<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Black-Hat on Colin O'Flynn</title><link>https://colinoflynn.com/tag/black-hat/</link><description>Recent content in Black-Hat on Colin O'Flynn</description><generator>Hugo</generator><language>en-ca</language><lastBuildDate>Sat, 18 Feb 2023 02:07:09 +0000</lastBuildDate><atom:link href="https://colinoflynn.com/tag/black-hat/index.xml" rel="self" type="application/rss+xml"/><item><title>Breaking Electronic Door Locks Like You're on CSI: Cyber - Black Hat 2017 Talk</title><link>https://colinoflynn.com/2017/07/breaking-electronic-door-locks-like-youre-on-csi-cyber-black-hat-2017-talk/</link><pubDate>Wed, 26 Jul 2017 02:00:55 +0000</pubDate><guid>https://colinoflynn.com/2017/07/breaking-electronic-door-locks-like-youre-on-csi-cyber-black-hat-2017-talk/</guid><description>&lt;p&gt;This year at Black Hat I&amp;rsquo;m presenting some short work on breaking electronic door locks. This talk focuses on one particular residential door lock. There was a bit of a flaw in the design, where the front panel/keypad can be removed from the outside.
Once the keypad is off, you have access to a connector that goes into the rear side of the device. You can then make a cool &amp;ldquo;brute force&amp;rdquo; board, which was basically the point of this presentation. Finally you can have something that looks like your movie electronic lock hacking mechanism, completed with 7-segment LED displays:
&lt;a href="https://colinoflynn.com/wp-content/uploads/2017/07/lockbreak.png"&gt;&lt;img src="https://colinoflynn.com/wp-content/uploads/2017/07/lockbreak-294x300.png" alt=""&gt;&lt;/a&gt;
This little device does the following:&lt;/p&gt;</description></item><item><title>Philips Hue - R.E. Whitepaper from Black Hat 2016</title><link>https://colinoflynn.com/2016/08/philips-hue-r-e-whitepaper-from-black-hat-2016/</link><pubDate>Thu, 04 Aug 2016 14:37:33 +0000</pubDate><guid>https://colinoflynn.com/2016/08/philips-hue-r-e-whitepaper-from-black-hat-2016/</guid><description>&lt;p&gt;At Black Hat 2016 I presented on some reverse engineering of the Philips Hue (also see &lt;a href="https://colinoflynn.com/2016/07/getting-root-on-philips-hue-bridge-2-0/"&gt;my other post about getting root on it&lt;/a&gt;, which was part of that presentation).&lt;/p&gt;
&lt;p&gt;If you were at the talk, you would have also seen mention that you'll want to keep your eyes out for future publications by Eyal Ronen. You can see &lt;a href="http://www.wisdom.weizmann.ac.il/~eyalro/"&gt;his website for more research related to the Hue &lt;/a&gt;as well, and follow him on twitter @eyalr0. He's been doing some work in parallel that I think will do more than just R.E. the bulbs (as I did), and actually bring some of my `possible' attacks to become real proof-of-concepts.&lt;/p&gt;</description></item><item><title>Black Hat Slides - PIN-Protected HD Enclosure / MB86C311A Research</title><link>https://colinoflynn.com/2016/08/black-hat-slides-pin-protected-hd-enclosure-mb86c311a-research/</link><pubDate>Thu, 04 Aug 2016 14:30:07 +0000</pubDate><guid>https://colinoflynn.com/2016/08/black-hat-slides-pin-protected-hd-enclosure-mb86c311a-research/</guid><description>&lt;p&gt;This is a quick post to link to slides from my Black Hat USA 2016 work.
