Hard Drive Rootkit Is Frighteningly Persistent

There are a lot of malware programs in the wild today, but luckily we have methods of detecting and removing them. Antivirus is an old standby, and if that fails you can always just reformat the hard drive and wipe it clean. That is unless the malware installs itself in your hard drive firmware. [MalwareTech] has written his own frightening proof of concept malware that does exactly this.

The core firmware rootkit needs to be very small in order to fit in the limited memory space on the hard drive’s memory chips. It’s only a few KB in size, but that doesn’t stop it from packing a punch. The rootkit can intercept any IO to and from the disk or the disk’s firmware. It uses this to its advantage by modifying data being sent back to the host computer. When the computer requests data from a sector on the disk, that data is first loaded into the disk’s cache. The firmware can modify the data sitting in the cache before notifying the host computer that the data is ready. This allows the firmware to trick the host system into executing arbitrary code.

[MalwareTech] uses this ability to load his own custom Windows XP bootkit called TinyXPB. All of this software is small enough to fit on the hard drive’s firmware. This means that traditional antivirus cannot detect its presence. If the owner of the system does get suspicious and completely reformats the hard drive, the malware will remain unharmed. The owner cannot even re-flash the firmware using traditional methods since the rootkit can detect this and save itself. The only way to properly re-flash the firmware would be to use an SPI programmer, which would be too technical for most users.

There are many more features and details to this project. If you are interested in malware, the PDF presentation is certainly worth a read. It goes much more in-depth into how the malware actually works and includes more details about how [MalwareTech] was able to actually reverse engineer the original firmware. If you’re worried about this malicious firmware getting out into the wild, [MalwareTech] assures us that he does not intend to release the actual code to the public.

D-Link Fails at Strings

Small Office and Home Office (SOHO) wireless routers have terrible security. That’s nothing new. But it is somewhat sad that manufacturers just keep repurposing the same broken firmware. Case in point: D-Link’s new DIR-890L, which looks like a turtled hexapod. [Craig] looked behind the odd case and grabbed the latest firmware for this device from D-Link’s website. Then he found a serious vulnerability.

D-Link's DIR-890 Router

The usual process was applied to the firmware image. Extract it, run binwalk to find the various contents of the firmware image, and then extract the root filesystem. This contains all the code that runs the router’s various services.

The CGI scripts are an obvious place to poke for issues. [Colin] disassembled the single executable that handles all CGI requests and started looking at the code that handles Home Network Administration Protocol (HNAP) requests. The first find was that system commands were being built using HNAP data. The data wasn’t being sanitized, so all that was needed was a way to bypass authentication.

This is where D-Link made a major error. They wanted to allow one specific URL to not require authentication. Seems simple, compare string A to string B and ensure they match. But they used the strstr function. This will return true if string A contains string B. Oops.

So authentication can be bypassed, telnetd can be started, and voila: a root shell on D-Link’s most pyramid-shaped router. Oh, and you can’t disable HNAP. May we suggest OpenWrt or dd-wrt?

Magic Lantern Brings Linux to Canon EOS Cameras

On April 1st the Magic Lantern team announced a proof of concept that lets you run Linux on a Canon EOS camera. Because of the date of the post we’ve poured over this one and are confident it’s no joke. The development has huge potential.

The hack was facilitated by a recent discovery that the LCD screen on the camera can be accessed from the bootloader. In case you don’t recognize the name, Magic Lantern is an Open Source project that adds features to these high-end cameras by utilizing the bootloader with binary files on the SD card. It’s long been a way of hacking more features in but has always been complicated by the fact that you must figure out how to play nicely with the existing firmware. Commanding the LCD was the last part of the hardware that had previously not been driven directly from Magic Lantern.

Now that the Linux kernel is in the picture, ground-up features can be built without dealing with the stock firmware in any way (and without overwriting it). We’re excited to see where this one goes. Currently it’s just a proof that you can boot Linux, it’s not actually functional yet. Here’s your chance to polish those kernel porting skills you’ve been holding in reserve.

Unlock Your Demo Kindle Paperwhite

If you’ve been holding off on upgrading your kindle, this project might inspire you to finally bite the bullet. [WarriorRocker] recently saved quite a few dollars on his Kindle upgrade by using a demo unit. Of course, it’s not as simple as just finding a demo unit and booting it up. There’s some hacking involved.

[WarriorRocker] found his Kindle Paperwhite demo unit on an online auction site for just $20. Kindles are great for reading but also make popular displays for your own projects. This used display model was much less expensive than a new unit, which makes sense considering it had probably received its share of abuse from the consumers of some retail store. The problem with a demo unit is that the firmware that comes with it is very limited, and can’t be used to sync up with your Amazon account. That’s where the hacking comes in.

pwdu-01The first step was to crack open the case and locate the serial port. [WarriorRocker] soldered a small three pin header to the pads to make it easier to work on his device as needed. He then connected the Kindle to his PC using a small serial to USB adapter. Pulling up the command prompt was as simple as running Putty and connecting to the correct COM port. If the wires are hooked up correctly, then it just takes a press of the enter key to pull up the login prompt.

The next step requires root access. The root password for each unit is related to the unit’s serial number. [WarriorRocker] obtained the serial number by rebooting the Kindle while the Serial connection was still open. The boot sequence will spit out the number. This number can then be entered in to an online tool to generate possible root passwords. The tool is available on [WarriorRocker’s] project page linked above.

