code on irq5 test

code on irq5 testhttps://irq5-7854a1fdb9f4.pages.dev/tag/code/Recent content in code on irq5 testen-usFri, 22 May 2020 00:00:00 +0000Batch Binary Analysis with IDA Pro 7.4 Automationhttps://irq5-7854a1fdb9f4.pages.dev/2020/05/batch-binary-analysis-with-ida-pro-7.4-automation/Fri, 22 May 2020 00:00:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2020/05/batch-binary-analysis-with-ida-pro-7.4-automation/<p>It is easy to script analysis steps with IDAPython, but now we want to automate this analysis over, let’s say, 10,000 files. I did a quick Google and I couldn’t find a guide on how to perform batch binary analysis tasks by automating IDA Pro 7.x.</p><p>Unfamiliar with this, I was constantly guessing whether it was the command-line arguments, the script, or a combination of both that was not working. I’m sharing my experince here so you won’t have to be fumbling around like I was.</p><p>I will be using IDA Pro for Windows here, but it should be applicable to any of their supported platforms like Mac or Linux.</p><h1 id=simple-binary-analysis>Simple Binary Analysis</h1><p>Let’s write some simple IDAPython analysis script and run it within the IDA Pro console. This script loops through all functions in the executable and prints out its address and name:</p><div class=highlight role=region aria-label="code block" translate=no><pre tabindex=0 class=chroma><code class=language-python data-lang=python><span class=line><span class=cl><span class=kn>import</span> <span class=nn>idc</span> </span></span><span class=line><span class=cl><span class=kn>import</span> <span class=nn>idautils</span> </span></span><span class=line><span class=cl> </span></span><span class=line><span class=cl><span class=nb>print</span> <span class=s1>'count </span><span class=si>%d</span><span class=s1>'</span> <span class=o>%</span> <span class=nb>len</span><span class=p>(</span><span class=nb>list</span><span class=p>(</span><span class=n>idautils</span><span class=o>.</span><span class=n>Functions</span><span class=p>()))</span> </span></span><span class=line><span class=cl><span class=k>for</span> <span class=n>ea</span> <span class=ow>in</span> <span class=n>idautils</span><span class=o>.</span><span class=n>Functions</span><span class=p>():</span> </span></span><span class=line><span class=cl> <span class=nb>print</span> <span class=nb>hex</span><span class=p>(</span><span class=n>ea</span><span class=p>),</span> <span class=n>idc</span><span class=o>.</span><span class=n>get_func_name</span><span class=p>(</span><span class=n>ea</span><span class=p>)</span></span></span></code></pre></div><p>The <code>idautils</code> module contains higher-level functionality like getting a list of functions, or finding code & data references to addresses. If you are familiar with IDC scripting, most of the functions by the same name can be found within the <code>idc</code> module. This is not really meant to be an IDAPython or IDC scripting tutorial, so you will need to look elsewhere for that.</p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2020/05/batch-binary-analysis-with-ida-pro-7.4-automation/#more">Continue reading…</a></p>Data Encryption on Firefox Sendhttps://irq5-7854a1fdb9f4.pages.dev/2019/05/data-encryption-on-firefox-send/Tue, 14 May 2019 11:59:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2019/05/data-encryption-on-firefox-send/<p>If you haven’t heard, <a href=https://send.firefox.com/ rel=noopener target=_blank class=external>Firefox Send</a> is a service that solves the problem of sending large attachments without going through email. It does this in a privacy-preserving manner by encrypting the file in your browser first, before upload.</p><p>The concept is simple:</p><ol><li>An encryption key is generated in your browser</li><li>Your file is encrypted with that key before being uploaded to the server.</li><li>The download URL is returned by the server, but will only work after the browser appends the secret key to the URL <em>fragment</em>.</li></ol><p>Note that URL fragments are never sent to the server. They are often used for page anchors, and sometimes to keep track of local state in SPA.</p><p>This has been made possible through the use of <a href=https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API rel=noopener target=_blank class=external>Web Crypto API</a> exposed via JavaScript.</p><h1 id=technical-details>Technical Details</h1><p>The code that powers <a href=https://github.com/mozilla/send rel=noopener target=_blank class=external>Firefox Send is actually open source</a>, so you can run your own server, or read the code to figure out exactly how it works. The encryption details are documented in <a href=https://github.com/mozilla/send/blob/master/docs/encryption.md rel=noopener target=_blank class=external>docs/encryption.md</a>.