This work stands directly on the work done by Joffrey Czarny &amp;amp; Raphaël Rigo presented at HardWear.io last year (2015). They discovered the issues w.r.t. the stream-mode cipher being used by all manufactures on the MB86C311A, and the fact that secrets are stored on the HD itself. Their work is available at:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.sstic.org/media/SSTIC2015/SSTIC-actes/hardware_re_for_software_reversers/SSTIC2015-Article-hardware_re_for_software_reversers-czarny_rigo.pdf"&gt;Whitepaper by Czarny &amp;amp; Rigo&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://hardwear.io/wp-content/uploads/2015/10/Slide-hardware_re_for_software_reversers-By-Czarny-Rigo.pdf"&gt;Presentation slides by Czarny &amp;amp; Rigo&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;They have some newer work coming out which looks to be &lt;em&gt;very&lt;/em&gt; interesting, so please keep your eyes out for that. Anyway onto my stuff. The following is a link to my slides:
&lt;a href="https://colinoflynn.com/wp-content/uploads/2016/08/Brute-Forcing-Lockdown-Harddrive-PIN-Codes.pdf"&gt;Brute-Forcing Lockdown Harddrive PIN Codes [Slides]&lt;/a&gt;&lt;/p&gt;</description></item><item><title>Getting Root on Philips Hue Bridge 2.0</title><link>https://colinoflynn.com/2016/07/getting-root-on-philips-hue-bridge-2-0/</link><pubDate>Tue, 12 Jul 2016 16:00:00 +0000</pubDate><guid>https://colinoflynn.com/2016/07/getting-root-on-philips-hue-bridge-2-0/</guid><description>&lt;p&gt;This post will briefly show you how to get a root console on the new Philips Hue Bridges (the square ones). It's rather easy, the only special tools you require are a USB-Serial cable &amp;amp; a torx screwdriver.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://colinoflynn.com/wp-content/uploads/2016/07/P1080978.jpg"&gt;&lt;img class="alignnone size-medium wp-image-711" src="https://colinoflynn.com/wp-content/uploads/2016/07/P1080978-300x240.jpg" alt="P1080978" width="300" height="240"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;There's a video with full details, this post is just the specifics if you don't want a very boring walk-through:&lt;/p&gt;
&lt;div class="embed embed--video"&gt;&lt;iframe src="https://www.youtube-nocookie.com/embed/hi2D2MnwiGM" title="YouTube video" loading="lazy" allowfullscreen frameborder="0"&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;ol&gt;
 	&lt;li&gt;For the serial cable (a standard 3.3V type one, DO NOT use a 5V cable), there is a 6-pin header along the bottom. Pin '1' has a square footprint, and counting from pin 1 the connections are:
&lt;pre&gt;Pin 1 = GND
Pin 4 = RX In (connect to TX Out of your serial cable)
Pin 5 = TX Out (connect to RX in of your serial cable).&lt;/pre&gt;
&lt;a href="https://colinoflynn.com/wp-content/uploads/2016/07/P1080980.jpg"&gt;&lt;img class="alignnone size-medium wp-image-709" src="https://colinoflynn.com/wp-content/uploads/2016/07/P1080980-259x300.jpg" alt="P1080980" width="259" height="300"&gt;&lt;/a&gt;&lt;/li&gt;
 	&lt;li&gt;The bottom left-corner of the 2-row header is GND. You'll have to short that with a wire to the following test point:
&lt;figure&gt;&lt;a href="https://colinoflynn.com/wp-content/uploads/2016/07/P1080981.jpg"&gt;&lt;img class="wp-image-708 size-medium" src="https://colinoflynn.com/wp-content/uploads/2016/07/P1080981-300x261.jpg" alt="P1080981" width="300" height="261"&gt;&lt;/a&gt;&lt;figcaption&gt;This test-point is shorted to GND with a paper-clip or wire. Click image for full-sized to see in better detail.&lt;/figcaption&gt;&lt;/figure&gt;&lt;/li&gt;
