If you want to analyze an unknown file for its content (like a Philips TV firmware image…), it can be useful to create an image out of the binary file so you can search for patterns visually. Dan Kaminsky released such a tool (also referenced in the 23C3-Fudging-with-firmware-analysis speech) – but I couldn’t find it anymore. So I wrote one myself.
Here is a simple example of a text file (java source):

Now the same file gzipped:
On the first image you may see a pattern while on the second image only random garbage is visible. And random garbage often means compressed or encrypted data.
Another example of /dev/disk0s1:

No random garbage but ordered data here…
Download fwimage-v0.5.zip here (java source and binaries). This is the command line output:
```
bash-3.2$ ./fwimage.sh
fw image - binary visualizer v0.5 - michu@neophob.com - http://www.neophob.com

Usage: fwimage if=IN_NAME of=OUT_FILE [x=SIZE] [mode=BW|RGB] [-nomarker] [-avg]
Parameter:
  if=INPUT_FILE
  of=OUTPUT_FILE, file format is .png
  x=X_SIZE OF IMAGE, default is 1024
  mode=BW|RGB, BW: 1:1 mapping, RGB: 1:3 mapping, default is BW
  -nomarker, disable marker after 1mb of data
  -avg, use average of INPUT_FILE as base

Example: fwimage if=myimage of=pic.png x=512 mode=RGB
```
The mode parameter defines the output mode. The BW mode uses 1 byte per pixel, while the RGB mode uses 3 bytes per pixel. So the RGB mode creates smaller but less accurate PNG images.
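The byte-to-pixel mapping described above, as an added example that is not the fwimage source: it writes binary netpbm images (PGM/PPM) instead of PNG so it needs only the standard library, and it does not reproduce the marker or `-avg` options. The function names and the sample data are assumptions made for this sketch.

```python
import gzip
import math

def render(data, width=1024, mode="BW"):
    """Map raw bytes to a binary netpbm image.

    BW  -> PGM (P5): one input byte becomes one gray pixel (1:1 mapping).
    RGB -> PPM (P6): three consecutive bytes become one colour pixel (1:3).
    """
    if mode not in ("BW", "RGB"):
        raise ValueError("mode must be BW or RGB")
    if width < 1:
        raise ValueError("width must be positive")
    bytes_per_pixel = 1 if mode == "BW" else 3
    row_bytes = width * bytes_per_pixel
    height = max(1, math.ceil(len(data) / row_bytes))
    # Pad the last row with zero bytes (black) so the pixel grid is complete.
    pixels = data.ljust(height * row_bytes, b"\x00")
    magic = b"P5" if mode == "BW" else b"P6"
    return magic + b"\n%d %d\n255\n" % (width, height) + pixels

def dimensions(image):
    """Read (width, height) back from the netpbm header."""
    w, h = image.split(b"\n", 2)[1].split()
    return int(w), int(h)

# Constructed sample input: repetitive source-like text and its gzip form.
SAMPLE_TEXT = b"".join(b"public int field%04d = %d;\n" % (i, i) for i in range(4000))
SAMPLE_GZ = gzip.compress(SAMPLE_TEXT)

if __name__ == "__main__":
    for name, blob in (("text", SAMPLE_TEXT), ("gzip", SAMPLE_GZ)):
        for mode, ext in (("BW", "pgm"), ("RGB", "ppm")):
            out = render(blob, width=256, mode=mode)
            with open(f"{name}_{mode.lower()}.{ext}", "wb") as fh:
                fh.write(out)
            print(name, mode, dimensions(out))
```

Opening the four output files in any viewer that reads netpbm shows the regular stripes of the text sample next to the noise of its gzipped form, and the RGB images at roughly a third of the height of the BW ones.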
For a more advanced visual analyzer, check out http://fantascienza.net/leonardo/ar/string_repetition_statistics/string_repetition_statistics.html
Some examples of the Philips firmware 42pfl9703h_10_fus_eng…
42pfl9703h_10_fus_eng, offset 25mb:

42pfl9703h_10_fus_eng, offset 27mb:

Some fs examples, jffs2:

squashfs4-lzma:





Back in the 80s, when we were writing ‘games’ software and we needed to find a competitor’s sprite images in 64k of data.
We used the same system on the Commodore 64. Load the files into video RAM and the images used to pop right out.