Binary analysis and extraction using binwalk v3 (Rust rewrite). Signature scanning, entropy analysis, embedded file extraction, and binary carving.
Rust-based binary analysis tool. Identifies and extracts embedded files, filesystems, compressed blobs, and other structures from any binary.
v3 vs v2: binwalk v3 is a complete Rust rewrite. Python APIs (binwalk.scan(), custom modules) are v2 only and do not exist in v3.
```sh
cargo install binwalk            # or: apt install binwalk (may be v2 — check with binwalk -V)
binwalk firmware.bin
binwalk -e firmware.bin          # extract to ./extractions/
binwalk -e -C ./out firmware.bin # extract to custom directory
binwalk -Me firmware.bin         # -M = matryoshka, -e = extract
binwalk -Mev firmware.bin        # add -v to see intermediate results
```
Results are color-coded by confidence:
| Color | Meaning |
|---|---|
| Green | High — metadata and data validated |
| Yellow | Medium — reasonable sanity checks passed |
| Red | Low — only magic bytes matched, likely false positive |
Example scan output:

```
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Linux kernel boot header
512           0x200           LZMA compressed data, properties: 0x5D
123456        0x1E240         Squashfs filesystem, little endian, version 4.0
```
Act on green/yellow. Treat red with skepticism, especially in high-entropy regions.
```sh
binwalk -E firmware.bin # saves entropy graph as PNG
```
| Pattern | Interpretation |
|---|---|
| Flat near 8 | Encrypted or compressed blob — extraction unlikely without key/decompression |
| Flat near 0 | Empty / zero-padded / erased flash |
| Fluctuating 4–7 | Typical code/data mix |
| Sharp transition | Section boundary — good extraction point |
| Repeating sawtooth | Sequential compressed chunks |
Combine with signature scan: if binwalk finds squashfs at 0x1E240, the entropy graph should show a clear transition there confirming the boundary.
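The entropy patterns above, and the boundary cross-check, can be reproduced outside binwalk. The following is an added example (not binwalk's code) that computes block-wise Shannon entropy over a constructed image, classifies each block with the thresholds from the table, finds sharp transitions, and checks whether a signature offset (here the assumed squashfs offset 8192 of the constructed image) coincides with one. The sample image, block size and the 7.5 / 0.5 / 2.0 thresholds are assumptions chosen for this example.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty/constant, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def block_entropy(data: bytes, block_size: int = 1024) -> list:
    """Entropy of each consecutive block; the last block may be shorter."""
    return [shannon_entropy(data[i:i + block_size]) for i in range(0, len(data), block_size)]


def classify(entropy: float) -> str:
    """Map a block's entropy onto the interpretations used in the table (thresholds assumed)."""
    if entropy >= 7.5:
        return "flat high: encrypted or compressed"
    if entropy <= 0.5:
        return "flat low: padding or erased flash"
    return "mixed code/data"


def find_transitions(entropies: list, block_size: int, threshold: float = 2.0) -> list:
    """Offsets where entropy jumps by at least `threshold` bits between adjacent blocks.
    Returns (offset, entropy_before, entropy_after) tuples."""
    return [
        (i * block_size, entropies[i - 1], entropies[i])
        for i in range(1, len(entropies))
        if abs(entropies[i] - entropies[i - 1]) >= threshold
    ]


def boundary_confirmed(offset: int, transitions: list, block_size: int) -> bool:
    """True if a signature offset lies within one block of an entropy transition."""
    return any(abs(offset - t[0]) <= block_size for t in transitions)


def build_sample_image() -> bytes:
    """Constructed 16 KiB image: 4 KiB zero padding, 4 KiB repeated text (mixed),
    8 KiB seeded pseudo-random bytes standing in for a compressed squashfs region."""
    text = (b"the quick brown fox jumps over the lazy dog\n" * 200)[:4096]
    rng = random.Random(1234)  # seeded so the example is deterministic
    blob = bytes(rng.getrandbits(8) for _ in range(8192))
    return bytes(4096) + text + blob


if __name__ == "__main__":
    image = build_sample_image()
    bs = 1024
    ents = block_entropy(image, bs)
    for i, e in enumerate(ents):
        print(f"0x{i * bs:06X}  {e:4.2f}  {classify(e)}")
    trans = find_transitions(ents, bs)
    print("transitions at:", [hex(t[0]) for t in trans])
    # 8192 is the assumed squashfs signature offset in this constructed image
    print("squashfs boundary confirmed:", boundary_confirmed(8192, trans, bs))
```

A signature whose offset falls inside a long flat high-entropy run, with no transition nearby, is exactly the red-result situation the previous section warns about; one that lands on a transition is worth extracting.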
```sh
binwalk -y squashfs,jffs2,cramfs firmware.bin # only these signatures
binwalk -x jpeg,png,gif firmware.bin         # exclude noisy types
binwalk -L                                   # list all supported signatures
```
Use -y when you know what you want. Use -x when output is noisy.
| Category | Names |
|---|---|
| Filesystems | squashfs, jffs2, cramfs, romfs, ext, ubifs |
| Compression | lzma, zlib, gzip, bzip2, lz4, xz, zstd |
| Archives | tar, zip, cpio, 7zip, rar |
| Boot/Kernel | uimage, dtb, arm, linux_kernel |
| Other | elf, certificate, private_key, pdf |
Names may vary — confirm with binwalk -L.
| Flag | Notes |
|---|---|
| -a, --search-all | Checks every offset (default skips inside identified regions). Very slow, very noisy. Use only when you suspect hidden nested signatures. |
| -t, --threads N | Manual thread count. Default matches CPU cores; rarely needs tuning. |
| -l, --log FILE | JSON output for scripting. Inspect actual schema — fields may vary by version. |
| -q, --quiet | Suppress stdout. Combine with -l for script-only usage. |
When binwalk identifies a signature but has no extractor:

```sh
# Carve from offset to end of file
dd if=firmware.bin bs=1 skip=123456 of=carved.bin
# Carve specific length
dd if=firmware.bin bs=1 skip=123456 count=65536 of=carved.bin
```
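The same carve, as an added example in Python rather than dd (not part of the page or of binwalk): it checks the magic bytes at the reported offset before copying, so a red false positive is caught before producing a bogus file, and copies in large chunks instead of byte-at-a-time. The firmware image is constructed inline; the magic table is a small hand-written one (squashfs "hsqs"/"sqsh", gzip, xz, ELF) and is an assumption for this example, not binwalk's signature database.

```python
import os
import tempfile

# Minimal magic table for this example (constructed). LZMA has no fixed magic
# and is deliberately omitted; use binwalk's own signature DB for real work.
MAGICS = {
    "squashfs-le": b"hsqs",
    "squashfs-be": b"sqsh",
    "gzip": b"\x1f\x8b",
    "xz": b"\xfd7zXZ\x00",
    "elf": b"\x7fELF",
}


def identify_magic(path: str, offset: int):
    """Return the magic name found at `offset`, or None if nothing in MAGICS matches."""
    with open(path, "rb") as f:
        f.seek(offset)
        head = f.read(8)
    for name, magic in MAGICS.items():
        if head.startswith(magic):
            return name
    return None


def carve(src: str, offset: int, dst: str, length=None, chunk: int = 1 << 20) -> int:
    """Copy `length` bytes starting at `offset` (to EOF when length is None) into `dst`.
    Equivalent to the dd commands above; returns the number of bytes written."""
    size = os.path.getsize(src)
    if offset < 0 or offset > size:
        raise ValueError(f"offset {offset} outside file of size {size}")
    remaining = size - offset if length is None else min(length, size - offset)
    written = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        fin.seek(offset)
        while remaining > 0:
            buf = fin.read(min(chunk, remaining))
            if not buf:
                break
            fout.write(buf)
            written += len(buf)
            remaining -= len(buf)
    return written


def build_sample_firmware(path: str):
    """Constructed image: 512 bytes of zeros, a fake squashfs-le superblock start
    padded to 1024 bytes, then 256 bytes of 0xFF erased flash. Returns (offset, length)."""
    body = bytes(512) + b"hsqs" + b"\xaa" * 1020 + b"\xff" * 256
    with open(path, "wb") as f:
        f.write(body)
    return 512, 1024


def demo():
    """Carve the fake squashfs region after confirming its magic; returns (kind, bytes, head)."""
    workdir = tempfile.mkdtemp()
    fw = os.path.join(workdir, "firmware.bin")
    offset, length = build_sample_firmware(fw)
    kind = identify_magic(fw, offset)
    if kind is None:
        raise RuntimeError("no known magic at offset; likely a false positive, not carving")
    out = os.path.join(workdir, "carved.bin")
    written = carve(fw, offset, out, length)
    with open(out, "rb") as f:
        head = f.read(4)
    return kind, written, head


if __name__ == "__main__":
    print(demo())
```

Use the offset from the DECIMAL column of the scan and the length from the next signature's offset (or from the squashfs superblock's own size field once you have parsed it); carving to EOF is fine for a first look but drags trailing padding and later sections into the output.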
| Problem | Cause / Fix |
|---|---|
| Signatures found but nothing extracted | Extractor may not exist for that type. Check binwalk -L for ✓ marks. Fall back to dd carving. |
| Extraction fails silently | Missing external tools (unsquashfs, jefferson, etc.). Run with -v to see errors. |
| Too many false positives | Common in encrypted/compressed regions. Use -x to filter, focus on green/yellow results. |
| Recursive extraction stuck or huge output | Deeply nested or self-referencing archives. Run without -M first to understand structure, then extract selectively. |
| No output at all | File may be encrypted or proprietary. Run binwalk -E — flat high entropy confirms encryption. Try -a as last resort. |
| User references Python API | That's v2. Binwalk v3 is CLI and Rust library only. |