Published on December 24th, 2015
Binwalk — Firmware Analysis Tool
Binwalk is a fast, easy to use tool for analyzing and extracting firmware images.
Binwalk is:
Binwalk can:
- Find and extract interesting files / data from binary images
- Find and extract raw compression streams
- Identify opcodes for a variety of architectures
- Perform data entropy analysis
- Diff an arbitrary number of files
Binwalk supports Python 2.7 – 3.x. Although most systems have Python 2.7 set as their default Python interpreter, binwalk runs faster under Python 3.
Installation
Installation follows the typical Python installation procedure:
# Python2.7
$ sudo python setup.py install

# Python3.x
$ sudo python3 setup.py install
Dependencies
Besides a Python interpreter, there are no installation dependencies for binwalk. All dependencies are optional run-time dependencies, and unless otherwise specified, are available from most Linux package managers.
Although all binwalk run-time dependencies are optional, the python-lzma module is highly recommended for improving the reliability of signature scans. This module is included by default in Python3, but must be installed separately for Python2.7:
$ sudo apt-get install python-lzma
Binwalk uses pyqtgraph to generate graphs and visualizations, which requires the following:
# Python2.7
$ sudo apt-get install libqt4-opengl python-opengl python-qt4 python-qt4-gl python-numpy python-scipy python-pip
$ sudo pip install pyqtgraph

# Python3.x
$ sudo apt-get install libqt4-opengl python3-opengl python3-pyqt4 python3-pyqt4.qtopengl python3-numpy python3-scipy python3-pip
$ sudo pip3 install pyqtgraph
Binwalk’s --disasm option requires the Capstone disassembly framework and its corresponding Python bindings:
$ wget https://www.capstone-engine.org/download/2.1.2/capstone-2.1.2.tgz
$ tar -zxvf capstone-2.1.2.tgz
$ (cd capstone-2.1.2 && ./make.sh && sudo make install)
$ (cd capstone-2.1.2/bindings/python && sudo python ./setup.py install)
Binwalk relies on multiple external utilities in order to automatically extract/decompress files and data:
# Install standard extraction utilities
$ sudo apt-get install mtd-utils gzip bzip2 tar arj lhasa p7zip p7zip-full cabextract cramfsprogs cramfsswap squashfs-tools

# Install sasquatch to extract non-standard SquashFS images
$ sudo apt-get install zlib1g-dev liblzma-dev liblzo2-dev
$ git clone https://github.com/devttys0/sasquatch
$ (cd sasquatch && make && sudo make install)

# Install unstuff (closed source) to extract StuffIt archive files
$ wget -O - https://my.smithmicro.com/downloads/files/stuffit520.611linux-i386.tar.gz | tar -zxv
$ sudo cp bin/unstuff /usr/local/bin/
Usage
Basic usage is simple:
$ binwalk firmware.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             TRX firmware header, little endian, header size: 28 bytes, image size: 14766080 bytes, CRC32: 0x6980E553 flags: 0x0, version: 1
28            0x1C            LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 5494368 bytes
2319004       0x23629C        Squashfs filesystem, little endian, version 4.0, compression: xz, size: 12442471 bytes, 3158 inodes, blocksize: 131072 bytes, blocksize: 131072 bytes, created: 2014-05-21 22:38:47
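A scan result like the one above comes from finding known magic bytes and then sanity-checking the header fields that follow them, which is what keeps stray strings from being reported as filesystems. The sketch below is an added example, not binwalk's own code: it does this for the three formats in that output, and the validation rules, the decoy string and the constructed image are assumptions of the example.

```python
import struct

def check_trx(img, off):
    if len(img) - off < 28:
        return None
    size, crc, flags, ver = struct.unpack_from("<IIHH", img, off + 4)
    if size < 28 or off + size > len(img):  # declared image must fit in the file
        return None
    return "TRX firmware header, image size: %d bytes, CRC32: 0x%X, version: %d" % (size, crc, ver)

def check_lzma(img, off):
    if len(img) - off < 13:
        return None
    props, dict_size, usize = struct.unpack_from("<BIQ", img, off)
    # Heuristic of this example: accept only a non-zero power-of-two dictionary size.
    if dict_size == 0 or dict_size & (dict_size - 1):
        return None
    return "LZMA compressed data, properties: 0x%X, dictionary size: %d bytes" % (props, dict_size)

def check_squashfs(img, off):
    if len(img) - off < 48:
        return None
    inodes, _, block_size = struct.unpack_from("<III", img, off + 4)
    major, minor = struct.unpack_from("<HH", img, off + 28)
    if major != 4 or block_size & (block_size - 1):  # only v4 superblocks handled here
        return None
    return "Squashfs filesystem, little endian, version %d.%d, %d inodes, blocksize: %d bytes" % (
        major, minor, inodes, block_size)

# Magic bytes -> validator. 5D 00 00 is the LZMA properties byte plus low dictionary-size bytes.
SIGNATURES = [(b"HDR0", check_trx), (b"\x5d\x00\x00", check_lzma), (b"hsqs", check_squashfs)]

def scan(img):
    """Return sorted (offset, description) pairs for every validated signature hit."""
    hits = []
    for magic, check in SIGNATURES:
        off = img.find(magic)
        while off != -1:
            desc = check(img, off)
            if desc:
                hits.append((off, desc))
            off = img.find(magic, off + 1)
    return sorted(hits)

def build_sample():
    # Constructed image: TRX header, LZMA header, a decoy "hsqs" string, a SquashFS superblock.
    lzma = struct.pack("<BIQ", 0x5D, 65536, 5494368) + b"\x00" * 19
    decoy = b"hsqs-not-a-filesystem" + b"\xff" * 40
    sqfs = struct.pack("<4sIIIIHHHHHHQQ", b"hsqs", 3158, 0, 131072, 0, 4, 17, 0, 1, 4, 0, 0, 96)
    body = lzma + decoy + sqfs
    return struct.pack("<4sIIHHIII", b"HDR0", 28 + len(body), 0x6980E553, 0, 1, 28, 0, 0) + body

if __name__ == "__main__":
    print("%-13s %-15s %s" % ("DECIMAL", "HEXADECIMAL", "DESCRIPTION"))
    for off, desc in scan(build_sample()):
        print("%-13d 0x%-13X %s" % (off, off, desc))
```

The decoy "hsqs" string at offset 60 is rejected because the bytes where the version field would sit do not describe a version 4 superblock; a truncated image likewise loses its TRX hit because the declared image size no longer fits.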
For additional examples and descriptions of advanced options, check the wiki page: