Now that we've successfully dumped the . bin file from the SPI flash chip, the next step is to analyze it. This process helps uncover the contents of the firmware like file systems, configuration files, scripts, and potentially sensitive data.

In this post, we'll take a look at:

• How to identify the type of firmware
• Extracting readable content manually
• Using Binwalk to explore and unpack the firmware
• Using Firmwalker for automated inspection

Step 1: Basic File Identification

Before doing any advanced analysis, we identify what type of file we're dealing with using the file command:

file TL-WR840N.bin

This gives us a basic classification whether it's just data, a compressed archive, or contains a known file system like SquashFS.

This means the file does not have a standard file header recognized by file. We’ll need deeper inspection.

Step 2: Extracting Readable Strings

Sometimes firmware contains plain-text strings (e.g., usernames, URLs, or paths). To extract them:

strings TL-WR840N.bin | less

This will give you readable content embedded in the binary, including references to:

• BusyBox (a lightweight Linux utility often used in embedded systems)
• Default IP addresses like 192.168.0.1
• Filesystem paths like /etc/config/ or /bin/sh

These are strong indicators that this binary includes a Linux-based embedded firmware.

Step 3: Exploring with Binwalk

Next, we use Binwalk, a powerful tool to locate and extract embedded filesystems from binary blobs.

Install Binwalk (if not already installed):

sudo apt install binwalk

Run Binwalk:

binwalk TL-WR840N.bin

Step 4: Extracting Files

To extract these embedded filesystems automatically:

binwalk -e TL-WR840N.bin

This creates a directory like _TL-WR840N.bin.extracted/ containing the extracted filesystem. You can explore it using normal commands:

cd _TL-WR840N.bin.extracted

ls

Then navigate the file system structure:

cd squashfs-root

ls

Look for directories like /etc, /www, or /bin.

Step 5: Manual File System Browsing

Once extracted, you can:

Look inside configuration files:

cat etc/passwd

cat etc/shadow

Check for scripts:

ls bin/

ls sbin/

What You Can Do with /etc/passwd

• View User Accounts:See all users defined in the firmware (e.g., root, admin, nobody).
• Check Default Access:Find system accounts that might allow login or remote access.
• Explore Privileges:Identify which users have root (UID 0) or shell access.
• Analyze for Hardcoded Users: Look for unusual or hidden accounts that could be backdoors.
• Support Custom Firmware Builds:Add or remove users if you're modifying the firmware.

Note: The file may not contain password hashes those are usually in /etc/shadow.

Step 6: Automated Analysis with Firmwalker

If you want a quick automated overview, use Firmwalker, a script that scans extracted firmware directories for interesting files like:

• Passwords
• SSH keys
• URLs
• Configuration files

Run Firmwalker

Once you’ve extracted the root filesystem using Binwalk:

git clone https://github.com/craigz28/firmwalker.git

cd firmwalker

./firmwalker.sh ../_TL-WR840N.bin.extracted/squashfs-root

This outputs a categorized list of findings, like:

• Passwords found in config
• Web server scripts
• Shell commands and busybox usage
• Network configuration

Conclusion

In this final post, we explored how to dig into a raw firmware dump using both manual and automated tools. With tools like strings, binwalk, and firmwalker, you now know how to:

• Identify file systems and binaries inside firmware
• Extract and explore embedded Linux filesystems
• Look for sensitive or useful information inside the dump