Reverse Engineering a D-Link Backdoor

Here’s one true hack (Google cache link) for our dear Hackaday readers. On a Saturday night, as [Craig] didn’t have anything else to do, he decided to download the firmware of an old D-Link DIR-100 router (because who wouldn’t?). His goal was to see what interesting things he could find in it. He fired up binwalk to extract the SquashFS file system, then opened the router webserver on the multi-processor disassembler/debugger IDA. [Craig] discovered that the webserver is actually a modified version of thttpd, providing the administrative interface for the router. As you can see in the picture above, it seems Alphanetworks (a spin-off of D-Link) performed the modifications.

Luckily for [Craig], the guys at Alphanetworks were kind enough to prepend many of their custom function names with the string “alpha”. Looking at the disassembly of the http identification functions revealed that a backdoor is implemented on the firmware. If one malicious user has the string “xmlset_roodkcableoj28840ybtide” as his browser user agent, no authentication is required to gain access to the router. One of the comments on the reddit thread points out that reading that string backwords results in: “edit by (04882) joel backdoor”.

JTAGulator Finds Debug Interfaces

jtagulator

[Joe Grand] has come up with a tool which we think will be useful to anyone trying to hack a physical device: The JTAGulator. We touched on the JTAGulator briefly during our DEF CON coverage, but it really deserves a more in-depth feature. The JTAGulator is a way to discover On Chip Debug (OCD) interfaces on unfamiliar hardware.

Open any cell phone, router, or just about any moderately complex device today, and you’ll find test points. Quite often at least a few of these test points are the common JTAG / IEEE 1149.1 interface.

JTAG interfaces have 5 basic pins: TDI (Test Data In), TDO (Test Data Out), TCK (Test Clock), and TMS (Test Mode Select), /TRST (Test Reset) (optional).

If you’re looking at a PCB with many test points, which ones are the JTAG pins? Also which test points are which signals? Sometimes the PCB manufacturer will give clues on the silk screen. Other times you’re on your own. [Joe] designed the JTAGulator to help find these pins.

[Read more...]

An Open Source Hardware Modchip

OSHW XenoGC Clone

Many Hackaday readers might remember the days of buying modchips from somewhat questionable sources. These little devices connect to a gaming system to circumvent security measures, allowing you to run homebrew games (and pirated games, but lets not focus on that). [Guillermo] built an open source hardware Gamecube modchip based on the XenoGC.

The XenoGC was a popular modchip back in the Gamecube days, and its source was released in a forum post. A Wiki page explains how to build a clone of the device based on an ATtiny2313.  Most modchips were closed source, but this project lets you look at how they work. You can browse the XenoGC source on Google Code to learn more about the exploit itself. You’ll find the AVR code, which manipulates the DVD drive over a serial interface, in the XenoAT folder.

[Guillermo]’s hardware is available from OSHPark, so you can easily order boards. He’s also hosted the design files on Github. With one in hand, you can start building homebrew for the Gamecube, which can probably be picked up for around $25 nowadays.

Modified E-ZPass detects reads far from toll booths

ezpass1

Def Con speaker [pukingmonkey] has spent quite a bit of time studying methods government and law enforcement use to track private citizens’ vehicles on the roads. One of the major tracking methods is E-ZPass, an electronic toll collection system used in several states around the country. [pukingmonkey] cracked open his E-ZPass tag to find a relatively basic circuit. In his DEF CON presentation (PDF), he notes you shouldn’t do this to your own tag, as tags are legally not the property of the user.

The tag uses a 3.6 volt long life battery to operate. When idle, the tag only draws 8 microamps. During reads, current draw jumps to 0.3 mA. Armed with this information, it was relatively simple to add a current detecting circuit that outputs a pulse on tag reads. Pulses are then fed into a toy cow, which lights up and “Moos” on each read.

[Read more...]

Cloning an infrared disarming remote of a $8 home security system

5

[Sylvio] decided to buy one of the cheap alarm systems you can find on the internet to have a look at its insides. The kit he bought was composed of one main motion sensor and two remote controls to arm/disarm it.

Communication between the remotes and the sensor is done by using infrared, requiring a direct line of sight for a signal to be received. Modern alarm systems typically use RF remotes with a typical frequency of 434MHz or 868MHz.  In his write-up, [Sylvio] first tries to replicate the IR signal with one of his ‘learning remote controls’ without success and then proceed to reverse engineering the remote circuit shown in the above picture. Hackaday readers may figure out just by looking at it that it is a simple astable multivibrator (read ‘oscillator’). Its main frequency is 38.5kHz, which is typical for IR applications. Therefore, if one of your neighbours had this ‘security system’ one could just disarm it with any of the same remotes…

[Sylvio] then explains different ways to replicate the simple IR signal, first with an Arduino then with a frequency generator and finally using the USB Infrared Toy from Dangerous Prototypes. We agree with his conclusion: “you get what you pay for”.

Using Google Authenticator with an Arduino

Lego One Time Password

Google Authenticator is an app that generates one time passwords (OTPs). These passwords are often used as a second factor of authentication, along with your normal password. OTPs work by having a shared secret and a synchronized clock on two devices. When you generate the password, a hash based on the secret and timestamp is created. This proves that you have access to the secret, and can only be used once.

To secure his Lego mini-figures, [Luca] built an authentication system using Google Authenticator and Arduino. A web app is used to generate a secret that can be configured into the Arduino using an array, and into Google Authenticator using a QR code. The Arduino is using a library that implements Time-based One Time Password authentication (TOTP).

There are some challenges, including keeping a good clock source on the Arduino, but this look like an interesting way to do authentication. After the break, watch a quick video overview of the project (for English captions, hit the CC button).

[Read more...]

Stripping Kindle DRM with Lego

DRM

Consider a book sitting on a shelf. You can lend it out to a friend, you don’t need a special device to read it, and if you are so inclined, you can photocopy it. This isn’t true with Kindle eBooks that place severe restrictions on what you can do with a book via DRM. Although it is possible to strip eBook DRM with a few programs on your computer, [Peter] came up with a fool-proof way that’s an amateur engineering marvel. He’s turning Kindle eBooks into plain text using Lego.

[Peter] is using a few bits of a Lego NTX system to press the, ‘next page’ button on his Kindle, then smash the space bar on his Mac to take a picture. These pictures are then sent to a cloud-based text recognition service. After a few hours of listening to plastic gears grinding, [Peter] has a copy of his eBook in plain text format sitting in his computer.

As impractical as it looks, using a robot, camera, and OCR is actually a really, really good way to turn eBooks plagued with DRM into a text file. Even if Amazon updates their DRM to make the current software cracking methods break, [Peter] will always have his Lego robot ready to scan a few hundred pages of text at a time.

[Read more...]