Let’s Analyze Firmware Files With Binwalk Tool

Provido

21 Oct 2015

Hello,
In this topic we will analyze firmware with Binwalk, a forensic analysis tool. Let's start with some definitions.
What Does a Binwalk tool do?
It is a tool that scans the raw (hexadecimal) contents of a firmware file for known signatures. With it, the files and file systems embedded in the examined file can be identified and analyzed. Information obtained from such an analysis can be presented as forensic evidence in court.
What is Firmware?
It is software that defines the functions of a hardware device and makes sure those functions are carried out correctly. It is found in electronic devices such as MP3 players, modems and printers. Although firmware can be read, it is not changed afterwards except through updates.
FIRMWARE ANALYSIS WITH BINWALK TOOL
Of course, we need a firmware file before we can start the analysis. You can download firmware files from the internet to practice with. I will use a firmware file I found on the internet while explaining the subject.
Binwalk is a tool that comes installed on Linux systems, so we can proceed directly to our work without covering the installation. First, let's view the parameters we can use with the tool by running the following command.
Code:
binwalk -h

Now that we know the parameters, we can move on to the analysis. I specify the file to analyze and start the analysis by typing the following command.
Code:
binwalk dosya/konumu/dosya_adi.bin

Here we see that a file system is reported at address "1147023". Looking at the Description column, we can see that a squashfs file system starts at this address.
For this reason, we will try to extract the squashfs file system from the firmware. The dd tool lets us copy the identified file system out of the firmware. We specify our firmware with the if parameter.
We specify the new file to be created with the of parameter. We specify the address at which the file system starts with the skip parameter. We also specify the block size with the bs parameter.
Setting bs to 1 makes skip count in single bytes, so the decimal address reported by binwalk can be used directly and the file is read from exactly the right place. We can therefore write our command as follows.
Code:
dd if=firmware/dosya/konumu/dosya_adi.bin of=cikti/yolu/dosya_adi skip=1147023 bs=1
After the process completes successfully, our output file is created in the location we specified. Now let's confirm that the operation worked correctly. To do this, enter the following command.
Code:
binwalk dosya/konumu/dosya_adi

As you can see above, the "test.squashfs" file we extracted now shows the squashfs file system at address "0". This indicates that the operation completed successfully. Now we will make the contents of the new file we created from the firmware, which are currently in compressed form, readable.
We can use the unsquashfs tool for this. Before installing the tool, let's install a few packages that it needs on our system.
Code:
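As an added example (not from the original post), the following Python script imitates what binwalk and dd do in the steps above: it scans a constructed firmware image for the squashfs superblock signature, reports the offset and superblock fields, carves the file system out by byte offset, and then confirms that the carved image shows the signature at offset 0, the same check made above with binwalk. The image, offset and sizes are constructed for the demonstration.

```python
import struct

# squashfs stores its superblock magic 0x73717368 little-endian, which appears on disk as the
# ASCII bytes "hsqs"; this is the signature binwalk reports as "Squashfs filesystem".
SQUASHFS_MAGIC = b"hsqs"
# v4 superblock prefix: magic, inodes, mkfs_time, block_size, fragments,
# compression, block_log, flags, no_ids, s_major, s_minor, root_inode, bytes_used
SUPERBLOCK_FMT = "<5I6HQQ"
COMPRESSION = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}

def find_squashfs(blob: bytes):
    """Return (offset, info) for the first plausible squashfs v4 superblock, or None."""
    need = struct.calcsize(SUPERBLOCK_FMT)
    pos = blob.find(SQUASHFS_MAGIC)
    while 0 <= pos <= len(blob) - need:
        (_, inodes, _, block_size, _, comp, block_log, _, _,
         major, minor, _, bytes_used) = struct.unpack_from(SUPERBLOCK_FMT, blob, pos)
        # Sanity checks reject a chance 4-byte match inside unrelated data.
        if (major == 4 and block_size == 1 << block_log and comp in COMPRESSION
                and 0 < bytes_used <= len(blob) - pos):
            return pos, {"inodes": inodes, "block_size": block_size, "version": f"{major}.{minor}",
                         "compression": COMPRESSION[comp], "bytes_used": bytes_used}
        pos = blob.find(SQUASHFS_MAGIC, pos + 1)
    return None

def carve(blob: bytes, offset: int, length: int) -> bytes:
    """The bytes `dd if=fw of=out skip=<offset> bs=1 count=<length>` would copy
    (bs=1 makes skip a byte offset, so binwalk's decimal address is used as-is)."""
    return blob[offset:offset + length]

def build_sample_firmware(offset: int = 1147023) -> bytes:
    """Constructed test image: junk header, 0xFF padding, then a squashfs superblock at `offset`."""
    header = b"FAKEHDR\x00" + bytes(range(256)) * 4
    tables = b"\x00" * 4000  # stand-in for the compressed inode/directory tables
    bytes_used = 96 + len(tables)  # a v4 superblock is 96 bytes long
    superblock = struct.pack(SUPERBLOCK_FMT, 0x73717368, 12, 0, 1 << 17, 0,
                             4, 17, 0xC0, 1, 4, 0, 0, bytes_used).ljust(96, b"\x00")
    return header + b"\xff" * (offset - len(header)) + superblock + tables

if __name__ == "__main__":
    fw = build_sample_firmware()
    offset, info = find_squashfs(fw)
    print(f"{offset:<12}{offset:<12X}Squashfs filesystem, little endian, version {info['version']}, "
          f"{info['compression']} compressed, size: {info['bytes_used']} bytes")
    print(f"dd if=firmware.bin of=test.squashfs skip={offset} bs=1 count={info['bytes_used']}")
    carved = carve(fw, offset, info["bytes_used"])
    print("carved image has its superblock at offset:", find_squashfs(carved)[0])  # 0
```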
apt-get install liblzma-dev
apt-get install subversion
apt-get install zlib1g-dev
apt-get install build-essential

After installing the above packages, we install our tool with the following command.
Code:
apt-get install squashfs-tools

After installation, we make the contents of our file readable by running the unsquashfs tool with the following command.
Code:
unsquashfs -i dosya/konumu/dosya_adi

After the above command runs, a new directory named "squashfs-root" is created in our current directory. Let's change into it with the command below.
Code:
cd ./squashfs-root/

Then, with the following command, let's list the files and folders in the directory.
Code:
ls

Here we have viewed the contents of the file system we extracted. We can now examine the firmware we analyzed through the squashfs-root directory. You can also open this directory in the root directory with a file manager instead of going through the terminal, and view the files there.

I'm finishing the topic here. Thank you, and I wish you good forums.



Turkish Version: https://www.turkhackteam.org/adli-b...yalarini-binwalk-araci-ile-analiz-edelim.html