build-dependencies on debian
debhelper (>= 9),
python-all-dev,
dh-autoreconf,

runtime deps
${python:Depends}, ${shlibs:Depends}, ${misc:Depends}, python-pyqtgraph,
python-matplotlib,
python-pyqtgraph,
python-magic,
mtd-utils,
zlib1g-dev,
liblzma-dev,
ncompress,
gzip,
bzip2,
tar,
arj,
p7zip,
p7zip-full,
openjdk-7-jdk | openjdk-8-jdk,
libfuzzy-dev,
libmagic-dev

is that correct? if I understand correctly the libraries so are searched on the path /usr/lib at runtime, but will it pick only the so symlink (the -dev package) or the real library?
libfuzzy.so libfuzzy.so.2 libfuzzy.so.2.0.0

the first libfuzzy.so belong to libfuzzy-dev, while the others to the libfuzzy2 one

Unable to use this version of binwalk. Getting those errors:
WARNING: Error loading plugin 'lzmamod.py': [Errno 13] Permission denied
The files concerned are:
'zlibvalid.py'
'tar.py'
'cpio.py'
'lzmamod.py'
'compressd.py'

This is for the ArchAssault project, we would like to see if we can get this new version released asap.

Latest 2.0.0 version with python-pyqtgraph, python-pydeep, python-opengl, python-magic

writing byte-compilation script '/tmp/tmppsod3twp.py'
/usr/bin/python -O /tmp/tmppsod3twp.py
File "/binwalk/pkg/binwalk/usr/lib/python3.4/site-packages/binwalk/libs/pyqtgraph/graphicsItems/tests/ViewBox.py", line 45
print "link views match:", viewsMatch()
^
SyntaxError: invalid syntax

I had to patch the makefile to get it to install in a fakeroot as it installs to /usr by default.

--- Makefile.orig 2014-07-26 17:21:03.872987035 -0400
+++ Makefile 2014-07-26 17:21:44.969019430 -0400
@@ -3,6 +3,7 @@
export SONAME=-soname
export SOEXT=so
export prefix=/usr
+export DESTDIR=""
export exec_prefix=${prefix}
export LIBDIR=${exec_prefix}/lib
export INSTALL_OPTIONS=-m644
@@ -22,7 +23,7 @@
ifeq ($(strip $(prefix)),)
PREFIX=""
else

• PREFIX="--prefix=$(prefix)"
• PREFIX="--prefix=$(DESTDIR)$(prefix)"
  endif

.PHONY: all install build deps clean uninstall
@@ -30,7 +31,7 @@
all: build

install: build

• $(PYTHON) ./setup.py install $(PREFIX)
• $(PYTHON) ./setup.py install $(PREFIX) --optimize=1

build:
if [ "$(BUILD_C_LIBS)" -eq "1" ]; then make -C $(SRC_C_DIR); fi

Thanks
Arch3y

Migrated from issue 73 on old googlecode site: https://code.google.com/p/binwalk/issues/detail?id=73

This is something I know you are aware of.

If not porting this to newer versions, please substitute the first line on every file to point to python2 executable so that people with both python2 and 3 can use python3 as default but be able to run this tool.

!/usr/bin/env python

should be

!/usr/bin/env python2

Is this posible?

(sorry if this submits twice, Github is being weird)

With recursively extracting a firmware image I noticed a recurring pattern of files being identified as containing deflate streams a single byte apart, e.g.:

$ binwalk -MerX ./_DB849F.extracted/_D2.extracted/_3E.extracted/2D1
Scan Time:     2014-08-25 07:27:51
Target File:   ./_DB849F.extracted/_D2.extracted/_3E.extracted/2D1
MD5 Checksum:  82aafd83cffb268ab5cafedf152f9e92

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
60            0x3C            Raw deflate compression stream, uncompressed size >= 33787
61            0x3D            Raw deflate compression stream, uncompressed size >= 33787

One such file (the one from this example) is uuencoded here; doesn't look very compressed to me.

This was done with binwalk cloned from git about an hour ago.

Inside an update zip for a Sony car head deck, http://www.sony.com.au/support/download/553228

The only detection from update.bin is:

5683379 0x56B8B3 XBE, Microsoft Xbox executable, signed

Which seems unlikely!

My friend devttys0,

Could you help me with this problem,
When i tryed extract the folders at my frimware(cramfs file) all the modules have no data. They appear to be the correct size but when looked at via hex editor have no data at all. https://github.com/timigo/Firmware/blob/master/Firmware_MG.bin is the unextracted original firmware file. The cramfs file of firmware fails to extract any non-corrupt modules. Please help me to extract this cramfs of firmware i need edit some pastes this firmware. Thanks.

The new 3D visualization option requires python-opengl (for Debian derivatives), easy_install should include something like apt-get install python-opengl (or download directly using pip).

