https://irq5-7854a1fdb9f4.pages.dev/Recent content on irq5 testen-usMon, 01 Jan 2024 00:00:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2024/01/fixing-my-vintage-mirror-with-3d-printing/Mon, 01 Jan 2024 00:00:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2024/01/fixing-my-vintage-mirror-with-3d-printing/<p>Some painters came over to give my house a new coat of paint for the new year, and in the process wrecked my vintage bathroom mirror. We have what&rsquo;s called a <em>tilting mirror</em> or <em>pivot mirror</em> in the bathroom area, which we have been using for at least 50 years in the household. We adjust the mirror tilt every day for decades and it has never broke. This style of mirror is quite uncommon these days, perhaps because it has gone out of fashion.</p><p><picture><source srcset=/posts/2024/img/bracket_1304.jpg.webp type=image/webp><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2024/img/bracket_1304.jpg alt="broken mirror bracket, snapped off at the screw portion with the thumbnut still attached" width=1280 height=853></picture></p><p>Looking at the damage, it was clear they forcefully tried to remove the nuts securing the mirror and it just snapped off. The other bracket on the opposite side broke off too, but at a different location. I&rsquo;m no metallurgist but it looks like the part was made from cast iron or something, and therefore quite brittle. For years now I didn&rsquo;t dare to dismantle the mirror for exactly this reason: the thumbnut loosens up till a certain point then refuse to go further, which is also why I left it in place. I have already removed everything I could for them - toothbrush holders, any hanging towels and racks. Anything else still left on the wall is obviously not removable, or I would have done so already. <strong>But these fuckers took it upon themselves to try to remove the mirror when I left them alone for an hour. To say I was very pissed is an understatement.</strong></p><p>When they told me they broke the mirror, I thought they had shattered the mirror glass. I was at least a little hopeful when I saw they had placed the mirror under the sink. Still, I was at a loss of how to fix the mirror, until the idea of leveraging 3D printing hit me days later. I&rsquo;ve known about it since the MakerBot days (and it was a hot topic at <a href=https://irq5-7854a1fdb9f4.pages.dev/tag/makerfaire/ rel=noopener>maker faires</a>) but since I don&rsquo;t have a 3D printer or easy access to one, it was just something I didn&rsquo;t care too much about.</p><p>What is in its place now is a piece of IKEA BLODLÖNN, which I have used 3M Command strips to temporarily hold in place, while I tried to learn enough FreeCAD to design a replacement bracket. Buying IKEA was the cheapest option, and I had an inkling that learning FreeCAD from scratch was going to be a steep learning curve, so we needed something to use in the meantime (we kept looking up but finding ourselves staring at a blank wall). You can see the metal supports arms for the tilting mirror are left intact on the wall, but now painted white<sup id=fnref:1><a href=#fn:1 class=footnote-ref role=doc-noteref>1</a></sup>.</p><p><picture><source srcset=/posts/2024/img/blodlonn_1318.jpg.webp type=image/webp><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2024/img/blodlonn_1318.jpg alt="white wall with a piece of BLODLÖNN mirror, flanked by metal support arms for the old mirror" width=1280 height=853></picture></p><p>Follow me as I detail how difficult it is for someone with zero experience like myself to learn FreeCAD, which hopefully inspires you not to give up, and the final results of my journey.</p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2024/01/fixing-my-vintage-mirror-with-3d-printing/#more">Continue reading…</a></p>https://irq5-7854a1fdb9f4.pages.dev/2022/01/setting-up-a-zigbee-sensor-network/Tue, 04 Jan 2022 23:52:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2022/01/setting-up-a-zigbee-sensor-network/<p>The advantage of Zigbee devices is that they are very low power, and they communicate in a wireless mesh network. The sensors are small and can work off a CR2032 coin cell for at least 2 years, maybe more. Depending on the type of sensor, they cost around US$10 and are readily available from various manufacturers, such as Xiaomi, Aqara (pictured below) or IKEA under their TRÅDFRI range of products.</p><p>You typically pair these sensors with a <em>Zigbee gateway</em>, which speaks the IEEE 802.15.4 protocol and relays the information (e.g. sensor readings) to either your mobile app or stores it in the cloud (or the gateway itself). But as you can imagine, a Raspberry Pi with the right adapter can do this job and offer more flexibility.</p><p><picture><source srcset=/posts/2022/img/zigbee-apu4-0888.jpg.webp type=image/webp><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2022/img/zigbee-apu4-0888.jpg alt width=1280 height=853></picture></p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2022/01/setting-up-a-zigbee-sensor-network/#more">Continue reading…</a></p>https://irq5-7854a1fdb9f4.pages.dev/2021/07/using-u2f-for-door-access-control-systems/Fri, 02 Jul 2021 00:00:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2021/07/using-u2f-for-door-access-control-systems/<p>I was looking at trying to <em>securely</em> implement a door access control system. This usually involves some kind of card that you tap at a reader and the door unlocks.</p><p>Because it uses NFC, the NFC reader and electronics can be located safely on the inside, leaving no exposed DIY electronics on the outside for attackers to fiddle around with. Here&rsquo;s an example project using a 3D-printed enclosure:</p><p><picture><source srcset=/posts/2021/img/nfc-lock-qtechknow-FFOTW1TI7L6T5HL.jpg.webp type=image/webp><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2021/img/nfc-lock-qtechknow-FFOTW1TI7L6T5HL.jpg alt="photo of a DIY NFC door lock found on Instructables.com, with all the electronics & parts on the interior side of the door" width=1620 height=1080></picture></p><p>A lot of those DIY projects <em>work</em>, but they are just not secure:</p><ul><li><a href=http://www.instructables.com/NFC-Door-Lock-with-the-Qduino-Mini-under-100/ rel=noopener target=_blank class=external>NFC Door Lock With the Qduino Mini &ndash; Instructables.com</a></li><li><a href=http://keyduino.forumsactifs.com/t4-nfc-drawer-lock rel=noopener target=_blank class=external>NFC drawer lock</a></li><li><a href=https://www.makeuseof.com/tag/diy-smart-lock-arduino-rfid/ rel=noopener target=_blank class=external>DIY Smart Lock with Arduino and RFID</a></li></ul><p>Just look at the code and you will see what I mean. They generally look like this:</p><div class=highlight role=region aria-label="code block" translate=no><pre tabindex=0 class=chroma><code class=language-c data-lang=c><span class=line><span class=cl><span class=kt>uint32_t</span> <span class=n>uid</span> <span class=o>=</span> <span class=n>nfc</span><span class=p>.</span><span class=n>readCardId</span><span class=p>();</span> <span class=c1 translate>// read the card&#39;s unique ID </span></span></span><span class=line><span class=cl><span class=c1 translate></span><span class=k>if</span> <span class=p>(</span><span class=n>uid</span> <span class=o>==</span> <span class=mh>0xAAAAAAAA</span> <span class=o>||</span> <span class=n>uid</span> <span class=o>==</span> <span class=mh>0xBBBBBBBB</span> <span class=o>||</span> <span class=p>...)</span> <span class=p>{</span> </span></span><span class=line><span class=cl> <span class=n>unlock</span><span class=p>();</span> <span class=c1 translate>// YES!! </span></span></span><span class=line><span class=cl><span class=c1 translate></span><span class=p>}</span></span></span></code></pre></div><p>Unfortunately, consumer smart locks like a Yale or Samsung do pretty much the same thing, without hard-coding UIDs of course. When you enroll cards, the door lock will simply record the UID and will unlock when you present a card (or tag) with that UID. <a href=https://learn.adafruit.com/adafruit-pn532-rfid-nfc/mifare rel=noopener target=_blank class=external>MIFARE Classic cards</a> are commonly used for this purpose because they are very inexpensive. They are factory-programmed with a unique identifier stored in sector 0, which is read-only.