CRC Algorithm finder
I’m working on embedded devices again and I’ve had to discover a variety of CRC algorithms in play for checksumming different parts of firmware images. I whipped up a quick Python script that searches the predefined algorithms in Python’s crcmod module for one that computes a known checksum over a set of data.
#!/usr/bin/python2
# Finds a CRC algorithm based on data and known CRC
# Requires crcmod
import crcmod

def find_crc(data, expected_crc):
    for predef in crcmod.predefined._crc_definitions:
        crc = crcmod.predefined.mkCrcFun(predef['name'])
        if crc(data) == expected_crc:
            return predef['name']
    return None

if __name__ == '__main__':
    import argparse
    parser = argparse.ArgumentParser(description='Find CRC algorithm')
    parser.add_argument('infile', help='File containing the data (in binary) to CRC. - for stdin')
    parser.add_argument('crc', help='Expected CRC')
    args = parser.parse_args()
    data = None
    if args.infile == '-':
        import sys
        data = sys.stdin.read()
    else:
        with open(args.infile, 'rb') as f:
            data = f.read()
    excrc = int(args.crc, 0)
    crc = find_crc(data, excrc)
    if crc:
        print('crcmod predefined algorithm \'%s\' produced %X from the provided data' % (crc, excrc))
    else:
        print('crcmod predefined algorithm not found')
To use, extract the set of data and known crc from the binary under analysis and then run the script:
nada@unit-01:~$ ./crcfind.py data.bin 0x87accff7
crcmod predefined algorithm 'crc-32-bzip2' produced 87ACCFF7 from the provided data
nada@unit-01:~$
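The script above leans on crcmod's table of predefined algorithms. The following is an added example, not the script from this post, that implements the parameterised CRC model (width, polynomial, initial value, input/output reflection, final XOR) directly in Python 3 so the search runs with no third-party module and the parameters being tried are visible. The catalogue of eight algorithms is this example's own selection (the names loosely follow crcmod's, the parameters are the standard published ones); the `candidate_values` helper is also an assumption, covering the case where the checksum field has been read out of the image as raw bytes and its byte order is not yet known. `find_crc` returns every match rather than the first one, because a short data sample can satisfy more than one algorithm, and a match should be confirmed against a second data/CRC pair before relying on it.

```python
#!/usr/bin/env python3
# Added example (not the blog's script): self-contained CRC search built on a
# generic implementation of the parameterised ("Rocksoft") CRC model.
from collections import namedtuple

CrcParams = namedtuple("CrcParams", "width poly init refin refout xorout")

# Hand-picked catalogue of common algorithms (the selection is an assumption of
# this example; the parameter sets are the standard published ones).
CATALOGUE = {
    "crc-8":           CrcParams(8,  0x07,       0x00,       False, False, 0x00),
    "xmodem":          CrcParams(16, 0x1021,     0x0000,     False, False, 0x0000),
    "crc-ccitt-false": CrcParams(16, 0x1021,     0xFFFF,     False, False, 0x0000),
    "crc-16":          CrcParams(16, 0x8005,     0x0000,     True,  True,  0x0000),
    "modbus":          CrcParams(16, 0x8005,     0xFFFF,     True,  True,  0x0000),
    "crc-32":          CrcParams(32, 0x04C11DB7, 0xFFFFFFFF, True,  True,  0xFFFFFFFF),
    "crc-32-bzip2":    CrcParams(32, 0x04C11DB7, 0xFFFFFFFF, False, False, 0xFFFFFFFF),
    "crc-32-mpeg":     CrcParams(32, 0x04C11DB7, 0xFFFFFFFF, False, False, 0x00000000),
}


def reflect(value, width):
    """Reverse the order of the low `width` bits of `value`."""
    out = 0
    for _ in range(width):
        out = (out << 1) | (value & 1)
        value >>= 1
    return out


def crc_generic(data, p):
    """Bit-serial CRC of `data` (bytes) under parameters `p`; assumes p.width >= 8."""
    topbit = 1 << (p.width - 1)
    mask = (1 << p.width) - 1
    crc = p.init
    for byte in data:
        if p.refin:                      # reflected-input algorithms feed bits LSB first
            byte = reflect(byte, 8)
        crc ^= byte << (p.width - 8)     # align the byte with the top of the register
        for _ in range(8):
            if crc & topbit:
                crc = ((crc << 1) ^ p.poly) & mask
            else:
                crc = (crc << 1) & mask
    if p.refout:
        crc = reflect(crc, p.width)
    return crc ^ p.xorout


def find_crc(data, expected_crc, catalogue=CATALOGUE):
    """Names of every catalogue entry whose CRC over `data` equals `expected_crc`.

    Returns a list because a short sample can match more than one algorithm;
    an empty list means nothing in the catalogue reproduced the value.
    """
    return [name for name, p in catalogue.items()
            if crc_generic(data, p) == expected_crc]


def candidate_values(raw_crc_bytes):
    """Both byte-order readings of a checksum field extracted as raw bytes."""
    return {"little": int.from_bytes(raw_crc_bytes, "little"),
            "big": int.from_bytes(raw_crc_bytes, "big")}


if __name__ == "__main__":
    sample = b"123456789"                          # constructed: the usual CRC "check" input
    stored = (0xFC891918).to_bytes(4, "big")       # constructed: CRC-32/BZIP2 of the sample, as stored big-endian
    for order, value in candidate_values(stored).items():
        print("%-6s 0x%08X -> %s" % (order, value, find_crc(sample, value) or "no match"))
```

Running it tries both readings of the stored field; only the big-endian one matches, and it matches a single entry, `crc-32-bzip2`. To use it on a real image, replace `sample` with the checksummed region and `stored` with the bytes of the checksum field, exactly as in the post's workflow.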
Happy Reversing!
From RF to bytes with an RTL-SDR
I recently un-earthed my RTL-SDR after moving. I also received two RF remote controls for the garage door. It seemed like a good idea to put the two together to see if I could discover what the remotes were transmitting.
The back of one of the remote controls handily listed its serial number, FCC ID and the frequency on which it transmits. In this case it transmits at 318MHz. I was expecting that it encoded the transmitted data with On-Off Keying (OOK), also called Amplitude Shift Keying (ASK). OOK is quite simple to generate and decode, which helps keep costs down. The device has multiple buttons, so some bits identifying the pressed button were expected. The serial number was also expected to be present, as well as a code of some description.
Reverse Engineering the FFS Flash File System Format
As part of de-bricking a Talkswitch TS-450i IP Phone I needed to see and extract the files within the flash image so that I could replace corrupt ones with known good versions. That required reverse engineering the in-flash format of the file system as there was no way to get files off the device, only onto it.
Getting root on a TELUS VGS1432 cable modem and router
A friend of mine recently issued me with a challenge to try to break into his router. I would have LAN access (via WiFi), but that would be it, no touchy touchy. I’d wanted the chance to try and get a copy of the firmware on these routers, as it isn’t available for download, in order to poke around. This router came with a package from Telus so it was likely running firmware that differed in some way to the stock ZyXEL image.
Dragonfly Ordainment
For my girlfriend’s birthday the other week I made her a dragonfly ordainment.
Here’s how I built it.
Steampunk Inspired Goggles
I had been meaning to make a set of goggles for a while and when a pair of broken 58mm lenses came into my possession I couldn’t resist. Here is how I went from raw materials to the finished goggles, which took the best part of a day to accomplish.
GPS Logger VIII – What happened?
So over two years ago I set out to build a GPS Logger to take hiking and traveling. Everything was assembled and it was good to go (almost) and hasn’t moved from that state. Driving around Australia for 2 years and then taking off around the world has a way of putting a cramp in finishing projects.