$ binwalk --3D firm.bin
Unexpected error: No module named OpenGL.GL

$ sudo apt-get install python-opengl

$ binwalk --3D firm.bin
Generating data points for firm.bin
Generating plot points from 1378803 data points
Calculating weight...
Weight: 3
Generating graph from 1616 plot points
[20:41:33]

In addition to that, I didn't have OpenGL drivers on my virtual machine and had to install "nvidia-current" package (Nvidia gfx card) for the 3D visualization to work.

Greetings,

This was found using binwalk version 1.2.2-1:
When running a python 'service' from /etc/init.d and I have issues calling the following command in the python service:

cmd = os.popen("binwalk -W {0} {1} > /apps/working/binwalk/diff/output.txt".format(new_robj[1], new_robj[2]))

The error I get is:
<open file 'binwalk -W /apps/working/binwalk/diff/cmos_custom.dump /apps/working/binwalk/diff/GOLD_cmos_custom.dump > /apps/working/binwalk/diff/output.txt', mode 'r' at 0x7fb7db9116f0>
Traceback (most recent call last):
File "/usr/local/bin/binwalk", line 593, in
main()
File "/usr/local/bin/binwalk", line 195, in main
config = binwalk.Config()
File "/usr/local/lib/python2.7/dist-packages/binwalk/config.py", line 68, in init
self.paths['user'][self.BINWALK_MAGIC_FILE] = self._user_path(self.BINWALK_MAGIC_DIR, self.BINWALK_MAGIC_FILE)
File "/usr/local/lib/python2.7/dist-packages/binwalk/config.py", line 138, in _user_path
return self._file_path(os.path.join(self.user_dir, self.BINWALK_USER_DIR, subdir), basename)
File "/usr/lib/python2.7/posixpath.py", line 77, in join
elif path == '' or path.endswith('/'):
AttributeError: 'NoneType' object has no attribute 'endswith'

Currently if you run binwalk -e on a file containing jpeg files, binwalk will create an empty folder.

To actually extract the files you have to make a dummy entry in ~/.binwalk/config/extract.conf, like:

jpeg:jpg:echo

Would it be possible to either make -e extract all recognizable file types or provide a new option which does this?

I download wrt120n from http://downloads.linksys.com/downloads/firmware/1224646102739/FW_WRT120N_1.0.07.002_US.bin

I have this problem....
there is a full dump as follows：

Ubuntu@Ubuntu:~/Firmware$ binwalk FW_WRT120N_1.0.07.002_US.bin

DECIMAL HEXADECIMAL DESCRIPTION

1041408 0xFE400 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 1420202 bytes

Ubuntu@Ubuntu:~/Firmware$ binwalk -I FW_WRT120N_1.0.07.002_US.bin
DECIMAL HEXADECIMAL DESCRIPTION

3081 0xC09 JFFS2 filesystem, little endian, invalid, invalid invalid
6074 0x17BA Foscam WebUI filesystem, checksum: 0xBF36, invalid first file name length, first file name: "fu%5t\013\230\205f=\355C\260\263\367s\272\231\030\227s\247X\353\204Lxa\030\363wW\3568\226\327\240)\024\214@\255\314N\035\263\302\237\217+w\022\340+\301%\213=\317\303\346!^"
9615 0x258F JFFS2 filesystem, big endian, invalid, invalid

Binwalk can't extract filesystem from the WRT120N.
Any ideas?
thanks

The parameters are used if they were enabled/disabled, but they are actually passed/not-passed.

I'll probably send a patch to fix that later, but in the mean time be warned.

Further reference: https://www.flameeyes.eu/autotools-mythbuster/autoconf/arguments.html

Hey,
Need to add to the INSTALL file a dependency of libtool which is not automatically installed in make time.

The firmware file https://github.com/Lightsword1942/jungo-image/blob/master/4.0.16.1.56.0.10.11.6-MI424WR.rmt for the MI424-WR Actiontec router appears unable to decompress. https://github.com/Lightsword1942/jungo-image/tree/master/_4.0.16.1.56.0.10.11.6-MI424WR.rmt.extracted

installer does not chmod and move the lib files after compiling them
also
sudo ldconfig

Binwalk extracts a ton of JFFS2 images from this firmware, even if -y jffs2 is specified on the command line. Seems to be due to zlib compression being identified in between multiple JFFS2 node headers.

Firmware: http://t.co/Hxn5wwX5Nl

-small fix: it cannot be RC and RU at the same time
-added detection for dev builds
-added detection for alias names
-added support for WWAN Firmware detection (4G devices)
-added support for bootloaders
-get the build date when it is stored as string (older firmware versions)

0    string            ELSF              LANCOM firmware header,
>22  string            x                 model: "%s",
>18  string            x                 firmware version: "%.4s",
>12  ubyte             255               Rel,
>12  ubyte             253               alpha,
>12  ubyte             220               PR,
>12  ubyte             >0
>>12 ubyte             <220              RC%d,
>12  ubyte             >220
>>12 ubyte             <237              RU{math:%d-220},
>12  ubyte             0                 dev
>17  ubyte             >0
>>17 ubyte             x                 build %d
#get build date
>7   ubyte             !63
#date is stored as string
>>7  string            x                 ("%.8s")

