Firmware analysis tool — identifies and extracts embedded files, filesystems, and code in binary blobs.
Installation
Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.
Linux (apt)
sudo apt install binwalk
pipx
pipx install binwalk
Source (recommended for plugins)
git clone https://github.com/ReFirmLabs/binwalk && cd binwalk && python3 setup.py install
Core commands
The handful of invocations you’ll actually run on 90% of engagements:
Identify embedded structures
binwalk firmware.bin
Extract everything
binwalk -e firmware.bin
Recursive extract (filesystems)
binwalk -Me firmware.bin
Entropy analysis (find encryption)
binwalk -E firmware.bin
Custom signature
binwalk -y "TP-Link" firmware.bin
Performance optimisation
What separates a junior who runs the default invocation from a practitioner who knows the knobs:
- Recursive extract (
-Me) can balloon to GBs from a 10MB image. Use--depth=2to bound it. - Install
jefferson,ubi_reader,sasquatchfor JFFS2/UBIFS/SquashFS support — default install only handles common formats. -D ".*:smaller"dumps everything ≥ 1KB — useful first-pass on unknown firmware.--ddtakes precedence over auto-extract — define exactly what to carve.
Common pitfalls
Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.
- Default signature matching has FALSE POSITIVES — random bytes can match magic numbers. Always cross-check with hexdump.
- Encrypted firmware: binwalk shows entropy 0.99+ throughout — likely AES/XOR encryption. Without key, dead end.
-Meon hostile firmware can have decompression bombs. Run in container.- Some manufacturers (TP-Link, Netgear) sign firmware — binwalk extracts but boot fails on modified images.
Modern alternatives in 2026
The ecosystem moves fast. These are tools you should at least be aware of:
- firmware-mod-kit — older, more manual control.
- unblob (ONEKEY) — newer, designed to replace binwalk.
- FACT — scalable firmware analysis platform.
India context and engagement notes
For IoT pen-tests on Indian-market devices (Mi, OnePlus, Realme TVs): binwalk + jadx + Ghidra is the kit. Most consumer firmware is signed but not encrypted — extraction works; flashing modified images requires bootloader unlock.
⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.