To contact us regarding classes or training, please email

All other correspondence should be sent through the webmaster.

28 Responses to Contact

  1. Brad Slavin says:


    My name is Brad and I am one of the co-founders of Great job on WPA, I was interested to know if you would like to be interviewed about your findings via Skype for publication on

    It would give you a huge audience and the opportunity for the community to understand your finding in context and the greater ramifications of your code.

    Feel free to reach me at:


  2. Jason says:

    How are the classes coming along? I was wondering, if possible, how would I copy out a compressed LZMA from a bin file which contains 4 LZMA portions? Is it possible to remove each part to decompress?

  3. Danny says:

    What does jailbroken mean? What will I get from the NEOTV if it’s jailbroken?

  4. Bastah says:

    I have three different IPTV stb for jailbreak. I can provide you with test models and I can offer some sum of money if you manage to jailbreak them. Contact me to


  5. faris says:

    Thanks for the great blog.
    I am just wondering, how can I install Web-GUI firmware or extract its web pages on a Linux box?
    How can I extract the web pages from the bin file?

  6. stuntlc says:

    Hello, I found the firmware of a DOCSIS 3.0 modem (CBN CH6643e) with PacketCable (phone) + WiFi + USB. If I run it with binwalk I can extract everything out of the Puma 5 chip and the Realtek chip … I get 2 filesystems … even 2048-bit certs from CableLabs … in total I found 7 X.509 certs.

    If anyone is interested in testing binwalk on my firmware, hit me up on Twitter … I can send it to you … it’s MIPS. Any help would be appreciated.

  7. AivarLiimets says:

    Keep up the good work!

    Do you binwalk? I do!

  8. Yanbin says:

    I have a firmware which was scanned by binwalk, and no signatures showed. Can you help?

    • Simo Similar says:

      Same problem. Binwalk only found these when using -A:
      1037 0x40D ARM instructions, function prologue
      25121 0x6221 ARM instructions, function epilogue
      685398 0xA7556 ARMEB instructions, function prologue
      1720307 0x1A3FF3 ARMEB instructions, function epilogue
      from app bin and
      107224 0x1A2D8 MIPSEL instructions, function prologue
      111311 0x1B2CF MIPSEL instructions, function prologue
      203823 0x31C2F ARM instructions, function epilogue
      from kernel bin.

      Does this mean I should try and run this in some ARM emulator and try to figure what it does?

      I’m looking at ZyXEL NBG4115 firmware that contains separate kernel and app bins.

  9. Evangelos says:


    I tried to send you an email at webmaster but I have issues with deliverability.

    Have you changed email?


  10. ApacheOmega says:

    Hello I was wondering if you or anybody could provide some book titles or video tut links on Exploiting Embedded systems Hacking.

    Thank You

  11. Jeff Fields says:

    Hey Craig, how about hacking the firmware for Dlink’s smart switches…

    Binwalk shows a listing of files which are basic HTML and JPG files, and the CGIs are on the device itself. :-/



  12. Seemant says:

    Hey man, great work.

    I am stuck at emulating firmware through QEMU. Can you help me in some way?

    Hope to hear from you soon.

    Thanks buddy…

  13. Kamil says:

    I have some problems with binwalk and different results after an extraction attempt.
    1. The target is
    2. The 1st PC, with the latest version of binwalk (with the -Me parameter), gives me the result I expected.
    3. But… binwalk on the 2nd PC extracted only a few randomly named files (squash) and a cpio archive. There is no system file like in point 2.

    Each of the PCs has the latest Kubuntu LTS 64-bit. Why are my results different?

  14. Ahmad says:


    I want to emulate router firmware on QEMU
    but I can’t boot the kernel in QEMU.
    Can you please show me an example you are using to emulate the full routerOS in QEMU?


  15. Mr-X says:

    Sir Craig,

    Good day,

    Please put some light on Dlink AP based on RTL8196d chipset
    that does not allow any trick to work on it till dated 12-feb-2015. Team Muskeet / ReVdk-3 Rev-02, AP fucker /
    wifislax 4.10.1 even Reaver Pro are failed to compromise it 🙁

    I guess they built this World Most Securest AP with your help 🙂
    to announce the world that “Wifi Hacking Was The Past”.

    B3st R3gardz,

  16. Thanks for your blog, it’s very useful. I’m just trying to learn a little more about Serial Ports.
    Your blog on Reverse Engineering Serial Ports was very useful and has worked for me on at least one device.
    I’m trying it on a Trendnet router and I’ve gotten stuck at a point and don’t know where to go from here.

    Basically I have found what I believe to be the ground, Tx, and Rx, and I’m receiving data from the device,
    but it’s unreadable. I’ve tried your code from here:
    Still no luck, and I tried adding more Baud Rates to the array.

    At this point, I don’t know if I’m connecting to the wrong pins, if it could be some other Baud Rate,
    if I should be using another cable type, or if it could be something else.

    I’m currently using a “ttl-232r-3v3” cable.

    I’m just looking for a little direction and any advice would be great.

    Just to show more of what I’m doing and to better explain what is happening,
    I’ve made this short video for you.

