Compare·2026-06-15

BootIntel vs Binwalk

They solve different problems. Binwalk is for static firmware extraction and signature analysis. BootIntel is for runtime boot-log analysis and CVE matching against what the device actually loads. Most teams use both, in that order.

comparisonbinwalkfirmwarestatic-analysisworkflow

Binwalk is the right answer to one question and BootIntel is the right answer to a different one. The confusion comes from both tools being labeled "firmware analysis," which is true and unhelpful — they analyze different artifacts. Here's the breakdown.

What Binwalk actually does

Binwalk takes a firmware image — usually a binary blob extracted from flash, or downloaded from a vendor's update server — and finds embedded structures inside it: file systems (squashfs, jffs2, cramfs), compressed sections, embedded ELFs, certificates, signing markers, and known constants. Its core operation is scanning a byte stream for magic numbers and validated structure headers.

# Typical Binwalk workflow:
$ binwalk firmware.bin                   # what's inside?
$ binwalk -e firmware.bin                # extract everything found
$ binwalk -A firmware.bin                # opcode/architecture detection
$ binwalk --signature --carve  fw.bin    # carve out matched regions

Output is a static catalog of what the image contains. To go further, you mount the extracted rootfs and audit files manually — typically with file, strings, checksec, and a local distro CVE matcher like cve-bin-tool.

What BootIntel actually does

BootIntel takes the boot log — the text the device emits over UART from power-on to userspace ready — and runs detection rules against it. Output: identified bootloader, kernel, init system, package versions, device family, plus a graded list of CVEs and misconfigurations found in the runtime state.

The artifact lives at a different layer. The firmware image tells you what's on the flash. The boot log tells you what the device chose to run, in what order, with what config. Vendors ship firmware images that contain unused code, alternate boot modes, and configuration that the runtime never reaches. The boot log shows the path actually taken.

Cases where Binwalk wins

  • You only have the firmware blob, not the device.
  • You want to extract the rootfs, web UI assets, hardcoded credentials in binaries, or certificates baked into the image.
  • You're analyzing a vendor update for new binaries before deploying.
  • You want opcode-level architecture detection across an unknown blob.
  • You're looking for embedded resources (HTML, scripts, configs, private keys) that ship with the firmware.

Cases where BootIntel wins

  • You have the device but don't have the firmware image (most consumer hardware, locked-down enterprise gear).
  • You want CVE matches against the versions that actually run, not the versions the firmware image suggests should run.
  • You want to catch runtime-only misconfigurations: enabled debug consoles, BOOTDELAY values, kernel command-line flags, dropbear bound to 0.0.0.0, mounted rootfs in rw on flash, exposed recovery paths.
  • You're tracking changes across firmware updates and want the before/after diff (BootIntel saves logs per device; Binwalk has no notion of device history).
  • You don't want to install a Linux toolchain or deal with squashfs dependencies just to look at one device. The browser-only Device Fingerprinter identifies bootloader + kernel + SoC in 5 seconds with no setup.

The combined workflow

Real teams use both. The natural order:

  1. Acquire — pull the firmware blob (vendor update site, or flash dump via SPI/eMMC). Run binwalk -Me to extract.
  2. Catalog — note the file system layout, compression, and embedded resources. Mount squashfs, list package versions via opkg list-installed or distro-specific equivalents.
  3. Capture — connect UART, power-cycle, save the log (or use /terminal to capture live in the browser).
  4. Analyze — BootIntel runs detectors and matches detected versions against current NVD data. Findings tie back to specific log lines for evidence.
  5. Reconcile — compare what was in the firmware (Binwalk's view) against what runs (BootIntel's view). Gaps usually mean unused code, fallback paths, or runtime override of static config.

What about cve-bin-tool and fwhunt?

Worth mentioning since they show up in adjacent searches. cve-bin-tool scans binaries for known-CVE signatures and is a natural companion to Binwalk on the static-analysis side; it answers "does this binary look like vulnerable upstream X?". fwhunt targets UEFI firmware specifically. Neither sees runtime state. If you want runtime, you still need to capture the boot log — at which point BootIntel is the easiest path to detection + CVE matching against what loaded.

Related reading

← All comparisonsTry the free terminal →
BootIntel vs Binwalk · BootIntel