</p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2021/07/using-u2f-for-door-access-control-systems/#more">Continue reading…</a></p>https://irq5-7854a1fdb9f4.pages.dev/2020/08/custom-firmware-for-the-xiaomi-ax3600-wireless-router/Mon, 10 Aug 2020 23:53:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2020/08/custom-firmware-for-the-xiaomi-ax3600-wireless-router/<p>As I have <a href=https://irq5-7854a1fdb9f4.pages.dev/2020/07/xiaomi-aiot-wireless-router-ax3600-review/ rel=noopener>mentioned in the review</a>, the stock firmware on the <strong>Xiaomi AX3600 wireless router</strong> is extremely limiting. On top of that, the firmware is also locked to install only authorized updates from the manufacturer. If you have been following the blog, you will know that I like <a href=https://irq5-7854a1fdb9f4.pages.dev/tag/asuswrt/ rel=noopener>the flexibility that ASUSWRT provides</a> for customizing my router.</p><p>While there is currently an on-going effort to try and port vanilla OpenWRT for this router, I suspect that might take some time. In this post, I describe how to workaround the lousy firmware and configure the router with the advanced features I need.</p><h1 id=router-disassembly>Router Disassembly</h1><p>It is recommended to have UART access handy, in case something bad happens and you need to recover your router, or if you want access to U-Boot, the bootloader. This would require you to crack open your router, so you might only want to do this if necessary. <strong>Feel free to skip this section if you are not interested in the hardware, or don&rsquo;t need low-level access.</strong></p><p><picture><source srcset=/posts/2020/img/50192590117_c462cfd63a_7171.jpg.webp type=image/webp><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2020/img/50192590117_c462cfd63a_7171.jpg alt="router top view, with cover opened" width=1023 height=682></picture></p><p>You need to unscrew 5 screws, 4 of which are hidden under the rubber feet, and one under the center sticker label. In the disassembled top view photo here, you can see the screw holes at the corners, as well as a missing chunk in the center of the heatsink for the mating screw post, directly aligned with the AIoT antenna and indicator LEDs.</p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2020/08/custom-firmware-for-the-xiaomi-ax3600-wireless-router/#more">Continue reading…</a></p>https://irq5-7854a1fdb9f4.pages.dev/2020/07/xiaomi-aiot-wireless-router-ax3600-review/Mon, 13 Jul 2020 00:00:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2020/07/xiaomi-aiot-wireless-router-ax3600-review/<p>I recently bought the <strong>Xiaomi AIoT AX3600 wireless router</strong> to experience WiFi 6 (or 802.11ax). This WiFi 6 router has been touted as having very good hardware specs for under US$100. After checking out a few reviews, it looked like you could achieve close to Gigabit speeds over a wireless link, which was pretty exciting. It reminded me of the time I upgraded my home network to Gigabit and could finally copy large files over the network quickly. I decided to get my hands on one and evaluate it with some speed tests around the house.</p><p><picture><source srcset=/posts/2020/img/ax3600-router.jpg.webp type=image/webp><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2020/img/ax3600-router.jpg alt="the Xiaomi AX3600 wireless router" width=1280 height=853></picture></p><p>I don&rsquo;t have any compatible WiFi 6 devices yet, so I ordered an Intel AX200NGW wireless card to replace the one in my laptop. These cards typically go for US$15 on AliExpress or eBay.</p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2020/07/xiaomi-aiot-wireless-router-ax3600-review/#more">Continue reading…</a></p>https://irq5-7854a1fdb9f4.pages.dev/2020/05/batch-binary-analysis-with-ida-pro-7.4-automation/Fri, 22 May 2020 00:00:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2020/05/batch-binary-analysis-with-ida-pro-7.4-automation/<p>It is easy to script analysis steps with IDAPython, but now we want to automate this analysis over, let&rsquo;s say, 10,000 files. I did a quick Google and I couldn&rsquo;t find a guide on how to perform batch binary analysis tasks by automating IDA Pro 7.x.</p><p>Unfamiliar with this, I was constantly guessing whether it was the command-line arguments, the script, or a combination of both that was not working. I&rsquo;m sharing my experince here so you won&rsquo;t have to be fumbling around like I was.</p><p>I will be using IDA Pro for Windows here, but it should be applicable to any of their supported platforms like Mac or Linux.</p><h1 id=simple-binary-analysis>Simple Binary Analysis</h1><p>Let&rsquo;s write some simple IDAPython analysis script and run it within the IDA Pro console. This script loops through all functions in the executable and prints out its address and name:</p><div class=highlight role=region aria-label="code block" translate=no><pre tabindex=0 class=chroma><code class=language-python data-lang=python><span class=line><span class=cl><span class=kn>import</span> <span class=nn>idc</span> </span></span><span class=line><span class=cl><span class=kn>import</span> <span class=nn>idautils</span> </span></span><span class=line><span class=cl> </span></span><span class=line><span class=cl><span class=nb>print</span> <span class=s1>&#39;count </span><span class=si>%d</span><span class=s1>&#39;</span> <span class=o>%</span> <span class=nb>len</span><span class=p>(</span><span class=nb>list</span><span class=p>(</span><span class=n>idautils</span><span class=o>.</span><span class=n>Functions</span><span class=p>()))</span> </span></span><span class=line><span class=cl><span class=k>for</span> <span class=n>ea</span> <span class=ow>in</span> <span class=n>idautils</span><span class=o>.</span><span class=n>Functions</span><span class=p>():</span> </span></span><span class=line><span class=cl> <span class=nb>print</span> <span class=nb>hex</span><span class=p>(</span><span class=n>ea</span><span class=p>),</span> <span class=n>idc</span><span class=o>.</span><span class=n>get_func_name</span><span class=p>(</span><span class=n>ea</span><span class=p>)</span></span></span></code></pre></div><p>The <code>idautils</code> module contains higher-level functionality like getting a list of functions, or finding code & data references to addresses. If you are familiar with IDC scripting, most of the functions by the same name can be found within the <code>idc</code> module. This is not really meant to be an IDAPython or IDC scripting tutorial, so you will need to look elsewhere for that.</p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2020/05/batch-binary-analysis-with-ida-pro-7.4-automation/#more">Continue reading…</a></p>https://irq5-7854a1fdb9f4.pages.dev/2019/09/generating-small-static-binaries/Mon, 30 Sep 2019 11:59:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2019/09/generating-small-static-binaries/<p>I&rsquo;ve recently seen some shell script that tries to test for your OS architecture by running executables encoded within. There&rsquo;s one for i386 (x86 platforms) and a few for ARM variants.