To contact us regarding classes or training, please email email@example.com.
All other correspondence should be sent through the webmaster.
My name is Brad and I am one of the co-founders of Netstumbler.com. Great job on WPA. I was interested to know if you would like to be interviewed about your findings via Skype for publication on Netstumbler.com.
It would give you a huge audience and the opportunity for the community to understand your finding in context and the greater ramifications of your code.
Feel free to reach me at:
How are the classes coming along? I was wondering, if possible, how would I copy out a compressed lzma from a bin file which contains 4 lzma portions? Is it possible to remove each part to decompress?
What does jailbroken mean? What will I get from the NEOTV if it’s jailbroken?
I have three different IPTV STBs for jailbreak. I can provide you with test models and I can offer some sum of money if you manage to jailbreak them. Contact me at firstname.lastname@example.org
Thanks for the great Blog
I am just wondering, how can I install Web-GUI firmware or extract its web pages on a Linux box?
How can I extract the web pages from the bin file!!!!
Hello, I found the firmware of a DOCSIS 3.0 modem (CBN CH6643e) with PacketCable (phone) + WiFi + USB. If I run it with binwalk I can extract everything out of the Puma 5 chip and the Realtek chip … I get 2 filesystems … even 2048-bit certs from CableLabs … in total I found 7 X.509 certs.
If anyone is interested in testing out binwalk … on my firmware, hit me up on Twitter … I can send it to you … it’s MIPS. Any help would be appreciated.
I would like to test binwalk
Keep up the good work!
Do you binwalk? I do!
I have a firmware which was scanned by binwalk, and no signatures showed. Can you help?
Same problem. Binwalk only found these when using -A:
1037 0x40D ARM instructions, function prologue
25121 0x6221 ARM instructions, function epilogue
685398 0xA7556 ARMEB instructions, function prologue
1720307 0x1A3FF3 ARMEB instructions, function epilogue
from app bin and
107224 0x1A2D8 MIPSEL instructions, function prologue
111311 0x1B2CF MIPSEL instructions, function prologue
203823 0x31C2F ARM instructions, function epilogue
from kernel bin.
Does this mean I should try and run this in some ARM emulator and try to figure what it does?
I’m looking at ZyXEL NBG4115 firmware that contains separate kernel and app bins.
I tried to send you an email at webmaster but I have issues with deliverability.
Have you changed email?
Hello I was wondering if you or anybody could provide some book titles or video tut links on Exploiting Embedded systems Hacking.
Hey Craig, how about hacking the firmware for Dlink’s smart switches…
Binwalk shows a listing of files which are basic HTML and JPG files, and the CGIs are on the device itself. :-/
Hey man great work.
I am stuck at emulating firmware through qemu. Can you help me in some way?
Hope to hear from you soon.
I have some problems with binwalk and different results after extracting attempt.
1. The target is ftp://ftp2.dlink.com/PRODUCTS/DIR-825/REVC/DIR-825_REVC_FIRMWARE_3.01.ZIP
2. The 1st PC with the latest version of binwalk (with the -Me parameter) gives me the result I expected: https://raw.githubusercontent.com/kamil-HFC/binwalk-extracting/master/README.md
3. But… binwalk on the 2nd PC extracted only a few randomly named files (squash) and a cpio archive. There is no system file like in point 2.
Each of the PCs has the latest Kubuntu LTS 64-bit. Why are my results different?
I want to emulate router firmware on qemu
but I can’t boot the kernel into qemu
can you please show me an example you are using to emulate the full routerOS into qemu
Please put some light on Dlink AP based on RTL8196d chipset
that does not allow any trick to work on it till dated 12-feb-2015. Team Muskeet / ReVdk-3 Rev-02, AP fucker /
wifislax 4.10.1, even Reaver Pro have failed to compromise it 🙁
I guess they built this World Most Securest AP with your help 🙂
to announce the world that “Wifi Hacking Was The Past”.
Thanks for your blog, it’s very useful. I’m just trying to learn a little more about Serial Ports.
Your blog on Reverse Engineering Serial Ports was very useful and has worked for me on at least one device.
I’m trying it on a Trendnet router and I’ve gotten stuck at a point and don’t know where to go from here.
Basically I have found what I believe to be the ground, Tx, and Rx, and I’m receiving data from the device,
but it’s unreadable. I’ve tried your code from here: https://code.google.com/p/baudrate/
Still no luck, and I tried adding more Baud Rates to the array.
At this point, I don’t know if I’m connecting to the wrong pins, if it could be some other Baud Rate,
if I should be using another cable type, or if it could be something else.
I’m currently using a “ttl-232r-3v3” cable.
I’m just looking for a little direction and any advice would be great.
Just to show more of what I’m doing and to better explain what is happening,
I’ve made this short video for you.
Thanks in advance.
Thanks for your great site!
If I could ask for your expertise: I am trying to connect a joystick (http://gaming.logitech.com/en-us/product/driving-force-shifter) to my Linux PC. The device has a serial cable; it is supposed to be inserted into another joystick (a steering wheel). Instead I wanted to use it directly. Eventually I plan to connect it to a program that I am writing which would switch desktops.
If I connect it directly to my PC’s serial device I can sort of communicate with it. If I pound on the keyboard it returns (usually) one byte and “=\n” per byte sent. The return codes do not seem to always correspond to the state of the joystick. It seems to be returning the same value for the same value. Once or twice I noticed that if I send a large amount of random data I can get it to hang until I switch the position of the joystick. But for the most part there seem to be nonsensical responses (same input per output regardless of state). I also tried two different serial-to-USB converters; these had very different results. Under USB the device does pretty much nothing regardless of the baud rate. I have noticed that if I send an incredible amount of random keypresses I occasionally get a single unprintable character in response.
I had been hoping to get a continuous stream of numbers corresponding to the state of the joystick.
I don’t know if my direct serial connection is just showing noise. I did try a second serial-to-USB converter which had the same results.
Do you have any ideas or suggestions going forward on determining how to communicate with this device?
I am reversing an embedded system that runs on VxWorks.
The system uses Ethernet. It has USB on the system.
Do you know if I can use a normal USB-to-Ethernet adapter on the system?
I can’t find an adapter which has a VxWorks driver inside.
Do I need that or can I just use a regular adapter?
Thanks!! BTW, thanks for your hard work on binwalk!!
I am having a slight problem with a Billion 7800 image file. I have extracted the CFE, ROOTFS, KERNEL and TAG file from the image and have made modifications to the ROOTFS. I then repack the ROOTFS using squashfs4.3 and the Broadcom tools. After I upload the new image I get this message:
*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 0
Booting from only image (0xb8010000) ...
Code Address: 0x80010000, Entry Address: 0x8030e340
Linux file system CRC error. Corrupted image?
I have tried many ways to fix this problem. At first I thought it was something to do with lzma compression, but that’s not it. Then I checked whether it had something to do with big endian and little endian, so I repacked using both methods, still with no success.
I saw a file in the rootfs system called cfg_checksum, so possibly an algorithm that checks for any changes during boot time, so I deleted it and repacked the rootfs system. Still no luck. I am out of ideas and need some help…
Here is link to the firmware and extracted files.
Any help on what to do when the firmware is encrypted? I am getting OpenSSL with Salt when I run binwalk.
I have a router with encrypted firmware (D-link DWR-956).
Binwalk says it’s OpenSSL encrypted, salted.
Anyway, I’ve managed to get access to the serial console through the UART headers, and have access to uBoot.
Tftp is deactivated. Any tips towards extracting the firmware?
The bootloader is located on a 128MB NAND chip, so I cannot use my SPI reader to dump it either.
My guess was loading the partition to memory, and then running a memory dump. But I’m unsure how to go about it, and how to get it transferred to my PC.
Love your blog btw!
What options does your U-Boot build have? Uploading a kernel via serial? If so and you’re still interested, use buildroot to make a simple linux file system for your router’s architecture. Find the defconfig for your router’s Linux kernel (D-Link is pretty good about providing source code which should include that, just google it). Then, compile a Linux kernel with that filesystem linked-in as an initramfs (CONFIG_INITRAMFS_SOURCE). Upload that to U-Boot over serial. Then you should have access to the NAND as a block device, you should be good from there. (You can send it over serial with base64/zmodem/etc. or include a simple (T)FTP server with your filesystem and use that.) If you figured out your own way, I’d like to hear how.
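One way to make the "send it over serial with base64" step in the reply above survive console noise, shown as an added example that is not part of the original comment or of any project's code. The `D`/`E` line framing, the function names and the sample bytes are assumptions made up for this illustration; the device side would need an equivalent emitter.

```python
import base64
import binascii
import re

CHUNK = 48  # raw bytes per line; 48 bytes encode to 64 base64 characters
# Constructed sample standing in for a dumped NAND partition.
SAMPLE = bytes(range(200))

def encode_frames(data: bytes) -> str:
    """Device side: 'D <index> <crc32> <base64>' per chunk, then an 'E' trailer."""
    lines = []
    for i in range(0, len(data), CHUNK):
        chunk = data[i:i + CHUNK]
        lines.append("D %06x %08x %s" % (i // CHUNK, binascii.crc32(chunk),
                                          base64.b64encode(chunk).decode()))
    # Trailer carries the chunk count and a CRC over the whole image.
    lines.append("E %06x %08x" % (len(lines), binascii.crc32(data)))
    return "\r\n".join(lines) + "\r\n"

FRAME = re.compile(r"^D ([0-9a-f]{6}) ([0-9a-f]{8}) ([A-Za-z0-9+/]+={0,2})$")
END = re.compile(r"^E ([0-9a-f]{6}) ([0-9a-f]{8})$")

def decode_capture(capture: str):
    """Host side: rebuild the image from a serial log; return (data, bad_indexes)."""
    chunks, total, whole_crc = {}, None, None
    for line in capture.splitlines():
        line = line.strip()
        m = FRAME.match(line)
        if m:
            try:
                raw = base64.b64decode(m.group(3), validate=True)
            except binascii.Error:
                continue  # damaged line: its index will be reported as bad
            if binascii.crc32(raw) == int(m.group(2), 16):
                chunks[int(m.group(1), 16)] = raw
            continue
        m = END.match(line)
        if m:
            total, whole_crc = int(m.group(1), 16), int(m.group(2), 16)
        # Anything else (kernel messages, prompts) is ignored as console noise.
    if total is None:
        raise ValueError("no trailer seen: capture is truncated")
    bad = [i for i in range(total) if i not in chunks]
    data = b"".join(chunks.get(i, b"") for i in range(total))
    if not bad and binascii.crc32(data) != whole_crc:
        raise ValueError("whole-image CRC mismatch")
    return data, bad
```

The returned list of bad indexes says which chunks to request again instead of repeating the whole transfer.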
Please help find the vulnerability to run telnetd on the TV hisense.
The link https://yadi.sk/d/CvrmlI_GmtiHS file extracted from the firmware of the TV hisense, which provides a means of post and get queries execute commands (emulation controller) on the network.
I was able to unpack the firmware sections, scanned ports found only:
PORT STATE SERVICE VERSION
8060/tcp open unknown
9085/tcp open upnp TwonkyMedia UPnP (UPnP 1.0; pvConnect SDK 1.0; Twonky SDK 1.1)
13000/tcp open unknown
42372/tcp open http Mongoose httpd
45852/tcp open http Mongoose httpd
And I do not know where to go …
Hi, my name is Mirko and I would like to ask you for help since I saw your videos and expert knowledge on signal generator mhs-5200a on YouTube.
I have bought an mhs-5200p. That is nearly identical to the 5200a, it only has an amplifier with it, but since you are an expert I would like to know how I can boost its performance.
Hey Craig. A few years ago I found an auth bypass vulnerability in dlink dir-655. I was wondering if you knew about this and would like to discuss.