Exception(al) Failure - Breaking the STM32F1 Read-Out Protection. Our observation shows that once an exception takes place, the vector fetch exposes protected flash memory content through the PC.
In this section, we discuss how this behaviour can be exploited to bypass the read-out protection of the STM32F1. We already mentioned the vector table: it contains the initialization value of the main stack pointer (MSP) followed by an entry address for every exception. The vector table for microcontrollers based on the ARMv7-M architecture is shown in Table 1. Getting Statically Linked Binaries under Debian. Say you need e.g. a statically linked mkdosfs under Debian (see ). figure out which package contains your binary Fetch the build dependencies for the package Fetch the source package (Make sure you have some deb-src lines in /etc/apt/sources.list) find the directory that contains the binary $ find dosfstools-2.11/ -iname mkdosfs -exec file {} \; dosfstools-2.11/mkdosfs/mkdosfs: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.8, dynamically linked (uses shared libs), not stripped $ cd dosfstools-2.11/mkdosfs/ Recompile the binary, statically linking $ export CFLAGS=-static $ export LDFLAGS=-static $ export CPPFLAGS=-static $ make mkdosfs cc -static mkdosfs.o -o mkdosfs $ file mkdosfs mkdosfs: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.8, statically linked, not stripped.
The story of how qemu met MIPS and created netcat – Intrepidus Group - Insight. Earlier this week I found myself in a predicament when I was reversing a stripped down MIPS embedded device.
The device had minimal available memory and the only real executables on it were an even more stripped down busybox executable, tftp, and tcpdump. My goal was to obtain tcpdump logs being captured on device, but due to the lack of NFS support and the minimal available memory, I had very few options. Initially I attempted to write the tcpdump logs to a file, and tftp them up to my local box. This became an issue when the log file became too large and all of the running processes started crashing. Trying to get my timing correct for the tftp command to execute, before everything went haywire, became a serious frustration.
First, I downloaded every MIPS netcat I could find and tried to run them on the device. The story of how qemu met MIPS and created netcat. Earlier this week I found myself in a predicament when I was reversing a stripped down MIPS embedded device.
The device had minimal available memory and the only real executables on it were an even more stripped down busybox executable, tftp, and tcpdump. My goal was to obtain tcpdump logs being captured on device, but due to the lack of NFS support and the minimal available memory, I had very few options. Initially I attempted to write the tcpdump logs to a file, and tftp them up to my local box. This became an issue when the log file became too large and all of the running processes started crashing. Trying to get my timing correct for the tftp command to execute, before everything went haywire, became a serious frustration.
Telnetftp / mips rk. Corss Compile tcpdump for linux/mips. Setting up a reverse SSH tunnel using PuTTY. WWW.Smythies.com. Setting up a reverse SSH tunnel using PuTTY.
WWW.Smythies.com These notes are merely because I keep forgetting how to set up two reverse Secure Shell (SSH) tunnels, which are then used to have two tcpdump sessions, one for each of eth0 and eth1, feeding data to two instances of wireshark running on a windows PC. (also requires a windows version of netcat, ncat, installed on the windows PC). Modifikationen der Fritz!Box. Über einen FTP-Zugang ist es möglich, Dateien von der Fritz!
Toolchains - LinuxMIPS. A toolchain is a complete collection of compiler and binutils programs and can be run either as a cross-compiler, or native on the target (if performance allows).
Pre-built/Build Kits MIPS Technologies UK maintains their own source tree for the toolchain components. SDE combines all necessary GNU tools, is infrequently resynchronized with mainstream GNU releases (which inevitably have bugs for less widely used architectures such as MIPS) and focuses on supporting the full range of ISAs, ASEs and cores, as well as providing the most reliable, best-performing compiler for the largest range of MIPS CPUs. See MIPS SDE Installation. Note that the pre-built cross-compiler is only suitable for building a Linux kernel, and cannot be used to create Linux applications or shared objects.
OpenWrt. OpenWrt can be run on CPE routers, residential gateways, smartphones (e.g.
Neo FreeRunner), pocket computers (e.g. Ben NanoNote), and laptops (e.g. One Laptop per Child (OLPC)). Also, it is possible to run OpenWrt on ordinary computers (e.g. x86 architecture). Many patches from the OpenWrt source base have been included upstream in the Linux kernel mainline. Try Sourcery CodeBench free for 30 days. Reverse Engineering - Perusing the release notes for the latest Linksys WRT120N firmware, one of the more interesting comments reads: Firmware 1.0.07 (Build 01) - Encrypts the configuration file.
Having previously reversed their firmware obfuscation and patched their code to re-enable JTAG debugging, I thought that surely I would be able to use this access to reverse the new encryption algorithm used to secure their backup configuration files. Boy was I giving them way too much credit. Here’s a diff of two backup configuration files from the WRT120N.
The only change made between backups was that the administrator password was changed from “admin” in backup_config_1.bin to “aa” in backup_config_2.bin: Documentation - firmware-mod-kit - Firmware Mod Kit Documentation - This kit allows for easy deconstruction and reconsutrction of firmware images for various embedded devices. Introduction The Firmware Mod Kit allows for easy deconstruction and reconstruction of firmware images for various embedded devices.
While it primarily targets Linux based routers, it should be compatible with most firmware that makes use of common firmware formats and file systems such as TRX/uImage and SquashFS/CramFS. Prerequisites In order to use the Firmware Mod Kit, you must have a subversion client, standard Linux development tools (gcc, make, etc), the python-magic module, and the zlib and lzma development packages.
Rpef - Module Documentation - Redmine. Owning the Network - Adventures in Router Rootkits.
Android.