Why use Binwalk?

Welcome to Breaking Stuff with Joe, where we explore some of the most crucial cybersecurity tools available for use in Kali Linux. In this section, we will be discussing binwalk, an analysis tool for finding executable code and embedded files inside binary files. More specifically, it is often used to find and extract firmware images from binary files. These images can be used to crack IoT devices or any device that relies on code that is embedded into hardware.

*Cybrary has a lot more to offer than this Binwalk tutorial. Signup for a free account to learn other things, like this!*

Where does Binwalk come from?

Binwalk was developed as an open source program for extracting embedded files out of firmware images. The program was developed by Craig Heffner, a Principal Reserve Engineer for ReFirm Labs. ReFirm Labs is a cybersecurity company that specializes in preventing firmware hacks, discovering firmware exploits, and providing open-source software for firmware hacking.

How to use Binwalk?

In order to properly utilize binwalk, we must first understand what firmware is. In short, firmware is software that is designed for hardware. As the name implies, it is something between hardware and software. Firmware is physically contained within the device’s hardware, and it is designed to be updated by online networks or physical media. For example, a DSLR camera contains firmware within its physical chips (hardware) for taking photos, storing them, rendering menus, interpreting physical button inputs, and navigating stored memory. In order to maintain compatibility with photo software on host computers, firmware updates can be provided over the internet and USB connections.

Installing binwalk is a non-issue; it comes pre-built within installations of Kali Linux. As per usual, consulting the manual page of the program will provide additional info on its function and optional flags. This is done using the manual command as such:

man binwalk

Alternatively, we can use the help option flag to discover more information:

binwalk –h

These flags in particular will be useful when extracting embedded files from binary files:

-B: this flag searches for common file signatures in the firmware image -e: this flag extracts all embedded files in the firmware image -S: this flag searches for a text string within the firmware image -M: this flag recursively scans the files within extracted files

Once understood, this tool is relatively simple and straightforward. In order to understand the function of binwalk, let’s take a look an example extraction of a firmware binary: Say you want to analyze or reverse engineer a firmware update file for a car’s GPS navigation system. Assume the firmware file name is “GPSNavSystem1123.bin”. We want to identify common file signatures in the firmware image, or addresses within the code that indicate well-known use-cases. In this scenario, our console command would look like this:

binwalk –B GPSNavSystem1123.bin

Once executed, the command will return a table of decimal addresses in the code along with their hexadecimal counterpart. Next to the addresses will be a short description of the code’s function. Hackers can then use these addresses to identify and tinker with the program’s code. For example, a hex editor can be used to remove essential lines of code and cause the firmware update to render the device unusable.

Teaching Assistant George Mcpherson and Vikramajeet Khatri

(Disclaimer: Breaking Stuff with Joe is a Cybrary series that will be running indefinitely. You will not earn CEU/CPE hours by watching any individual 'Breaking Stuff with Joe' episode. However, you can still earn a certificate of completion for each episode completed.)