0    string            ELSO              LANCOM OEM file

0    string            ELSB              LANCOM firmware loader,
>22  string            x                 model: "%s",
>18  string            x                 loader version: "%.4s",


0    string            ELSC              LANCOM WWAN firmware
>4   ubyte             3
>>5  beshort           0
>>7  string            x                 %s

0 string               ELSP                LANCOM file entry
>202 string            @(RECENT_FIRMWARE)/ \b, file name:
>>221 string           x                   "%s"
>>221 string           x                   {file-name:%s}
>(198.L+202) belong    2
>>(198.L+206) belong   x                   \b, file size: %d bytes
>>(198.L+206) belong   x                   {file-size:%d}
>(198.L+202) belong    3
>>&4 string            @(RECENT_FIRMWARE)/ \b, alias:
>>&23 string           x                   "%s"
>>&(&0.L(0)) belong    x
>>>&4 belong           x                   \b, file size: %d bytes

Btw. how to get the extraction to work properly for the files in the ELSP sections?

There seem to exist three different compressions of the firmware part "ELSF":
Firmware 1.x (ELSA): no compression
Firmware 2.x and higher: huffman
More recent firmware LZMA

And there are different cpu architectures used as well:
16x1,17xx,18xx series: Intel XScale
178X, 7100, 9100 series Freescale

Hi Binwalk team,

I'm trying do a installation of binwalk on your newer version, and until now doesn't work.
The install fail on FreeBSD 10, CentOS 6.4 and Fedora 17. But now, i will insist on CentOS 6.

The error is on CentOS says that "MAGIC_NO_CHECK_TEXT" is undeclared, and show the follow url to do a manual installation of "libmagic": ftp://ftp.astron.com/pub/file/file-5.14.tar.gz. After the download, upack, configure, make and make install, the error still the afirmation that my libmagic is old.

Fine... Which Linux or Unix Like operating system is approved by binwalk team?

I download the master branch today.

Thanks and sorry about my bad english.

Hello,

Why does deps.sh create directory /opt/firmware-mod-kit by root and will leave it writable by anyone?

if [ ! -e /opt/firmware-mod-kit ]
then
    $SUDO mkdir -p /opt/firmware-mod-kit
    $SUDO chmod a+rwx /opt/firmware-mod-kit
fi

I would restrict writing to the user who launches the script, i.e.

if [ ! -e /opt/firmware-mod-kit ]
then
    $SUDO mkdir -p /opt/firmware-mod-kit
    $SUDO chown $USER /opt/firmware-mod-kit
    $SUDO chmod o+rwx /opt/firmware-mod-kit
fi

I created a signature for LANCOM Firmware Images, but I wonder why this line does not work:

>12  byte              <220              RC%d        #bug???

The value of the Byte is 1.

Firmware files can be found here:
ftp://ftp.lancom.de/LANCOM-Releases/

0  string              ELSF              LANCOM firmware header
>18  string            x                 {raw-replace}
>12  byte              255               Rel
>12  byte              253               alpha
>12  byte              220               PR
>12  byte              <220              RC%d        #bug???
>12  byte              <237              RU(%d-220)
>17  byte              x                 Build %d
>18  string            x                 {raw-string-length:4}
>18  string            x                 {raw-string:%s}

0 string               ELSO              LANCOM OEM file

0 string               ELSP
>202 string            x                  %s

Hi
i tried without success adding some custom magic file while loading modules in python script. Currently the only way i found was to add my custom signature directly into the binwalk generic magic file.
When trying the custom magic file with binwalk using command line, parsing is giving correct detection signature.

Hi Craig, I have another suggestion for binwalk: perform directory tree diff using Fuzzy Hashing. Please check here: http://w00tsec.blogspot.com/2013/12/binwally-directory-tree-diff-tool-using.html

This would be interesting to have as a new command line switch under the Binary Diffing options, for example.

libtinfl (used by deflate plugin) segfaults if given bad data; reproducible, needs more investigation.

If libtinfl is asked to decompress a large block of invalid/corrupt deflated data, it just spins until locking up the machine.

Stems from two issues:

• Configuration shipped with ssdeep is not compatible
  • Need to autoreconf && ./configure
• Quoting of version names breaks grep statements
  • sed -e s/libmagic/libinmagic/g < ./file-"5.18"/src/Makefile >./file-"5.18"/src/mktmp

http://www.tenda.cn/uploadfile/downloads/uploadfile/201310/2013101/W311R_V5.07.17_en_03_Russai.zip

The trx header is correctly recognized. Unpack with -Me option I got three file,the latest generated file had an extension 7z, but actually cannot decompress either with 7-zip or lzma. The 1C.7z decompressing also got a warning,"the data is corrupt".
Using hex editor open the decompressed files you can say it may just all, for it included some strings seemed to be come from binary executable.
I think the firmware may have a different data structure.

