GSP
Quick Navigator
Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages
BINBLOOM(15 Sep 2021) BINBLOOM(15 Sep 2021)

binbloom - Find firmware loading address and UDS database (if any)

binbloom [-a arch] [-b address] [-d] [-e endianness] [-f functions-file] [-t threads] [-v]

binbloom can determine an unknown binary firmware loading address (or base address) from its content based on heuristics and the target architecture characteristics (i.e. 32-bit/64-bit and endianness). If the endianness is unknown, binbloom will try to determine it.

binbloom is also able to locate any Unified Diagnostic Services (UDS) database generally used in automotive firmwares, once the loading address has been found.

Specify target architecture, must be 32 (for 32-bit architecture) or 64 (for 64-bit architecture).

Specify the base address (or loading address) to use. Use this option to enable UDS database search.

Specify target endianness, must be le for little-endian or be for big-endian.

Specify base address alignment, default is 0x1000.

Enable deep search. This search mode will consider each potential loading/base address without applying a first heuristic filter used in normal mode. This type of search takes longer to complete and requires much more computing power, it is also recommended to use multiple threads (through the -t,--threads option) to speed up the search.

Specify an external file containing known function addresses in hex (one per line) that will be used by binbloom in its base address guessing algorithm. Providing such a file may help finding the correct base address, depending on the architecture.

Specify a number of threads to use when searching for the base address. It is recommended to set this value to the number of cores minus 1 in order to get the best performances.

many times to get more information displayed.

Here are some examples showing how to use binbloom in different cases.

binbloom -a 32 firmware.bin

Binbloom will analyze firmware.bin considering a 32-bit architecture. Binbloom will guess the endianness and then find out one or more possible base addresses.

binbloom -a 32 -e le firmware.bin

Same as above, but in this example the endianness is set to little-endian.

binbloom -a 32 -e le -d -t 4 firmware.bin

Binbloom will perform a deep search considering a 32-bit little-endian architecture, and will use 4 threads to speed up this process.

binbloom -a 64 -f ./function.list firmware.bin

Binbloom will parse firmware.bin to find points of interest but also use the provided file functions.list to guess the base address.

No known bugs.

Guillaume Heilles, Damien Cauquil

2.0 binbloom man page
Search for    or go to Top of page |  Section 1 |  Main Index

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.