Skip to content
Peter Eacmen edited this page Oct 16, 2018 · 24 revisions

-B, --signature

This performs a signature analysis of the specified files; if no other analysis options are specified, this is the default.

Use this option when you wish to combine the signature analysis with additional analyzers, such as --entropy:

$ binwalk --signature firmware.bin

DECIMAL   	HEX       	DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0         	0x0       	DLOB firmware header, boot partition: "dev=/dev/mtdblock/2"
112       	0x70      	LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3797616 bytes
1310832   	0x140070  	PackImg section delimiter tag, little endian size: 13644032 bytes; big endian size: 3264512 bytes
1310864   	0x140090  	Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 3264162 bytes,  1866 inodes, blocksize: 65536 bytes, created: Tue Apr  3 04:12:22 2012

-R, --raw=<string>

This allows you to search the specified file(s) for a custom string. The search string can include escaped octal and/or hexadecimal values.

Use this option when you need to search for a custom sequence of raw bytes:

$ binwalk -R "\x00\x01\x02\x03\x04" firmware.bin

DECIMAL   	HEX       	DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
377654    	0x5C336   	Raw string signature

-A, --opcodes

This instructs binwalk to search the specified file(s) for executable opcodes common to a variety of CPU architectures. Note that some opcode signatures are short and thus are prone to producing false positive results.

Use this when you need to locate executable code in a file, or if you need to determine the architecture of a executable file:

$ binwalk -A firmware.bin

DECIMAL         HEX             DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
268             0x10C           MIPS instructions, function prologue
412             0x19C           MIPS instructions, function prologue
636             0x27C           MIPS instructions, function prologue
812             0x32C           MIPS instructions, function epilogue
920             0x398           MIPS instructions, function epilogue
948             0x3B4           MIPS instructions, function prologue
1056            0x420           MIPS instructions, function epilogue
1080            0x438           MIPS instructions, function prologue
1356            0x54C           MIPS instructions, function epilogue
1392            0x570           MIPS instructions, function prologue
1836            0x72C           MIPS instructions, function epilogue
2012            0x7DC           MIPS instructions, function prologue
2260            0x8D4           MIPS instructions, function epilogue
2512            0x9D0           MIPS instructions, function prologue
2552            0x9F8           MIPS instructions, function epilogue

-m, --magic=<file>

Load an alternate magic signature file instead of the default.

Use this if you have a custom magic signature file containing signatures you want to search for:

$ binwalk -m ./foobar.mgc firmware.bin

DECIMAL         HEX             DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
268             0x10C           Foobar
412             0x19C           Foobar
636             0x27C           Foobar

-b, --dumb

Disables "smart" signature matching.

Useful when smart signature keywords in false positive signatures cause other valid signatures to be missed (e.g., via the jump-to-offset keyword):

$ binwalk -b firmware.bin

-I, --invalid

Displays all results, even those marked as invalid.

Useful if you think that binwalk is treating a valid file as invalid, but can produce a lot of garbage output:

$ binwalk -I firmware.bin

-x, --exclude=<filter>

Excludes signatures that match the specified exclude filter. Filters are lower-case regular expressions; multiple filters may be specified.

Magic signatures whose first line matches the specified filter will not be loaded at all; thus, the use of this filter can help decrease signature scan times.

Useful for excluding unneeded or uninteresting results:

$ binwalk -x 'mach-o' -x '^hp' firmware.bin # exclude HP calculator and OSX mach-o signatures

-y, --include=<filter>

Includes only signatures that match the specified include filter. Filters are lower-case regular expressions; multiple filters may be specified.

Only magic signatures whose first line matches the specified filter will be loaded; thus, the use of this filter can help decrease signature scan times.

Useful when searching only for specific signatures or types of signatures:

$ binwalk -y 'filesystem' firmware.bin # only search for filesystem signatures

-Y, --disasm

Attempts to identify the CPU architecture of executable code contained in a file using the capstone disassembler.

