Some painters came over to give my house a new coat of paint for the new year, and in the process wrecked my vintage bathroom mirror. We have what’s called a tilting mirror or pivot mirror in the bathroom area, which we have been using for at least 50 years in the household. We adjust the mirror tilt every day for decades and it has never broke. This style of mirror is quite uncommon these days, perhaps because it has gone out of fashion.
Looking at the damage, it was clear they forcefully tried to remove the nuts securing the mirror and it just snapped off. The other bracket on the opposite side broke off too, but at a different location. I’m no metallurgist but it looks like the part was made from cast iron or something, and therefore quite brittle. For years now I didn’t dare to dismantle the mirror for exactly this reason: the thumbnut loosens up till a certain point then refuse to go further, which is also why I left it in place. I have already removed everything I could for them - toothbrush holders, any hanging towels and racks. Anything else still left on the wall is obviously not removable, or I would have done so already. But these fuckers took it upon themselves to try to remove the mirror when I left them alone for an hour. To say I was very pissed is an understatement.
When they told me they broke the mirror, I thought they had shattered the mirror glass. I was at least a little hopeful when I saw they had placed the mirror under the sink. Still, I was at a loss of how to fix the mirror, until the idea of leveraging 3D printing hit me days later. I’ve known about it since the MakerBot days (and it was a hot topic at maker faires) but since I don’t have a 3D printer or easy access to one, it was just something I didn’t care too much about.
What is in its place now is a piece of IKEA BLODLÖNN, which I have used 3M Command strips to temporarily hold in place, while I tried to learn enough FreeCAD to design a replacement bracket. Buying IKEA was the cheapest option, and I had an inkling that learning FreeCAD from scratch was going to be a steep learning curve, so we needed something to use in the meantime (we kept looking up but finding ourselves staring at a blank wall). You can see the metal supports arms for the tilting mirror are left intact on the wall, but now painted white1.
Follow me as I detail how difficult it is for someone with zero experience like myself to learn FreeCAD, which hopefully inspires you not to give up, and the final results of my journey.
The advantage of Zigbee devices is that they are very low power, and they communicate in a wireless mesh network. The sensors are small and can work off a CR2032 coin cell for at least 2 years, maybe more. Depending on the type of sensor, they cost around US$10 and are readily available from various manufacturers, such as Xiaomi, Aqara (pictured below) or IKEA under their TRÅDFRI range of products.
You typically pair these sensors with a Zigbee gateway, which speaks the IEEE 802.15.4 protocol and relays the information (e.g. sensor readings) to either your mobile app or stores it in the cloud (or the gateway itself). But as you can imagine, a Raspberry Pi with the right adapter can do this job and offer more flexibility.
I was looking at trying to securely implement a door access control system. This usually involves some kind of card that you tap at a reader and the door unlocks.
Because it uses NFC, the NFC reader and electronics can be located safely on the inside, leaving no exposed DIY electronics on the outside for attackers to fiddle around with. Here’s an example project using a 3D-printed enclosure:
A lot of those DIY projects work, but they are just not secure:
Just look at the code and you will see what I mean. They generally look like this:
uint32_tuid=nfc.readCardId();// read the card's unique ID
if(uid==0xAAAAAAAA||uid==0xBBBBBBBB||...){unlock();// YES!!
}
Unfortunately, consumer smart locks like a Yale or Samsung do pretty much the same thing, without hard-coding UIDs of course. When you enroll cards, the door lock will simply record the UID and will unlock when you present a card (or tag) with that UID. MIFARE Classic cards are commonly used for this purpose because they are very inexpensive. They are factory-programmed with a unique identifier stored in sector 0, which is read-only.
Written by Darell Tan on 10 Aug 2020Share Comments
As I have mentioned in the review, the stock firmware on the Xiaomi AX3600 wireless router is extremely limiting. On top of that, the firmware is also locked to install only authorized updates from the manufacturer. If you have been following the blog, you will know that I like the flexibility that ASUSWRT provides for customizing my router.
