Quick Start Guide

Peter Wu edited this page May 20, 2016 · 14 revisions


Download binwalk:

$ wget https://github.com/devttys0/binwalk/archive/master.zip
$ unzip master.zip

Install binwalk; if you have a previously installed version of binwalk, it is suggested that you uninstall it before upgrading:

$ (cd binwalk-master && sudo python setup.py uninstall && sudo python setup.py install)

Debian users can install all optional and suggested extractors/dependencies using the included deps.sh script (recommended):

$ sudo ./binwalk-master/deps.sh

If you are not a Debian user, or if you wish to install only selected dependencies, see the INSTALL documentation for more details.

Scanning Firmware

The primary - and by far the most popular - feature of binwalk is its signature scanning.

Binwalk can scan a firmware image for many different embedded file types and file systems; just give it a list of files to scan:

$ binwalk firmware.bin

0           0x0         DLOB firmware header, boot partition: "dev=/dev/mtdblock/2"
112         0x70        LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3797616 bytes
1310832     0x140070    PackImg section delimiter tag, little endian size: 13644032 bytes; big endian size: 3264512 bytes
1310864     0x140090    Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 3264162 bytes,  1866 inodes, blocksize: 65536 bytes, created: Tue Apr  3 04:12:22 2012

File Extraction

You can tell binwalk to extract any files that it finds in the firmware image with the -e option:

$ binwalk -e firmware.bin

Binwalk will even recursively scan files as it extracts them if you also specify the -M option:

$ binwalk -Me firmware.bin

And if the -r option is specified, any file signatures that couldn't be extracted - or that resulted in 0-size files - will be automatically deleted:

$ binwalk -Mre firmware.bin

To extract one specific signature type, specify one or more -D type options:

$ binwalk -D 'png image:png' firmware.bin

Entropy Analysis

What happens if binwalk doesn't report any signatures? Or, how do you know binwalk didn't miss anything interesting?

Entropy analysis can help identify interesting sections of data inside a firmware image:

$ binwalk -E firmware.bin

Entropy analysis

HINT: You can combine other scans with the entropy scan. For example, you can combine a signature scan with an entropy scan:

$ binwalk -B -E firmware.bin

36625       0x8F11      Zlib header, default compression

Combined scan