Binwalk

Binwalk Description

Binwalk is a fast and easy-to-use tool for analyzing, reverse engineering, and extracting firmware images.

In addition to firmware, Binwalk can scan files and filesystem images to find many different built-in file types and filesystems.

Binwalk contains a large number of signatures of various files, thanks to which the program can find embedded files. Binwalk can be used to identify file types without extensions.

By default, Binwalk shows the offset at which the filesystem or files are found, and there are options to extract the included file from the firmware image or filesystem.

Binwalk is able to calculate the entropy of file sections and builds a graph of entropy – this can help not to miss an interesting section if the signature search missed it.

GitHub: https://github.com/ReFirmLabs/binwalk

Author: Craig Heffner, ReFirmLabs

License: MIT

Binwalk Help

Usage:

binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...

Options:

Disassembly Scan Options:
    -Y, --disasm                 Identify the CPU architecture of a file using the capstone disassembler
    -T, --minsn=<int>            Minimum number of consecutive instructions to be considered valid (default: 500)
    -k, --continue               Don't stop at the first match

Signature Scan Options:
    -B, --signature              Scan target file(s) for common file signatures
    -R, --raw=<str>              Scan target file(s) for the specified sequence of bytes
    -A, --opcodes                Scan target file(s) for common executable opcode signatures
    -m, --magic=<file>           Specify a custom magic file to use
    -b, --dumb                   Disable smart signature keywords
    -I, --invalid                Show results marked as invalid
    -x, --exclude=<str>          Exclude results that match <str>
    -y, --include=<str>          Only show results that match <str>

Extraction Options:
    -e, --extract                Automatically extract known file types
    -D, --dd=<type[:ext[:cmd]]>  Extract <type> signatures (regular expression), give the files an extension of <ext>, and execute <cmd>
    -M, --matryoshka             Recursively scan extracted files
    -d, --depth=<int>            Limit matryoshka recursion depth (default: 8 levels deep)
    -C, --directory=<str>        Extract files/folders to a custom directory (default: current working directory)
    -j, --size=<int>             Limit the size of each extracted file
    -n, --count=<int>            Limit the number of extracted files
    -r, --rm                     Delete carved files after extraction
    -z, --carve                  Carve data from files, but don't execute extraction utilities
    -V, --subdirs                Extract into sub-directories named by the offset

Entropy Options:
    -E, --entropy                Calculate file entropy
    -F, --fast                   Use faster, but less detailed, entropy analysis
    -J, --save                   Save plot as a PNG
    -Q, --nlegend                Omit the legend from the entropy plot graph
    -N, --nplot                  Do not generate an entropy plot graph
    -H, --high=<float>           Set the rising edge entropy trigger threshold (default: 0.95)
    -L, --low=<float>            Set the falling edge entropy trigger threshold (default: 0.85)

Binary Diffing Options:
    -W, --hexdump                Perform a hexdump / diff of a file or files
    -G, --green                  Only show lines containing bytes that are the same among all files
    -i, --red                    Only show lines containing bytes that are different among all files
    -U, --blue                   Only show lines containing bytes that are different among some files
    -u, --similar                Only display lines that are the same between all files
    -w, --terse                  Diff all files, but only display a hex dump of the first file

Raw Compression Options:
    -X, --deflate                Scan for raw deflate compression streams
    -Z, --lzma                   Scan for raw LZMA compression streams
    -P, --partial                Perform a superficial, but faster, scan
    -S, --stop                   Stop after the first result

General Options:
    -l, --length=<int>           Number of bytes to scan
    -o, --offset=<int>           Start scan at this file offset
    -O, --base=<int>             Add a base address to all printed offsets
    -K, --block=<int>            Set file block size
    -g, --swap=<int>             Reverse every n bytes before scanning
    -f, --log=<file>             Log results to file
    -c, --csv                    Log results to file in CSV format
    -t, --term                   Format output to fit the terminal window
    -q, --quiet                  Suppress output to stdout
    -v, --verbose                Enable verbose output
    -h, --help                   Show help output
    -a, --finclude=<str>         Only scan files whose names match this regex
    -p, --fexclude=<str>         Do not scan files whose names match this regex
    -s, --status=<int>           Enable the status server on the specified port

-B, --signature

This performs a signature analysis of the specified files; if no other analysis options are specified, this is the default.