</p><p>A master key is first generated and from it, a few keys are derived using HKDF SHA-256. The derived key length depends on its purpose, so for AES-128 encryption, the key will be 128-bit. Oddly though, the Subtle Crypto API returns a a 512-bit key for HMAC SHA-256, which had me stumped for a while. I wrote some code that you can <a href=https://gist.githack.com/geekman/f9735602f744ebe5fa812f8ba17518c4/raw/webcrypto-hdkf.html rel=noopener target=_blank class=external>try out online</a>.</p><p>Because HKDF is based on a hash algorithm, derived keys are inherently not reversible to obtain the master key from which they were derived (unless the algorithm itself is somehow broken).</p><p>3 keys are derived from the master key:</p><ol><li><strong>Data Encryption key</strong>. Used to encrypt the actual file contents.</li><li><strong>Authentication key.</strong> Given to the service and used to authenticate future downloaders.</li><li><strong>Metadata key.</strong> Used to encrypt the upload manifest (filename and size information) for display.</li></ol><p><picture><source srcset=/posts/2019/img/ffsend-keys.png.webp type=image/webp><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2019/img/ffsend-keys.png alt="keys derived in Firefox Send" width=1574 height=491></picture></p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2019/05/data-encryption-on-firefox-send/#more">Continue reading…</a></p>Crypto-Erasing BitLocker Driveshttps://irq5-7854a1fdb9f4.pages.dev/2018/05/crypto-erasing-bitlocker-drives/Thu, 10 May 2018 12:45:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2018/05/crypto-erasing-bitlocker-drives/<p>These days with larger and larger drive capacities, erasing stored data takes longer and longer. Another problem is also the inability to do so when the time comes, due to bad sectors or hardware failures. Just because the data is not accessible by you does not mean that it is also inaccessible to someone else with the know-how.</p><p><strong><em>Cryptographic erasure</em> to the rescue!</strong></p><p>Crypto erase simply erases the encryption key that is used to encrypt the data on your drive. This is the <a href=https://irq5-7854a1fdb9f4.pages.dev/2014/04/encrypt-all-the-drives/ rel=noopener>primary reason why</a> I encrypt my drives.</p><p>Oddly, I have not found anyone talking about BitLocker crypto erasure or doing it. The closest I have seen is <a href=https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-forcerecovery rel=noopener target=_blank class=external><code>manage-bde -forcerecovery</code></a>, which removes all TPM-related key protectors. This is briefly described in a TechNet article titled <a href=https://technet.microsoft.com/en-us/library/cc512654.aspx rel=noopener target=_blank class=external>BitLocker™ Drive Encryption and Disk Sanitation</a>.</p><p>But what if we are not running Windows? What if the disk is not a Windows boot drive that is protected by a TPM key protector?</p><p>In order to erase the (key) data, we first need to know how the data is stored on disk. For open-source FDE implementations, this is easy because the disk format is well-documented, but BitLocker is not exactly open.</p><h1 id=bitlocker-disk-format>BitLocker Disk Format</h1><p>BitLocker was first introduced in Windows Vista and has gone through changes since then. Some changes were made to the format in Windows 7, but has largely remained unchanged through Windows 8 till 10.</p><p>For LUKS, it is simple - there is a LUKS header at the start of the disk, followed by the encrypted volume data. For BitLocker, it is slightly more involved, probably due to backward-compatible design considerations.</p><p>The header at the start of the partition is a valid boot sector (or boot block), so not all BitLocker information can be stored within. Instead, this volume header points to the FVE metadata block where most of the data is kept. In fact, there are 3 of these for redundancy. This metadata block is what holds all the key material.</p><p>The metadata blocks are spaced (almost) evenly apart, located near the start of the volume.</p><div class=highlight role=region aria-label="code block" translate=no><pre tabindex=0 class=chroma><code class=language-fallback data-lang=fallback><span class=line><span class=cl># blwipe -offset 0x2010000 bitlocker-2gb.vhd </span></span><span class=line><span class=cl>metadata offset 0: 0x02100000 </span></span><span class=line><span class=cl>metadata offset 1: 0x100c8000 </span></span><span class=line><span class=cl>metadata offset 2: 0x1e08f000 </span></span><span class=line><span class=cl>metadata block 0 (size 65536): parsed OK </span></span><span class=line><span class=cl>metadata block 1 (size 65536): parsed OK </span></span><span class=line><span class=cl>metadata block 2 (size 65536): parsed OK</span></span></code></pre></div><p>The first metadata block <em>usually</em> begins at <code>0x02100000</code>. This illustration depicts the locations for a 2 GB volume:</p><p><picture><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2018/img/fve-md-disk-layout.png alt="Diagram of disk layout with FVE metadata blocks marked out" width=1145 height=279></picture></p><p>If there are 3 of these blocks, how do we know know which ones contain valid data?