I have a firmware with each file packed separately as a gzip, but the file name is offset 0x108 before the gzip magic, rather than contained in the gzip archive itself.
i.e. SWinFlash_64.exe.gz , null bytes padding, gzip archive (1F 8B 08).
The simple answer seems a negative offset but appears to not be possible? Any suggestions please ?

003A6F80   D9 75 F4 48  29 33 DF 46  93 5D 5F 58  58 58 58 58  58 58 58 58  58 58 58 58  5C 08 FC 7F  9A 3B 66 58  .u.H)3.F.]_XXXXXXXXXXXXX\....;fX
003A6FA0   00 E0 04 00  53 57 69 6E  46 6C 61 73  68 5F 36 34  2E 65 78 65  2E 67 7A 00  00 00 00 00  00 00 00 00  ....SWinFlash_64.exe.gz.........
003A6FC0   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................................
003A6FE0   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................................
003A7000   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................................
003A7020   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................................
003A7040   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................................
003A7060   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................................
003A7080   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................................
003A70A0   00 00 00 00  00 00 00 00  C7 35 01 00  1F 8B 08 00  00 00 00 00  00 0B EC BD  7F 60 54 C5  B5 38 7E 37  .........5...............`T..8~7

The firmware file https://github.com/Lightsword1942/jungo-image/blob/master/A90-9100EM15-10_1.02.00.04.rmt for the westell 9100EM appears to have a romfs image that fails to extract. https://github.com/Lightsword1942/jungo-image/blob/master/_A90-9100EM15-10_1.02.00.04.rmt.extracted/_vmlinux.bin.extracted/rom%2048b74195.romfs

Upgrade file/python-magic to 5.14. It appears this change:

2013-01-11  14:50  Christos Zoulas <[email protected]>
        * Warn about inconsistent continuation levels.

Causes this crud to output:

/tmp/tmpG0sN83, 4920: Warning: New continuation level 2 is more than one larger than current level 0
/tmp/tmpG0sN83, 4924: Warning: New continuation level 2 is more than one larger than current level 0

File in question is PANA_ESD.FRM decompressed from http://pcfdl.svrpf.jp/pc/en/bd/pwt520/UPDATE_PWT520_HW220GL_V131.exe (SFX RAR)

Binwalk's output (latest from Git at the time of this posting)

DECIMAL         HEX             DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
3425351         0x344447        ELF
3775813         0x399D45        gzip compressed data, from VMS, last modified: Fri Feb  1 21:33:24 2013
19362691        0x1277383       PNG image, 435166958 x 435167496, 3-bit
19625495        0x12B7617       PNG image, 1622790752 x 4145481730, 210-bit
19695546        0x12C87BA       PNG image, 2239766254 x 2239766792, 6-bit
19721837        0x12CEE6D       PNG image, 4064297966 x 4064290824, 6-bit
19857655        0x12F00F7       PNG image, 912272630 x 2388723718, 54-bit
19954632        0x1307BC8       PNG image, 2640378862 x 2640325384, 2-bit
19959351        0x1308E37       PNG image, 1067485422 x 1067481096, 6-bit
19993353        0x1311309       PNG image, 412109038 x 412101128, 6-bit
20011792        0x1315B10       PNG image, 716188918 x 1588660230, 42-bit
22228649        0x1532EA9       TIFF image data, big-endian
22501960        0x1575A48       PNG image, 1429217518 x 1429218824, 6-bit
22570639        0x158668F       PNG image, 2108696310 x 778110982, 125-bit
22653136        0x159A8D0       PNG image, 3838842102 x 3838841352, 1-bit
22713358        0x15A940E       PNG image, 2687509742 x 2687508488, 3-bit
22721381        0x15AB365       PNG image, 763372782 x 763380744, 2-bit
22884371        0x15D3013       PNG image, 47873 x 1687818276, 8-bit/color RGBA,
22898700        0x15D680C       PNG image, 2298505966 x 2298487816, 6-bit
23343146        0x164302A       PNG image, 831804720 x 4146464774, 85-bit
23610574        0x16844CE       PNG image, 2350949110 x 3726706691, 140-bit
23650329        0x168E019       PNG image, 1581270254 x 1581262344, 6-bit
23677782        0x1694B56       PNG image, 3629132022 x 778110982, 216-bit
23696935        0x1699627       PNG image, 1368410350 x 1368402440, 6-bit
24074975        0x16F5ADF       ELF 32-bit LSB
25198157        0x1807E4D       mcrypt 2.2 encrypted data, algorithm: SAFER-SK64, mode: CFB, keymode: MD5 hash
25250984        0x1814CA8       ELF 32-bit LSB
57385354        0x36BA18A       PNG image, 534782190 x 534781448, 2-bit
57543449        0x36E0B19       Zip archive data, compressed size: 901619,  uncompressed size: 565116672, name: ""
64792096        0x3DCA620       PNG image, 3786422510 x 3786419464, 6-bit
64809832        0x3DCEB68       PNG image, 60831982 x 60833032, 6-bit colormap,
64916310        0x3DE8B56       PNG image, 1358969070 x 1358970120, 6-bit
65628883        0x3E96AD3       PNG image, 3466611438 x 3466603528, 2-bit
65765347        0x3EB7FE3       PNG image, 47873 x 242335926, 8-bit/color RGB,
65775713        0x3EBA861       PNG image, 1514185454 x 1514174472, 6-bit
65787523        0x3EBD683       PNG image, 3499105526 x 4254140422, 208-bit
65952878        0x3EE5C6E       PNG image, 4074773750 x 502335494, 242-bit
65968625        0x3EE99F1       PNG image, 4182798574 x 4182791176, 6-bit
66012131        0x3EF43E3       PNG image, 1240503278 x 1240489224, 6-bit
66209379        0x3F24663       TRX firmware header, little endian, header size: 28 bytes, image size: 293680672 bytes, CRC32: 0x3006087B flags: 0x8C20, version: 27205
66372747        0x3F4C48B       PNG image, 2556461038 x 2556443144, 6-bit
66925383        0x3FD3347       PNG image, 1387982128 x 2414686330, 8-bit/color RGBA,
66973942        0x3FDF0F6       PNG image, 1188059118 x 1188047368, 6-bit
66987049        0x3FE2429       PNG image, 2543860974 x 2543857160, 6-bit
67091879        0x3FFBDA7       PNG image, 2192599798 x 2914060294, 130-bit
67220255        0x401B31F       PNG image, 3586166766 x 3586161160, 6-bit
67231487        0x401DEFF       PNG image, 37785582 x 37779976, 6-bit/color RGB,
67258804        0x40249B4       PNG image, 2050002926 x 2049997320, 6-bit
67375487        0x404117F       PNG image, 77631470 x 77625864, 6-bit gray+alpha,
67402007        0x4047917       PNG image, 998281198 x 998275592, 6-bit
68199810        0x410A582       PNG image, 3170943214 x 3170902280, 6-bit
69724872        0x427EAC8       PNG image, 2342527866 x 95488146, 161-bit

