Binwalk – Firmware Image Analysis of Embedded and Executable Code


Binwalk is a tool for searching a binary image for embedded files and executable code. It is designed specifically for identifying files and code embedded inside firmware images.

Binwalk uses the libmagic library, so it is compatible with the magic signatures created for the Unix file utility.

  • Author: Craig Heffner
  • License: MIT

Binwalk also includes a custom magic signature file containing specialized signatures for files typically found in firmware images, such as compressed / archived files, firmware headers, Linux kernels, bootloaders, filesystems, etc.

Firmware Scanning

To list all Binwalk options:

root@kali:~# binwalk -h

To scan the firmware for embedded file types and file systems:

root@kali:~# binwalk src_rxfw.07a

To extract known file types from the firmware image: -e, --extract

root@kali:~# binwalk -e src_rxfw.07a

To recursively scan the extracted files: -M, --matryoshka

root@kali:~# binwalk -Me src_rxfw.07a

To extract a specific signature type from the firmware image:

root@kali:~# binwalk -D 'png image:png' src_rxfw.07a

Entropy analysis can help identify interesting sections of data inside a firmware image:

root@kali:~# binwalk -E src_rxfw.07a
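
What the entropy scan measures, as an added Python example (not part of the original article and not Binwalk's own code): it computes per-block Shannon entropy over a constructed sample image and reports the byte ranges that look compressed or encrypted. The function names, the 1024-byte block size and the 0.95 / 0.85 thresholds are assumptions made for this example.

```python
import hashlib
import math

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a block, normalised to 0.0-1.0 (1.0 = 8 bits/byte)."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return sum(c / n * math.log2(n / c) for c in counts if c) / 8

def entropy_profile(data: bytes, block_size: int = 1024):
    """Return [(offset, entropy)] for each block_size chunk of the image."""
    return [(off, shannon_entropy(data[off:off + block_size]))
            for off in range(0, len(data), block_size)]

def high_entropy_regions(profile, block_size=1024, rise=0.95, fall=0.85):
    """Group blocks into (start, end) byte ranges. A region opens when entropy
    reaches `rise` and closes when it drops to `fall` (assumed thresholds)."""
    regions, start = [], None
    for off, ent in profile:
        if start is None and ent >= rise:
            start = off
        elif start is not None and ent <= fall:
            regions.append((start, off))
            start = None
    if start is not None:  # image ends inside a high-entropy region
        regions.append((start, profile[-1][0] + block_size))
    return regions

def build_sample_image() -> bytes:
    """Constructed image: text header, pseudo-random payload, 0xFF padding."""
    header = (b"FWHDR v1.0 constructed sample\n" * 200)[:4096]
    # SHA-256 output stands in for a compressed or encrypted payload (8192 bytes).
    payload = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                       for i in range(256))
    return header + payload + b"\xff" * 4096

if __name__ == "__main__":
    image = build_sample_image()
    for start, end in high_entropy_regions(entropy_profile(image)):
        print(f"high-entropy region: 0x{start:X}-0x{end:X} ({end - start} bytes)")
```

High-entropy ranges that no signature accounts for are the ones worth a closer look, since they usually mean encrypted or custom-compressed data.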

To hexdump / diff the file contents: -W, --diff

root@kali:~# binwalk -W src_rxfw.07a

To disable or enable a plugin: -X, -Y

root@kali:~# binwalk -X src_rxfw.07a

For a forensic analyst, Binwalk is a critical tool. In a forensic investigation it can be a valuable asset when combined with other tools.


Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.