1. Installation
git clone https://github.com/devttys0/binwalk
cd binwalk
sudo python setup.py install
Cloning from git is very slow, however, so on Linux the following install method is recommended instead:
sudo apt-get install binwalk
2. Usage
2.1 Using binwalk to analyse the file layout of a device's firmware image
binwalk *.bin
The output looks something like this:
--------------------------------------------------------------------------------
218444 0x3554C CRC32 polynomial table, little endian
5947392 0x5AC000 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 6939582 bytes, 945 inodes, blocksize: 262144 bytes, created: 2018-08-06 10:04:01
12964446 0xC5D25E xz compressed data
28391676 0x1B138FC JFFS2 filesystem, little endian
28838384 0x1B809F0 xz compressed data
37483840 0x23BF540 Zlib compressed data, compressed
71368704 0x4410000 UBI erase count header, version: 1, EC: 0x1, VID header offset: 0x800, data offset: 0x1000
(some lines omitted; only representative entries are kept)
--------------------------------------------------------------------------------
The output can be redirected to a text file for easier reading: binwalk *.bin > outstruct.txt
2.2 Extracting the file systems from a device's firmware image with binwalk
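As an added example (my code, not from the original post and not part of binwalk), the Python script below parses the signature table that binwalk prints, checks that the decimal and hex offset columns agree, pulls out the size a Squashfs signature declares, and compares that size against the distance to the next signature. A file system that claims more bytes than are available before the next hit is either a false positive or truncated, which is worth knowing before spending time on extraction. The sample text is constructed from the output shown above plus the DECIMAL/HEXADECIMAL/DESCRIPTION header binwalk prints before the dashed rule; the 128 MB image size is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the entries shown earlier in this post, preceded by the
# column header that binwalk prints before the dashed rule.
SAMPLE_OUTPUT = """\
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
218444        0x3554C         CRC32 polynomial table, little endian
5947392       0x5AC000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 6939582 bytes, 945 inodes, blocksize: 262144 bytes, created: 2018-08-06 10:04:01
12964446      0xC5D25E        xz compressed data
28391676      0x1B138FC       JFFS2 filesystem, little endian
28838384      0x1B809F0       xz compressed data
37483840      0x23BF540       Zlib compressed data, compressed
71368704      0x4410000       UBI erase count header, version: 1, EC: 0x1, VID header offset: 0x800, data offset: 0x1000
"""

# One signature row: decimal offset, hex offset, free-text description.
ROW_RE = re.compile(r"^\s*(\d+)\s+(0x[0-9A-Fa-f]+)\s+(.+?)\s*$")
# Size that some signatures (e.g. Squashfs) declare inside the description.
SIZE_RE = re.compile(r"\bsize:\s*(\d+)\s*bytes")


@dataclass
class Signature:
    offset: int
    description: str
    declared_size: Optional[int]  # size claimed by the signature itself, if any

    @property
    def kind(self) -> str:
        # The first comma-separated field is the signature name, e.g. "Squashfs filesystem".
        return self.description.split(",")[0].strip()


def parse_binwalk(text: str) -> List[Signature]:
    """Parse binwalk's signature table; header, rule and WARNING lines are skipped."""
    sigs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        dec, hx, desc = m.groups()
        # binwalk prints the same offset twice; a mismatch means the line was mangled.
        if int(dec) != int(hx, 16):
            raise ValueError(f"decimal/hex offset disagree: {line!r}")
        size = SIZE_RE.search(desc)
        sigs.append(Signature(int(dec), desc, int(size.group(1)) if size else None))
    return sigs


def region_spans(sigs: List[Signature], image_size: int) -> List[Tuple[int, int, str]]:
    """(offset, bytes available until the next signature or end of image, kind)."""
    spans = []
    for i, s in enumerate(sigs):
        end = sigs[i + 1].offset if i + 1 < len(sigs) else image_size
        spans.append((s.offset, end - s.offset, s.kind))
    return spans


def oversized(sigs: List[Signature], image_size: int) -> List[Signature]:
    """Signatures whose declared size exceeds the room before the next hit.
    Such a hit is either a false positive or a truncated file system."""
    bad = []
    for s, (_off, avail, _kind) in zip(sigs, region_spans(sigs, image_size)):
        if s.declared_size is not None and s.declared_size > avail:
            bad.append(s)
    return bad


def filesystems(sigs: List[Signature]) -> List[Signature]:
    """The entries worth extracting: file systems and UBI containers."""
    return [s for s in sigs
            if "filesystem" in s.description.lower() or s.kind.startswith("UBI")]


if __name__ == "__main__":
    image_size = 128 * 1024 * 1024  # assumed image size for the demo
    sigs = parse_binwalk(SAMPLE_OUTPUT)
    for off, avail, kind in region_spans(sigs, image_size):
        print(f"0x{off:08X} {avail:>10} bytes  {kind}")
    print("file systems:", [s.kind for s in filesystems(sigs)])
    print("oversized:", [s.kind for s in oversized(sigs, image_size)])
```

In the sample the Squashfs entry declares 6939582 bytes and has 7017054 bytes before the next xz hit, so it fits; the regexes only need the two offset columns and the description, so the same parser works on output redirected to a file as suggested above.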
binwalk -e *.bin
Errors such as the following may appear, however:
WARNING: Extractor.execute failed to run external extractor 'jefferson -d '%%jffs2-root%%' '%e'': [Errno 2] No such file or directory: 'jefferson': 'jefferson'
57470232 0x36CED18 JFFS2 filesystem, little endian
57488704 0x36D3540
Make sure all of your tools are up to date and you have the necessary plugins installed. From
https://github.com/ReFirmLabs/binwalk/blob/master/INSTALL.md:
Binwalk relies on multiple external utilities in order to automatically extract/decompress files and data:
# Install standard extraction utilities
$ sudo apt-get install mtd-utils gzip bzip2 tar arj lhasa p7zip p7zip-full cabextract cramfsprogs cramfsswap squashfs-tools sleuthkit default-jdk lzop srecord
# Install sasquatch to extract non-standard SquashFS images
$ sudo apt-get install zlib1g-dev liblzma-dev liblzo2-dev
$ git clone https://github.com/devttys0/sasquatch
$ (cd sasquatch && ./build.sh)
# Install jefferson to extract JFFS2 file systems
$ sudo pip install cstruct
$ git clone https://github.com/sviehb/jefferson
$ (cd jefferson && sudo python setup.py install)
# Install ubi_reader to extract UBIFS file systems
$ sudo apt-get install liblzo2-dev python-lzo
$ git clone https://github.com/jrspruitt/ubi_reader
$ (cd ubi_reader && sudo python setup.py install)
# Install yaffshiv to extract YAFFS file systems
$ git clone https://github.com/devttys0/yaffshiv
$ (cd yaffshiv && sudo python setup.py install)
# Install unstuff (closed source) to extract StuffIt archive files
$ wget -O - http://my.smithmicro.com/downloads/files/stuffit520.611linux-i386.tar.gz | tar -zxv
$ sudo cp bin/unstuff /usr/local/bin/
Note that for Debian/Ubuntu users, all of the above dependencies can be installed automatically using the included deps.sh
script:
$ sudo ./deps.sh
Tools you do not need do not all have to be installed.
Error during installation:
xz_wrapper.h:50:2: error: unknown type name ‘lzma_vli’
cd into squashfs-tools, edit the Makefile to comment out the XZ_SUPPORT = 1 line, then try building again. Note: do not run ./build.sh directly at this point.
Inside the squashfs-tools folder run: sudo make && sudo make install
Error:
WARNING: Extractor.execute failed to run external extractor 'ubireader_extract_files -o '%%ubifs-root%%' '%e'': [Errno 2] No such file or directory: 'ubireader_extract_files': 'ubireader_extract_files'
Then re-run the extraction.
If the -M option is also given, binwalk will recursively scan the files it extracts:
binwalk -Me *.bin
During extraction, however, you will find that for some firmware the extracted files are enormous: a 128 MB image produced 16 GB of output, which will need to be dealt with later.
3. Installing the binwalk IDA plugin
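The two WARNING lines above both come from binwalk shelling out to a helper binary that is not on PATH, and the 16 GB blow-up comes from recursive extraction with no limits. As an added example (my code, not binwalk's and not from the original post), the Python preflight below looks up the helper binaries for each file-system type found in the scan before extraction starts, and builds a binwalk command that caps recursion depth (-d), per-file size (-j) and file count (-n), which are binwalk 2.x extraction options. The keyword-to-binary mapping is an assumption based on the error messages quoted in this post and the tools listed in INSTALL.md; the file names in the demo are constructed.

```python
import shlex
import shutil
from typing import Callable, Dict, Iterable, List, Optional

# Signature keyword -> helper binaries binwalk may call for it (any one suffices).
# Assumption based on the error messages quoted in this post and the INSTALL.md
# list above: squashfs-tools/sasquatch, jefferson, ubi_reader, yaffshiv.
EXTRACTORS: Dict[str, List[str]] = {
    "Squashfs": ["unsquashfs", "sasquatch"],
    "JFFS2": ["jefferson"],
    "UBI": ["ubireader_extract_files"],
    "YAFFS": ["yaffshiv"],
}


def missing_extractors(descriptions: Iterable[str],
                       which: Callable[[str], Optional[str]] = shutil.which) -> Dict[str, List[str]]:
    """For each file-system type named in the scan, return the helper candidates
    when none of them is on PATH. `which` is injectable so the check can be
    exercised on a machine that lacks the tools."""
    needed = {key for d in descriptions for key in EXTRACTORS if key in d}
    return {key: EXTRACTORS[key] for key in sorted(needed)
            if not any(which(binary) for binary in EXTRACTORS[key])}


def extraction_command(image: str, outdir: str, max_depth: int = 2,
                       max_file_mb: int = 512, max_files: int = 500) -> List[str]:
    """Build `binwalk -Me` with the limits that stop a runaway recursive extraction:
    -d caps matryoshka depth (binwalk's default is 8), -j caps each extracted file
    in bytes, -n caps the number of extracted files, -C sets the output directory."""
    return ["binwalk", "-Me",
            "-d", str(max_depth),
            "-j", str(max_file_mb * 1024 * 1024),
            "-n", str(max_files),
            "-C", outdir,
            image]


def preflight(image: str, outdir: str, descriptions: Iterable[str]) -> Optional[List[str]]:
    """Return the command to run, or None (after reporting what is missing), so the
    run fails before extraction rather than halfway through it."""
    missing = missing_extractors(descriptions)
    if missing:
        for key, candidates in missing.items():
            print(f"{key}: none of {candidates} found on PATH")
        return None
    return extraction_command(image, outdir)


if __name__ == "__main__":
    # Constructed descriptions, copied from the scan output earlier in this post.
    found = ["Squashfs filesystem, little endian, version 4.0",
             "JFFS2 filesystem, little endian",
             "UBI erase count header, version: 1"]
    cmd = preflight("firmware.bin", "extracted", found)
    if cmd:
        print(shlex.join(cmd))
```

The limits are deliberately conservative: a 128 MB image that legitimately needs more than 512 MB per extracted file or more than two levels of nesting is unusual, and raising the caps after a bounded first pass is cheaper than filling a disk with 16 GB of output and starting over.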
python setup.py idainstall --idadir=/home/user/ida
Uninstall:
python setup.py idauninstall --idadir=/home/user/ida