Specifying --verbose with this scan will additionally print the disassembled instructions.

Generally more robust than the simple signature analysis performed by --opcodes, but supports fewer architectures:

$ binwalk --disasm firmware.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
428           0x1AC           MIPS executable code, 32/64-bit, little endian, at least 750 valid instructions

-T, --minsn

Set the minimum number of consecutive instructions for a --disasm result to be considered valid. The default is 500 instructions:

$ binwalk --minsn=1200 -Y firmware.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
428           0x1AC           MIPS executable code, 32/64-bit, little endian, at least 1250 valid instructions

-k, --continue

Instruct --disasm to not stop at the first result:

$ binwalk --continue -Y firmware.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
428           0x1AC           MIPS executable code, 32/64-bit, little endian, at least 1250 valid instructions
1048576       0x100000        MIPS executable code, 32/64-bit, little endian, at least 1250 valid instructions
...

-E, --entropy

Performs an entropy analysis on the input file(s), prints raw entropy data and generates entropy graphs.

Entropy analysis can be combined with --signature, --raw, or --opcodes for a better understanding of the target file(s).

Useful for identifying sections of interesting data that a signature scan may have missed:

$ binwalk -E firmware.bin
DECIMAL       HEXADECIMAL     ENTROPY
--------------------------------------------------------------------------------
0             0x0             Rising entropy edge (0.983751)
1155072       0x11A000        Falling entropy edge (0.000000)
1181696       0x120800        Rising entropy edge (0.990546)
3780608       0x39B000        Falling entropy edge (0.000000)

When combined with the --verbose option, the raw entropy calculated for each data block is printed:

$ binwalk -E --verbose firmware.bin

DECIMAL         HEX             ENTROPY ANALYSIS
--------------------------------------------------------------------------------
0               0x0             0.964914
1024            0x400           0.978591
2048            0x800           0.973048
3072            0xC00           0.976195
4096            0x1000          0.976072
5120            0x1400          0.976734
6144            0x1800          0.976861
7168            0x1C00          0.972385
8192            0x2000          0.972518
...

PYTHON API WARNING: The graphing module used by binwalk (pyqtgraph) invokes os._exit upon completion; this is apparently necessary to handle various QT issues. When running binwalk from the command line, entropy analysis is always done last, causing little worry. However, if invoking entropy analysis via the API, be sure to disable graphing (--nplot) to prevent your script from exiting prematurely.


-J, --save

Automatically saves the entropy plot generated by --entropy to a PNG file instead of displaying it.

$ binwalk --save -E firmware.bin

-Q, --nlegend

Omits the legend from the entropy plot(s) generated by --entropy:

$ binwalk --entropy -Q firmware.bin

-N, --nplot

Disables graphical entropy plots for the --entropy scan.

$ binwalk --entropy -N firmware.bin

-H, --high=<float>

Sets the rising edge entropy trigger level. Only valid when used with --entropy. The specified value should be between 0 and 1:

$ binwalk --entropy -H .9 firmware.bin

-L, --low=<float>

Sets the falling edge entropy trigger level. Only valid when used with --entropy. The specified value should be between 0 and 1:

$ binwalk --entropy -L .3 firmware.bin

-W, --hexdump

Performs a hex dump of the input file(s) and color-codes bytes as follows:

  • Green - These bytes were the same in all files
  • Red - These bytes were different in all files
  • Blue - These bytes were only different in some files

Any arbitrary number of files may be diffed; additional useful options are --block, --offset, --length and --terse:

$ binwalk -W --block=8 --length=64 firmware1.bin firmware2.bin firmware3.bin

Note: if you need to page the output install the most utility since it better supports paging of colorized output.