Use this option when you wish to combine the signature analysis with additional analyzers, such as --entropy:

binwalk --signature firmware.bin

DECIMAL   	HEX       	DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0         	0x0       	DLOB firmware header, boot partition: "dev=/dev/mtdblock/2"
112       	0x70      	LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3797616 bytes
1310832   	0x140070  	PackImg section delimiter tag, little endian size: 13644032 bytes; big endian size: 3264512 bytes
1310864   	0x140090  	Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 3264162 bytes,  1866 inodes, blocksize: 65536 bytes, created: Tue Apr  3 04:12:22 2012

-R, --raw=<string>

This allows you to search the specified file(s) for a custom string. The search string can include escaped octal and/or hexadecimal values.

Use this option when you need to search for a custom sequence of raw bytes:

binwalk -R "\x00\x01\x02\x03\x04" firmware.bin

DECIMAL   	HEX       	DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
377654    	0x5C336   	Raw string signature

-A, --opcodes

This instructs binwalk to search the specified file(s) for executable opcodes common to a variety of CPU architectures. Note that some opcode signatures are short and thus are prone to producing false positive results.

Use this when you need to locate executable code in a file, or if you need to determine the architecture of a executable file:

binwalk -A firmware.bin

DECIMAL         HEX             DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
268             0x10C           MIPS instructions, function prologue
412             0x19C           MIPS instructions, function prologue
636             0x27C           MIPS instructions, function prologue
812             0x32C           MIPS instructions, function epilogue
920             0x398           MIPS instructions, function epilogue
948             0x3B4           MIPS instructions, function prologue
1056            0x420           MIPS instructions, function epilogue
1080            0x438           MIPS instructions, function prologue
1356            0x54C           MIPS instructions, function epilogue
1392            0x570           MIPS instructions, function prologue
1836            0x72C           MIPS instructions, function epilogue
2012            0x7DC           MIPS instructions, function prologue
2260            0x8D4           MIPS instructions, function epilogue
2512            0x9D0           MIPS instructions, function prologue
2552            0x9F8           MIPS instructions, function epilogue

-m, --magic=<file>

Load an alternate magic signature file instead of the default.

Use this if you have a custom magic signature file containing signatures you want to search for:

binwalk -m ./foobar.mgc firmware.bin

DECIMAL         HEX             DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
268             0x10C           Foobar
412             0x19C           Foobar
636             0x27C           Foobar

-b, --dumb

Disables "smart" signature matching.

Useful when smart signature keywords in false positive signatures cause other valid signatures to be missed (e.g., via the jump-to-offset keyword):

binwalk -b firmware.bin

-I, --invalid

Displays all results, even those marked as invalid.

Useful if you think that binwalk is treating a valid file as invalid, but can produce a lot of garbage output:

binwalk -I firmware.bin

-x, --exclude=<filter>

Excludes signatures that match the specified exclude filter. Filters are lower-case regular expressions; multiple filters may be specified.

Magic signatures whose first line matches the specified filter will not be loaded at all; thus, the use of this filter can help decrease signature scan times.

Useful for excluding unneeded or uninteresting results:

binwalk -x 'mach-o' -x '^hp' firmware.bin # exclude HP calculator and OSX mach-o signatures

-y, --include=<filter>

Includes only signatures that match the specified include filter. Filters are lower-case regular expressions; multiple filters may be specified.

Only magic signatures whose first line matches the specified filter will be loaded; thus, the use of this filter can help decrease signature scan times.

Useful when searching only for specific signatures or types of signatures:

binwalk -y 'filesystem' firmware.bin # only search for filesystem signatures

-Y, --disasm

Attempts to identify the CPU architecture of executable code contained in a file using the capstone disassembler.

Specifying --verbose with this scan will additionally print the disassembled instructions.

Generally more robust than the simple signature analysis performed by --opcodes, but supports fewer architectures:

binwalk --disasm firmware.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
428           0x1AC           MIPS executable code, 32/64-bit, little endian, at least 750 valid instructions

-T, --minsn

Set the minimum number of consecutive instructions for a --disasm result to be considered valid. The default is 500 instructions:

binwalk --minsn=1200 -Y firmware.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
428           0x1AC           MIPS executable code, 32/64-bit, little endian, at least 1250 valid instructions

-k, --continue

Instruct --disasm to not stop at the first result:

binwalk --continue -Y firmware.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
428           0x1AC           MIPS executable code, 32/64-bit, little endian, at least 1250 valid instructions
1048576       0x100000        MIPS executable code, 32/64-bit, little endian, at least 1250 valid instructions
...

-E, --entropy

Performs an entropy analysis on the input file(s), prints raw entropy data and generates entropy graphs.

Entropy analysis can be combined with --signature--raw, or --opcodes for a better understanding of the target file(s).

