Part 1

In this blog post series, we will walk through the steps, along with the tools used, for conducting IoT security assessments. For this first part you will need a .bin file of a device firmware in order to follow along.


Tools needed



It determines the type of a file. file makes a guess at the type of each file argument by inspecting the attributes and (for an ordinary file) reading an initial part of the file. file compares each file on the command line to templates found in a system-maintained magic file to determine their file type.




This tool makes a hexdump or does the reverse. xxd creates a hex dump of a given file or standard input. It can also convert a hex dump back to its original binary form.




A Firmware Analysis Tool. Binwalk is a simple Linux tool for analyzing binary files for embedded files and executable code. It is mostly used to extract the content of firmware images.




It prints the strings of printable characters in files. Strings, for each file given, prints the printable character sequences that are at least 4 characters long (or the number given with the options below) and are followed by an unprintable character. By default, it only prints the strings from the initialized and loaded sections of object files; for other types of files, it prints the strings from the whole file.




It is a complete framework for reverse-engineering and analysing binaries; composed of a set of small utilities that can be used together or independently from the command line. Built around a disassembler for computer software which generates assembly language source code from machine-executable code, it supports a variety of executable formats for different processors and operating systems.




It displays the contents of a file in hexadecimal, decimal, octal, or ASCII. The hexdump utility is a filter which displays the specified files, or standard input if no files are specified, in a user-specified format.




It is a simple bash script for searching the extracted or mounted firmware file system for things of interest such as: etc/shadow, etc/passwd, etc/ssl directory, SSL related files such as .pem, .crt, configuration files, script files, other .bin files, keywords such as admin, password, remote, etc., common web servers used on IoT devices, common binaries such as ssh, tftp, dropbear, etc., URLs, email addresses and IP addresses.


Static Analysis

Determining the File Type

file myfile.bin

Retrieving file’s Magic Bytes using xxd tool



-l <length>

stop after <length> octets.


xxd -l 4 myfile.bin

Retrieving file’s Magic Bytes using binwalk tool




-W

Perform a hexdump / diff of a file or files.

-l <length>

Number of bytes to scan.


binwalk -W -l 100 myfile.bin

Dumping file’s Strings



-n <number>, -<number>

Locate & print any NUL-terminated sequence of at least [number] characters (default 4).


strings -n 10 myfile.bin > strings.out

Searching for non-ASCII characters




Search for Strings in the whole binary.


r2 myfile.bin

Display file’s contents in hexadecimal




Canonical hex+ASCII display. Display the input offset in hexadecimal, followed by sixteen space-separated, two column, hexadecimal bytes, followed by the same sixteen bytes in %_p format enclosed in “|” characters.


hexdump -C myfile.bin > hex.out

Analyzing Firmware architecture and its Filesystem

binwalk myfile.bin
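
What a signature scan of this kind does in principle, as an added example (not binwalk's code and not part of the original post): it looks for known magic bytes at every offset of the image and validates a hit where the format allows it. The three-entry signature table and the sample image are constructed for illustration.

```python
import struct
import zlib

UIMAGE_MAGIC = b"\x27\x05\x19\x56"
# Tiny signature table chosen for this example; real scanners carry many more.
SIGNATURES = [
    (UIMAGE_MAGIC, "uImage header"),
    (b"hsqs", "SquashFS filesystem, little endian"),
    (b"\x1f\x8b\x08", "gzip compressed data"),
]

def uimage_header_ok(image, off):
    """Legacy U-Boot header: 64 bytes, big-endian CRC32 at bytes 4..8,
    computed over the header with that field zeroed."""
    hdr = image[off:off + 64]
    if len(hdr) < 64:
        return False
    (stored,) = struct.unpack(">I", hdr[4:8])
    return zlib.crc32(hdr[:4] + b"\x00" * 4 + hdr[8:]) == stored

def scan(image):
    """Return sorted (offset, description) pairs for every signature hit."""
    hits = []
    for magic, desc in SIGNATURES:
        off = image.find(magic)
        while off != -1:
            # Magic bytes alone give false positives; validate where we can.
            if magic != UIMAGE_MAGIC or uimage_header_ok(image, off):
                hits.append((off, desc))
            off = image.find(magic, off + 1)
    return sorted(hits)

def build_sample_image():
    """Constructed image: uImage header, gzip stub, SquashFS magic, stray magic."""
    hdr = bytearray(64)
    hdr[0:4] = UIMAGE_MAGIC
    hdr[32:38] = b"kernel"                                    # ih_name field
    struct.pack_into(">I", hdr, 4, zlib.crc32(bytes(hdr)))    # header CRC
    img = bytes(hdr) + b"\x1f\x8b\x08\x00" + b"\x00" * 6      # gzip at 0x40
    img = img.ljust(0x100, b"\xff") + b"hsqs" + b"\x00" * 28  # SquashFS at 0x100
    return img + UIMAGE_MAGIC + b"\xff" * 8                   # truncated, no header

if __name__ == "__main__":
    for off, desc in scan(build_sample_image()):
        print(f"{off:<10} 0x{off:<8X} {desc}")
```

The stray uImage magic near the end of the sample is not reported because no complete header follows it, which is why a magic-byte match on its own should be treated as a candidate rather than a finding.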

Extracting firmware files automatically




-M

Recursively scan extracted files

-r

Delete carved files after extraction

-e

Automatically extract known file types


binwalk -Mre myfile.bin

or binwalk -Me myfile.bin

Search the extracted firmware file system for goodies

./ /path/to/extracted-firmware/root/fs/