</p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2018/05/crypto-erasing-bitlocker-drives/#more">Continue reading…</a></p>Framework for Writing Flexible Bruteforcershttps://irq5-7854a1fdb9f4.pages.dev/2017/08/framework-for-writing-flexible-bruteforcers/Wed, 30 Aug 2017 01:01:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2017/08/framework-for-writing-flexible-bruteforcers/<p>When writing a bruteforcer, it’s easiest to think of it as mapping some kind of output to a monotonically-increasing number.</p><p>Like for one of the solved PlaidCTF question, the answer string was composed from the eight letters “plaidctf”, which conveniently is a power of 2, meaning each output character can be represented with 3 bits. To write a bruteforcer for a string composed of these characters, you might imagine generating a 3-bit number (i.e. from 0 to 7) then mapping it to the character set for one output character, or a 30-bit number if the output string was 10 characters. Unsurprisingly, this was <a href=https://gist.github.com/geekman/6b749c6dcb6acd6ba1d2/d69f852e30374376ce8a9cd4a65e49c72d4ef991 rel=noopener target=_blank class=external>exactly what I did</a> for my solver script. The output string was generated from a <em>BitVector</em> of <code>171 * 3</code> bits.</p><p>But what if the output was composed of several different pieces that cannot be represented uniformly as a set of bits?</p><p>One solution might be to emulate such a behaviour using an array of integers, like how I <a href=https://irq5-7854a1fdb9f4.pages.dev/2016/08/labyrenth-2016-write-up-regex/ rel=noopener>modified my solver script in version 2</a> to handle a character set of arbitrary length.</p><p>In this post, I will walk-through writing a basic, but flexible, bruteforcer with accompanying code snippets in <a href=https://golang.org/ rel=noopener target=_blank class=external>Go</a>.</p><h1 id=keeping-state>Keeping State</h1><p>Continuing on the CTF puzzle, the <em>BitVector</em> was replaced with an array of <code>Int</code>s. Each <code>Int</code> will represent one character of the output string. We can thus represent the state like so (for simplicity, let’s limit the output string to 2 characters):</p><div class=highlight role=region aria-label="code block" translate=no><pre tabindex=0 class=chroma><code class=language-go data-lang=go><span class=line><span class=cl><span class=kd>type</span> <span class=nx>state</span> <span class=kd>struct</span> <span class=p>{</span> </span></span><span class=line><span class=cl> <span class=nx>digit</span> <span class=p>[</span><span class=mi>2</span><span class=p>]</span><span class=kt>int</span> </span></span><span class=line><span class=cl><span class=p>}</span></span></span></code></pre></div><p>In order to increment each digit, we can write a function that increments <code>state.digit</code> until a certain number, then resets it to zero.</p><p>To make it generic, we will write a function that returns another function that manipulates a digit position, so we don’t have to copy & paste the code for each digit position:</p><div class=highlight role=region aria-label="code block" translate=no><pre tabindex=0 class=chroma><code class=language-go data-lang=go><span class=line><span class=cl><span class=c1 translate>// returns a function that manipulates the digit at given pos </span></span></span><span class=line><span class=cl><span class=c1 translate></span><span class=kd>func</span> <span class=nf>digitManipulator</span><span class=p>(</span><span class=nx>pos</span> <span class=kt>int</span><span class=p>)</span> <span class=kd>func</span><span class=p>(</span><span class=o>*</span><span class=nx>state</span><span class=p>)</span> <span class=kt>bool</span> <span class=p>{</span> </span></span><span class=line><span class=cl> <span class=k>return</span> <span class=kd>func</span><span class=p>(</span><span class=nx>s</span> <span class=o>*</span><span class=nx>state</span><span class=p>)</span> <span class=kt>bool</span> <span class=p>{</span> </span></span><span class=line><span class=cl> <span class=nx>s</span><span class=p>.</span><span class=nx>digit</span><span class=p>[</span><span class=nx>pos</span><span class=p>]</span><span class=o>++</span> </span></span><span class=line><span class=cl> <span class=k>if</span> <span class=nx>s</span><span class=p>.