Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help 
BINBLOOM(15 Sep	2021)					 BINBLOOM(15 Sep 2021)

NAME
       binbloom	- Find firmware	loading	address	and UDS	database (if any)

SYNOPSIS
       binbloom	[-a arch] [-b address] [-d] [-e	endianness] [-f	functions-
		file] [-t threads] [-v]

DESCRIPTION
       binbloom	 can  determine	an unknown binary firmware loading address (or
       base address) from its content based on heuristics and the  target  ar-
       chitecture characteristics (i.e.	 32-bit/64-bit and endianness).	If the
       endianness is unknown, binbloom will try	to determine it.

       binbloom	 is  also able to locate any Unified Diagnostic	Services (UDS)
       database	generally used in automotive firmwares,	once the  loading  ad-
       dress has been found.

   OPTIONS
       -a arch,	--arch=arch
	      Specify  target  architecture,  must be 32 (for 32-bit architec-
	      ture) or 64 (for 64-bit architecture).

       -b address, --base=address
	      Specify the base address (or loading address) to use.  Use  this
	      option to	enable UDS database search.

       -e endianness, --endian=endianness
	      Specify  target  endianness,  must be le for little-endian or be
	      for big-endian.

       -m alignment, --align=alignment
	      Specify base address alignment, default is 0x1000.

       -d, --deep
	      Enable deep search. This search mode will	consider  each	poten-
	      tial  loading/base  address  without  applying a first heuristic
	      filter used in normal mode. This type of search takes longer  to
	      complete and requires much more computing	power, it is also rec-
	      ommended	to  use	multiple threads (through the -t,--threads op-
	      tion) to speed up	the search.

       -f, --functions
	      Specify an external file containing known	function addresses  in
	      hex (one per line) that will be used by binbloom in its base ad-
	      dress guessing algorithm.	Providing such a file may help finding
	      the correct base address,	depending on the architecture.

       -t, --threads
	      Specify  a  number of threads to use when	searching for the base
	      address. It is recommended to set	this value to  the  number  of
	      cores minus 1 in order to	get the	best performances.

       Enable verbose mode, binbloom will display more information. Use	this
       option
	      many times to get	more information displayed.

EXAMPLES
       Here are	some examples showing how to use binbloom in different cases.

       binbloom	-a 32 firmware.bin

       Binbloom	 will  analyze firmware.bin considering	a 32-bit architecture.
       Binbloom	will guess the endianness and then find	out one	or more	possi-
       ble base	addresses.

       binbloom	-a 32 -e le firmware.bin

       Same as above, but in this example the endianness is set	to  little-en-
       dian.

       binbloom	-a 32 -e le -d -t 4 firmware.bin

       Binbloom	 will perform a	deep search considering	a 32-bit little-endian
       architecture, and will use 4 threads to speed up	this process.

       binbloom	-a 64 -f ./function.list firmware.bin

       Binbloom	will parse firmware.bin	to find	points of  interest  but  also
       use the provided	file functions.list to guess the base address.

BUGS
       No known	bugs.

AUTHORS
       Guillaume Heilles, Damien Cauquil

binbloom man page		      2.0		 BINBLOOM(15 Sep 2021)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=binbloom&sektion=1&manpath=FreeBSD+Ports+15.0>

home | help