</p><div class=highlight role=region aria-label="code block" translate=no><pre tabindex=0 class=chroma><code class=language-bash data-lang=bash><span class=line><span class=cl>test_i386<span class=o>()</span> </span></span><span class=line><span class=cl><span class=o>{</span> </span></span><span class=line><span class=cl>cat <span class=s>&lt;&lt; EOF | $_base64 &gt; /tmp/archtest &amp;&amp; chmod a+x /tmp/archtest </span></span></span><span class=line><span class=cl><span class=s>f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAA5oAECDQAAACoEAAAAAAAADQAIAAEAC </span></span></span><span class=line><span class=cl><span class=s>AAAAAIAECACABAgUBwAAFAcAAAUAAAAAEAAAAQAAANwPAADcnwQI3J8ECDgAAA </span></span></span><span class=line><span class=cl><span class=s> . . . </span></span></span><span class=line><span class=cl><span class=s>AAAAAAAgAAAAAAAAAFYAAAABAAAAMAAAAAAAAAAUEAAAMgAAAAAAAAAAAAAAAQ </span></span></span><span class=line><span class=cl><span class=s>AwAAAAAAAAAAAAAARhAAAF8AAAAAAAAAAAAAAAEAAAAAAAAA </span></span></span><span class=line><span class=cl><span class=s>EOF</span> </span></span><span class=line><span class=cl>/tmp/archtest &gt; /dev/null 2&gt;<span class=p>&amp;</span><span class=m>1</span> <span class=o>&amp;&amp;</span> <span class=nv>arch</span><span class=o>=</span>i386 </span></span><span class=line><span class=cl><span class=o>}</span></span></span></code></pre></div><p>What is terrible (well, to me at least) is that these executables are huge:</p><div class=highlight role=region aria-label="code block" translate=no><pre tabindex=0 class=chroma><code class=language-fallback data-lang=fallback><span class=line><span class=cl>$ ls -l *.bin </span></span><span class=line><span class=cl>-rwxrwx--- 1 root root 4832 Jul 17 06:58 archtest-armv6.bin </span></span><span class=line><span class=cl>-rwxrwx--- 1 root root 4820 Jul 17 06:59 archtest-armv7.bin </span></span><span class=line><span class=cl>-rwxrwx--- 1 root root 4992 Jul 17 06:59 archtest-armv8.bin </span></span><span class=line><span class=cl>-rwxrwx--- 1 root root 4824 Jul 17 06:57 archtest-x86.bin</span></span></code></pre></div><p>For one, I&rsquo;m not sure why inspecting <code>/proc/cpuinfo</code> or <code>uname -a</code> is not really sufficient for their needs. And also, why such large binaries are required.</p><p>After all, what you want to do is just to check that it executes successfully. Were they trying to test for the presence of a working libc? Nope, because the binaries are statically-linked:</p><div class=highlight role=region aria-label="code block" translate=no><pre tabindex=0 class=chroma><code class=language-fallback data-lang=fallback><span class=line><span class=cl>$ file ./archtest-x86.bin </span></span><span class=line><span class=cl>./archtest-x86.bin: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped</span></span></code></pre></div><p>I think this just adds unnecessary bloat.</p><p><strong>There are ways to make smaller binaries.</strong></p><p>Now, I am not talking about crazy techniques like using assembly language instead of C, or <a href=https://www.muppetlabs.com/~breadbox/software/tiny/teensy.html rel=noopener target=_blank class=external>making a weird ELF that might load only on Linux</a>, but just using normal C and the standard <code>gcc</code> and <code>binutils</code>.</p><p>Let&rsquo;s get started.</p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2019/09/generating-small-static-binaries/#more">Continue reading…</a></p>https://irq5-7854a1fdb9f4.pages.dev/2019/08/detailed-wireless-client-stats-with-collectd/Thu, 01 Aug 2019 11:59:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2019/08/detailed-wireless-client-stats-with-collectd/<p>collectd has always been able to grab interface traffic statistics from Linux. But what if we want to collect data about individual WiFi clients that connect to it? How much bandwidth is each of the clients using?</p><p>That information is already being recorded by the wireless driver; all we need to do is to query it. Turns out you can do that with the <code>wl</code> utility. This is Broadcom&rsquo;s proprietary tool to control and query the wireless interfaces.</p><p>To do this, first use <code>wl</code> to get associated stations:</p><pre><code>wl -i eth2 assoclist </code></pre><p>Given a particular MAC address that is associated to the AP, query its info using <code>sta_info</code>:</p><div class=highlight role=region aria-label="code block" translate=no><pre tabindex=0 class=chroma><code class=language-fallback data-lang=fallback><span class=line><span class=cl># wl -i eth2 sta_info d4:a3:00:aa:bb:cc </span></span><span class=line><span class=cl>STA d4:a3:00:aa:bb:cc: </span></span><span class=line><span class=cl> aid:2 </span></span><span class=line><span class=cl> rateset [ 6 9 12 18 24 36 48 54 ] </span></span><span class=line><span class=cl> idle 0 seconds </span></span><span class=line><span class=cl> in network 16 seconds </span></span><span class=line><span class=cl> state: AUTHENTICATED ASSOCIATED AUTHORIZED </span></span><span class=line><span class=cl> flags 0x11e03b: BRCM WME N_CAP VHT_CAP AMPDU AMSDU </span></span><span class=line><span class=cl> HT caps 0x6f: LDPC 40MHz SGI20 SGI40 </span></span><span class=line><span class=cl> VHT caps 0x43: LDPC SGI80 SU-BFE </span></span><span class=line><span class=cl> tx data pkts: 663916 </span></span><span class=line><span class=cl> tx data bytes: 68730715 </span></span><span class=line><span class=cl> tx ucast pkts: 155 </span></span><span class=line><span class=cl> tx ucast bytes: 42699 </span></span><span class=line><span class=cl> tx mcast/bcast pkts: 663761 </span></span><span class=line><span class=cl> tx mcast/bcast bytes: 68688016 </span></span><span class=line><span class=cl> tx failures: 0 </span></span><span class=line><span class=cl> rx data pkts: 234 </span></span><span class=line><span class=cl> rx data bytes: 73557 </span></span><span class=line><span class=cl> rx ucast pkts: 192 </span></span><span class=line><span class=cl> rx ucast bytes: 62971 </span></span><span class=line><span class=cl> rx mcast/bcast pkts: 42 </span></span><span class=line><span class=cl> rx mcast/bcast bytes: 10586 </span></span><span class=line><span class=cl> rate of last tx pkt: 866667 kbps </span></span><span class=line><span class=cl> rate of last rx pkt: 780000 kbps </span></span><span class=line><span class=cl> rx decrypt succeeds: 195 </span></span><span class=line><span class=cl> rx decrypt failures: 1 </span></span><span class=line><span class=cl> tx data pkts retried: 19 </span></span><span class=line><span class=cl> tx data pkts retry exhausted: 0 </span></span><span class=line><span class=cl> per antenna rssi of last rx data frame: -61 -56 -59 0 </span></span><span class=line><span class=cl> per antenna average rssi of rx data frames: -61 -56 -57 0 </span></span><span class=line><span class=cl> per antenna noise floor: -104 -98 -98 0</span></span></code></pre></div><p>The &ldquo;easy way&rdquo; is probably to write a shell script, invoked via the <a href=https://collectd.org/wiki/index.php/Plugin:Exec rel=noopener target=_blank class=external>Exec plugin</a> that calls <code>wl</code> multiple times (once per interface, and once for each WiFi client) and uses <code>grep</code> or <code>awk</code> to get the information we need. This won&rsquo;t be performant, of course.</p><p><code>wl</code> itself does have quite a fair bit of overhead. It does some verification of the provided interface name. It checks for the Broadcom driver magic to ensure that the interface is a Broadcom device. It then needs to convert the MAC address from the argument string to binary, and vice-versa. Sure, that&rsquo;s not really much &ldquo;these days&rdquo;, but we can definitely do better.</p><p>Instead, let&rsquo;s short-circuit the process and write a plugin that directly collects the data, without going through <code>wl</code>. This way, we avoid creating several new processes for every query.</p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2019/08/detailed-wireless-client-stats-with-collectd/#more">Continue reading…</a></p>https://irq5-7854a1fdb9f4.pages.dev/2019/05/data-encryption-on-firefox-send/Tue, 14 May 2019 11:59:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2019/05/data-encryption-on-firefox-send/<p>If you haven&rsquo;t heard, <a href=https://send.firefox.com/ rel=noopener target=_blank class=external>Firefox Send</a> is a service that solves the problem of sending large attachments without going through email. It does this in a privacy-preserving manner by encrypting the file in your browser first, before upload.</p><p>The concept is simple:</p><ol><li>An encryption key is generated in your browser</li><li>Your file is encrypted with that key before being uploaded to the server.</li><li>The download URL is returned by the server, but will only work after the browser appends the secret key to the URL <em>fragment</em>.</li></ol><p>Note that URL fragments are never sent to the server. They are often used for page anchors, and sometimes to keep track of local state in SPA.