While there is currently an on-going effort to try and port vanilla OpenWRT for this router, I suspect that might take some time. In this post, I describe how to workaround the lousy firmware and configure the router with the advanced features I need.
Router Disassembly
It is recommended to have UART access handy, in case something bad happens and you need to recover your router, or if you want access to U-Boot, the bootloader. This would require you to crack open your router, so you might only want to do this if necessary. Feel free to skip this section if you are not interested in the hardware, or don’t need low-level access.
You need to unscrew 5 screws, 4 of which are hidden under the rubber feet, and one under the center sticker label. In the disassembled top view photo here, you can see the screw holes at the corners, as well as a missing chunk in the center of the heatsink for the mating screw post, directly aligned with the AIoT antenna and indicator LEDs.
Written by Darell Tan on 13 Jul 2020Share Comments
I recently bought the Xiaomi AIoT AX3600 wireless router to experience WiFi 6 (or 802.11ax). This WiFi 6 router has been touted as having very good hardware specs for under US$100. After checking out a few reviews, it looked like you could achieve close to Gigabit speeds over a wireless link, which was pretty exciting. It reminded me of the time I upgraded my home network to Gigabit and could finally copy large files over the network quickly. I decided to get my hands on one and evaluate it with some speed tests around the house.
I don’t have any compatible WiFi 6 devices yet, so I ordered an Intel AX200NGW wireless card to replace the one in my laptop. These cards typically go for US$15 on AliExpress or eBay.
Written by Darell Tan on 22 May 2020Share Comments
It is easy to script analysis steps with IDAPython, but now we want to automate this analysis over, let’s say, 10,000 files. I did a quick Google and I couldn’t find a guide on how to perform batch binary analysis tasks by automating IDA Pro 7.x.
Unfamiliar with this, I was constantly guessing whether it was the command-line arguments, the script, or a combination of both that was not working. I’m sharing my experince here so you won’t have to be fumbling around like I was.
I will be using IDA Pro for Windows here, but it should be applicable to any of their supported platforms like Mac or Linux.
Simple Binary Analysis
Let’s write some simple IDAPython analysis script and run it within the IDA Pro console. This script loops through all functions in the executable and prints out its address and name:
The idautils module contains higher-level functionality like getting a list of functions, or finding code & data references to addresses. If you are familiar with IDC scripting, most of the functions by the same name can be found within the idc module. This is not really meant to be an IDAPython or IDC scripting tutorial, so you will need to look elsewhere for that.
Written by Darell Tan on 30 Sep 2019Share Comments
I’ve recently seen some shell script that tries to test for your OS architecture by running executables encoded within. There’s one for i386 (x86 platforms) and a few for ARM variants.
For one, I’m not sure why inspecting /proc/cpuinfo or uname -a is not really sufficient for their needs. And also, why such large binaries are required.
After all, what you want to do is just to check that it executes successfully. Were they trying to test for the presence of a working libc? Nope, because the binaries are statically-linked:
Now, I am not talking about crazy techniques like using assembly language instead of C, or making a weird ELF that might load only on Linux, but just using normal C and the standard gcc and binutils.
collectd has always been able to grab interface traffic statistics from Linux. But what if we want to collect data about individual WiFi clients that connect to it? How much bandwidth is each of the clients using?
That information is already being recorded by the wireless driver; all we need to do is to query it. Turns out you can do that with the wl utility. This is Broadcom’s proprietary tool to control and query the wireless interfaces.