</span><span class=nx>digit</span><span class=p>[</span><span class=nx>pos</span><span class=p>]</span> <span class=o>==</span> <span class=nx>MAX_NUMBER</span> <span class=p>{</span> </span></span><span class=line><span class=cl> <span class=nx>s</span><span class=p>.</span><span class=nx>digit</span><span class=p>[</span><span class=nx>pos</span><span class=p>]</span> <span class=p>=</span> <span class=mi>0</span> </span></span><span class=line><span class=cl> <span class=k>return</span> <span class=kc>true</span> </span></span><span class=line><span class=cl> <span class=p>}</span> </span></span><span class=line><span class=cl> <span class=k>return</span> <span class=kc>false</span> </span></span><span class=line><span class=cl> <span class=p>}</span> </span></span><span class=line><span class=cl><span class=p>}</span></span></span></code></pre></div><p>We will talk more about the boolean return value later.</p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2017/08/framework-for-writing-flexible-bruteforcers/#more">Continue reading…</a></p>Patching ZIP Fileshttps://irq5-7854a1fdb9f4.pages.dev/2015/07/patching-zip-files/Fri, 03 Jul 2015 15:31:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2015/07/patching-zip-files/<p>I have recently been working with VM images and to transport & distribute them conveniently I had to zip them up. I mainly work in a Windows environment and I use <a href=http://www.7-zip.org/ rel=noopener target=_blank class=external>7-Zip</a> for packing and unpacking archives. It’s actually quite nice (and free), if you don’t mind the spartan interface. On my workstation, I have NTFS file encryption (EFS) enabled on my home directory. The way this works is that you can selectively encrypt files and folders by setting a special attribute on these items.</p><p><picture><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2015/img/screen-ntfs-encrypt.png alt="NTFS encryption attribute" width=394 height=300 class=noinvert></picture></p><p>I was in a hurry to prepare a VM image for a class and I used 7-Zip to archive the entire VM folder. The problem was, this encryption attribute was also recorded in the ZIP file and I only realized it when I unpacked it on a machine for testing right before the class started. On a machine that does not use NTFS, it warns the user and asks if it should continue extracting unencrypted. On a machine <em>with</em> NTFS, the destination files get encrypted and Windows starts nagging the user to back up the EFS keys. Compressing a 9 GB image into a 3 GB ZIP file took about 40 minutes, so there was really no time left to decrypt the files (EFS really sucks in this regard) and re-compress it into a ZIP file without encryption.</p><p>You can check whether a file is marked for encryption by checking the Attributes column in 7-Zip. (Note that this encryption attribute is native to NTFS and is different from ZIP file encryption.) The attribute string is somewhat cryptic but <code>E</code> means encrypted and <code>A</code> is archive. Interestingly, 7-Zip itself does not restore the encrypted attribute, but the native Windows unzipping functionality does.</p><p><picture><source srcset=/posts/2015/img/screen-zip-attr.png.webp type=image/webp><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2015/img/screen-zip-attr.png alt="ZIP attributes" width=435 height=300 class=noinvert></picture></p><h2 id=patch-all-the-things>Patch All The Things!</h2><p>While I did not manage to solve this annoyance in time for the class, I had this idea to write a tool that would just patch the ZIP file. No changes need to be made to the file data and so there is actually no need to re-compress it.</p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2015/07/patching-zip-files/#more">Continue reading…</a></p>Visualizing Binary Features with matplotlibhttps://irq5-7854a1fdb9f4.pages.dev/2014/12/visualizing-binary-features-with-matplotlib/Fri, 26 Dec 2014 01:18:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2014/12/visualizing-binary-features-with-matplotlib/<p>Some time ago, I started playing around with data analysis and machine learning. One of the more popular tools for such tasks is <em>IPython Notebook</em>, a browser-based interactive REPL shell based on <a href=http://ipython.org/ rel=noopener target=_blank class=external>IPython</a>. Each session becomes a “notebook” that records the entire REPL session with both inputs and (cached) outputs, which can be saved and reviewed at a later time, or exported into another format like HTML. This capability, combined with <a href=http://matplotlib.org/ rel=noopener target=_blank class=external>matplotlib</a> for plotting and <a href=http://pandas.pydata.org/ rel=noopener target=_blank class=external>pandas</a> for slicing and dicing data makes this a handy tool for analyzing and visualizing data. To give you an idea of how useful this tool can be, take a look at some example notebooks using <a href=http://nbviewer.ipython.org/ rel=noopener target=_blank class=external>the online notebook viewer</a>.