🤖 AI Summary
This work addresses the challenge of applying equivalence class partitioning—a testing requirement under ISO 26262—to legacy embedded firmware in the absence of complete specification documents. The authors propose a binary-level method that automatically infers output-oriented equivalence classes by reconstructing control flow and performing guided symbolic execution to analyze function behavior. Execution paths are clustered based on observable outputs, such as return values and output parameters, and the resulting equivalence classes are represented in a human-readable form to support test design. To the best of the authors’ knowledge, this is the first approach capable of inferring equivalence classes directly from binaries without source code or documentation for safety-critical embedded software. Industrial case studies demonstrate that the inferred classes align closely with expert expectations and offer both high readability and practical utility, effectively aiding functional comprehension and compliance testing of legacy firmware.
📝 Abstract
Equivalence class partitioning is a well-established test design technique mandated by safety standards such as ISO 26262 for systematic testing of safety software. In industrial practice, however, its application to legacy undocumented embedded firmware is often hindered by incomplete or outdated functional specifications.
This paper proposes a binary-level methodology for inferring output-oriented equivalence classes directly from compiled firmware, without relying on source-level annotations or external documentation. The approach combines control-flow reconstruction and guided symbolic execution to analyze individual functions and group execution paths according to indistinguishable observable behavior, including return values and output parameters. An optional post-processing step produces human-readable representations to support comprehension and documentation.
The methodology is evaluated in an industrial automotive context through a practitioner-based study assessing correctness and interpretability. Results indicate strong alignment with expert expectations and a positive perception of readability and usefulness for supporting function understanding and test design. These findings demonstrate the feasibility and practical relevance of binary-level equivalence class inference for systematic testing of legacy undocumented safety-embedded software.
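The path-grouping step described in the abstract, sketched as an added example that is not the authors' tool or code. The input `speed`, the outputs `ret` and `out_flag`, and the path summaries are constructed stand-ins for what symbolic execution of one function might report.

```python
# Added illustration; not the paper's implementation. PATHS is constructed data
# standing in for per-path summaries produced by symbolic execution.
from collections import defaultdict

# Each path: inclusive (lo, hi) range of a hypothetical 8-bit input `speed`
# that drives the path, plus what a caller can observe afterwards.
PATHS = [
    {"speed": (0, 0),     "ret": 0, "out_flag": 0},
    {"speed": (1, 59),    "ret": 1, "out_flag": 0},
    {"speed": (60, 119),  "ret": 1, "out_flag": 0},  # different branch, same outputs
    {"speed": (120, 200), "ret": 2, "out_flag": 1},
    {"speed": (201, 250), "ret": 2, "out_flag": 1},
    {"speed": (251, 255), "ret": 0, "out_flag": 0},  # disjoint from speed == 0
]

def merge_ranges(ranges):
    """Merge overlapping or adjacent inclusive integer ranges."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def infer_classes(paths, input_name="speed"):
    """Group paths whose observable outputs are indistinguishable."""
    groups = defaultdict(list)
    for p in paths:
        observable = tuple(sorted((k, v) for k, v in p.items() if k != input_name))
        groups[observable].append(p[input_name])
    return {obs: merge_ranges(r) for obs, r in groups.items()}

def render(classes, input_name="speed"):
    """Human-readable form, one line per output-oriented equivalence class."""
    lines = []
    for obs, ranges in sorted(classes.items(), key=lambda kv: kv[1]):
        cond = " or ".join(
            f"{input_name} == {lo}" if lo == hi else f"{lo} <= {input_name} <= {hi}"
            for lo, hi in ranges)
        outs = ", ".join(f"{k} = {v}" for k, v in obs)
        lines.append(f"{cond}  ->  {outs}")
    return lines

if __name__ == "__main__":
    print("\n".join(render(infer_classes(PATHS))))
```

Six paths collapse into three classes, and one class covers two disjoint input regions, which is what distinguishes an output-oriented partition from a per-branch one.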