From China, With Love – /dev/ttyS0

Lest anyone think that D-Link is the only vendor who puts backdoors in their products, here’s one that can be exploited with a single UDP packet, courtesy of Tenda. After extracting the latest firmware for Tenda’s W302R wireless router, I started looking at /bin/httpd, which turned out to be the… Continue reading

Some IDA Plugins – /dev/ttyS0

I’ve posted a few of my IDA plugins on github. Though simple, I’ve found their functionality quite useful when reversing firmware and RISC architectures: Defining ASCII strings not defined during IDA’s auto analysis Defining undefined bytes in the data segment as DWORDs (allowing IDA to resolve function/jump table pointers, etc)… Continue reading

Encryption vs Compression, Part 2 – /dev/ttyS0

I’ve recently been examining the feasibility of differentiating compressed data from encrypted data based on variations in the entropy of the data. Initial results showed some promise, but were tested against too small of a sample set to draw any hard conclusions. Since then, I’ve been experimenting with larger data… Continue reading

Differentiate Encryption From Compression Using Math – /dev/ttyS0

When working with binary blobs such as firmware images, you’ll eventually encounter unknown data. Particularly with regards to firmware, unknown data is usually either compressed or encrypted. Analysis of these two types of data is typically approached in very different manners, so it is useful to be able to distinguish… Continue reading

IDAScript For Linux and OSX – /dev/ttyS0

Being able to run IDA scripts from the command line is very useful, but can be a bit kludgy. Fortunately, idascript was written to simplify this process. Unfortunately (for me), it was written for Windows. Since I work primarily in a Linux environment, I re-wrote the idascript utility in Python…. Continue reading

Jailbreaking the NeoTV – /dev/ttyS0

Today we’ll be jailbreaking the Netgear NTV300 set top box…with a TV remote. The Netgear NeoTV 300 Negear’s NeoTV set top boxes are designed to compete with the popular Roku, and can stream video from all the usual sources (Netflix, HuluPlus, Youtube, etc). The NTV300 is one of the least… Continue reading

Exploiting a MIPS Stack Overflow – /dev/ttyS0

Although D-Link’s CAPTCHA login feature has a history of implementation flaws and has been proven to not protect against the threat it was intended to thwart, they continue to keep this feature in their products. Today we’ll be looking at the CAPTCHA implementation in the D-Link DIR-605L, which is a… Continue reading

Hacking the Linksys WMB54G – /dev/ttyS0

Today we’re going to take a look at an interesting little device, the Linksys WMB54G wireless music bridge. WMB54G This is a pretty specialized device, so it’s likely a fairly minimalistic system. Even the administrative interface is small and simple: WMB54G Administrative Interface The Linksys support page doesn’t have any… Continue reading

Emulating NVRAM in Qemu – /dev/ttyS0

Being able to emulate embedded applications in Qemu is incredibly useful, but not without pitfalls. Probably the most common issue that I’ve run into are binaries that try to read configuration data from NVRAM; since the binary is running in Qemu and not on the target device, there is obviously… Continue reading

Qemu vs sstrip – /dev/ttyS0

Qemu usually does a great job emulating embedded Linux applications, but as with anything you will occasionally run into bugs. While attempting to debug an embedded application in Qemu the other day, I ran into the following error: eve@eve:~/firmware$ sudo chroot . ./qemu-mips bin/ls bin/ls: Invalid ELF image for this… Continue reading