Nicholas Starke nstarke

@nstarke
nstarke / release-android-debuggable.md
Last active Jul 21, 2022
How to make a Release Android App debuggable
View release-android-debuggable.md

How to make a Release Android App debuggable

Let's say you want to access the application shared preferences in /data/data/com.mypackage.
You could try to run adb shell and then run-as com.mypackage (or adb shell run-as com.mypackage ls /data/data/com.mypackage/shared_prefs), but on a production release app downloaded from an app store you are most likely to see:

run-as: Package 'com.mypackage' is not debuggable
@nstarke
nstarke / linux-dialup-modems.md
Last active Jul 6, 2022
Connecting to Raspberry Pis using 56k Modems
View linux-dialup-modems.md

Dial Up Connections on Linux

In this tutorial we will detail how to connect two Linux hosts via 56k modems. To do this we will use the following components:

@nstarke
nstarke / find-compressed-data.py
Last active Jul 5, 2022
Find Compressed Data without Compression Header
View find-compressed-data.py
#!/usr/bin/env python3
#
# find-compressed-data.py
#
# A small script to bruteforce embedded compressed data that might not have a header
# Useful for raw binary firmware images that do not contain a standard
# binary header (ELF, PE, Mach-O).
#
# I included a limit on size at 16KB because this has a tendency to create
View network-callout.sh
#!/bin/bash
# sudo apt install iw curl jq
ALIVE="$1"

# Query an external service for the public IP seen from this host and
# report it together with the interface name passed as the first argument.
check_public_ip() {
    INTERFACE="$1"
    PUBLIC_IP=$(curl -s https://httpbin.org/ip | jq -r .origin)
    if [[ -n "$PUBLIC_IP" ]]; then
        echo "[+] Found Public IP $PUBLIC_IP for $INTERFACE"
    fi
}
@nstarke
nstarke / ecusim-2000.md
Created Feb 23, 2020
Car hacking with ScanTool ECUSim 2000
View ecusim-2000.md

Car hacking with ScanTool ECUSim 2000

An upcoming project has me looking at car hacking at the moment. I watched a great video ( https://www.youtube.com/watch?v=nvxN5G21aBQ ) which caught me up to speed on the fundamentals. There are a few other videos out there on introductory car hacking, but they all seem to revolve around the virtual CAN interface provided by vcan. I decided I didn't want to test virtually because then I wouldn't know how to work with the actual connection hardware. At the same time, being a beginner, I DID NOT want to plug into my personal vehicle's OBD2 port.

I was looking for something between vcan and a real car. A little googling led me to the ScanTool ECUSim 2000: https://www.amazon.com/OBDLink-ScanTool-ECUsim-Simulator-Development/dp/B008NAH6WE

This board simulates a car. It has an OBD2 port for interfacing just like one would do with a

@nstarke
nstarke / linksys-ea4500-device-firmware-decryption.md
Created Mar 18, 2020
Linksys EA4500 Device Firmware Decryption
View linksys-ea4500-device-firmware-decryption.md

Linksys EA4500 Firmware Decryption

I recently pulled a Linksys EA4500 out of storage for evaluation. The first thing I wanted to do was to update the firmware for the device. https://www.linksys.com/us/support-article?articleNum=148385 offers the latest version of the firmware, which is 3.1.7 as of this writing.

However, we can see from the filename that it's probably encrypted: FW_EA4500V3_3.1.7.181919_prod.gpg.img

When I run binwalk I don't get any meaningful results, confirming my suspicions:

View exploiting-jwt.js
// Original research publication:
// https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
//
// Dependency installation command:
// npm i jsonwebtoken@0.2.0
//
// Node security advisory:
// https://nodesecurity.io/advisories/88
const jwt = require('jsonwebtoken');
@nstarke
nstarke / qemu-debian-powerpc32.md
Created May 31, 2017
Create Debian PowerPC32 VM Under QEMU
View qemu-debian-powerpc32.md

Create Debian PowerPC32 VM Under QEMU

I have a collection of QEMU VMs for different CPU Architectures. In an attempt to fill in some gaps on architectures I lacked VMs for, I decided to spin up a PowerPC32 VM under QEMU. I chose Debian-PowerPC as the OS.

Gathering Resources

Install the prerequisite PowerPC packages:

# apt-get install qemu-system-ppc openbios-ppc
@nstarke
nstarke / 01-reversing-cisco-ios-raw-binary-firmware-images-with-ghidra.md
Last active Jun 9, 2022
Reversing Cisco IOS Raw Binary Firmware Images with Ghidra
View 01-reversing-cisco-ios-raw-binary-firmware-images-with-ghidra.md

Reversing Raw Binary Firmware Files in Ghidra

This brief tutorial will show you how to go about analyzing a raw binary firmware image in Ghidra.

Prep work in Binwalk

I was recently interested in reversing some older Cisco IOS images. Those images come in the form of a single binary blob, without any sort of ELF, Mach-O, or PE header to describe the binary.

While I am using Cisco IOS Images in this example, the same process should apply to other Raw Binary Firmware Images.

@nstarke
nstarke / resize-ghidra-gui.md
Last active Jun 3, 2022
Resize Ghidra GUI for High DPI screens
View resize-ghidra-gui.md

Resize Ghidra for High DPI screens

If you run Ghidra on a high DPI screen, you will probably find the GUI scaled down so small as to be almost of no use.

There is a setting that you can adjust to scale the Ghidra GUI:

In $GHIDRA_ROOT/support there is a file named launch.properties. In this launch.properties file is the following configuration key:

VMARGS_LINUX=-Dsun.java2d.uiScale=1