LINUX - Binwalk - firmware analyzer

INSTALLING BINWALK

##################

* Firmware Analyzer, looks for header signatures...

* GET LATEST TAR.GZ AT https://code.google.com/p/binwalk/, I RENAMED MINE TO .TGZ BUT IT DOESNT MATTER AT ALL SINCE TAR.GZ AND TGZ ARE THE SAME FORMAT. THE TAR TOOL WILL STILL EXTRACT IT WITH THE SAME OPTIONS

* NOTE: ITS JUST PYTHON PROGRAM AND ALSO A PYTHON LIBRARY (THAT GETS INSTALLED WITH THE python setup.py install COMMAND)

* THE MAIN PROGRAM THAT STARTS IT IS JUST A PYTHON SCRIPT THAT CAN BE PUT ANYWHERE

* PREQS. Do one by one (do not paste in whole block, literally do one by one)

apt-get update

apt-get -y install subversion 

apt-get -y install build-essential

apt-get -y install mtd-utils 

apt-get -y install zlib1g-dev 

apt-get -y install liblzma-dev 

apt-get -y install gzip 

apt-get -y install bzip2 

apt-get -y install tar

apt-get -y install unrar

apt-get -y install arj 

apt-get -y install p7zip

apt-get -y install openjdk-6-jdk 

apt-get -y install python-magic

apt-get -y install python-matplotlib

mkdir /opt/firmware-mod-kit && chmod a+rwx /opt/firmware-mod-kit

svn checkout http://firmware-mod-kit.googlecode.com/svn/trunk /opt/firmware-mod-kit/trunk

cd /opt/firmware-mod-kit/trunk/src

./configure

make

cd -

 

* TO INSTALL EXTRACT TAR.GZ

mkdir ~/programs

cd ~/programs

wget https://binwalk.googlecode.com/files/binwalk-1.2.1.tar.gz    (note get latest @ https://code.google.com/p/binwalk/ -> download link)

tar -xzvf binwalk-1.2.1.tar.gz

cd binwalk-1.2.1/src

sudo python setup.py install

* NOW TO TEST IT TYPE

binwalk

* IF YOU GET HELP OUT YOU WIN

RUNNING THE BINWALK

###################

* Showing just some main features

* There are lots of ways to extract, so I combine all of the ways into a script

GET PROGRESS WHILE ITS RUNNING

===============================

* Press Enter while its running and it will output progress. You can hold the enter if you want to, but I wouldnt thats just an interruption that slows things down

GET INFORMATION ABOUT HEADERS FROM BINWALK

===========================================

binwalk firmware

binwalk --verbose firmware

ANOTHER INTERSTING OUTPUT

==========================

* Similar to running "strings file" or "od -S file" we can run:

binwalk -S file

EXTRACT OUT THE FILES

===========================================

binwalk -e firmware

binwalk --verbose firmware

* IT MAKES FOLDER: _firmware.extract

HERE ARE ALL THE EXTRACTION OPTIONS

=====================================

* For M, e,r and d You must supply the "e" always

Extraction Options:

        -D, --dd=<type:ext[:cmd]>     Extract <type> signatures, give the files an extension of <ext>, and execute <cmd>

        -e, --extract=[file]          Automatically extract known file types; load rules from file, if specified

        -M, --matryoshka              Recursively scan extracted files, up to 8 levels deep

        -r, --rm                      Cleanup extracted files and zero-size files

        -d, --delay                   Delay file extraction for files with known footers

EXTRACT AND EXTRACT DEEPER AND DEEPER

======================================

* M repeats the options next to it, and it has to come together with at least e

binwalk -Me firmware

* IT MAKES FOLDER: _firmware.extract

MY FAVORITE:

============

binwalk -Me firmware

* IT MAKES FOLDER: _firmware.extract

* AND

binwalk -Mer firmware

* IT MAKES FOLDER: _firmware.extract

HOW TO RUN ALL 7 EXTRACTIONS METHODS

=====================================

* The 7 combos are -Me, -Med, -Mer, -Merd, -e, -ed, -er, -erd in no particular order (remember -e has to be included as its the one that means extraction)

METHOD1: NEW FOLDER NAMES KEEP THE SAME NAME

---------------------------------------------

(FWNAME="random_firmware_file";

binwalk -Me ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-Me;

binwalk -Med ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-Med;

binwalk -Mer ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-Mer;

binwalk -Merd ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-Merd;

binwalk -e ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-e;

binwalk -ed ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-ed;

binwalk -er ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-er;

binwalk -erd ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-erd;)

METHOD2 (BETTER W/ EXAMPLE) NEW FOLDER NAMES WITH DIFFERENT NAMES

-----------------------------------------------------------------

(FWNAME="random_firmware_file";

NEWNAME="rfw1";

binwalk -Me ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-Me;

binwalk -Med ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-Med;

binwalk -Mer ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-Mer;

binwalk -Merd ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-Merd;

binwalk -e ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-e;

binwalk -ed ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-ed;

binwalk -er ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-er;

binwalk -erd ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-erd;)

---EXAMPLE---

* Extracting Firmware firmware1 using all 7 methods, but renaming new folders to have the name R4223 instead

* THE BEFORE:

cd /somefolder/

ls -lish

* THE BEFORE OUTPUT OF ls -lish:

* total 53M

* 1310776 53M -rw-r--r-- 1 root root 53M Jun 18 09:57 random_firmware_file

du -sh *

* THE BEFORE OUTPUT OF du -sh *:

* 53M     random_firmware_file

THEN RAN THE ABOVE SCRIPT (COPY PASTE IT IN AND HIT ENTER, THE PARENTHESIS ARE GOOD THEY TELL BASH THIS IS ONE GIANT COMMAND, THE ABOVE CAN BE RAN WITHOUT THE PARENTHESIS AS WELL)

* AFTER:

ls -lish

* OUTPUT OF ls -lish:

* total 53M

* 1310776  53M -rw-r--r-- 1 root root  53M Jun 18 09:57 random_firmware_file

* 1310795 4.0K drwxr-xr-x 2 root root 4.0K Jun 18 10:12 _rfw1-e

* 1310814 4.0K drwxr-xr-x 2 root root 4.0K Jun 18 10:13 _rfw1-ed

* 1310833 4.0K drwxr-xr-x 2 root root 4.0K Jun 18 10:13 _rfw1-er

* 1310834 4.0K drwxr-xr-x 2 root root 4.0K Jun 18 10:14 _rfw1-erd

* 1310728 4.0K drwxr-xr-x 4 root root 4.0K Jun 18 10:07 _rfw1-Me

* 1310749 4.0K drwxr-xr-x 4 root root 4.0K Jun 18 10:09 _rfw1-Med

* 1310770 4.0K drwxr-xr-x 4 root root 4.0K Jun 18 10:10 _rfw1-Mer

* 1310783 4.0K drwxr-xr-x 4 root root 4.0K Jun 18 10:11 _rfw1-Merd

du -sh *

* OUTPUT OF du -sh *:

* 53M     random_firmware_file

* 347M    _rfw1-e

* 347M    _rfw1-ed

* 53M     _rfw1-er

* 53M     _rfw1-erd

* 347M    _rfw1-Me

* 347M    _rfw1-Med

* 53M     _rfw1-Mer

* 53M     _rfw1-Merd

SIDE NOTE:

===========

* For the above two examples dont run the scripts or binwalk extractions at the same time on the same firmware name (FWNAME) because they all make the _firmware.extracted folder, so you dont want overwrites happening.

* If your extracting the same firmware using different types of arguments at the same time, make sure your in a different directory, copy the firmware to a different directory. My script doesnt do them at the same time.