Archive for category Hack
CRC Algorithm finder
I’m working on embedded devices again and I’ve had to identify a variety of CRC algorithms in use for checksumming different parts of firmware images. I whipped up a quick Python script that searches the predefined algorithms in Python’s crcmod module for one that computes a known checksum over a given block of data.
```python
#!/usr/bin/python2
# Finds a CRC algorithm based on data and known CRC
# Requires crcmod
import crcmod
import crcmod.predefined

def find_crc(data, expected_crc):
    # Walk crcmod's table of predefined algorithms (a private attribute, but
    # the only complete list of names it carries) and try each in turn
    for predef in crcmod.predefined._crc_definitions:
        crc = crcmod.predefined.mkCrcFun(predef['name'])
        if crc(data) == expected_crc:
            return predef['name']
    return None

if __name__ == '__main__':
    import argparse
    import sys
    parser = argparse.ArgumentParser(description='Find CRC algorithm')
    parser.add_argument('infile', help='File containing the data (in binary) to CRC. - for stdin')
    parser.add_argument('crc', help='Expected CRC')
    args = parser.parse_args()
    if args.infile == '-':
        # Read raw bytes: sys.stdin.buffer on Python 3, plain sys.stdin on Python 2
        data = getattr(sys.stdin, 'buffer', sys.stdin).read()
    else:
        with open(args.infile, 'rb') as f:
            data = f.read()
    excrc = int(args.crc, 0)   # base 0 accepts 0x.. hex, 0o.. octal or decimal
    crc = find_crc(data, excrc)
    if crc:
        print('crcmod predefined algorithm \'%s\' produced %X from the provided data' % (crc, excrc))
    else:
        print('crcmod predefined algorithm not found')
```
To use, extract the data and the known CRC from the binary under analysis and then run the script. The data must be the exact byte range the firmware computes its CRC over (typically excluding the stored checksum field itself), otherwise no predefined algorithm will match:
nada@unit-01:~$ ./crcfind.py data.bin 0x87accff7
crcmod predefined algorithm 'crc-32-bzip2' produced 87ACCFF7 from the provided data
nada@unit-01:~$
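When none of crcmod's predefined names match (a vendor using a standard polynomial with a non-standard initial value is common), the next step is to search the CRC parameter space directly. The following is an added example, not the script from this post: a parameterised CRC in the Rocksoft/Williams model (width, poly, init, refin, refout, xorout) plus a small search over common polynomials and the usual init/reflect/xorout choices. The candidate polynomial list is a constructed starting point, not exhaustive, and the code assumes widths of 8, 16 or 32 bits.

```python
# Added example (not the post's script): parameterised CRC and a parameter search
# for firmware checksums that no crcmod predefined name reproduces.
from itertools import product

# Constructed list of commonly seen polynomials per width; extend as needed.
CANDIDATE_POLYS = {
    8: [0x07, 0x31, 0x9B, 0x1D],
    16: [0x1021, 0x8005, 0x3D65, 0xC867],
    32: [0x04C11DB7, 0x1EDC6F41, 0xA833982B, 0x814141AB],
}

def reflect(value, bits):
    """Reverse the low `bits` bits of value (bit 0 becomes bit bits-1)."""
    out = 0
    for i in range(bits):
        if value & (1 << i):
            out |= 1 << (bits - 1 - i)
    return out

def crc_generic(data, width, poly, init, refin, refout, xorout):
    """Bit-at-a-time CRC over `data` (bytes) in the Williams parameter model.
    Assumes width is a multiple of 8 so each byte is aligned to the top of the register."""
    mask = (1 << width) - 1
    topbit = 1 << (width - 1)
    reg = init & mask
    for byte in data:
        if refin:
            byte = reflect(byte, 8)
        reg ^= byte << (width - 8)
        for _ in range(8):
            reg = ((reg << 1) ^ poly) & mask if reg & topbit else (reg << 1) & mask
    if refout:
        reg = reflect(reg, width)
    return reg ^ xorout

def find_crc_params(data, expected, width):
    """Try each candidate polynomial with init in {0, all-ones}, reflection
    on/off (applied to input and output together) and xorout in {0, all-ones}.
    Returns the first matching parameter set as a dict, or None."""
    mask = (1 << width) - 1
    for poly, init, refl, xorout in product(CANDIDATE_POLYS[width], (0, mask), (False, True), (0, mask)):
        if crc_generic(data, width, poly, init, refl, refl, xorout) == expected:
            return {"width": width, "poly": poly, "init": init,
                    "refin": refl, "refout": refl, "xorout": xorout}
    return None

if __name__ == "__main__":
    # Constructed sample: the standard CRC check string and the CRC-32/BZIP2 check value
    print(find_crc_params(b"123456789", 0xFC891918, 32))
```

A 16-bit or 8-bit checksum can collide by chance across this search space, so confirm any hit against a second data/CRC pair from the same image before relying on it.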
Happy Reversing!
From RF to bytes with an RTL-SDR
I recently unearthed my RTL-SDR after moving. I also received two RF remote controls for the garage door. It seemed like a good idea to put the two together to see if I could discover what the remotes were transmitting.
The back of one of the remote controls handily listed its serial number, FCC ID and the frequency on which it transmits. In this case it transmits at 318MHz. I was expecting that it encoded the transmitted data with On-Off Keying (OOK), the simplest form of Amplitude Shift Keying (ASK). OOK is quite simple to generate and decode, which helps keep costs down. The device has multiple buttons, so some bits identifying the pressed button were expected. The serial number was also expected to be present, as well as a code of some description.
Reverse Engineering the FFS Flash File System Format
As part of de-bricking a Talkswitch TS-450i IP Phone I needed to see and extract the files within the flash image so that I could replace corrupt ones with known good versions. That required reverse engineering the in-flash format of the file system as there was no way to get files off the device, only onto it.
Getting root on a TELUS VGS1432 cable modem and router
A friend of mine recently issued me with a challenge to try to break into his router. I would have LAN access (via WiFi), but that would be it, no touchy touchy. I’d wanted the chance to try to get a copy of the firmware on these routers, as it isn’t available for download, in order to poke around. This router came with a package from Telus, so it was likely running firmware that differed in some way from the stock ZyXEL image.
File format reverse engineering – Redux
I was contacted by a visitor of this site asking for the following:
‘I read your nice article on file format reverse engineering and was wondering if you could give me a small tip / hint about compression / encryption. I am trying to understand a constant size file format and need to know if by any chance the file is compressed or encrypted in a simpler way, which leaves hope in cracking it.
…
In the case you would like to have a look at the files, I generated 2 pairs. The first file pair differs only in that one variable. The second file’s name and caption are set to “1”, the file 2b to “1111111…” (31 chars)’
As the reader sought advice on how to proceed further and provided enough information to investigate the problem, I took a look.
Using the BusPirate with a SD card
As part of my GPS Logger project I needed to make sure that I could initialise and talk to an SD card over an SPI bus. The BusPirate is an excellent tool for testing the physical and data link layers. All parameters can be checked and adjusted on the fly without having to write any code. When the time comes to write code for the GPS logger, it will work first time, as all the kinks and quirks were quickly worked out with the BusPirate.
This post covers SPI bus setup, card initialisation, reading and writing individual sectors.
File format reverse engineering, an introduction.
So you have a file that you know contains something good, if only you could read it. Your search for documentation proved fruitless, required a significant outlay, or required signing an NDA. Looks like you are going to need to reverse engineer the file format so you can use it. Most applications tend to use custom file formats for various reasons. These files are usually containers where other files or application data are kept. A hex editor (xvi32) and a C compiler (VS2008) were used to discover the layout of the culprit file.