- 21 Oct 2015
Hello,
In this post we will analyze a firmware image with Binwalk, a firmware analysis and reverse-engineering tool that is also used in forensic work. Let's start with a couple of definitions.
What does the Binwalk tool do?
Binwalk scans a binary file, such as a firmware image, for the signatures (magic bytes) of known file formats and file systems, and for each match it reports the offset where it was found and a short description. The embedded files it finds can then be carved out of the image and analyzed separately. Because the scan is reproducible, its results can also be documented as evidence in a forensic investigation.
What is firmware?
Firmware is the software that defines the functions of a hardware device and makes sure they are performed correctly. It is found in electronic devices such as MP3 players, modems and printers. Firmware can be read out of a device, but apart from occasional updates it is normally not changed after manufacture.
FIRMWARE ANALYSIS WITH BINWALK TOOL
Of course, we need a firmware image before we can analyze anything. Firmware images for many devices can be downloaded from the internet, so you can practice on a real one. I will use an image I found on the internet while explaining the subject.
Binwalk comes preinstalled on many security-oriented Linux distributions, so we can skip the installation and go straight to work. First, let's view the parameters the tool accepts by running the following command.
Code:
binwalk -h
Now that we know the parameters, we can move on to the analysis. We specify the file to analyze and start the scan with the following command.
Code:
binwalk path/to/file_name.bin
In the output, the DECIMAL column shows the offset at which each signature was found. Here one of the lines points to offset 1147023, and its Description column tells us that a Squashfs file system starts at that offset.
So we will try to extract the Squashfs file system from the firmware. The dd tool lets us carve the file system out of the image. We specify our firmware with the if parameter and the new file to be created with the of parameter.
The skip parameter takes the offset that binwalk reported for the file system, and the bs parameter sets the block size. dd counts skip in blocks, so giving bs=1 makes skip count single bytes and guarantees that reading starts exactly at the reported offset.
(bs=1 is slow on large images; with GNU dd you can use a larger block size together with iflag=skip_bytes, and binwalk -e can carve the file system for you automatically.) Since we give no count parameter, dd copies everything from the offset to the end of the image; the trailing data does not stop unsquashfs from reading the file system. The command therefore looks like this.
Code:
dd if=path/to/firmware/file_name.bin of=output/path/file_name skip=1147023 bs=1
When the command finishes, the output file is created in the location we specified. Now let's confirm that the carve was correct by scanning the new file with binwalk.
Code:
binwalk output/path/file_name
As you can see, the Squashfs signature in the file we extracted (test.squashfs in my case) is now reported at offset 0. This shows that the carve started exactly at the file system header. Now we will make the contents of this new file, which is currently a compressed file system image, readable.
We can use the unsquashfs tool for this. Before installing the tool, let's install a few packages on our system. They are build dependencies, so they are only needed if you compile squashfs-tools from source instead of installing the distribution package, but installing them first does no harm.
Code:
apt-get install liblzma-dev
Code:
apt-get install subversion
Code:
apt-get install zlib1g-dev
Code:
apt-get install build-essential
After installing the above packages, we install the tool itself with the following command.
Code:
apt-get install squashfs-tools
After installation, we unpack the image with unsquashfs. The -i option prints each file as it is extracted, so we can follow the process.
Code:
unsquashfs -i output/path/file_name
After the above command, a new directory named squashfs-root is created under the current directory. Let's go to this directory with the command below.
Code:
cd ./squashfs-root/
Then, with the following command, let's list the files and folders in the directory.
Code:
ls
We have now listed the contents of the file system image we extracted. This is typically the device's own root file system, so under squashfs-root you can examine its configuration files, startup scripts and binaries and learn how the firmware works. Because squashfs-root is created in the directory you ran unsquashfs from, you can also browse it in a file manager instead of the terminal.
I'm finishing the topic here. Thank you, and happy forums.
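To show what the three steps above (binwalk scan, dd carve, binwalk check) actually do at the byte level, here is an added example in Python. It is not part of the original post and it is not binwalk's own code: it builds a constructed firmware image (not a real vendor file) with a Squashfs v4 superblock at the offset quoted in the post, scans the image for the Squashfs magic bytes the way a signature scanner does, rejects a decoy match that only looks like the magic, carves the file system out like the dd command, and confirms that the carved file reports the signature at offset 0. The offset 1147023, the field values and the decoy banner are all assumptions chosen for the demonstration.

```python
import struct
from datetime import datetime, timezone

# Squashfs v4 superblock (little-endian), 96 bytes, from the Squashfs on-disk
# format. binwalk's "Squashfs filesystem" signature keys on the 4-byte magic
# that starts this structure.
SQUASHFS_MAGIC = b"hsqs"                     # "sqsh" is the big-endian form
SUPERBLOCK_FMT = "<IIIIIHHHHHHQQQQQQQQ"
SUPERBLOCK_SIZE = struct.calcsize(SUPERBLOCK_FMT)   # 96
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def parse_superblock(data, offset):
    """Parse the superblock at `offset`; return a dict, or None if the header
    is not a plausible Squashfs v4 superblock (the magic alone is not proof)."""
    if offset + SUPERBLOCK_SIZE > len(data):
        return None
    (magic, inodes, mkfs_time, block_size, fragments, compression, block_log,
     _flags, no_ids, major, minor, _root, bytes_used,
     *_tables) = struct.unpack_from(SUPERBLOCK_FMT, data, offset)
    if magic != struct.unpack("<I", SQUASHFS_MAGIC)[0] or major != 4:
        return None
    # Plausibility checks that let a scanner reject accidental matches.
    if not (12 <= block_log <= 20) or block_size != 1 << block_log:
        return None
    if compression not in COMPRESSORS or no_ids == 0:
        return None
    if bytes_used < SUPERBLOCK_SIZE or bytes_used > len(data) - offset:
        return None
    return {
        "version": f"{major}.{minor}",
        "compression": COMPRESSORS[compression],
        "bytes_used": bytes_used,
        "inodes": inodes,
        "fragments": fragments,
        "block_size": block_size,
        "created": datetime.fromtimestamp(mkfs_time, tz=timezone.utc)
                           .strftime("%Y-%m-%d %H:%M:%S"),
    }


def scan(data):
    """Return [(offset, superblock)] for every plausible Squashfs image in `data`."""
    hits, pos = [], 0
    while (pos := data.find(SQUASHFS_MAGIC, pos)) != -1:
        sb = parse_superblock(data, pos)
        if sb is not None:
            hits.append((pos, sb))
        pos += 1
    return hits


def describe(offset, sb):
    """One result line in the DECIMAL / HEXADECIMAL / DESCRIPTION layout binwalk uses."""
    return (f"{offset:<12d}0x{offset:<12X}Squashfs filesystem, little endian, "
            f"version {sb['version']}, compression:{sb['compression']}, "
            f"size: {sb['bytes_used']} bytes, {sb['inodes']} inodes, "
            f"blocksize: {sb['block_size']} bytes, created: {sb['created']}")


def carve(data, offset, length=None):
    """Equivalent of `dd if=fw of=out bs=1 skip=OFFSET [count=LENGTH]`: with no
    count, dd (and this function) copies from the offset to the end of the file."""
    return data[offset:] if length is None else data[offset:offset + length]


def build_sample_firmware():
    """Constructed sample image (not a real vendor firmware): a text banner that
    happens to contain the bytes 'hsqs', zero padding, a Squashfs superblock at
    the offset quoted in the post, a fake payload, then 0xFF flash padding."""
    sb_offset = 1147023
    banner = b"DEMO-FIRMWARE v1.0 built with mksquashfs (hsqs-4.0 tools)\n"  # decoy magic
    payload_len = 4000
    superblock = struct.pack(
        SUPERBLOCK_FMT,
        0x73717368,                      # magic "hsqs"
        56,                              # inodes
        1445385600,                      # mkfs_time: 2015-10-21 00:00:00 UTC
        131072,                          # block_size
        3,                               # fragments
        4,                               # compression: xz
        17,                              # block_log (2**17 == 131072)
        0x00C0,                          # flags
        1,                               # no_ids
        4, 0,                            # version 4.0
        0,                               # root_inode
        SUPERBLOCK_SIZE + payload_len,   # bytes_used
        0, 0, 0, 0, 0, 0,                # table offsets (unused here)
    )
    image = (banner.ljust(sb_offset, b"\x00") + superblock
             + b"\x5a" * payload_len + b"\xff" * 512)
    return image, sb_offset


if __name__ == "__main__":
    firmware, _ = build_sample_firmware()
    hits = scan(firmware)                       # step 1: binwalk firmware.bin
    for off, sb in hits:
        print(describe(off, sb))
    carved = carve(firmware, hits[0][0])        # step 2: dd ... skip=1147023 bs=1
    print("carved file reports offset:", scan(carved)[0][0])   # step 3: expect 0
```

The decoy banner is why the plausibility checks matter: the bytes hsqs appear in it, but the version and block-size fields that follow make no sense, so the scanner drops it and reports only the real superblock. The same idea explains the post's verification step: after carving, a correct Squashfs image has its superblock at offset 0, and anything else means the skip value was wrong.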
Turkish Version: https://www.turkhackteam.org/adli-b...yalarini-binwalk-araci-ile-analiz-edelim.html