64916310        0x3DE8B56       PNG image, 1358969070 x 1358970120, 6-bit
65628883        0x3E96AD3       PNG image, 3466611438 x 3466603528, 2-bit
65765347        0x3EB7FE3       PNG image, 47873 x 242335926, 8-bit/color RGB,
65775713        0x3EBA861       PNG image, 1514185454 x 1514174472, 6-bit
65787523        0x3EBD683       PNG image, 3499105526 x 4254140422, 208-bit
65952878        0x3EE5C6E       PNG image, 4074773750 x 502335494, 242-bit
65968625        0x3EE99F1       PNG image, 4182798574 x 4182791176, 6-bit
66012131        0x3EF43E3       PNG image, 1240503278 x 1240489224, 6-bit
66209379        0x3F24663       TRX firmware header, little endian, header size: 28 bytes, image size: 293680672 bytes, CRC32: 0x3006087B flags: 0x8C20, version: 27205
66372747        0x3F4C48B       PNG image, 2556461038 x 2556443144, 6-bit
66925383        0x3FD3347       PNG image, 1387982128 x 2414686330, 8-bit/color RGBA,
66973942        0x3FDF0F6       PNG image, 1188059118 x 1188047368, 6-bit
66987049        0x3FE2429       PNG image, 2543860974 x 2543857160, 6-bit
67091879        0x3FFBDA7       PNG image, 2192599798 x 2914060294, 130-bit
67220255        0x401B31F       PNG image, 3586166766 x 3586161160, 6-bit
67231487        0x401DEFF       PNG image, 37785582 x 37779976, 6-bit/color RGB,
67258804        0x40249B4       PNG image, 2050002926 x 2049997320, 6-bit
67375487        0x404117F       PNG image, 77631470 x 77625864, 6-bit gray+alpha,
67402007        0x4047917       PNG image, 998281198 x 998275592, 6-bit
68199810        0x410A582       PNG image, 3170943214 x 3170902280, 6-bit
69724872        0x427EAC8       PNG image, 2342527866 x 95488146, 161-bit

From the sizes and number of PNG detection I don't think the detection is right. Any ideas?