To do this, first use wl to get associated stations:
wl -i eth2 assoclist
Given a particular MAC address that is associated to the AP, query its info using sta_info:
# wl -i eth2 sta_info d4:a3:00:aa:bb:cc
STA d4:a3:00:aa:bb:cc:
aid:2
rateset [ 6 9 12 18 24 36 48 54 ]
idle 0 seconds
in network 16 seconds
state: AUTHENTICATED ASSOCIATED AUTHORIZED
flags 0x11e03b: BRCM WME N_CAP VHT_CAP AMPDU AMSDU
HT caps 0x6f: LDPC 40MHz SGI20 SGI40
VHT caps 0x43: LDPC SGI80 SU-BFE
tx data pkts: 663916
tx data bytes: 68730715
tx ucast pkts: 155
tx ucast bytes: 42699
tx mcast/bcast pkts: 663761
tx mcast/bcast bytes: 68688016
tx failures: 0
rx data pkts: 234
rx data bytes: 73557
rx ucast pkts: 192
rx ucast bytes: 62971
rx mcast/bcast pkts: 42
rx mcast/bcast bytes: 10586
rate of last tx pkt: 866667 kbps
rate of last rx pkt: 780000 kbps
rx decrypt succeeds: 195
rx decrypt failures: 1
tx data pkts retried: 19
tx data pkts retry exhausted: 0
per antenna rssi of last rx data frame: -61 -56 -59 0
per antenna average rssi of rx data frames: -61 -56 -57 0
per antenna noise floor: -104 -98 -98 0
The “easy way” is probably to write a shell script, invoked via the Exec plugin that calls wl multiple times (once per interface, and once for each WiFi client) and uses grep or awk to get the information we need. This won’t be performant, of course.
wl itself does have quite a fair bit of overhead. It does some verification of the provided interface name. It checks for the Broadcom driver magic to ensure that the interface is a Broadcom device. It then needs to convert the MAC address from the argument string to binary, and vice-versa. Sure, that’s not really much “these days”, but we can definitely do better.
Instead, let’s short-circuit the process and write a plugin that directly collects the data, without going through wl. This way, we avoid creating several new processes for every query.
Written by Darell Tan on 14 May 2019Share Comments
If you haven’t heard, Firefox Send is a service that solves the problem of sending large attachments without going through email. It does this in a privacy-preserving manner by encrypting the file in your browser first, before upload.
The concept is simple:
An encryption key is generated in your browser
Your file is encrypted with that key before being uploaded to the server.
The download URL is returned by the server, but will only work after the browser appends the secret key to the URL fragment.
Note that URL fragments are never sent to the server. They are often used for page anchors, and sometimes to keep track of local state in SPA.
This has been made possible through the use of Web Crypto API exposed via JavaScript.
A master key is first generated and from it, a few keys are derived using HKDF SHA-256. The derived key length depends on its purpose, so for AES-128 encryption, the key will be 128-bit. Oddly though, the Subtle Crypto API returns a a 512-bit key for HMAC SHA-256, which had me stumped for a while. I wrote some code that you can try out online.
Because HKDF is based on a hash algorithm, derived keys are inherently not reversible to obtain the master key from which they were derived (unless the algorithm itself is somehow broken).
3 keys are derived from the master key:
Data Encryption key. Used to encrypt the actual file contents.
Authentication key. Given to the service and used to authenticate future downloaders.
Metadata key. Used to encrypt the upload manifest (filename and size information) for display.
Continuing my PoE series, I bought the ONV PD3401G, an active PoE splitter that is capable of extracting up to 60 W (24 V @ 2.5 A) from the PSE. It is housed in a small aluminum extruded case that can be DIN rail mounted. This splitter is comparatively low-cost, about US$35, and more importantly, is capable of passing through Gigabit.
ONV seems to be quite a reputable company, so I believe their products shouldn’t be too badly designed. This unit can also be easily purchased on Aliexpress without having to go through some obscure distributor.
Internally it uses the LT4275A (marking LTGBT) for PD interfacing. The A variant of this chip supports up to 90 W of power. On the power supply side, it uses a NCP1034 synchronous buck converter. The NCP1034 is capable of handling up to 100 V, which is more than sufficient for PoE.
Looking inside, the in/out Ethernet ports are connected via a transformer, in order extract power from the center taps of each pair. We can see that the PCB traces for the input port pairs are thicker to carry the higher currents. Large beefy diodes form rectifier bridges for the data pairs.
Surrounding the input port on the underside, there are a lot of unpopulated components; those were supposed to offer input protection, probably using some TVS of some kind. these are marked RD1 ~ RD8, one for each Ethernet wire.