-G, --green

Only display lines that contain green bytes during a --hexdump:

$ binwalk -W --green firmware1.bin firmware2.bin firmware3.bin

-i, --red

Only display lines that contain red bytes during a --hexdump:

$ binwalk -W --red firmware1.bin firmware2.bin firmware3.bin

-U, --blue

Only display lines that contain blue bytes during a --hexdump:

$ binwalk -W --blue firmware1.bin firmware2.bin firmware3.bin

-w, --terse

When performing a --hexdump, only display a hex dump of the first file.

Useful when diffing many files that don't all fit on the screen:

$ binwalk -W --terse firmware1.bin firmware2.bin firmware3.bin

-e, --extract

Loads common --dd extraction rules from a predefined file.

$ binwalk -e firmware.bin

-D, --dd=<type[:ext[:cmd]]>

Extracts files identified during a --signature scan. Multiple --dd options may be specified.

  • type is a *lower case* string contained in the signature description (regular expressions are supported)
  • ext is the file extension to use when saving the data disk (default none)
  • cmd is an optional command to execute after the data has been saved to disk

By default, the file name is the hexadecimal offset where the signature was found, unless an alternate file name is specified in the signature itself.

The following example demonstrates specifying an extraction rule using the --dd option that will extract any signature that contains the string 'zip archive' with a file extension of 'zip', and subsequently execute the 'unzip' command. Additionally, PNG images are extracted as-is with a 'png' file extension.

Note the use of the '%e' placeholder. This placeholder will be replaced with the relative path to the extracted file when the unzip command is executed:

$ binwalk -D 'zip archive:zip:unzip %e' -D 'png image:png' firmware.bin

-M, --matryoshka

This option will recursively scan extracted files during a --signature scan. Only valid when used with --extract or --dd.

$ binwalk -e -M firmware.bin

-C, --directory=<str>

Set the output directory for extracted data (default: current working directory).

Only applicable when used with the --extract or --dd options:

$ binwalk -e --directory=/tmp firmware.bin

-d, --depth=<int>

Limit the --matryoshka recursion depth. By default, the depth is set to 8.

Only applicable when used with the --matryoshka option:

$ binwalk -Me -d 5 firmware.bin

-j, --size=<int>

Limit the size of data carved out of the target file(s). By default, there is no size limit.

Only valid when used with --extract or --dd.

Note that this option does not limit the size of data extracted / decompressed by external extraction utilities.

Useful when carving or extracting data from large files with limited disk space:

$ binwalk -e --size=0x100000 firmware.bin

-r, --rm

Cleans up zero-size files and files that couldn't be processed by extraction utilities during extraction.

Only valid when used with --extract or --dd.

Useful for cleaning up false-positive files copied out of the target file(s) during extraction:

$ binwalk -e -r firmware.bin

-z, --carve

Performs data carving only, does not execute external extraction utilities.

Only valid when used with --extract or --dd.

Useful for when you want to simply carve data from the target file(s), but not automatically extract / decompress that data:

$ binwalk -e --carve firmware.bin

-X, --deflate

Identifies probable raw deflate compressed data streams by brute-force.

Useful for recovering data from files with corrupt/modified/missing headers. May be combined with --lzma.

This scan can be slow, so it is useful to limit the scanned area with --offset and/or --length:

$ binwalk --deflate -o 0x100 -l 10000 firmware.bin

-Z, --lzma

Identifies probable raw LZMA compressed data streams by brute-force.

Useful for recovering data from files with corrupt/modified/missing headers. May be combined with --deflate.

Due to the various number of LZMA compression options this scan can be very slow, so it is useful to limit the scanned area with --offset and/or --length:

$ binwalk --lzma -o 0x100 -l 10000 firmware.bin

-P, --partial

Only search for compression streams using common compression options. Can significantly improve the speed of --lzma scans:

$ binwalk --partial -Z -o 0x100 -l 10000 firmware.bin

-S, --stop

When used with the --lzma and/or --deflate options, this will stop the scan after the first result is displayed:

$ binwalk --stop -Z firmware.bin

-l, --length=<int>

Sets the number of bytes to analyze in a target file:

$ binwalk --length=0x100 firmware.bin

-o, --offset=<int>

Sets the starting offset at which to begin analyzing a target file. A negative offset (distance from End-Of-File) may also be specified:

$ binwalk --offset=0x100 firmware.bin

-O, --base=<int>

Sets the base address for all printed offsets. This value will be added to the raw file offset of all printed results:

$ binwalk --base=0x80001000 firmware.bin

-K, --block=<int>

Sets the block size, in bytes, used during analysis.