[I] sys-apps/file ([email protected])
[I] dev-lang/python (2.7.6(2.7)@04.12.2013)

gdb --args python2.7 /usr/bin/binwalk /bin/ls
GNU gdb (Gentoo 7.7 vanilla) 7.7
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
http://bugs.gentoo.org/.
Find the GDB manual and other documentation resources online at:
http://www.gnu.org/software/gdb/documentation/.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from python2.7...(no debugging symbols found)...done.
(gdb) r
Starting program: /usr/bin/python2.7 /usr/bin/binwalk /bin/ls
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
warning: File "/usr/lib64/libpython2.7.so.1.0-gdb.py" auto-loading has been declined by your `auto-load safe-path' set to "/home/avatar/Devel/NP1UD/debug-sysroot:/home/avatar:$debugdir:$datadir/auto-load".
To enable execution of this file add
add-auto-load-safe-path /usr/lib64/libpython2.7.so.1.0-gdb.py
line to your configuration file "/home/avatar/.gdbinit".
To completely disable this security protection add
set auto-load safe-path /
line to your configuration file "/home/avatar/.gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual. E.g., run from the shell:
info "(gdb)Auto-loading safe path"
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New Thread 0x7ffff6339700 (LWP 15228)]
WARNING: Failed to load plugin module 'compressd': Failed to locate library 'compress42'
WARNING: Failed to load plugin module 'zlibvalid': Failed to locate library 'tinfl'
WARNING: Failed to load plugin module 'compressd': Failed to locate library 'compress42'
WARNING: Failed to load plugin module 'zlibvalid': Failed to locate library 'tinfl'

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5867057 in ?? () from /usr/lib64/libmagic.so.1
(gdb) bt
#0 0x00007ffff5867057 in ?? () from /usr/lib64/libmagic.so.1
#1 0x00007ffff5861143 in ?? () from /usr/lib64/libmagic.so.1
#2 0x00007ffff7e1b6e4 in ffi_call_unix64 () from /usr/lib64/libffi.so.6
#3 0x000000000000000a in ?? ()
#4 0x00007fffffff9c60 in ?? ()
#5 0x00007fffffff9bf0 in ?? ()
#6 0x00007ffff7e1b275 in ffi_call () from /usr/lib64/libffi.so.6

Backtrace stopped: previous frame inner to this frame (corrupt stack?)

http://download.qnap.com/Storage/TS-470ProTurboNAS/TS-470_20140321-4.0.6.zip

DECIMAL       HEXADECIMAL     DESCRIPTION
------------------ --------------------------- ------------------------------------------------- --------------------------------------------------------
95754826      0x5B51A4A       Zlib header, best compression, uncompressed size >= 65859
115235038     0x6DE58DE       LZMA compressed data, properties: 0x40, dictionary size: 33554432 bytes, uncompressed size: 10539368 bytes
163815163     0x9C39EFB       InstallShield Cabinet archive data version 4/5,

This https://github.com/Lightsword1942/jungo-image/blob/master/MI424-WR-0018017A3ED9.bin is a dumped image that was created using this imaging script https://github.com/Lightsword1942/jungo-image/blob/master/jungo-image-2.py binwalk does not appear to identify anything.

Ran into this error today on a fresh Kali install (1.0.5) and Python 2.7.3:

root@kali:~/Desktop# binwalk XXXXXXXXXX.bin 
Traceback (most recent call last):
  File "/usr/bin/binwalk", line 536, in <module>
    main()
  File "/usr/bin/binwalk", line 481, in main
    plugins_blacklist=plugin_blacklist)
  File "/usr/lib/pymodules/python2.7/binwalk/__init__.py", line 306, in scan
    self.plugins = Plugins(self, whitelist=plugins_whitelist, blacklist=plugins_blacklist)
NameError: global name 'Plugins' is not defined

It can be remedied by removing

/usr/lib/pymodules/python2.7/binwalk/plugins/__init__.py
/usr/lib/pymodules/python2.7/binwalk/plugins/__init__.pyc
/usr/lib/pymodules/python2.6/binwalk/plugins/__init__.py
/usr/lib/pymodules/python2.6/binwalk/plugins/__init__.pyc

I am trying to make custom signature

struct header
{
char description[12];
int32_t header_size;
int32_t image_size;
int32_t creation_date;
char magic[4]; //Magic bytes are: 'SIG0'
};

I believe that the following magic file should work, but it fails even to detect SIG0.
0 string SIG0 SIG0 firmware header,{jump-to-offset:-24}

4 string x description: "%s",
16 lelong x header size: %d,
20 lelong x size: %d,
24 ledate x date: %s

Running: Python 2.7.6
When running I get this error:

binwalk sw_nsa-2600__eng_6.1.2.0-11n
Traceback (most recent call last):
File "/usr/bin/binwalk", line 6, in
from binwalk.core.compat import user_input
ImportError: No module named core.compat

I have a fail when launching
binwalk -Me foo.exe

Reversing part of the commit a78d78c do the trick.

Maybe putting a conditional import (when using with IDA) can solve the problem?

Here is the exception:
Signature Exception: global name 'hashlib' is not defined

Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 499, in main
retval = self.run()
File "/usr/local/lib/python2.7/dist-packages/binwalk/modules/signature.py", line 159, in >run
self.header()
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 445, in header
self.config.display.header(*self.HEADER, file_name=self.current_target_file_name)
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/display.py", line 65, in header
md5sum = binwalk.core.common.file_md5(file_name)
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/common.py", line 67, in >file_md5
md5 = hashlib.md5()
NameError: global name 'hashlib' is not defined

After you create a signature with a long signature description, Binwalk throws warnings indicating that the signature description will be truncated. I'd like a way to either disable truncation or configure the length at which signature descriptions are truncated.

