Category: Reverse Engineering. Tags: firmware, binary analysis, extraction, signatures, entropy

Binwalk

Binwalk is a tool for searching binary images for embedded files and executable code, particularly designed for analyzing firmware images. It uses libmagic signatures and includes custom signatures for firmware-specific content like compressed files, kernels, and filesystems.

Description

Binwalk is a specialized tool and library for analyzing binary blobs and executable code, with a focus on identifying embedded files within firmware images. It leverages the libmagic library used by the Unix file utility and extends it with custom magic signatures optimized for firmware analysis, covering compressed/archived files, firmware headers, Linux kernels, bootloaders, filesystems, and more.

The tool supports multiple analysis modes including signature scanning, disassembly, entropy analysis, and automatic extraction of embedded content. It's particularly valuable for reverse engineering firmware from IoT devices, routers, and embedded systems where multiple file types and compressed data are layered within a single binary image.

Binwalk provides both command-line and Python library interfaces, making it suitable for both manual analysis and automated scripts. The package includes an empty binary wrapper since the core functionality is delivered through the python3-binwalk library dependency.

How It Works

Binwalk scans binary files using magic signatures from libmagic and its custom firmware-specific signature file to identify embedded files, headers, and code patterns. It supports signature-based detection (-B), raw byte sequence matching (-R), opcode scanning (-A), and disassembly with capstone (-Y). For extraction, it automatically recognizes and decompresses known file types, supports recursive matryoshka extraction (-M), and can execute custom commands for specific signature types (-D). Entropy analysis (-E) helps identify compressed or encrypted regions, while binary diffing (-W) compares multiple files.
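To make the signature-scanning step concrete, here is a small scanner added for this page (it is not binwalk's code and uses none of its signature file): it searches a byte buffer for a handful of real magic sequences (gzip, xz, SquashFS, uImage, ELF) and prints the offsets in the same decimal/hex/description layout a signature scan reports. The `scan_raw` function mirrors what `-R` does for an arbitrary byte sequence. The firmware-like image is constructed inline so the example runs offline.

```python
"""Minimal magic-signature scanner in the spirit of binwalk -B / -R.

Added example, not binwalk's own code: it scans a byte buffer for a few
well-known magic sequences and reports their offsets, the same kind of
output a signature scan produces.
"""
import re

# (description, magic bytes). These are real magic values, but the list is
# far shorter than binwalk's signature file and performs no header validation.
SIGNATURES = [
    ("gzip compressed data", b"\x1f\x8b\x08"),
    ("xz compressed data", b"\xfd7zXZ\x00"),
    ("Squashfs filesystem, little endian", b"hsqs"),
    ("Squashfs filesystem, big endian", b"sqsh"),
    ("uImage header", b"\x27\x05\x19\x56"),
    ("ELF executable", b"\x7fELF"),
]


def scan_signatures(blob: bytes):
    """Return [(offset, description)] for every signature hit, sorted by offset."""
    hits = []
    for description, magic in SIGNATURES:
        for match in re.finditer(re.escape(magic), blob):
            hits.append((match.start(), description))
    return sorted(hits)


def scan_raw(blob: bytes, needle: bytes):
    """Equivalent of -R: offsets of an arbitrary byte sequence."""
    return [match.start() for match in re.finditer(re.escape(needle), blob)]


def build_sample_image() -> bytes:
    """Constructed firmware-like blob (not a real image): zero padding with a
    uImage magic, a gzip magic and a SquashFS magic planted at known offsets."""
    img = bytearray(b"\x00" * 0x2000)
    img[0x40:0x44] = b"\x27\x05\x19\x56"
    img[0x200:0x203] = b"\x1f\x8b\x08"
    img[0x1000:0x1004] = b"hsqs"
    return bytes(img)


def format_report(hits) -> str:
    """Render hits in the DECIMAL / HEXADECIMAL / DESCRIPTION layout."""
    lines = ["DECIMAL       HEXADECIMAL     DESCRIPTION"]
    for offset, description in hits:
        lines.append(f"{offset:<13}0x{offset:<14X}{description}")
    return "\n".join(lines)


if __name__ == "__main__":
    image = build_sample_image()
    print(format_report(scan_signatures(image)))
    print("raw 'hsqs' at:", scan_raw(image, b"hsqs"))
```

Because the magics here are only three or four bytes long, a scanner like this reports false positives on real images; binwalk's signature file adds validation of the header fields that follow the magic, which is why its output on a real firmware image is far cleaner than a bare byte search.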

Installation

```bash
sudo apt install binwalk
```

Flags

```
-B, --signature      Scan target file(s) for common file signatures
-e, --extract        Automatically extract known file types
-E, --entropy        Calculate file entropy
-Y, --disasm         Identify the CPU architecture of a file using the capstone disassembler
-A, --opcodes        Scan target file(s) for common executable opcode signatures
-R, --raw=<str>      Scan target file(s) for the specified sequence of bytes
-M, --matryoshka     Recursively scan extracted files
-W, --hexdump        Perform a hexdump / diff of a file or files
```

Examples

Run a file signature scan on the given firmware file to identify embedded headers, kernels, compressed data, and filesystems:

```bash
binwalk -B ddwrt-linksys-wrt1200ac-webflash.bin
```

Display the full help menu showing all available options and usage information:

```bash
binwalk -h
```

Automatically extract all known file types found within the firmware image:

```bash
binwalk -e firmware.bin
```

Calculate and display the entropy graph for the firmware to identify compressed or encrypted regions:

```bash
binwalk -E firmware.bin
```

Perform a signature scan and automatically extract all identified file types:

```bash
binwalk -B -e firmware.bin
```

Identify the CPU architecture using capstone disassembly analysis:

```bash
binwalk -Y firmware.bin
```

Recursively scan and extract files (matryoshka mode) from firmware archives:

```bash
binwalk -M -e firmware.bin
```
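The entropy scan (`-E`) above is the measurement most often misread, so here is the computation behind it as an added example (not binwalk's code): normalised Shannon entropy per fixed-size block, with consecutive high-entropy blocks merged into byte ranges. A zero-padded region scores 0.0, plain text lands around 0.45, and a compressed or encrypted payload sits near 1.0, which is what makes such regions visible in the graph. The block size and the rising/falling thresholds are choices for this example, and the sample image is constructed inline.

```python
"""Block-wise Shannon entropy, the measurement behind binwalk -E.

Added example, not binwalk's own code. Entropy is normalised to 0.0 .. 1.0
(bits per byte divided by 8). Consecutive high-entropy blocks are merged
into regions so compressed or encrypted payloads stand out from padding
and plain text. BLOCK_SIZE, RISING and FALLING are this example's choices.
"""
import math
import random
from collections import Counter

BLOCK_SIZE = 1024
RISING = 0.95    # a block at or above this starts a high-entropy region
FALLING = 0.85   # a block below this ends the current region


def block_entropy(block: bytes) -> float:
    """Normalised Shannon entropy of one block (0.0 = constant, 1.0 = uniform)."""
    if not block:
        return 0.0
    n = len(block)
    bits = -sum(c / n * math.log2(c / n) for c in Counter(block).values())
    return bits / 8.0


def entropy_profile(blob: bytes, block_size: int = BLOCK_SIZE):
    """Return [(offset, entropy)] for each block of the blob."""
    return [(off, block_entropy(blob[off:off + block_size]))
            for off in range(0, len(blob), block_size)]


def high_entropy_regions(profile, block_size: int = BLOCK_SIZE,
                         rising: float = RISING, falling: float = FALLING):
    """Merge consecutive high-entropy blocks into [(start, end)] byte ranges.

    Uses hysteresis: a region opens when a block reaches `rising` and closes
    when a block drops below `falling`, so a single noisy block does not
    split one payload into many regions. `end` is exclusive.
    """
    regions = []
    start = None
    for off, e in profile:
        if start is None and e >= rising:
            start = off
        elif start is not None and e < falling:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, profile[-1][0] + block_size))
    return regions


def build_sample_image() -> bytes:
    """Constructed blob (not a real firmware image): 4 KiB of zero padding,
    4 KiB of seeded pseudo-random bytes standing in for a compressed payload,
    then 4 KiB of repeated configuration text."""
    rng = random.Random(1337)   # seeded so the run is reproducible
    padding = b"\x00" * 4096
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    text = (b"firmware config line\n" * 200)[:4096]
    return padding + payload + text


if __name__ == "__main__":
    img = build_sample_image()
    profile = entropy_profile(img)
    for off, e in profile:
        print(f"0x{off:06X}  {e:.3f}  {'#' * int(e * 40)}")
    regions = high_entropy_regions(profile)
    print("high-entropy regions:", [(hex(a), hex(b)) for a, b in regions])
```

High entropy alone does not distinguish compression from encryption: both approach 1.0. The practical follow-up is to run a signature scan over the boundaries of each reported region; a compressed payload usually carries a recognisable header at its start, while an encrypted one does not.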
Updated 2026-04-16 (kali.org)