 	&lt;li&gt;To get the system working, check you are getting boot messages. Now, restart the system and after you get a bit of output, short the pin. You might see some output like this:
&lt;pre&gt;U-Boot 1.1.4 (Sep&amp;nbsp; 8 2015 - 04:08:21)
&lt;p&gt;bsb002 - Honey Bee 2.0DRAM: &amp;nbsp;&lt;br /&gt;
sri&lt;br /&gt;
Honey Bee 2.0&lt;br /&gt;
ath_ddr_initial_config(195): (16bit) ddr2 init&lt;br /&gt;
tap = 0x00000003&lt;br /&gt;
Tap (low, high) = (0x8, 0x22)&lt;br /&gt;
Tap values = (0x15, 0x15, 0x15, 0x15)&lt;br /&gt;
64 MB&lt;br /&gt;
Top of RAM usable for U-Boot at: 84000000&lt;br /&gt;
Reserving 214k for U-Boot at: 83fc8000&lt;br /&gt;
Reserving 192k for malloc() at: 83f98000&lt;br /&gt;
Reserving 44 Bytes for Board Info at: 83f97fd4&lt;br /&gt;
Reserving 36 Bytes for Global Data at: 83f97fb0&lt;br /&gt;
Reserving 128k for boot params() at: 83f77fb0&lt;br /&gt;
Stack Pointer at: 83f77f98&lt;br /&gt;
Now running in RAM - U-Boot at: 83fc8000&lt;br /&gt;
Flash Manuf Id 0xc8, DeviceId0 0x40, DeviceId1 0x13&lt;br /&gt;
flash size 0MB, sector count = 8&lt;br /&gt;
Flash: 512 kB&lt;br /&gt;
*** Warning *** : PCIe WLAN Module not found !!!&lt;br /&gt;
In:&amp;nbsp;&amp;nbsp;&amp;nbsp; serial&lt;br /&gt;
Out:&amp;nbsp;&amp;nbsp; serial&lt;br /&gt;
Err:&amp;nbsp;&amp;nbsp; serial&lt;br /&gt;
Net:&amp;nbsp;&amp;nbsp; ath_gmac_enet_initialize...&lt;br /&gt;
Fetching MAC Address from 0x83febe80&lt;br /&gt;
Fetching MAC Address from 0x83febe80&lt;br /&gt;
ath_gmac_enet_initialize: reset mask:c02200 &lt;br /&gt;
Scorpion ----&amp;gt;S27 PHY*&lt;br /&gt;
S27 reg init&lt;br /&gt;
: cfg1 0x800c0000 cfg2 0x7114&lt;br /&gt;
eth0: 00:03:7f:11:20:ce&lt;br /&gt;
athrs27_phy_setup ATHR_PHY_CONTROL 4 :1000&lt;br /&gt;
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 4 :10&lt;/pre&gt;&lt;br /&gt;
Which will then fall back to a prompt:&lt;br /&gt;
&lt;pre&gt;ath&amp;gt;&lt;/pre&gt;&lt;br /&gt;
Good news! We can now get everything working for you. You can print the existing variables if you wish:&lt;br /&gt;
&lt;pre&gt;ath&amp;gt; printenv&lt;/pre&gt;&lt;br /&gt;
&lt;/li&gt;&lt;br /&gt;
 	&lt;li&gt;Set a boot delay such we can enter the menu without the boot hack:&lt;br /&gt;
&lt;pre&gt;setenv bootdelay 3&lt;/pre&gt;&lt;br /&gt;
Check it works with&lt;br /&gt;
&lt;pre&gt;printenv bootdelay&lt;/pre&gt;&lt;br /&gt;
and confirm you get a line like this:&lt;br /&gt;
&lt;pre&gt;bootdelay=3&lt;/pre&gt;&lt;br /&gt;
Finally, save the setting with:&lt;br /&gt;
&lt;pre&gt;saveenv&lt;/pre&gt;&lt;br /&gt;
You can now reset the system (use the 'reset' command), and confirm there is a count-down that gives you time to hit "enter" and get this prompt again.&lt;/li&gt;&lt;br /&gt;
 	&lt;li&gt;Now let's fix the root password. Before doing this, I suggest you keep a copy of the old value:&lt;br /&gt;
&lt;pre&gt;printenv security&lt;/pre&gt;&lt;br /&gt;
This would let you restore things back to default. Then the following will set the root password to 'toor':&lt;br /&gt;
&lt;pre&gt;setenv security '$1$3vGNd7Q3$ISqFeo1VkmQV6nyriUV0V/'&lt;/pre&gt;&lt;br /&gt;
You may have to copy this into notepad first to ensure it all fits on one line! The quotes are critical here. Again check it works with printenv, then type saveenv to store things to disk.&lt;/p&gt;</description></item></channel></rss>