Archive for the 'Linux' Category

April 12th 2007

Spoof BTADDR

Wrote a quick & dirty Python wrapper for the bluez-utils bccmd command to set the btaddr of a Bluetooth HCI device. The native bccmd syntax is awkward, so I found it handy to have a script which accepts a normally formatted btaddr as an argument, does some error checking and prints status information.

Usage:

root@linux:~/devel/tech/bluetooth/# ./setbtaddr hci0 01:0E:07:75:B7:12
Exec './bccmd  -d hci0 psset -r bdaddr 0x75 0x00 0x12 0xB7 0x07 0x00 0x0E 0x01'
hci0:   Type: USB
        BD Address: 01:0E:07:75:B7:12 ACL MTU: 192:8 SCO MTU: 64:8
        UP RUNNING
        RX bytes:86 acl:0 sco:0 events:9 errors:0
        TX bytes:33 acl:0 sco:0 commands:9 errors:0
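The wrapper's core job is the format conversion visible in the Exec line above. As an added example (my code, not the setbtaddr script from this post), here is that conversion with input validation, an inverse for reading a psget dump back, and a dry run that only prints the bccmd argv. The byte layout (b3 00 b5 b4 b2 00 b1 b0) is inferred from the example output above; I assume every address goes through it unchanged.

```python
#!/usr/bin/env python3
"""Added example (not the blog's setbtaddr script): validate a BD address in the
usual XX:XX:XX:XX:XX:XX form and convert it to and from the byte order that
'bccmd psset -r bdaddr' takes. The layout is taken from the Exec line shown
above, i.e. 01:0E:07:75:B7:12 -> 0x75 0x00 0x12 0xB7 0x07 0x00 0x0E 0x01."""
import re
import sys

BTADDR_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")


def parse_btaddr(text):
    """Return the six octets of 'XX:XX:XX:XX:XX:XX' in display order, or raise."""
    if not BTADDR_RE.match(text):
        raise ValueError(f"not a BD address: {text!r}")
    return [int(octet, 16) for octet in text.split(":")]


def btaddr_to_pskey_bytes(text):
    """Eight byte values for 'bccmd psset -r bdaddr': b3 00 b5 b4 b2 00 b1 b0,
    where b0..b5 are the display-order octets (layout as in the example above)."""
    b = parse_btaddr(text)
    return [b[3], 0x00, b[5], b[4], b[2], 0x00, b[1], b[0]]


def pskey_bytes_to_btaddr(values):
    """Inverse conversion, e.g. to check what 'bccmd psget' reports."""
    if len(values) != 8:
        raise ValueError("expected exactly 8 byte values")
    b3, _, b5, b4, b2, _, b1, b0 = values
    return ":".join(f"{x:02X}" for x in (b0, b1, b2, b3, b4, b5))


def bccmd_argv(hci, text):
    """Assemble the argv list for bccmd; nothing is executed here (dry run)."""
    if not re.fullmatch(r"hci\d+", hci):
        raise ValueError(f"not an HCI device name: {hci!r}")
    words = btaddr_to_pskey_bytes(text)
    return ["bccmd", "-d", hci, "psset", "-r", "bdaddr"] + [f"0x{w:02X}" for w in words]


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} hciX XX:XX:XX:XX:XX:XX")
    try:
        print(" ".join(bccmd_argv(sys.argv[1], sys.argv[2])))
    except ValueError as err:
        sys.exit(f"error: {err}")
```

The script prints the command instead of running it, so the argument list can be checked before anything is written to the dongle; the inverse helper lets you compare a backed-up psget dump against the address you expect.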

download

2 Comments »

April 4th 2007

H00lyshit - DIY Bluetooth Sniffer

Since the 23c3 every interested researcher has known that it is easy to compromise Bluetooth sessions using the BTCrack tool: Thierry Zoller showed how it's possible to retrieve link keys. The only problem was to get hands on a Bluetooth sniffer device to capture the raw Bluetooth packets. Such devices are not available at consumer prices. But somehow Max Moser found a way to transform a vanilla USB BT dongle into a Bluetooth sniffer device. Don't believe the hype... Now Bluetooth security is dead.

Mini Howto:

# Backup old firmware
dfutool -d hci0 archive backup.dfu
# Backup config
bccmd -d hci0 pslist -s 0x000F >> backup_cfg
# Check Vendor ID (has to be 0x0a12)
bccmd -d hci0 psget -s 0x000f 0x02be
# Write new Product ID
bccmd -d hci0 psset -s 0x0002 0x02bf 0x0002

6 Comments »

January 21st 2007

Toying with a Juicebox

Got a new toy. It's a Juicebox from Mattel, a kids' video and MP3 player. Actually it's Linux based and has a Samsung S3C44B0 ARM CPU, 8 MB Flash and 2 MB RAM. Since it has JTAG pinouts you can use it as a really cheap ARM dev board. You can get one for around $10 on eBay. You find a lot of good info here.

Made some LCD test stuff, a 3D starfield and a simple fire demo. This code runs directly on the hardware, not on top of the built-in Linux. You need a JTAG cable to download the code directly into the RAM.

I’m using openocd for this:

halt 
wait_halt 
poll 
load_binary lcd_3.bin 0x0c001000 
resume 0x0c001000


download source

No Comments yet »

January 10th 2007

Nokia 6100 GLCD Port for Epson based Displays

Ported the glcd lib to the Epson based Nokia LCDs. I tried to keep the code portable so that you can switch between the Epson and the Philips controller via a #define switch.

Actually I only changed the low-level hardware access and init functions to deal with the Epson controller. Currently native screen rotation is implemented, but I didn't work on the hardware scrolling stuff. Maybe I'll do this later.


download source

3 Comments »

January 7th 2007

Nokia 6100 LCD

Got my Nokia 6100 LCD working. Long story of failures. The first try was an LCD with an Epson controller from eBay for 10 Euros. But somehow someone failed to solder the SMD socket properly and it went away ;-) (thx max).

The next try was an Epson based LCD including a header board from SparkFun. But this time I wasn't able to run some demo code which was made for the LPC2138 on my LPC2148. I think the board was too fast to talk to the display; I wasn't able to set up SPI on the LPC2148 correctly. Needs more investigation on that topic.

So I gave up at this point and decided to go for an ATmega16. I did a devel board for that which is loosely based on these schematics. The board uses simple parport ICSP and has a serial line for debugging and sending data.

Finally I threw some code together using the init commands found in this project. Added support for receiving images via UART and wrote a little Python client for sending images.

Future plans are to port the glcd lib to the Epson based LCD.


download source

3 Comments »

December 19th 2006

EFSL for the ARM LPC2148

Found an LPC2138 port of the Embedded Filesystems Library. Took this stuff and got it working on my LPC2148.

Now I can access an SD card attached to the LPC2148. Currently the FAT filesystem is supported. The sample program includes a minimal serial line shell which supports file reading and directory listings.

MMC/SD Card Filesystem Test (P:LPC2148 L:EFSL)
CARD init...spiInit for SSP/SPI1
Card is initialising.
CSD: 00 26 00 32 5F 59 83 C8 BE FB CF FF 92 40 40 D7
Drive Size is 1015808000 Bytes (1984000 Sectors)
Init done...
Press Command: d r a 
You pressed : d
Directory of 'root':
TEST01      ( 6 bytes )
TEST02      ( 6 bytes )
TEST03      ( 6 bytes )
TEST04      ( 6 bytes )
TEST05      ( 6 bytes )
TEST06      ( 6 bytes )
TEST09      ( 6 bytes )
TEST10      ( 6 bytes )
LOGDAT9 TXT ( 833 bytes )
DUMMY   LOG ( 2754 bytes )

download source

No Comments yet »

December 18th 2006

ARM LPC2148 and Linux

Just got my ARM LPC2148 dev board from Olimex.

I put together a small overview of how to get things working using a Linux host system.

Toolchain

  • GNU Compiler Toolchain
  • Serial Programmer
  • Sample Code
      • Crt0
      • Linkerscript
      • Init Routine
      • Simple IO Test
      • SIO Debug Console

    GNU Compiler Toolchain

    I use a standard ARM GNU toolchain. Actually I found this binary download from mikrocontroller.net. But my GBA toolchain also worked and produced good binaries, so a Gentoo ARM crossdev should do the work as well. I think the LPC is not too picky about that.

    Serial Programmer

    I tried lpc21isp but it didn't work for me, so I ended up using lpc2k_pgm. It has a little GUI where you can set up all needed configs. I use the iHex format to upload to the dev board, and I had the best results using a quite slow SIO speed like 9600 bps. You have to enable the BSL on the LPC2148 for ICSP. On my board the switch is called 'ICSP1', which needs to be set into the ON position.

    Crt0

    Nothing special about that. Took it from similar LPC based projects. It just sets up the stack sizes and the default IRQ vectors. Worked out of the box.

    Linkerscript

    Took this from another LPC project. The script specifies the memory layout of the target system and defines the sections for the binary output.

    Init Routine

    The code found in startup.c does the PLL init. The LPC2148 runs from a 12 MHz crystal but can run at up to 60 MHz when the PLL is set up. The default IRQ handlers are also defined here.
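    To make the "12 MHz in, 60 MHz out" step concrete, here is an added example (my code, not the startup.c from this post) that derives the PLL0 multiplier, divider and PLLCFG byte from the LPC214x user-manual rules and lists the register writes a startup routine performs, including the 0xAA/0x55 feed pairs. The constraints and register addresses are the documented LPC214x PLL0 values; the check on a 48 MHz target goes beyond the single case in the text.

```python
"""Added example (not code from the blog's startup.c): derive the LPC2148 PLL0
settings for a given crystal and target CPU clock, using the rules from the
LPC214x user manual: CCLK = M * Fosc with M in 1..32, FCCO = CCLK * 2 * P with
P in {1, 2, 4, 8} and 156 MHz <= FCCO <= 320 MHz, and CCLK at most 60 MHz.
Register addresses are the documented LPC214x PLL0 block."""

PLL0CON = 0xE01FC080    # PLL control: bit0 PLLE (enable), bit1 PLLC (connect)
PLL0CFG = 0xE01FC084    # PLL configuration: MSEL in bits 4:0, PSEL in bits 6:5
PLL0STAT = 0xE01FC088   # PLL status: bit10 PLOCK
PLL0FEED = 0xE01FC08C   # feed register: write 0xAA then 0x55 to commit CON/CFG
PLOCK = 1 << 10
PSEL_CODE = {1: 0b00, 2: 0b01, 4: 0b10, 8: 0b11}
FCCO_MIN, FCCO_MAX, CCLK_MAX = 156_000_000, 320_000_000, 60_000_000


def pll_settings(fosc_hz, cclk_hz):
    """Return M, P, FCCO and the PLLCFG byte for the requested clocks, or raise."""
    if cclk_hz > CCLK_MAX:
        raise ValueError("LPC2148 CCLK must not exceed 60 MHz")
    if cclk_hz % fosc_hz:
        raise ValueError("CCLK must be an integer multiple of Fosc")
    m = cclk_hz // fosc_hz
    if not 1 <= m <= 32:
        raise ValueError("multiplier M must be in 1..32")
    for p in (1, 2, 4, 8):            # smallest P that keeps the CCO in range
        fcco = cclk_hz * 2 * p
        if FCCO_MIN <= fcco <= FCCO_MAX:
            return {"M": m, "P": p, "FCCO": fcco,
                    "PLLCFG": (m - 1) | (PSEL_CODE[p] << 5)}
    raise ValueError("no PSEL value keeps FCCO within 156..320 MHz")


def pll_init_sequence(pllcfg):
    """Ordered register operations a startup routine performs for this PLLCFG.
    Each step is ('write', address, value) or ('wait_bit', address, mask)."""
    feed = [("write", PLL0FEED, 0xAA), ("write", PLL0FEED, 0x55)]
    return ([("write", PLL0CFG, pllcfg),
             ("write", PLL0CON, 0x01)] + feed +      # PLLE, then feed
            [("wait_bit", PLL0STAT, PLOCK),          # spin until the PLL locks
             ("write", PLL0CON, 0x03)] + feed)       # PLLE | PLLC, then feed


if __name__ == "__main__":
    s = pll_settings(12_000_000, 60_000_000)
    print(f"M={s['M']} P={s['P']} FCCO={s['FCCO'] // 1_000_000} MHz "
          f"PLLCFG=0x{s['PLLCFG']:02X}")
    for step in pll_init_sequence(s["PLLCFG"]):
        print(step)
```

    For the board in this post the result is M=5, P=2, FCCO=240 MHz and PLLCFG=0x24; a wrong P leaves the CCO outside its range and the PLL never reports PLOCK, which is why the lock wait sits between the two PLLCON writes.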

    Simple IO Test

    I used the on-board leds for a simple IO test.

    
    /* Initialize(), ConsoleInit(), puts() and the IODIR0/IOSET0/IOCLR0
       registers come from the project's startup code and LPC214x header. */
    int main(void)
    {
        volatile unsigned int i;    /* volatile so the delay loops are not optimised away */
        Initialize();
        ConsoleInit(60000000 / (16 * BAUD_RATE));
        puts("Init done\n");
        IODIR0 |= 1 << 10;          // P0.10 is an output
        IODIR0 |= 1 << 11;          // P0.11 is an output
        IOSET0 = 1 << 10;           // LED off
        IOSET0 = 1 << 11;           // LED off

        while (1) {
            for (i = 0; i < 1000000; i++);  // crude busy-wait delay
            IOSET0 = 1 << 10;       // LED off
            IOCLR0 = 1 << 11;       // LED on
            puts("led1: off  led2: on\n");
            for (i = 0; i < 1000000; i++);
            IOCLR0 = 1 << 10;       // LED on
            IOSET0 = 1 << 11;       // LED off
            puts("led1: on   led2: off\n");
        }
    }
    

    SIO Debug Console

    Added a little module that uses one of the two serial lines for debugging output. I use the same serial port as for the ICSP, so after flashing, lpc2k_pgm will display the output directly without any setup changes.


    download source

    1 Comment »

    November 20th 2006

    Font2Texture

    For a PSP project I need to convert a font to a texture. Found a good working program here, but the current version does not seem to be maintained anymore. So I did some bugfixes and made it compile against current wxWidgets libs. I also added a new feature: the font-face info is written to a C source file that can be used directly in your project.


    Source

    No Comments yet »

    January 15th 2006

    Undelete with Sleuthkit

    Wrote a little Bash script using Sleuthkit tools to recover a deleted file from a partition. Tested the script with ext2 and FAT32 filesystems.

    Setup a test image:

    
    dd  if=/dev/zero of=image  bs=1k count=8192
    mkfs.ext2 image
    mount -o loop image /mnt/image
    cp something /mnt/image
    rm /mnt/image/something
    sync
    umount /mnt/image
    
    Now you can start the script to find a token of the deleted file:

    ./find.sh image "Test"

    The code for find.sh:
    
    #!/bin/sh
    # find.sh: locate a deleted file in an image by a text token and dump its blocks.
    # Tool names are the Sleuthkit 2.x ones used on this page; TSK 3.x renamed
    # dls/dcalc/dcat to blkls/blkcalc/blkcat.

    if [ $# -ne 2 ]
    then
        echo "Usage: $0 image token"
        exit 1
    fi

    IMAGE="$1"
    TOKEN="$2"
    BSIZE=1024
    TYPE="linux-ext2"
    TMP="dls_$(date +%Y%m%d_%H%M%S)"

    if [ ! -f "$IMAGE" ]
    then
        echo "Cannot find $IMAGE"
        exit 1
    fi

    if [ -z "$TOKEN" ]
    then
        echo "Please give a search token"
        exit 1
    fi

    echo "--------------------------"
    echo "Found deleted"
    fls -f "$TYPE" -rd "$IMAGE"          # deleted entries still listed in directories
    dls -f "$TYPE" "$IMAGE" > "$TMP"     # extract only the unallocated blocks
    strings -t d "$TMP" > "$TMP.str"     # printable strings with decimal offsets
    echo "--------------------------"
    grep -i "$TOKEN" "$TMP.str"
    echo "--------------------------"
    printf "Select Offset: "
    read n
    # Match the offset column exactly, not every line that merely contains the digits.
    ADDR=$(awk -v want="$n" '$1 == want { print $1; exit }' "$TMP.str")
    if [ -z "$ADDR" ]
    then
        echo "Nothing found for offset '$n'"
        exit 1
    fi
    echo "Found $ADDR"
    OFFSET=$((ADDR / BSIZE))             # block number inside the dls output
    echo "Using Offset $OFFSET"
    BLOCK=$(dcalc -f "$TYPE" -u "$OFFSET" "$IMAGE")   # map to the original block address
    echo "Using Block $BLOCK"
    echo "----------------------------"
    dcat -f "$TYPE" "$IMAGE" "$BLOCK"
    echo
    echo "----------------------------"
    INODE=$(ifind -f "$TYPE" "$IMAGE" -d "$BLOCK")    # which inode referenced this block
    echo "Found Inode $INODE"
    istat -f "$TYPE" "$IMAGE" "$INODE"
    BLOCKS=$(istat -f "$TYPE" "$IMAGE" "$INODE" | tail -n 1)   # last line: direct block list
    echo "---------------------------"
    echo "Found Blocks $BLOCKS"
    echo "---------------------------"
    (for BLOCK in $BLOCKS
    do
        dcat -f "$TYPE" "$IMAGE" "$BLOCK"
    done) | tee "$TMP.found"
    echo "---------------------------"
    echo "Saved to $TMP.found"
    echo "---------------------------"
    rm -f "$TMP" "$TMP.str"
    
    
    

    No Comments yet »

    January 10th 2006

    InlineEgg Shellcode

    Made a nice shellcode using the Python InlineEgg library. The shellcode is designed to smash the stack of a program which is listening on a socket: the read buffer gets overflowed by the shellcode. The code was tested on an older SUSE 9.0, because current distros use PIE and SSP.

    Features:

    • Python script that generates the shellcode
    • Re-uses the listen socket of the victim and connects it to a new shell
    • Scans for the correct fd and peername
    • Embedded Telnet client which connects to the created remote shell
    • Encoder to generate polymorphic shellcode

      Download

    No Comments yet »
