KiloClawPowered by OpenClaw
Back to Cookbook
OpenClaw recipe

Firmware Extraction Troubleshooter

aka “Firmware Extraction Doctor (Binwalk + Friends)

Fix symlink failures, missing extractors, and incomplete filesystems

Firmware extraction fails when binwalk is missing external tools (sasquatch, cramfsck), newer extraction hardening blocks symlinks, or the workspace filesystem doesn't support them. This recipe creates a known-good extraction workspace and a dependency checklist.

House RecipeWork15 min
Try in KiloClawFree 7-day trial

PROMPT

Create a skill called "Firmware Extraction Doctor". Inputs I will provide: - OS + filesystem details (is the firmware on FAT/exFAT/NTFS/USB?) - binwalk version and exact error output - The binwalk signature scan offsets (if available) Task: 1) Determine whether failures are due to filesystem symlink limitations, missing extractors, or filesystem variants. 2) Provide the minimum commands to create a safe workspace and install missing helpers. 3) If needed, provide a manual carving plan using dd based on reported offsets. 4) Output should include a reproducibility checklist (commands + hashes + directory tree).

What this fixes

Common symptoms:

  • Binwalk fails to initialize extraction directory due to symlink creation errors
  • Warnings about symlinks pointing outside the extraction directory
  • Extraction yields empty filesystem roots (e.g., squashfs-root empty)
  • Missing external tools: `sasquatch`, `cramfsck`, etc.

Prerequisites

  • A POSIX filesystem workspace that supports symlinks (avoid FAT/exFAT/NTFS mounts)
  • `binwalk` installed
  • Ability to install external extraction helpers
  • Sufficient disk space (firmware extraction can expand significantly)

Steps and commands

  1. Create a safe workspace (important):
  • Copy the firmware into a local ext4/APFS/Linux-native directory:

`mkdir -p ~/fw && cp /path/on/usb/firmware.bin ~/fw/ && cd ~/fw`

  1. Run binwalk with recursive extraction:

`binwalk -Me firmware.bin`

  1. If binwalk fails with "Failed to create symlink ... Operation not permitted":
  • Move the workspace to a filesystem that supports symlinks and rerun.
  • In WSL, prefer `~/` (Linux filesystem), not `/mnt/c/`.
  1. Install common external extractors:
  • SquashFS tooling:

`sudo apt-get install -y squashfs-tools`

  • sasquatch (patched unsquashfs for vendor-modified variants):

`sudo apt-get install -y zlib1g-dev liblzma-dev liblzo2-dev`

`git clone https://github.com/devttys0/sasquatch && (cd sasquatch && ./build.sh)`

  • cramfs:

`sudo apt-get install -y cramfsprogs`

  1. If extraction is still incomplete:
  • Manually carve offsets using `dd` based on binwalk's signature output, then run the appropriate extractor (unsquashfs, ubireader, etc.).
  • Keep carved files as artifacts for reproducibility.

Expected outputs

  • `_firmware.bin.extracted/` directory containing carved components and filesystem roots
  • A repeatable command log showing how artifacts were produced

Common errors and troubleshooting

  • Symlink warnings ("points outside extraction directory")
  • This is binwalk's safety hardening; it may rewrite unsafe links.
  • Document it; do not disable the safety check unless you understand the risk.
  • Missing sasquatch/cramfsck
  • Install the external utility; Debian packaging may omit optional dependencies.
  • Binwalk "incomplete extraction"
  • Known issue with some filesystem variants; try alternative extractors or manual carving.

References

  • https://github.com/ReFirmLabs/binwalk/issues/942
  • https://github.com/ReFirmLabs/binwalk/issues/650
  • https://www.tarlogic.com/blog/owasp-fstm-stage-4-extracting-the-filesystem/
  • https://github.com/ReFirmLabs/binwalk/issues/290

Example inputs

  • Firmware file: firmware.bin
  • Workspace: ~/fw (ext4)
Tags:#pentesting#iot#firmware#reverse-engineering#binwalk#troubleshooting

Related Recipes

Rootless (or Almost) Network Scans in Containers

Fix raw-socket "Operation not permitted" without --privileged

Least-privilege setup for running Nmap, MASSCAN, or ZMap inside Docker/Podman/Kubernetes. Solves "requires root privileges" and "Operation not permitted" failures without reaching for --privileged. Includes fallbacks when raw sockets are unavailable.

Work10 min

AWS Cloud Audit with Prowler (Auth + AccessDenied Triage)

Stop permissions and credential errors from killing cloud assessments

Prowler scans fail or produce noisy logs because of missing read-only permissions, expired session tokens, or credentials not mounted into containers. This recipe standardizes authentication, documents required policies, and provides a repeatable triage flow for AccessDenied and InvalidClientTokenId.

Work15 min

Render Hang Triage

A playbook for "stops at the same frame" and "freeze mid-render" failures

Renders freeze at a consistent percentage or frame — often caused by a bad clip, a heavy effect, a Fusion comp issue, or "stop render on error" settings. This recipe classifies the failure pattern and gives you a structured triage plan instead of blind re-exports.

Creative3 min

Audio Input Lag Fixer

Fix a common Premiere playback-lag issue caused by audio input device settings

Severe playback lag and stutter in Premiere Pro that looks like a codec performance problem but is actually caused by audio hardware input settings. This recipe provides a quick decision tree to test and fix the issue — often resolved in under a minute by switching the default input to "No Input."

Creative3 min