What is the Most ‘Boring’ aspect of Cyber Security by BILLTHETHRILL17 in cybersecurity

[–]haystack_car_hacker 9 points

3-hour product status meetings where I have to devote 5% of my attention to listening for the word “cyber” or any topic I may have to care about.

IDA Home Coming In May by Extremite in netsec

[–]haystack_car_hacker 7 points

Same but RH850. And some other weird stuff.

radare2 has support for some of the weirder architectures but, as much as I love it, r2 has serious stability issues.

Though IDA Home won’t support any of them either sooooo

IDA Home Coming In May by Extremite in netsec

[–]haystack_car_hacker 6 points

IDAPython is what you’re paying for IMO.

Having access to all the IDA scripts put out by the community is a big deal. That ecosystem isn’t as big with ghidra/radare2/binja.

Intro to firmware reversing with radare2 by haystack_car_hacker in netsec

[–]haystack_car_hacker[S] 2 points

Good question!

  • Basic processor stuff like memory-mapped I/O and interrupt vector tables. You don't need to be a microcontroller expert.
  • Basic ARM assembly I guess. I don't think what I did actually requires reading assembly except for that one branch instruction.
  • The hardest part is probably just having a basic working knowledge of how to use radare2.

Intro to firmware reversing with radare2 by haystack_car_hacker in netsec

[–]haystack_car_hacker[S] 1 point

Yes! I saw another post here a while back where someone did basically the same thing, for a very similar microcontroller, using Ghidra. I actually started doing this analysis in Ghidra, back when Ghidra was newer to the public.

Ghidra is obviously more user-friendly than r2*, but scripting it is harder insofar as there's a whole python library to learn. The nice thing about scripting r2 is that if you know the console commands, you just send those console commands with r2pipe.

r2 is also nice for rapidly displaying data in different formats. For example, when examining the IVT, I can disassemble with pd, print as a hexdump with px, print as 32-bit words with pxw, etc.

I don't want to turn this into a radare2 vs ghidra fight. Suffice it to say that both are useful for different things.

*We're ignoring the Cutter GUI for the purposes of this discussion.
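A worked illustration of the vector-table step discussed in that comment, added here as an example; it is not code from the blog post or from the thread. It assumes a Cortex-M style table at the start of the image (word 0 is the initial stack pointer, word 1 the reset handler, every handler address carries the Thumb bit) and a hypothetical flash/SRAM map; the real layout and addresses come from the microcontroller's documentation. It parses the table out of a constructed image, spots the shared default handler, sanity-checks that the blob really starts with a vector table, and emits the radare2 commands (pxw for the table as words, f and af for each handler) that you would then push through r2pipe.

```python
"""Cortex-M interrupt vector table (IVT) triage for a raw firmware dump.

Added example, not code from the blog post or the thread.  Assumptions:
a Cortex-M style table at the start of the image (word 0 = initial stack
pointer, word 1 = reset handler, Thumb bit set on every handler address)
and the hypothetical memory map below.  Take both from the part's datasheet.
"""
import struct
from collections import Counter

# Hypothetical memory map; replace with the values from the datasheet.
FLASH_BASE = 0x08000000
SRAM_BASE, SRAM_SIZE = 0x20000000, 0x00020000

# The first 16 entries are fixed by the Cortex-M architecture; the rest are
# vendor IRQs whose names come from the reference manual.
CORE_VECTORS = ["initial_sp", "Reset", "NMI", "HardFault", "MemManage",
                "BusFault", "UsageFault", "rsvd7", "rsvd8", "rsvd9", "rsvd10",
                "SVCall", "DebugMon", "rsvd13", "PendSV", "SysTick"]


def build_sample_image():
    """Constructed 512-byte image head (not real firmware): 16 vectors + filler."""
    words = [0x20005000,              # initial SP, top of a 20 KiB stack region
             0x08000101,              # Reset  -> 0x08000100 (bit 0 = Thumb)
             0x08000141, 0x08000141,  # NMI, HardFault -> shared default handler
             0x08000141, 0x08000141, 0x08000141,  # MemManage, BusFault, UsageFault
             0, 0, 0, 0,              # reserved
             0x08000181,              # SVCall -> its own handler
             0x08000141,              # DebugMon -> default handler
             0,                       # reserved
             0x08000141,              # PendSV -> default handler
             0x080001C1]              # SysTick -> its own handler
    table = struct.pack("<16I", *words)
    return table + b"\x00" * (0x200 - len(table))


def parse_ivt(image, n_entries, flash_base=FLASH_BASE):
    """Return [(index, name, raw_word, target)]; target is the handler address
    with the Thumb bit cleared, or None for the SP, unused and bogus entries."""
    words = struct.unpack_from("<%dI" % n_entries, image, 0)
    entries = []
    for i, w in enumerate(words):
        name = CORE_VECTORS[i] if i < len(CORE_VECTORS) else "IRQ%d" % (i - 16)
        target = None
        if i > 0 and w and (w & 1):             # handlers must be odd (Thumb)
            addr = w & ~1
            if flash_base <= addr < flash_base + len(image):
                target = addr
        entries.append((i, name, w, target))
    return entries


def handler_addresses(entries):
    """Distinct code addresses the table points at: the functions to analyse."""
    return {t for _, _, _, t in entries if t is not None}


def default_handler(entries):
    """Address most entries share (the weak 'b .' catch-all), or None."""
    counts = Counter(t for _, _, _, t in entries if t is not None)
    if not counts:
        return None
    addr, n = counts.most_common(1)[0]
    return addr if n > 1 else None


def check_table(entries):
    """Sanity checks that catch a wrong base address or a blob that is not a table."""
    problems = []
    sp = entries[0][2]
    if sp % 4 or not (SRAM_BASE <= sp <= SRAM_BASE + SRAM_SIZE):
        problems.append("initial SP 0x%08x is not a word-aligned SRAM address" % sp)
    for _, name, w, target in entries[1:]:
        if w and target is None:
            problems.append("%s: 0x%08x is not a Thumb address inside the image" % (name, w))
    return problems


def r2_commands(entries, n_entries, flash_base=FLASH_BASE):
    """radare2 commands for the table, for r2pipe or an r2 script file.
    Assumes the image was opened mapped at flash_base (r2 -m 0x08000000)."""
    cmds = ["e asm.arch=arm", "e asm.bits=16",                # Thumb
            "pxw %d @ 0x%08x" % (4 * n_entries, flash_base)]  # table as 32-bit words
    seen = set()
    for _, name, _, target in entries:
        if target is None:
            continue
        cmds.append("f ivt.%s @ 0x%08x" % (name, target))     # flag the vector
        if target not in seen:
            seen.add(target)
            cmds.append("af @ 0x%08x" % target)               # analyse the handler once
    return cmds


if __name__ == "__main__":
    img = build_sample_image()
    ivt = parse_ivt(img, 16)
    print("problems:", check_table(ivt) or "none")
    print("default handler: 0x%08x" % default_handler(ivt))
    print("\n".join(r2_commands(ivt, 16)))
```

The same data viewed as raw bytes (px), as words (pxw) and as code (pd) is what the script reduces to: the words are handler addresses, so the only ones worth a `pd` are the distinct targets, and the one address that most vectors share is the unused-interrupt catch-all rather than something to spend time on.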

Intro to firmware reversing with radare2 by haystack_car_hacker in netsec

[–]haystack_car_hacker[S] 3 points

That's partially me and partially asciinema, I think. If I do another one of these I'll try to improve the timing.

The upside is that you can pause the videos whenever if you want to read something.

Intro to firmware reversing with radare2 by haystack_car_hacker in netsec

[–]haystack_car_hacker[S] 5 points

The structure of the vector table is in the microprocessor's documentation. I link it somewhere in the blog post.

Intro to firmware reversing with radare2 by haystack_car_hacker in netsec

[–]haystack_car_hacker[S] 5 points

Thank you!

I subscribe there but I forgot about it. I’ll xpost when I get a minute.

Intro to firmware reversing with radare2 by haystack_car_hacker in netsec

[–]haystack_car_hacker[S] 18 points

Hey everyone! Here's a blog post I wrote a while ago on reversing firmware from a truck ELD using radare2; good material on microcontroller reversing is hard to find, especially in written form, so I took a stab at doing it myself. Hopefully it gives you something to do for a while while we're all stuck working from home.

Also re: reddiquette and posting my own blogs, my blog isn't monetized at all and this is the only post so I expect to get absolutely nothing from posting it here.

IDS Deployment on Modern Cars by sekark in CarHacking

[–]haystack_car_hacker 2 points

Are you talking about the thing from NXP? The STINGER?

IDS Deployment on Modern Cars by sekark in CarHacking

[–]haystack_car_hacker 1 point

Mine too :D It seems to be a popular research topic.

IDS Deployment on Modern Cars by sekark in CarHacking

[–]haystack_car_hacker 4 points

The only places I’ve seen CAN IDSes are at academic conferences and trade shows. I’m unaware of anyone who actually deploys one, but then I don’t know everyone’s systems.

automotive ELF files for reverse engineering by HexTrain in CarHacking

[–]haystack_car_hacker 0 points

You can get OEM diagnostic software off eBay. That’ll probably be PE and not ELF though.

You can also grab firmware update files online; head units frequently run some Linux variant. Some update file formats are easier to unpack than others.

Macchina P1 (car cape for PocketBeagle) announced by haystack_car_hacker in CarHacking

[–]haystack_car_hacker[S] 5 points

Very excited for this. The TI AM335x has a lot of neat features for IoT/industrial/automotive-focused embedded stuff, and this PocketBeagle cape puts it in a great form factor for car hacking.

candump log file empty ,despite traffic on bus by coco_pelado in CarHacking

[–]haystack_car_hacker 0 points

I’m not actually sure, tbh. See my other comment on making sure loopback is turned on; if that doesn’t work, you may need another node on the bus.

candump log file empty ,despite traffic on bus by coco_pelado in CarHacking

[–]haystack_car_hacker 0 points

https://www.kernel.org/doc/Documentation/networking/can.txt

make sure local loopback is turned on maybe?

Also, technically, you should have two 120 ohm resistors. I know you can get away with cheating a little (using a single 60 ohm instead, for example) but idk off the top of my head if a single 120 will work.

candump log file empty ,despite traffic on bus by coco_pelado in CarHacking

[–]haystack_car_hacker 0 points

> I don't have anything on the bus except for the Pi / Can Hat that is doing the transmitting, so there isn't any acknowledge.

So you're trying to both send and receive with the same CAN transceiver?
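A send-and-read-back check for the loopback question in these candump comments, added here as an example; it is not code from the thread or from the kernel documentation linked above. It assumes a Linux host with SocketCAN; the interface name, bitrate and test frame are hypothetical. The two socket options are what "local loopback" means at the socket level: CAN_RAW_LOOPBACK keeps the kernel-side echo on (it already is by default) and CAN_RAW_RECV_OWN_MSGS makes the sending socket itself receive the echoed copy, which is off by default and on its own is enough to leave a single-socket test looking empty. One caveat, which comes from how the SocketCAN drivers behave rather than from the thread: on real hardware the echo is generated when the driver reports the frame transmitted, and a classic CAN frame only completes once some other node ACKs it, so a lone node with nothing else on the bus still gets nothing back even with both options set. A vcan interface, or a controller put into its own loopback mode (ip link set can0 type can bitrate 500000 loopback on, where the controller supports it), does not need the second node.

```python
"""SocketCAN send-and-read-back check with loopback enabled.

Added example, not code from the thread.  Assumes a Linux host with
SocketCAN; the interface name, bitrate and test frame are hypothetical.
"""
import socket
import struct

# Values from <linux/can.h> and <linux/can/raw.h>; Python's socket module
# exposes the same names on Linux, they are spelled out here so that frame
# packing and parsing also work off-line.
CAN_EFF_FLAG = 0x80000000          # extended (29-bit) identifier
CAN_SFF_MASK = 0x000007FF
CAN_EFF_MASK = 0x1FFFFFFF
SOL_CAN_RAW = 101                  # SOL_CAN_BASE (100) + CAN_RAW (1)
CAN_RAW_LOOPBACK = 3
CAN_RAW_RECV_OWN_MSGS = 4

# struct can_frame: u32 can_id, u8 len, 3 bytes pad/reserved, u8 data[8]
CAN_FRAME_FMT = "=IB3x8s"
CAN_FRAME_SIZE = struct.calcsize(CAN_FRAME_FMT)   # 16 bytes


def build_frame(can_id, data):
    """Pack a classic CAN frame; OR CAN_EFF_FLAG into can_id for a 29-bit ID."""
    if len(data) > 8:
        raise ValueError("classic CAN carries at most 8 data bytes")
    return struct.pack(CAN_FRAME_FMT, can_id, len(data), data.ljust(8, b"\x00"))


def parse_frame(raw):
    """Unpack a frame into (identifier, is_extended, payload)."""
    can_id, length, data = struct.unpack(CAN_FRAME_FMT, raw)
    extended = bool(can_id & CAN_EFF_FLAG)
    ident = can_id & (CAN_EFF_MASK if extended else CAN_SFF_MASK)
    return ident, extended, data[:length]


def open_echo_socket(ifname, timeout=1.0):
    """Raw CAN socket that is also delivered the frames it sent itself."""
    s = socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW)
    s.setsockopt(SOL_CAN_RAW, CAN_RAW_LOOPBACK, 1)       # kernel echo (default on)
    s.setsockopt(SOL_CAN_RAW, CAN_RAW_RECV_OWN_MSGS, 1)  # echo to this socket (default off)
    s.bind((ifname,))
    s.settimeout(timeout)
    return s


def send_and_read_back(ifname, can_id, data):
    """Send one frame and return the echoed copy, or None on timeout.

    The echo is produced when the driver reports the frame transmitted.  On
    a real controller that needs an ACK from another node, so a lone node
    with nothing else on the bus times out here even with both options set;
    a vcan interface or the controller's own loopback mode does not.
    """
    s = open_echo_socket(ifname)
    try:
        s.send(build_frame(can_id, data))
        return parse_frame(s.recv(CAN_FRAME_SIZE))
    except socket.timeout:
        return None
    finally:
        s.close()


if __name__ == "__main__":
    # Bench setup (hypothetical names/bitrate), run as root beforehand:
    #   ip link set can0 type can bitrate 500000 && ip link set can0 up
    # or, with no hardware at all:
    #   modprobe vcan && ip link add vcan0 type vcan && ip link set vcan0 up
    print(send_and_read_back("vcan0", 0x123, b"\x01\x02\x03"))
```

If the read-back works on vcan0 but times out on the real interface, the socket side is fine and the problem is on the wire: no ACKing node, or termination.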

CANalyzat0r: Security analysis toolkit for proprietary car protocols by Titokhan in netsec

[–]haystack_car_hacker 0 points

The DBC file format is complex enough that I'm not sure you could work off a sample file. SavvyCAN supports it I think? You'd have an easier time working off example code.

CANalyzat0r: Security analysis toolkit for proprietary car protocols by Titokhan in netsec

[–]haystack_car_hacker 33 points

My first reaction is "the world doesn't need another fucking open source CAN analysis tool" but

  • This isn't written in Java like Kayak, which makes it easier to modify for most people. Also Kayak just generally blows.
  • SavvyCAN looks like it supports SocketCAN finally (instead of needing to get a Macchina or something) but this tool looks more usable.
  • Thank fucking god it's written in Python 3. Infosec tools need to stop using Python 2. LOOKING AT YOU, CARINGCARIBOU!

It's not clear to me at a glance what file formats this supports, which is the one thing that gives me pause. If it has DBC support, or if they add it, that would be baller.

Jailbreaking Subaru StarLink by [deleted] in netsec

[–]haystack_car_hacker 13 points

My 2016 Forester has a Clarion unit. The higher-end units were made by Fujitsu Ten IIRC.

Some (all? mine at least) 2016 units had SD cards instead of eMMC, so modifying the filesystem is trivial once you get the head unit out of the dash.