Useful for identifying sections of interesting data that a signature scan may have missed:

binwalk -E firmware.bin
DECIMAL       HEXADECIMAL     ENTROPY
--------------------------------------------------------------------------------
0             0x0             Rising entropy edge (0.983751)
1155072       0x11A000        Falling entropy edge (0.000000)
1181696       0x120800        Rising entropy edge (0.990546)
3780608       0x39B000        Falling entropy edge (0.000000)

When combined with the --verbose option, the raw entropy calculated for each data block is printed:

binwalk -E --verbose firmware.bin

DECIMAL         HEX             ENTROPY ANALYSIS
--------------------------------------------------------------------------------
0               0x0             0.964914
1024            0x400           0.978591
2048            0x800           0.973048
3072            0xC00           0.976195
4096            0x1000          0.976072
5120            0x1400          0.976734
6144            0x1800          0.976861
7168            0x1C00          0.972385
8192            0x2000          0.972518

PYTHON API WARNING: The graphing module used by binwalk (pyqtgraph) invokes os._exit upon completion; this is apparently necessary to handle various QT issues. When running binwalk from the command line, entropy analysis is always done last, causing little worry. However, if invoking entropy analysis via the API, be sure to disable graphing (--nplot) to prevent your script from exiting prematurely.

-J, --save

Automatically saves the entropy plot generated by --entropy to a PNG file instead of displaying it.

binwalk --save -E firmware.bin

-Q, --nlegend

Omits the legend from the entropy plot(s) generated by --entropy:

binwalk --entropy -Q firmware.bin

-N, --nplot

Disables graphical entropy plots for the --entropy scan.

binwalk --entropy -N firmware.bin

-H, --high=<float>

Sets the rising edge entropy trigger level. Only valid when used with --entropy. The specified value should be between 0 and 1:

binwalk --entropy -H .9 firmware.bin

-L, --low=<float>

Sets the falling edge entropy trigger level. Only valid when used with --entropy. The specified value should be between 0 and 1:

binwalk --entropy -L .3 firmware.bin

-W, --hexdump

Performs a hex dump of the input file(s) and color-codes bytes as follows:

  • Green - These bytes were the same in all files
  • Red - These bytes were different in all files
  • Blue - These bytes were only different in some files

Any arbitrary number of files may be diffed; additional useful options are --block, --offset, --length and --terse:

binwalk -W --block=8 --length=64 firmware1.bin firmware2.bin firmware3.bin

Note: if you need to page the output install the most utility since it better supports paging of colorized output.

-G, --green

Only display lines that contain green bytes during a --hexdump:

binwalk -W --green firmware1.bin firmware2.bin firmware3.bin

-i, --red

Only display lines that contain red bytes during a --hexdump:

binwalk -W --red firmware1.bin firmware2.bin firmware3.bin

-U, --blue

Only display lines that contain blue bytes during a --hexdump:

binwalk -W --blue firmware1.bin firmware2.bin firmware3.bin

-w, --terse

When performing a --hexdump, only display a hex dump of the first file.

Useful when diffing many files that don't all fit on the screen:

binwalk -W --terse firmware1.bin firmware2.bin firmware3.bin

-e, --extract

Loads common --dd extraction rules from a predefined file and user-specific rules from ~/.config/binwalk/config/extract.conf.

binwalk -e firmware.bin

-D, --dd=<type[:ext[:cmd]]>

Extracts files identified during a --signature scan. Multiple --dd options may be specified.

  • type is a *lower case* string contained in the signature description (regular expressions are supported)
  • ext is the file extension to use when saving the data disk (default none)
  • cmd is an optional command to execute after the data has been saved to disk

By default, the file name is the hexadecimal offset where the signature was found, unless an alternate file name is specified in the signature itself.

The following example demonstrates specifying an extraction rule using the --dd option that will extract any signature that contains the string 'zip archive' with a file extension of 'zip', and subsequently execute the 'unzip' command. Additionally, PNG images are extracted as-is with a 'png' file extension.

Note the use of the '%e' placeholder. This placeholder will be replaced with the relative path to the extracted file when the unzip command is executed:

binwalk -D 'zip archive:zip:unzip %e' -D 'png image:png' firmware.bin

-M, --matryoshka

This option will recursively scan extracted files during a --signature scan. Only valid when used with --extract or --dd.

binwalk -e -M firmware.bin

-C, --directory=<str>

Set the output directory for extracted data (default: current working directory).

Only applicable when used with the --extract or --dd options:

binwalk -e --directory=/tmp firmware.bin

-d, --depth=<int>

Limit the --matryoshka recursion depth. By default, the depth is set to 8.

