Binwalk - Firmware Analysis Tool

Binwalk - Firmware Analyzer

Binwalk is a firmware analysis tool designed to assist in the analysis, extraction, and reverse engineering of firmware images and other binary blobs. It is simple to use, fully scriptable and can be easily extended via custom signatures, extraction rules, and plugin modules.

It uses the libmagic library, so it is compatible with magic signatures created for the Unix file utility.

Binwalk includes a custom magic signature file which contains improved signatures for files that are commonly found in firmware images such as compressed/archived files, firmware headers, Linux kernels, bootloaders, filesystems, etc.

Note: Binwalk supports Python 2.7 - 3.x. Although most systems have Python2.7 set as their default Python interpreter, Binwalk does run faster in Python3.


First, download binwalk:
$ wget
$ unzip
Install binwalk; if you have a previously installed version of binwalk, it is suggested that you uninstall it before upgrading:
$ (cd binwalk-master && sudo python uninstall && sudo python install)
Debian users can install all optional and suggested extractors/dependencies using the included script (recommended):
$ sudo ./binwalk-master/
If you are not a Debian user, or if you wish to install only selected dependencies, see the INSTALL documentation for more details.


binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...

Signature Scan Options:

-B, --signature              Scan target file(s) for common file signatures

-R, --raw=<str>              Scan target file(s) for the specified sequence of bytes

-A, --opcodes                Scan target file(s) for common executable opcode signatures

-m, --magic=<file>           Specify a custom magic file to use

-b, --dumb                   Disable smart signature keywords

-I, --invalid                Show results marked as invalid

-x, --exclude=<str>          Exclude results that match <str>

-y, --include=<str>          Only show results that match <str>

Extraction Options:

-e, --extract                Automatically extract known file types

-D, --dd=<type:ext:cmd>      Extract <type> signatures, give the files an extension of 
                             <ext>, and execute <cmd>

-M, --matryoshka             Recursively scan extracted files

-d, --depth=<int>            Limit matryoshka recursion depth (default: 8 levels deep)

-C, --directory=<str>        Extract files/folders to a custom directory 
                             (default: current working directory)

-j, --size=<int>             Limit the size of each extracted file

-n, --count=<int>            Limit the number of extracted files

-r, --rm                     Delete carved files after extraction

-z, --carve                  Carve data from files, but don't execute extraction 

Entropy Analysis Options:

-E, --entropy                Calculate file entropy

-F, --fast                   Use faster, but less detailed, entropy analysis

-J, --save                   Save plot as a PNG

-Q, --nlegend                Omit the legend from the entropy plot graph

-N, --nplot                  Do not generate an entropy plot graph

-H, --high=<float>           Set the rising edge entropy trigger threshold
                             (default: 0.95)

-L, --low=<float>            Set the falling edge entropy trigger threshold
                             (default: 0.85)

Binary Diffing Options:

-W, --hexdump                Perform a hexdump / diff of a file or files

-G, --green                  Only show lines containing bytes that are the same 
                             among all files

-i, --red                    Only show lines containing bytes that are different 
                             among all files

-U, --blue                   Only show lines containing bytes that are different 
                             among some files

-w, --terse                  Diff all files, but only display a hex dump of
                             the first file

Raw Compression Options:

-X, --deflate                Scan for raw deflate compression streams

-Z, --lzma                   Scan for raw LZMA compression streams

-P, --partial                Perform a superficial, but faster, scan

-S, --stop                   Stop after the first result

General Options:

-l, --length=<int>           Number of bytes to scan

-o, --offset=<int>           Start scan at this file offset

-O, --base=<int>             Add a base address to all printed offsets

-K, --block=<int>            Set file block size

-g, --swap=<int>             Reverse every n bytes before scanning

-f, --log=<file>             Log results to file

-c, --csv                    Log results to file in CSV format

-t, --term                   Format output to fit the terminal window

-q, --quiet                  Suppress output to stdout

-v, --verbose                Enable verbose output

-h, --help                   Show help output

-a, --finclude=<str>         Only scan files whose names match this regex

-p, --fexclude=<str>         Do not scan files whose names match this regex

-s, --status=<int>           Enable the status server on the specified port

No comments

Powered by Blogger.