Binwalk 0.3.8 has just been released. In addition to bug fixes, signature updates and speed improvements, binwalk can now identify raw executable code for various architectures using the -A option:
$ binwalk -A soho.bin

DECIMAL         HEX             DESCRIPTION
-------------------------------------------------------------
132             0x84            MIPSEL function epilogue
144             0x90            MIPSEL function epilogue
176             0xB0            MIPSEL function epilogue
224             0xE0            MIPSEL function epilogue
248             0xF8            MIPSEL function prologue
432             0x1B0           MIPSEL function epilogue
440             0x1B8           MIPSEL function prologue
896             0x380           MIPSEL function epilogue
904             0x388           MIPSEL function prologue
1548            0x60C           MIPSEL function epilogue
1556            0x614           MIPSEL function prologue
2128            0x850           MIPSEL function epilogue
2136            0x858           MIPSEL function prologue
2800            0xAF0           MIPSEL function epilogue
2808            0xAF8           MIPSEL function prologue
2880            0xB40           MIPSEL function epilogue
2888            0xB48           MIPSEL function prologue
3172            0xC64           MIPSEL function epilogue
...
1830540         0x1BEE8C        MIPSEL function epilogue
1830584         0x1BEEB8        MIPSEL function epilogue
1830616         0x1BEED8        MIPSEL function epilogue
1830748         0x1BEF5C        MIPSEL function epilogue
1830800         0x1BEF90        MIPSEL function epilogue
1830812         0x1BEF9C        MIPSEL function epilogue
Grab the latest release here!
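To show what an opcode scan like this can key on, here is an added example (not binwalk's code or its signature file). It assumes a MIPSEL prologue is `addiu $sp, $sp, -N` and an epilogue is `jr $ra`, and it pairs an epilogue with a prologue 8 bytes later (the return plus its delay slot), the spacing seen at 432/440 and 896/904 in the output above. The function names and sample bytes are constructed for the illustration.

```python
import struct

JR_RA = 0x03E00008   # jr $ra: the usual MIPS function return
ADDIU_SP = 0x27BD    # upper halfword of addiu $sp, $sp, imm


def scan_mipsel(data, base=0):
    """Return (offset, kind) for every 4-byte-aligned little-endian word
    that looks like a MIPS function prologue or epilogue."""
    hits = []
    for off in range(0, len(data) - 3, 4):
        (word,) = struct.unpack_from("<I", data, off)
        if word == JR_RA:
            hits.append((base + off, "epilogue"))
        elif word >> 16 == ADDIU_SP and word & 0x8000:
            # Negative immediate: the stack grows down, so a frame is allocated.
            hits.append((base + off, "prologue"))
    return hits


def function_boundaries(hits):
    """Prologues found exactly 8 bytes after an epilogue (jr $ra plus its
    delay slot). A lone match can be chance; this pairing rarely is."""
    epilogues = {off for off, kind in hits if kind == "epilogue"}
    return [off for off, kind in hits
            if kind == "prologue" and off - 8 in epilogues]


# Constructed sample: 8 bytes of padding, then two tiny hand-assembled functions.
SAMPLE = struct.pack(
    "<10I",
    0xFFFFFFFF, 0xFFFFFFFF,
    0x27BDFFE8,  # addiu $sp, $sp, -24
    0xAFBF0014,  # sw    $ra, 20($sp)
    0x8FBF0014,  # lw    $ra, 20($sp)
    0x03E00008,  # jr    $ra
    0x27BD0018,  # addiu $sp, $sp, 24   (delay slot, not a prologue)
    0x27BDFFE0,  # addiu $sp, $sp, -32
    0x03E00008,  # jr    $ra
    0x00000000,  # nop                  (delay slot)
)

if __name__ == "__main__":
    found = scan_mipsel(SAMPLE)
    for off, kind in found:
        print(f"{off:<8}0x{off:<8X}MIPSEL function {kind}")
    print("function starts:", function_boundaries(found))
```

Hits that cluster and pair up this way indicate a real code region; isolated matches in compressed or encrypted data are more likely coincidence.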
Thanks, it was really needed as a feature!
Agreed! Currently there are signatures for ARM, MIPS and PowerPC, but more will be added soon.
Thanks, nice feature!
I’ve been dreaming about printer exploitation recently, and I think it would be interesting if binwalk could support analyzing these types of firmware. Often they seem to be wrapped in Postscript files.
Here is a Xerox firmware if you're interested in looking at it. http://www.support.xerox.com/support/phaser-6120/file-redirect/enus.html?operatingSystem=winxp&fileLanguage=en&contentId=54315
This is just one example, but I think MFPs would be cool to look at, extracting firmware, vulnerabilities. Maybe building backdoored firmware with SSH daemon and re-uploading to printer, stuff like that.
I’ve done some live analysis of printers, but haven’t done much firmware-only analysis on them. But from what I’ve seen, yes, the firmware is usually updated via PJL. Though they are usually running some non-Linux RTOS, though I believe there are some Lexmarks that run Linux.
Binwalk can easily be updated to support these types of firmware; the trick is to figure out how the firmware is constructed and what compression types and firmware layouts they use so that those signatures can be added to binwalk. I’ll take a look at the firmware image you linked to and see what I can come up with. 🙂