Channel: Embedded Systems – devttys0
Browsing all 35 articles

Exploiting Embedded Systems – Part 4

So far in this series we’ve found that we can log in to our target TEW-654TR router by either retrieving the plain text administrator credentials via TFTP, or through SQL injection in the login page....

Speaking SPI & I2C With The FT-2232

For a while now I’ve been looking for an easy way to interface with external SPI and I2C devices over USB in a manner that can be easily integrated into future projects as well as used in a simple...

Qemu vs sstrip

Qemu usually does a great job emulating embedded Linux applications, but as with anything you will occasionally run into bugs. While attempting to debug an embedded application in Qemu the other day, I...

Emulating NVRAM in Qemu

Being able to emulate embedded applications in Qemu is incredibly useful, but not without pitfalls. Probably the most common issue that I’ve run into are binaries that try to read configuration data...

Hacking the Linksys WMB54G

Today we’re going to take a look at an interesting little device, the Linksys WMB54G wireless music bridge. This is a pretty specialized device, so it’s likely a fairly minimalistic system. Even...

Best Amazon Review Ever

If you’re going to be in Vegas for BlackHat/Defcon, be sure to check out Zach’s talk. WNDR3700 Amazon Review

Reverse Engineering a DTV Converter

I have an old DTV converter sitting around gathering dust, so I thought it would be interesting to take a look inside. As you can see, there’s not much there: a Thomson TV...

Exploiting a MIPS Stack Overflow

Although D-Link’s CAPTCHA login feature has a history of implementation flaws and has been proven to not protect against the threat it was intended to thwart, they continue to keep this feature in...

Jailbreaking the NeoTV

Today we’ll be jailbreaking the Netgear NTV300 set top box…with a TV remote. Netgear’s NeoTV set top boxes are designed to compete with the popular Roku, and can stream video from...

Reverse Engineering Serial Ports

Given the name of this blog and the number of requests that I’ve had, I think it’s high time we discussed serial ports; specifically, serial ports in embedded systems. My goal here is to describe the...

Differentiate Encryption From Compression Using Math

When working with binary blobs such as firmware images, you’ll eventually encounter unknown data. Particularly with regards to firmware, unknown data is usually either compressed or encrypted. Analysis...

Reverse Engineering a D-Link Backdoor

All right. It’s Saturday night, I have no date, a two-liter bottle of Shasta and my all-Rush mix-tape…let’s hack. On a whim I downloaded firmware v1.13 for the DIR-100 revA. Binwalk quickly found and...

From China, With Love

Lest anyone think that D-Link is the only vendor who puts backdoors in their products, here’s one that can be exploited with a single UDP packet, courtesy of Tenda. After extracting the latest firmware...

Reversing the WRT120N’s Firmware Obfuscation

It was recently brought to my attention that the firmware updates for the Linksys WRT120N were employing some unknown obfuscation. I thought this sounded interesting and decided to take a look. The...

Re-enabling JTAG and Debugging the WRT120N

After de-obfuscating the WRT120N’s firmware, I started taking a closer look at the code, which runs the now-defunct SuperTask! RTOS. Thanks in no small part to copious debug strings littered throughout...

Cracking Linksys “Encryption”

Perusing the release notes for the latest Linksys WRT120N firmware, one of the more interesting comments reads: Firmware 1.0.07 (Build 01) - Encrypts the configuration file. Having previously reversed...

WRT120N fprintf Stack Overflow

With a good firmware disassembly and JTAG debug access to the WRT120N, it’s time to start examining the code for more interesting bugs. As we’ve seen previously, the WRT120N runs a Real Time Operating...

Hacking the D-Link DSP-W215 Smart Plug

The D-Link DSP-W215 Smart Plug is a wireless home automation device for monitoring and controlling electrical outlets. It isn’t readily available from Amazon or Best Buy yet, but the firmware is up on...

Hacking the DSP-W215, Again

D-Link recently released firmware v1.02 for the DSP-W215 to address the HNAP buffer overflow bug in my_cgi.cgi. Although they were quick to remove the download link for the new firmware (you must “Use...

Hacking the DSP-W215, Again, Again

Here we go again…again. In the last DSP-W215 exploit, I mentioned that the exploit’s POST parameter name had to be “storage_path” in order to prevent the get_input_entries function from crashing...