</p><p>In this quick post, I’ll describe how I visualize binary features (present/not present) and clustering of such data. I am assuming that you already have experience with all of the above-mentioned libraries. For this example, I’ve extracted permissions (<code>uses-permission</code>) and features (<code>uses-feature</code>) used by a set of Android apps using <a href=https://code.google.com/p/androguard/ rel=noopener target=_blank class=external>Androguard</a>. The resulting visualization looks like this:</p><p><picture><source srcset=/posts/2014/img/apps-binary-features-viz.png.webp type=image/webp><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2014/img/apps-binary-features-viz.png alt="visualization of binary features" width=630 height=386></picture></p><p>Each row represents one app and each column represents one feature. More specifically, each column represent whether a permission or feature is used by the app. Such a visualization makes it easy to see patterns, such as which permission or feature is more frequently used by apps (shown as downward streaks), or whether an app uses more or less features compared to other apps (which shows up as horizontal streaks).</p><p>While this may look relatively trivial, when the number of samples increase to thousands of apps, it becomes difficult to make sense of all the rows & columns in the data table by staring at it.</p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2014/12/visualizing-binary-features-with-matplotlib/#more">Continue reading…</a></p>Bruteforcing LUKS Volumes Explainedhttps://irq5-7854a1fdb9f4.pages.dev/2014/11/bruteforcing-luks-volumes-explained/Wed, 19 Nov 2014 02:01:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2014/11/bruteforcing-luks-volumes-explained/<p>Some weeks back, we were forced to reboot one of our server machines because it stopped responding. When the machine came back up, we were greeted with a password prompt to decrypt the partition. No problem, since we always used a password combination (ok, permutation) that consisted of a few words, something along the lines of “john”, “doe”, “1954”, and the server’s serial number. Except that it didn’t work, and we forgot the permutation rules AND whether we used “john” “doe” or “jack” “daniels”.</p><p>All the search results for bruteforcing LUKS are largely the same – “use <code>cryptsetup luksOpen --test-passphrase</code>”. In my case, the physical server is in the server room, and I don’t want to stand in front of the rack trying to figure all this out. My question is, can I do this offline on another machine? None of those blog entries were helpful in this regard.</p><h2 id=the-luks-header>The LUKS Header</h2><p>To answer this question, I took a look at the LUKS header. This header is what provides multiple “key slots”, allowing you to specify up to 8 passwords or key files that can decrypt the volume. <a href=https://gitlab.com/cryptsetup/cryptsetup rel=noopener target=_blank class=external>cryptsetup</a> is the standard userspace tool (and library) to manipulate and mount LUKS volumes. Since LUKS was designed based on TKS1, the <a href=https://gitlab.com/cryptsetup/cryptsetup/-/wikis/TKS1 rel=noopener target=_blank class=external>TKS1 document</a> referenced by the cryptsetup project was very helpful. After consulting the documentation & code, I came up with the following diagram that describes the LUKS key verification process:</p><p><picture><source srcset=/posts/2014/img/luks-encryption-flowchart.png.webp type=image/webp><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2014/img/luks-encryption-flowchart.png alt="LUKS encryption flowchart" width=1200 height=396></picture></p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2014/11/bruteforcing-luks-volumes-explained/#more">Continue reading…</a></p>Creating Minimal Throw-away CentOS 6 VMshttps://irq5-7854a1fdb9f4.pages.dev/2014/08/creating-minimal-throw-away-centos-6-vms/Sun, 24 Aug 2014 02:23:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2014/08/creating-minimal-throw-away-centos-6-vms/<p>Whether you are using CentOS for a build server or simply testing out a new configuration, you can quickly create a VM (virtual machine) that is under 1GB. You can do this without downloading any special tools or ISO files – just the CentOS installation DVD and VirtualBox (or VMware if you prefer).</p><p>I like the text-based console, so you won’t be getting a GUI or fancy Linux desktop with this one. Given its small size, you could also archive the entire environment (or even several of them) for future use without having to waste gigabytes of free space. These environments also serve as a base which can be upgraded or added onto to provide more functionality later.