Link to this headingbinwalk

Source

Entropy Graph:

binwalk -E

Check for valid bytecode:

binwalk -Y stm32f405.bin DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 ARM executable code, 16-bit (Thumb), little endian, at least 1079 valid instructions

Visual analysis:
https://binvis.io/#/

Link to this headingExtracting firmware

List information about binary:

binwalk --signature --term archer-c7.bin DECIMAL HEXADECIMAL DESCRIPTION ------------------------------------------------------------------------------------------ 21876 0x5574 U-Boot version string, "U-Boot 1.1.4-g4480d5f9-dirty (May 20 2019 - 18:45:16)" 21940 0x55B4 CRC32 polynomial table, big endian 23232 0x5AC0 uImage header, header size: 64 bytes, header CRC: 0x386C2BD5, created: 2019-05-20 10:45:17, image size: 41162 bytes, Data Address: 0x80010000, Entry Point: 0x80010000, data CRC: 0xC9CD1E38, OS: Linux, CPU: MIPS, image type: Firmware Image, compression type: lzma, image name: "u-boot image" 23296 0x5B00 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 97476 bytes 64968 0xFDC8 XML document, version: "1.0" 78448 0x13270 uImage header, header size: 64 bytes, header CRC: 0x78A267FF, created: 2019-07-26 07:46:14, image size: 1088500 bytes, Data Address: 0x80060000, Entry Point: 0x80060000, data CRC: 0xBB9D4F94, OS: Linux, CPU: MIPS, image type: Multi-File Image, compression type: lzma, image name: "MIPS OpenWrt Linux-3.3.8" 78520 0x132B8 LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 3164228 bytes 1167013 0x11CEA5 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 14388306 bytes, 2541 inodes, blocksize: 65536 bytes, created: 2019-07-26 07:51:38 15555328 0xED5B00 gzip compressed data, from Unix, last modified: 2019-07-26 07:51:41

Automate Signature Extraction:

>>> binwalk --dd=".*" Archer\ C7\(EU\)_V5_211210.zip DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 Zip archive data, at least v1.0 to extract, name: Archer C7(EU)_V5_211210/ 54 0x36 Zip archive data, at least v2.0 to extract, compressed size: 15699953, uncompressed size: 15728401, name: Archer C7(EU)_V5_211210/c7v5_up-ver1-2-0-P1[20211210-rel51212]_2021-12-10_14.15.13.bin 15813195 0xF14A4B Zip archive data, at least v2.0 to extract, compressed size: 316289, uncompressed size: 373590, name: Archer C7(EU)_V5_211210/How to upgrade TP-LINK Wireless AC Router(New VI).pdf 16130153 0xF62069 End of Zip archive, footer length: 22 >>> ls 'Archer C7(EU)_V5_211210.zip' '_Archer C7(EU)_V5_211210.zip.extracted'

Extract Part of Binary:

>>> dd if=archer-c7.bin of=u-boot.bin.lzma bs=1 skip=23296 count=$(expr 64968 - 23296) 41162+0 records in 41162+0 records out 41162 bytes (41 kB, 40 KiB) copied, 0,0939608 s, 438 kB/s >>> dd if=archer-c7.bin of=uImage bs=1 skip=78448 count=$(expr 1167013 - 78520) 1088572+0 records in 1088572+0 records out 1088572 bytes (1,1 MB, 1,0 MiB) copied, 1,68628 s, 646 kB/s

Uncompress lzma:

>>> unlzma u-boot.bin.lzma >>> ls -l u-boot.bin -rw-rw-r-- 1 sprado sprado 97476 Fev 5 08:48 u-boot.bin

Get Boot args:

>>> strings u-boot.bin | grep bootargs bootargs bootargs=console=ttyS0,115200 board=AP152 rootfstype=squashfs init=/etc/preinit mtdparts=spi0.0:128k(factory-uboot),192k(u-boot),64k(ART),1536k(uImage),14464k@0x1e0000(rootfs) mem=128M

Identify Opcodes:

$ binwalk --opcodes Image DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 2400 0x960 MIPS instructions, function epilogue 2572 0xA0C MIPS instructions, function epilogue 2828 0xB0C MIPS instructions, function epilogue

Link to this headingExtracting Encrypted Firmware

Check older Versions to make sure that the current version has changed and is encrypted now.

Check for how the update is applied to the older unencrypted version

Link to this headingLinux mount partition from image

> fdisk ./hdd.img Command (m for help): p Disk ./hdd.img: 21.0 GB, 20971044864 bytes 255 heads, 63 sectors/track, 2549 cylinders, total 40959072 sectors Units = sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disk identifier: 0x76a0ce3e Device Boot Start End Blocks Id System ./hdd.img1 * 2048 206847 102400 7 HPFS/NTFS/exFAT ./hdd.img2 206848 40955903 20374528 7 HPFS/NTFS/exFAT Command (m for help): q > sudo mount -o loop,offset=$[512 * 206848] ./hdd.img /some/path

Link to this headingRecursively Extract files

>>> binwalk -Me recursive_files.zip