Binwalk IMOU Firmware Analysis

G5 Cyber Security

4 months ago

TL;DR

This guide shows you how to use Binwalk to analyse an IMOU firmware dump and extract potentially interesting filesystems. We’ll cover initial scan, filesystem identification, extraction, and a basic look at the extracted contents.

Step 1: Install Binwalk

If you don’t have it already, install Binwalk. The installation method depends on your operating system:

Debian/Ubuntu:

sudo apt update && sudo apt install binwalk

macOS (using Homebrew):
```
brew install binwalk
```
Other systems: See the official Binwalk documentation: https://binwalk.org/

Step 2: Initial Firmware Scan

Run a basic scan on your IMOU firmware file (replace firmware.bin with the actual filename). This will identify potential signatures and compression types.

binwalk firmware.bin

Review the output carefully. Look for filesystem signatures like SquashFS, UBIFS, JFFS2, or others. Pay attention to any compressed data sections too (e.g., LZMA, gzip).

Step 3: Extract Filesystems

Use Binwalk to automatically extract the identified filesystems. The -M option tells Binwalk to attempt extraction even if signatures are overlapping.

binwalk -M firmware.bin

This will create a directory for each extracted filesystem (e.g., `firmware_squashfs`, `firmware_ubifs`). The output will tell you which filesystems were found and where they are extracted.

Step 4: Examine Extracted Filesystems

Navigate into the directories created in Step 3. Each filesystem has a different structure, so how you explore it depends on the type:

SquashFS: Mount the SquashFS image to access its contents.
```
sudo mount -o loop firmware_squashfs/firmware.sqsh /mnt
```
Then browse /mnt.
UBIFS/JFFS2: Use a tool like ubifs-tools or jffs2utils to extract the contents.
```
ubifs-dump firmware_ubifs/firmware.ubi > extracted_files
```

Step 5: Look for Interesting Files

Once you’ve mounted or extracted the filesystem, start looking for potentially interesting files:

Configuration files: Look in directories like /etc, /config.
Web interfaces: Check for HTML, JavaScript, CSS files (often in /www or similar).
Credentials: Search for files containing passwords, usernames, API keys. Use
```
strings firmware_sqsh/etc/* | grep -i password
```
.
Firmware binaries: Look for executable files and libraries.

Step 6: Further Analysis

After extracting the filesystem, you can perform more in-depth analysis:

Static analysis of binaries: Use tools like Ghidra or IDA Pro to reverse engineer firmware components.
Network traffic analysis: Monitor network communication during normal operation to identify protocols and data formats.
Vulnerability research: Search for known vulnerabilities in the identified software versions.