| name | firmware-extraction |
| description | Firmware extraction and filesystem analysis for IoT devices. Use when analyzing firmware binaries, extracting filesystems with binwalk, identifying firmware format/structure, locating key files after extraction, or performing initial reconnaissance on router/camera/IoT firmware images. Triggers on tasks involving .bin/.img/.trx/.chk firmware files. |
Firmware Extraction
Extract and analyze IoT device firmware to identify the filesystem structure and locate security-relevant files.
Workflow
- Identify firmware format (
file, binwalk scan)
- Extract filesystem (
binwalk -eM)
- Analyze entropy for encryption/compression (
binwalk -E)
- Map filesystem structure and locate key targets
- Begin targeted file analysis
Quick Start
binwalk firmware.bin
binwalk -eM firmware.bin
binwalk -E firmware.bin
dd if=firmware.bin of=extracted.squashfs bs=1 skip=<offset> count=<size>
Key Target Files After Extraction
| Priority | Path Pattern | What to Look For |
|---|
| 1 | /etc/passwd, /etc/shadow | Hardcoded credentials |
| 2 | /usr/sbin/httpd, /usr/bin/goahead | Web server binaries |
| 3 | /www/cgi-bin/, /www/*.cgi | CGI scripts (command injection) |
| 4 | /etc/*.conf, /etc/config/ | Service configurations |
| 5 | /lib/*.so, /usr/lib/*.so | Shared libraries |
| 6 | /sbin/, /usr/sbin/ | Network service daemons |
| 7 | /etc/init.d/, /etc/rc.d/ | Startup scripts (backdoor indicators) |
Filesystem Types
- SquashFS (most common):
unsquashfs to extract, check compression type
- JFFS2:
jefferson or jffs2dump for extraction
- CramFS:
cramfsck to extract
- UBIFS:
ubireader_extract_files for NAND flash images
- YAFFS2:
unyaffs for extraction
Encrypted/Obfuscated Firmware
When entropy analysis shows high entropy (>0.9) across the entire image:
- Check for known encryption schemes (e.g., D-Link DES, Netgear AES)
- Search for decryption routines in bootloader sections
- Use
firmware-mod-kit or vendor-specific tools
- Check
scripts/detect_encryption.py for automated detection
References
- Detailed extraction techniques: See references/advanced-extraction.md for handling non-standard formats
- Decryption script: Run
scripts/detect_encryption.py against firmware to identify encryption scheme