Binwalk — Install, Use, Optimise (2026)

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
Apr 29, 2026
2 min read

Firmware analysis tool — identifies and extracts embedded files, filesystems, and code in binary blobs.

Use case: Reverse EngineeringDifficulty: IntermediateHomepage: https://github.com/ReFirmLabs/binwalk

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

Linux (apt)

sudo apt install binwalk

pipx

pipx install binwalk

Source (recommended for plugins)

git clone https://github.com/ReFirmLabs/binwalk && cd binwalk && python3 setup.py install

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Identify embedded structures

binwalk firmware.bin

Extract everything

binwalk -e firmware.bin

Recursive extract (filesystems)

binwalk -Me firmware.bin

Entropy analysis (find encryption)

binwalk -E firmware.bin

Custom signature

binwalk -y "TP-Link" firmware.bin

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • Recursive extract (-Me) can balloon to GBs from a 10MB image. Use --depth=2 to bound it.
  • Install jefferson, ubi_reader, sasquatch for JFFS2/UBIFS/SquashFS support — default install only handles common formats.
  • -D ".*:smaller" dumps everything ≥ 1KB — useful first-pass on unknown firmware.
  • --dd takes precedence over auto-extract — define exactly what to carve.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • Default signature matching has FALSE POSITIVES — random bytes can match magic numbers. Always cross-check with hexdump.
  • Encrypted firmware: binwalk shows entropy 0.99+ throughout — likely AES/XOR encryption. Without key, dead end.
  • -Me on hostile firmware can have decompression bombs. Run in container.
  • Some manufacturers (TP-Link, Netgear) sign firmware — binwalk extracts but boot fails on modified images.

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • firmware-mod-kit — older, more manual control.
  • unblob (ONEKEY) — newer, designed to replace binwalk.
  • FACT — scalable firmware analysis platform.

India context and engagement notes

For IoT pen-tests on Indian-market devices (Mi, OnePlus, Realme TVs): binwalk + jadx + Ghidra is the kit. Most consumer firmware is signed but not encrypted — extraction works; flashing modified images requires bootloader unlock.


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants