SJ1000 camera.

Just running binwalk with the firmware file as argument will scan the file for known data representations.

binwalk FW96650A.bin 

DECIMAL       HEX           DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
2158492       0x20EF9C      JPEG image data, JFIF standard  1.02

Right, did not find much apart from a JPEG file. I tried to extract it with binwalk -e FW96650A.bin, but it just created and empty directory (_FW96650A.bin.extracted). However, I’ve tried the scan with an Android firmware (MK908 mini PC), and the scan output is extremely verbose, it will find the Linux kernel strings, and apparently list all files. There may be options to better analyze this type of firwmare, as there are many many options, and it may take a while to be familiar with the tool.

Let’s carry on with one of the other option: ASCII string scan. In theory, the same can be achieved with strings utility, but binwalk will also provide the offset for each string in the file. In the command below, S is for string scan, and -s5  sets the minimum string size to 5 characters.

binwalk -S -s5 FW96650A.bin

DECIMAL         HEX             Strings
-------------------------------------------------------------------------------------------------------------------
80              0x50            NT96650 1000000020100701
192             0xC0            DRAMINFO
256             0x100           STRGINFO
116470          0x1C6F6         B0%HI
125959          0x1EC07         '^G   Section-%.2ld: Range[0x%08X~0x%08X] Size=0x%08X (LOAD)
126024          0x1EC48         ^R*** StackOverflow task[%d][%s] stk start[0x%08x] size[0x%08x]
126092          0x1EC8C         ^R*** Math error: type=%d name="%s" arg1=%f arg2=%f retval=%f err=%d
126164          0x1ECD4         ^R*** CPU Exception! cause=0x%08x, by [%s:0x%08x] [%c]

Let’s plot an entropy chart. To be honest I’m not 100% sure sure how to exploit this feature, but I understand that it will help locate where useful data may be, as well as areas filled with 0xFF or 0x00 with no useful information.
binwalk_entropyBinwalk has lots of other features, and you can do things such as scanning a firmware image for executable opcodes, diffing multiple firmware headers, using a custom signature, and so on.

Digg This
Reddit This
Stumble Now!
Buzz This
Vote on DZone
Share on Facebook
Bookmark this on Delicious
Kick It on DotNetKicks.com
Share on LinkedIn
Bookmark this on Technorati
Post on Twitter

  1. November 18th, 2013 at 23:00 | #1

    In the same mood, you have hachoir-subfile and uwfirmforce, a quick search on my gentoo box:

    * app-misc/hachoir-subfile
    Available versions: ~0.5.3
    Homepage: http://bitbucket.org/haypo/hachoir/wiki/hachoir-subfile http://pypi.python.org/pypi/hachoir-subfile
    Description: Find subfile in any binary stream

    * app-misc/uwfirmforce [1]
    Available versions: 0.0.7
    Homepage: http://uwfirmforce.wikidot.com
    Description: uwfirmforce

  2. November 18th, 2013 at 23:15 | #2

    Although, I usually prefer to do it manually, as the tools I’ve tried often miss the blindingly obvious stuff like gzip headers, there are a few good tools for reverse engineering.

    This can be useful in the right hands –
    radare – http://radare.nopcode.org/get/radare.pdf.html
    arm2html – http://www.sigmaplayer.com/filebase.php?d=1&id=13&c_old=5&what=c&page=1 (assuming its still there)
    file signature db – http://www.garykessler.net/library/file_sigs.html

    http://www.computersolutions.cn/blog/?s=firmware has a selection of a few walkthrough’s of my detective work on various firmware.

    These days, I’m concentrating more on writing my own though ;)

  3. tiobx
    March 21st, 2014 at 22:49 | #3

    I am trying install Biinwalk on Portable Python 2.7 for Windows, on USB drive.
    Binwalk have dependency on ssdeep-2.10, which is a binary exe (for windows).

    What I dont know: where should be placed ssdeep Windows binary files, that Binwalk application can found it?

  1. No trackbacks yet.