fact_extractor icon indicating copy to clipboard operation
fact_extractor copied to clipboard

Published 20 hours ago verified publisher icon fkie-cad

Replace binwalk generic carver functionality with unblob

Open dorpvom opened this issue 2 years ago • 4 comments

dorpvom avatar Jan 23 '23 11:01 dorpvom

I can get behind this; binwalk has largely been abandoned and unblob seems to be more accurate at carving out components.

soxrok2212 avatar Jul 17 '24 05:07 soxrok2212

I can get behind this; binwalk has largely been abandoned and unblob seems to be more accurate at carving out components.

You can already use FACT and the FACT extractor with unblob as carver: A docker image based on this branch is available as tag "unblob" (see https://hub.docker.com/repository/docker/fkiecad/fact_extractor/general). So you can simply pull it with

docker pull fkiecad/fact_extractor:unblob

and if you want to use it in FACT you need to edit src/unpacker/extraction_container.py and replace fkiecad/fact_extractor with fkiecad/fact_extractor:unblob.

But be advised: unblob does not always work better than binwalk and there are many cases where files are not extracted that were extracted with binwalk as carver (e.g. whole file systems). This is also the reason we binwalk was not fully replaced with unblob in the extractor yet.

jstucke avatar Jul 17 '24 07:07 jstucke

I can get behind this; binwalk has largely been abandoned and unblob seems to be more accurate at carving out components.

FYI: There seems to be a bug in the latest version of the extractor container with unblob. It will not carve files because the CLI API/behavior changed in a way that carving files without unpacking is no longer possible in a recent version. We will push a fix to this branch soon.

edit: I have pushed a fix and the image on docker hub should also already be fixed

jstucke avatar Jul 25 '24 07:07 jstucke

Has currently problems with certain container types (which unblob will not carve because it expects a dedicated unpacker to be available for these types). Will be ready when:

  • [x] the missing container types are supported https://github.com/fkie-cad/firmware-magic-database/pull/1
  • [ ] firmware-magic-database replaces fact_helper_file https://github.com/fkie-cad/fact_extractor/pull/128
  • [ ] plugins are available for all types:
    • [ ] PK2: https://github.com/fkie-cad/fact_extractor/pull/148
    • [ ] BNEG: https://github.com/fkie-cad/fact_extractor/pull/150
    • [ ] HDR1/2: ToDo

jstucke avatar Aug 15 '24 11:08 jstucke