Posts

BLE sniffing with UbertoothOne

This time, I'd like to try monitoring a smartlock's BLE packets with Ubertooth One.

(Photos: the smartlock, the BLE dongle used here, and the Ubertooth One.)

Find BLE device

Check that the BLE dongle is connected.

➜ ~ sudo hciconfig
hci0:   Type: BR/EDR  Bus: USB
        BD Address: 00:1A:7D:DA:71:13  ACL MTU: 310:10  SCO MTU: 64:8
        UP RUNNING PSCAN
        RX bytes:622 acl:0 sco:0 events:38 errors:0
        TX bytes:952 acl:0 sco:0 commands:38 errors:0

Let's find BLE devices.

➜ ~ sudo hcitool lescan
LE Scan ...
30:F8:3F:06:4F:6F (unknown)
30:F8:3F:06:4F:6F (unknown)
30:F8:3F:06:4F:6F (unknown)
18:62:E4:46:60:AB (unknown)  <------
18:62:E4:46:60:AB BlueFPL    <------
30:F8:3F:06:4F:6F (unknown)
30:F8:3F:06:4F:6F (unknown)
30:F8:3F:06:4F:6F (unknown)

Then, trying gatttool. A peripheral is defined by services and characteristics; each service contains characteristics, which hold the data.

➜ ~ sudo gatttool -I -b 18:62:E4:46:60:AB
[   ][18:62:E4:46:60:AB][LE]> connect
[CON][18:62:E4:46:60:AB][LE]> primary
[CON][18:

MOVAPS triggered ACCESS_VIOLATION....

Hi, I met a malware sample which has decryption code in it. I tried to unpack it in a debugger, but it got stuck in the middle of the decryption: a movaps instruction triggered an ACCESS_VIOLATION exception in the decryption code. I suspected it might be an anti-debugging technique, but it seems not to be (the same instructions are found in Windows shared libraries too). I searched about this issue. The movaps instruction is explained like this, but I didn't understand the difference between the situations in which it can pass or not.

MOVAPS--Move Aligned Packed Single-Precision Floating-Point Values
> the operand must be aligned on a 16-byte boundary
http://qcd.phys.cmu.edu/QCDcluster/intel/vtune/reference/vc181.htm

It also says:
> To move packed single-precision floating-point numbers to or from unaligned memory locations, use the MOVUPS instruction.

Anyway, the difference seems to be aligned/unaligned. 16-byte boundary alignment is the answer.

> which generally means that the data's memo

Firmware dumping via SPI

I tried firmware dumping via SPI with the Attify Badge and Attify OS. The target camera is this one. This camera seems to be famous among IoT hackers; you will find many IoT hacking blogs about it. After the preview, I extracted the board. This time, I'd like to focus on the flash memory. The marking reads mxic mx25l12835f (Macronix MX25L12835F). From the model number, we can find the datasheet: MX25L12835F.

Now, let's connect the flash memory pins and the Attify Badge. The Attify Badge pin layout is:

D0 : SCK
D1 : MISO
D2 : MOSI
D3 : CS

I connected the flash memory and the Attify Badge like this:

D0 - SCLK(6)
D1 - SI(5)
D2 - SO(2)
D3 - CS(1)
GND - GND(4)
3.3V - VCC(8)
3.3V - RESET(7)
3.3V - WP(3)

We don't need to connect the power plug to the camera; the flash is supplied via the badge. For testing, try spiflash.py with the -i parameter. According to the Python code, it returns the chip ID, so this command can be used as a connectivity test. "00 00 00" or "FF FF FF" seem to mean fai

Zigbee sniffing

I bought Attify's IoT Exploit learning kit. Since that was so much fun, I want to show you some of it.

Zigbee sniffing with APImote

Zigbee is a global standard for wireless technology which supports low-cost, highly reliable networks for device-to-device communication. In the learning kit, the APImote enables monitoring of Zigbee packets. The following tools are used for the hands-on demo. All of these tools are included in the IoT Exploit learning kit. (Since I bought this kit at the beginning of 2019, the contents may have changed.) We can also use the VM image with the required tools already installed: https://github.com/adi0x90/attifyos

Upload code to Arduino Nano

Let's upload code to the Arduino Nano with the Arduino IDE. It just sends a text string and a counting-up value.

