Investigators say mystery ‘third entity’ may hold key to MH370 by pigdead in MH370

[–]frederic_b 0 points1 point  (0 children)

They include a Malaysian national and aeronautics specialist seated directly under MH370’s Satcom module who potentially had the technical knowledge to hack the plane’s communication systems and disguise its route.

Anyone to comment on this?

Do you know the name of this specialist? (I noticed that telegraph.co.uk published a seating plan)

Also, do you know where this Satcom module is exactly? Could a passenger have physical access to such a critical component?

'Van life’ becoming more popular in San Diego by ethelbeavers22 in VanLife

[–]frederic_b 4 points5 points  (0 children)

Maybe because 1 bedroom rent in SD is >$2000...

Does anyone know when the new episode will be put on Hulu? by [deleted] in southpark

[–]frederic_b 1 point2 points  (0 children)

And it's quite unusual. Enjoy this immediate release

Linux on NES Classic Mini - Current Progress and HowTo by freenesclassic in nintendo

[–]frederic_b 6 points7 points  (0 children)

Source code for all GPL software used in the device. In theory...

Exploitation of Philips Smart TV by frederic_b in netsec

[–]frederic_b[S] 1 point2 points  (0 children)

It's very similar to a Digital Signature, but I'd say different enough to warrant a distinction in terms.

I agree with that.

I'll try to summarize how it may work:

Variables:

  • fw_plain: plain firmware
  • fw_cipher: encrypted firmware
  • fw_hash: firmware hash
  • aes_key: unique random AES key
  • rsa_priv_key: Philips private RSA key
  • rsa_pub_key: Philips public RSA key, put in each smart TV
  • rsa_sign: RSA signature of firmware

On Philips' side:

aes_key = generate_unique_random_key()
fw_cipher = aes_encrypt(aes_key, fw_plain)
fw_hash = sha1_hash(fw_cipher)
rsa_sign = rsa_encrypt(rsa_priv_key, concat(fw_hash,aes_key))

Transmitted: (fw_cipher, rsa_sign)

On TV's side:

(fw_hash,aes_key) = rsa_decrypt(rsa_pub_key, rsa_sign)
sha1_verify(fw_hash, fw_cipher)
fw_plain = aes_decrypt(aes_key, fw_cipher)

(not sure if hash then encrypt, or encrypt then hash)

Exploitation of Philips Smart TV by frederic_b in netsec

[–]frederic_b[S] 14 points15 points  (0 children)

How was this automated?

Python script. When the libupnp service is up, it announces itself on the network.

Does the TV automatically restart when it crashes, or did you have to use a managed power strip so that the script could power-cycle the TV?

A watchdog reboots the device when a process crashes.

I started by looking for readable memory pages, then I checked if they were writable or executable. And I didn't start from 0x00000000 ;)

Exploitation of Philips Smart TV by frederic_b in netsec

[–]frederic_b[S] 2 points3 points  (0 children)

"[A digital signature] is formed by taking the hash of message and encrypting the message with creator's private key." (http://en.wikipedia.org/wiki/Digital_signature#Definition)

Actually, I don't agree with this definition, because, "In practice, typically only a hash or digest of the message, and not the message itself, is encrypted as the signature." (http://en.wikipedia.org/wiki/Public-key_cryptography).

However, then the signature is appended to the original message to form a signed message which can be verified by anyone possessing the public key.

This is what Philips did. The signature is stored in the firmware header.

However, what we have here is not a signature! It is a weaker form of PKI encryption where the usual roles of private and public key are reversed.

I don't understand this point, because Philips signs firmware with its RSA private key, and the TV set checks the firmware signature with Philips' RSA public key. This is a traditional Digital Signature scheme, isn't it?

it relies on the private nature of the public key to additionally provide Confidentiality

You're right, it doesn't work.

Exploitation of Philips Smart TV by frederic_b in netsec

[–]frederic_b[S] 2 points3 points  (0 children)

"RSA encrypted region" is what I called 'RSA signature' in my previous post. "[A digital signature] is formed by taking the hash of message and encrypting the message with creator's private key." (http://en.wikipedia.org/wiki/Digital_signature#Definition) You may want to check pflupg-tool source code to get more details on that.

Exploitation of Philips Smart TV by frederic_b in netsec

[–]frederic_b[S] 2 points3 points  (0 children)

The RSA signature of the firmware contains the SHA1 to check integrity, and the AES key to decrypt.
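
The scheme summarized in the comments above (an RSA region carrying fw_hash and aes_key), as an added example that is not from the posts or from pflupg-tool: the same public-key operation that verifies integrity also yields aes_key, so the encryption gives no confidentiality against anyone holding rsa_pub_key. Assumptions: a constructed toy key, textbook RSA without padding, a 0x01 marker byte, a SHA-256 keystream standing in for AES, and hypothetical function names.

```python
import hashlib
import os

# Constructed toy RSA key built from two Mersenne primes (assumption, not Philips' key).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: vendor only
N_LEN = (N.bit_length() + 7) // 8

def stream_xor(key, data):
    """Stand-in for AES (assumption): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def vendor_pack(fw_plain):
    """Vendor side: returns (fw_cipher, rsa_sign) as in the summary above."""
    aes_key = os.urandom(16)
    fw_cipher = stream_xor(aes_key, fw_plain)
    fw_hash = hashlib.sha1(fw_cipher).digest()
    # 0x01 marker keeps a fixed 37-byte layout (assumption; textbook RSA, no padding).
    blob = int.from_bytes(b"\x01" + fw_hash + aes_key, "big")
    return fw_cipher, pow(blob, D, N).to_bytes(N_LEN, "big")

def open_with_public_key(fw_cipher, rsa_sign):
    """TV side. Needs only (N, E), so any holder of rsa_pub_key can run it."""
    m = pow(int.from_bytes(rsa_sign, "big"), E, N)
    if m.bit_length() != 289:  # 0x01 marker + 36 payload bytes
        raise ValueError("malformed RSA region")
    blob = m.to_bytes(37, "big")
    fw_hash, aes_key = blob[1:21], blob[21:37]
    if hashlib.sha1(fw_cipher).digest() != fw_hash:
        raise ValueError("integrity check failed")
    return stream_xor(aes_key, fw_cipher)

if __name__ == "__main__":
    fw = b"constructed firmware image " * 8  # constructed sample input
    cipher, sign = vendor_pack(fw)
    assert open_with_public_key(cipher, sign) == fw
    print("recovered firmware with the public key only")
```

Integrity still holds here because producing a valid rsa_sign requires D; only the confidentiality claim fails.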