</p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2014/08/creating-minimal-throw-away-centos-6-vms/#more">Continue reading…</a></p>Encrypt All the Driveshttps://irq5-7854a1fdb9f4.pages.dev/2014/04/encrypt-all-the-drives/Tue, 08 Apr 2014 01:50:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2014/04/encrypt-all-the-drives/<p>I have always been an advocate on storage security (all types of security, actually). I like how iOS devices keep all files encrypted, even if you do not set a passcode on the device. They do this to facilitate quick erasure of files on the device – to erase all the data, they simply wipe the master key.</p><p>Erasing magnetic storage media isn’t difficult, but it is time-consuming. For solid state media such as SSDs and flash drives, the wear-leveling makes it difficult to ensure that all flash blocks have been securely overwritten. The answer to this is to encrypt everything.</p><p><picture><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2014/img/encrypt-all-the-drives.png alt="Encrypt all the drives!! (meme)" width=439 height=327 class=noinvert></picture></p><p>Recently I have been busy building a Linux-based NAS and I decided to put this to practice.</p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2014/04/encrypt-all-the-drives/#more">Continue reading…</a></p>Implementing EAP-SIM at Homehttps://irq5-7854a1fdb9f4.pages.dev/2013/12/implementing-eap-sim-at-home/Mon, 23 Dec 2013 00:57:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2013/12/implementing-eap-sim-at-home/<p>EAP-SIM is one of the authentication methods that can be used in an 802.1x or WPA Enterprise network. Specifically, it relies on the user’s SIM card to process a presented challenge. This has been used by some telcos to provide WiFi service without having to maintain a separate set of credentials. However, not all phones support EAP-SIM.</p><p><picture><source srcset=/posts/2013/img/eap-sim-7433.jpg.webp type=image/webp><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2013/img/eap-sim-7433.jpg alt="Phone displaying EAP-SIM as a WiFi authentication method" width=640 height=359></picture></p><p>Since I’m already using a RADIUS setup at home, the use of EAP-SIM will eliminate the need to install my CA certs onto each device. But of course, there is still a fair bit of work to do…</p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2013/12/implementing-eap-sim-at-home/#more">Continue reading…</a></p>Quick & Dirty PHP Devel Setup on Windowshttps://irq5-7854a1fdb9f4.pages.dev/2013/06/quick-dirty-php-devel-setup-on-windows/Tue, 18 Jun 2013 00:23:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2013/06/quick-dirty-php-devel-setup-on-windows/Here’s a quick tip if you’re developing a really simple PHP site and need a development setup on Windows with minimal fuss. Don’t bother with a full LAMP stack like XAMPP, which requires you to run a batch file that will rewrite its Apache and PHP configuration files. PHP version 5.4.0 and above comes with a handy built-in webserver. Simply download the binaries for Windows and unzip it into a directory of your choice.<p><a href="https://irq5-7854a1fdb9f4.pages.dev/2013/06/quick-dirty-php-devel-setup-on-windows/#more">Continue reading…</a></p>Decoding BCARD Conference Badgeshttps://irq5-7854a1fdb9f4.pages.dev/2013/04/decoding-bcard-conference-badges/Sat, 13 Apr 2013 01:28:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2013/04/decoding-bcard-conference-badges/<p>Last month, I had the opportunity to fly halfway around the world to attend <em>RSA Conference 2013</em>. Everyone was given a lanyard and badge which contains your information entered during registration. When you visit booths, they can then scan your badge to collect your information and follow up by sending you spam.</p><p><picture><source srcset=/posts/2013/img/rsa-conf-pass.jpg.webp type=image/webp><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2013/img/rsa-conf-pass.jpg alt="RSA conference pass" width=640 height=427></picture></p><p>The scanner varies across different booths, but mostly it’s an Android device that ran a custom software. Since it had a large NXP logo, let’s try to read it with the <a href="https://play.google.com/store/apps/details?id=com.nxp.taginfolite" rel=noopener target=_blank class=external>NFC TagInfo app</a>. Looks like the tag identifies itself as a NDEF message but the data is gibberish.