49 items tagged "firmware"
12:01 » Hack a Day
It looks like the security of the PlayStation 3 has been cracked wide open. But then again we’ve thought the same thing in the past and Sony managed to patch those exploits. The latest in the cat and mouse game is the release of the LV0 encryption codes for the PS3 console. The guys who [...]
10:01 » Hack a Day
[Travis Goodspeed] continues his work at educating the masses on how to reverse engineer closed hardware devices. This time around he’s showing us how to exploit the Device Firmware Updates protocol in order to get your hands on firmware images. It’s a relatively easy technique that uses a man-in-the-middle attack to dump the firmware image [...]
8:01 » Hack a Day
[Jenna] sent in a very cool bootloader she thought people might like. It’s called Micronucleus and it turns the lowly ATtiny 85 into a chip with a USB interface capable of being upgraded via a ‘viral’ uploader program. Micronucleus weighs in at just over 2 kB, making it one of the smallest USB-compatible bootloaders currently available. The [...]
9:01 » Hack a Day
Hard drive firmware is about the last place you want to find a bug. But that turned out to be the problem with [BBfoto's] Seagate HDD which he was using in a RAID array. It stopped working completely, and he later found out the firmware has a bug that makes the drive think it’s permanently [...]
14:35 » SecDocs
Tags: reverse engineering, embedded
Event: Chaos Communication Congress 23rd (23C3) 2006
Abstract: This lecture aims at providing ideas and practical techniques about the reverse-engineering process of equipment firmware images. It touches upon data encoding, compression, bootstraps, deciphering, disassembly, and emulation. It focuses exclusively on images susceptible to hosting an operating system of some sort. The approach taken here includes first a reminder about various data encodings for binary transfers, such as UUENCODE or Intel's HEX format. The talk goes on to further interpret the available data, whether it is a bootloader, compressed data, or a filesystem. At this stage chunks of meaningful data should be available, in which useful information should be reachable. A more in-depth investigation is then conducted, down to executable file formats or various machine-level assembly bytes. If the operating system used was not determined before this stage, the talk mentions how to extract this information and presents which ones are likely to be found, but not necessarily well-known to the general public. Finally, a few questions about cryptography are raised, and an overview of disassembly and emulation tools is given, as they may well be the easiest ways to defeat it.
14:01 » Hack a Day
[Furrteck] had a little adventure with this FM transmitter he picked up on eBay. It worked alright, but he wanted to be able to scan through the frequencies, and to have the device return to the same settings after power cycling. He cracked it open and got to work to achieve all of his goals. [...]
21:48 » SecDocs
Authors: Ralf-Philipp Weinmann
Tags: backdoor, embedded
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Want to persistently backdoor a laptop? Backdooring the BIOS is out of the question since your target can dump and diff it? Planting hardware is out of the question as well? Shhhhhhh.. I have something for you: Embedded controllers are present in every modern laptop, yet their security impact has been unresearched thus far. An embedded controller has access to the complete stream of keyboard scan codes, can control fans and the battery charging process. Backdooring the embedded controller is a powerful way to plant a persistent firmware keylogger that works in a cross-platform fashion. Since ECs usually also provide battery and temperature sensor readings through ACPI, there also exists a way to funnel out the keystroke data through a low-privilege process later. Some laptops even allow EC controller firmware updates over the LAN! I will present a PoC backdoor for a widespread series of laptops and show you how to defend yourself against this attack by dumping the EC firmware yourself.
15:22 » SecDocs
Authors: Ang Cui, Jonathan Voris
Tags: hardware hacking
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: Network printers are ubiquitous fixtures within the modern IT infrastructure. Residing within sensitive networks and lacking in security, these devices represent high-value targets that can theoretically be used not only to manipulate and exfiltrate sensitive information such as network credentials and sensitive documents, but also as fully functional general-purpose bot-nodes which give attackers a stealthy, persistent foothold inside the victim network for further reconnaissance, exploitation and exfiltration. We first present several generic firmware modification attacks against HP printers. Weaknesses within the firmware update process allow the attacker to make arbitrary modifications to the NVRAM contents of the device. The attacks we present exploit a functional vulnerability common to all HP printers, and do not depend on any specific code vulnerability. These attacks cannot be prevented by any authentication mechanism on the printer, and can be delivered over the network, either directly or through a print server (active attack) and as hidden payloads within documents (reflexive attack). In order to demonstrate these firmware modification attacks, we present a detailed description of several common HP firmware RFU (remote firmware update) formats, including the general file format, along with the compression and checksum algorithms used. Furthermore, we will release a tool (HPacker), which can unpack existing RFUs and create/pack arbitrary RFUs. This information was obtained by analysis of publicly available RFUs as well as reverse engineering the SPI BootRom contents of several printers. Next, we describe the design and operation of a sophisticated piece of malware for HP (P2050) printers.
