binwalk Cheat Sheet
Firmware and file analysis tool that scans for embedded files and extracts hidden archives.
Overview
binwalk identifies embedded files, compression, and filesystems inside firmware images, disk dumps, and polyglot files. Common in IoT CTFs and firmware RE before manual extraction.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
sudo apt install -y binwalkPython module (latest signatures)
pip install binwalkEssential commands
Signature scan
binwalk firmware.binExtract known types automatically
binwalk -e firmware.binVerbose / entropy
binwalk -v firmware.binbinwalk -E firmware.binCommon workflows
Firmware extraction —
binwalk firmware.binbinwalk -e --run-as=root firmware.bincd _firmware.bin.extracted/ls -lafile squashfs-root/*Recursive extraction —
binwalk -Me firmware.binMatryoshka / nested archives —
binwalk -e image.pngbinwalk -e _image.png.extracted/DEADBEEF.zipstrings -n 8 _image.png.extracted/*Entropy analysis (packing / encryption) —
binwalk -E -J firmware.binManual carve at offset —
binwalk firmware.bindd if=firmware.bin bs=1 skip=123456 of=carved.squashfsunsquashfs carved.squashfsFlags reference
-e | Extract files to _<input>.extracted/ |
|---|---|
-M | Recursive scan of extracted content |
-r | Include raw compression scans |
-A | Scan for architecture-specific code |
-E | Plot entropy |
-W | Save entropy as PNG |
--dd='type:ext' | Custom extraction rule |
-y | Auto-answer yes to prompts |
Tips
- Install squashfs-tools, jefferson (JFFS2), ubi_reader for common embedded FS types.
- If extraction fails, note decimal offset from binwalk and dd manually.
- Compare binwalk vs foremost — binwalk is signature-smart; foremost is blind carving.
- Run strings and file on carved segments after extraction.