Mar 2
My Bus Pirate v3 just arrived today, together with a 13.56 MHz RFID module. I bought the stuff at the seeedstudio webshop.
I had to update the Bus Pirate to the v4.1 firmware and v4.1 bootloader (and resolder the LEDs). The Bus Pirate uses an FTDI USB serial chip, so make sure you have installed this driver.
Now let the fun begin; wire up the Bus Pirate and the RFID module as follows:
RESET ---> AUX
RXD ---> MOSI (TX)
TXD ---> MISO (RX)
GND ---> GND
+5V (DC) --->+5V
Now fire up a terminal (I use CoolTerm on a Mac, 115200/8N1), activate the UART mode, enter 'W' to activate the +5V power supply, enter 'a' to trigger the reset (AUX LOW)
Continue reading "Bus Pirate fun - RDM880 RFID module"
Posted by michu
Jan 30
Get the latest Makefile from http://git.opendreambox.org/?p=obi/makefile-opendreambox.git and save it as Makefile-opendreambox-1.5.
My settings:
# target platform: dm500plus, dm600pvr, dm7020, dm7025, dm800, dm8000
MACHINE = dm800
BB_BRANCH = 1.4.2-git
GIT_BRANCH = opendreambox-1.5
Make sure you don't have bitbake installed, or you will get fancy error messages like this:
ERROR: Exception: Message:'FetchData' object has no attribute 'tag'
You of course need working build tools and several other tools like texi2html and gettext.
Now start the build process:
make -f Makefile-opendreambox-1.5 image
Continue reading "Build a Dreambox image yourself"
Posted by michu
Jan 28
While the Apple AirPort Express Base Station with 802.11n and AirTunes is quite affordable, it's a pity that Apple allows only AES-encrypted audio streams (aka Remote Audio Output Protocol - RAOP). However, Jon Lech Johansen reverse-engineered the encryption and released JustePort - a .NET tool. Meanwhile other open source applications support the RAOP protocol:
VLC works out of the box, although the syntax is a bit strange.
$ cd /Applications/VLC.app/Contents/MacOS/
$ VLC --sout='#transcode{acodec=alac,ab=192,channels=2}: raop{access=http,mux=raw,host=192.168.1.15,volume=77}' /08-rex_the_dog-circulate.mp3
[0x14c15dd8] stream_out_raop stream out: Audio latency: 4384
[0x14c15dd8] stream_out_raop stream out: Jack type: analog
The important parameter is "--sout='#transcode{acodec=alac, channels=2, samplerate=44100}: raop{access=http,mux=raw, host=192.168.1.15,volume=77}'".
You may also open the VLC prefs / All / Stream Output / Default Stream Output Chain and enter:
#duplicate{dst="transcode {acodec=alac, channels=2, samplerate=44100}: raop{host=192.168.111.15,volume=77}:display",dst=display}
Hint: VLC did not work for me with these parameters:
--sout-raop-host= Host --sout-raop-volume=
Info from the VLC forum:
The Airport Express will only take the Apple Lossless codec, make also sure the sound is encoded with 44.1 kHz and not something like 32 kHz or 22.05 kHz, as that's all the Airport Express understands.
Continue reading "Apple Airtunes (RAOP) and OpenSource Software"
Posted by michu
Jan 18
If you want to analyze an unknown file for its content (like a Philips TV firmware image...) it may be useful to create an image out of the binary file, so you can search for patterns. Dan Kaminsky released such a tool (also referenced in the 23C3-Fudging-with-firmware-analysis talk) - but I couldn't find it anymore. So I wrote one myself.
Here is a simple example of a text file (java source):

Now the same file gzipped:

On the first image you may see a pattern, while on the second image only random garbage is visible. And random garbage often means compressed or encrypted data.
Another example of /dev/disk0s1:

No random garbage but ordered data here...
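As an added example (this is not the author's fwimage tool, which the post does not include), here is a small Python script that does the same job offline: every byte of the input becomes one grayscale pixel in a PGM image that any image viewer opens, and alongside it the script computes per-block Shannon entropy, which is the numeric version of the "random garbage" test above: compressed or encrypted data sits close to 8 bits per byte, text and code well below. The block size, the classification thresholds and the sample inputs in the test are my own assumptions, not anything from the post.

```python
"""Render a binary file as a grayscale image and flag high-entropy regions.

Constructed example, not the post's fwimage tool. Each input byte becomes one
pixel (0x00 black .. 0xFF white) in a binary PGM image. Per-block Shannon
entropy is computed alongside: near-8-bit entropy is what "random garbage"
looks like numerically, i.e. compressed or encrypted data.
"""
import math
import sys
from collections import Counter


def render_pgm(data: bytes, width: int = 256) -> bytes:
    """Return a binary PGM (P5) image with `width` pixels per row.

    The last row is padded with 0x00 so every row has the same length.
    """
    if width <= 0:
        raise ValueError("width must be positive")
    height = max(1, math.ceil(len(data) / width))
    padded = data + b"\x00" * (width * height - len(data))
    header = f"P5\n{width} {height}\n255\n".encode("ascii")
    return header + padded


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant chunk, 8.0 for uniform."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def block_entropy(data: bytes, block_size: int = 4096) -> list[float]:
    """Entropy of each consecutive `block_size`-byte slice of `data`."""
    return [shannon_entropy(data[i:i + block_size])
            for i in range(0, len(data), block_size)]


def classify_block(entropy: float) -> str:
    """Rough label; the thresholds are assumptions, not a standard."""
    if entropy > 7.2:
        return "compressed/encrypted"
    if entropy > 4.0:
        return "code/text"
    return "padding/sparse"


def visualize(path: str, out_path: str, width: int = 256) -> list[str]:
    """Write `path` as a PGM to `out_path`; return one label per 4 KiB block."""
    with open(path, "rb") as f:
        data = f.read()
    with open(out_path, "wb") as f:
        f.write(render_pgm(data, width))
    return [classify_block(e) for e in block_entropy(data)]


if __name__ == "__main__":
    # usage: python fwvis.py <firmware.bin> <out.pgm>
    src, dst = sys.argv[1], sys.argv[2]
    for i, label in enumerate(visualize(src, dst)):
        print(f"block {i:5d} @ 0x{i * 4096:08x}: {label}")
```

A width of 256 or 512 pixels makes structures with power-of-two alignment (page tables, padding, fixed-size records) show up as vertical stripes, which is usually what you are looking for in an unknown firmware image; the entropy labels tell you which stripes are worth trying to decompress before anything else.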
Continue reading "Firmware Visualizer fwimage"
Posted by michu
Jan 12
I am trying to get root access on my Philips PFL9703 TV. Why? Don't ask...
The TV runs a 2.6.18 kernel, pnx8535 MIPS32 240MHz CPU, compiled with a MontaVista toolchain.
I need YOUR help to root the Philips TV! Please write a comment (end of the article) or email me if you have any hints, thanks!
RC triggered service modes:
Customer Service Mode (CSM): 123654. Insert a USB stick, put the remote in DVD mode and press 2679 - this will create an application dump of the TV application file on the USB stick (binary).
Service Alignment Mode (SAM): 062596info. I didn't find an option to enable the serial console!
Service Default Mode (SDM): 062596menu. Purpose: to create a pre-defined setting, to get the same measurement results as given in the service manual.
Manual software upgrade: disconnect the TV from the AC power, press and hold the OK button of the RC and connect the set to mains.
Continue reading "Root my TV: Hack Philips PFL9703 "
Posted by michu
Jan 6
iFluenza: Swine Flu – just another iPhone game. We just released our first iPhone game. "We" means Oliver Studer and myself. I hope you like it!
Update 1.1.10: Version 1.5 just hit the store! Massive gameplay update!
Save the world! Stop the evil virus. Kill all bacteria and collect some power ups. Touch a bacteria to start the chain reaction – blow up all other bacteria.
Features:
• 25 entertaining levels
• Simple and addictive gameplay
• Progressive difficulty
• Online leaderboards: best scores and best failed scores
• Unlock Awards
• Friends lists
• Facebook and Twitter integration
• Listen to music from your library or to the atmospheric game sound
• Persistent player profile (Online and Offline)
• iFluenza uses AGON Online by Aptocore
Some Screenshots:
Posted by michu
Jan 6
If you use an SSH server to transfer files (scp or sftp) you might want to restrict the connecting users.
Restrict the user's shell, use rssh:
rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. It now also includes support for rdist, rsync, and cvs. For example, if you have a server which you only want to allow users to copy files off of via scp, without providing shell access, you can use rssh to do that.
Secured? Nope! The user might use port forwarding to do some nasty stuff if he connects without a shell/command (SSHv2). If you use password-based authentication there is only ONE option: disallow port forwarding in sshd_config:
AllowTcpForwarding
Specifies whether TCP forwarding is permitted. The default is “yes”. Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.
If you use key-based authentication you may look at the ~/.ssh/authorized_keys file. There you can set options like no-port-forwarding, no-X11-forwarding... If you use this option, make sure you place the authorized_keys file outside the user's home directory, for example: "AuthorizedKeysFile /etc/ssh/%u/authorized_keys".
no-port-forwarding
Forbids TCP forwarding when this key is used for authentication. Any port forward requests by the client will return an error. This might be used, e.g. in connection with the command option.
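The key-option route only works if every key in the file actually carries the restrictions, and on a server with many scp-only users that is easy to get wrong. As an added example (not part of the original post), here is a Python audit that parses the sshd authorized_keys format (optional options field, key type, base64 blob, comment), including quoted option values that contain commas, and reports every key that could still be used for forwarding. The set of options it demands (no-port-forwarding, no-X11-forwarding, no-agent-forwarding, no-pty) is my choice; it also accepts `restrict`, which newer OpenSSH (7.2 and later) provides as a shorthand for all of them. The sample file and its key blobs are constructed placeholders.

```python
"""Audit an authorized_keys file for keys that still allow forwarding.

Added example, not code from the original post. It parses the sshd(8)
AUTHORIZED_KEYS format (optional options field, key type, base64 key, comment)
and reports every key that lacks the restrictive options the post mentions.
`restrict` (OpenSSH 7.2 and later) implies all of them and is accepted too.
"""
import sys

# Key-type prefixes that mark a line *without* an options field.
KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")
# Options an scp/sftp-only key should carry (assumed policy, not an sshd rule).
REQUIRED = ("no-port-forwarding", "no-X11-forwarding",
            "no-agent-forwarding", "no-pty")


def _cut_options(line: str) -> tuple[str, str]:
    """Split the line at the first whitespace outside double quotes."""
    in_quote, i = False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_quote:      # escaped char inside a quoted value
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            return line[:i], line[i:].lstrip()
        i += 1
    return line, ""


def split_options(field: str) -> list[str]:
    """Split comma-separated options; commas inside quoted values are kept."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(field):
        ch = field[i]
        if ch == "\\" and in_quote and i + 1 < len(field):
            cur.append(field[i + 1])     # \" inside a value becomes "
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            opts.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    if cur:
        opts.append("".join(cur))
    return opts


def parse_line(line: str):
    """Return (options, keytype, key, comment), or None for blank/# lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPE_PREFIXES):
        options, rest = [], line
    else:
        field, rest = _cut_options(line)
        options = split_options(field)
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    comment = parts[2] if len(parts) == 3 else ""
    return options, parts[0], parts[1], comment


def missing_restrictions(options: list[str]) -> list[str]:
    """Restrictive options absent from `options` (sshd matches names case-insensitively)."""
    names = {o.split("=", 1)[0].lower() for o in options}
    if "restrict" in names:
        return []
    return [r for r in REQUIRED if r.lower() not in names]


def audit(text: str) -> dict[int, list[str]]:
    """Map 1-based line number -> missing restrictions, for offending keys only."""
    findings = {}
    for n, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        missing = missing_restrictions(parsed[0]) if parsed else []
        if missing:
            findings[n] = missing
    return findings


# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = """\
# constructed sample, keys are placeholders
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1 backup@example
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/usr/bin/rssh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2 scp-only@example
command="echo hi, there",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAAPLACEHOLDER3
restrict,command="internal-sftp" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER4
"""

if __name__ == "__main__":
    # usage: python audit_keys.py /etc/ssh/<user>/authorized_keys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for lineno, missing in audit(text).items():
        print(f"line {lineno}: forwarding possible, missing {', '.join(missing)}")
```

Run it against the per-user files under the AuthorizedKeysFile path from the post; keeping those files outside the home directory is what stops a user from simply deleting the options again. For password logins the same restrictions have to come from sshd_config instead (AllowTcpForwarding no, plus a forced command or restricted shell), because there is no key line to attach them to.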
Posted by michu
Dec 22
The last official displaytag release is quite old and there is still a dependency on the old itext v1.x version. That's why I created an up-to-date snapshot release of revision 1160 with additional patches. Here is a short changelog:
reverted this change:
some fun with displaytag 1.3: java 1.4 and EL version not supported anymore
------------------------------------------------------------------------
r1154 | fgiust | 2008-12-27 14:41:37 +0100 (Sa, 27. Dez 2008) | 1 line
patches:
-support for itext v2.1.5 (issue DISPL-450)
-pdf export fixed (issue DISPL-352)
Download source and binary.
Posted by michu
Dec 5
So you updated your iPhone with the latest jailbroken image and you did a backup before you reflashed your phone. But no more contacts/pics on the updated iPhone?
1st you need iPhone Backup Extractor.
2nd start the tool and extract "iPhone OS Files" to /tmp/iPhone OS Files/.
In this example I use 192.168.1.8 as the iPhone IP. Make sure SSH is running on the iPhone.
Check the local Address Book from the backup:
#cd /tmp/iPhone\ OS\ Files/Library/AddressBook/
#sqlite3 AddressBook.sqlitedb
sqlite> select ABPerson.first,ABPerson.last,ABMultiValue.value from ABPerson,ABMultiValue where ABMultiValue.record_id=ABPerson.ROWID;
Replace the Address Book on the iPhone:
#cd /tmp/iPhone\ OS\ Files/Library/AddressBook/
#scp * root@192.168.1.8:/var/mobile/Library/AddressBook/
Terminate the Telephone app (kill it!) to reload the Address Book!
Restore SMS on the iPhone:
#cd /tmp/iPhone\ OS\ Files/Library/SMS/
#scp -r * root@192.168.1.8:/var/mobile/Library/SMS
Replace the Call History on the iPhone:
#cd /tmp/iPhone\ OS\ Files/CallHistory/
#scp call_history.db root@192.168.1.8:/var/mobile/Library/CallHistory/
Continue reading "iPhone, Jailbreak and lost images/contacts..."
Posted by michu
Nov 30
Thanks to this post http://forum.aircrack-ng.org/index.php?topic=6091.new I was able to compile aircrack for Snow Leopard! I used svn r1623 and it works like a charm!
Index: src/Makefile
===================================================================
--- src/Makefile (revision 1623)
+++ src/Makefile (working copy)
@@ -4,7 +4,7 @@
TEST_DIR = $(AC_ROOT)/test
-CFLAGS += -Iinclude
+CFLAGS += -Iinclude -arch i386 -I/opt/local/include -L/opt/local/lib
iCC = $(shell find /opt/intel/cc/*/bin/icc)
iCFLAGS = -w -mcpu=pentiumpro -march=pentiumpro $(COMMON_CFLAGS)
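Review bot: `-L/opt/local/lib` on the `+CFLAGS += -Iinclude -arch i386 ...` line is a linker search path, not a compiler flag, and belongs in LDFLAGS; the gcc driver only tolerates it here because linking goes through $(CC). The `-arch i386` and MacPorts `/opt/local` paths are also added unconditionally, so this hunk changes the build for every platform, not just Snow Leopard; guard it with an OSNAME check the way common.mak already does for cygwin.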
Index: common.mak
===================================================================
--- common.mak (revision 1623)
+++ common.mak (working copy)
@@ -57,7 +57,7 @@
ifeq ($(OSNAME), cygwin)
CC = $(TOOL_PREFIX)gcc-4
else
-CC = $(TOOL_PREFIX)gcc
+CC = $(TOOL_PREFIX)gcc-4.0
endif
RANLIB = $(TOOL_PREFIX)ranlib
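Review bot: the `else` branch is the catch-all for every non-cygwin OS, so `+CC = $(TOOL_PREFIX)gcc-4.0` forces a Snow Leopard-specific compiler name on Linux and BSD builds too, where gcc-4.0 normally does not exist. Add a separate Darwin branch (`ifeq ($(OSNAME), Darwin)`) or override CC from the environment instead of replacing the default.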
@@ -67,7 +67,7 @@
REVFLAGS = -D_REVISION=$(REVISION)
OPTFLAGS = -D_FILE_OFFSET_BITS=64
-CFLAGS ?= -g -W -Wall -Werror -O3 -Wno-strict-aliasing
+CFLAGS ?= -g -W -Wall -Werror -O3 -Wno-strict-aliasing -arch i386 -isysroot /Developer/SDKs/MacOSX10.5.sdk
CFLAGS += $(OPTFLAGS) $(REVFLAGS) $(COMMON_CFLAGS)
prefix = /usr/local
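Review bot: `-isysroot /Developer/SDKs/MacOSX10.5.sdk` and `-arch i386` on the `+CFLAGS ?=` line are again hardcoded into the portable default, and because the assignment is `?=` they silently vanish whenever CFLAGS is set in the environment, while the `-arch i386` from src/Makefile is still appended, leaving two places that can drift apart. Keep the Darwin flags in a single Darwin-guarded `CFLAGS +=` and note in the commit message that the 10.5 SDK path is machine-specific.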
Continue reading "Compiling aircrack-NG 1.0 (svn) on Snow Leopard"
Posted by michu