Essentially a VxWorks rootkit, this malware is equipped with: port scanner, covert reverse-IP proxy, print-job snooper that can monitor, intercept, manipulate and exfiltrate incoming print-jobs, a live code update mechanism, and more (see presentation outline below). Lastly, we will demonstrate a self-propagation mechanism, turning this malware into a full-blown printer worm. Using HPacker, we demonstrate the injection of our malware into arbitrary P2050 RFUs, and show how similar malware can be created for other popular HP printer types. Next, we demonstrate the delivery of this modified firmware update over the network to a fully locked-down printer. Lastly, we present an accurate distribution of all HP printers vulnerable to our attack, as determined by our global embedded device vulnerability scanner (see [1]). Our scan is still incomplete, but extrapolating from available data, we estimate that there exist at least 100,000 HP printers that can be compromised through an active attack, and several million devices that can be compromised through reflexive attacks. We will present a detailed breakdown of the geographical and organizational distribution of observable vulnerable printers in the world. *We have also unpacked several engine-control processor firmwares (different from the main SoC) and are currently attempting to locate code related to tracking dots. Perhaps we will have some results by December. In any case, HPacker will help the community to do further research in this direction, possibly allowing us to spoof / disable these yellow dots of burden.
9:01 » Hack a Day
[XVortex] pulled off a pretty incredible firmware hack. He managed to get a firmware upgrade for Synology running on a QNAP machine. These are both Network Attached Storage devices, but apparently the Synology firmware is better than what QNAP supplies with their offerings. The nice thing is that this is not a one-off hack. You [...]
11:01 » Hack a Day
The Kindle Touch has been rooted! There’s a proof video embedded after the break, but the best part about this discovery is that [Yifan Lu] wrote in-depth about how he discovered and exploited a security hole in the device. The process begins by getting a dump of the firmware. If you remove the case it’s [...]
13:01 » Hack a Day
Yesterday, Korg released a firmware update to their ribbon controller synth, the Monotribe. The firmware is just an audio file that needs to be played to the sync input of the box. [gravitronic] thought this was rather interesting, so he decided to decode the monotribe firmware. It’s the first step to custom Monotribe firmware, and [...]
14:54 » Hack a Day
[Craig] is always keeping busy by deconstructing and poking around in various firmware images. This time around he has taken on the task of modifying the DD-WRT package, a popular replacement firmware for SOHO routers. While the firmware is released under the GPL, [Craig] cites that it’s pretty difficult to build from source. Instead, he [...]
14:01 » Hack a Day
Relief is here from long compile times when developing firmware for your Arduino project. [Paul] was puzzled by the fact that every file used in a sketch is fully recompiled every time you hit upload–even if that file didn’t change. To make things more confusing, this behavior isn’t consistent across all Arduino compatible hardware. The [...]
13:05 » Hack a Day
[Florin] picked up a cheap multimeter in order to make multiple measurements at one time. Unfortunately, he wasn’t very good at remembering to turn it off when he was finished so he burned through some batteries. Why an auto-off feature wasn’t the first thing coded into the firmware we’ll never know, but [Florin] developed his [...]
5:58 » Hack a Day
When you think about hacking laptops, it’s highly unlikely that you would ever consider the battery as a viable attack vector. Security researcher [Charlie Miller] however, has been hard at work showing just how big a vulnerability they can be. As we have been discussing recently, the care and feeding of many batteries, big and [...]
14:01 » Hack a Day
When we first covered [Markus]' portable SID player we started dreaming about an alternative universe circa 1987 that included a pocket-sized music player called the Commodore ePod. [Markus]' updated firmware that connects his SID player to a PC will have to do for now, we suppose. The new firmware boots the Portable SID player as either a [...]
7:23 » Packet Storm Security Recent Files
Whitepaper called Digging Inside VxWorks OS and Firmware - Holistic Security. VxWorks is one of the most widely accepted embedded OSes. In this paper, they have conducted a detailed study of the VxWorks OS security model and firmware in order to understand the potential impact of security vulnerabilities and weaknesses.