</p><p>This has been made possible through the use of <a href=https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API rel=noopener target=_blank class=external>Web Crypto API</a> exposed via JavaScript.</p><h1 id=technical-details>Technical Details</h1><p>The code that powers <a href=https://github.com/mozilla/send rel=noopener target=_blank class=external>Firefox Send is actually open source</a>, so you can run your own server, or read the code to figure out exactly how it works. The encryption details are documented in <a href=https://github.com/mozilla/send/blob/master/docs/encryption.md rel=noopener target=_blank class=external>docs/encryption.md</a>.</p><p>A master key is first generated and from it, a few keys are derived using HKDF SHA-256. The derived key length depends on its purpose, so for AES-128 encryption, the key will be 128-bit. Oddly though, the Subtle Crypto API returns a a 512-bit key for HMAC SHA-256, which had me stumped for a while. I wrote some code that you can <a href=https://gist.githack.com/geekman/f9735602f744ebe5fa812f8ba17518c4/raw/webcrypto-hdkf.html rel=noopener target=_blank class=external>try out online</a>.</p><p>Because HKDF is based on a hash algorithm, derived keys are inherently not reversible to obtain the master key from which they were derived (unless the algorithm itself is somehow broken).</p><p>3 keys are derived from the master key:</p><ol><li><strong>Data Encryption key</strong>. Used to encrypt the actual file contents.</li><li><strong>Authentication key.</strong> Given to the service and used to authenticate future downloaders.</li><li><strong>Metadata key.</strong> Used to encrypt the upload manifest (filename and size information) for display.</li></ol><p><picture><source srcset=/posts/2019/img/ffsend-keys.png.webp type=image/webp><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2019/img/ffsend-keys.png alt="keys derived in Firefox Send" width=1574 height=491></picture></p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2019/05/data-encryption-on-firefox-send/#more">Continue reading…</a></p>https://irq5-7854a1fdb9f4.pages.dev/2019/04/onv-pd3401g-poe-splitter-teardown-review/Tue, 02 Apr 2019 11:59:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2019/04/onv-pd3401g-poe-splitter-teardown-review/<p>Continuing my <a href=https://irq5-7854a1fdb9f4.pages.dev/tag/poe rel=noopener>PoE series</a>, I bought the <strong>ONV PD3401G</strong>, an active PoE splitter that is capable of extracting up to 60W (24V @ 2.5A) from the PSE. It is housed in a small aluminum extruded case that can be DIN rail mounted. This splitter is comparatively low-cost, about US$35, and more importantly, is capable of passing through Gigabit.</p><p>ONV seems to be quite a reputable company, so I believe their products shouldn&rsquo;t be too badly designed. This unit can also be easily purchased on Aliexpress without having to go through some obscure distributor.</p><p><picture><source srcset=/posts/2019/img/47507377741_54f9e66587_2813.jpg.webp type=image/webp><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2019/img/47507377741_54f9e66587_2813.jpg alt="ONV PoE splitter, side view" width=1280 height=853></picture></p><p><picture><source srcset=/posts/2019/img/33630711828_27cb5770a8_2819.jpg.webp type=image/webp><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2019/img/33630711828_27cb5770a8_2819.jpg alt="ONV PoE splitter, front view" width=1280 height=853></picture></p><p>Internally it uses the <a href=https://www.analog.com/en/products/lt4275.html rel=noopener target=_blank class=external>LT4275A</a> (marking <code>LTGBT</code>) for PD interfacing. The <code>A</code> variant of this chip supports up to 90W of power. On the power supply side, it uses a <a href="https://www.onsemi.com/PowerSolutions/product.do?id=NCP1034" rel=noopener target=_blank class=external>NCP1034</a> synchronous buck converter. The NCP1034 is capable of handling up to 100V, which is more than sufficient for PoE.</p><p>Looking inside, the in/out Ethernet ports are connected via a transformer, in order extract power from the center taps of each pair. We can see that the PCB traces for the input port pairs are thicker to carry the higher currents. Large beefy diodes form rectifier bridges for the data pairs.</p><p><picture><source srcset=/posts/2019/img/46783600124_a981bb08b6_2807.jpg.webp type=image/webp><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2019/img/46783600124_a981bb08b6_2807.jpg loading=lazy alt="PCB, top side" width=1280 height=853></picture></p><p>Surrounding the input port on the underside, there are a lot of unpopulated components; those were supposed to offer input protection, probably using some TVS of some kind. these are marked <code>RD1</code> ~ <code>RD8</code>, one for each Ethernet wire.</p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2019/04/onv-pd3401g-poe-splitter-teardown-review/#more">Continue reading…</a></p>https://irq5-7854a1fdb9f4.pages.dev/2019/01/35c3-ctf-write-up-php/Mon, 07 Jan 2019 23:40:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2019/01/35c3-ctf-write-up-php/<h1 id=php-web>php (web)</h1><blockquote><p>PHP&rsquo;s unserialization mechanism can be exceptional. Guest challenge by jvoisin.</p><p>Files at <a href=https://35c3ctf.ccc.ac/uploads/php-ff2d1f97076ff25c5d0858616c26fac7.tar rel=noopener target=_blank class="external rawurl">https://35c3ctf.ccc.ac/uploads/php-ff2d1f97076ff25c5d0858616c26fac7.tar</a>. Challenge running at: <code>nc 35.242.207.13 1</code></p></blockquote><p>This challenge exposes a service written in PHP, and as you can guess, it has something to do with <em>unserialization</em>.</p><p>The single source file is straightforward to understand:</p><div class=highlight role=region aria-label="code block" translate=no><pre tabindex=0 class=chroma><code class=language-fallback data-lang=fallback><span class=line><span class=cl>&lt;?php </span></span><span class=line><span class=cl> </span></span><span class=line><span class=cl>$line = trim(fgets(STDIN)); </span></span><span class=line><span class=cl> </span></span><span class=line><span class=cl>$flag = file_get_contents(&#39;/flag&#39;); </span></span><span class=line><span class=cl> </span></span><span class=line><span class=cl>class B { </span></span><span class=line><span class=cl> function __destruct() { </span></span><span class=line><span class=cl> global $flag; </span></span><span class=line><span class=cl> echo $flag; </span></span><span class=line><span class=cl> } </span></span><span class=line><span class=cl>} </span></span><span class=line><span class=cl> </span></span><span class=line><span class=cl>$a = @unserialize($line); </span></span><span class=line><span class=cl> </span></span><span class=line><span class=cl>throw new Exception(&#39;Well that was unexpected…&#39;); </span></span><span class=line><span class=cl> </span></span><span class=line><span class=cl>echo $a;</span></span></code></pre></div><p>Your goal is to get the flag printed by somehow getting the destructor of class B to execute.</p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2019/01/35c3-ctf-write-up-php/#more">Continue reading…</a></p>https://irq5-7854a1fdb9f4.pages.dev/2018/12/extending-asuswrt-functionality-part-2/Fri, 28 Dec 2018 00:11:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2018/12/extending-asuswrt-functionality-part-2/<p>Following up from <a href=https://irq5-7854a1fdb9f4.pages.dev/2012/12/hacking-functionality-into-asuswrt-routers/ rel=noopener>my earlier post</a>, Asus has released faster and beefier routers. But perhaps the more important change here is that they have moved from MIPS in the RT-N56U to ARM in newer routers. I have also upgraded to the <strong>RT-AC68U</strong> for better reception and hopefully to fix the poor battery life experienced by my Android tablet.</p><p><picture><source srcset=/posts/2018/img/asus-routers.jpg.webp type=image/webp><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2018/img/asus-routers.jpg alt="the Asus N56U and AC68U routers, side by side" width=1023 height=682></picture></p><p>After upgrading, I noticed that the method I described back then no longer works. Someone also noticed this, as they <a href=http://koolshare.cn/thread-105955-1-1.html rel=noopener target=_blank class=external>translated key portions of my post</a> into Chinese, while pointing out some of the steps that didn’t work.