Next, the Kindle needs to be rebooted into diagnostic mode. This is because root logins are not allowed while the device is booted to the system partition. To enter diagnostic mode, [WarriorRocker] had to press enter over and over during the boot sequence in order to kill the automatic boot process. Then he checked some environment variables to locate the memory address where the diagnostic mode is stored. One more command tells the system to boot to that address and into diagnostic mode.

The last step of the process begins by mounting the Kindle as a USB storage device and copying over the stock Kindle firmware image. Next [WarriorRocker] had to exit the diagnostic menu and return to a root command prompt. Finally, he used the dd command to copy the image to the Kindle’s partition bit by bit. Fifteen minutes and one reboot later and the Kindle was working just as it should. [WarriorRocker] even notes that the 3G connection still works. Not bad for $20 and an hour or two of work.

Upgrading DJI Flight Controllers

DJI, the company that gave us the far too popular Phantom line of quadcopters, doesn’t just make the most popular line of FPV quads. Their top of the line flight controller, The Naza V2, is very good, able to connect to flight planning software that will set waypoints, talk to peripherals over a CAN bus, and has improved flight algorithms. On the other hand, their ‘reduced price’ model, the Naza Light, can’t connect to these nifty CAN bus peripherals and has a bit of a problem with drifting the quad from one side or another.

The Naza V2 sells for around $300, and the Naza Light sells for about $170, both with a GPS module. The hardware inside the V2 and Light is exactly the same. We all know how this is going to go down, right?

[udnham] over on the RC Groups forum figured out a way to load the more capable Naza V2 firmware on the Naza Light, giving the cheaper flight controller features that were, until now, only found in the more expensive V2 hardware. The upgrades include better algorithms for GPS position and altitude hold, the ability to connect to DJI peripherals including the Bluetooth module, the iOSD, and camera gimbals, Octocopter support, the DJI datalink modem, and a bunch of other features.

Even though DJI is using the same hardware in the $170 Naza Light and the $300 Naza V2, upgrading the firmware requires an Internet connection to the DJI servers. [udnham] wrote a utility that modifies the /etc/hosts file on your computer, runs a service, and allows you to upgrade your firmware on the Naza Light. It’s basically a $130 firmware upgrade for a DJI flight controller that’s a single download away.

[udnham] set up a site where you can download the firmware flashing tool with a few videos showing the upgrade process and the improvement over the stock firmware. You can check those out below.

Continue reading “Upgrading DJI Flight Controllers”

Crypto Photography and Custom Firmware

Imagine a camera that took encrypted pictures. If your camera is stolen, the only thing on the memory card would be random data that can only be unlocked with a key. If you hire a photographer, those images cannot be copied without the key. At the very least, it’s an interesting idea made impressive because this actually exists.

[Doug] recently got his hands on a Samsung NX300, a nice camera for the price that conveniently runs Linux and is kinda open-sourced by Samsung. With special firmware, [Doug] created public/private key encryption for this camera, giving only the person with the private key the ability to unlock the pictures taken with this camera.

[Doug] started his build by looking at the firmware for this camera, figuring out how to take everything apart and put it back together. With a few modifications that included encryption for all images taken with this camera, [Doug] repackaged the firmware and upgraded the camera.

The encryption firmware is available on the site, but considering how easily [Doug] was able to make this hack happen, and a great walkthrough of how to actually do it raises some interesting possibilities. The NX300 is a pretty nice camera that’s a little bit above the Canon PowerShot cameras supported by CHDK. It also runs Linux, so if you’re looking for something cool to do with a nice camera, [Doug] has a very good resource.

Amazon Fire TV Update Bricks Hacked Devices

The Amazon Fire TV is Amazon’s answer to all of the other streaming media devices on the market today. Amazon is reportedly selling these devices at cost, making very little off of the hardware sales. Instead, they are relying on the fact that most users will rent or purchase digital content on these boxes, and they can make more money in the long run this way. In fact, the device does not allow users to download content directly from the Google Play store, or even play media via USB disk. This makes it more likely that you will purchase content though Amazon’s own channels.

We’re hackers. We like to make things do what they were never intended to do. We like to add functionality. We want to customize, upgrade, and break our devices. It’s fun for us. It’s no surprise that hackers have been jail breaking these devices to see what else they are capable of. A side effect of these hacks is that content can be downloaded directly from Google Play. USB playback can also be enabled. This makes the device more useful to the consumer, but obviously is not in line with Amazon’s business strategy.

Amazon’s response to these hacks was to release a firmware update that will brick the device if it discovers that it has been rooted. It also will not allow a hacker to downgrade the firmware to an older version, since this would of course remove the root detection features.

This probably doesn’t come as a surprise to most of us. We’ve seen this type of thing for years with mobile phones. The iPhone has been locked to the Apple Store since the first generation, but the first iPhone was jailbroken just days after its initial release. Then there was the PlayStation 3 “downgrade” fiasco that resulted in hacks to restore the functionality. It seems that hackers and corporations are forever destined to disagree on who actually owns the hardware and what ownership really means. We’re locked in an epic game of cat and mouse, but usually the hackers seem to triumph in the end.