Wednesday, September 8, 2010

Hacking (again)

So, I published an exploit for the nginx 0.6.38 and earlier heap corruption vulnerability. Apparently, some people were impressed enough with it that I got some really cool offers by mail (and some which seemed not so legitimate). I'm not able to act on the offers at this time (and believe me when I say, such a decision is freakin' tough); maybe someday in the future though.

I've gotta get back to hacking at sfuzz some more, but I can't seem to get myself excited about it. Or rather, there's a lot of mundane functionality that needs to be written (and rewritten) to get it to a state where I can add the cool stuff. Hopefully Ricky-Lee, and Vasu, will be able to help me get more excited about it. 0.6.3 should drop before the end of the year.

I just purchased a Tektronix 2236 multi-function scope, as well as an ARM DSO nano. Obviously, the Tektronix is for a bench unit, and the ARM DSO is for a portable hack-toy (and for $50 US, you can't go wrong).

I've been kindof itching to do some hardware hacking again. This time, I've cracked open a Samsung AIRAVE. The main ASIC/FPGA combo chip is labeled SBM1320, but it's really an Altera HC210. I have the data sheet on it, and maybe I'll post some pictures of the "guts" of the thing. Since I used to work on the Airvana femto (the AirHub or HubBub or whatever) I have some familiarity with the OTA stuff that's going on. Taking apart the shielded radio brought back some memories. I've found a number of i2c taps, and with the HC210 specs I should be able to locate the JTAG ports. I've got the Quantum II SDK, and hopefully I'll find all the assembler routines and write a small disassembler. From there, it'll be a long and arduous journey to complete control of the system. I haven't seen a TPM, but then again, I'm not an expert hardware hacker. Anyone who also has one of these and wants to void their warranty, let me know.

Oh - and beer. I'm thinking about getting a brew going in october for the december timeframe. Probably a stout. And probably a "Rock your face off" stout. Something dark, heavy, and warm for the winter.

1 comment:

cyrozap said...

I know this post is a year old, but I have recently purchased a Samsung Airave (for Sprint) and was interested in hacking it.

I found some posts ( that have more info on the serial port (disguised as an HDMI port) and other valuable info (GPS captures, serial boot captures, etc.).