</p><p>In this post, I&rsquo;ll summarize the key changes required to get it working again.</p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2018/12/extending-asuswrt-functionality-part-2/#more">Continue reading…</a></p>https://irq5-7854a1fdb9f4.pages.dev/2018/07/boot-time-device-tree-overlays-with-u-boot/Sun, 22 Jul 2018 22:12:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2018/07/boot-time-device-tree-overlays-with-u-boot/<p>I bought a <em>Banana Pi</em> some time ago and have been using it as my go-to ARM box. Among the single-board computers I have, this Allwinner A20-based platform has the fastest CPU.</p><p>Similar to the (old) Raspberry Pi, it has a 26-pin GPIO header on one side that sports the same layout. This means that the 5V, 3V3 and I2C pins are the same as where they would be on the Raspberry Pi.</p><p><picture><source srcset=/posts/2018/img/banana-pi-a20.jpg.webp type=image/webp><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2018/img/banana-pi-a20.jpg alt width=1280 height=853></picture></p><h1 id=device-tree--overlays>Device Tree & Overlays</h1><p>On embedded systems, the <a href=https://elinux.org/Device_Tree_What_It_Is rel=noopener target=_blank class=external>Device Tree</a> helps the kernel understand various peripherals that are connected to the board and how to initialize them. These hardware might be things like LDO regulators, various controllers, GPIO, etc which are generic, but yet needs certain configuration that should not be hard-coded into the kernel. To understand more about device trees I recommend you start with the Raspberry Pi <a href=https://www.raspberrypi.org/documentation/configuration/device-tree.md rel=noopener target=_blank class=external>documentation on this topic</a>. There are more links at the end of this article.</p><p>To support <a href=https://www.raspberrypi.org/blog/introducing-raspberry-pi-hats/ rel=noopener target=_blank class=external>Pi HATs</a> and other non-HAT accessories, the Pi added a <a href=https://github.com/raspberrypi/firmware/blob/master/boot/overlays/README rel=noopener target=_blank class=external><code>dtoverlay</code> configuration parameter</a> in the <code>config.txt</code> file. This allows you to specify, at boot time, <a href=https://www.kernel.org/doc/Documentation/devicetree/overlay-notes.txt rel=noopener target=_blank class=external><em>Device Tree Overlays</em></a>, which modify the board&rsquo;s base device tree to specify additional peripherals like I2C devices, or to configure GPIO pins for certain purposes. The BeagleBone also has a similar mechanism to support its add-on boards via <a href=https://elinux.org/Capemgr rel=noopener target=_blank class=external>Capemgr</a>. These mechanisms enable non-technical users to easily modify the device tree by simply editing a text file or running a command. Neither of these have been adopted into mainline Linux, so there is no provisions for doing quick overlays on other boards yet.</p><p>Fortunately for us, <a href=https://bootlin.com/blog/dt-overlay-uboot-libfdt/ rel=noopener target=_blank class=external>device tree overlay support has been merged</a> into <a href=https://www.denx.de/wiki/U-Boot rel=noopener target=_blank class=external>U-Boot</a>, and the Banana Pi uses U-Boot for booting Linux. This means that U-Boot can perform the merging of device tree overlays with the base device tree, and pass the entire Flattened Device Tree (FDT) structure to the kernel during boot-up.</p><p>Before we get started, you will need the <code>i2c-tools</code> and <code>dtc-overlay</code> package, and the U-Boot source code for the <code>mkimage</code> tool (you <em>did</em> have to compile U-Boot for your Banana Pi right?)</p><h1 id=creating-the-overlay>Creating the Overlay</h1><p>For this example, we will be attaching an <a href=http://www.ti.com/lit/ds/symlink/ina219.pdf rel=noopener target=_blank class=external>INA219 current sensor</a> to the Banana Pi over I2C. The kernel has drivers for this sensor in its hwmon subsystem and provides an easy way of reading values for us.</p><p><picture><source srcset=/posts/2018/img/ina219-breakout.jpg.webp type=image/webp><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2018/img/ina219-breakout.jpg alt="INA219 current sensor breakout board" width=1280 height=853></picture></p><p>The default I2C address on most INA219 breakout boards is with the address lines <code>A0</code> and <code>A1</code> grounded, giving it an address of <code>0x40</code>. Also note that the shunt resistor is marked with <code>R100</code>, which denotes 0.1 mΩ or 100,000 µΩ.</p><p>My Banana Pi has 3 I2C buses:</p><div class=highlight role=region aria-label="code block" translate=no><pre tabindex=0 class=chroma><code class=language-fallback data-lang=fallback><span class=line><span class=cl>$ i2cdetect -l </span></span><span class=line><span class=cl>i2c-1 unknown mv64xxx_i2c adapter N/A </span></span><span class=line><span class=cl>i2c-2 unknown sun4i_hdmi_i2c adapter N/A </span></span><span class=line><span class=cl>i2c-0 unknown mv64xxx_i2c adapter N/A</span></span></code></pre></div><p>We will try scanning each of the buses, and the one with device <code>0x40</code> will <em>likely</em> be the bus that is exposed via the GPIO headers. We can do this using <code>i2cdetect</code>:</p><div class=highlight role=region aria-label="code block" translate=no><pre tabindex=0 class=chroma><code class=language-fallback data-lang=fallback><span class=line><span class=cl># i2cdetect -y 1 </span></span><span class=line><span class=cl> 0 1 2 3 4 5 6 7 8 9 a b c d e f </span></span><span class=line><span class=cl>00: -- -- -- -- -- -- -- -- -- -- -- -- -- </span></span><span class=line><span class=cl>10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- </span></span><span class=line><span class=cl>20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- </span></span><span class=line><span class=cl>30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- </span></span><span class=line><span class=cl>40: 40 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- </span></span><span class=line><span class=cl>50: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- </span></span><span class=line><span class=cl>60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- </span></span><span class=line><span class=cl>70: -- -- -- -- -- -- -- --</span></span></code></pre></div><p>The last parameter to <code>i2cdetect</code> specifies the bus number, which is <code>1</code> in this case. We can see here that the INA219 has been correctly wired and detected, as it shows up in the I2C bus scan.</p><p>We now need to find out which device tree node this bus corresponds to:</p><div class=highlight role=region aria-label="code block" translate=no><pre tabindex=0 class=chroma><code class=language-fallback data-lang=fallback><span class=line><span class=cl>$ readlink /sys/class/i2c-adapter/i2c-1/of_node </span></span><span class=line><span class=cl>../../../../../firmware/devicetree/base/soc@1c00000/i2c@1c2b400</span></span></code></pre></div><p>In order to figure out the symbolic name for this I2C bus, we can <code>grep</code> from the kernel&rsquo;s live device tree, parsed with the help of the <code>dtc</code> utility:</p><div class=highlight role=region aria-label="code block" translate=no><pre tabindex=0 class=chroma><code class=language-fallback data-lang=fallback><span class=line><span class=cl># dtc -I fs /proc/device-tree | grep 1c2b400 </span></span><span class=line><span class=cl>... </span></span><span class=line><span class=cl> i2c2 = &#34;/soc@1c00000/i2c@1c2b400&#34;;</span></span></code></pre></div><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2018/07/boot-time-device-tree-overlays-with-u-boot/#more">Continue reading…</a></p>https://irq5-7854a1fdb9f4.pages.dev/2018/06/poe-quick-guide-cheap-hardware/Wed, 06 Jun 2018 12:45:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2018/06/poe-quick-guide-cheap-hardware/<p>I have been looking around for Power over Ethernet (PoE) devices to supply power to some networking hardware that will be located in a remote location, without a convenient power outlet. These networking hardware do not have built-in PoE support, so I have to find both an <em>injector</em> and a <em>splitter</em> device.