19 Responses to Binwalk v2.1.1 Stable Release

  1. Nobody says:

    Good job!
    Here I have a binfile the binwalk can not extract the gzip files…
    Very strange with a perl script it out!

    • Craig says:

      Can you provide a link to the binfile?

        • Craig says:

          It looks like binwalk is flagging the gzip flies as invalid; I’ll have to look into why. In the meantime, you can still extract them by telling binwalk to show gzip results that it thinks are invalid:

          $ binwalk big.bin -y gzip -I -e

        • Craig says:

          It looks like they put bogus date codes in the gzip header, which caused them to be flagged as invalid. With the recent updates to binwalk, this level of date validation is no longer necessary to prevent false positives anyway, so the latest code in the master branch no longer marks them as invalid (it does indicate to the end user that the dates appear bogus though).

  2. asdf says:

    Looks like binwalk have problem with di-524
    Try by yourself:

    • Craig says:

      The DI-524 revB is a strange beast: https://wikidevi.com/wiki/D-Link_DI-524_rev_B2

      It uses an AMRISC microcontroller, whose architecture/instruction set I am not familiar with, so I can’t tell you much about the firmware. What I can say about it is:

      1) This is not running Linux
      2) There are sections of the firmware that appear to be code
      3) There are sections of the firmware that appear to be compressed, but not with a compression format that I’m familiar with

      To analyze this firmware, you’d first want an AMRSIC disassembler. Then you could reverse the code to figure out the compression, decompress it, and further reverse the firmware.

  3. pant3k says:

    Could you try with this?:

    Some sources(https://forum.openwrt.org/viewtopic.php?id=353) said about i486 on this router with RDC R2600(same CPU as in DI-524 rev B4)

  4. pant3k says:

    I’m still fighting with DI-524 rev b4
    I’m almost sure that RDC 2600 it’s 16-bit x86
    Sample based on opcodes(probably i’ve done this right or not 🙂 ):
    E2=LOOP E6
    BA=MOV DX,E6FF(or FFE6)
    F7=TEST AX,D0 ???
    You can compare with examples on programming guide on similar cpu:
    So, looks like I’m on right way.

    Doing stuff like this is hard on file with mixed files.
    So…I recommend to add option to binwalk to cut-out unnecessary files(jpg,gif, etc) and on situation when we example have a.gif+unnkowfile+b.gif+unnknowfile2 it’s recommended to add something that will separate unnkowfile and unnkowfile2 or just split them.
    GIF files end’s with 00 3B (binwalk is extracting them incorrectly(goes too far))
    JPG starts with FF D8 and ends with FF D9
    It’s harder with htm and js files but with access to router it’s possible to get every html and js file and get know when they starts and ends

  5. Justin says:

    Hi Craig – great work.. have a problem with a bin file from a slingbox though! it has port 22 (dropbear) listening so I want to get into the firmware to check out if there’s a simple to crack password, but not finding any luck with binwalk – comes up blank. I’m confused! Any thoughts?
    Here’s my Q on stackexch: https://reverseengineering.stackexchange.com/questions/12267/firmware-extraction-problems-binwalk-is-blank

  6. Kelvin Ng says:

    Hi Craig,

    Are you interested in trying to extract the firmware of DIR-850L (hardware version B)? Its firmware is rather strange that its file structure does not look like the firmware of other models. binwalk does not return any result. The entropy is consistent throughout the whole file. The entropy is so high that I am quite sure that it is compressed (while for other normal D-Link firmwares, there are some parts of the file not compressed and results in a low entropy).

    The firmware of DIR-850L (hardware version A) is normal. I have also tried many other models of D-Link and their firmwares are normal as well.

    DIR-850L firmware download: http://support.dlink.com/ProductInfo.aspx?m=DIR-850L

    (Please remove the reply posted under http://www.devttys0.com/2011/08/extracting-non-standard-squashfs-images/#comment-965169 because I find posting under this post is more suitable. Also I have added more content in this reply.)

  7. Celso says:

    Hi Craig, I’m trying to open a .bin to edit and have some dificulties to do, in binwalk I have this info:

    0 0x0 TRX firmware header, little endian, image size: 884736 bytes, CRC32: 0x2E29E35E, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x0, rootfs offset: 0x0

    WARNING: Internal extractor ‘<bound method LZMAModPlugin.lzma_cable_extractor of >’ failed with exception: ‘local variable ‘result’ referenced before assignment’
    28 0x1C LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2485752 bytes

    the .bin is this one http://down.tendacn.com/uploadfile/201401/N3/US_N3V1Br_V5.07.46_en_TD.rar.

    Appreciate any help, sorry my english.

  8. Twin says:

    Hi Craig,

    Binwalk v2.1.1 on Ubuntu,for some reason it can’t fuly extract Zyxel router firmware.It extract .xml files,html doc headrs, but not the file system. Link https://www.dropbox.com/s/9665bvpff48sypx/P-2302R-P1C_3.60%28AUG.0%29C0.zip?dl=0