Binwalk is a tool for searching a given binary image for embedded files and executable code. Specifically, it is designed for identifying files and code embedded inside of firmware images. Binwalk uses the libmagic library, so it is compatible with magic signatures created for the Unix file utility.
git clone https://github.com/devttys0/binwalk.git
cd binwalk
sudo python3 setup.py install
If you are running Python 2.x, the lzma module must also be installed:
sudo apt-get install python-lzma
USAGE
binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] …
$ binwalk firmware.bin
Some file types cannot be identified accurately from a signature match alone. Detecting these types requires a specific plugin; because such plugins greatly increase scan time and memory use, they are not enabled by default.
For example, scanning for zlib compressed data requires the zlib plugin:
$ binwalk --enable-plugin=zlib firmware.bin
Filter Function
The -y option includes only results matching the specified search text. The search text is matched against the lowercase signature description and may be a regular expression; multiple -y options can be specified. The following scan reports only results whose description contains “filesystem”:
$ binwalk -y filesystem firmware.bin
The -x option excludes results matching the specified search text. As with -y, the text is matched against the lowercase description, may be a regular expression, and multiple -x options can be specified. The following example excludes any result whose description contains “jffs2”:
$ binwalk -x jffs2 firmware.bin
You can combine the -y and -x options.
Example: the following scan reports only results whose description contains “filesystem”, excluding those that also contain “jffs2”:
$ binwalk -y filesystem -x jffs2 firmware.bin
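The following is an added example (not binwalk's code) of how a signature scan and the -y/-x filtering described above fit together. It searches a constructed image for a handful of hand-written magic byte patterns (a constructed subset, not binwalk's libmagic database), prints the matches in binwalk's DECIMAL / HEXADECIMAL / DESCRIPTION layout, and then filters them the way include and exclude options do: the description is lowercased and each pattern is applied as a regular expression. Note that matching raw magic bytes without any validation is exactly what produces false positives on real images, which is why binwalk supplements signatures with validation plugins.

```python
"""Toy signature scan with include/exclude filtering (added example, not binwalk)."""
import re

# Constructed signature table: (magic bytes, binwalk-style description).
SIGNATURES = [
    (b"\x7fELF", "ELF header"),
    (b"\x1f\x8b\x08", "gzip compressed data"),
    (b"hsqs", "Squashfs filesystem, little endian"),
    (b"\x85\x19\x03\x20", "JFFS2 filesystem, little endian, cleanmarker"),
    (b"PK\x03\x04", "Zip archive data"),
]


def build_image(size=4096):
    """Constructed sample 'firmware': zero padding with magic bytes at fixed offsets."""
    image = bytearray(size)
    placements = [
        (0x040, b"\x7fELF\x01\x01\x01"),
        (0x200, b"\x1f\x8b\x08\x00"),
        (0x400, b"hsqs"),
        (0x800, b"\x85\x19\x03\x20"),
        (0xC00, b"PK\x03\x04"),
    ]
    for offset, blob in placements:
        image[offset:offset + len(blob)] = blob
    return bytes(image)


def scan(data):
    """Return [(offset, description)] for every signature match, sorted by offset."""
    results = []
    for magic, description in SIGNATURES:
        start = 0
        while True:
            pos = data.find(magic, start)
            if pos < 0:
                break
            results.append((pos, description))
            start = pos + 1
    return sorted(results)


def apply_filters(results, include=(), exclude=()):
    """Keep results whose lowercased description matches any include regex
    (when include patterns were given) and matches no exclude regex.

    This mirrors the -y (include) and -x (exclude) behaviour: several
    patterns may be given and matching is done on the lowercase text."""
    kept = []
    for offset, description in results:
        text = description.lower()
        if include and not any(re.search(p.lower(), text) for p in include):
            continue
        if any(re.search(p.lower(), text) for p in exclude):
            continue
        kept.append((offset, description))
    return kept


def render(results):
    """Format results in binwalk's DECIMAL / HEXADECIMAL / DESCRIPTION layout."""
    lines = ["%-13s %-15s %s" % ("DECIMAL", "HEXADECIMAL", "DESCRIPTION"),
             "-" * 60]
    for offset, description in results:
        lines.append("%-13d 0x%-13X %s" % (offset, offset, description))
    return "\n".join(lines)


if __name__ == "__main__":
    image = build_image()
    everything = scan(image)
    print(render(everything))
    print("\nEquivalent of -y filesystem -x jffs2:")
    print(render(apply_filters(everything, include=["filesystem"], exclude=["jffs2"])))
```

Running the script prints all five constructed matches, then only the Squashfs entry once the include pattern keeps the two filesystem results and the exclude pattern drops the JFFS2 one.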
Extracting files
Manually extract files
Binwalk can extract data it finds in the target file; the --dd option specifies the extraction rule, which has the format:
<type>:<extension>[:<command>]
type is a lowercase string matched against the signature description (regular expressions are supported)
extension is the file extension used when saving the data to disk
command is an optional command to execute after the data has been saved to disk
By default, the extracted file is named after the hexadecimal offset at which the signature was found, unless the signature specifies an alternative file name.
For example, a --dd rule can extract any signature containing the string “zip archive” to a file with the extension “zip” and then run a decompression command on it. Multiple --dd options can be specified.
Note the use of placeholders such as “%e”: this placeholder is replaced with the relative path of the extracted file when the command is executed.
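As an added example (not binwalk's code), the following script applies rules in the <type>:<extension>[:<command>] format described above to a list of constructed scan results. For each result whose lowercased description matches the rule's type regex it carves the data, names the file after the hexadecimal offset, and, when a command is present, runs it with %e replaced by the relative path of the carved file. Everything here is constructed: the image is a fake 64-byte ELF header region followed by a real gzip member, the scan results are hard-coded, and Python's own `python -m gzip -d` stands in for an external decompressor. The carve runs from the match offset to the end of the image because this toy scan reports no sizes; that is a simplification of this example.

```python
"""Applying --dd style extraction rules (added example, not binwalk's code)."""
import gzip
import os
import re
import shlex
import subprocess
import sys
import tempfile

# Constructed payload that the embedded gzip member will decompress to.
PAYLOAD = b"constructed root filesystem listing: /bin /etc /lib /sbin\n"


def build_image():
    """Constructed image: a 64-byte fake ELF header region followed by a gzip member."""
    header = b"\x7fELF" + b"\x00" * 60
    return header + gzip.compress(PAYLOAD)


# Constructed scan results resembling what a signature scan would report.
SCAN_RESULTS = [
    (0x00, "ELF, 32-bit LSB executable"),
    (0x40, "gzip compressed data, from Unix"),
]


def parse_rule(rule):
    """Split 'type:ext[:command]' into its parts; the command may be None."""
    parts = rule.split(":", 2)
    if len(parts) < 2:
        raise ValueError("rule must be <type>:<extension>[:<command>]: %r" % rule)
    rtype, ext = parts[0].lower(), parts[1]
    command = parts[2] if len(parts) == 3 else None
    return rtype, ext, command


def extract(image, results, rules, outdir):
    """Carve every result selected by a rule into outdir and run its command.

    Returns the list of carved file names (hex offset plus rule extension)."""
    carved = []
    parsed = [parse_rule(r) for r in rules]
    for offset, description in results:
        for rtype, ext, command in parsed:
            if not re.search(rtype, description.lower()):
                continue
            # Default file name: hexadecimal offset of the signature match.
            name = "%X.%s" % (offset, ext)
            with open(os.path.join(outdir, name), "wb") as fh:
                fh.write(image[offset:])  # simplification: carve to end of image
            carved.append(name)
            if command:
                # %e -> relative path of the carved file; the command runs inside outdir.
                argv = [a.replace("%e", name) for a in shlex.split(command)]
                subprocess.run(argv, cwd=outdir, check=True)
    return carved


def run_demo():
    """Carve with two rules and return (carved names, decompressed gzip payload)."""
    outdir = tempfile.mkdtemp(prefix="dd-demo-")
    rules = [
        "elf:elf",  # no command: just carve to 0.elf
        # python -m gzip -d stands in for an external decompressor such as gunzip
        "gzip compressed:gz:%s -m gzip -d %%e" % shlex.quote(sys.executable),
    ]
    carved = extract(build_image(), SCAN_RESULTS, rules, outdir)
    # 'gzip -d' on 40.gz writes the decompressed file '40' beside it.
    with open(os.path.join(outdir, "40"), "rb") as fh:
        recovered = fh.read()
    return carved, recovered


if __name__ == "__main__":
    names, data = run_demo()
    print("carved:", names)
    print("recovered:", data.decode())
```

The first rule shows the optional command being omitted; the second shows the %e substitution feeding the carved file to a decompressor, which is the pattern the page describes for the zip case.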
Automated extraction
The -e option performs automatic extraction using the rules in the default extract.conf file:
$ binwalk -e firmware.bin
Extraction with a custom set of rules works the same way, except that the path to the custom extraction rule file must be specified.
Often the extracted data needs further analysis with binwalk. To automate this, binwalk can recursively scan the data it has extracted (including data produced by external decompression or extraction tools) when the -M option is specified together with -e:
$ binwalk -Me firmware.bin
Opcode
When the -A option is used, binwalk scans the target file for various opcodes that are usually associated with function frames, i.e. embedded executable code:
$ binwalk -A firmware.bin
Compare function
Binwalk can generate hex dumps and diffs of one or more files. Bytes that are the same in all files are shown in green, bytes that differ are shown in red, and bytes present in only some of the files are shown in blue.
In addition to the signature-based scan described above, binwalk can perform a string analysis of the target file. Although it is not a complete replacement for the Unix strings utility, binwalk filters out most “garbage” strings by applying some very simple validation rules and ignoring some non-sequential data blocks:
$ binwalk -S firmware.bin
Entropy analysis
Binwalk can perform entropy analysis on the target file, producing the raw entropy data and/or a graphical plot of it:
$ binwalk -E firmware.bin
Signature or string analysis can be combined with entropy analysis. For example, the following command scans the target file for executable code and also generates the entropy graph:
$ binwalk -AE firmware.bin
Heuristic
Identify unknown compression/encryption based on entropy heuristics (implies -E)
Note that this scan requires two passes (one for the initial entropy analysis and a second for the more detailed heuristic analysis), so it takes some time to complete, especially on large target files.
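The following is an added example (not binwalk's code) of the two-pass idea behind the entropy and heuristic scans. Pass one computes the normalised Shannon entropy of each fixed-size block, which is the raw data an entropy graph is drawn from; pass two walks that curve with a rising and a falling threshold (hysteresis) to delimit regions whose entropy is high enough to be compressed or encrypted data. The block size and thresholds are this example's choices, not binwalk settings, and the sample image is constructed: repeated ASCII text, zero padding, a seeded pseudo-random blob standing in for compressed/encrypted data, and more zeros.

```python
"""Block-wise entropy with a two-pass heuristic region finder (added example)."""
import math
import random

BLOCK_SIZE = 1024     # this example's block size
RISING_EDGE = 0.95    # entropy at or above this starts a suspicious region
FALLING_EDGE = 0.85   # entropy below this ends it (hysteresis avoids flicker)


def shannon_entropy(block):
    """Normalised Shannon entropy of a byte block: 0.0 (constant) .. 1.0 (uniform)."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    bits = -sum(c / n * math.log2(c / n) for c in counts if c)
    return bits / 8.0


def entropy_curve(data, block_size=BLOCK_SIZE):
    """Pass one: [(offset, entropy)] for each block of the file."""
    return [(off, shannon_entropy(data[off:off + block_size]))
            for off in range(0, len(data), block_size)]


def high_entropy_regions(curve, block_size=BLOCK_SIZE,
                         rising=RISING_EDGE, falling=FALLING_EDGE):
    """Pass two: group consecutive high-entropy blocks into [(start, end)] regions."""
    regions, start = [], None
    for off, e in curve:
        if start is None and e >= rising:
            start = off
        elif start is not None and e < falling:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, curve[-1][0] + block_size))
    return regions


def build_image():
    """Constructed sample: text, zeros, a pseudo-random blob, then zeros again."""
    text = (b"Constructed firmware banner v1.2.3, board rev B\n" * 64)[:2048]
    zeros = bytes(2048)
    rng = random.Random(20240601)  # fixed seed so the demo is reproducible
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    return text + zeros + blob + zeros


def text_plot(curve, width=50):
    """Crude text rendering of the entropy graph, one bar per block."""
    return "\n".join("0x%06X %-*s %.3f" % (off, width, "#" * int(e * width), e)
                     for off, e in curve)


if __name__ == "__main__":
    image = build_image()
    curve = entropy_curve(image)
    print(text_plot(curve))
    for start, end in high_entropy_regions(curve):
        print("High entropy region 0x%X-0x%X: likely compressed or encrypted data"
              % (start, end))
```

On the constructed image the text blocks land around the middle of the scale, the zero blocks at 0.0, and only the pseudo-random blob crosses the rising edge, so a single region covering it is reported. The hysteresis matters on real firmware, where a compressed section's entropy dips slightly at block boundaries and a single threshold would split it into many fragments.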
Plugin
Use the --list-plugins option to list the names and attributes of the available binwalk plugins:
$ binwalk --list-plugins
Enable plug-in
Some plugins are disabled by default. These can be enabled with the --enable-plugin option:
$ binwalk --enable-plugin=foo firmware.bin
Disable plug-in
Some plugins are enabled by default. These can be disabled with the --disable-plugin option.
Alternatively, all plugins can be disabled with the --disable-plugins option:
$ binwalk --disable-plugins firmware.bin
Logging function
Binwalk's output is often very long.
The -f option specifies a log file. Note that unless the -Q option is also specified, results are printed both to stdout and to the log file:
$ binwalk -f binwalk.log firmware.bin
The log file can also be saved in CSV format:
$ binwalk -f binwalk.log --csv firmware.bin
Upgrade function
The -u option updates binwalk's magic and configuration files to the latest version checked in to the project's SVN repository (requires root privileges).