</p><p>PoE is typically found on enterprise networking equipment, which usually means a higher price tag. Not wanting to spend a ton on PoE hardware, I did some research to understand what was required to make it work.</p><p>Hopefully this will help you understand PoE, how it works, and what to look out for when shopping for PoE hardware that are suitable for your needs.</p><h1 id=poe-quick-guide>PoE Quick Guide</h1><h2 id=active-vs-passive>Active vs Passive</h2><p>Passive adapters are very simple, and you will see them mostly as an RJ45 socket with pigtails for power and Ethernet. These adapters do not contain or require any circuitry, which also explains why they are the more inexpensive option between the two.</p><p><picture><img src=https://c2.staticflickr.com/2/1756/41507595985_0a4a94cca6_o.jpg alt="Photo of a passive PoE injector & splitter pair, sold on Adafruit"></picture></p><p><strong>Active PoE</strong> (the <em>real</em> Power over Ethernet) on the other hand requires some negotiation between the two devices, called the PSE (power sourcing equipment) and the PD (powered device).</p><p>There are several PoE standards. 802.3af, 802.3at and the newer 802.3bt. The difference is mainly in the maximum power is made available to PDs:</p><ul><li>802.3af - 15.4W</li><li>802.3at - 30W</li><li>802.3bt - 60W to 100W</li></ul><p>802.3bt was just ratified in the last year (2017). In the time span before the 802.3bt standards was ratified (~8 years!), some companies like Linear Technolgy & Cisco Systems took it upon themselves to find other means of carrying up to 60W. The result was <a href=http://www.analog.com/media/en/technical-documentation/technical-articles/ltc_nov11_psde.pdf rel=noopener target=_blank class=external><em>LTPoE++</em></a> and <a href=https://www.cisco.com/go/upoe rel=noopener target=_blank class=external><em>UPOE</em></a>, an evolution of the existing 802.3af/at standards, but may not be compatible with the final standard arrived at by committee.</p><h2 id=mode-a-or-b>Mode A or B</h2><p>The Cat5 cable has 8 wires, forming 4 twisted pairs. For 10/100Mbps, only 2 pairs are used: pair 1/2 for Tx and pair 3/6 for Rx.</p><p>The modes refer to how power is delivered to the device:</p><ul><li>Mode A: pairs 1/2, 3/6</li><li>Mode B: pairs 4/5, 7/8</li></ul><p><picture><source srcset=/posts/2018/img/poe-modeAB.png.webp type=image/webp><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2018/img/poe-modeAB.png alt="PoE mode A & B wiring diagram" width=1305 height=494></picture></p><p>Mode A uses the data pairs for power. This mode is well suited for very old cabling which didn&rsquo;t connect all 4 pairs end-to-end. You might see some manufacturers calling this mode <em>End-span</em> wiring. To carry power over the same data cables, <em>phantom power delivery</em> is used (more on this later).</p><p>Mode B uses the unused (or spare) pairs for power. You might see this being referred to as <em>Mid-span</em>. This type of wiring is easier because it knows the pair is not carrying any data and thus can be wired directly.</p><p>Unlike mode A, mode B in this form cannot be used to carry power for Gigabit networks, because a Gigabit connection will require all 4 pairs for data transmission. Power must therefore be delivered via centre-tapped transformers, or what is known as <em>phantom power</em>. How this works is explained in a 1944 US Army <a href="https://www.youtube.com/watch?v=H4NDVkjT9mg" rel=noopener target=_blank class=external>video on telephone electronics</a>.</p><h2 id=power-capacity>Power Capacity</h2><p>The committee decided that two pairs of Cat5 wire should only carry up to 30W of power; which two pairs will depend on whether mode A or B wiring is used.</p><p>For higher power capacity like 802.3bt (PoE++) or the non-standards-based <em>UPOE</em> and <em>LTPoE++</em>, the other 2 pairs will be paralleled up, making use of all 4 pairs to carry higher currents.</p><p><picture><source srcset=/posts/2018/img/poe-4wire.png.webp type=image/webp><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2018/img/poe-4wire.png loading=lazy alt="PoE wiring diagram for 4-pair based PoE" width=638 height=488 class=half></picture></p><p>For Gigabit Ethernet (1000Mbps), because all 4 pairs are used to carry data, power (regardless of which pairs used) must be delivered via phantom power delivery.</p><h2 id=why-use-active-poe>Why use Active PoE?</h2><p>In short, because it is safer.</p><p>It was designed with the consideration that not all network equipment can accept power, whether via the data pairs or spare pairs.</p><p>During the detection phase, the PSE will apply 2.7V to 10V to check for a known resistance. This voltage is low enogh and also for a brief period such that it wouldn&rsquo;t matter if the device on the other end is shorted. A device that was not designed for PoE would thus never see any higher voltage beyond the detection phase.</p><p><picture><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2018/img/poe-phases.png loading=lazy alt="Graph depicting voltage vs time during various PoE phases" width=902 height=683 class=half></picture></p><p>In contrast, passive PoE makes the full voltage and current available on the data/spare pairs. If the remote end is using a <em>magnetics</em> configuration that shorts out the centre taps, the 30W of power would just melt the port (one would assume).</p><p>Integrated PSE controller chipsets will also contain features like overcurrent protection, thermal cut-offs and surge protection, etc. which all contribute towards keeping your PDs safe from harm.</p><h1 id=finding-low-cost-poe-hardware>Finding Low-Cost PoE Hardware</h1><p>It was quite a daunting task, trawling AliExpress for PoE injectors & splitters. The description or specifications for items are also not accurate; it&rsquo;s like finding a USB cable listed as capable of carrying 2A when in fact it does not.</p><p>While passive injectors are the cheapest option, most of them are not meant for Gigabit Ethernet. Recall that <em>Mode B</em> wiring is the easiest and most low-cost method for building a passive device, and that is what you will mostly find. This wiring configuration does not pass through all 4 pairs and thus cannot be used for Gigabit.</p><p>Most active PoE splitters output 12V, or 5V via USB. This is largely due to the fact that these devices were meant for IP cameras, which operate at that voltage. If your target device uses a non-standard voltage, you will have difficulty finding a suitable (and yet low-cost) splitter.</p><p>Here&rsquo;s a list of hardware I&rsquo;ve found; which one is suitable for you depends on your requirements:</p><ul><li>Do you need 1000Mbps, or just 10/100Mbps would suffice?</li><li>What voltage does your target device require?</li><li>How much power does it require? 13W, 30W?</li></ul><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2018/06/poe-quick-guide-cheap-hardware/#more">Continue reading…</a></p>https://irq5-7854a1fdb9f4.pages.dev/2018/05/crypto-erasing-bitlocker-drives/Thu, 10 May 2018 12:45:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2018/05/crypto-erasing-bitlocker-drives/<p>These days with larger and larger drive capacities, erasing stored data takes longer and longer. Another problem is also the inability to do so when the time comes, due to bad sectors or hardware failures. Just because the data is not accessible by you does not mean that it is also inaccessible to someone else with the know-how.</p><p><strong><em>Cryptographic erasure</em> to the rescue!</strong></p><p>Crypto erase simply erases the encryption key that is used to encrypt the data on your drive. This is the <a href=https://irq5-7854a1fdb9f4.pages.dev/2014/04/encrypt-all-the-drives/ rel=noopener>primary reason why</a> I encrypt my drives.