
# Binwalk - Firmware Analysis Tool


Binwalk is a firmware analysis tool built for analysing, reverse engineering and extracting firmware images. It is widely used in IoT security research, embedded-systems analysis and digital forensics to identify file signatures, extract embedded files and map out the structure of a firmware image. The options on this page are those of the Python binwalk 2.x command line (`binwalk --help` is authoritative); the Rust rewrite released as binwalk 3 uses a different option set.

## Basic Usage

### Basic Firmware Analysis
```bash
# Basic signature scanning
binwalk firmware.bin
binwalk router_firmware.bin
binwalk iot_device.bin

# Analyze multiple files in one run
binwalk *.bin
binwalk firmware1.bin firmware2.bin firmware3.bin

# Recursive directory scanning: binwalk takes files, not directories
# (-r means --rm, delete carved files after extraction), so let find do the walking
find /path/to/firmware/ -type f -name '*.bin' -exec binwalk {} +
find ./firmware_samples/ -type f -exec binwalk {} +
```

### Verbose Output
```bash
# Verbose mode for detailed information
binwalk -v firmware.bin

# Quiet mode (suppress the banner and status lines)
binwalk -q firmware.bin

# Select the scan type explicitly
binwalk -B firmware.bin  # signature scan (the default when no scan type is given)
binwalk -E firmware.bin  # entropy scan only
```

## File Signature Analysis

### Signature Scanning
```bash
# Standard signature scan (same as -B)
binwalk firmware.bin
binwalk -B firmware.bin

# Scan for a raw byte sequence instead of the signature database (-R/--raw takes the bytes)
binwalk -R "\x1f\x8b\x08" firmware.bin

# Scan for common executable opcode sequences (hints at the CPU architecture)
binwalk -A firmware.bin

# Scan for raw deflate or LZMA streams that have no container header to match
binwalk -X firmware.bin
binwalk -Z firmware.bin
```

There is no `-C` "compression analysis" flag: `-C` is the extraction output directory.

### Custom Signatures
```bash
# Add a custom magic file (libmagic syntax plus binwalk's own keywords)
binwalk -m custom_magic firmware.bin

# Several magic files can be given
binwalk -m sig1.magic -m sig2.magic firmware.bin

# Disable binwalk's "smart" signature keywords and match the magic rules literally
binwalk -b firmware.bin
```

`-f` is `--log` (write results to a file), not a signature file. Magic files placed in `~/.config/binwalk/magic` are loaded automatically.

## File Extraction

### Basic Extraction
```bash
# Extract all identified files
binwalk -e firmware.bin

# Extract with matryoshka (recursive extraction of extracted files)
binwalk -Me firmware.bin

# Extract to a specific directory (-C/--directory)
binwalk -e -C /tmp/extracted firmware.bin

# Keep symlinks that point outside the extraction directory (default is to sanitize them)
binwalk -e --preserve-symlinks firmware.bin
```

### Selective Extraction
```bash
# Carve only signatures whose description matches the regex, naming files with the given extension
binwalk -D "jpeg image:jpg" firmware.bin
binwalk -D "zip archive:zip" firmware.bin
binwalk -D "gzip compressed:gz" firmware.bin

# Third field: a command to run on each carved file (%e expands to the carved file name)
binwalk -D "gzip compressed:gz:gunzip %e" firmware.bin

# Carve every signature hit, whatever its type
binwalk --dd=".*" firmware.bin

# Carve filesystem signatures without running the external extractors
binwalk -D "filesystem:fs" firmware.bin
```

### Advanced Extraction Options
```bash
# Limit the size of each carved file in bytes (-j/--size); -M is matryoshka and takes no argument
binwalk -e -j 10000000 firmware.bin   # max 10 MB per file

# Limit recursion depth of matryoshka extraction (-d only has an effect together with -M)
binwalk -Me -d 3 firmware.bin

# Stop after N extracted files
binwalk -e -n 5 firmware.bin

# Delete carved files once the external extractor has consumed them
binwalk -e -r firmware.bin

# When binwalk runs as root it refuses to launch extractors unless a user is named;
# give it an unprivileged account (the output directory must be writable by that user)
sudo binwalk -e --run-as=nobody -C /tmp/out firmware.bin
```

## Entropy Analysis

### Basic Entropy Analysis
```bash
# Entropy scan; opens a plot window if a plotting backend is installed
binwalk -E firmware.bin

# Save the plot as a PNG instead of displaying it (-J/--save)
binwalk -E -J firmware.bin

# Entropy with a custom block size in bytes (-K/--block)
binwalk -E -K 1024 firmware.bin

# Faster, less detailed scan
binwalk -E -F firmware.bin
```

### Entropy Visualization
```bash
# Text only: suppress the plot (-N/--nplot)
binwalk -E -N firmware.bin

# Thresholds for the reported rising and falling edges (defaults 0.95 and 0.85)
binwalk -E -H 0.95 -L 0.85 firmware.bin

# Overlay signature results on the entropy plot
binwalk -E -B firmware.bin

# Omit the legend
binwalk -E -Q firmware.bin
```

### Entropy Interpretation

Binwalk reports entropy normalised to 0..1, where 1.0 means 8 bits of information per byte. Regions near 1.0 are either compressed or encrypted. Compressed data normally has a recognisable header (gzip, LZMA, xz, SquashFS) at its rising edge and the entropy falls again at the end of the stream; encrypted data is a flat plateau with no signature hits inside it. Values well below 0.5 are code, tables or padding. An image that is high entropy from start to end with no signatures is encrypted, or a raw compressed stream without a header, which `-X`/`-Z` can still find.
```bash
# Text listing of rising/falling entropy edges with their offsets
binwalk -E -N firmware.bin

# Overlay signature hits on the entropy scan: do the edges coincide with headers?
binwalk -E -B firmware.bin

# Entropy of a sub-range only (-o/--offset and -l/--length; -O is the display base, not the start)
binwalk -E -o 0x1000 -l 0x10000 firmware.bin
```

## Offset and Length Control

### Working with Offsets
```bash
# Start the scan at an offset (-o/--offset)
binwalk -o 0x1000 firmware.bin
binwalk -o 4096 firmware.bin

# Scan only this many bytes (-l/--length)
binwalk -l 0x10000 firmware.bin
binwalk -l 65536 firmware.bin

# Combine offset and length
binwalk -o 0x1000 -l 0x5000 firmware.bin
```

`-O` is `--base`: it adds a base address to every reported offset (useful when the image is mapped at a known address), and `-L` is the entropy falling-edge threshold. Neither selects a range.

### Hexadecimal and Decimal Offsets
```bash
# Hexadecimal and decimal are both accepted
binwalk -o 0x8000 firmware.bin
binwalk -o 32768 firmware.bin

# Window into a large file
binwalk -o 0x100000 -l 0x200000 firmware.bin

# Report offsets relative to a load address
binwalk -O 0x80000000 firmware.bin
```

## Comparison and Diffing

### File Comparison
```bash
# Side-by-side hexdump diff of two (or more) files: green = same in all,
# red = different in all, blue = different in some
binwalk -W firmware1.bin firmware2.bin

# Show only the differing lines (-i/--red); -u shows only identical lines
binwalk -W -i firmware1.bin firmware2.bin

# Compare a sub-range only
binwalk -W -o 0x1000 -l 0x200 firmware1.bin firmware2.bin
```

`-K` is `--block` (block size), not a diff option.

### Version Analysis
```bash
# Compare firmware versions byte by byte, differences only
binwalk -W -i old_firmware.bin new_firmware.bin

# Compare the signature layouts: a new or moved signature is where the change lives
diff <(binwalk -B old_fw.bin) <(binwalk -B new_fw.bin)
```

## Advanced Analysis Features

### Disassembly and Code Analysis

Binwalk does not disassemble. `-A` scans for opcode sequences typical of common architectures (MIPS, ARM, x86, PowerPC and others) and is a quick way to learn what the raw code is before handing it to objdump, radare2 or Ghidra.
```bash
# Opcode-signature scan: which architecture and endianness does the code look like?
binwalk -A firmware.bin
binwalk -A -v firmware.bin

# Include results normally suppressed as invalid (-I); filter by description (-y include, -x exclude)
binwalk -I firmware.bin
binwalk -y "lzma" firmware.bin
binwalk -x "copyright" firmware.bin

# Hand carved code to a real disassembler (arguments are an example: big-endian MIPS at 0x80000000;
# needs a multiarch binutils)
objdump -D -b binary -m mips -EB --adjust-vma=0x80000000 carved_code.bin | head
```

### Filesystem Analysis
```bash
# Show only results whose description mentions "filesystem"
binwalk -y filesystem firmware.bin

# Extract only those; external tools do the work (unsquashfs/sasquatch for SquashFS,
# jefferson for JFFS2, ubi_reader for UBI)
binwalk -e -y filesystem firmware.bin

# Verbose output shows which extractor command was run for each hit
binwalk -e -y filesystem -v firmware.bin
```

### Compression Analysis
```bash
# Scan for raw deflate and LZMA streams that have no container header to match
binwalk -X firmware.bin
binwalk -Z firmware.bin

# Superficial but faster raw-compression scan (-P), or stop at the first hit (-S)
binwalk -Z -P firmware.bin
binwalk -Z -S firmware.bin

# Carve compressed data without running the external decompressors (-z/--carve)
binwalk -z firmware.bin
```

`-C` is the extraction directory, not a compression option.

## Plugin System

### Plugin Management

Binwalk 2.x has no command-line flags for listing or selecting plugins: every Python module in the package's `plugins/` directory and in `~/.config/binwalk/plugins` is loaded automatically on each run.
```bash
# Bundled plugins
ls "$(python3 -c 'import binwalk, os; print(os.path.dirname(binwalk.__file__))')/plugins"

# Per-user plugins
ls ~/.config/binwalk/plugins
```

### Custom Plugins

A custom plugin is a Python class derived from `binwalk.plugin.Plugin` that declares which modules it applies to (`MODULES`) and implements hooks such as `pre_scan`, `scan` and `post_scan`. Drop the file into `~/.config/binwalk/plugins` and it is picked up on the next run without any extra option. Because plugins execute with binwalk's privileges, that directory is also a target for anyone who can make extraction write files to arbitrary paths (see Security Considerations).

## Output and Logging

### Output Control
```bash
# Save output to a file
binwalk firmware.bin > analysis.txt

# Log results to a file while still printing them (-f/--log)
binwalk --log=analysis.log firmware.bin

# CSV output (-c/--csv), usually combined with --log
binwalk --csv --log=analysis.csv firmware.bin

# Extraction goes to the directory given with -C; -o is the scan offset, not an output directory
binwalk -e -C /tmp/binwalk_output firmware.bin
```

### Formatting Options
```bash
# Fit output to the terminal width (-t/--term)
binwalk -t firmware.bin

# Signature and entropy results in one verbose run
binwalk -v -B -E firmware.bin

# Minimal output
binwalk -q -B firmware.bin
```

Binwalk 2.x has no JSON output; `--csv` is the machine-readable format.

## Practical Analysis Workflows

### Router Firmware Analysis
```bash
# Complete recursive extraction
binwalk -Me router_firmware.bin
cd _router_firmware.bin.extracted/

# Rescan anything that still looks like a container
find . -name "*.bin" -exec binwalk {} \;

# Look for configuration files
find . \( -name "*.conf" -o -name "*.cfg" \)
```

### IoT Device Analysis
```bash
# IoT firmware analysis workflow
binwalk -E -N iot_firmware.bin   # entropy first: an encrypted image needs a different approach
binwalk -B iot_firmware.bin      # identify signatures
binwalk -Me iot_firmware.bin     # extract everything

# Analyze extracted content. Binwalk rewrites absolute symlinks unless --preserve-symlinks
# was given; never run the extracted tree's binaries on the analysis host
cd _iot_firmware.bin.extracted/
ls -la
file *

# Look for interesting files
find . \( -name "*.key" -o -name "*.pem" -o -name "passwd" -o -name "shadow" \)
```

### Embedded System Analysis
```bash
# Opcode scan hints at the CPU architecture (binwalk does not disassemble)
binwalk -A embedded_fw.bin
binwalk -e embedded_fw.bin  # Extract files

# Analyze the bootloader region only (first 64 KB)
binwalk -o 0x0 -l 0x10000 embedded_fw.bin

# Analyze the main firmware after the bootloader
binwalk -o 0x10000 embedded_fw.bin
```

## Forensics and Security Analysis

### Malware Analysis
```bash
# Triage a suspicious image without extracting anything first
binwalk -E -N suspicious_firmware.bin   # flat high entropy with no signatures = encrypted or packed
binwalk -B suspicious_firmware.bin      # which file types are visible

# Then extract recursively, into a dedicated directory, with a per-file size cap
binwalk -Me -j 50000000 -C ./suspicious_extracted suspicious_firmware.bin

# Look for embedded executables by content; extracted permission bits are not trustworthy
find ./suspicious_extracted -type f -exec file {} + | grep -E "ELF|PE32|executable"
```

### Backdoor Detection
```bash
# Results binwalk hides as "invalid" (failed size or sanity checks) can still be interesting
binwalk -I firmware.bin

# Raw deflate/LZMA streams without headers, and a carve-everything pass
binwalk -X -Z firmware.bin
binwalk --dd=".*" firmware.bin

# Extract and grep the tree (-I skips binary files; go through those with strings instead)
binwalk -Me firmware.bin
grep -rIiE "backdoor|debug|telnet|dropbear|/bin/sh" _firmware.bin.extracted/
```

### Cryptographic Analysis
```bash
# Encrypted sections: high, flat entropy with no signature hits inside
binwalk -E -B firmware.bin

# Signature descriptions mentioning keys or certificates
binwalk -B firmware.bin | grep -iE "crypt|key|cert"

# Carve signature hits whose description matches "private key" (PEM keys are in the magic database)
binwalk -D "private key:key" firmware.bin
```
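The three sections above and the IoT workflow all end in hand-typed `find` and `grep` commands over the extracted root filesystem. The following script is an added example, not part of binwalk, that turns those checks into one repeatable audit: empty or hard-coded password hashes in `/etc/passwd` and `/etc/shadow`, telnet daemons started from init scripts, setuid binaries, and PEM private keys. The sample tree it builds, including the hash and key strings, is constructed for the demo and contains no real credentials.

```bash
#!/bin/sh
# Added example, not binwalk's own code: a first-pass audit of an extracted root
# filesystem. Paths and the sample tree are constructed assumptions.

# audit_rootfs DIR: print "TAG /path[:detail]" lines, sorted
audit_rootfs() {
    root=$1
    {
        # 1. Credentials. Embedded images often keep hashes in /etc/passwd itself,
        #    so look at field 2 of both files: empty = no password, $id$... = a hash
        #    that can be taken offline and cracked.
        for f in "$root/etc/passwd" "$root/etc/shadow"; do
            [ -f "$f" ] || continue
            awk -F: -v path="${f#"$root"}" '
                NF >= 2 && $2 == ""              { print "EMPTY_PASSWORD " path ":" $1 }
                NF >= 2 && $2 ~ /^\$[0-9a-z]+\$/ { print "HARDCODED_HASH " path ":" $1 }' "$f"
        done

        # 2. Telnet daemons launched from init scripts
        grep -rlE '(^|[^[:alnum:]_])u?telnetd([^[:alnum:]_]|$)' "$root/etc" 2>/dev/null |
            while IFS= read -r p; do echo "TELNET_AT_BOOT ${p#"$root"}"; done

        # 3. Setuid helpers: classic privilege-escalation targets
        find "$root" -type f -perm -4000 |
            while IFS= read -r p; do echo "SETUID ${p#"$root"}"; done

        # 4. Private keys shipped in the image (and therefore shared by every unit sold)
        grep -rl -- '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$root" 2>/dev/null |
            while IFS= read -r p; do echo "PRIVATE_KEY ${p#"$root"}"; done
    } | sort
}

# make_rootfs DIR: constructed sample tree that triggers each finding.
# The hash and key below are made-up strings, not real credentials.
make_rootfs() {
    mkdir -p "$1/etc/init.d" "$1/etc/ssl" "$1/usr/bin"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/sh' \
        'admin:$1$ab12cd34$0123456789abcdefghijkl:0:0:admin:/:/bin/sh' \
        'daemon:*:1:1:daemon:/:/bin/false' > "$1/etc/passwd"
    printf '%s\n' \
        'root::0:0:99999:7:::' \
        'admin:$1$ab12cd34$0123456789abcdefghijkl:0:0:99999:7:::' \
        'daemon:!:0:0:99999:7:::' > "$1/etc/shadow"
    printf '%s\n' '#!/bin/sh' '/usr/sbin/telnetd -l /bin/sh &' > "$1/etc/init.d/rcS"
    printf '\177ELF' > "$1/usr/bin/cfgtool"
    chmod 4755 "$1/usr/bin/cfgtool"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIBnotarealkey' \
        '-----END RSA PRIVATE KEY-----' > "$1/etc/ssl/device.key"
}

if [ $# -gt 0 ]; then
    audit_rootfs "$1"
else
    d=$(mktemp -d); make_rootfs "$d"
    audit_rootfs "$d"
    rm -rf "$d"
fi
```

Point it at an `_image.bin.extracted/squashfs-root` directory to audit a real tree; the tags are stable strings so the output can be diffed between firmware versions. The hash check deliberately ignores `x`, `*` and `!` fields (delegated to shadow, or locked) so that only credentials an attacker could actually use are reported.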

## Integration with Other Tools

### Combining with Hexdump
```bash
# Take an offset from the signature listing and look at the raw bytes there
binwalk firmware.bin | grep "JFFS2"
hexdump -C -s 0x40000 -n 512 firmware.bin
```
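What `-D "gzip compressed:gz"` does internally, and what you do by hand with the offsets from the Offset and Length Control section, is: find the magic bytes, peek at them, carve from that offset and decompress. The script below is an added example, not binwalk's code, that performs exactly that for gzip members using `od`, `tail` and `gzip`; the sample image (a 0xff header region, one gzip stream, zero padding) and the file names are constructed for the demo.

```bash
#!/bin/sh
# Added example, not binwalk's own code: locate a gzip member by its magic bytes and
# carve it by hand from the reported offset, as `binwalk -D "gzip compressed:gz"` does.
# The sample image is constructed below; file names and offsets are demo assumptions.

# find_gzip_offsets FILE: decimal offset of every byte-aligned 1f 8b 08 sequence
# (gzip magic + deflate method), one per line
find_gzip_offsets() {
    od -An -v -tx1 "$1" | tr -d ' \n' | awk '{
        s = $0; base = 0
        while ((p = index(s, "1f8b08")) > 0) {
            pos = base + p                     # 1-based position in the hex string
            if (pos % 2 == 1) { o = (pos - 1) / 2; print o }   # odd = on a byte boundary
            base += p; s = substr(s, p + 1)
        }
    }'
}

# peek FILE OFFSET: 16 bytes at OFFSET, the od equivalent of hexdump -C -s OFFSET -n 16
peek() { od -An -tx1 -j "$2" -N 16 "$1"; }

# carve FILE OFFSET OUT: copy from OFFSET to end of file. gzip carries no length up
# front, so carve to EOF; gunzip stops at the end of the member and only warns about
# the trailing bytes (binwalk's extractor behaves the same way and trims afterwards).
carve() { tail -c +$(($2 + 1)) "$1" > "$3"; }

# extract_gzip_at FILE OFFSET: carve and decompress in one go, printing the payload
extract_gzip_at() { tail -c +$(($2 + 1)) "$1" | gzip -dc 2>/dev/null || :; }

# make_sample OUT: 4096 bytes of 0xff (a fake bootloader region), then a gzip
# stream holding a one-line passwd, then 2048 bytes of zero padding
make_sample() {
    head -c 4096 /dev/zero | tr '\0' '\377' > "$1"
    printf 'root:x:0:0:root:/root:/bin/sh\n' | gzip -n -9 >> "$1"
    head -c 2048 /dev/zero >> "$1"
}

if [ $# -gt 0 ]; then
    for off in $(find_gzip_offsets "$1"); do
        printf '%d (0x%X): ' "$off" "$off"; peek "$1" "$off"
    done
else
    tmp=$(mktemp); make_sample "$tmp"
    for off in $(find_gzip_offsets "$tmp"); do
        printf 'gzip member at %d (0x%X)\n' "$off" "$off"
        peek "$tmp" "$off"
        extract_gzip_at "$tmp" "$off"
    done
    rm -f "$tmp"
fi
```

On the sample, `binwalk` would print a `gzip compressed data` line at decimal 4096 / hex 0x1000 and the script finds the same offset. Carving to EOF is the honest approach for formats with no length field; for formats that do carry one (SquashFS, uImage, LZMA headers) read the size from the header and pass it to `head -c` instead.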

### Using with Strings
```bash
# Extract, then pull strings out of every extracted regular file (skip directories and symlinks)
binwalk -e firmware.bin
find _firmware.bin.extracted/ -type f -exec strings -n 8 {} + | grep -iE "password|passwd|key|admin"
```

### Integration with File Command
```bash
# Check what binwalk carved: the signature name is a guess, `file` is a second opinion
binwalk -e firmware.bin
cd _firmware.bin.extracted/
for f in *; do echo "=== $f ==="; file "$f"; done
```

## Automation and Scripting

### Batch Analysis Script
```bash
#!/bin/bash
# Automated firmware analysis script: one results directory per run, one extraction
# sub-directory per image

FIRMWARE_DIR="$1"
OUTPUT_DIR="analysis_results_$(date +%Y%m%d_%H%M%S)"

mkdir -p "$OUTPUT_DIR"

for firmware in "$FIRMWARE_DIR"/*.bin; do
    [ -e "$firmware" ] || continue          # the glob matched nothing
    echo "Analyzing: $firmware"
    base_name=$(basename "$firmware" .bin)

    # Signature scan, as text and as CSV
    binwalk "$firmware" > "$OUTPUT_DIR/${base_name}_analysis.txt"
    binwalk --csv --log="$OUTPUT_DIR/${base_name}_analysis.csv" "$firmware" > /dev/null

    # Entropy analysis, text only (-N suppresses the plot window)
    binwalk -E -N "$firmware" > "$OUTPUT_DIR/${base_name}_entropy.txt"

    # Recursive extraction into a per-image directory
    binwalk -Me -C "$OUTPUT_DIR/$base_name" "$firmware"

    echo "Completed: $firmware"
done

echo "Analysis completed. Results in $OUTPUT_DIR"
```

### Continuous Monitoring
```bash
#!/bin/bash
# Monitor a directory for new firmware files and analyze each one once it is fully written

WATCH_DIR="/path/to/firmware/uploads"
ANALYSIS_DIR="/path/to/analysis/results"

# close_write fires when the uploader closes the file, so no sleep-and-hope is needed;
# moved_to covers tools that write to a temp name and rename
inotifywait -m -e close_write -e moved_to --format '%f' "$WATCH_DIR" | while IFS= read -r filename; do
    if [[ "$filename" == *.bin ]]; then
        echo "New firmware detected: $filename"
        base_name="${filename%.bin}"

        # Recursive extraction into its own directory
        binwalk -Me -C "$ANALYSIS_DIR/$base_name" "$WATCH_DIR/$filename"

        # Signature report
        binwalk "$WATCH_DIR/$filename" > "$ANALYSIS_DIR/${base_name}_report.txt"

        echo "Analysis completed for: $filename"
    fi
done
```

## Performance Optimization

### Large File Handling
```bash
# Signature scan only, without status output
binwalk -q -B large_firmware.bin

# Scan a window instead of the whole file
binwalk -o 0x100000 -l 0x100000 large_firmware.bin

# Parallel analysis of multiple files (GNU parallel)
parallel binwalk {} ::: *.bin
```

### Memory Management
```bash
# Cap the size of each carved file so one bogus signature cannot fill the disk (-j/--size)
binwalk -e -j 100000000 firmware.bin   # 100 MB per file

# Limit matryoshka depth: nested archives are where extraction explodes
binwalk -Me -d 2 firmware.bin
```

Binwalk reads the target in blocks rather than loading it whole, so splitting a large image into chunks with `split` is unnecessary and harmful: a signature or filesystem that straddles a chunk boundary is lost and every reported offset shifts by the chunk size. Use `-o`/`-l` windows on the original file instead.

## Troubleshooting Common Issues

### Extraction Problems
```bash
# Watch which extractor command runs for each hit and why it fails
binwalk -e -v firmware.bin

# Carve only, without the external tools, then run the extractor by hand on the carved file
binwalk -z firmware.bin
binwalk --dd=".*" firmware.bin

# Check that the external extractors binwalk relies on are installed
for t in unsquashfs sasquatch jefferson ubireader_extract_images 7z; do
    command -v "$t" >/dev/null || echo "missing: $t"
done
```

The signature-to-extractor mapping lives in the package's `config/extract.conf`; a per-user override goes in `~/.config/binwalk/extract.conf`.

### Signature Recognition Issues
```bash
# Show results binwalk filtered out as invalid
binwalk -I firmware.bin

# Byte-swapped flash dumps: reverse every N bytes before scanning (-g/--swap, e.g. 2 or 4)
binwalk -g 4 firmware.bin

# Match the magic rules literally, or add your own magic file
binwalk -b firmware.bin
binwalk -m extra.magic firmware.bin

# Verbose signature scan for debugging
binwalk -v -B firmware.bin
```

The signature database ships inside the package; binwalk 2.x has no `--update` flag, so a newer database means a newer binwalk release.

### Performance Issues
```bash
# Faster options
binwalk -q -B firmware.bin

# Skip entropy analysis, or use the fast entropy mode
binwalk -B firmware.bin
binwalk -E -F firmware.bin

# Analyze specific sections only
binwalk -o 0x10000 -l 0x50000 firmware.bin
```

## Security Considerations

### Safe Analysis Environment

Extraction hands attacker-controlled data to third-party tools (unsquashfs, jefferson, 7z and others), and archives can carry path-traversal names or decompression bombs; binwalk 2.x itself had a path-traversal flaw in its PFS extractor (CVE-2022-4510, fixed in 2.3.4) that could drop a file into the plugin directory. Treat extraction like running untrusted input through a parser: do it in a throw-away container or VM, without network access, as an unprivileged user, into a directory you can discard.
```bash
# Isolated container run (the image name is a placeholder: build one from the binwalk
# repository or use a distribution package). No network, working copy mounted, output inside it.
docker run --rm --network none -v "$(pwd)":/data -w /data -it binwalk_image binwalk -Me -C /data/out firmware.bin

# Use a virtual machine for anything you do not trust; never extract on the analysis host itself
```

### Handling Malicious Firmware
```bash
# Scan only, no extraction
binwalk -B suspicious_firmware.bin

# Limited extraction: one level deep, size-capped, extractors running as an unprivileged user
# (the -C directory must be writable by that user)
sudo binwalk -Me -d 1 -j 20000000 --run-as=nobody -C /tmp/quarantine suspicious_firmware.bin

# Watch the extractor processes while they run (ps/top, strace, or auditd)
```

## Advanced Use Cases

### Firmware Modification Detection
```bash
# Byte-level diff of original and modified image, differing lines only
binwalk -W -i original_firmware.bin modified_firmware.bin

# Injection points: a new signature, or one whose offset moved, shows up in the listings
diff <(binwalk -B original_firmware.bin) <(binwalk -B modified_firmware.bin)

# File-level diff of the extracted trees
binwalk -e original_firmware.bin
binwalk -e modified_firmware.bin
diff -r _original_firmware.bin.extracted/ _modified_firmware.bin.extracted/
```
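`diff -r` answers the question once; for tracking an image across versions it helps to keep a hash manifest per extracted tree and compare manifests. The script below is an added example, not part of binwalk, that builds such a manifest with `sha256sum` and reports files that were added, removed or changed between two extracted trees. The two sample trees are constructed for the demo, with placeholder file contents.

```bash
#!/bin/sh
# Added example, not binwalk's own code: compare two extracted firmware trees file
# by file via a sha256 manifest. Sample trees are constructed below.

# manifest DIR: "sha256  relative/path" for every regular file, sorted by path.
# (Paths containing spaces would break the field split in compare_trees.)
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | sed 's|  \./|  |' | sort -k2
}

# compare_trees OLD NEW: print ADDED / REMOVED / CHANGED lines, sorted
compare_trees() {
    {
        manifest "$1" | sed 's/^/OLD /'
        manifest "$2" | sed 's/^/NEW /'
    } | awk '
        $1 == "OLD" { old[$3] = $2 }
        $1 == "NEW" { new[$3] = $2 }
        END {
            for (p in old) {
                if (!(p in new))           print "REMOVED " p
                else if (old[p] != new[p]) print "CHANGED " p
            }
            for (p in new) if (!(p in old)) print "ADDED " p
        }' | sort
}

# make_trees OLD NEW: constructed rootfs pair. NEW flips a config value, drops a
# file, keeps the busybox binary identical and gains a new executable.
make_trees() {
    mkdir -p "$1/etc" "$1/bin" "$2/etc" "$2/bin" "$2/usr/sbin"
    printf 'busybox-placeholder\n'   > "$1/bin/busybox"
    printf 'busybox-placeholder\n'   > "$2/bin/busybox"
    printf 'root:x:0:0::/:/bin/sh\n' > "$1/etc/passwd"
    printf 'root:x:0:0::/:/bin/sh\n' > "$2/etc/passwd"
    printf 'remote_mgmt=0\n'         > "$1/etc/config"
    printf 'remote_mgmt=1\n'         > "$2/etc/config"
    printf '127.0.0.1 localhost\n'   > "$1/etc/hosts"
    printf '\177ELF\n'               > "$2/usr/sbin/helper"
}

if [ $# -eq 2 ]; then
    compare_trees "$1" "$2"
else
    old=$(mktemp -d); new=$(mktemp -d)
    make_trees "$old" "$new"
    compare_trees "$old" "$new"
    rm -rf "$old" "$new"
fi
```

Run it with the two `_image.bin.extracted` directories (or their `squashfs-root` sub-directories) as arguments. Keeping the manifests themselves is what makes this useful for supply-chain work: a manifest of a vendor's known-good release can be compared against any later image, including one pulled from a device in the field.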

### Supply-Chain Analysis
```bash
# Fingerprint and scan images from several vendors: identical hashes or identical
# signature layouts point to a shared OEM/ODM base image
for vendor_fw in vendor_*.bin; do
    echo "=== Analyzing $vendor_fw ==="
    sha256sum "$vendor_fw"
    binwalk -B "$vendor_fw"
    echo
done

# Compare two versions byte by byte, differences only
binwalk -W -i firmware_v1.bin firmware_v2.bin
```

### Research and Development
```bash
# Scan only the bootloader region (first 64 KB)
binwalk -o 0x0 -l 0x10000 firmware.bin

# Update mechanisms live in the extracted rootfs, not in the signature listing
binwalk -e firmware.bin
grep -rIiE "update|upgrade|fwupgrade" _firmware.bin.extracted/ | head

# Find raw compressed streams and see which algorithms the image uses
binwalk -X -Z -v firmware.bin
```
## Best Practices

### Analysis Methodology