Re-enabling JTAG and Debugging the WRT120N – /dev/ttyS0

After de-obfuscating the WRT120N’s firmware, I started taking a closer look at the code, which runs the now-defunct SuperTask! RTOS. Thanks in no small part to copious debug strings littered throughout the code and some leaked Atheros datasheets, I made good progress in statically disassembling the code. The next step…

Reversing the WRT120N’s Firmware Obfuscation – /dev/ttyS0

It was recently brought to my attention that the firmware updates for the Linksys WRT120N were employing some unknown obfuscation. I thought this sounded interesting and decided to take a look. The latest firmware update for the WRT120N didn’t give me much to work with: [image: Binwalk firmware update analysis] As…

From China, With Love – /dev/ttyS0

Lest anyone think that D-Link is the only vendor who puts backdoors in their products, here’s one that can be exploited with a single UDP packet, courtesy of Tenda. After extracting the latest firmware for Tenda’s W302R wireless router, I started looking at /bin/httpd, which turned out to be the…

Reverse Engineering a D-Link Backdoor – /dev/ttyS0

All right. It’s Saturday night, I have no date, a two-liter bottle of Shasta and my all-Rush mix-tape…let’s hack. On a whim I downloaded firmware v1.13 for the DIR-100 revA. Binwalk quickly found and extracted a SquashFS file system, and soon I had the firmware’s web server (/bin/webs) loaded into…

Differentiate Encryption From Compression Using Math – /dev/ttyS0

When working with binary blobs such as firmware images, you’ll eventually encounter unknown data. Particularly with regards to firmware, unknown data is usually either compressed or encrypted. Analysis of these two types of data is typically approached in very different manners, so it is useful to be able to distinguish…
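One way to put numbers behind that distinction is to look at the byte histogram of the blob: Shannon entropy separates plaintext and sparse data from anything compressed or encrypted, and a chi-square test against a uniform distribution (the same statistic the `ent` tool reports) is one heuristic for telling compressed from encrypted, since entropy coders tend to leave measurable biases while a decent cipher does not. The script below is an added example written for this page; it is not the post’s own code, the `classify()` thresholds (7.0 bits entropy floor, chi-square ceiling of 400) are assumptions chosen for illustration, and the sample inputs (seeded pseudo-random bytes standing in for ciphertext, repetitive ASCII text, and that text compressed with zlib) are constructed inside the script so it runs offline.

```python
"""Byte-statistics heuristics for telling compressed from encrypted data.

Added example for the teaser above; this is not code from the /dev/ttyS0
post, and the thresholds in classify() are this example's own assumptions.
All sample inputs are constructed in build_samples() so the script runs
offline with no firmware image.
"""
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square of the byte histogram against a uniform distribution.

    With 255 degrees of freedom, uniformly random bytes score about
    255 +/- 23; plaintext scores in the thousands; compressed data often
    sits in between because entropy coders leave small biases behind.
    """
    if not data:
        return 0.0
    expected = len(data) / 256.0
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def blockwise_chi_square(data: bytes, block_size: int = 4096) -> list:
    """Chi-square per fixed-size block; only full blocks are scored."""
    full = len(data) - len(data) % block_size
    return [chi_square(data[i:i + block_size]) for i in range(0, full, block_size)]


def classify(data: bytes, block_size: int = 4096,
             entropy_floor: float = 7.0, chi_ceiling: float = 400.0) -> str:
    """Coarse label for an unknown blob (heuristic thresholds assumed here):

    'low-entropy' -> plaintext, code or sparse data: neither compressed nor encrypted
    'encrypted?'  -> high entropy and every block's chi-square stays near 255
    'compressed?' -> high entropy but at least one block deviates strongly
    """
    if shannon_entropy(data) < entropy_floor:
        return "low-entropy"
    scores = blockwise_chi_square(data, block_size) or [chi_square(data)]
    return "encrypted?" if max(scores) < chi_ceiling else "compressed?"


def build_samples(seed: int = 1337, size: int = 65536) -> dict:
    """Constructed inputs: seeded pseudo-random bytes standing in for
    ciphertext, repetitive ASCII text, and that text compressed with zlib."""
    rng = random.Random(seed)
    random_bytes = bytes(rng.getrandbits(8) for _ in range(size))
    words = ["firmware", "router", "kernel", "squashfs", "binwalk", "serial",
             "jtag", "u-boot", "mips", "debug", "flash", "bootloader", "httpd"]
    text = " ".join(rng.choice(words) for _ in range(size // 4)).encode()
    return {"random": random_bytes, "text": text,
            "compressed": zlib.compress(text, 9)}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:10s} {len(blob):7d} bytes  entropy={shannon_entropy(blob):.3f}"
              f"  chi2={chi_square(blob):9.1f}  -> {classify(blob)}")
```

The blockwise scan matters more than the whole-file number: a firmware image is usually a concatenation of regions (bootloader, kernel, file system, padding), so scoring fixed-size windows shows where the statistics change rather than averaging everything into one value. Treat the labels as a hint for which analysis path to try first, not as proof; a compressor with a good final entropy-coding stage can look very close to uniform, and the surest answer still comes from finding a recognizable header or the decompression/decryption routine in the code that consumes the blob.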

Reverse Engineering Serial Ports – /dev/ttyS0

Given the name of this blog and the number of requests that I’ve had, I think it’s high time we discussed serial ports; specifically, serial ports in embedded systems. My goal here is to describe the techniques that I’ve found effective in identifying and reverse engineering embedded serial ports through…

Jailbreaking the NeoTV – /dev/ttyS0

Today we’ll be jailbreaking the Netgear NTV300 set top box…with a TV remote. [image: The Netgear NeoTV 300] Netgear’s NeoTV set top boxes are designed to compete with the popular Roku, and can stream video from all the usual sources (Netflix, HuluPlus, Youtube, etc). The NTV300 is one of the least…

Exploiting a MIPS Stack Overflow – /dev/ttyS0

Although D-Link’s CAPTCHA login feature has a history of implementation flaws and has been proven to not protect against the threat it was intended to thwart, they continue to keep this feature in their products. Today we’ll be looking at the CAPTCHA implementation in the D-Link DIR-605L, which is a…

Hacking the Linksys WMB54G – /dev/ttyS0

Today we’re going to take a look at an interesting little device, the Linksys WMB54G wireless music bridge. [image: WMB54G] This is a pretty specialized device, so it’s likely a fairly minimalistic system. Even the administrative interface is small and simple: [image: WMB54G Administrative Interface] The Linksys support page doesn’t have any…