
Nicholas Starke nstarke

  • Bondurant, IA
@nstarke
nstarke / linux-firmare-cpu_rec.txt
Last active Jul 10, 2021
CPU_REC run against linux-firmware
# CPU_REC run against "linux-firmware"
# CPU_REC @ Git Commit: 9cc225db5e027658ad28c6886b6d6a9980cbe69f
# $ time find . -type f -not -name "LICENSE.*" -and -not -name "LICENCE.*" -and -not -name README -and -not -name GPL-3 -exec python3 ~/cpu_rec/cpu_rec.py {} \; > ../linux-firmware-cpu_rec.txt
# real 2572m26.253s
# user 2533m39.604s
# sys 38m23.537s
./cxgb3/ael2005_twx_edc.bin full(0x5bc) None chunk(0x100;2) MN10300
./cxgb3/t3fw-7.0.0.bin full(0x757c) None chunk(0xc0;3) Cell-SPU
nstarke / aqn-cpu_rec-results.txt
Created Jul 8, 2021
Aquantia Firmware Update Files - CPU_REC Results
$ python3 ~/cpu_rec/cpu_rec.py *.clx
AQC100-Felicity-3.1.121_bdp_aqsign.clx full(0x200000) None chunk(0x30800;97) Xtensa
AQC107-Nikki-3.1.121_bdp_aqsign.clx full(0x200000) None chunk(0x30800;97) Xtensa
AQC111-Bermuda-B0-3.1.121_bdp_aqsign.clx full(0x200000) None chunk(0x31000;98) Xtensa
$ binwalk *.clx
Scan Time: 2021-07-08 17:01:00
Target File: /home/nick/aqn/AQC100-Felicity-3.1.121_bdp_aqsign.clx
MD5 Checksum: 3dd8e40cd3e4aa183b13939190b86b05
Signatures: 404
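Both result sets above use cpu_rec's one-line-per-file output format: the path, a whole-file guess in `full(<size>) <arch>`, and a sliding-window guess in `chunk(<window>;<count>) <arch>`, with `None` printed where cpu_rec makes no call. When a run covers a whole firmware tree (the linux-firmware run above took over 42 hours) the useful next step is to parse and tally those lines. The script below is an added example, not part of nstarke's gists or of cpu_rec itself; the five sample lines are copied from the results above, and the "confidence" label is our own heuristic layered on top of cpu_rec's two guesses, not something cpu_rec reports.

```python
#!/usr/bin/env python3
"""Parse and tally cpu_rec result lines.

Added example (not cpu_rec's own code). cpu_rec prints one line per file:
  <path> full(<size>) <arch> chunk(<window>;<count>) <arch>
and prints `None` where it makes no confident call.
"""
import re
from collections import Counter

# Constructed sample: five lines copied from the two result sets above.
SAMPLE_RESULTS = """\
# CPU_REC run against "linux-firmware"
./cxgb3/ael2005_twx_edc.bin full(0x5bc) None chunk(0x100;2) MN10300
./cxgb3/t3fw-7.0.0.bin full(0x757c) None chunk(0xc0;3) Cell-SPU
AQC100-Felicity-3.1.121_bdp_aqsign.clx full(0x200000) None chunk(0x30800;97) Xtensa
AQC107-Nikki-3.1.121_bdp_aqsign.clx full(0x200000) None chunk(0x30800;97) Xtensa
AQC111-Bermuda-B0-3.1.121_bdp_aqsign.clx full(0x200000) None chunk(0x31000;98) Xtensa
"""

LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"full\((?P<full_size>0x[0-9a-fA-F]+)\)\s+(?P<full_arch>\S+)\s+"
    r"chunk\((?P<chunk_size>0x[0-9a-fA-F]+);(?P<nchunks>\d+)\)\s+(?P<chunk_arch>\S+)\s*$"
)


def parse_line(line):
    """Return a dict for one cpu_rec result line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    full_arch = None if m["full_arch"] == "None" else m["full_arch"]
    chunk_arch = None if m["chunk_arch"] == "None" else m["chunk_arch"]
    nchunks = int(m["nchunks"])
    # Our heuristic, not cpu_rec's: both passes naming the same arch is the
    # strongest signal; a chunk-only call over a handful of windows is weak.
    if full_arch and full_arch == chunk_arch:
        confidence = "high"
    elif chunk_arch and nchunks >= 16:
        confidence = "medium"
    else:
        confidence = "low"
    return {
        "path": m["path"],
        "size": int(m["full_size"], 16),
        "full_arch": full_arch,
        "chunk_size": int(m["chunk_size"], 16),
        "nchunks": nchunks,
        "chunk_arch": chunk_arch,
        "confidence": confidence,
    }


def parse_results(text):
    """Parse every result line, skipping blanks and the '#' header lines the gist carries."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rec = parse_line(line)
        if rec is not None:
            results.append(rec)
    return results


def tally(results):
    """Count files per best-available architecture guess (whole-file first, then chunk)."""
    counts = Counter()
    for r in results:
        counts[r["full_arch"] or r["chunk_arch"] or "unknown"] += 1
    return counts


if __name__ == "__main__":
    recs = parse_results(SAMPLE_RESULTS)
    for arch, n in tally(recs).most_common():
        print(f"{n:5d}  {arch}")
    for r in recs:
        print(f"{r['confidence']:6s} {r['path']}")
```

Feed it the saved results file (`parse_results(open("linux-firmware-cpu_rec.txt").read())`) to get the architecture distribution for the whole tree; lines where only the chunk pass made a call, as in every sample line here, are worth a second look with a disassembler before trusting the label.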
nstarke / CountReferencedStrings.java
Last active Jan 20, 2021
Ghidra Script: Count Referenced Strings
/* ###
* IP: GHIDRA
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
nstarke / find-compressed-data.py
Last active Jan 18, 2021
Find Compressed Data without Compression Header
#!/usr/bin/env python3
#
# find-compressed-data.py
#
# A small script to brute-force embedded compressed data that might not have a header.
# Useful for raw binary firmware images that do not contain a standard
# binary header (ELF, PE, Mach-O).
#
# I included a limit on size at 16KB because this has a tendency to create
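The technique the gist header describes (try to inflate from every offset, keep offsets where zlib accepts the bytes, cap the output to bound the work and the false positives) can be implemented with nothing but the standard library. The script below is an added example written for this page, not the gist's own `find-compressed-data.py`; it goes slightly beyond the description by trying gzip, zlib and raw deflate containers, and the test image it builds (0xff filler around a zlib stream and a gzip stream) is constructed here. The 16 KB output cap and the 64-byte minimum are our choices.

```python
#!/usr/bin/env python3
"""Brute-force headerless zlib/gzip/raw-deflate streams inside a blob.

Added example, not the gist's script. Tries to inflate from every offset and
keeps offsets where zlib accepts the data and produces a meaningful amount of
output. Inflated output is capped per candidate to bound the work and the
false positives that random-looking bytes produce.
"""
import gzip
import zlib
from collections import namedtuple

MAX_OUT = 16 * 1024   # cap on inflated bytes per candidate (our choice)
MIN_OUT = 64          # below this the match is almost certainly noise (our choice)

# wbits values zlib uses to select the container: gzip, zlib, raw deflate.
FORMATS = ((31, "gzip"), (15, "zlib"), (-15, "raw-deflate"))

Hit = namedtuple("Hit", "offset kind consumed inflated complete")


def try_inflate(mv, offset, wbits):
    """Inflate mv[offset:] as the given container; None if zlib rejects it."""
    d = zlib.decompressobj(wbits)
    try:
        out = d.decompress(mv[offset:], MAX_OUT)
    except zlib.error:
        return None
    # Input not consumed is either left over after end-of-stream (unused_data)
    # or held back because the output cap was reached (unconsumed_tail).
    consumed = len(mv) - offset - len(d.unused_data) - len(d.unconsumed_tail)
    return out, consumed, d.eof


def find_compressed(blob):
    """Scan every offset and return Hit records.

    After a complete stream is found the scan jumps past it, so the raw
    deflate body inside a zlib or gzip stream is not reported a second time.
    """
    mv = memoryview(blob)
    hits = []
    offset = 0
    while offset < len(blob):
        step = 1
        for wbits, kind in FORMATS:
            r = try_inflate(mv, offset, wbits)
            if r is None:
                continue
            out, consumed, eof = r
            if len(out) < MIN_OUT:
                continue
            hits.append(Hit(offset, kind, consumed, len(out), eof))
            if eof:
                step = max(1, consumed)
            break
        offset += step
    return hits


def build_sample():
    """Constructed test image: 0xff filler, a zlib stream, filler, a gzip stream, filler.

    0xff never parses as any of the three containers, so every hit must come
    from the two embedded streams. Returns the blob and the expected offsets.
    """
    payload = b"kernel-module-or-config-text " * 40
    z = zlib.compress(payload)
    g = gzip.compress(payload, mtime=0)
    filler = b"\xff" * 128
    blob = filler + z + filler + g + filler
    return blob, len(filler), len(z), 2 * len(filler) + len(z), len(g)


if __name__ == "__main__":
    blob, *_ = build_sample()
    for h in find_compressed(blob):
        state = "complete" if h.complete else "truncated"
        print(f"0x{h.offset:08x} {h.kind:12s} in={h.consumed:6d} out={h.inflated:6d} {state}")
```

On a real image, replace `build_sample()` with `open(path, "rb").read()`; a hit marked truncated means zlib accepted the bytes up to the cap or the end of the file without seeing an end-of-stream marker, which is what a real stream cut by the file boundary looks like, but also what a lucky run of random bytes looks like, so inspect those by hand.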
nstarke / decrypting-dlink-proprietary-firmware-images.md
Last active Jul 20, 2021
Decrypting DLINK Proprietary Firmware Images
nstarke / linksys-ea4500-device-firmware-decryption.md
Created Mar 18, 2020
Linksys EA4500 Device Firmware Decryption

Linksys EA4500 Firmware Decryption

I recently pulled a Linksys EA4500 out of storage for evaluation. The first thing I wanted to do was to update the firmware for the device. https://www.linksys.com/us/support-article?articleNum=148385 offers the latest version of the firmware, which is 3.1.7 as of this writing.

However, we can see from the filename that it's probably encrypted: FW_EA4500V3_3.1.7.181919_prod.gpg.img

When I run binwalk I don't get any meaningful results, confirming my suspicions:

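An empty binwalk signature scan is consistent with encryption but does not prove it; the check that usually settles the question is byte entropy, which sits near 8 bits/byte across the whole image for encrypted or compressed data and varies block to block for plaintext firmware (code, tables, strings). binwalk's `-E` option plots the same measure. The script below is an added example for this page, not from the gist; the 4 KB window, the 7.9 bits/byte threshold and the three sample inputs are constructed here, and it cannot tell encrypted from compressed, only opaque from not.

```python
#!/usr/bin/env python3
"""Per-block Shannon entropy as a quick encrypted/compressed check.

Added example, not from the gist. Compressed or encrypted data sits close to
8 bits/byte across the whole image; plaintext firmware shows lower, varied
entropy. This separates opaque from plaintext, not encrypted from compressed.
"""
import math
from collections import Counter

BLOCK = 4096   # window size (our choice)
HIGH = 7.9     # bits/byte; our threshold for "looks encrypted or compressed"


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def block_entropy(blob, block=BLOCK):
    """Entropy of each block-sized window, last partial block included."""
    return [shannon_entropy(blob[i:i + block]) for i in range(0, len(blob), block)]


def classify(blob, block=BLOCK, high=HIGH):
    """'opaque' if every block is at or above `high`, 'mixed' if only some
    are (for example a plaintext header in front of an encrypted body),
    else 'plaintext'. Heuristic, not a proof of encryption."""
    ents = block_entropy(blob, block)
    above = sum(e >= high for e in ents)
    if above == len(ents):
        return "opaque"
    if above:
        return "mixed"
    return "plaintext"


def build_samples():
    """Constructed inputs: a block with every byte value equally often
    (entropy exactly 8.0), a zeroed block (0.0), and ASCII text."""
    uniform = bytes(range(256)) * 16            # 4096 bytes, each value 16 times
    zeros = b"\x00" * 4096
    text = b"Linksys EA4500 boot strings and config " * 100
    return uniform, zeros, text


if __name__ == "__main__":
    for name, sample in zip(("uniform", "zeros", "text"), build_samples()):
        print(f"{name:8s} {shannon_entropy(sample):5.3f} bits/byte  -> {classify(sample)}")
```

On the image itself, `classify(open("FW_EA4500V3_3.1.7.181919_prod.gpg.img", "rb").read())` returning "opaque" agrees with the .gpg in the filename; a "mixed" result is more interesting, because the low-entropy blocks are where a cleartext header, key material or a loader would be.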
nstarke / linux-dialup-modems.md
Last active Mar 15, 2020
Connecting to Raspberry Pi's using 56k Modems

Dial Up Connections on Linux

In this tutorial we will detail how to connect two Linux hosts via 56k modems. To do this we will use the following components:

nstarke / 0000-cve-2020-8597.md
Last active Nov 27, 2020
CVE-2020-8597 - Buffer Overflow in pppd

CVE-2020-8597 - Buffer Overflow in pppd

In this short tutorial we will go over how to reproduce the crash from CVE-2020-8597. This is a stack-based buffer overflow in the pppd binary.

We will use our own pppd binary compiled from source, using the latest version: 2.4.8.

To accomplish this goal, we will need two Virtual Machines connected by a virtual serial port. I typically use VirtualBox since it is open source, but the same sort of configuration should work on other hypervisors.

I spun up two VMs:

nstarke / building-and-running-ovmf-in-qemu.md
Created Feb 25, 2020
Building and Running OVMF in Qemu

Building and Running OVMF in Qemu

I built EDK2 and OVMF from source using the instructions here: https://github.com/tianocore/tianocore.github.io/wiki/How-to-run-OVMF

The instructions are helpful in getting the build tooling configured to build edk2, but I consistently ran into a problem when I built the DEBUG version of OVMF. I would run:

$ qemu-system-x86_64 -bios ../edk2/Build/OvmfX64/DEBUG_GCC5/FV/OVMF.fd
nstarke / ecusim-2000.md
Created Feb 23, 2020
Car hacking with ScanTool ECUSim 2000

Car hacking with ScanTool ECUSim 2000

An upcoming project has me looking at car hacking at the moment. I watched a great video ( https://www.youtube.com/watch?v=nvxN5G21aBQ ) which caught me up to speed on the fundamentals. There are a few other videos out there on introductory car hacking, but they all seem to revolve around the virtual CAN interface provided by vcan. I decided I didn't want to test virtually because then I wouldn't know how to work with the actual connection hardware. At the same time, being a beginner, I DID NOT want to plug into my personal vehicle's OBD2 port.

I was looking for something between vcan and a real car. A little googling led me to the ScanTool ECUSim 2000: https://www.amazon.com/OBDLink-ScanTool-ECUsim-Simulator-Development/dp/B008NAH6WE

This board simulates a car. It has an OBD2 port for interfacing just like one would do with a