Running ./configure I get the following error on Ubuntu 12.04:

config.status: executing libtool commands
Can't exec "libtoolize": No such file or directory at /usr/bin/autoreconf line 196.
Use of uninitialized value in pattern match (m//) at /usr/bin/autoreconf line 196.
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal -I m4
configure.ac:13: warning: macro `AM_PROG_LIBTOOL' not found in library
autoreconf: configure.ac: tracing
autoreconf: configure.ac: not using Libtool
autoreconf: running: /usr/bin/autoconf
autoreconf: running: /usr/bin/autoheader
autoreconf: running: automake --no-force
Makefile.am:9: Libtool library used but `LIBTOOL' is undefined
Makefile.am:9:   The usual way to define `LIBTOOL' is to add `LT_INIT'
Makefile.am:9:   to `configure.ac' and run `aclocal' and `autoconf' again.
Makefile.am:9:   If `LT_INIT' is in `configure.ac', make sure
Makefile.am:9:   its definition is in aclocal's search path.
autoreconf: automake failed with exit status: 1

This can be fixed installing libtoolize package.

I'm trying to iterate over a few hundred bin files.

Traceback (most recent call last):
File "z2.py", line 66, in
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 649, in execute
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 665, in run
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 680, in load
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 706, in dependencies
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 665, in run
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 680, in load
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 706, in dependencies
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 665, in run
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 681, in load
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 231, in init
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/plugin.py", line 207, in load_plugins
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/plugin.py", line 182, in list_plugins
OSError: [Errno 24] Too many open files: '/home/XXXXX/.binwalk/plugins/'
Error in sys.excepthook:
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/apport_python_hook.py", line 63, in apport_excepthook
ImportError: No module named fileutils

Original exception was:
Traceback (most recent call last):
File "z2.py", line 66, in
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 649, in execute
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 665, in run
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 680, in load
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 706, in dependencies
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 665, in run
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 680, in load
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 706, in dependencies
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 665, in run
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 681, in load
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 231, in init
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/plugin.py", line 207, in load_plugins
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/plugin.py", line 182, in list_plugins
OSError: [Errno 24] Too many open files: '/home/XXXXX/.binwalk/plugins/'
XXXXX@XXXXX:~/zip$ c

I'm new to binwalk, so I'm not sure of the expected action. It appears the signatures were compressed into a single file? (https://github.com/devttys0/binwalk/blob/master/src/binwalk/magic/binwalk)

I was attempting to correct this warning:
/tmp/tmpD5tXtI, 4920: Warning: New continuation level 2 is more than one larger than current level 0
/tmp/tmpD5tXtI, 4924: Warning: New continuation level 2 is more than one larger than current level 0

after running the signature update, the original issue (continuation warning above) was resolved.

$ sudo binwalk -u
Updating signatures...
Update._do_update_from_svn failed to update file 'https://raw.github.com/devttys0/binwalk/master/src/binwalk/magic/zlib': HTTP Error 404: Not Found

Hi,

I got the firmware for Edimax EW-7209 access point. You can find it here:

http://www.edimax.com/en/produce_detail.php?pl1_id=1&pl2_id=155&pl3_id=390&pd_id=19#03

I compiled the version 2.0.0 Beta cloned from GitHub, and added /usr/local/lib to LD_LIB_PATH.

Scanning this firmware shows two lines:

DECIMAL HEXADECIMAL DESCRIPTION

0 0x0 CSYS header, big endian, size: 65536
34836 0x8814 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 6893568 bytes

If I try to extract the LZMA data (from the created 8814.7z file), 7z utility says it is invalid. How to determine if it was a false positive as weel?

Entering "binwalk -L" shows no plugins. It is correct?

The source code for this firmware can be downloaded at the same link.

In Binwalk 2.0.1 when I try to get the Entropy plot of a file it shows always this, a line on the top without axis instead of the real plot:

I installed binwalk according to the instructions in INSTALL, everything went fine, but when I start binwalk with a firmware file it gives me this:

WARNING: Failed to load plugin module 'compressd': Failed to locate library 'compress42'

WARNING: Failed to load plugin module 'zlibvalid': Failed to locate library 'tinfl'

WARNING: Failed to load plugin module 'compressd': Failed to locate library 'compress42'

WARNING: Failed to load plugin module 'zlibvalid': Failed to locate library 'tinfl'

Signature Exception: Failed to locate library 'inmagic'

Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 475, in main
self.init()
File "/usr/local/lib/python2.7/dist-packages/binwalk/modules/signature.py", line 85, in init
self.magic = binwalk.core.magic.Magic(self.mfile)
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/magic.py", line 41, in init
self.libmagic = binwalk.core.C.Library("inmagic", self.LIBMAGIC_FUNCTIONS)
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/C.py", line 99, in init
self.library = ctypes.cdll.LoadLibrary(self.find_library(library))
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/C.py", line 137, in find_library
raise Exception("Failed to locate library '%s'" % library)

Exception: Failed to locate library 'inmagic'

Hi!

