LINUX - Binwalk - firmware analyzer

INSTALLING BINWALK
##################

* Firmware Analyzer, looks for header signatures...

* GET LATEST TAR.GZ AT https://code.google.com/p/binwalk/, I RENAMED MINE TO .TGZ BUT IT DOESNT MATTER AT ALL SINCE TAR.GZ AND TGZ ARE THE SAME FORMAT. THE TAR TOOL WILL STILL EXTRACT IT WITH THE SAME OPTIONS

* NOTE: ITS JUST PYTHON PROGRAM AND ALSO A PYTHON LIBRARY (THAT GETS INSTALLED WITH THE python setup.py install COMMAND)
* THE MAIN PROGRAM THAT STARTS IT IS JUST A PYTHON SCRIPT THAT CAN BE PUT ANYWHERE

* PREQS. Do one by one (do not paste in whole block, literally do one by one)

apt-get update
apt-get -y install subversion 
apt-get -y install build-essential
apt-get -y install mtd-utils 
apt-get -y install zlib1g-dev 
apt-get -y install liblzma-dev 
apt-get -y install gzip 
apt-get -y install bzip2 
apt-get -y install tar
apt-get -y install unrar
apt-get -y install arj 
apt-get -y install p7zip
apt-get -y install openjdk-6-jdk 
apt-get -y install python-magic
apt-get -y install python-matplotlib
mkdir /opt/firmware-mod-kit && chmod a+rwx /opt/firmware-mod-kit
svn checkout http://firmware-mod-kit.googlecode.com/svn/trunk /opt/firmware-mod-kit/trunk
cd /opt/firmware-mod-kit/trunk/src
./configure
make
cd -
 
* TO INSTALL EXTRACT TAR.GZ
mkdir ~/programs
cd ~/programs
wget https://binwalk.googlecode.com/files/binwalk-1.2.1.tar.gz    (note get latest @ https://code.google.com/p/binwalk/ -> download link)
tar -xzvf binwalk-1.2.1.tar.gz
cd binwalk-1.2.1/src
sudo python setup.py install

* NOW TO TEST IT TYPE
binwalk

* IF YOU GET HELP OUT YOU WIN

RUNNING THE BINWALK
###################

* Showing just some main features
* There are lots of ways to extract, so I combine all of the ways into a script

GET PROGRESS WHILE ITS RUNNING
===============================

* Press Enter while its running and it will output progress. You can hold the enter if you want to, but I wouldnt thats just an interruption that slows things down

GET INFORMATION ABOUT HEADERS FROM BINWALK
===========================================

binwalk firmware
binwalk --verbose firmware

ANOTHER INTERSTING OUTPUT
==========================

* Similar to running "strings file" or "od -S file" we can run:
binwalk -S file

EXTRACT OUT THE FILES
===========================================

binwalk -e firmware
binwalk --verbose firmware

* IT MAKES FOLDER: _firmware.extract

HERE ARE ALL THE EXTRACTION OPTIONS
=====================================

* For M, e,r and d You must supply the "e" always
Extraction Options:
        -D, --dd=<type:ext[:cmd]>     Extract <type> signatures, give the files an extension of <ext>, and execute <cmd>
        -e, --extract=[file]          Automatically extract known file types; load rules from file, if specified
        -M, --matryoshka              Recursively scan extracted files, up to 8 levels deep
        -r, --rm                      Cleanup extracted files and zero-size files
        -d, --delay                   Delay file extraction for files with known footers


EXTRACT AND EXTRACT DEEPER AND DEEPER
======================================

* M repeats the options next to it, and it has to come together with at least e

binwalk -Me firmware

* IT MAKES FOLDER: _firmware.extract

MY FAVORITE:
============

binwalk -Me firmware
* IT MAKES FOLDER: _firmware.extract

* AND

binwalk -Mer firmware
* IT MAKES FOLDER: _firmware.extract

HOW TO RUN ALL 7 EXTRACTIONS METHODS
=====================================

* The 7 combos are -Me, -Med, -Mer, -Merd, -e, -ed, -er, -erd in no particular order (remember -e has to be included as its the one that means extraction)