#include <SoftwareSerial.h>   // header name was lost in extraction; SoftwareSerial needs it

int a = 0;
SoftwareSerial mySerial(2, 3); // RX, TX

void setup() {
  Serial.begin(2400); // baudrate: 2400bps
}

void loop() {
  Serial.println("Hello!!!"); // fixed text
  Serial.println(a);          // counter, incremented on every loop
  a++;
}

Just in case, check if it

Malicious postscript code in hwp

I found a hwp (Hangul word processor) file which contains malicious PostScript code. I took some analysis notes as a memo. The malicious PostScript code is as follows.

/X240 <0632E7CB1D9F2067FDA9197F289976CC…snip…> def %kshvudgsjsye3
0 1 X240 length 1 sub % %kshvudgsjsye3
{/Y31 exch 1 2 and pop def %kshvudgsjsye3
X240 dup Y31 get <296BD6EB2CA90321BBEF5F5F4CFC10EC> Y31 15 and /Y104 8 def get xor Y31 exch put} for
X240 cvx %
exec

I've googled and found some coding rules.
・Anything following a % on a PostScript program line is ignored by the interpreter.
・Initialize variable i with value 0: /i 0 def
・Set each element of array ar to value n: 0 1 ar length 1 sub {ar exch n put} for
・exch: exchange the top two values of the stack.
・dup: duplicate the top element of the stack.
・Logical 'and' operator: a&&b is written a b and
・<hexadecimal string> cvx: makes the string executable
・<hexadecimal string> cvx exec: m

Ubuntu 16.04 + Qemu + Raspberry Pi image triggered kernel panic

I tried to boot Raspbian OS on QEMU but failed!!

Ubuntu 16.04 + Qemu + Raspberry Pi image

Freeing unused kernel memory: 176K (c0530000 - c055c000)
Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000004

I googled it and resolved it. You need to edit the Raspberry Pi's files inside the .img: comment out the mmcblk entries in /etc/fstab and the old entries in /etc/ld.so.preload.

OK, let's check the .img file.

umiushi@umiushi-VirtualBox:~/Desktop/armv6_stretch$ file raspbian-stretch.img
raspbian-stretch.img: DOS/MBR boot sector; partition 1 : ID=0xc, start-CHS (0x0,130,3), end-CHS (0x7,165,30), startsector 8192, 114688 sectors; partition 2 : ID=0x83, start-CHS (0x7,165,31), end-CHS (0x18e,97,19), startsector 122880, 6277120 sectors

Then, trying the fdisk command. Which sector should be mounted?

umiushi@umiushi-VirtualBox:~/Desktop/armv6_stretch$ fdisk -l ./raspbian-stretch.img
Disk ./raspbian-stretch.img: 3.1 GiB, 3276800000 bytes, 6400000 sectors
Units: sectors of 1 * 512 = 512 by

MBR debugging with Bochs

I've tried Bochs for debugging MBR which is infected Petya just for fun. First of all, prepare disk image. $ dd if=xx.raw of=petya.img bs=512k count=20 (I've run petya on VM and convert .vmdk image into .raw image.) Setup bochsrc file like following. romimage: file=$BXSHARE/BIOS-bochs-latest vgaromimage: file=$BXSHARE/VGABIOS-lgpl-latest megs: 16 ata0: enabled=1, ioaddr1=0x1f0, ioaddr2=0x3f0, irq=14 ata0-master: type=disk, path="petya.img", mode=flat, cylinders=1, heads=16, spt=63 boot: disk vga: extension=vbe mouse: enabled=0 log: nul logprefix: %t%e%d panic: action=fatal error: action=report info: action=report debug: action=ignore Wrong cylinders, heads, spt value may be a glitch on setting up debugging environment. Now, my petya.img size is 0x7E000 bytes. (Disk image size must be multiples of 512.) 0x7E000 = 516,096 = 512*1008 It is addressed by following formula. img size = cylinders * heads * spt * 512 516,096 = 1 * 16 * 63 * 512 You need