</p><p><picture><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2013/img/bcard_taginfo.png alt="Data in the BCARD as decoded by TagInfo" width=720 height=1034 class="half noinvert"></picture></p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2013/04/decoding-bcard-conference-badges/#more">Continue reading…</a></p>Debugging Fun with JNIhttps://irq5-7854a1fdb9f4.pages.dev/2012/02/debugging-fun-with-jni/Wed, 29 Feb 2012 21:25:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2012/02/debugging-fun-with-jni/Our proprietary system, written in a mix of Java and C++, was crashing quite often. It only started happening after some new features were added, so naturally that became the prime suspect, but my colleague claimed it was because the process ran out of memory. I wrote a small test case to see if an out-of-memory situation would cause this, and true enough, it did. The JVM generated a crash log file that looked like this (I’ve omitted the unimportant parts):<p><a href="https://irq5-7854a1fdb9f4.pages.dev/2012/02/debugging-fun-with-jni/#more">Continue reading…</a></p>Python bindings for iTunesMobileDevice.dllhttps://irq5-7854a1fdb9f4.pages.dev/2011/09/python-bindings-for-itunesmobiledevice.dll/Mon, 12 Sep 2011 01:24:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2011/09/python-bindings-for-itunesmobiledevice.dll/Oddly enough I can’t seem to find a Python wrapper for iTunesMobileDevice.dll. I did manage to find a C# equivalent called Manzana though, which is quite widely used. Anyhow, I bit the bullet and read through the ctypes documentation and wrote AMDevice.py which exposes some simple classes to handle connecting to an iPhone. I only implemented the minimal set of functions required to download and upload files to the iPhone, as I wrote this primarily for my iPhone SMS import script.<p><a href="https://irq5-7854a1fdb9f4.pages.dev/2011/09/python-bindings-for-itunesmobiledevice.dll/#more">Continue reading…</a></p>Importing SMSes into the iPhonehttps://irq5-7854a1fdb9f4.pages.dev/2011/06/importing-smses-into-the-iphone/Sat, 18 Jun 2011 17:15:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2011/06/importing-smses-into-the-iphone/Since my iPhone 3GS died, I have been using my dad’s Samsung Jet as a temporary replacement phone. I really can’t stand the resistive touch screen - tapping backspace will at times hit the T9 button when I’m composing an SMS. Also, I miss the display of SMSes as a conversation with both sent and received messages in a single place. I obsess over keeping chat history, so naturally I want to find a way to preserve these messages on the phone.<p><a href="https://irq5-7854a1fdb9f4.pages.dev/2011/06/importing-smses-into-the-iphone/#more">Continue reading…</a></p>Publishing Services over mDNS in Chttps://irq5-7854a1fdb9f4.pages.dev/2011/04/publishing-services-over-mdns-in-c/Sun, 10 Apr 2011 23:26:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2011/04/publishing-services-over-mdns-in-c/For some time now I’ve been looking into mDNS-advertised services. My aim was to advertise a service using mDNS in a C program. Typically, doing this is really easy: call the Bonjour or Avahi APIs, and the system-wide daemon will do the rest for you. The problem arises when there is no system-wide daemon such as mDNSResponder (if you’re on a Mac or Windows) or Avahi (for the other OSes). This usually happens when you’re on an embedded system, like a router that runs Linux.<p><a href="https://irq5-7854a1fdb9f4.pages.dev/2011/04/publishing-services-over-mdns-in-c/#more">Continue reading…</a></p>MIDI to USB (Serial) Converterhttps://irq5-7854a1fdb9f4.pages.dev/2011/03/midi-to-usb-serial-converter/Sat, 12 Mar 2011 19:37:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2011/03/midi-to-usb-serial-converter/<p>MIDI is actually just serial data at 31,250bps in <a href=http://en.wikipedia.org/wiki/8-N-1 rel=noopener target=_blank class=external>8N1</a> format that is transmitted over a 5-pin DIN cable. This means you can receive MIDI data from your musical instrument using a serial port, or an <a href=http://www.ftdichip.com/Products/Cables/USBTTLSerial.htm rel=noopener target=_blank class=external>FTDI cable</a>.</p><p>Receiving MIDI data over the FTDI cable doesn’t magically turn your USB serial device into a MIDI device - you need to be running a software bridge or a driver that pretends to be a virtual MIDI device emitting these messages. For this purpose, I shall use the <a href=http://www.spikenzielabs.com/SpikenzieLabs/Serial_MIDI.html rel=noopener target=_blank class=external>Serial MIDI Converter</a> from SpikenzieLabs.</p><p>I’m using Mac OS X 10.6.6 and the latest Java update, so I didn’t need any extra JAR files.</p><h1 id=wiring-it-up>Wiring It Up</h1><p>The circuit is relatively simple - you need the DIN socket, an opto-isolator, 2 resistors, and optionally a diode. In my case, parts came from a scrap bin, so I used a 330 ohm resistor instead of a 220 ohm for Rb and a 1K for Rd instead of 280 ohms. For the opto-isolator, element14 had some non-RoHS CNY17-2 on sale, so I just used that.