-
Notifications
You must be signed in to change notification settings - Fork 1.6k
Supported Signatures
devttys0 edited this page Oct 30, 2024
·
4 revisions
Binwalk supports a wide variety of file and data signatures; these can be viewed at any time by running:
$ binwalk --list
------------------------------------------------------------------------------------------------------------------------
Signature Description Signature Name Extraction Utility
------------------------------------------------------------------------------------------------------------------------
7-zip archive data 7zip 7z
AES S-Box aes_sbox None
Android sparse image android_sparse Built-in
Apple Disk iMaGe dmg dmg2img
APple File System apfs 7zzs
Arcadyan obfuscated LZMA arcadyan Built-in
Autel obfuscated firmware autel Built-in
BIN firmware header binhdr None
BTRFS file system btrfs None
bzip2 compressed data bzip2 Built-in
CFE bootloader cfe None
CHK firmware header chk None
compress'd data compressd 7z
Copyright text copyright None
CPIO ASCII archive cpio 7z
CramFS filesystem cramfs 7z
CRC32 polynomial table crc32 None
Debian package file deb None
Device tree blob (DTB) dtb dtc
DLOB firmware header dlob None
DOS Master Boot Record mbr Built-in
eCos kernel exception handler ecos None
EFI Global Partition Table efigpt 7z
ELF binary elf None
EXT filesystem ext tsk_recover
FAT file system fat tsk_recover
GIF image gif Built-in
GPG signed file gpg_signed Built-in
gzip compressed data gzip Built-in
HP Printer Job Language data pjl None
Intel serial flash for PCH ROM pchrom uefi-firmware-parser
ISO9660 primary volume iso9660 tsk_recover
JBOOT firmware header jboot_arm None
JBOOT SCH2 header jboot_sch2 Built-in
JBOOT STAG header jboot_stag None
JFFS2 filesystem jffs2 jefferson
JPEG image jpeg Built-in
Linux kernel ARM64 boot image linux_arm64_boot_image None
Linux kernel boot image linux_boot_image None
Linux kernel version linux_kernel vmlinux-to-elf
LUKS header luks None
LZ4 compressed data lz4 lz4
LZFSE compressed data lzfse lzfse
LZMA compressed data lzma Built-in
LZO compressed data lzop lzop
Microsoft Cabinet archive cab cabextract
Motorola S-record srecord srec2bin
Motorola S-record (generic) srecord_generic srec2bin
NTFS partition ntfs tsk_recover
OpenSSL encryption openssl None
PackImg firmware header packimg None
Pcap-NG capture file pcapng Built-in
PDF document pdf None
PEM certificate pem_certificate Built-in
PEM private key pem_private_key Built-in
PEM public key pem_public_key Built-in
PNG image png Built-in
POSIX tar archive tarball tar
QNX IFS image qnx_ifs dumpifs
RAR archive rar unrar
RIFF image riff Built-in
RomFS filesystem romfs Built-in
RSA encrypted session key rsa None
RTK firmware header rtk None
SEAMA firmware header seama None
SHA256 hash constants sha256 None
SquashFS file system squashfs sasquatch
SVG image svg Built-in
TP-Link firmware header tplink None
TP-Link RTOS firmware tplink_rtos None
TRX firmware image trx Built-in
UBI image ubi ubireader_extract_images
UBIFS image ubifs ubireader_extract_files
UEFI capsule image uefi_capsule uefi-firmware-parser
UEFI PI firmware volume uefi_pi_volume uefi-firmware-parser
uImage firmware image uimage Built-in
VxWorks symbol table vxworks_symtab Built-in
VxWorks WIND kernel version wind_kernel None
Windows CE binary image wince Built-in
Windows PE binary pe None
XZ compressed data xz Built-in
YAFFSv2 filesystem yaffs unyaffs
ZIP archive zip 7z
Zlib compressed file zlib Built-in
ZSTD compressed data zstd zstd
------------------------------------------------------------------------------------------------------------------------
Total signatures: 85
Extractable signatures: 57
Note
When run in a terminal, signatures displayed in yellow are prone to false positives, and by default, only searched for
at the beginning of each file.
Tip
To search for all signatures at all file offsets, use the --search-all command line option.