Customizing Xiaomi ARM Cortex-M Firmware

This hack was revealed a while ago at DEFCON26, but it’s still a fascinating look into vulnerabilities that affect some of the most widely used IoT devices.

[Dennis Giese] figured out a way to modify ARM Cortex-M based firmware for use in customizing the functionality of devices or removing access to the vendor. Obviously, there are more malicious activities that can be done with this type of hack, as with any exploits of firmware, but they are (also) obviously not condoned.

The talk goes into the structure of Xiaomi ecosystem and products before going into a step-by-step approach to binary patching the firmware. The first step was to acquire the firmware, either by dumping SPI flash memory (using JTAG, SWD, or desoldered Flash pins) or intercepting traffic during a firmware update and downloading the firmware. There’s also a possibility of downloading the firmware using a URL, although this can be more difficult to find.

The firmware can then be parsed, which first requires converting it from a proprietary format to an ELF file. This conversion makes it easier to load into IDA Pro, and gives information on the segments of the firmware and its entry point. Python tools luckily exist for converting raw binary files to ELF, which simplifies the task.

After loading the ELF file into the disassembler, you’ll want to find the key memory area, denoted by “TAG_MAC”, “TAG_DID”, and “TAG_KEY” in the example firmware (for storing the MAC address, device ID, and key). In order to prepare the firmware for Nexmon, a framework for C-based binary patching of ARM Cortex-A and ARM Cortex-M firmware, you’ll need to reserve some space in memory for the patches and know the function names and signatures in the firmware.

The latter is recovered by diffing an unknown executable against the example executable in the disassembler.
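The first two steps above, wrapping a raw flash dump so the disassembler knows its load address and entry point and then locating the key area by its markers, can be scripted in a few dozen lines. The following is an added example, not code from the talk or from any of [Dennis Giese]’s tools: it builds a minimal ELF32 around a Cortex-M image (entry taken from the reset vector at word 1 of the vector table, Thumb bit cleared) and searches the image for the `TAG_MAC`/`TAG_DID`/`TAG_KEY` strings. The flash base address, the sample blob and the assumption that the markers are stored as plain ASCII are all constructed for the example.

```python
# Added example (not from the talk or Dennis Giese's tooling): wrap a raw ARM
# Cortex-M flash dump into a minimal ELF32 and locate the key-area markers.
import struct

EM_ARM = 40
ET_EXEC = 2
PT_LOAD = 1
PF_R, PF_W, PF_X = 4, 2, 1
EF_ARM_EABI_VER5 = 0x05000000
EHDR_SIZE, PHDR_SIZE = 52, 32

TAGS = (b"TAG_MAC", b"TAG_DID", b"TAG_KEY")


def cortex_m_vectors(blob):
    """Return (initial_sp, reset_handler) from the vector table at offset 0.

    On Cortex-M, word 0 is the initial stack pointer and word 1 the reset
    handler with bit 0 set to flag Thumb mode; clearing it gives the byte
    address of the first instruction."""
    sp, reset = struct.unpack_from("<II", blob, 0)
    return sp, reset & ~1


def wrap_elf(blob, base):
    """Build a little-endian ARM ELF32 with one PT_LOAD segment mapping
    `blob` at virtual address `base`; e_entry comes from the reset vector."""
    _, entry = cortex_m_vectors(blob)
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # 32-bit, LSB, v1, SysV
    ehdr = e_ident + struct.pack(
        "<HHIIIIIHHHHHH",
        ET_EXEC, EM_ARM, 1, entry,
        EHDR_SIZE,            # program header table directly after the ELF header
        0,                    # no section header table
        EF_ARM_EABI_VER5,
        EHDR_SIZE, PHDR_SIZE, 1, 0, 0, 0,
    )
    phdr = struct.pack(
        "<IIIIIIII",
        PT_LOAD, EHDR_SIZE + PHDR_SIZE, base, base,
        len(blob), len(blob), PF_R | PF_X, 4,
    )
    return ehdr + phdr + blob


def find_tags(blob, base):
    """Map each key-area marker to its absolute address in the loaded image."""
    found = {}
    for tag in TAGS:
        off = blob.find(tag)
        if off != -1:
            found[tag.decode()] = base + off
    return found


# Constructed stand-in for a flash dump: vector table, padding, a few "bx lr"
# stubs in place of real code, then a fake key area carrying the three markers.
FLASH_BASE = 0x08000000  # assumed load address; take the real one from the MCU datasheet
SAMPLE = bytearray(struct.pack("<II", 0x20002000, (FLASH_BASE + 0x100) | 1))
SAMPLE += b"\x00" * (0x100 - len(SAMPLE))
SAMPLE += b"\x70\x47" * 8
SAMPLE += b"TAG_MAC" + b"\x00" * 9 + b"TAG_DID" + b"\x00" * 9 + b"TAG_KEY" + b"\x00" * 9
SAMPLE = bytes(SAMPLE)

if __name__ == "__main__":
    with open("firmware.elf", "wb") as fh:
        fh.write(wrap_elf(SAMPLE, FLASH_BASE))
    print("entry 0x%08x" % cortex_m_vectors(SAMPLE)[1], find_tags(SAMPLE, FLASH_BASE))
```

`readelf -h firmware.elf` on the output shows machine ARM, entry 0x08000100 and a single LOAD segment, which is all a disassembler needs to resolve absolute addresses and cross-references correctly.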

With the necessary information gathered, you can now use Nexmon to make your modifications. The fact that this can be done for smart devices at home means that smart devices you acquire – especially ones that have passed through other hands – may contain malicious code, so take care when handling used devices.


There’s More To The 3D Print Than The Eye Can See

If you thought CADing designs for 3D printing was hard enough, wait until you hear about this .stl trick.

[Angus] of Maker’s Muse recently demoed a method for creating hidden geometries in .stl files that are only revealed during the slicing process before a 3D print. (Video, embedded below.) The process involves creating geometries with a thickness smaller than the size of the 3D printer’s nozzle that still appear to be solid in a .stl editor, but will not be rendered by a FDM slicer.

Most 3D printers have a 0.4 mm nozzle, so creating geometries with a wall thinner than this value will result in the effect that you’re looking for. Some possible uses for this trick are to create easter eggs or even to mess with other 3D printing enthusiasts. Of course, [Angus] recommends not to use this “deception for criminal or malicious intent” and I’d have to agree.

There are a few other tricks that he reveals as well, including a way to create a body that’s actually a thin shell but appears to be solid: great for making unprintable letters that reveal hidden messages.

Nevertheless, it’s a cool trick and maybe one of those “features not bugs” in the slicer software.


Converting A Tesla To A Pickup Truck

The renowned inventor of useless robots [Simone Giertz] has outdone herself this time. She, along with a team of engineers featuring [Rich Rebuilds], [Laura Kampf], and [Marcos Ramirez], recently decided to convert a Tesla into a pickup truck, and make a video along the way, all while salvaging what remains they can of the back of the car and making the final product roadworthy. Yeah, this is a couple weeks old now, and yeah, it’s kind of a commercial, but really: [Simone Giertz] and Co. rock.

In her vlog of the experience, the team starts by gutting out the interior of the car in order to find out the weight distribution and form of the outer frame. Essentially, in order to create the pickup truck, a portion of the back of the car needs to be removed, with additional beams and support welded in depending on the consequent structural integrity. With a sawzall and angle grinder, the top portion of the frame is cut and taken out, but not before a worrying glance brings about the realization that the car needs exterior support during its modifications.

After the cushions, glass, wiring, and all other accessories are removed, they install a truck bed from another sacrificial pickup truck, as well as a roof rack to complete the look. Amidst the deconstruction and reconstruction, there are moments when the car encounters a “Safety restraint system fault” or when the team accidentally lines the inside of the car with fiberglass right before shooting their video. Between complaints of the different clip sizes used and the clear time pressure of the project, it’s a funny and informative look into a pretty unique car mod.

The final commercial they made of their Tesla-pickup hybrid, dubbed Truckla, is available on [Giertz]’s YouTube channel.


File Compression By Steganography

In a world with finite storage and an infinite need for more storage space, data compression becomes a very necessary problem. Several algorithms for data compression may be more familiar – Huffman coding, LZW compression – and some a bit more arcane.

[Labunsky] decided to put to use his knowledge of steganography to create a wholly unique form of file compression, perhaps one that may gain greater notoriety among other information theorists.

Steganography refers to the method of concealing messages or files within another file, coming from the Greek words steganos for “covered or concealed” and graphe for “writing”. The practice has been around for ages, from writing in invisible ink to storing messages in moon cakes. The methods used range from hiding messages in images to evade censorship to hiding viruses in files to cause mayhem.

100% not [via xkcd]
The developer explains that since every file is just a bit sequence, looking at enough files shows that most bits are the same at the same positions. Rather than storing all of the bits of a file, making modifications to the hard drive at certain locations can save storage space. What is important to avoid, however, is lossy file compression that can wreak havoc on quality during the compression stage.

The compression technique they ended up implementing is based on the F5 algorithm that embeds binary data into JPEG files to reduce total space in the memory. The compression uses libjpeg for JPEG decoding and encoding, pcre for POSIX regular expressions support, and tinydir for platform-independent filesystem traversal. One of the major modifications was to save computation resources by disabling a password-based permutative straddling that uniformly spreads data among multiple files.

One caveat – changing even one bit of the compressed file could lead to total corruption of all of the data stored, so use with caution!
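Two points above deserve a concrete illustration: why F5-style embedding touches so little of the carrier, and why a single flipped bit in the carrier breaks recovery. The block below is an added example and not [Labunsky]’s code: it implements F5’s matrix encoding (the (1, 2^k−1, k) code) over a list of integers standing in for JPEG DCT coefficients, embedding k message bits into each group of 2^k−1 values while changing at most one of them. It is simplified on purpose: it flips the LSB instead of F5’s decrement-toward-zero with shrinkage handling, and it has no permutative straddling. The carrier values and message are constructed.

```python
# Added example (not the project's code): F5-style matrix encoding on a list of
# integers that stand in for JPEG DCT coefficients. Simplified: LSB flips
# instead of F5's decrement/shrinkage, and no permutative straddling.

def _group_hash(group):
    """XOR of the 1-based positions whose LSB is 1 (F5's group hash)."""
    h = 0
    for i, v in enumerate(group, 1):
        if v & 1:
            h ^= i
    return h


def embed(carrier, message, k):
    """Embed `message` (bytes) k bits at a time into groups of 2**k - 1 carrier
    values, changing at most one value per group. Returns a new list."""
    n = (1 << k) - 1
    bits = [(byte >> (7 - b)) & 1 for byte in message for b in range(8)]
    bits += [0] * (-len(bits) % k)            # pad to a multiple of k bits
    groups = len(bits) // k
    if groups * n > len(carrier):
        raise ValueError("carrier too small: need %d values, have %d" % (groups * n, len(carrier)))
    out = list(carrier)
    for g in range(groups):
        chunk = bits[g * k:(g + 1) * k]
        m = int("".join(map(str, chunk)), 2)
        start = g * n
        s = _group_hash(out[start:start + n]) ^ m
        if s:                                  # s == 0 means the hash already equals m
            out[start + s - 1] ^= 1            # flip exactly one LSB so the hash becomes m
    return out


def extract(carrier, nbytes, k):
    """Read k bits from each group's hash until `nbytes` bytes are recovered."""
    n = (1 << k) - 1
    bits, g = [], 0
    while len(bits) < nbytes * 8:
        h = _group_hash(carrier[g * n:(g + 1) * n])
        bits.extend(int(b) for b in format(h, "0%db" % k))
        g += 1
    bits = bits[:nbytes * 8]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


# Constructed carrier: 200 deterministic pseudo-coefficients in [-50, 50].
CARRIER = [(i * 37 + 11) % 101 - 50 for i in range(200)]


def demo(message=b"Hi", k=3):
    """Return (values changed, recovered message, message after one carrier bit flip)."""
    stego = embed(CARRIER, message, k)
    changes = sum(a != b for a, b in zip(CARRIER, stego))
    recovered = extract(stego, len(message), k)
    damaged = list(stego)
    damaged[0] ^= 1                            # one carrier bit corrupted in storage
    return changes, recovered, extract(damaged, len(message), k)


if __name__ == "__main__":
    print(demo())
```

With k = 3, the 16-bit message occupies six groups of seven values and costs at most six changed values, against up to 16 for plain LSB replacement; that efficiency is where the "compression" comes from. The last element of `demo()` shows the flip side: one corrupted carrier value changes its group's hash and the recovered bytes with it, which is the caveat above in miniature.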

Miss Nothing With A Hacked 360 Degree Camera Trap

Camera traps are a very common tool in wildlife conservation and research, but placing and pointing them correctly can be a bit of a guessing game. Something very interesting could happen just out of frame and you’d be none the wiser. [Andrew Quitmeyer] and [Danielle Hoogendijk] at DINALABS (Digital Naturalism Laboratories) in Panama are experimenting with hacked consumer 360° cameras to help solve the problem.

The project is called Panatrap and looks very promising. They’ve done very detailed testing with a number of different 360° cameras, and have built functional prototypes with the Xiaomi Misphere and Ricoh Theta V. The Xiaomi had some handy contacts on the bottom of the camera for its selfie stick interface (simply a resistor and button), which allowed full control of the camera. An Arduino compatible board waits for the motion detected signal from a PIR sensor, then sends the required command to the camera to wake up and take footage. The Ricoh was slightly more challenging, but they discovered that the camera will wake up if an emulated keyboard command is received over its USB port from a Teensy. Triggering is then done by a servo pushing against the camera’s button. Everything is housed in a laser cut acrylic case to help it survive the wet jungle. If anyone knows how to hack the Samsung Gear camera to work, the team is keen to hear from you!

All the work is open sourced, with build details and hardware designs available on the project page and software up on GitHub. Check out some cool 360° test footage after the break with some local wildlife. We are looking forward to more footage!

Revisiting The BlackHat Hack: How A Security Conference Was Pwned

Does anyone remember the Black Hat BCard hack in 2018? This hack has been documented extensively, most notoriously by [NinjaStyle] in his original blog post revealing the circumstances around discovering the vulnerability. The breach ended up revealing the names, email addresses, phone numbers, and personal details of every single conference attendee – an embarrassing leak from one of the world’s largest cybersecurity conferences.

To recap: The Black Hat conference badges included an embedded NFC tag storing the participant’s contact details presumably for vendors to scan for marketing purposes. After scanning the tag, [NinjaStyle] realized that his name was readily available, but not his email address and other information. Instead, the NFC reader pointed to the BCard app – an application created for reading business cards.

[NinjaStyle] decompiled the APK for the app to search for API endpoints and found that the participants each had a custom URL made using event identification values. After finding data that appeared to correspond to an eventID and badgeID, he sent a request over a web browser and found that his attendee data was returned completely unauthenticated. With this knowledge, it was possible to brute-force the contact details for every Black Hat attendee (the range of valid IDs was between 100000 and 999999, and there were about 18,000 attendees). Using Burp Suite, the task would take about six hours.

He was able to get ahold of BCard to reveal the vulnerability, which was fixed in less than a day by disabling the leaky API from their legacy system. Even so, legacy APIs in conference apps aren’t an uncommon occurrence – the 2018 RSA Conference (another cybersecurity conference) also suffered from an unprotected app that allowed 114 attendee records to be accessed without permission.
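The root cause above is an endpoint whose only "credential" is a pair of guessable numbers. The block below is an added example, not BCard’s code: a stand-in badge lookup in its vulnerable form next to a hardened form that demands a per-badge capability token (an HMAC over eventID and badgeID under a server-side secret, the kind of value that can be written into the NFC tag alongside the IDs so a legitimate scan still works but IDs alone do not), plus a small log check that flags the enumeration pattern. The record store, secret, log format and addresses are all constructed.

```python
# Added example (not BCard's code): vulnerable vs. hardened badge lookup, and a
# detector for ID enumeration in access logs. All data below is constructed.
import hmac
import hashlib
from collections import defaultdict

SERVER_SECRET = b"example-only-rotate-me"   # constructed; lives server-side only

ATTENDEES = {                                 # constructed sample records
    ("evt2018", 100123): {"name": "A. Example", "email": "a@example.test"},
    ("evt2018", 100124): {"name": "B. Example", "email": "b@example.test"},
}


def lookup_vulnerable(event_id, badge_id):
    """Unauthenticated: two guessable numbers return a record, so the whole
    ID range can be walked."""
    return ATTENDEES.get((event_id, badge_id))


def badge_token(event_id, badge_id):
    """Per-badge capability: only the server can mint it, so a scanner that
    has read one badge learns nothing usable about any other badge."""
    msg = "%s:%d" % (event_id, badge_id)
    return hmac.new(SERVER_SECRET, msg.encode(), hashlib.sha256).hexdigest()


def lookup_hardened(event_id, badge_id, token):
    """Returns the record only when the presented token matches; a wrong token
    and an unknown badge look identical to the caller."""
    expected = badge_token(event_id, badge_id)
    if not hmac.compare_digest(expected, token):   # constant-time comparison
        return None
    return ATTENDEES.get((event_id, badge_id))


def enumeration_suspects(log_lines, threshold=5):
    """Clients that touched at least `threshold` distinct badge IDs, the
    signature of sequential harvesting. Log format (constructed):
    '<client> <method> <path>'."""
    seen = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        client, path = parts[0], parts[2]
        if "/badge/" in path:
            seen[client].add(path.rsplit("/", 1)[1])
    return sorted(c for c, ids in seen.items() if len(ids) >= threshold)


# Constructed access log: one client scans two badges, another walks a range.
SAMPLE_LOG = [
    "203.0.113.9 GET /api/evt2018/badge/100123",
    "203.0.113.9 GET /api/evt2018/badge/100124",
] + ["198.51.100.7 GET /api/evt2018/badge/%d" % i for i in range(100000, 100008)]


if __name__ == "__main__":
    tok = badge_token("evt2018", 100123)
    print(lookup_hardened("evt2018", 100123, tok))
    print(lookup_hardened("evt2018", 100124, tok))    # token is bound to one badge
    print(enumeration_suspects(SAMPLE_LOG))
```

The token is bound to a specific (eventID, badgeID) pair, so presenting a valid token with a neighbouring badgeID is refused; rate limiting would slow a six-hour walk of the ID space but would not remove the flaw, which is why the binding check matters more than the throttle.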

With the widespread publicity of leaked attendee data, event organizers are hopefully getting smarter about the apps that they use, especially if they come from a third-party vendor. [Yashvier Kosaraju] gave a talk at TROOPERS19 about pen testing several large vendors and discovering that Kitapps (Attendify) and Eventmobi both built apps with unauthenticated access to attendee data. It’s hard to say how many apps from previous years are still around, or whether or not the next event app you use will come with authentication – just remember to stay vigilant and to not give too much of your personal data away.

A Low-Power Solution To Streamlining Sensor Data For IoT

For home use IoT systems, getting sensor data from tons of physical locations centralized to a single Raspberry Pi can be a difficult job, especially when considering the power consumption that’s necessary for doing it all over WiFi. When you’re using an ESP8266, for instance, swapping out batteries and accounting for connectivity issues can be a major hassle for a long-term solution. The NoCAN platform, created by [Alain Pannetrat], solves this problem with a wired approach built on the CAN bus.

Since SPI and I2C only work for short distances, approaches like RS-485 and CAN bus are a better bet for this type of setup. For systems with one centralized point, RS-485 works best, while the CAN bus is the better approach when you’re considering using multiple masters in a single environment.

CAN devices typically need a static address, so messaging involves sending data to the known address of the destination device. With NoCAN, a dynamic address assignment scheme allows nodes to request an address from a node manager on boot-up (similar to DHCP). A command line application also allows users to send and receive messages from nodes using a pub/sub implementation – a device sends messages to a channel, and every device subscribed to the channel receives the message.
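The two mechanisms in that paragraph, DHCP-like address assignment and channel pub/sub, are easiest to see in a small in-memory model. The following is an added example, not NoCAN’s code or wire format: a node manager hands out the lowest free address to each unique device ID, returns the same address when a node reboots and asks again, and fans a published message out to every subscriber of a channel. The 127-address pool, the device IDs and the channel names are assumptions made for the model.

```python
# Added example (not NoCAN's implementation): in-memory model of dynamic
# address assignment by a node manager plus channel-based pub/sub.


class NodeManager:
    MAX_NODES = 127          # assumption for the model: 7-bit address space, 0 is the manager

    def __init__(self):
        self.addr_by_udid = {}   # unique device ID -> assigned address (the "lease")
        self.subs = {}           # channel -> set of subscriber addresses
        self.inbox = {}          # address -> list of (channel, payload) delivered

    def request_address(self, udid):
        """Boot-time request: a known device gets its previous address back,
        a new one gets the lowest free address (DHCP-like)."""
        if udid in self.addr_by_udid:
            return self.addr_by_udid[udid]
        used = set(self.addr_by_udid.values())
        for addr in range(1, self.MAX_NODES + 1):
            if addr not in used:
                self.addr_by_udid[udid] = addr
                self.inbox[addr] = []
                return addr
        raise RuntimeError("address pool exhausted")

    def subscribe(self, addr, channel):
        self._check_registered(addr)
        self.subs.setdefault(channel, set()).add(addr)

    def publish(self, addr, channel, payload):
        """Deliver `payload` to every subscriber of `channel`; returns the count."""
        self._check_registered(addr)
        targets = self.subs.get(channel, set())
        for target in targets:
            self.inbox[target].append((channel, payload))
        return len(targets)

    def _check_registered(self, addr):
        # A node that never asked for an address has no business on the bus.
        if addr not in self.inbox:
            raise PermissionError("unregistered node address %d" % addr)


def demo():
    """Three constructed nodes: a kitchen sensor, a garage node and the Pi."""
    mgr = NodeManager()
    kitchen = mgr.request_address(b"\x01" * 8)
    garage = mgr.request_address(b"\x02" * 8)
    pi = mgr.request_address(b"\x03" * 8)
    mgr.subscribe(pi, "sensors/temperature")
    mgr.subscribe(garage, "sensors/temperature")
    delivered = mgr.publish(kitchen, "sensors/temperature", b"21.5")
    rebooted = mgr.request_address(b"\x01" * 8)   # kitchen reboots, keeps address
    return kitchen, garage, pi, delivered, rebooted, mgr.inbox[pi]


if __name__ == "__main__":
    print(demo())
```

The registration check in `publish` and `subscribe` is the model’s version of the trust boundary the manager provides: addresses are only meaningful because the manager issued them, so a frame from an address it never handed out is rejected rather than routed.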

The hardware for the NoCAN platform consists of a Raspberry Pi with a “PiMaster” HAT and an Arduino-compatible CANZERO board. The PiMaster HAT uses an STM32F042 ARM Cortex M0 MCU, acting as an interface between the Pi and the CAN bus as well as preventing over-current events with a software-controlled smart switch. The CANZERO is based on the SAMD21G18 ARM Cortex M0+ running at 48MHz, similar to the Arduino MKR Zero, with CAN bus networking using the STM32F042 ARM Cortex M0. The double MCU design allows the secondary MCU to reset the primary if it gets stuck due to a programming error, with the messages sent over the CAN bus.

To join the network together, a four-wire cable daisy-chains the nodes in the bus network, providing connectivity for up to 1000 feet. Either 12V or 24V DC power runs through the network, stepping down to 5V or 3.3V at each node. The approach is similar to PoE (power over Ethernet), although it is slower and lower in cost. Overall, it seems like a good solution for environments where wireless connectivity simply doesn’t cut it.