Binwalk is a simple Linux tool used for analysis of binary image files. Analyzing binary image files may include; reverse engineering, extracting firmware images, file systems, embedded files or executable codes from the binary images. These binary images could be from firmware of routers, IOT devices or any digital device.
To understand the way the tool works, I ran analysis on a forensic image obtained from 4GB eMMC chip off LG Smart TV. The image was obtained by chip-off forensics method and read through HancomGMD product MD-RED. From my analysis using Binwalk, it revealed the following: Squashfs filesystem, Ext4 Linux filesystem, an Ubiquiti partition header and a YAFFS filesystem.
The steps taken to achieve this is what I would like to share and described below.
LG IMAGE ANALYSIS USING BINWALK
- Install Binwalk: First run the command “apt get install binwalk” to install the tool
- Running Binwalk tool: On the LG Forensic Image (KLM4G1FETE-B041_ChipOff_20190806_ALLPART.mdf) as seen in the syntax in screen shot image below
- Outcome of Running Binwalk: Screenshots of outcome header
Showing Ubiquiti partition header, Squashfs filesystem and linux Ext4 filesystem. - Extracting the squashfs filesystem: using the dd command to copy out the Squashfs file system file from input file KLM4G1FETE-B041_Chipoff_ALLPART.mdf on offset 4718592 bit by bit to output file called KLM4G.sqfs with the syntax as seen on the screen shot below
A Squash file called KLM4G.sqfs was created which is 3.9GB - Running the unsquashfs command on the KLM4G.sqfs using the syntax below
Showing 451 inodes and 532 blocks - Outcome of unsquashfs is seen below
Uncompressed 134 files, 201 directories - Hexdump of ubiquiti filesystem: to view the partition in hexadecimal at offset 1048792 with the syntax on the screen shot to have a view of what partition contained
- YAFFS FILESYSTEM: The screenshot showing the presence of YAFFS filesystem below
WHAT IS SQUASHFS FILE SYSTEM
Squashfs is a highly compressed read-only filesystem for Linux. Squashfs compresses both files, inodes and directories, and supports block sizes up to 1Mbytes for greater compression it uses Mksquashfs and Unsquashfs utility tools for compressing files or embedding one filesystem into another or extract same from another file. For further read on Squashfs File system, its’ usage, features and the impact of compression on computer hardware and other features refer to the these
WHAT IS THE IMPLICATION OF SQUASHFS ON OUR FILE
The LG webos system files are housed in this partition file which when uncompressed is a large file with size 3.7GB. Squashfs filesystem made it possible to compress these files, this is the reason the original size of the entire image file was about 3.64G
This shows the uncompressed folder structure for the Squash-root
EXT4 LINUX FILESYSTEM
This file system supports large addressing of blocks and this file partition contains the user activities files. For further reading refer to article on ext4 filesystem
UBIQUITI PARTITION HEADER
The Ubiquiti partition header makes it possible to hold several partitions and implement hashes between the partitions. For further reading refer to this article on ubiquiti partition
YAFFS
YAFFS means Yet Another Flash File System it is implemented in NAND flash devices or embedded systems like our eMMC LG flash so that data can be written for persistent storage. For further reading refer to this article on YAFFS