    Thanks in advance.

  17. Andrew says:

    Thanks for your great site!
    If I could ask for your expertise: I am trying to connect a joystick ( to my linux pc. The device has a serial cable it is supposed to be inserted into another joystick (a steering wheel) instead I wanted to use it directly eventually I plan to connect it to a program that I am writing which would switch desktops.
    If I connect it directly to my PC’s serial device I can sort of communicate with it; if I pound on the keyboard it returns (usually) one byte and “=\n” per byte sent. The return codes do not seem to always correspond to the state of the joystick. It seems to be returning the same value for the same value. Once or twice I noticed that if I send a large amount of random data I can get it to hang until I switch the position of the joystick. But for the most part there seem to be nonsensical responses (same input per output regardless of state). I also tried two different serial-to-USB converters; these had very different results. Under USB the device does pretty much nothing regardless of the baud rate. I have noticed that if I send an incredible amount of random keypresses I occasionally get a single unprintable character in response.
    I had been hoping to get a continuous stream of numbers corresponding to the state of the joystick.
    I don’t know if my direct serial connection is just showing noise; I did try a second serial-to-USB converter which had the same results.
    Do you have any ideas or suggestions for going forward in determining how to communicate with this device?
    Thank you!

  18. Francois says:

    Hey Craig,

    I am reversing an embedded system that runs on VxWorks.

    The system uses Ethernet. It has USB on the system.

    Do you know if I can use a normal USB-to-Ethernet adapter on the system?

    I can’t find an adapter which has a VxWorks driver inside.

    Do I need that or can I just use a regular adapter?

    Thanks!! By the way, thanks for your hard work on binwalk!!

  19. Kaiser says:

    Hello Craig,
    I am having a slight problem with a Billion 7800 image file. I have extracted the CFE, ROOTFS, KERNEL and TAG file from the image and have made modifications to the ROOTFS. I then repack the ROOTFS using squashfs4.3 and the Broadcom tools. After I upload the new image I get this message:

    *** Press any key to stop auto run (1 seconds) ***
    Auto run second count down: 0
    Booting from only image (0xb8010000) ...
    Code Address: 0x80010000, Entry Address: 0x8030e340
    Linux file system CRC error.  Corrupted image?

    I have tried many ways to fix this problem. At first I thought it was something to do with LZMA compression, but that’s not it. Then I checked whether it had something to do with big endian and little endian, so I repacked using both methods, still with no success.
    I saw a file in the rootfs called cfg_checksum, so possibly an algorithm that checks for any changes during boot time, so I deleted it and repacked the rootfs, still no luck. I am out of ideas and need some help…
    Here is a link to the firmware and extracted files.

  20. Mike C says:

    Any help on what to do when the firmware is encrypted? I am getting OpenSSL with salt when I run binwalk.

  21. Andreas Nilsen says:

    I have a router with encrypted firmware (D-Link DWR-956).
    Binwalk says it’s OpenSSL encrypted, salted.

    Anyway, I’ve managed to get access to the serial console through the UART headers, and have access to U-Boot.
    TFTP is deactivated. Any tips towards extracting the firmware?
    The bootloader is located on a 128MB NAND chip, so I cannot use my SPI reader to dump it either.

    My guess was loading the partition to memory, and then running a memory dump. But I’m unsure how to go about it, and how to get it transferred to my PC.

    Love your blog, by the way!

    • Jake says:

      What options does your U-Boot build have? Uploading a kernel via serial? If so and you’re still interested, use buildroot to make a simple linux file system for your router’s architecture. Find the defconfig for your router’s Linux kernel (D-Link is pretty good about providing source code which should include that, just google it). Then, compile a Linux kernel with that filesystem linked-in as an initramfs (CONFIG_INITRAMFS_SOURCE). Upload that to U-Boot over serial. Then you should have access to the NAND as a block device, you should be good from there. (You can send it over serial with base64/zmodem/etc. or include a simple (T)FTP server with your filesystem and use that.) If you figured out your own way, I’d like to hear how.

  22. Hawkeye says:

    Please help find the vulnerability to run telnetd on the TV hisense.
    The link file extracted from the firmware of the TV hisense, which provides a means of post and get queries execute commands (emulation controller) on the network.
    I was able to unpack the firmware sections, scanned ports found only:
    8060 / tcp open unknown
    9085 / tcp open upnp TwonkyMedia UPnP (UPnP 1.0; pvConnect SDK 1.0; Twonky SDK 1.1)
    13000 / tcp open unknown
    42372 / tcp open http Mongoose httpd
    45852 / tcp open http Mongoose httpd
    And I do not know where to go …

  23. Mirko says:

    Hi, my name is Mirko and I would like to ask you for help since I saw your videos and expert knowledge on the signal generator mhs-5200a on YouTube.

    I have bought an mhs-5200p. That is nearly identical to the 5200a, it only has an amplifier with it, but since you are an expert I would like to know how I can boost its performance.

    Best regards

  24. Zak says:

    Hey Craig. A few years ago I found an auth bypass vulnerability in the D-Link DIR-655. I was wondering if you knew about this and would like to discuss.
