refirmlabs / binwalk
Firmware Analysis Tool
License: MIT License
Running: Python 2.7.6
When running I get this error:
binwalk sw_nsa-2600__eng_6.1.2.0-11n
Traceback (most recent call last):
File "/usr/bin/binwalk", line 6, in
from binwalk.core.compat import user_input
ImportError: No module named core.compat
After you create a signature with a long signature description, Binwalk throws warnings indicating that the signature description will be truncated. I'd like a way to either disable truncation or configure the length at which signature descriptions are truncated.
Unable to use this version of binwalk. Getting those errors:
WARNING: Error loading plugin 'lzmamod.py': [Errno 13] Permission denied
The files concerned are:
'zlibvalid.py'
'tar.py'
'cpio.py'
'lzmamod.py'
'compressd.py'
[I] sys-apps/file ([email protected])
[I] dev-lang/python (2.7.6(2.7)@04.12.2013)
gdb --args python2.7 /usr/bin/binwalk /bin/ls
GNU gdb (Gentoo 7.7 vanilla) 7.7
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
http://bugs.gentoo.org/.
Find the GDB manual and other documentation resources online at:
http://www.gnu.org/software/gdb/documentation/.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from python2.7...(no debugging symbols found)...done.
(gdb) r
Starting program: /usr/bin/python2.7 /usr/bin/binwalk /bin/ls
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
warning: File "/usr/lib64/libpython2.7.so.1.0-gdb.py" auto-loading has been declined by your `auto-load safe-path' set to "/home/avatar/Devel/NP1UD/debug-sysroot:/home/avatar:$debugdir:$datadir/auto-load".
To enable execution of this file add
add-auto-load-safe-path /usr/lib64/libpython2.7.so.1.0-gdb.py
line to your configuration file "/home/avatar/.gdbinit".
To completely disable this security protection add
set auto-load safe-path /
line to your configuration file "/home/avatar/.gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual. E.g., run from the shell:
info "(gdb)Auto-loading safe path"
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New Thread 0x7ffff6339700 (LWP 15228)]
WARNING: Failed to load plugin module 'compressd': Failed to locate library 'compress42'
WARNING: Failed to load plugin module 'zlibvalid': Failed to locate library 'tinfl'
WARNING: Failed to load plugin module 'compressd': Failed to locate library 'compress42'
WARNING: Failed to load plugin module 'zlibvalid': Failed to locate library 'tinfl'
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5867057 in ?? () from /usr/lib64/libmagic.so.1
(gdb) bt
#0 0x00007ffff5867057 in ?? () from /usr/lib64/libmagic.so.1
#1 0x00007ffff5861143 in ?? () from /usr/lib64/libmagic.so.1
#2 0x00007ffff7e1b6e4 in ffi_call_unix64 () from /usr/lib64/libffi.so.6
#3 0x000000000000000a in ?? ()
#4 0x00007fffffff9c60 in ?? ()
#5 0x00007fffffff9bf0 in ?? ()
#6 0x00007ffff7e1b275 in ffi_call () from /usr/lib64/libffi.so.6
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
I have a fail when launching
binwalk -Me foo.exe
Reversing part of the commit a78d78c does the trick.
Maybe putting a conditional import (when using with IDA) can solve the problem?
Here is the exception:
Signature Exception: global name 'hashlib' is not defined
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 499, in main
retval = self.run()
File "/usr/local/lib/python2.7/dist-packages/binwalk/modules/signature.py", line 159, in run
self.header()
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 445, in header
self.config.display.header(*self.HEADER, file_name=self.current_target_file_name)
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/display.py", line 65, in header
md5sum = binwalk.core.common.file_md5(file_name)
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/common.py", line 67, in file_md5
md5 = hashlib.md5()
NameError: global name 'hashlib' is not defined
The firmware file https://github.com/Lightsword1942/jungo-image/blob/master/A90-9100EM15-10_1.02.00.04.rmt for the westell 9100EM appears to have a romfs image that fails to extract. https://github.com/Lightsword1942/jungo-image/blob/master/_A90-9100EM15-10_1.02.00.04.rmt.extracted/_vmlinux.bin.extracted/rom%2048b74195.romfs
import math

def shannon_orig(data):
    '''
    Performs a Shannon entropy analysis on a given block of data.
    '''
    entropy = 0
    if data:
        # One full data.count() scan per possible byte value (256 passes)
        for x in range(0, 256):
            p_x = float(data.count(chr(x))) / len(data)
            if p_x > 0:
                entropy += - p_x*math.log(p_x, 2)
    return (entropy / 8)

def shannon_faster(data):
    entropy = 0
    if data:
        # Count every byte value in a single pass over the data
        seen = dict(((chr(x), 0) for x in range(256)))
        for byte in data:
            seen[byte] += 1
        length = len(data)
        for x in range(0, 256):
            p_x = float(seen[chr(x)]) / length
            if p_x > 0:
                entropy += - p_x*math.log(p_x, 2)
    return entropy / 8

if __name__ == '__main__':
    import time
    import random
    # 1 MiB of random characters with code points 0-255
    data = ''.join(chr(random.randint(0,255)) for x in range(1024**2))
    t = time.time()
    # Single-argument print() calls run under both Python 2 and Python 3
    print('ORIGINAL IMPL.')
    print('... result %s' % shannon_orig(data))
    print('time (s) %s' % (time.time() - t))
    print('')
    print('IMPROVED IMPL.')
    t = time.time()
    print('... result %s (should match above)' % shannon_faster(data))
    print('time (s) %s' % (time.time() - t))
Hi
I tried without success to add a custom magic file while loading modules in a Python script. Currently the only way I found was to add my custom signature directly into the binwalk generic magic file.
When trying the custom magic file with binwalk on the command line, parsing gives the correct signature detection.
Hey,
Need to add to the INSTALL file a dependency of libtool which is not automatically installed in make time.
Binwalk extracts a ton of JFFS2 images from this firmware, even if -y jffs2 is specified on the command line. Seems to be due to zlib compression being identified in between multiple JFFS2 node headers.
Firmware: http://t.co/Hxn5wwX5Nl
I created a signature for LANCOM Firmware Images, but I wonder why this line does not work:
>12 byte <220 RC%d #bug???
The value of the Byte is 1.
Firmware files can be found here:
ftp://ftp.lancom.de/LANCOM-Releases/
0 string ELSF LANCOM firmware header
>18 string x {raw-replace}
>12 byte 255 Rel
>12 byte 253 alpha
>12 byte 220 PR
>12 byte <220 RC%d #bug???
>12 byte <237 RU(%d-220)
>17 byte x Build %d
>18 string x {raw-string-length:4}
>18 string x {raw-string:%s}
0 string ELSO LANCOM OEM file
0 string ELSP
>202 string x %s
Greetings,
This was found using binwalk version 1.2.2-1:
When running a Python 'service' from /etc/init.d, I have issues calling the following command in the Python service:
cmd = os.popen("binwalk -W {0} {1} > /apps/working/binwalk/diff/output.txt".format(new_robj[1], new_robj[2]))
The error I get is:
<open file 'binwalk -W /apps/working/binwalk/diff/cmos_custom.dump /apps/working/binwalk/diff/GOLD_cmos_custom.dump > /apps/working/binwalk/diff/output.txt', mode 'r' at 0x7fb7db9116f0>
Traceback (most recent call last):
File "/usr/local/bin/binwalk", line 593, in
main()
File "/usr/local/bin/binwalk", line 195, in main
config = binwalk.Config()
File "/usr/local/lib/python2.7/dist-packages/binwalk/config.py", line 68, in init
self.paths['user'][self.BINWALK_MAGIC_FILE] = self._user_path(self.BINWALK_MAGIC_DIR, self.BINWALK_MAGIC_FILE)
File "/usr/local/lib/python2.7/dist-packages/binwalk/config.py", line 138, in _user_path
return self._file_path(os.path.join(self.user_dir, self.BINWALK_USER_DIR, subdir), basename)
File "/usr/lib/python2.7/posixpath.py", line 77, in join
elif path == '' or path.endswith('/'):
AttributeError: 'NoneType' object has no attribute 'endswith'
http://download.qnap.com/Storage/TS-470ProTurboNAS/TS-470_20140321-4.0.6.zip
DECIMAL HEXADECIMAL DESCRIPTION
------------------ --------------------------- ------------------------------------------------- --------------------------------------------------------
95754826 0x5B51A4A Zlib header, best compression, uncompressed size >= 65859
115235038 0x6DE58DE LZMA compressed data, properties: 0x40, dictionary size: 33554432 bytes, uncompressed size: 10539368 bytes
163815163 0x9C39EFB InstallShield Cabinet archive data version 4/5,
I'm new to binwalk, so I'm not sure of the expected action. It appears the signatures were compressed into a single file? (https://github.com/devttys0/binwalk/blob/master/src/binwalk/magic/binwalk)
I was attempting to correct this warning:
/tmp/tmpD5tXtI, 4920: Warning: New continuation level 2 is more than one larger than current level 0
/tmp/tmpD5tXtI, 4924: Warning: New continuation level 2 is more than one larger than current level 0
after running the signature update, the original issue (continuation warning above) was resolved.
$ sudo binwalk -u
Updating signatures...
Update._do_update_from_svn failed to update file 'https://raw.github.com/devttys0/binwalk/master/src/binwalk/magic/zlib': HTTP Error 404: Not Found
-small fix: it cannot be RC and RU at the same time
-added detection for dev builds
-added detection for alias names
-added support for WWAN Firmware detection (4G devices)
-added support for bootloaders
-get the build date when it is stored as string (older firmware versions)
0 string ELSF LANCOM firmware header,
>22 string x model: "%s",
>18 string x firmware version: "%.4s",
>12 ubyte 255 Rel,
>12 ubyte 253 alpha,
>12 ubyte 220 PR,
>12 ubyte >0
>>12 ubyte <220 RC%d,
>12 ubyte >220
>>12 ubyte <237 RU{math:%d-220},
>12 ubyte 0 dev
>17 ubyte >0
>>17 ubyte x build %d
#get build date
>7 ubyte !63
#date is stored as string
>>7 string x ("%.8s")
0 string ELSO LANCOM OEM file
0 string ELSB LANCOM firmware loader,
>22 string x model: "%s",
>18 string x loader version: "%.4s",
0 string ELSC LANCOM WWAN firmware
>4 ubyte 3
>>5 beshort 0
>>7 string x %s
0 string ELSP LANCOM file entry
>202 string @(RECENT_FIRMWARE)/ \b, file name:
>>221 string x "%s"
>>221 string x {file-name:%s}
>(198.L+202) belong 2
>>(198.L+206) belong x \b, file size: %d bytes
>>(198.L+206) belong x {file-size:%d}
>(198.L+202) belong 3
>>&4 string @(RECENT_FIRMWARE)/ \b, alias:
>>&23 string x "%s"
>>&(&0.L(0)) belong x
>>>&4 belong x \b, file size: %d bytes
Btw. how to get the extraction to work properly for the files in the ELSP sections?
There seem to exist three different compressions of the firmware part "ELSF":
Firmware 1.x (ELSA): no compression
Firmware 2.x and higher: huffman
More recent firmware LZMA
And there are different cpu architectures used as well:
16x1,17xx,18xx series: Intel XScale
178X, 7100, 9100 series Freescale
installer does not chmod and move the lib files after compiling them
also
sudo ldconfig
I have a firmware with each file packed separately as a gzip, but the file name is offset 0x108 before the gzip magic, rather than contained in the gzip archive itself.
i.e. SWinFlash_64.exe.gz, null byte padding, gzip archive (1F 8B 08).
The simple answer seems to be a negative offset, but that appears not to be possible? Any suggestions, please?
003A6F80 D9 75 F4 48 29 33 DF 46 93 5D 5F 58 58 58 58 58 58 58 58 58 58 58 58 58 5C 08 FC 7F 9A 3B 66 58 .u.H)3.F.]_XXXXXXXXXXXXX\....;fX
003A6FA0 00 E0 04 00 53 57 69 6E 46 6C 61 73 68 5F 36 34 2E 65 78 65 2E 67 7A 00 00 00 00 00 00 00 00 00 ....SWinFlash_64.exe.gz.........
003A6FC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................................
003A6FE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................................
003A7000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................................
003A7020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................................
003A7040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................................
003A7060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................................
003A7080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................................
003A70A0 00 00 00 00 00 00 00 00 C7 35 01 00 1F 8B 08 00 00 00 00 00 00 0B EC BD 7F 60 54 C5 B5 38 7E 37 .........5...............`T..8~7
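One way to handle the layout in the dump above outside of a magic signature, as an added example (not binwalk code): find each gzip magic, read the NUL-terminated name 0x108 bytes before it, and decompress with an output cap. The sample image, the 64 MiB cap and all function names are constructed for illustration.

```python
import os
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"     # ID1 ID2 CM=deflate, the "1F 8B 08" in the dump
NAME_DISTANCE = 0x108            # the name starts this far before the magic
MAX_OUTPUT = 64 * 1024 * 1024    # assumed per-member cap on decompressed bytes


def external_name(blob, magic_off):
    """Return a sanitized name stored NAME_DISTANCE bytes before magic_off, or None."""
    start = magic_off - NAME_DISTANCE
    if start < 0:
        return None
    raw = blob[start:magic_off].split(b"\x00", 1)[0]
    if not raw or any(c < 0x20 or c > 0x7E for c in raw):
        return None
    # The name is untrusted firmware content: keep only the last path component
    # so a stored "../../etc/x" cannot escape the extraction directory.
    name = os.path.basename(raw.decode("ascii").replace("\\", "/"))
    return name if name not in ("", ".", "..") else None


def bounded_gunzip(blob, offset, limit=MAX_OUTPUT):
    """Decompress one gzip member at offset; None if corrupt, truncated or too big."""
    d = zlib.decompressobj(31)            # wbits=31 selects the gzip wrapper
    try:
        out = d.decompress(blob[offset:], limit + 1)
    except zlib.error:
        return None
    if len(out) > limit or not d.eof:     # over the cap, or stream never ended
        return None
    return out


def carve(blob, limit=MAX_OUTPUT):
    """Return [(magic_offset, name, data)] for every member with a usable name."""
    results = []
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        name = external_name(blob, pos)
        if name is not None:
            data = bounded_gunzip(blob, pos, limit)
            if data is not None:
                results.append((pos, name, data))
        pos = blob.find(GZIP_MAGIC, pos + 1)
    return results


def build_sample():
    """Constructed test image: two named members and one stray magic."""
    def entry(name, payload):
        comp = zlib.compressobj(9, zlib.DEFLATED, 31)
        member = comp.compress(payload) + comp.flush()
        # name, NUL padding, then the four bytes seen before the magic in the
        # dump (their meaning is not stated on the page)
        field = name.ljust(NAME_DISTANCE - 4, b"\x00") + b"\xc7\x35\x01\x00"
        return field + member
    return (b"\x5f" * 13
            + entry(b"SWinFlash_64.exe.gz", b"MZ constructed payload A" * 8)
            + GZIP_MAGIC + b"\xff" * 16
            + entry(b"../../etc/cron.d/x.gz", b"constructed payload B" * 8))


if __name__ == "__main__":
    for off, name, data in carve(build_sample()):
        print("0x%X %s (%d bytes)" % (off, name, len(data)))
```

The output cap also keeps a corrupt or hostile stream from consuming unbounded memory during a scan.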
Upgrade file/python-magic to 5.14. It appears this change:
2013-01-11 14:50 Christos Zoulas <[email protected]>
* Warn about inconsistent continuation levels.
Causes this crud to output:
/tmp/tmpG0sN83, 4920: Warning: New continuation level 2 is more than one larger than current level 0
/tmp/tmpG0sN83, 4924: Warning: New continuation level 2 is more than one larger than current level 0
Hello,
Why does deps.sh create the directory /opt/firmware-mod-kit as root and leave it writable by anyone?
if [ ! -e /opt/firmware-mod-kit ]
then
$SUDO mkdir -p /opt/firmware-mod-kit
$SUDO chmod a+rwx /opt/firmware-mod-kit
fi
I would restrict writing to the user who launches the script, i.e.
if [ ! -e /opt/firmware-mod-kit ]
then
    $SUDO mkdir -p /opt/firmware-mod-kit
    $SUDO chown "$USER" /opt/firmware-mod-kit
    # u+rwx (owner) rather than o+rwx, which grants write access to all other users
    $SUDO chmod u+rwx /opt/firmware-mod-kit
fi
lha is not in the Debian repository for stable or testing. It's also not in the repository for Ubuntu after 12.04. This causes apt-get to error and fail to install most of the non-python dependencies in the deps.sh script.
Hi,
I got the firmware for Edimax EW-7209 access point. You can find it here:
http://www.edimax.com/en/produce_detail.php?pl1_id=1&pl2_id=155&pl3_id=390&pd_id=19#03
I compiled the version 2.0.0 Beta cloned from GitHub, and added /usr/local/lib to LD_LIB_PATH.
Scanning this firmware shows two lines:
0 0x0 CSYS header, big endian, size: 65536
34836 0x8814 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 6893568 bytes
If I try to extract the LZMA data (from the created 8814.7z file), the 7z utility says it is invalid. How can I determine whether it was a false positive as well?
Entering "binwalk -L" shows no plugins. Is that correct?
The source code for this firmware can be downloaded at the same link.
When the lib/modules folder extracts, all the modules have no data. They appear to be the correct size but when looked at via hex editor have no data at all. https://github.com/Lightsword1942/jungo-image/blob/master/MI424WR-GEN3I.rmt is the unextracted original firmware file. https://github.com/Lightsword1942/jungo-image/blob/master/_MI424WR-GEN3I.rmt.extracted/_312F.extracted/489000.cramfs is the specific image that fails to extract any non-corrupt modules. I'm fairly sure there is a detection problem for the romfs image. This firmware download should contain a cramfs and a romfs image but it looks like binwalk detects 2 cramfs images instead. The cramfs image is mounted as cramfs and the romfs image is mounted as modfs.
Below is the router's partition layout:
Wireless Broadband Router> flash
flash> layout
Flash layout:
Section 00 Type FACTORY Range 0x00000000-0x00020000 MaxSize 0x0001FF6C
Flash file: /mnt/jffs2/rg_factory
Size 0x0000040A Name 'Downloaded at: Fri Dec 14 19:15:13 2007'
Checksum 0x0000EAFF Counter 0x0000000D Start Offset 0x00000000
Section 01 Type CONF Range 0x00000000-0x00020000 MaxSize 0x0001FF6C
Flash file: /mnt/jffs2/rg_conf1
Size 0x000066C8 Name 'rg_conf'
Checksum 0x0032DC91 Counter 0x0000005F Start Offset 0x00000000
Section 02 Type CONF Range 0x00000000-0x00020000 MaxSize 0x0001FF6C
Flash file: /mnt/jffs2/rg_conf2
Size 0x000066CA Name 'rg_conf'
Checksum 0x0032C0E8 Counter 0x0000005D Start Offset 0x00000000
Section 03 Type BACKUP_CONF Range 0x00000000-0x00020000 MaxSize 0x0001FF6C
Flash file: /mnt/jffs2/backup_rg_conf
Uninitialized.
Section 04 Type IMAGE Range 0x00000000-0x00F00000 MaxSize 0x00EFFF6C
Flash file: /mnt/jffs2/openrg1.img
Size 0x0043F9F0 Name 'FEROCEON Version 4.7.5.3.31.2.14.40.19.22 Downloaded at: Fri Dec 14 19:14:20 2007'
Checksum 0x225EF815 Counter 0x0000000A Start Offset 0x00000000
Section 05 Type IMAGE Range 0x00000000-0x00F00000 MaxSize 0x00EFFF6C
Flash file: /mnt/jffs2/openrg2.img
Size 0x0043F9F0 Name 'FEROCEON Version 4.7.5.3.31.2.14.40.19.22 Downloaded at: Fri Dec 14 19:15:02 2007'
Checksum 0x225EF817 Counter 0x0000000B Start Offset 0x00000000
Section 06 Type LOG Range 0x00000000-0x00040000 MaxSize 0x0003FF6C
Flash file: /mnt/jffs2/persistent_log
Size 0x000000B3 Name 'Persistent_log'
Checksum 0x0000626E Counter 0x0000002D Start Offset 0x00000000
Total 7 sections found.
Returned 0
I'm trying to iterate over a few hundred bin files.
Traceback (most recent call last):
File "z2.py", line 66, in
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 649, in execute
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 665, in run
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 680, in load
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 706, in dependencies
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 665, in run
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 680, in load
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 706, in dependencies
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 665, in run
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 681, in load
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 231, in init
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/plugin.py", line 207, in load_plugins
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/plugin.py", line 182, in list_plugins
OSError: [Errno 24] Too many open files: '/home/XXXXX/.binwalk/plugins/'
Error in sys.excepthook:
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/apport_python_hook.py", line 63, in apport_excepthook
ImportError: No module named fileutils
Original exception was:
Traceback (most recent call last):
File "z2.py", line 66, in
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 649, in execute
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 665, in run
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 680, in load
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 706, in dependencies
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 665, in run
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 680, in load
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 706, in dependencies
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 665, in run
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 681, in load
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 231, in init
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/plugin.py", line 207, in load_plugins
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/plugin.py", line 182, in list_plugins
OSError: [Errno 24] Too many open files: '/home/XXXXX/.binwalk/plugins/'
XXXXX@XXXXX:~/zip$ c
build-dependencies on debian
debhelper (>= 9),
python-all-dev,
dh-autoreconf,
runtime deps
${python:Depends}, ${shlibs:Depends}, ${misc:Depends}, python-pyqtgraph,
python-matplotlib,
python-pyqtgraph,
python-magic,
mtd-utils,
zlib1g-dev,
liblzma-dev,
ncompress,
gzip,
bzip2,
tar,
arj,
p7zip,
p7zip-full,
openjdk-7-jdk | openjdk-8-jdk,
libfuzzy-dev,
libmagic-dev
Is that correct? If I understand correctly, the .so libraries are searched for on the path /usr/lib at runtime, but will it pick only the .so symlink (the -dev package) or the real library?
libfuzzy.so libfuzzy.so.2 libfuzzy.so.2.0.0
The first libfuzzy.so belongs to libfuzzy-dev, while the others belong to libfuzzy2.
I installed binwalk according to the instructions in INSTALL, everything went fine, but when I start binwalk with a firmware file it gives me this:
WARNING: Failed to load plugin module 'compressd': Failed to locate library 'compress42'
WARNING: Failed to load plugin module 'zlibvalid': Failed to locate library 'tinfl'
WARNING: Failed to load plugin module 'compressd': Failed to locate library 'compress42'
WARNING: Failed to load plugin module 'zlibvalid': Failed to locate library 'tinfl'
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 475, in main
self.init()
File "/usr/local/lib/python2.7/dist-packages/binwalk/modules/signature.py", line 85, in init
self.magic = binwalk.core.magic.Magic(self.mfile)
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/magic.py", line 41, in init
self.libmagic = binwalk.core.C.Library("inmagic", self.LIBMAGIC_FUNCTIONS)
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/C.py", line 99, in init
self.library = ctypes.cdll.LoadLibrary(self.find_library(library))
File "/usr/local/lib/python2.7/dist-packages/binwalk/core/C.py", line 137, in find_library
raise Exception("Failed to locate library '%s'" % library)
http://www.tenda.cn/uploadfile/downloads/uploadfile/201310/2013101/W311R_V5.07.17_en_03_Russai.zip
The trx header is correctly recognized. Unpacking with the -Me option I got three files; the latest generated file had a 7z extension, but it actually cannot be decompressed with either 7-zip or lzma. Decompressing 1C.7z also gave a warning, "the data is corrupt".
Opening the decompressed files in a hex editor, you can say it may just all, for it included some strings that seem to come from a binary executable.
I think the firmware may have a different data structure.
Hi!
The -W option (hexdiff) doesn't work (using a current github clone):
HexDiff Exception: I/O operation on closed file
----------------------------------------------------------------------------------------------------
Traceback (most recent call last):
File "/usr/local/lib/python2.7/site-packages/binwalk/core/module.py", line 513, in main
retval = self.run()
File "/usr/local/lib/python2.7/site-packages/binwalk/modules/hexdiff.py", line 213, in run
self.diff_files(self.hex_target_files)
File "/usr/local/lib/python2.7/site-packages/binwalk/modules/hexdiff.py", line 130, in diff_files
block_data[fp] = fp.read(self.block)
File "/usr/local/lib/python2.7/site-packages/binwalk/core/common.py", line 413, in read
tmp = super(self.__class__, self).read(n-l)
ValueError: I/O operation on closed file
----------------------------------------------------------------------------------------------------
As far as I found out it's due to
module.py's next_file():
def next_file(self):
    [...]
    # Ensure files are close to prevent IOError (too many open files)
    try:
        self.previous_next_file_fp.close()
    except KeyboardInterrupt as e:
        raise e
    except Exception:
        pass
If I substitute the self.previous_next_file_fp.close() by pass or so
to deactivate the close() hexdiff seems to work fine.
Of course that's not a clean solution, but better than nothing.
Christian
Migrated from issue 73 on old googlecode site: https://code.google.com/p/binwalk/issues/detail?id=73
This is something I know you are aware of.
If not porting this to newer versions, please substitute the first line on every file to point to python2 executable so that people with both python2 and 3 can use python3 as default but be able to run this tool.
should be
Is this posible?
Stems from two issues:
ssdeep
is not compatible
autoreconf && ./configure
sed -e s/libmagic/libinmagic/g < ./file-"5.18"/src/Makefile >./file-"5.18"/src/mktmp
libtinfl (used by deflate plugin) segfaults if given bad data; reproducible, needs more investigation.
File in question is PANA_ESD.FRM decompressed from http://pcfdl.svrpf.jp/pc/en/bd/pwt520/UPDATE_PWT520_HW220GL_V131.exe (SFX RAR)
Binwalk's output (latest from Git at the time of this posting)
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
3425351 0x344447 ELF
3775813 0x399D45 gzip compressed data, from VMS, last modified: Fri Feb 1 21:33:24 2013
19362691 0x1277383 PNG image, 435166958 x 435167496, 3-bit
19625495 0x12B7617 PNG image, 1622790752 x 4145481730, 210-bit
19695546 0x12C87BA PNG image, 2239766254 x 2239766792, 6-bit
19721837 0x12CEE6D PNG image, 4064297966 x 4064290824, 6-bit
19857655 0x12F00F7 PNG image, 912272630 x 2388723718, 54-bit
19954632 0x1307BC8 PNG image, 2640378862 x 2640325384, 2-bit
19959351 0x1308E37 PNG image, 1067485422 x 1067481096, 6-bit
19993353 0x1311309 PNG image, 412109038 x 412101128, 6-bit
20011792 0x1315B10 PNG image, 716188918 x 1588660230, 42-bit
22228649 0x1532EA9 TIFF image data, big-endian
22501960 0x1575A48 PNG image, 1429217518 x 1429218824, 6-bit
22570639 0x158668F PNG image, 2108696310 x 778110982, 125-bit
22653136 0x159A8D0 PNG image, 3838842102 x 3838841352, 1-bit
22713358 0x15A940E PNG image, 2687509742 x 2687508488, 3-bit
22721381 0x15AB365 PNG image, 763372782 x 763380744, 2-bit
22884371 0x15D3013 PNG image, 47873 x 1687818276, 8-bit/color RGBA,
22898700 0x15D680C PNG image, 2298505966 x 2298487816, 6-bit
23343146 0x164302A PNG image, 831804720 x 4146464774, 85-bit
23610574 0x16844CE PNG image, 2350949110 x 3726706691, 140-bit
23650329 0x168E019 PNG image, 1581270254 x 1581262344, 6-bit
23677782 0x1694B56 PNG image, 3629132022 x 778110982, 216-bit
23696935 0x1699627 PNG image, 1368410350 x 1368402440, 6-bit
24074975 0x16F5ADF ELF 32-bit LSB
25198157 0x1807E4D mcrypt 2.2 encrypted data, algorithm: SAFER-SK64, mode: CFB, keymode: MD5 hash
25250984 0x1814CA8 ELF 32-bit LSB
57385354 0x36BA18A PNG image, 534782190 x 534781448, 2-bit
57543449 0x36E0B19 Zip archive data, compressed size: 901619, uncompressed size: 565116672, name: ""
64792096 0x3DCA620 PNG image, 3786422510 x 3786419464, 6-bit
64809832 0x3DCEB68 PNG image, 60831982 x 60833032, 6-bit colormap,
64916310 0x3DE8B56 PNG image, 1358969070 x 1358970120, 6-bit
65628883 0x3E96AD3 PNG image, 3466611438 x 3466603528, 2-bit
65765347 0x3EB7FE3 PNG image, 47873 x 242335926, 8-bit/color RGB,
65775713 0x3EBA861 PNG image, 1514185454 x 1514174472, 6-bit
65787523 0x3EBD683 PNG image, 3499105526 x 4254140422, 208-bit
65952878 0x3EE5C6E PNG image, 4074773750 x 502335494, 242-bit
65968625 0x3EE99F1 PNG image, 4182798574 x 4182791176, 6-bit
66012131 0x3EF43E3 PNG image, 1240503278 x 1240489224, 6-bit
66209379 0x3F24663 TRX firmware header, little endian, header size: 28 bytes, image size: 293680672 bytes, CRC32: 0x3006087B flags: 0x8C20, version: 27205
66372747 0x3F4C48B PNG image, 2556461038 x 2556443144, 6-bit
66925383 0x3FD3347 PNG image, 1387982128 x 2414686330, 8-bit/color RGBA,
66973942 0x3FDF0F6 PNG image, 1188059118 x 1188047368, 6-bit
66987049 0x3FE2429 PNG image, 2543860974 x 2543857160, 6-bit
67091879 0x3FFBDA7 PNG image, 2192599798 x 2914060294, 130-bit
67220255 0x401B31F PNG image, 3586166766 x 3586161160, 6-bit
67231487 0x401DEFF PNG image, 37785582 x 37779976, 6-bit/color RGB,
67258804 0x40249B4 PNG image, 2050002926 x 2049997320, 6-bit
67375487 0x404117F PNG image, 77631470 x 77625864, 6-bit gray+alpha,
67402007 0x4047917 PNG image, 998281198 x 998275592, 6-bit
68199810 0x410A582 PNG image, 3170943214 x 3170902280, 6-bit
69724872 0x427EAC8 PNG image, 2342527866 x 95488146, 161-bit
From the sizes and number of PNG detection I don't think the detection is right. Any ideas?
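Hits like the ones listed above can be triaged by checking the fixed 33-byte start of a PNG file (8-byte signature plus a 13-byte IHDR chunk with its CRC). This is an added example, not binwalk's signature logic; the sample bytes are constructed, two of them carrying dimensions reported in the output above, and the 4-byte scan prefix is an assumption about how loosely a signature might match.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Bit depths allowed for each colour type by the PNG specification
VALID_DEPTHS = {0: (1, 2, 4, 8, 16), 2: (8, 16), 3: (1, 2, 4, 8),
                4: (8, 16), 6: (8, 16)}


def check_png_header(blob, off):
    """Return None if a plausible PNG starts at off, otherwise the reason it fails."""
    head = blob[off:off + 33]
    if len(head) < 33:
        return "truncated"
    if head[:8] != PNG_SIG:
        return "bad signature"
    length, ctype = struct.unpack(">I4s", head[8:16])
    if length != 13 or ctype != b"IHDR":
        return "first chunk is not a 13-byte IHDR"
    width, height, depth, colour, comp, filt, lace = struct.unpack(
        ">IIBBBBB", head[16:29])
    if not (0 < width <= 0x7FFFFFFF and 0 < height <= 0x7FFFFFFF):
        return "dimension out of range"
    if depth not in VALID_DEPTHS.get(colour, ()):
        return "invalid bit depth for colour type"
    if comp != 0 or filt != 0 or lace not in (0, 1):
        return "invalid compression, filter or interlace method"
    (crc,) = struct.unpack(">I", head[29:33])
    if zlib.crc32(head[12:29]) & 0xFFFFFFFF != crc:   # CRC covers type + data
        return "IHDR CRC mismatch"
    return None


def scan(blob, prefix=b"\x89PNG"):
    """Check every occurrence of a short prefix; return [(offset, reason_or_None)]."""
    hits = []
    pos = blob.find(prefix)
    while pos != -1:
        hits.append((pos, check_png_header(blob, pos)))
        pos = blob.find(prefix, pos + 1)
    return hits


def build_sample():
    """Constructed data: one well-formed header and four false positives."""
    def ihdr(width, height, depth, colour, good_crc=True):
        body = b"IHDR" + struct.pack(">IIBBBBB", width, height, depth, colour, 0, 0, 0)
        crc = zlib.crc32(body) & 0xFFFFFFFF
        if not good_crc:
            crc ^= 1
        return PNG_SIG + struct.pack(">I", 13) + body + struct.pack(">I", crc)
    return (b"\x00" * 7
            + ihdr(640, 480, 8, 6)                      # well-formed RGBA header
            + b"\xaa" * 5
            + ihdr(435166958, 435167496, 3, 0)          # "3-bit" as in the output
            + b"\x89PNG" + b"\x11" * 40                 # prefix followed by junk
            + ihdr(640, 480, 8, 6, good_crc=False)
            + ihdr(1622790752, 4145481730, 8, 6)        # height above 2^31 - 1
            + b"\x00" * 4)


if __name__ == "__main__":
    for off, reason in scan(build_sample()):
        print("0x%X %s" % (off, reason or "plausible PNG"))
```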
Ran into this error today on a fresh Kali install (1.0.5) and Python 2.7.3:
root@kali:~/Desktop# binwalk XXXXXXXXXX.bin
Traceback (most recent call last):
File "/usr/bin/binwalk", line 536, in <module>
main()
File "/usr/bin/binwalk", line 481, in main
plugins_blacklist=plugin_blacklist)
File "/usr/lib/pymodules/python2.7/binwalk/__init__.py", line 306, in scan
self.plugins = Plugins(self, whitelist=plugins_whitelist, blacklist=plugins_blacklist)
NameError: global name 'Plugins' is not defined
It can be remedied by removing
/usr/lib/pymodules/python2.7/binwalk/plugins/__init__.py
/usr/lib/pymodules/python2.7/binwalk/plugins/__init__.pyc
/usr/lib/pymodules/python2.6/binwalk/plugins/__init__.py
/usr/lib/pymodules/python2.6/binwalk/plugins/__init__.pyc
Currently if you run binwalk -e on a file containing jpeg files, binwalk will create an empty folder.
To actually extract the files you have to make a dummy entry in ~/.binwalk/config/extract.conf, like:
jpeg:jpg:echo
Would it be possible to either make -e extract all recognizable file types or provide a new option which does this?
Hi Craig, I have another suggestion for binwalk: perform directory tree diff using Fuzzy Hashing. Please check here: http://w00tsec.blogspot.com/2013/12/binwally-directory-tree-diff-tool-using.html
This would be interesting to have as a new command line switch under the Binary Diffing options, for example.
Thank you for implementing the {string-len} keyword. When I pushed my commit I used the following magic with multiple string-len keywords. I understand the concept of stripping everything after the {string-len} keyword, but perhaps we can do something to avoid the limitation?
4 lelong x {file-size:%d-{string-len:
20 string x \b%s}-1}
20 string x {offset-adjust:21+{string-len:%s}}
My friend devttys0,
Could you help me with this problem,
When I tried to extract the folders from my firmware (cramfs file), all the modules have no data. They appear to be the correct size but when looked at via hex editor have no data at all. https://github.com/timigo/Firmware/blob/master/Firmware_MG.bin is the unextracted original firmware file. The cramfs file of the firmware fails to extract any non-corrupt modules. Please help me to extract this cramfs of the firmware; I need to edit some pastes in this firmware. Thanks.
The firmware file https://github.com/Lightsword1942/jungo-image/blob/master/4.0.16.1.56.0.10.11.6-MI424WR.rmt for the MI424-WR Actiontec router appears unable to decompress. https://github.com/Lightsword1942/jungo-image/tree/master/_4.0.16.1.56.0.10.11.6-MI424WR.rmt.extracted
This https://github.com/Lightsword1942/jungo-image/blob/master/MI424-WR-0018017A3ED9.bin is a dumped image that was created using this imaging script: https://github.com/Lightsword1942/jungo-image/blob/master/jungo-image-2.py
binwalk does not appear to identify anything.
Inside an update zip for a Sony car head deck, http://www.sony.com.au/support/download/553228
The only detection from update.bin is:
5683379 0x56B8B3 XBE, Microsoft Xbox executable, signed
Which seems unlikely!
This is for the ArchAssault project, we would like to see if we can get this new version released asap.
Latest 2.0.0 version with python-pyqtgraph, python-pydeep, python-opengl, python-magic
writing byte-compilation script '/tmp/tmppsod3twp.py'
/usr/bin/python -O /tmp/tmppsod3twp.py
File "/binwalk/pkg/binwalk/usr/lib/python3.4/site-packages/binwalk/libs/pyqtgraph/graphicsItems/tests/ViewBox.py", line 45
print "link views match:", viewsMatch()
^
SyntaxError: invalid syntax
I had to patch the makefile to get it to install in a fakeroot as it installs to /usr by default.
--- Makefile.orig 2014-07-26 17:21:03.872987035 -0400
+++ Makefile 2014-07-26 17:21:44.969019430 -0400
@@ -3,6 +3,7 @@
export SONAME=-soname
export SOEXT=so
export prefix=/usr
+export DESTDIR=""
export exec_prefix=${prefix}
export LIBDIR=${exec_prefix}/lib
export INSTALL_OPTIONS=-m644
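Review bot: the added `export DESTDIR=""` is an unconditional assignment, so a DESTDIR supplied through the packager's environment (rather than on the make command line) is overwritten, and because make does not strip quotes the exported value is the two literal quote characters, not an empty string. Suggest `DESTDIR ?=` with nothing after it, kept exported, plus a one-line comment that it is a staging prefix for packaging. The lines that would prepend $(DESTDIR) to the install paths are not visible in the later hunks, so that part cannot be checked from what is shown.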
@@ -22,7 +23,7 @@
ifeq (
PREFIX=""
else
.PHONY: all install build deps clean uninstall
@@ -30,7 +31,7 @@
all: build
install: build
build:
if [ "$(BUILD_C_LIBS)" -eq "1" ]; then make -C $(SRC_C_DIR); fi
Thanks
Arch3y
If libtinfl is asked to decompress a large block of invalid/corrupt deflated data, it just spins until locking up the machine.
The parameters are used if they were enabled/disabled, but they are actually passed/not-passed.
I'll probably send a patch to fix that later, but in the meantime be warned.
Further reference: https://www.flameeyes.eu/autotools-mythbuster/autoconf/arguments.html
(sorry if this submits twice, Github is being weird)
With recursively extracting a firmware image I noticed a recurring pattern of files being identified as containing deflate streams a single byte apart, e.g.:
$ binwalk -MerX ./_DB849F.extracted/_D2.extracted/_3E.extracted/2D1
Scan Time: 2014-08-25 07:27:51
Target File: ./_DB849F.extracted/_D2.extracted/_3E.extracted/2D1
MD5 Checksum: 82aafd83cffb268ab5cafedf152f9e92
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
60 0x3C Raw deflate compression stream, uncompressed size >= 33787
61 0x3D Raw deflate compression stream, uncompressed size >= 33787
One such file (the one from this example) is uuencoded here; doesn't look very compressed to me.
This was done with binwalk cloned from git about an hour ago.
I downloaded wrt120n from http://downloads.linksys.com/downloads/firmware/1224646102739/FW_WRT120N_1.0.07.002_US.bin
I have this problem....
There is a full dump as follows:
Ubuntu@Ubuntu:~/Firmware$ binwalk FW_WRT120N_1.0.07.002_US.bin
DECIMAL HEXADECIMAL DESCRIPTION
1041408 0xFE400 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 1420202 bytes
Ubuntu@Ubuntu:~/Firmware$ binwalk -I FW_WRT120N_1.0.07.002_US.bin
DECIMAL HEXADECIMAL DESCRIPTION
3081 0xC09 JFFS2 filesystem, little endian, invalid, invalid invalid
6074 0x17BA Foscam WebUI filesystem, checksum: 0xBF36, invalid first file name length, first file name: "fu%5t\013\230\205f=\355C\260\263\367s\272\231\030\227s\247X\353\204Lxa\030\363wW\3568\226\327\240)\024\214@\255\314N\035\263\302\237\217+w\022\340+\301%\213=\317\303\346!^"
9615 0x258F JFFS2 filesystem, big endian, invalid, invalid
Binwalk can't extract filesystem from the WRT120N.
Any ideas?
thanks
The new 3D visualization option requires python-opengl (for Debian derivatives), easy_install should include something like apt-get install python-opengl (or download directly using pip).
$ binwalk --3D firm.bin
Unexpected error: No module named OpenGL.GL
$ sudo apt-get install python-opengl
$ binwalk --3D firm.bin
Generating data points for firm.bin
Generating plot points from 1378803 data points
Calculating weight...
Weight: 3
Generating graph from 1616 plot points
[20:41:33]
In addition to that, I didn't have OpenGL drivers on my virtual machine and had to install "nvidia-current" package (Nvidia gfx card) for the 3D visualization to work.
Running ./configure I get the following error on Ubuntu 12.04:
config.status: executing libtool commands
Can't exec "libtoolize": No such file or directory at /usr/bin/autoreconf line 196.
Use of uninitialized value in pattern match (m//) at /usr/bin/autoreconf line 196.
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal -I m4
configure.ac:13: warning: macro `AM_PROG_LIBTOOL' not found in library
autoreconf: configure.ac: tracing
autoreconf: configure.ac: not using Libtool
autoreconf: running: /usr/bin/autoconf
autoreconf: running: /usr/bin/autoheader
autoreconf: running: automake --no-force
Makefile.am:9: Libtool library used but `LIBTOOL' is undefined
Makefile.am:9: The usual way to define `LIBTOOL' is to add `LT_INIT'
Makefile.am:9: to `configure.ac' and run `aclocal' and `autoconf' again.
Makefile.am:9: If `LT_INIT' is in `configure.ac', make sure
Makefile.am:9: its definition is in aclocal's search path.
autoreconf: automake failed with exit status: 1
This can be fixed by installing the libtoolize package.
I am trying to make a custom signature:
struct header
{
char description[12];
int32_t header_size;
int32_t image_size;
int32_t creation_date;
char magic[4]; //Magic bytes are: 'SIG0'
};
I believe that the following magic file should work, but it fails even to detect SIG0.
0 string SIG0 SIG0 firmware header,{jump-to-offset:-24}
4 string x description: "%s",
16 lelong x header size: %d,
20 lelong x size: %d,
24 ledate x date: %s
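An added example (not from the original post and not binwalk's own code) that locates the header described above with plain Python rather than a magic signature. It assumes the struct is packed and little-endian, that creation_date is a Unix timestamp as the ledate line implies, and that the image data follows the header; find_headers, build_sample and the sample bytes are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

MAGIC = b"SIG0"
# description[12], header_size, image_size, creation_date, magic[4]
HEADER = struct.Struct("<12siii4s")  # 28 bytes; magic sits at offset 24
MAGIC_OFFSET = 24


def find_headers(blob):
    """Scan blob for SIG0 and parse the header that ends with each hit."""
    hits = []
    pos = blob.find(MAGIC)
    while pos != -1:
        start = pos - MAGIC_OFFSET  # header begins 24 bytes before the magic
        if start >= 0:
            desc, hsize, isize, cdate, _ = HEADER.unpack_from(blob, start)
            text = desc.rstrip(b"\x00")
            # Sanity checks (assumed semantics) to reject stray "SIG0" bytes.
            plausible = (
                all(32 <= b < 127 for b in text)
                and hsize >= HEADER.size
                and isize > 0
                and cdate >= 0
                and start + hsize + isize <= len(blob)
            )
            if plausible:
                created = datetime.fromtimestamp(cdate, tz=timezone.utc)
                hits.append({
                    "offset": start,
                    "description": text.decode("ascii"),
                    "header_size": hsize,
                    "image_size": isize,
                    "created": created.isoformat(),
                })
        pos = blob.find(MAGIC, pos + 1)
    return hits


def build_sample():
    """Constructed test blob: one real header plus two decoy magics."""
    payload = b"\xAA" * 64
    good = HEADER.pack(b"ACME-FW", HEADER.size, len(payload), 1406332800, MAGIC)
    # Decoy 1: magic too close to the start. Decoy 2: garbage before magic.
    return b"xxxSIG0" + b"\x00" * 9 + good + payload + b"\xff" * 24 + MAGIC


if __name__ == "__main__":
    for hit in find_headers(build_sample()):
        print(hit)
```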
Hi Binwalk team,
I'm trying to do an installation of binwalk on your newer version, and until now it doesn't work.
The install fails on FreeBSD 10, CentOS 6.4 and Fedora 17. But now, I will insist on CentOS 6.
The error on CentOS says that "MAGIC_NO_CHECK_TEXT" is undeclared, and shows the following URL to do a manual installation of "libmagic": ftp://ftp.astron.com/pub/file/file-5.14.tar.gz. After the download, unpack, configure, make and make install, the error is still the affirmation that my libmagic is old.
Fine... Which Linux or Unix-like operating system is approved by the binwalk team?
I downloaded the master branch today.
Thanks and sorry about my bad English.