When used with --entropy, this determines the size of each block analyzed during entropy analysis.

When used with --hexdump, this sets the number of bytes displayed per line in the hex output.

$ binwalk --diff -K 8 firmware1.bin firmware2.bin

-g, --swap=<int>

Reverses every n bytes before scanning them:

$ binwalk --swap=2 firmware.bin

-f, --log=<file>

Log scan results to the specified file.

Data saved to the log file will be identical to that displayed in the terminal unless --csv is specified.

Data will be saved to the log file even if --quiet is specified:

$ binwalk --log=binwalk.log firmware.bin

-c, --csv

Causes log data to be saved in CSV format. This option is ignored if used with --cast or --hexdump.

Only valid when combined with the --log option:

$ binwalk --log=binwalk.log --csv firmware.bin

-t, --term

Formats output to the current terminal window width.

Useful for making long line-wrapped output more readable:

$ binwalk --term firmware.bin

DECIMAL   	HEX       	DESCRIPTION
-------------------------------------------------------------------------------------------------------
0         	0x0       	DLOB firmware header, boot partition: "dev=/dev/mtdblock/2"
112       	0x70      	LZMA compressed data, properties: 0x5D, dictionary size: 33554432
                        bytes, uncompressed size: 3805904 bytes
1310832   	0x140070  	PackImg section delimiter tag, little endian size: 15741184 bytes; big
                        endian size: 3272704 bytes
1310864   	0x140090  	Squashfs filesystem, little endian, version 4.0, compression:lzma,
                        size: 3268870 bytes,  1860 inodes, blocksize: 65536 bytes, created:
                        Mon Apr 22 04:56:42 2013

-q, --quiet

Disables output to stdout.

Most convenient when used with --log or verbose scans like --entropy:

$ binwalk --quiet -f binwalk.log firmware.bin

-v, --verbose

Enables verbose output, including target file MD5 and scan timestamp.

If specified twice, output from external extraction utilities will be displayed if --extract has also been specified:

$ binwalk --verbose firmware.bin

Scan Time:     2013-11-10 21:04:04
Signatures:    265
Target File:   firmware.bin
MD5 Checksum:  6b91cdff1b4f0134b24b7041e079dd3e

DECIMAL   	HEX       	DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0         	0x0       	DLOB firmware header, boot partition: "dev=/dev/mtdblock/2"
112       	0x70      	LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3805904 bytes
1310832   	0x140070  	PackImg section delimiter tag, little endian size: 15741184 bytes; big endian size: 3272704 bytes
1310864   	0x140090  	Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 3268870 bytes,  1860 inodes, blocksize: 65536 bytes, created: Mon Apr 22 04:56:42 2013

-h, --help

Displays binwalk help output:

$ binwalk --help

-a, --finclude=<str>

Only scan files whose names match the given regex string. Particularly useful when combined with --matryoshka and --extract

$ binwalk -M -e --finclude='\.bin$' firmware.bin

-p, --fexclude=<str>

Do not scan files whose names match the given regex string. Particularly useful when combined with --matryoshka and --extract

$ binwalk -M -e --fexclude='\.pdf$' firmware_archive.zip

-s, --status=<int>

Enable the status server on the specified port number. The status server listens on localhost only and prints out human readable ASCII data related to the current scan status. You can connect to it with telnet, netcat, etc.

$ binwalk --status=8080 firmware_archive.zip

You can’t perform that action at this time.