</p><p><picture><img src=https://irq5-7854a1fdb9f4.pages.dev/posts/2011/img/midi_schematic.png alt="MIDI hookup schematic" width=468 height=285></picture></p><p>Note that the RXD output is only meant for interfacing with a TTL circuit like an FTDI chip/cable or MAX232 transceiver, not the RS232 serial port directly.</p><p>You can find the same circuit diagram (with different values & parts) in the official <a href=http://www.midi.org/techspecs/electrispec.php rel=noopener target=_blank class=external>MIDI Electrical Specification Diagram</a>.</p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2011/03/midi-to-usb-serial-converter/#more">Continue reading…</a></p>mdns-repeater: mDNS across subnetshttps://irq5-7854a1fdb9f4.pages.dev/2011/01/mdns-repeater-mdns-across-subnets/Sun, 02 Jan 2011 03:51:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2011/01/mdns-repeater-mdns-across-subnets/<p><strong>Update 21-Sep-2011: Added an <a href=#Installation rel=noopener>Installation</a> section and updated the binaries on Bitbucket.</strong></p><p>As you may know, I have a couple of Apple devices. Apple is fond of using Multicast DNS (mDNS) for their service discovery. The recent addition to these services being AirPrint (wireless printing service) and AirPlay (wireless audio/video streaming) from your iOS devices.</p><p>My home is setup in such a way that the wired and wireless networks are on 2 separate subnets. mDNS uses a multicast address that is “administratively scoped”, meaning the packets will not travel across subnets. I tried fiddling around with iptables rules and looked around for how I can route these packets across the subnets, but to no avail.</p><p>There is another solution - a repeater daemon that sits on the router and repeats packets between the 2 subnets. <a href=http://avahi.org rel=noopener target=_blank class=external>Avahi</a> is used to provide mDNS services and it has a reflector mode that does exactly this. A more lightweight solution was <a href=http://www.smittyware.com/linux/tivobridge/ rel=noopener target=_blank class=external>TiVoBridge</a>, which supposedly performs the same task but it’s much smaller. I tried to compile and set up TiVoBridge, but it required a config file and I couldn’t really get it to work the way I wanted it to. There’s an even lighter-weight solution called <a href=http://svn.ninux.org/svn/ninuxdeveloping/say/trunk/ rel=noopener target=_blank class=external>SAY</a>, but it uses libpcap.</p><p>Enter <a href=http://bitbucket.org/geekman/mdns-repeater/ rel=noopener target=_blank class=external>mdns-repeater</a> - a small Linux daemon that does exactly what I want it to do. I have a Linksys WRT54G which runs dd-wrt. This program was intended to be compiled for and installed on the Linksys router. As with all other programs that run on the router, it requires no configuration.</p><p>The default dd-wrt configuration has 2 interfaces - <code>vlan1</code> for the WAN interface and <code>br0</code> for the wireless interface (and 4-port switch). The program accepts the arguments <code>vlan1</code> and <code>br0</code> and begins repeating packets from <code>vlan1</code> to <code>br0</code> and vice-versa. I can now get my iOS devices to detect wired servers like a print server for AirPrint.</p><p><em>mdns-repeater</em> is released under GPLv2. Feel free to change it to repeat whatever protocol you want. Patches to add functionality and bug fixes are welcome. You can contact me via bitbucket.org, or if you clone the repository my email is in the commits.</p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2011/01/mdns-repeater-mdns-across-subnets/#more">Continue reading…</a></p>Raw binary protocol analysis with Wiresharkhttps://irq5-7854a1fdb9f4.pages.dev/2010/09/raw-binary-protocol-analysis-with-wireshark/Mon, 20 Sep 2010 21:22:00 +0000https://irq5-7854a1fdb9f4.pages.dev/2010/09/raw-binary-protocol-analysis-with-wireshark/<p>I’m currently trying to analyze a binary protocol between 2 devices, but their communication does not occur over the network, neither can it be sniffed easily. Since this involves communication between 2 parties, I think the most apt software for analyzing such “conversations” would be <strong>Wireshark</strong>.</p><p>Wireshark allows for custom protocol dissectors. Writing such a dissector is usually done in C for speed, but I didn’t really want to setup the whole compilation environment to compile Wireshark. Fortunately, the Wireshark (Windows) binaries are compiled with Lua scripting support, which can also be used to write dissectors (although they run slower than C implementations).</p><p><a href="https://irq5-7854a1fdb9f4.pages.dev/2010/09/raw-binary-protocol-analysis-with-wireshark/#more">Continue reading…</a></p>