Just cut a new release of binwalk, now with Mac OSX support!
In addition to bug fixes and new magic signatures, binwalk no longer relies on the libmagic library; instead, it builds against the file utility’s source code. This removes additional dependencies for the end user, helps to resolve potential variances in libmagic’s operation between different distributions, and eases porting to systems that don’t have the libmagic library.
Lately I’ve been working on taking apart some VxWorks firmware images. Unfortunately, I could find precious little information available on the subject, so today we’ll be extracting the VxWorks kernel and application code from the WRT54Gv8 firmware image and analyzing them in IDA Pro.
The WRT54G series infamously switched from Linux to VxWorks with the release of the WRT54Gv5. Because VxWorks is a proprietary RTOS, it is a less familiar environment than a Linux based system. Even once you identify the different sections of the firmware image, there usually isn’t a standard file system full of standard ELF executables that can be automatically analyzed by a disassembler.
The overall process for reversing this firmware is pretty straight forward:
- Identify and extract actual executable code from the firmware image
- Identify the loading address for the executable code
- Load the executable code into IDA Pro at the appropriate loading address
- Augment IDA’s auto analysis with manual/scripted analysis
Debugging with JTAG or observing debug messages over a serial port can probably be substituted for steps #1 and #2, but since I don’t have any VxWorks WRT54G routers, this will be a purely firmware based analysis.
Binwalk v0.3.6 has just been released and includes improved signatures and user requested feature additions:
- Improved (again!) LZMA matching and false positive identification
- Ability to specify multiple target files on the command line
- By default all gzip and lzma signatures are enabled, and all matches marked as invalid are excluded from the results
As always, you can grab the latest version here.