Rogue Binary MCP

Radare2 MCP Tools Reference

Detailed tool listing and persistent session control schemas for the rbinr2 decompiler server.

Section: Session and Metadata

Manage active Radare2 workspaces, persistent session life cycle, format facts, and binary layouts.

  • r2_open: Loads a binary with radare2 and starts a persistent pipeline session.
  • r2_close: Terminates a radare2 session and frees resources.
  • r2_sessions: Lists all active radare2 sessions currently loaded by the server.
  • r2_metadata: Mode-driven metadata reader supporting info, headers, version_info, entry_points, sections, relocations, resources, libraries, imports, exports, symbols, strings, and functions.
  • r2_classes: Lists C++ runtime classes or inspects a targeted class layout.
  • r2_vtables: Bounded native virtual method table (VMT) discovery.
  • r2_types: Reads structures, unions, and typedefs configured in the radare2 typespace.
  • r2_imports_grouped: Groups external imports by behavior families.
  • r2_plugins: Lists active radare2 plugin engines (decompilers, assemblers, hashes).
  • r2_flags: Lists flags, demangled names, and flagspaces with pagination.
  • r2_lookup_address: Resolves a raw address to its enclosing symbol or function.
  • r2_address_info: Renders address classification metadata.
  • r2_calculate: Evaluates a math or register expression.

Initialize Session:

{
  "tool": "r2_open",
  "arguments": {
    "binary_path": "/samples/app.bin"
  }
}

Section: Disassembly and Decompilation

Extract assembler code, decompile functions, and generate graphical control flows.

  • r2_disassemble: Returns block assembly instructions with offset control.
  • r2_opcodes: Returns structured opcode-analysis rows (instruction formats, register states).
  • r2_decompile: Invokes a decompilation engine (such as r2ghidra or r2dec) on the target offset.
  • r2_function_view: Renders a selected mode-driven function profile (signature, vars, cfg, callees, profile).
  • r2_graph: Generates control flow graphs (CFGs), callgraphs, and xref graphs in JSON.

Decompile Offset:

{
  "tool": "r2_decompile",
  "arguments": {
    "binary_path": "/samples/app.bin",
    "addr": "sym.main",
    "mode": "code"
  }
}

Section: Bytes, Search, and Cross-References

Examine raw hex blocks, search patterns, trace stack data flow, and extract cross-references.

  • r2_get_bytes: Returns raw hex bytes from a target address.
  • r2_extract_bytes: Bounded byte range extractor with SHA256 hashes and optional output path.
  • r2_block_hash: Computes block-level hashes (SHA256, MD5) or entropy values.
  • r2_pointer_scan: Scans memory for pointer-like references.
  • r2_string_at: Decodes strings at address as ASCII, UTF-8, UTF-16, or Pascal.
  • r2_find: Unified search across functions (glob), strings, imports, or bytes.
  • r2_semantic_search: Opcode-type, disasm-text, wide-string, or ROP gadget search.
  • r2_find_xrefs: Scans for cross-references matching a pattern.
  • r2_xrefs: Traces cross-references to or from a target address.
  • r2_global_xrefs: Lists a paginated inventory of all global cross-references.
  • r2_trace_data_flow: Traces ESIL data registers to map out function data-flow.
  • r2_var_xrefs: Function variable read/write cross-references.

Section: Advanced Hardening and Power-User Commands

Extract exploit mitigation information, trace register constants, inspect driver callbacks, or execute raw commands.

  • r2_security: Checksec-style hardening fields and per-section entropy.
  • r2_value_trace: Traces a seeded register value through instructions to resolve constants.
  • r2_path_digest: Macro path digest over a function or address range.
  • r2_artifact_summary: Decodes branch artifacts (strings, callsites, unsupported branches).
  • r2_field_xrefs: Maps raw memory field references with symbolic tracking.
  • r2_jump_table_slices: Summarizes computed jump-table target offsets.
  • r2_windows_driver_dispatch: Recovers DRIVER_OBJECT dispatch and notify callbacks.
  • r2_cmd: Runs a single radare2 query command with output length limits.

| Tool           | Description        | Key Parameters         | Output                   |
|----------------|--------------------|------------------------|--------------------------|
| r2_security    | hardening details  | binary_path, mode      | checksec JSON info       |
| r2_disassemble | disassemble blocks | binary_path, addr, len | assembler block listing  |
| r2_decompile   | decompiler plugins | binary_path, addr, mode | C pseudocode            |
| r2_cmd         | raw command query  | binary_path, cmd       | validated radare2 output |
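
A client-side policy gate for the calls documented above, as an added example that is not part of the rbinr2 project: it checks a {"tool", "arguments"} call against the key parameters listed in the table, keeps binary_path under a sample directory, refuses r2_cmd unless explicitly enabled, and wraps an accepted call in a standard MCP JSON-RPC tools/call request. Treating the table's key parameters as required, the /samples root, and the names check_call and to_mcp_request are assumptions of this example.

```python
import json
import posixpath

# Key parameters per tool, copied from the reference table and the r2_open
# example on this page. Treating them as required is an assumption.
KEY_PARAMS = {
    "r2_open": {"binary_path"},
    "r2_security": {"binary_path", "mode"},
    "r2_disassemble": {"binary_path", "addr", "len"},
    "r2_decompile": {"binary_path", "addr", "mode"},
    "r2_cmd": {"binary_path", "cmd"},
}
SAMPLE_ROOT = "/samples"        # assumed analysis directory, as in the page's examples
RAW_COMMAND_TOOLS = {"r2_cmd"}  # raw radare2 commands stay off unless opted in


def check_call(call, allow_raw=False):
    """Return the list of policy violations for a {"tool", "arguments"} call."""
    tool, args = call.get("tool"), call.get("arguments")
    if tool not in KEY_PARAMS:
        return [f"tool not on allow-list: {tool}"]
    if not isinstance(args, dict):
        return ["arguments must be an object"]
    problems = []
    if tool in RAW_COMMAND_TOOLS and not allow_raw:
        problems.append(f"{tool} requires explicit opt-in")
    missing = sorted(KEY_PARAMS[tool] - set(args))
    if missing:
        problems.append("missing parameters: " + ", ".join(missing))
    path = args.get("binary_path")
    if path is not None:
        # Normalise before the prefix test so "/samples/../etc/x" is rejected.
        # This is lexical only; the server must still resolve symlinks itself.
        norm = posixpath.normpath(path) if isinstance(path, str) else ""
        if not norm.startswith(SAMPLE_ROOT + "/"):
            problems.append(f"binary_path outside {SAMPLE_ROOT}: {path}")
    return problems


def to_mcp_request(call, request_id, allow_raw=False):
    """Wrap a call that passed check_call in an MCP JSON-RPC tools/call request."""
    problems = check_call(call, allow_raw)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps({
        "jsonrpc": "2.0", "id": request_id, "method": "tools/call",
        "params": {"name": call["tool"], "arguments": call["arguments"]},
    })
```

The gate runs in front of the MCP client, so a rejected call never reaches the server; it complements, and does not replace, whatever validation the server applies to r2_cmd.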