Binwalk is a firmware analysis tool designed for analyzing, reverse engineering and extracting data contained in firmware images.
Written primarily in Python, it is fully scriptable and easily extendable via custom signatures and plugins.
Binwalk is a tool for searching a given binary image for embedded files and executable code. Specifically, it is designed for identifying files and code embedded inside of firmware images. Binwalk uses the libmagic library, so it is compatible with magic signatures created for the Unix file utility. Binwalk also includes a custom magic signature file which contains improved signatures for files that are commonly found in firmware images such as compressed/archived files, firmware headers, Linux kernels, bootloaders, filesystems, etc.
binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...
Signature Scan Options:
    -B, --signature              Scan target file(s) for common file signatures
    -R, --raw=<str>              Scan target file(s) for the specified sequence of bytes
    -A, --opcodes                Scan target file(s) for common executable opcodes
    -C, --cast                   Cast offsets as a given data type (use -y to specify the data type / endianess)
    -m, --magic=<file>           Specify a custom magic file to use
    -b, --dumb                   Disable smart signature keywords

Extraction Options:
    -e, --extract                Automatically extract known file types
    -D, --dd=<type:ext:cmd>      Extract <type> signatures, give the files an extension of <ext>, and execute <cmd>
    -M, --matryoshka             Recursively scan extracted files
    -d, --depth=<int>            Limit matryoshka recursion depth (default: 8 levels deep)
    -j, --size=<int>             Limit the size of each extracted file
    -r, --rm                     Cleanup extracted / zero-size files after extraction
    -z, --carve                  Carve data from files, but don't execute extraction utilities

Entropy Analysis Options:
    -E, --entropy                Calculate file entropy
    -J, --save                   Save plot as a PNG
    -N, --nplot                  Do not generate an entropy plot graph
    -Q, --nlegend                Omit the legend from the entropy plot graph

Fuzzy Hash Options:
    -F, --fuzzy                  Perform fuzzy hash matching on files/directories
    -u, --cutoff=<int>           Set the cutoff percentage
    -S, --strings                Diff strings inside files instead of the entire file
    -s, --same                   Only show files that are the same
    -p, --diff                   Only show files that are different
    -n, --name                   Only compare files whose base names are the same
    -L, --symlinks               Don't ignore symlinks

Raw Compression Options:
    -X, --deflate                Scan for raw deflate compression streams

Binary Diffing Options:
    -W, --hexdump                Perform a hexdump / diff of a file or files
    -G, --green                  Only show lines containing bytes that are the same among all files
    -i, --red                    Only show lines containing bytes that are different among all files
    -U, --blue                   Only show lines containing bytes that are different among some files
    -w, --terse                  Diff all files, but only display a hex dump of the first file

Binary Visualization Options:
    -3, --3D                     Generate a 3D binary visualization
    -2, --2D                     Project data points onto 3D cube walls only
    -Z, --points=<int>           Set the maximum number of plotted data points
    -V, --grids                  Display the x-y-z grids in the resulting plot

Heuristic Compression Options:
    -H, --heuristic              Heuristically classify high entropy data
    -a, --trigger=<float>        Set the entropy trigger level (0.0 - 1.0, default: 0.90)

General Options:
    -l, --length=<int>           Number of bytes to scan
    -o, --offset=<int>           Start scan at this file offset
    -K, --block=<int>            Set file block size
    -g, --swap=<int>             Reverse every n bytes before scanning
    -I, --invalid                Show results marked as invalid
    -x, --exclude=<str>          Exclude results that match <str>
    -y, --include=<str>          Only show results that match <str>
    -f, --log=<file>             Log results to file
    -c, --csv                    Log results to file in CSV format
    -t, --term                   Format output to fit the terminal window
    -q, --quiet                  Supress output to stdout
    -v, --verbose                Enable verbose output
    -h, --help                   Show help output
cyborg@cyborg:~$ binwalk -e DIR890LA1_FW107b09.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             DLOB firmware header, boot partition: "dev=/dev/mtdblock/7"
116           0x74            LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 4905376 bytes
1835124       0x1C0074        PackImg section delimiter tag, little endian size: 9499136 bytes; big endian size: 15896576 bytes
1835156       0x1C0094        Squashfs filesystem, little endian, version 4.0, compression:lzma (non-standard type definition), size: 15894704 bytes, 2593 inodes, blocksize: 131072 bytes, created: Tue May 26 17:40:02 2015
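
An added example (not part of the original page and not binwalk's own code): a simplified Python sketch of the signature matching described above, which finds candidate LZMA and SquashFS headers and validates their fields before reporting them. The image is constructed (zero-filled, with two headers at the offsets from the scan above plus one decoy), the helper names are hypothetical, and the standard SquashFS 4.0 superblock layout is assumed; binwalk's real signatures check more than this.

```python
import struct

SQUASHFS_COMP = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz"}

def find_all(data, magic):
    """Yield every offset at which the byte string `magic` occurs."""
    off = data.find(magic)
    while off != -1:
        yield off
        off = data.find(magic, off + 1)

def scan(data):
    """Return sorted (offset, description) pairs for validated headers."""
    hits = []
    # LZMA "alone" header: properties byte, u32 dictionary size, u64 uncompressed size.
    for off in find_all(data, b"\x5d"):
        if off + 13 > len(data):
            continue
        dict_size, unc_size = struct.unpack_from("<IQ", data, off + 1)
        # One magic byte is weak, so require a power-of-two dictionary and a sane size.
        if dict_size >= 4096 and dict_size & (dict_size - 1) == 0 and 0 < unc_size < 1 << 32:
            hits.append((off, f"LZMA, dictionary size: {dict_size}, uncompressed size: {unc_size}"))
    # SquashFS 4.x little-endian superblock starts with the magic "hsqs".
    for off in find_all(data, b"hsqs"):
        if off + 48 > len(data):
            continue
        (inodes, _mtime, block_size, _frags, comp, block_log, _flags, _ids,
         major, minor, _root, used) = struct.unpack_from("<IIIIHHHHHHQQ", data, off + 4)
        # block_log must be log2(block_size); a mismatch marks a false positive.
        if major == 4 and block_size == 1 << block_log:
            hits.append((off, f"Squashfs {major}.{minor}, compression: {SQUASHFS_COMP.get(comp, 'unknown')}, "
                              f"size: {used}, {inodes} inodes, blocksize: {block_size}"))
    return sorted(hits)

def build_sample():
    """Constructed image: zero-filled, with two headers at the offsets from the scan above."""
    img = bytearray(1835156 + 48)
    struct.pack_into("<BIQ", img, 116, 0x5D, 33554432, 4905376)
    struct.pack_into("<4sIIIIHHHHHHQQ", img, 1835156, b"hsqs", 2593, 0, 131072, 0,
                     2, 17, 0, 1, 4, 0, 0, 15894704)
    img[64:68] = b"hsqs"  # decoy: magic bytes with no valid superblock behind them
    return bytes(img)

if __name__ == "__main__":
    print(f"{'DECIMAL':<14}{'HEXADECIMAL':<16}DESCRIPTION")
    for off, desc in scan(build_sample()):
        print(f"{off:<14}{'0x%X' % off:<16}{desc}")
```

The decoy at offset 64 is dropped because its version and block-size fields fail validation. Field checks like these are what keep a magic-byte scan from flooding the results with false positives.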