Friday, September 10, 2010

AMAZING new-technology, 30 years old!

So, I just got the Tektronix 2236 Oscilloscope. Within 30 minutes, I've now got a pretty decent understanding of how to get what I'm looking for (at least for the Sprint AIRAVE project). That's mostly thanks to the amazing tutorials available online; I'm really very grateful for all of the advice that people have posted. I'm able to trace circuits, and will hopefully find the JTAG lines off this chip soon. Once I find those, soldering in the actual trace pins to attach a JTAG emulator will be tricky. I might have to ask one of the technicians at work to do some quick "freelance" soldering work.

I'm also pretty amazed at a lot of the malware out there now. I started a debug session on some of the 0-day Adobe stuff that's floating around the internet (you can check out the Sep. 8th Metasploit blog post for more info) and was pretty impressed with all of the guards and techniques the system uses. I actually wasn't able to get it to run at all. I tried the !hidedebug All_... commands right after starting the process in ImmunityDebugger, but I must not understand it well enough. I'll have to read up more on that when I get some time. Otherwise, I'm stuck trying to decipher the asm.

Work has asked me to scope out the effort required to port Valgrind to the Octeon Cavium family of processors. I think it should be quite a bit of time, since there's a lot of architecture configuration going on. Perhaps not, though. I've gone through some of the other architectures already built into Valgrind (x86-linux, x64-linux, ppc-linux), so I think it's a lot of "grunt" work; oh well, better than not getting paid.

I'm pumped about this Tektronix unit though. I'll be playing with it some more later tonight. I'm brewing tomorrow, so I won't get very far on the AIRAVE decode, but... meh. I'm not in a super huge rush.

Wednesday, September 8, 2010

Hacking (again)

So, I published an exploit for the nginx 0.6.38 and earlier heap corruption vulnerability. Apparently, some people were impressed enough with it that I got some really cool offers by mail (and some which seemed not so legitimate). I'm not able to act on the offers at this time (and believe me when I say, such a decision is freakin' tough); maybe someday in the future though.

I've gotta get back to hacking at sfuzz some more, but I can't seem to get myself excited about it. Or rather, there's a lot of mundane functionality that needs to be written (and rewritten) to get it to a state where I can add the cool stuff. Hopefully Ricky-Lee and Vasu will be able to help me get more excited about it. 0.6.3 should drop before the end of the year.

I just purchased a Tektronix 2236 multi-function scope, as well as an ARM DSO nano. Obviously, the Tektronix is for a bench unit, and the ARM DSO is for a portable hack-toy (and for $50 US, you can't go wrong).

I've been kind of itching to do some hardware hacking again. This time, I've cracked open a Samsung AIRAVE. The main ASIC/FPGA combo chip is labeled SBM1320, but it's really an Altera HC210. I have the data sheet on it, and maybe I'll post some pictures of the "guts" of the thing. Since I used to work on the Airvana femto (the AirHub or HubBub or whatever) I have some familiarity with the OTA stuff that's going on. Taking apart the shielded radio brought back some memories. I've found a number of I2C taps, and with the HC210 specs I should be able to locate the JTAG ports. I've got the Quantum II SDK, and hopefully I'll find all the assembler routines and write a small disassembler. From there, it'll be a long and arduous journey to complete control of the system. I haven't seen a TPM, but then again, I'm not an expert hardware hacker. Anyone who also has one of these and wants to void their warranty, let me know.

Oh, and beer. I'm thinking about getting a brew going in October for the December timeframe. Probably a stout. And probably a "Rock your face off" stout. Something dark, heavy, and warm for the winter.