CRC Algorithm finder

I’m working on embedded devices again and I’ve had to discover a variety of CRC algorithm in play for checksumming different parts of firmware images. I whipped up a quick python script to search for a predefined algorithm in python’s crcmod that computes a known checksum against a set of data.


# Finds a CRC algorithm based on data and known CRC
# Requires crcmod

import crcmod

def find_crc(data, expected_crc):
    for predef in crcmod.predefined._crc_definitions:
        crc = crcmod.predefined.mkCrcFun(predef['name'])
        if(crc(data) == expected_crc):
    return None

if __name__ == '__main__':
    import argparse
    parser = argparse.ArgumentParser(description='Find CRC algorithm')
    parser.add_argument('infile', help='File containing the data (in binary) to CRC. - for stdin')
    parser.add_argument('crc', help='Expected CRC')

    args = parser.parse_args()
    data = None
    if args.infile == '-':
        import sys
        data =
        with open(args.infile, 'rb') as f:
            data =

    excrc = int(args.crc, 0)

    crc = find_crc(data, excrc)

    if crc:
        print('crcmod predefined algorithm \'%s\' produced %X from the provided data' % (crc, excrc))
        print('crcmod predefined algorithm not found')

To use, extract the set of data and known crc from the binary under analysis and then run the script:

nada@unit-01:~$ ./ data.bin 0x87accff7
crcmod predefined algorithm 'crc-32-bzip2' produced 87ACCFF7 from the provided data nada@unit-01:~$

Happy Reversing!

No Comments

From RF to bytes with an RTL-SDR

I recently un-earthed my RTL-SDR after moving. I also received two RF remote controls for the garage door. It seemed like a good idea to put the two together to see if I could discover what the remotes were transmitting.

The back of one of the remote controls handily listed it’s serial number, FCC ID and the frequency on which it transmits. In this case it transmits at 318MHz. I was expecting that it encoded the transmitted data with On-Off Keying (OOK), also called Amplitude Shift Keying (ASK). OOK is quite simple to generate and decode, which helps keep costs down. The device has multiple buttons, so some bits identifying the pressed button were expected. The serial number was also expected to be present, as well as a code of some description.
Read the rest of this entry »

, , , , , ,

1 Comment

Hacking an Actions MP4 video player to show server statistics

The MP4 player is a small movie player that was used by real estate agents to advertise properties, typically by posting them to potential clients. I saw it on a friend’s desk at his house and asked about it, not being able to pass up an opportunity. Anything with electronics, screens, and batteries will always grab my attention. He had already removed it from its housing / box so I’ve got no idea what it originally looked like. Read the rest of this entry »

, , , , ,


Reverse Engineering the FFS Flash File System Format

As part of de-bricking a Talkswitch TS-450i IP Phone I needed to see and extract the files within the flash image so that I could replace corrupt ones with known good versions. That required reverse engineering the in-flash format of the file system as there was no way to get files off the device, only onto it.
Read the rest of this entry »

, , , , , , , ,


Getting root on a TELUS VGS1432 cable modem and router

ZyXEL VSG1432A friend of mine recently issued me with a challenge to try to break into his router. I would have LAN access (via WiFi), but that would be it, no touchy touchy. I’d wanted the chance to try and get a copy of the firmware on these routers, as it isn’t available for download, in order to poke around. This router came with a package from Telus so it was likely running firmware that differed in some way to the stock ZyXEL image.

Read the rest of this entry »

, , , , , , , ,


Triton 9610 ATM Teardown

A few years ago I got a Triton 9610 single cassette ATM of craigslist as something to play with. While I did take a look at it and started to reverse engineer it, over time I lost interest and it became a potplant stand. I finally decided to get rid of it and I thought I’d rip it to bits and take a bunch of photos during the process.
A nice potplant standIMG_9643_small
Read the rest of this entry »

, , ,

No Comments

Finding JTAG on a Canon ELPH100HS (IXUS115)

I’m currently working on a project involving a Canon ELPH100HS point and shoot camera and my first task was to tear it apart and find any low level hardware access that I could. I chose the IXUS115 mainly for it’s full 1080p video recording capabilities and there is a CHDK port for it, which, it was hoped, would make the reversing and hacking process easier. I was hoping to find a serial console port and JTAG access to the processor, to aid programming and debugging.
Read the rest of this entry »

, , , ,

1 Comment

Dragonfly Ordainment

For my girlfriend’s birthday the other week I made her a dragonfly ordainment.
Here’s how I built it.
Read the rest of this entry »

No Comments

Steampunk Inspired Goggles

I had been meaning to make a set of goggles for a while and when a pair of broken 58mm lenses came into my possession I couldn’t resist. Here is how I went from raw materials to the finished goggles, which took the best part of a day to accomplish.

Read the rest of this entry »

, ,

No Comments

GPS Logger VIII – What happened?

So over two years ago I set out to build a GPS Logger to take hiking and traveling. Everything was assembled and it was good to go (almost) and hasn’t moved from that state. Driving around Australia for 2 years and then taking off around the world has a way of putting a cramp in finishing projects.
Read the rest of this entry »


No Comments