LinuxCommandLibrary
GitHub F-Droid Google Play Store

binwalk

Analyze and extract firmware images

TLDR

Scan firmware for signatures
$ binwalk [firmware.bin]
copy
Extract embedded files
$ binwalk -e [firmware.bin]
copy
Entropy analysis
$ binwalk -E [firmware.bin]
copy
Recursive extraction
$ binwalk -Me [firmware.bin]
copy
Carve known and unknown contents to disk
$ binwalk -c [firmware.bin]
copy
List supported signatures and extractors
$ binwalk -L
copy

SYNOPSIS

binwalk [options] file...

DESCRIPTION

binwalk is a firmware analysis tool for searching binary images for embedded files and executable code. It identifies file signatures, compressed data, filesystems, and other patterns commonly found in firmware images.The tool is essential for reverse engineering, security research, and firmware modification.As of version 3 (released 2024), binwalk was completely rewritten in Rust for greatly improved scanning speed, fewer false positives, and more built-in extractors. Several options from the older Python implementation (such as --dd, --hexdump, --raw, and --disasm) were removed or replaced.

PARAMETERS

-e, --extract

Automatically extract known file types
-M, --matryoshka
Recursively scan extracted files
-c, --carve
Carve both known and unknown file contents to disk
-E, --entropy
Generate an entropy graph (rendered with Plotly)
-p, --png
Save the entropy graph as a PNG file
-a, --search-all
Search for all signatures at all offsets
-d, --directory path
Extract files and folders to a custom directory
-t, --threads count
Manually specify the number of threads to use
-y, --include signatures
Only scan for the given signatures
-x, --exclude signatures
Do not scan for the given signatures
-l, --log file
Log JSON results to a file ('-' for stdout)
-L, --list
List supported signatures and extractors
-s, --stdin
Read data from standard input
-q, --quiet
Suppress normal stdout output
-v, --verbose
During recursive extraction, display all results

FEATURES

- File signature identification- Embedded filesystem detection- Compression detection- Entropy visualization- Automatic extraction- Custom signature support- Plugin system

WORKFLOW

$ # Scan firmware
binwalk firmware.bin

# Extract all files
binwalk -e firmware.bin

# Recursive extraction
binwalk -Me firmware.bin

# Entropy analysis (finds compressed/encrypted regions)
binwalk -E firmware.bin

# Extract into a custom directory
binwalk -e -d extracted/ firmware.bin
copy

COMMON FINDINGS

- Filesystem images (squashfs, cramfs, jffs2)- Bootloaders (U-Boot, LILO)- Kernels (Linux, VxWorks)- Compressed data (gzip, lzma, zlib)- Certificates and keys

CAVEATS

Extraction may not work for custom formats. Encrypted sections appear as high entropy. Some signatures produce false positives. Requires appropriate tools for extraction (sasquatch, jefferson, etc.). Large firmware images slow to process.

HISTORY

binwalk was created by Craig Heffner around 2010 for reverse engineering and analyzing firmware images from embedded devices. It is now maintained by ReFirmLabs. Version 3, a full rewrite in Rust, debuted in 2024.

SEE ALSO

foremost(1), strings(1), file(1), dd(1), hexdump(1)

RESOURCES

Source code · Homepage

Copied to clipboard
Kai

AltStyle によって変換されたページ (->オリジナル) /