Reverse Engineering Asked by n0pe on January 12, 2021
I’ve downloaded the firmware for my router and ran binwalk on it:
root@max-VirtualBox:~/src/wrt54g-4.21.5# binwalk firmware.bin
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------
32 0x20 TRX firmware header, little endian, header size: 28 bytes, image size: 3362816 bytes, CRC32: 0xE3ABE901 flags/version: 0x10000
60 0x3C gzip compressed data, was "piggy", from Unix, last modified: Tue Feb 7 21:40:02 2012, max compression
700660 0xAB0F4 Squashfs filesystem, little endian, version 2.0, size: 2654572 bytes, 502 inodes, blocksize: 65536 bytes, created: Tue Feb 7 21:43:28 2012
So it looks like we have a simple header, some compressed data and a squashfs filesystem. I extracted the compressed data into a file called piggy. I ran binwalk again on piggy and got the following:
root@max-VirtualBox:~/src/wrt54g-4.21.5/piggy# binwalk piggy
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------
1304240 0x13E6B0 Linux kernel version "2.4.20 (crazy@sw1) (gcc version 3.2.3 with Broadcom modificatio 3.2.3 with Broadcom modifications) #3 Wed Feb 8 11:39:49 HKT 2ons) #3 Wed Feb 8 11:39:49 HKT 20122012"
1563820 0x17DCAC LZMA compressed data, properties: 0x04, dictionary size: 16777216 bytes, uncompressed size: 117440512 bytes
1567553 0x17EB41 LZMA compressed data, properties: 0x02, dictionary size: 2097152 bytes, uncompressed size: 524288 bytes
1606440 0x188328 LZMA compressed data, properties: 0x01, dictionary size: 16777216 bytes, uncompressed size: 50331648 bytes
So we have a Linux kernel and some LZMA compressed data. Rerunning binwalk with the -e flag automatically extracts the compressed sections out for me.
However, this is where I’m stuck.
Once I’ve got these three compressed sections, I can’t uncompress them with unlzma, 7zr or anything. The file utility says they’re still data objects too.
I’m new to this so any guidance would be appreciated. Where should I go from here?
The LZMA results in the Linux kernel are likely false positives. FWIW, the latest version of binwalk (from github repo) does a much better job of filtering out LZMA false positives.
Where you go from here depends on what you want to do, but for Linux based firmware most of the interesting applications and logic are in user space, so you will probably want to extract the SquashFS file system and start taking a look at the executables, scripts and configuration files there.
Answered by devttys0 on January 12, 2021
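An added example, not code from either poster, that works through the two things discussed above: decoding and CRC-checking a TRX header of the kind binwalk reported on firmware.bin, and sanity-checking a 13-byte LZMA header the way the answer suggests when deciding whether a hit is a false positive. The CRC convention (OpenWrt's trx.c: CRC-32 seeded with 0xFFFFFFFF, not inverted at the end, covering everything from the flags field to the end of the image) and the 50x expansion bound are assumptions; the TRX image and the "bytes remaining" counts are constructed.

```python
import struct
import zlib

TRX_MAGIC = b"HDR0"     # TRX magic as stored little endian
TRX_HEADER_LEN = 28     # matches the "header size: 28 bytes" binwalk printed

def trx_crc32(data: bytes) -> int:
    """CRC-32 as OpenWrt's trx.c writes it (assumption): seeded with 0xFFFFFFFF
    but not inverted at the end, i.e. the complement of zlib's value."""
    return zlib.crc32(data) ^ 0xFFFFFFFF

def build_trx(payload: bytes, flags: int = 0, version: int = 1) -> bytes:
    """Wrap a payload in a TRX header (constructed image, one partition at offset 28)."""
    body = struct.pack("<HHIII", flags, version, TRX_HEADER_LEN, 0, 0) + payload
    return TRX_MAGIC + struct.pack("<II", 12 + len(body), trx_crc32(body)) + body

def parse_trx(blob: bytes) -> dict:
    """Decode the TRX header at offset 0 and verify the CRC, which covers
    everything from the flags field (offset 12) to the end of the image."""
    if len(blob) < TRX_HEADER_LEN or blob[:4] != TRX_MAGIC:
        raise ValueError("no TRX magic at offset 0")
    _, length, crc, flags, version, *offsets = struct.unpack("<4sIIHHIII", blob[:TRX_HEADER_LEN])
    return {
        "image_size": length,
        "crc32": crc,
        "flags_version": (version << 16) | flags,   # binwalk prints this as one u32
        "offsets": [o for o in offsets if o],        # partition offsets, 0 = unused
        "crc_ok": len(blob) >= length and trx_crc32(blob[12:length]) == crc,
    }

def lzma_header(props: int, dict_size: int, usize: int) -> bytes:
    """Build a 13-byte LZMA 'alone' header: props, u32 dict size, u64 uncompressed size."""
    return struct.pack("<BIQ", props, dict_size, usize)

def lzma_header_plausible(hdr: bytes, remaining: int, max_ratio: int = 50) -> tuple:
    """Heuristic filter for LZMA headers binwalk flags. remaining is the number
    of bytes left in the file after the header; max_ratio is an assumed bound."""
    props, dict_size, usize = struct.unpack("<BIQ", hdr[:13])
    if props >= 9 * 5 * 5:                       # lc<9, lp<5, pb<5 must hold
        return False, "properties byte out of range"
    lc, lp, pb = props % 9, (props // 9) % 5, props // 45
    if dict_size < 4096 or dict_size & (dict_size - 1):
        return False, "dictionary size is not a power of two >= 4 KiB"
    if usize == 0xFFFFFFFFFFFFFFFF:              # streamed, size unknown: nothing to compare
        return True, f"lc={lc} lp={lp} pb={pb}, streamed"
    if usize == 0 or usize > remaining * max_ratio:
        return False, f"uncompressed size {usize} implausible for {remaining} bytes left"
    return True, f"lc={lc} lp={lp} pb={pb}, expands {usize / remaining:.1f}x"
```

Fed the properties, dictionary and uncompressed sizes from the three hits in piggy, the ratio check is what separates a header that could really decompress into the space available from one that claims to expand far beyond it.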