Only applicable when used with the --matryoshka option:

binwalk -Me -d 5 firmware.bin

-j, --size=<int>

Limit the size of data carved out of the target file(s). By default, there is no size limit.

Only valid when used with --extract or --dd.

Note that this option does not limit the size of data extracted / decompressed by external extraction utilities.

Useful when carving or extracting data from large files with limited disk space:

binwalk -e --size=0x100000 firmware.bin

-r, --rm

Cleans up zero-size files and files that couldn't be processed by extraction utilities during extraction.

Only valid when used with --extract or --dd.

Useful for cleaning up false-positive files copied out of the target file(s) during extraction:

binwalk -e -r firmware.bin

-z, --carve

Performs data carving only, does not execute external extraction utilities.

Only valid when used with --extract or --dd.

Useful for when you want to simply carve data from the target file(s), but not automatically extract / decompress that data:

binwalk -e --carve firmware.bin

-X, --deflate

Identifies probable raw deflate compressed data streams by brute-force.

Useful for recovering data from files with corrupt/modified/missing headers. May be combined with --lzma.

This scan can be slow, so it is useful to limit the scanned area with --offset and/or --length:

binwalk --deflate -o 0x100 -l 10000 firmware.bin

-Z, --lzma

Identifies probable raw LZMA compressed data streams by brute-force.

Useful for recovering data from files with corrupt/modified/missing headers. May be combined with --deflate.

Due to the various number of LZMA compression options this scan can be very slow, so it is useful to limit the scanned area with --offset and/or --length:

binwalk --lzma -o 0x100 -l 10000 firmware.bin

-P, --partial

Only search for compression streams using common compression options. Can significantly improve the speed of --lzma scans:

binwalk --partial -Z -o 0x100 -l 10000 firmware.bin

-S, --stop

When used with the --lzma and/or --deflate options, this will stop the scan after the first result is displayed:

binwalk --stop -Z firmware.bin

-l, --length=<int>

Sets the number of bytes to analyze in a target file:

binwalk --length=0x100 firmware.bin

-o, --offset=<int>

Sets the starting offset at which to begin analyzing a target file. A negative offset (distance from End-Of-File) may also be specified:

binwalk --offset=0x100 firmware.bin

-O, --base=<int>

Sets the base address for all printed offsets. This value will be added to the raw file offset of all printed results:

binwalk --base=0x80001000 firmware.bin

-K, --block=<int>

Sets the block size, in bytes, used during analysis.

When used with --entropy, this determines the size of each block analyzed during entropy analysis.

When used with --hexdump, this sets the number of bytes displayed per line in the hex output.

binwalk --diff -K 8 firmware1.bin firmware2.bin

-g, --swap=<int>

Reverses every n bytes before scanning them:

binwalk --swap=2 firmware.bin

-f, --log=<file>

Log scan results to the specified file.

Data saved to the log file will be identical to that displayed in the terminal unless --csv is specified.

Data will be saved to the log file even if --quiet is specified:

binwalk --log=binwalk.log firmware.bin

-c, --csv

Causes log data to be saved in CSV format. This option is ignored if used with --cast or --hexdump.

Only valid when combined with the --log option:

binwalk --log=binwalk.log --csv firmware.bin

-t, --term

Formats output to the current terminal window width.

Useful for making long line-wrapped output more readable:

binwalk --term firmware.bin

DECIMAL   	HEX       	DESCRIPTION
-------------------------------------------------------------------------------------------------------
0         	0x0       	DLOB firmware header, boot partition: "dev=/dev/mtdblock/2"
112       	0x70      	LZMA compressed data, properties: 0x5D, dictionary size: 33554432
                        bytes, uncompressed size: 3805904 bytes
1310832   	0x140070  	PackImg section delimiter tag, little endian size: 15741184 bytes; big
                        endian size: 3272704 bytes
1310864   	0x140090  	Squashfs filesystem, little endian, version 4.0, compression:lzma,
                        size: 3268870 bytes,  1860 inodes, blocksize: 65536 bytes, created:
                        Mon Apr 22 04:56:42 2013

-q, --quiet

Disables output to stdout.

Most convenient when used with --log or verbose scans like --entropy:

binwalk --quiet -f binwalk.log firmware.bin

-v, --verbose

Enables verbose output, including target file MD5 and scan timestamp.