</p><p>Oddly, I have not found anyone talking about BitLocker crypto erasure or doing it. The closest I have seen is <a href=https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-forcerecovery rel=noopener target=_blank class=external><code>manage-bde -forcerecovery</code></a>, which removes all TPM-related key protectors. This is briefly described in a TechNet article titled <a href=https://technet.microsoft.com/en-us/library/cc512654.aspx rel=noopener target=_blank class=external>BitLocker™ Drive Encryption and Disk Sanitation</a>.</p><p>But what if we are not running Windows? What if the disk is not a Windows boot drive that is protected by a TPM key protector?</p><p>In order to erase the (key) data, we first need to know how the data is stored on disk. For open-source FDE implementations, this is easy because the disk format is well-documented, but BitLocker is not exactly open.</p><h1 id=bitlocker-disk-format>BitLocker Disk Format</h1><p>BitLocker was first introduced in Windows Vista and has gone through changes since then. Some changes were made to the format in Windows 7, but has largely remained unchanged through Windows 8 till 10.</p><p>For LUKS, it is simple - there is a LUKS header at the start of the disk, followed by the encrypted volume data. For BitLocker, it is slightly more involved, probably due to backward-compatible design considerations.</p><p>The header at the start of the partition is a valid boot sector (or boot block), so not all BitLocker information can be stored within. Instead, this volume header points to the FVE metadata block where most of the data is kept. In fact, there are 3 of these for redundancy. This metadata block is what holds all the key material.</p><p>The metadata blocks are spaced (almost) evenly apart, located near the start of the volume.</p><div class=highlight role=region aria-label="code block" translate=no><pre tabindex=0 class=chroma><code class=language-fallback data-lang=fallback><span class=line><span class=cl># blwipe -offset 0x2010000 bitlocker-2gb.vhd </span></span><span class=line><span class=cl>metadata offset 0: 0x02100000 </span></span><span class=line><span class=cl>metadata offset 1: 0x100c8000 </span></span><span class=line><span class=cl>metadata offset 2: 0x1e08f000 </span></span><span class=line><span class=cl>metadata block 0 (size 65536): parsed OK </span></span><span class=line><span class=cl>metadata block 1 (size 65536): parsed OK </span></span><span class=line><span class=cl>metadata block 2 (size 65536): parsed OK</span></span></code></pre></div><p>The first metadata block <em>usually</em> begins at <code>0x02100000</code>. This illustration depicts the locations for a 2 GB volume:</p><p><picture><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2018/img/fve-md-disk-layout.png alt="Diagram of disk layout with FVE metadata blocks marked out" width=1145 height=279></picture></p><p>If there are 3 of these blocks, how do we know know which ones contain valid data?</p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2018/05/crypto-erasing-bitlocker-drives/#more">Continue reading…</a></p>https://irq5-7854a1fdb9f4.pages.dev/2018/04/pcbway-pcb-review/Sat, 07 Apr 2018 12:47:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2018/04/pcbway-pcb-review/<p><a href=https://www.pcbway.com/ rel=noopener target=_blank class=external>PCBWay</a> is a PCB manufacturer that prides itself on quick turnaround. You can learn about <a href="https://www.youtube.com/watch?v=NfeDs5ce1PA" rel=noopener target=_blank class=external>CNLohr&rsquo;s sucess story here</a>. They also offer detailed tracking of your order&rsquo;s progress on their website.</p><p>They have reached out to me and kindly offered to sponsor the boards for this particular project, which I will be talking about in the coming weeks. As the cost of these boards were more expensive (compared to their &ldquo;normal&rdquo; orders), I had to pay for shipping myself.</p><p>With each PCB project, I find more and more methods of testing PCB manufacturers. This time, it&rsquo;s with a PCB that is inserted directly into your USB socket.</p><p><picture><img src=https://c1.staticflickr.com/5/4724/25588137367_dff247a8d1_b.jpg alt="project PCBs"></picture></p><p>The requirement for such a board is 2 mm thickness. The USB connector size is standard, so the usual 1.6 mm PCB thickness isn&rsquo;t going to work unless you pad the connector area.</p><p>Also, I opted for gold fingers on the USB connector contacts. This is usually done for contacts on the board edge that will be inserted into some mating connector (like PCI cards and USB connectors such as this).</p><p><strong>They also offer matte black & matte green colors.</strong> I haven&rsquo;t seen matte colours being offered at other board houses so far. I would have loved to try them out, but that would have bloated the cost beyond my comfort level.</p><h1 id=order-process>Order Process</h1><p>The order flow for PCBWay is a bit different because you submit your gerbers without making payment first. This allows their engineers to take a look at the design before you actually pay.</p><p>Most other systems I&rsquo;ve used are largely automated. After you submit your gerbers, they typically don&rsquo;t expect any problems and so they collect payment from you first.</p><p><picture><source srcset=/posts/2018/img/pcbway-order-process.png.webp type=image/webp><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2018/img/pcbway-order-process.png alt="PCBWay order flow" width=905 height=185></picture></p><p>I uploaded the gerbers on the 8th Aug and I tracked my order progress online. Their website allows you to track the detailed progress of your board as it moves along the manufacturing process. For small runs like this one, it is not crucial but if you were doing a large project with panels of many boards, this would definitely be handy.</p><p><picture><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2018/img/pcbway-progress.png loading=lazy alt="table of PCB production processes and their completion times" width=650 height=530></picture></p><p>They started manufacture 2 days later (on the 10th) and completed everything by 12th. It was not until the 14th that they actually shipped the boards out and provided me with a tracking number.</p><p>Here&rsquo;s a summary of the timeline:</p><ul><li>08: Gerber files submission</li><li>10: start of PCB manufacture</li><li>12: boards completed</li><li>14: boards shipped (via registered post)</li><li>24: boards received</li></ul><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2018/04/pcbway-pcb-review/#more">Continue reading…</a></p>https://irq5-7854a1fdb9f4.pages.dev/2017/10/flare-on-2017-write-up-pewpewboat.exe/Sat, 14 Oct 2017 23:30:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2017/10/flare-on-2017-write-up-pewpewboat.exe/<h3 id=flare-on-2017-challenge-5----pewpewboatexe>Flare-On 2017 Challenge #5 &ndash; pewpewboat.exe</h3><p>As usual, the first thing to do when tackling the challenge is to run the binary first, to see what it does. You will soon learn that it&rsquo;s not actually a Windows executable, but rather a 64-bit Linux ELF.</p><div class=highlight role=region aria-label="code block" translate=no><pre tabindex=0 class=chroma><code class=language-fallback data-lang=fallback><span class=line><span class=cl>$ ./pewpewboat.exe </span></span><span class=line><span class=cl>Loading first pew pew map... </span></span><span class=line><span class=cl> 1 2 3 4 5 6 7 8 </span></span><span class=line><span class=cl> _________________ </span></span><span class=line><span class=cl>A |_|_|_|_|_|_|_|_| </span></span><span class=line><span class=cl>B |_|_|_|_|_|_|_|_| </span></span><span class=line><span class=cl>C |_|_|_|_|_|_|_|_| </span></span><span class=line><span class=cl>D |_|_|_|_|_|_|_|_| </span></span><span class=line><span class=cl>E |_|_|_|_|_|_|_|_| </span></span><span class=line><span class=cl>F |_|_|_|_|_|_|_|_| </span></span><span class=line><span class=cl>G |_|_|_|_|_|_|_|_| </span></span><span class=line><span class=cl>H |_|_|_|_|_|_|_|_| </span></span><span class=line><span class=cl> </span></span><span class=line><span class=cl>Rank: Seaman Recruit </span></span><span class=line><span class=cl> </span></span><span class=line><span class=cl>Welcome to pewpewboat! We just loaded a pew pew map, start shootin&#39;! </span></span><span class=line><span class=cl> </span></span><span class=line><span class=cl>Enter a coordinate:</span></span></code></pre></div><p>So this is a <a href=https://en.wikipedia.org/wiki/Battleship_%28game%29 rel=noopener target=_blank class=external>Battleship game</a>. Playing manually for a bit, I see the &ldquo;ships&rdquo; form up in the shape what looked like a letter. Hmm could this be the flag?