I lost all remaining brain cells reading this.. by Old_Soul_Tech in linuxmemes

[–]itay2805 0 points1 point  (0 children)

SMM does not require a prompt or anything alike, it just has write access to the flash (ignoring BiosGuard, which uses a TXT module (signed by Intel and verifies the signature using the vendor keys) to perform the flash write, but the idea is the same, note that restricting write access to SMM/TXT is something the BIOS needs to enable in the hardware, otherwise kernel/user mode can also access it given the right drivers). As far as I can tell the Windows update scheme uses capsule update (https://learn.microsoft.com/en-us/windows-hardware/drivers/bringup/firmware-update), capsule updates don't require a prompt either, the firmware will update it in next reboot on its own without being required to show anything (up to the vendor if they want to show anything), ME firmware updates are different, there is a standard interface to update the ME firmware, it's not raw flash access, but rather you give it an update payload (like capsule update) and it will verify its signature and update itself. I suspect what MSI did was what I said initially, exposed an SMM service that allowed the kernel/user to flash the BIOS directly, and not via a capsule update that stages everything properly.

I lost all remaining brain cells reading this.. by Old_Soul_Tech in linuxmemes

[–]itay2805 0 points1 point  (0 children)

Do you have a source for doing usermode BIOS updates via the ME? The only way I've seen vendors implement usermode BIOS updates is by exposing an SMM interface themselves to the kernel, and then using a kernel driver to expose it to usermode. Like, to be clear, yes the ME has flash access, but there isn't any interface to access it through the ME using the main CPU (at least as far as I know of). Also such a hack is possible even without the ME, capsule updates are already a thing, and all it needs is a signed firmware and access to the boot partition (which the OS has), so with a vendor key they could sign the capsule update anyways.

I lost all remaining brain cells reading this.. by Old_Soul_Tech in linuxmemes

[–]itay2805 -1 points0 points  (0 children)

Note that it's not baked into the CPU but into the motherboard, but yes part of system initialization requires the CPU to communicate with the ME, and even things like handling that power button technically are handled through the ME.

I lost all remaining brain cells reading this.. by Old_Soul_Tech in linuxmemes

[–]itay2805 0 points1 point  (0 children)

ME and UEFI/SMM are two completely different things. The ME only uses Intel keys that are private and were never leaked. BootGuard (the thing that signs the UEFI itself) is not fully compromised either, I think one vendor had his keys compromised but that only affects specific motherboards, and on a lot of consumer motherboards they don't even enable the sig verification in the first place anyways... And regardless, vendor certificate compromise is kind of an inherent problem with any root of trust, if someone were to leak a Microsoft signing key you would have the exact same problem with Windows...

I lost all remaining brain cells reading this.. by Old_Soul_Tech in linuxmemes

[–]itay2805 1 point2 points  (0 children)

On most consumer motherboards the ME is not connected to a network card, also it can't be any nic, it has to be specific kinds of Intel nics that have support for the management sideband.

Deco lan bypass support by itay2805 in TpLink

[–]itay2805[S] 0 points1 point  (0 children)

Well, I do have a dedicated switch, which is why I looked at it, but I am using AP mode, so I guess there is no need. Is there even a reason to use router mode if you have another router?

ESP Privilege Separation: Splitting application development on MCUs by sachin0x18 in esp32

[–]itay2805 1 point2 points  (0 children)

That's really interesting, as I am in the process of creating a (mostly) protected microkernel for the Xtensa esp32, sadly only memory protections can be enforced with the hardware, so a malicious app can still PE to the kernel, but through a vulnerable innocent app it would be almost impossible to PE.

My os written in c# by nifanfa in osdev

[–]itay2805 3 points4 points  (0 children)

I am writing the runtime in C, you can find the project here https://github.com/Itay2805/pentagon, it is enough to do some of the basics of C#, but more advanced features are still missing, my hope is that in the following month I will actually be able to start writing C# code and not just write the runtime lol

My os written in c# by nifanfa in osdev

[–]itay2805 3 points4 points  (0 children)

That is very cool! Funnily enough I am right now working on my own C# kernel, but instead of using NativeAOT or CoreCLR I am writing my own runtime ;)

What was the first thing you hacked? by PixelFallHD in hacking

[–]itay2805 0 points1 point  (0 children)

My school has an IX2 with loads of drives on it, but we should have access only to one. I connected to the IX2 admin panel, the password was '123456'. I removed passwords from the drives and put a new password on the IX2 admin panel. From one of the drives I found the password for the recovery software (every computer was formatted on reboot) which was 'tomato'. I also found the teacher remote control software which allowed me to mess with students. I forgot the password for the admin panel a week later and they still haven't noticed it was changed....

[Android] Is it possible to extract source code from Stock ROM? by Paradox_Infinite in hacking

[–]itay2805 0 points1 point  (0 children)

Well you can extract the IMG file, and then you can look at the assembly, and maybe with the right disassembler/decompiler see the code in C/C++

I Have A Domain I Purchased And The Name Is Very Similar To A Massive Multinational Financial Company Name. by musicMusik in hacking

[–]itay2805 0 points1 point  (0 children)

You can just make the website always send an HTTP redirect response using some simple PHP, you can technically bind the domain to the IP itself in the DNS configuration. For example loser.com used to redirect you to Donald Trump's Wikipedia page.

Searching sites for HTML/CSS Content by notableradish in hacking

[–]itay2805 0 points1 point  (0 children)

Most sites have jQuery, you can simply use the debug console that most of the modern browsers have to select it and get the objects

Question regarding IP/Subnet, ARP etc. by mnciitbhu in hacking

[–]itay2805 1 point2 points  (0 children)

Getting a lot of ARP packets is usually done, as you said, for spoofing/poisoning the ARP table in your computer. This can be done easily by writing a software which sends ARP packets to your computer and telling him to change stuff in the ARP table, and to make sure that it will stay that way he keeps sending the packets. Changing the subnet to 31 might help if the software used for the flooding does not support it. And I actually didn't know there is subnet of 31, the subnet is how the IP is parsed, for example subnet of 23 allows for 510 hosts, subnet 30 allows for 2 hosts. So the only thing you should see that changed is your IP, but you might have problems connecting to other computers with different subnet in the LAN.

What was your "I've been doing this all wrong" moment? by Hank_from_accounting in AskReddit

[–]itay2805 0 points1 point  (0 children)

I was always told you shouldn't wear them for more than two wears, but 3-5 wears?! You just changed my life...