Protecting firmware .bin from reverse engineering

HI all.

I would like to protect my .bin file after compiling process in order to avoid reverse engineering techniques ( i.e. binwalk could simply unsquash my .bin firmware and see all the file system )

Could you recommend any tools for crypting the .bin file or other techniques?

Hope my question is clear


are we to assume you'd like this;

  • throughout the image lifecycle? i.e. supported at the flashing stage by the device itself?
  • what about device backups?

in short... 'cryping the bin' unto itself would achieve very little... take a moment to consider your intent and explain in more detail what you expect to achieve...



I have my firmware.bin;
if I do binwalk -e firmware.bin I can see all the file system and the content of /etc, /www..etc
I would like to protect my firmware.bin from this kind of reverse eng.

And if I have to upgrade a device ( i.e. via sysupgrade ) I will change the sysupgrade scritp so it will firstly decrypt the firmware.bin, and then perform a sysupgrade.

Hope it is more clear now :slight_smile:

take a look at how @hnyman crypts his configs with his buildscripts...

most simple techniques will revolve around similar methodology... albeit perhaps with alternate tools, limited to what your able to have present on the router at the decryption stage.

more advanced stuff like bootstrapping cryptsetup/fs or bootloader signing are involved (and risky) processes.


Exactly what I've done on a project. You also may want to look into disabling serial console.


How did you encrypt your file?

with ccrypt?

@stangri could you provide me some details on what you did? thanks