The -W option (hexdiff) doesn't work (using a current github clone):

HexDiff Exception: I/O operation on closed file
----------------------------------------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/binwalk/core/module.py", line 513, in main
    retval = self.run()
  File "/usr/local/lib/python2.7/site-packages/binwalk/modules/hexdiff.py", line 213, in run
    self.diff_files(self.hex_target_files)
  File "/usr/local/lib/python2.7/site-packages/binwalk/modules/hexdiff.py", line 130, in diff_files
    block_data[fp] = fp.read(self.block)
  File "/usr/local/lib/python2.7/site-packages/binwalk/core/common.py", line 413, in read
    tmp = super(self.__class__, self).read(n-l)
ValueError: I/O operation on closed file
----------------------------------------------------------------------------------------------------

As far as I found out it's due to

module.py's next_file():

   def next_file(self):
       [...]
       # Ensure files are close to prevent IOError (too many open files)
       try:
           self.previous_next_file_fp.close()
       except KeyboardInterrupt as e:
           raise e
       except Exception:
           pass

If I substitute the self.previous_next_file_fp.close() by pass or so
to deactivate the close() hexdiff seems to work fine.

Of course that's not a clean solution, but better than nothing.

Christian

Thank you for implementing {string-len} keyword. When i pushed my commit I used the following magic with multiple string-len keywords. I understand the concept of striping everything after {string-len} keyword, but probably we can do something to avoid the limitation?

4 lelong x {file-size:%d-{string-len:
20 string x \b%s}-1}
20 string x {offset-adjust:21+{string-len:%s}}

When the lib/modules folder extracts all the modules have no data. They appear to be the correct size but when looked at via hex editor have no data at all. https://github.com/Lightsword1942/jungo-image/blob/master/MI424WR-GEN3I.rmt is the unextracted original firmware file. https://github.com/Lightsword1942/jungo-image/blob/master/_MI424WR-GEN3I.rmt.extracted/_312F.extracted/489000.cramfs is the specific image that fails to extract any non-corrupt modules. I'm fairly sure there is a detection problem for the romfs image. This firmare download should contain a cramfs and a romfs image but it looks like binwalk detects 2 cramfs images instead. The cramfs images is mounted as cramfs and the romfs images is mounted as modfs.
Below is the router's partition layout:

Wireless Broadband Router> flash

flash> layout

Flash layout:

Section 00 Type FACTORY Range 0x00000000-0x00020000 MaxSize 0x0001FF6C

Flash file: /mnt/jffs2/rg_factory

Size 0x0000040A Name 'Downloaded at: Fri Dec 14 19:15:13 2007'

Checksum 0x0000EAFF Counter 0x0000000D Start Offset 0x00000000

Section 01 Type CONF Range 0x00000000-0x00020000 MaxSize 0x0001FF6C

Flash file: /mnt/jffs2/rg_conf1

Size 0x000066C8 Name 'rg_conf'

Checksum 0x0032DC91 Counter 0x0000005F Start Offset 0x00000000

Section 02 Type CONF Range 0x00000000-0x00020000 MaxSize 0x0001FF6C

Flash file: /mnt/jffs2/rg_conf2

Size 0x000066CA Name 'rg_conf'

Checksum 0x0032C0E8 Counter 0x0000005D Start Offset 0x00000000

Section 03 Type BACKUP_CONF Range 0x00000000-0x00020000 MaxSize 0x0001FF6C

Flash file: /mnt/jffs2/backup_rg_conf

Uninitialized.

Section 04 Type IMAGE Range 0x00000000-0x00F00000 MaxSize 0x00EFFF6C

Flash file: /mnt/jffs2/openrg1.img

Size 0x0043F9F0 Name 'FEROCEON Version 4.7.5.3.31.2.14.40.19.22 Downloaded at: Fri Dec 14 19:14:20 2007'

Checksum 0x225EF815 Counter 0x0000000A Start Offset 0x00000000

Section 05 Type IMAGE Range 0x00000000-0x00F00000 MaxSize 0x00EFFF6C

Flash file: /mnt/jffs2/openrg2.img

Size 0x0043F9F0 Name 'FEROCEON Version 4.7.5.3.31.2.14.40.19.22 Downloaded at: Fri Dec 14 19:15:02 2007'

Checksum 0x225EF817 Counter 0x0000000B Start Offset 0x00000000

Section 06 Type LOG Range 0x00000000-0x00040000 MaxSize 0x0003FF6C

Flash file: /mnt/jffs2/persistent_log

Size 0x000000B3 Name 'Persistent_log'

Checksum 0x0000626E Counter 0x0000002D Start Offset 0x00000000

Total 7 sections found.

Returned 0

lha is not in the Debian repository for stable or testing. It's also not in the repository for Ubuntu after 12.04. This causes apt-get to error and fail to install most of the non-python dependencies in the deps.sh script.