METHOD1: NEW FOLDER NAMES KEEP THE SAME NAME
---------------------------------------------

(FWNAME="random_firmware_file";
binwalk -Me ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-Me;
binwalk -Med ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-Med;
binwalk -Mer ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-Mer;
binwalk -Merd ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-Merd;
binwalk -e ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-e;
binwalk -ed ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-ed;
binwalk -er ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-er;
binwalk -erd ${FWNAME}; mv _${FWNAME}*extract* _${FWNAME}-erd;)

METHOD2 (BETTER W/ EXAMPLE) NEW FOLDER NAMES WITH DIFFERENT NAMES
-----------------------------------------------------------------

(FWNAME="random_firmware_file";
NEWNAME="rfw1";
binwalk -Me ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-Me;
binwalk -Med ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-Med;
binwalk -Mer ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-Mer;
binwalk -Merd ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-Merd;
binwalk -e ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-e;
binwalk -ed ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-ed;
binwalk -er ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-er;
binwalk -erd ${FWNAME}; mv _${FWNAME}*extract* _${NEWNAME}-erd;)

---EXAMPLE---

* Extracting Firmware firmware1 using all 7 methods, but renaming new folders to have the name R4223 instead

* THE BEFORE:
cd /somefolder/
ls -lish
* THE BEFORE OUTPUT OF ls -lish:
* total 53M
* 1310776 53M -rw-r--r-- 1 root root 53M Jun 18 09:57 random_firmware_file
du -sh *
* THE BEFORE OUTPUT OF du -sh *:
* 53M     random_firmware_file

THEN RAN THE ABOVE SCRIPT (COPY PASTE IT IN AND HIT ENTER, THE PARENTHESIS ARE GOOD THEY TELL BASH THIS IS ONE GIANT COMMAND, THE ABOVE CAN BE RAN WITHOUT THE PARENTHESIS AS WELL)

* AFTER:
ls -lish
* OUTPUT OF ls -lish:
* total 53M
* 1310776  53M -rw-r--r-- 1 root root  53M Jun 18 09:57 random_firmware_file
* 1310795 4.0K drwxr-xr-x 2 root root 4.0K Jun 18 10:12 _rfw1-e
* 1310814 4.0K drwxr-xr-x 2 root root 4.0K Jun 18 10:13 _rfw1-ed
* 1310833 4.0K drwxr-xr-x 2 root root 4.0K Jun 18 10:13 _rfw1-er
* 1310834 4.0K drwxr-xr-x 2 root root 4.0K Jun 18 10:14 _rfw1-erd
* 1310728 4.0K drwxr-xr-x 4 root root 4.0K Jun 18 10:07 _rfw1-Me
* 1310749 4.0K drwxr-xr-x 4 root root 4.0K Jun 18 10:09 _rfw1-Med
* 1310770 4.0K drwxr-xr-x 4 root root 4.0K Jun 18 10:10 _rfw1-Mer
* 1310783 4.0K drwxr-xr-x 4 root root 4.0K Jun 18 10:11 _rfw1-Merd
du -sh *
* OUTPUT OF du -sh *:
* 53M     random_firmware_file
* 347M    _rfw1-e
* 347M    _rfw1-ed
* 53M     _rfw1-er
* 53M     _rfw1-erd
* 347M    _rfw1-Me
* 347M    _rfw1-Med
* 53M     _rfw1-Mer
* 53M     _rfw1-Merd


SIDE NOTE:
===========

* For the above two examples dont run the scripts or binwalk extractions at the same time on the same firmware name (FWNAME) because they all make the _firmware.extracted folder, so you dont want overwrites happening.

* If your extracting the same firmware using different types of arguments at the same time, make sure your in a different directory, copy the firmware to a different directory. My script doesnt do them at the same time.