</p><p>It&rsquo;s now time to read the code.</p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2017/10/flare-on-2017-write-up-pewpewboat.exe/#more">Continue reading…</a></p>https://irq5-7854a1fdb9f4.pages.dev/2017/09/writing-code-for-the-attiny10/Sat, 09 Sep 2017 12:47:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2017/09/writing-code-for-the-attiny10/<p>I previously wrote about the hardware aspects of <a href=https://irq5-7854a1fdb9f4.pages.dev/2010/07/programming-the-attiny10/ rel=noopener>getting your code into an ATtiny10</a> some 7 years ago (wow that was <em>realllyy</em> a long time ago!).</p><p>Now, avrdude is at version 6.3 and the TPI bitbang implementation has already been integrated in. The upstream avr-gcc (and avr-libc) also have proper support for ATtiny10s now. These software components are bundled with most distributions, including the <a href=https://www.arduino.cc/en/Main/Software rel=noopener target=_blank class=external>Arduino IDE</a>, making it easily accessible for anyone. Previously a fully integrated and working toolchain only came from Atmel and it was behind a registration page.</p><p>The price of the ATtiny10 has also dropped by a lot. When I first bought this microcontroller in 2010, element14 carried it for $1.85 in single quantities. Now, they are only $0.56 each.</p><p>I thought I&rsquo;d write up a short post about writing and compiling code for it.</p><p><picture><source srcset=/posts/2017/img/attiny10-closeup.jpg.webp type=image/webp><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2017/img/attiny10-closeup.jpg alt="ATtiny10 on a prototyping board" width=1023 height=682></picture></p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2017/09/writing-code-for-the-attiny10/#more">Continue reading…</a></p>https://irq5-7854a1fdb9f4.pages.dev/2017/08/framework-for-writing-flexible-bruteforcers/Wed, 30 Aug 2017 01:01:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2017/08/framework-for-writing-flexible-bruteforcers/<p>When writing a bruteforcer, it&rsquo;s easiest to think of it as mapping some kind of output to a monotonically-increasing number.</p><p>Like for one of the solved PlaidCTF question, the answer string was composed from the eight letters &ldquo;plaidctf&rdquo;, which conveniently is a power of 2, meaning each output character can be represented with 3 bits. To write a bruteforcer for a string composed of these characters, you might imagine generating a 3-bit number (i.e. from 0 to 7) then mapping it to the character set for one output character, or a 30-bit number if the output string was 10 characters. Unsurprisingly, this was <a href=https://gist.github.com/geekman/6b749c6dcb6acd6ba1d2/d69f852e30374376ce8a9cd4a65e49c72d4ef991 rel=noopener target=_blank class=external>exactly what I did</a> for my solver script. The output string was generated from a <em>BitVector</em> of <code>171 * 3</code> bits.</p><p>But what if the output was composed of several different pieces that cannot be represented uniformly as a set of bits?</p><p>One solution might be to emulate such a behaviour using an array of integers, like how I <a href=https://irq5-7854a1fdb9f4.pages.dev/2016/08/labyrenth-2016-write-up-regex/ rel=noopener>modified my solver script in version 2</a> to handle a character set of arbitrary length.</p><p>In this post, I will walk-through writing a basic, but flexible, bruteforcer with accompanying code snippets in <a href=https://golang.org/ rel=noopener target=_blank class=external>Go</a>.</p><h1 id=keeping-state>Keeping State</h1><p>Continuing on the CTF puzzle, the <em>BitVector</em> was replaced with an array of <code>Int</code>s. Each <code>Int</code> will represent one character of the output string. We can thus represent the state like so (for simplicity, let&rsquo;s limit the output string to 2 characters):</p><div class=highlight role=region aria-label="code block" translate=no><pre tabindex=0 class=chroma><code class=language-go data-lang=go><span class=line><span class=cl><span class=kd>type</span> <span class=nx>state</span> <span class=kd>struct</span> <span class=p>{</span> </span></span><span class=line><span class=cl> <span class=nx>digit</span> <span class=p>[</span><span class=mi>2</span><span class=p>]</span><span class=kt>int</span> </span></span><span class=line><span class=cl><span class=p>}</span></span></span></code></pre></div><p>In order to increment each digit, we can write a function that increments <code>state.digit</code> until a certain number, then resets it to zero.</p><p>To make it generic, we will write a function that returns another function that manipulates a digit position, so we don&rsquo;t have to copy & paste the code for each digit position:</p><div class=highlight role=region aria-label="code block" translate=no><pre tabindex=0 class=chroma><code class=language-go data-lang=go><span class=line><span class=cl><span class=c1 translate>// returns a function that manipulates the digit at given pos </span></span></span><span class=line><span class=cl><span class=c1 translate></span><span class=kd>func</span> <span class=nf>digitManipulator</span><span class=p>(</span><span class=nx>pos</span> <span class=kt>int</span><span class=p>)</span> <span class=kd>func</span><span class=p>(</span><span class=o>*</span><span class=nx>state</span><span class=p>)</span> <span class=kt>bool</span> <span class=p>{</span> </span></span><span class=line><span class=cl> <span class=k>return</span> <span class=kd>func</span><span class=p>(</span><span class=nx>s</span> <span class=o>*</span><span class=nx>state</span><span class=p>)</span> <span class=kt>bool</span> <span class=p>{</span> </span></span><span class=line><span class=cl> <span class=nx>s</span><span class=p>.</span><span class=nx>digit</span><span class=p>[</span><span class=nx>pos</span><span class=p>]</span><span class=o>++</span> </span></span><span class=line><span class=cl> <span class=k>if</span> <span class=nx>s</span><span class=p>.</span><span class=nx>digit</span><span class=p>[</span><span class=nx>pos</span><span class=p>]</span> <span class=o>==</span> <span class=nx>MAX_NUMBER</span> <span class=p>{</span> </span></span><span class=line><span class=cl> <span class=nx>s</span><span class=p>.</span><span class=nx>digit</span><span class=p>[</span><span class=nx>pos</span><span class=p>]</span> <span class=p>=</span> <span class=mi>0</span> </span></span><span class=line><span class=cl> <span class=k>return</span> <span class=kc>true</span> </span></span><span class=line><span class=cl> <span class=p>}</span> </span></span><span class=line><span class=cl> <span class=k>return</span> <span class=kc>false</span> </span></span><span class=line><span class=cl> <span class=p>}</span> </span></span><span class=line><span class=cl><span class=p>}</span></span></span></code></pre></div><p>We will talk more about the boolean return value later.</p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2017/08/framework-for-writing-flexible-bruteforcers/#more">Continue reading…</a></p>https://irq5-7854a1fdb9f4.pages.dev/2017/07/labyrenth-2017-binary-4/Thu, 27 Jul 2017 23:59:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2017/07/labyrenth-2017-binary-4/Hint: Send me this identifier together with your $$$$ to decrypt your file: da91e949f4c2e814f811fbadb3c195b8 Binary4 is a Mach-O binary, nothing IDA Pro can&rsquo;t handle. You will notice it has some obfuscated names, like wshwfknafsknfadj, pojklfasd, etc. Looking at the main() function, IDA Pro&rsquo;s decompiler produces the following pseudo-C code: memset(&v17, 0, 0x400uLL); v17 = 46; LODWORD(v3) = wshwfknafsknfadj(&v17, 0LL); v15 = v3; LODWORD(v4) = bmasdfiukjwe(&v17); v14 = v4; if ( 999 !<p><a href="https://irq5-7854a1fdb9f4.pages.dev/2017/07/labyrenth-2017-binary-4/#more">Continue reading…</a></p>