Binwalk

binwalk

Entropy Graph:

binwalk -E <firmware.bin>

Check for valid machine code (identifies the CPU architecture):

binwalk -Y stm32f405.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             ARM executable code, 16-bit (Thumb), little endian, at least 1079 valid instructions

Visual analysis:
https://binvis.io/#/

Extracting firmware

List information about binary:

binwalk --signature --term archer-c7.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
------------------------------------------------------------------------------------------
21876         0x5574          U-Boot version string, "U-Boot 1.1.4-g4480d5f9-dirty (May
                              20 2019 - 18:45:16)"
21940         0x55B4          CRC32 polynomial table, big endian
23232         0x5AC0          uImage header, header size: 64 bytes, header CRC:
                              0x386C2BD5, created: 2019-05-20 10:45:17, image size:
                              41162 bytes, Data Address: 0x80010000, Entry Point:
                              0x80010000, data CRC: 0xC9CD1E38, OS: Linux, CPU: MIPS,
                              image type: Firmware Image, compression type: lzma, image
                              name: "u-boot image"
23296         0x5B00          LZMA compressed data, properties: 0x5D, dictionary size:
                              8388608 bytes, uncompressed size: 97476 bytes
64968         0xFDC8          XML document, version: "1.0"
78448         0x13270         uImage header, header size: 64 bytes, header CRC:
                              0x78A267FF, created: 2019-07-26 07:46:14, image size:
                              1088500 bytes, Data Address: 0x80060000, Entry Point:
                              0x80060000, data CRC: 0xBB9D4F94, OS: Linux, CPU: MIPS,
                              image type: Multi-File Image, compression type: lzma,
                              image name: "MIPS OpenWrt Linux-3.3.8"
78520         0x132B8         LZMA compressed data, properties: 0x6D, dictionary size:
                              8388608 bytes, uncompressed size: 3164228 bytes
1167013       0x11CEA5        Squashfs filesystem, little endian, version 4.0,
                              compression:xz, size: 14388306 bytes, 2541 inodes,
                              blocksize: 65536 bytes, created: 2019-07-26 07:51:38
15555328      0xED5B00        gzip compressed data, from Unix, last modified: 2019-07-26
                              07:51:41

Automate Signature Extraction:

>>> binwalk --dd=".*" Archer\ C7\(EU\)_V5_211210.zip 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Zip archive data, at least v1.0 to extract, name: Archer C7(EU)_V5_211210/
54            0x36            Zip archive data, at least v2.0 to extract, compressed size: 15699953, uncompressed size: 15728401, name: Archer C7(EU)_V5_211210/c7v5_up-ver1-2-0-P1[20211210-rel51212]_2021-12-10_14.15.13.bin
15813195      0xF14A4B        Zip archive data, at least v2.0 to extract, compressed size: 316289, uncompressed size: 373590, name: Archer C7(EU)_V5_211210/How to upgrade TP-LINK Wireless AC Router(New VI).pdf
16130153      0xF62069        End of Zip archive, footer length: 22
>>> ls
'Archer C7(EU)_V5_211210.zip'    
'_Archer C7(EU)_V5_211210.zip.extracted'

Extract Part of Binary:

>>> dd if=archer-c7.bin of=u-boot.bin.lzma bs=1 skip=23296 count=41162
41162+0 records in
41162+0 records out
41162 bytes (41 kB, 40 KiB) copied, 0,0939608 s, 438 kB/s
>>> dd if=archer-c7.bin of=uImage bs=1 skip=78448 count=$(expr 1167013 - 78520)
1088572+0 records in
1088572+0 records out
1088572 bytes (1,1 MB, 1,0 MiB) copied, 1,68628 s, 646 kB/s
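The carve ranges above can also be taken from the uImage header itself instead of from the offsets of neighbouring signatures. The following is an added example, not part of the original notes: it parses the 64-byte legacy U-Boot header, verifies both CRCs, and returns the exact payload range. The sample image is constructed inline and `build_sample` is a hypothetical helper.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
# Legacy U-Boot image header: 7 big-endian u32, 4 u8, 32-byte name = 64 bytes.
HEADER = struct.Struct(">7I4B32s")

def parse_uimage(blob, offset):
    """Parse and verify the uImage header at `offset`; return carve info."""
    raw = blob[offset:offset + HEADER.size]
    if len(raw) < HEADER.size:
        raise ValueError("truncated header")
    magic, hcrc, _time, size, _load, _entry, dcrc, _os, _arch, _type, _comp, name = \
        HEADER.unpack(raw)
    if magic != UIMAGE_MAGIC:
        raise ValueError("bad magic at offset %d" % offset)
    # The header CRC is computed with the header-CRC field (bytes 4..7) zeroed.
    header_ok = zlib.crc32(raw[:4] + b"\0\0\0\0" + raw[8:]) == hcrc
    data_start = offset + HEADER.size
    data = blob[data_start:data_start + size]
    return {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "data_start": data_start,          # value for dd skip=
        "data_size": size,                 # value for dd count=
        "end": data_start + size,
        "header_crc_ok": header_ok,
        "data_crc_ok": len(data) == size and zlib.crc32(data) == dcrc,
    }

def build_sample(payload, name, pad_before):
    """Constructed image: padding, a valid header, payload, trailing bytes."""
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x80010000, 0x80010000,
              zlib.crc32(payload), 5, 5, 5, 3, name]  # os/arch/type/comp: sample codes
    fields[1] = zlib.crc32(HEADER.pack(*fields))       # CRC over header with hcrc = 0
    return b"\xff" * pad_before + HEADER.pack(*fields) + payload + b"TRAILING"

if __name__ == "__main__":
    # Header placed at 23232, the same offset as the first uImage header above.
    img = build_sample(b"\x5d\x00\x00\x80\x00" + b"A" * 100, b"u-boot image", 23232)
    info = parse_uimage(img, 23232)
    print(info)
    print("dd if=fw.bin of=payload bs=1 skip=%d count=%d"
          % (info["data_start"], info["data_size"]))
```

A failed data CRC usually means the carve range is wrong or the image was modified. For Multi-File images the payload starts with a table of 32-bit component sizes, which is why the second LZMA stream above begins 72 bytes after its header offset rather than 64.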

Uncompress lzma:

>>> unlzma u-boot.bin.lzma
>>> ls -l u-boot.bin
-rw-rw-r-- 1 sprado sprado 97476 Fev  5 08:48 u-boot.bin

Get Boot args:

>>> strings u-boot.bin | grep bootargs
bootargs
bootargs=console=ttyS0,115200 board=AP152 rootfstype=squashfs init=/etc/preinit mtdparts=spi0.0:128k(factory-uboot),192k(u-boot),64k(ART),1536k(uImage),14464k@0x1e0000(rootfs) mem=128M
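The `mtdparts` string gives the flash layout, so it can be turned into byte ranges for carving each partition from a full flash dump. The following is an added example, not part of the original notes: it parses the first device in an `mtdparts=` argument and handles sizes with k/m/g suffixes, explicit `@offset` values, and `-` for the remaining space. The offsets apply to a raw flash dump, not to the vendor update file, whose layout differs.

```python
import re

UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
# <size>[@<offset>](<name>) where size is a number with optional suffix, or "-".
PART = re.compile(
    r"(-|0x[0-9a-fA-F]+|\d+)([kKmMgG]?)"
    r"(?:@(0x[0-9a-fA-F]+|\d+)([kKmMgG]?))?"
    r"\(([^)]+)\)"
)

# bootargs line recovered from u-boot.bin above
PAGE_BOOTARGS = ("console=ttyS0,115200 board=AP152 rootfstype=squashfs "
                 "init=/etc/preinit mtdparts=spi0.0:128k(factory-uboot),"
                 "192k(u-boot),64k(ART),1536k(uImage),14464k@0x1e0000(rootfs) mem=128M")

def to_bytes(number, unit):
    return int(number, 0) * UNITS[unit.lower()]

def parse_mtdparts(bootargs, flash_size=None):
    """Return (device, [(name, start, size), ...]) for the first MTD device."""
    m = re.search(r"mtdparts=([^:\s]+):([^\s;]+)", bootargs)
    if not m:
        raise ValueError("no mtdparts= argument found")
    parts, cursor = [], 0
    for spec in m.group(2).split(","):
        pm = PART.match(spec)
        if not pm:
            raise ValueError("unparsed partition spec: " + spec)
        size, unit, off, off_unit, name = pm.groups()
        # Without an explicit @offset, a partition starts where the last one ended.
        start = to_bytes(off, off_unit) if off else cursor
        if size == "-":
            if flash_size is None:
                raise ValueError("'-' size needs flash_size")
            length = flash_size - start
        else:
            length = to_bytes(size, unit)
        parts.append((name, start, length))
        cursor = start + length
    return m.group(1), parts

if __name__ == "__main__":
    device, layout = parse_mtdparts(PAGE_BOOTARGS)
    for name, start, length in layout:
        print("%-14s 0x%08x  0x%08x  dd skip=%d count=%d"
              % (name, start, length, start, length))
```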

Identify Opcodes:

$ binwalk --opcodes Image
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
2400          0x960           MIPS instructions, function epilogue
2572          0xA0C           MIPS instructions, function epilogue
2828          0xB0C           MIPS instructions, function epilogue

Extracting Encrypted Firmware

Check older versions to confirm that the format has changed and that the current version is now encrypted.

Check how the update is applied by the older, unencrypted version.

Linux mount partition from image

> fdisk ./hdd.img
Command (m for help): p

Disk ./hdd.img: 21.0 GB, 20971044864 bytes
255 heads, 63 sectors/track, 2549 cylinders, total 40959072 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x76a0ce3e

    Device Boot      Start         End      Blocks   Id  System
./hdd.img1   *        2048      206847      102400    7  HPFS/NTFS/exFAT
./hdd.img2          206848    40955903    20374528    7  HPFS/NTFS/exFAT

Command (m for help): q
> sudo mount -o loop,offset=$((512 * 206848)) ./hdd.img /some/path

Recursively Extract files

>>> binwalk -Me recursive_files.zip