7:01 » Hack a Day
[Adam Outler] has been pretty heavy into mobile device hacking lately. The biggest problem with that field is recovering from bad flashes or development firmware glitches. In many cases you can use a JTAG programmer to reflash stock firmware to resurrect a handset. Unfortunately you'll be hard pressed to find a phone that comes with [...]
12:01 » Hack a Day
After about six weeks of testing [Yifanlu] has released a stable version of the Kindle 3 firmware for use with Kindle 2 hardware. Everything seems to be working just fine with the patched firmware. We immediately jumped to the conclusion that the upgrade must run pretty slow on the older hardware. [Yifanlu] addresses that assumption [...]
8:00 » Hack a Day
While not necessarily an easy thing to learn, the ability to reverse engineer embedded device firmware is an incredibly useful skill. Reverse engineering firmware allows you to analyze a device for bugs and vulnerabilities, as well as gives you the opportunity to add features if you happen to be so inclined. When it comes to [...]
9:09 » Hack a Day
[Travis Goodspeed] recently tore down the Freescale MC13224 wireless radio chip in an effort to demonstrate how the device’s firmware could be read, even when locked down in “secure” mode. While you might not recognize the Freescale MC13224 radio by name alone, you are certainly familiar with some of its practical applications. Found in the [...]
15:00 » Hack a Day
Here’s a guide for recovering protection passwords from ATA hard drives (translated). These passwords are stored in a special area of the hard disk that also contains the firmware for the device. Normally you can’t get at them but [Supersonic] walks us through a method used to grab the data off of a Western Digital [...]
13:05 » Hack a Day
There are so many good things about [Jose Julio's] robotic spider. Its design is dainty yet robust, and the behaviors encoded in the firmware are nothing short of spectacular. The body is built from a piece of balsa wood in between sheets of carbon fiber. The legs are carbon rods, using two servo motors for [...]
4:20 » Packet Storm Security Recent Files
ProxBrute is a custom firmware written for the proxmark3. It extends the currently available firmware (revision 465) to support brute force attacks against proximity card access control systems. This version of ProxBrute requires the knowledge of a [once] valid tag value to vertically or horizontally escalate the tag's privileges.
10:00 » Hack a Day
[Steven Troughton-Smith] figured out how to push signed firmware through to the iPod Nano 6g. This is accomplished by modifying iRecovery to recognize the device on the USB after forcing a recovery mode reboot. So no, this doesn’t mean that it has been cracked since it checks the firmware you push and reboots if it’s not approved. [...]
15:00 » Hack a Day
We love hacks that take quality products and make them better. This enhanced firmware for the VCI-100 is a great example of that. In a similar fashion to the Behringer hack, [DaveX] reverse engineered the firmware for the device and figured out a few ways to make it better. It improves the scratch controller and slider [...]
11:00 » Hack a Day
A new project called the Unofficial Behringer Control Development Kit lets you tweak or completely replace the firmware on the popular devices. The proof of concept demo shows a custom message scrolling on the 4-character 7-segment display, but what you can do with the device is limited only by how well you can code for the [...]
9:00 » Hack a Day
That is a blurry image of a Barnes & Noble Nook eReader stuck in an infinite reboot loop. This is the result of trying to downgrade the firmware to 1.0 in preparation to soft-root the device. So after a few failures the device will recover itself, right? It doesn’t look that way. No problem, don’t you [...]
13:43 » remote-exploit & backtrack
Never had any problems until today... (always used a non-updated bt4 on a USB stick... today instead I did the full HD install and ran apt-get update && apt-get upgrade.... just for the record...)
Once everything finished I rebooted and noticed that during boot the firmware for the Intel ipw2200 is not loaded :(
Any ideas?!?!? (what info do you need? the card works in WinXP... so...)
16:00 » Hack a Day
Here’s a pretty simple hack to enable playback from a USB drive on LG televisions. It only works on European hardware, the LH, LF, and some LU models. The hack consists of downgrading the firmware to version 3.15, then navigating through some service menus.
It’s not quite as hardcore as the Samsung firmware hacking, but the [...]
11:09 » Hack a Day
[Erdem] sent us an update on his work with the SamyGO project. You may remember this Samsung TV firmware hacking initiative from our post back in October. Since then many more TV models have been added to the compatible list. They have also worked out a way to defeat the AES encryption and RSA signature [...]
14:00 » Packet Storm Security Tools
EFIPW is a tool that can be used to decode and modify Apple EFI firmware passwords via the command line. It is designed after the non open source OFPW utility and is designed to work on Intel machines running Leopard or newer. Useful for lab deployments (setting the firmware password of machines as a post install item) and pen tests (recovering the EFI firmware password).