SPI 103: Firmware Analysis
Now that we've successfully dumped the .bin file from the SPI flash chip, the next step is to analyze it. This process helps uncover the contents of the firmware, such as file systems, configuration files, scripts, and potentially sensitive data.
In this post, we'll take a look at:
- How to identify the type of firmware
- Extracting readable content manually
- Using Binwalk to explore and unpack the firmware
- Using Firmwalker for automated inspection
Step 1: Basic File Identification
Before doing any advanced analysis, we identify what type of file we're dealing with using the file command:
file TL-WR840N.bin
This gives us a basic classification: whether it's just data, a compressed archive, or contains a known file system like SquashFS.

This means the file does not have a standard file header recognized by file. We’ll need deeper inspection.
Step 2: Extracting Readable Strings
Sometimes firmware contains plain-text strings (e.g., usernames, URLs, or paths). To extract them:
strings TL-WR840N.bin | less
This will give you readable content embedded in the binary, including references to:
- BusyBox (a lightweight Linux utility often used in embedded systems)
- Default IP addresses like 192.168.0.1
- Filesystem paths like /etc/config/ or /bin/sh
These are strong indicators that this binary includes Linux-based embedded firmware.

Step 3: Exploring with Binwalk
Next, we use Binwalk, a powerful tool to locate and extract embedded filesystems from binary blobs.
Install Binwalk (if not already installed):
sudo apt install binwalk
Run Binwalk:
binwalk TL-WR840N.bin

Step 4: Extracting Files
To extract these embedded filesystems automatically:
binwalk -e TL-WR840N.bin
This creates a directory like _TL-WR840N.bin.extracted/ containing the extracted filesystem. You can explore it using normal commands:
cd _TL-WR840N.bin.extracted
ls
Then navigate the file system structure:
cd squashfs-root
ls
Look for directories like /etc, /www, or /bin.

Step 5: Manual File System Browsing
Once extracted, you can:
Look inside configuration files:
cat etc/passwd
cat etc/shadow
Check for scripts:
ls bin/
ls sbin/
What You Can Do with /etc/passwd
- View User Accounts: See all users defined in the firmware (e.g., root, admin, nobody).
- Check Default Access: Find system accounts that might allow login or remote access.
- Explore Privileges: Identify which users have root (UID 0) or shell access.
- Analyze for Hardcoded Users: Look for unusual or hidden accounts that could be backdoors.
- Support Custom Firmware Builds: Add or remove users if you're modifying the firmware.
Note: The file may not contain password hashes; those are usually in /etc/shadow.
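The /etc/passwd checks listed above (UID 0, shell access, where the hash lives) can be done in one pass over an extracted root filesystem. The script below is an added example, not part of the original post or of any tool it mentions; the function names audit_accounts and make_sample_root and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# audit_accounts ROOT: list accounts in an extracted firmware root filesystem.
# Output per account (tab-separated): user, uid, shell, password state, verdict.
audit_accounts() {
    passwd=$1/etc/passwd
    shadow=$1/etc/shadow
    [ -r "$passwd" ] || { echo "no etc/passwd under $1" >&2; return 1; }
    [ -r "$shadow" ] || shadow=/dev/null      # some images ship no shadow file
    awk -F: '
        function state(pw) {                  # classify a password field
            if (pw == "")                  return "EMPTY"
            if (pw ~ /^[*!]/)              return "LOCKED"
            if (substr(pw, 1, 3) == "$1$") return "HASH:md5crypt"
            if (substr(pw, 1, 3) == "$5$") return "HASH:sha256crypt"
            if (substr(pw, 1, 3) == "$6$") return "HASH:sha512crypt"
            return "HASH:other"
        }
        /^#/ { next }
        src == "shadow" && NF >= 2 { hash[$1] = $2; next }
        src == "passwd" && NF >= 7 {
            pw = $2
            # "x" means the hash is in shadow; no shadow entry is treated as locked
            if (pw == "x") pw = ($1 in hash) ? hash[$1] : "*"
            shell = ($7 == "") ? "/bin/sh" : $7   # empty shell defaults to /bin/sh
            st = state(pw)
            login = (shell !~ /(nologin|false)$/) && st != "LOCKED"
            printf "%s\t%s\t%s\t%s\t%s\n", $1, $3, shell, st, (login ? "REVIEW" : "ok")
        }
    ' src=shadow "$shadow" src=passwd "$passwd"
}

# Constructed sample tree (not taken from the TL-WR840N image).
make_sample_root() {
    d=$(mktemp -d) && mkdir "$d/etc" || return 1
    cat > "$d/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
admin:$1$CONSTRUCTED$placeholder:0:0:admin:/:/bin/sh
nobody:*:65534:65534:nobody:/:/bin/false
support::1000:1000:support:/tmp:
EOF
    cat > "$d/etc/shadow" <<'EOF'
root:$6$CONSTRUCTED$placeholder:19000:0:99999:7:::
EOF
    echo "$d"
}

sample=$(make_sample_root) && audit_accounts "$sample"
rm -rf "$sample"
```

Against a real extraction, call audit_accounts with the squashfs-root path; accounts marked REVIEW have a usable shell and a password field that is empty or holds a hash.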
Step 6: Automated Analysis with Firmwalker
If you want a quick automated overview, use Firmwalker, a script that scans extracted firmware directories for interesting files like:
- Passwords
- SSH keys
- URLs
- Configuration files
Run Firmwalker
Once you’ve extracted the root filesystem using Binwalk:
git clone https://github.com/craigz28/firmwalker.git
cd firmwalker
./firmwalker.sh ../_TL-WR840N.bin.extracted/squashfs-root
This outputs a categorized list of findings, like:
- Passwords found in config
- Web server scripts
- Shell commands and busybox usage
- Network configuration
Conclusion
In this final post, we explored how to dig into a raw firmware dump using both manual and automated tools. With tools like strings, binwalk, and firmwalker, you now know how to:
- Identify file systems and binaries inside firmware
- Extract and explore embedded Linux filesystems
- Look for sensitive or useful information inside the dump