If specified twice, output from external extraction utilities will be displayed if --extract has also been specified:

binwalk --verbose firmware.bin

Scan Time:     2013-11-10 21:04:04
Signatures:    265
Target File:   firmware.bin
MD5 Checksum:  6b91cdff1b4f0134b24b7041e079dd3e

DECIMAL   	HEX       	DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0         	0x0       	DLOB firmware header, boot partition: "dev=/dev/mtdblock/2"
112       	0x70      	LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3805904 bytes
1310832   	0x140070  	PackImg section delimiter tag, little endian size: 15741184 bytes; big endian size: 3272704 bytes
1310864   	0x140090  	Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 3268870 bytes,  1860 inodes, blocksize: 65536 bytes, created: Mon Apr 22 04:56:42 2013

-h, --help

Displays binwalk help output:

binwalk --help

-a, --finclude=<str>

Only scan files whose names match the given regex string. Particularly useful when combined with --matryoshka and --extract

binwalk -M -e --finclude='\.bin$' firmware.bin

-p, --fexclude=<str>

Do not scan files whose names match the given regex string. Particularly useful when combined with --matryoshka and --extract

binwalk -M -e --fexclude='\.pdf$' firmware_archive.zip

-s, --status=<int>

Enable the status server on the specified port number. The status server listens on localhost only and prints out human readable ASCII data related to the current scan status. You can connect to it with telnet, netcat, etc.

binwalk --status=8080 firmware_archive.zip

Binwalk Usage Example

Scanning Firmware

The primary - and by far the most popular - feature of binwalk is its signature scanning.

Binwalk can scan a firmware image for many different embedded file types and file systems; just give it a list of files to scan:

binwalk firmware.bin

DECIMAL   	HEX       	DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0         	0x0       	DLOB firmware header, boot partition: "dev=/dev/mtdblock/2"
112       	0x70      	LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3797616 bytes
1310832   	0x140070  	PackImg section delimiter tag, little endian size: 13644032 bytes; big endian size: 3264512 bytes
1310864   	0x140090  	Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 3264162 bytes,  1866 inodes, blocksize: 65536 bytes, created: Tue Apr  3 04:12:22 2012

File Extraction

You can tell binwalk to extract any files that it finds in the firmware image with the -e option:

binwalk -e firmware.bin

Binwalk will even recursively scan files as it extracts them if you also specify the -M option:

binwalk -Me firmware.bin

And if the -r option is specified, any file signatures that couldn't be extracted - or that resulted in 0-size files - will be automatically deleted:

binwalk -Mre firmware.bin

To extract one specific signature type, specify one or more -D type options:

binwalk -D 'png image:png' firmware.bin

Entropy Analysis

What happens if binwalk doesn't report any signatures? Or, how do you know binwalk didn't miss anything interesting?

Entropy analysis can help identify interesting sections of data inside a firmware image:

binwalk -E firmware.bin

HINT: You can combine other scans with the entropy scan. For example, you can combine a signature scan with an entropy scan:

binwalk -B -E firmware.bin

DECIMAL   	HEX       	DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
36625     	0x8F11    	Zlib header, default compression

How to install Binwalk

Installation on Kali Linux

The program is pre-installed on Kali Linux. To install in minimal builds run:

sudo apt install binwalk

To install all recommended dependencies, run the commands:

wget https://raw.githubusercontent.com/ReFirmLabs/binwalk/master/deps.sh
sudo bash deps.sh --yes

If the previous command failed, then run the command:

sudo apt install git locales build-essential qtbase5-dev mtd-utils gzip bzip2 tar arj lhasa p7zip p7zip-full cabextract util-linux firmware-mod-kit cramfsswap squashfs-tools zlib1g-dev liblzma-dev liblzo2-dev sleuthkit default-jdk lzop cpio

Installation on Debian, Linux Mint, Ubuntu

sudo apt update
wget https://github.com/ReFirmLabs/binwalk/archive/master.zip
unzip master.zip
cd binwalk-master
sudo python setup.py uninstall
sudo python setup.py install

To install all recommended dependencies, run the command:

sudo bash deps.sh --yes

If the previous command failed, then run the command:

sudo apt install git locales build-essential qtbase5-dev mtd-utils gzip bzip2 tar arj lhasa p7zip p7zip-full cabextract util-linux firmware-mod-kit cramfsswap squashfs-tools zlib1g-dev liblzma-dev liblzo2-dev sleuthkit default-jdk lzop cpio

Installation on BlackArch

The program is pre-installed on BlackArch. To install in minimal builds run:

sudo pacman -S binwalk

To install all recommended dependencies, run the command:

sudo pacman -S python-opengl python-capstone arj cabextract cpio gzip mtd-utils p7zip squashfs-tools tar bzip2 unrar xz lhasa sleuthkit

Binwalk Screenshots

Binwalk Tutorials

Related tools

Recommended for you:

Comments are Closed

Рейтинг@Mail.ru