Introduction to Binwalk – One of my favorite tools!

Introduction to Binwalk – Firmware Analysis Tool – Penetration Testing


Binwalk is a tool for searching a given binary image for embedded files and executable code. Specifically, it is designed for identifying files and code embedded inside of firmware images. Binwalk uses the libmagic library, so it is compatible with magic signatures created for the Unix file utility. 


git clone
cd binwalk
sudo python install

If you are running python 2.x
sudo apt-get install python-lzma


binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] …

$ binwalk firmware.bin

If only based on the signature match, then some file types can not be accurately identified. So the detection of these types of signature files needs a specific plug-in with (through the plug-in to achieve) if not enabled will greatly increase the scan time and take up a lot of memory.

For example, when scanning zlib compression package, you need to use zlib plug-in:

$ binwalk –enable-plugin=zlib firmware.bin

Filter Function

The -y option only includes the matching results for the specified search text. The search string (text) should use lowercase, including regular expressions, and you can specify multiple -Y options. The following search results contain only the results of the search in the text “file system”.

$ binwalk -y filesystem firmware.bin

The -x option is to exclude the specified text (or string) that matches the rule in the search results. The search string (text) should use lowercase, including regular expressions, and you can specify multiple -X options. The following example will exclude the “jffs2” string when searching:

$ binwalk -x jffs2 firmware.bin

You can combine the -y and -x options.

Example: The following search results contain the results of the search in the text “file system” and exclude the jffs2 string result.

$ binwalk -y filesystem -x jffs2 firmware.bin

Extracting files

Manually extract files

Binwalk can extract the data and find the use of the – dd option in the target file to specify the extraction rule. The format used to extract the specified rule is:


type is the lowercase string described in the signature (supports regular expressions)

extension is the file extension used when saving data to disk

command is an optional command execution statement when the data has been saved to disk

By default, unless the alternate file name specifies a signature condition unexpected, the file name is a hexadecimal offset signature found.

The following example demonstrates how to use the – dd option to extract any ‘zip’ signature containing the string ‘zip archive extension’ and then execute the “decompression” command to specify the extraction rule. You can specify multiple -dd options:

$ binwalk –dd=’zip archive:zip:unzip %e’ firmware.bin

Note that the use of placeholders such as “%e”: This placeholder will be replaced with the relative path of the extracted file when the command is executed.

Automated extraction

The -e option can be used to perform automatic data extraction based on the extraction of the default extract.conf file specified in the rule:

$ binwalk -e firmware.bin

The extraction options work the same way except that you must specify a path for a custom extraction rule file:

$ binwalk -e firmware.bin

$ binwalk –extract=./my_extract.conf firmware.bin

Recursive extraction

Many times, the extracted data may need further binwalk analysis. To help automate, binwalk can recursively scan the extracted data and create files with external decompression or extraction tools that specify the -M option with the -e option:

$ binwalk -Me firmware.bin


When you use the A option in Binwalk, you can scan various frame opcodes that are usually associated with a function

$ binwalk -A firmware.bin

Compare function

Binwalk can generate hexadecimal dumps and differences for one or more files. In the file the same byte is the green display, the difference is red, blue, said only some of the different parts of the file.

$ binwalk -W firmware1.bin firmware2.bin firmware3.bin


In addition to the above-mentioned signature-based scan, binwalk can perform an intelligent string analysis of the target file, although it is not a completely replaceable Unix strings, binwalk filters out the most “garbage” strings by applying some very simple validation rules, And ignore some non-sequential data blocks

$ binwalk -S firmware.bin

Entropy analysis

Binwalk can entropy the target file for the target file to generate the original entropy data and/or the data represented by the plot of the graph:

$ binwalk -E firmware.bin

Signature or string analysis, and can be combined with entropy analysis. For example, the following command scans the scan results on the target file, executable code, and entropy graphs:

$ binwalk -AE firmware.bin


Identify unknown compression/encryption based on entropy heuristics (implies -E)

Identify unknown compression/encryption based on entropy heuristics (implies -E)

Note that this scan requires two cycles (one for initial entropy analysis, and the second more closely heuristic analysis), which takes some time to complete, especially if the target file is particularly costly to spend more time.


Use the –list-plugins option to get a list of names and attributes of the binwalk plugins that you can use:

$ binwalk –list-plugins

Enable plug-in

Some plugins are disabled by default. These plugins can be enabled with the option –enable-plugin option

$ binwalk –enable-plugin=foo firmware.bin

Disable plug-in

Some plugins are enabled by default. These plugins can be disabled with the –diable-plugin option

$ binwalk –disable-plugin=foo firmware.bin

Or, all plugins can be disabled using this –disable-plugins option:

$ binwalk –disable-plugins firmware.bin

Logging function

The Binwalk log output is usually very large.

The -f option allows you to specify a log file. It should be noted that if the -Q option is not specified, the result will be printed to stdout and the log file.

$ binwalk -f binwalk.log firmware.bin

The log file can be saved in CSV format

$ binwalk -f binwalk.log –csv firmware.bin

Upgrade function

Through the magic files and configuration files, plus the use of-u option binwalk rely on svn check-in function easily upgrade to the latest version (requires root privileges to update)

$ sudo binwalk -u

The post Introduction to Binwalk – Firmware Analysis Tool appeared first on Penetration Testing.

Leave a Reply

Your email address will not be published. Required fields are marked *