I recently discovered an almost undocumented function in Xilinx ISE: the Xilinx virtual cable driver. It’s basically “a platform cable without a platform cable” (as marcan said so nicely) - it allows you use Impact (and Chipscope, and all other tools) over TCP/IP.
Normally, ISE comes with a limited set of cable drivers: It supports cables on the parallel port, such as the Xilinx Parallel Cable III (DLC5), which can be DIY’ed easily, or the faster Xilinx Parallel Cable IV (which has an integrated CPLD), or the - quite expensive, but also sophisticated - USB Platform cables.
Vulnerabilities are like good ideas - you’re rarely the first one dealing with it. Some vulnerabilities are almost classic, so I’ll proudly present: 7 old but surprisingly useful bugs that might also affect YOUR device.
(With “you” either being the designer or attacker.)
Just to be clear: none of these exploits are rocket science. This is kind of the “low tech” hacking approach - no fancy oscilloscopes required, no DPA involved, no FIB to rent.
Remember 10years ago? I do!
1
I apologize for the lack of updates. Yeah, I’m sorry. But this time, I’ve got a proper excuse!
Her name is Ida Klara, she was born on April 26th, and she’s awesome2!
Yeah, I’m still on 32bit. [return] And no, that doesn’t mean I’ve stopped hacking. I have some interesting things going on, they are just not finalized3 enough so I can post4 them. [return] [return] Now with a hugo-powered blog.
The WhatsInside post from January was not an incidental post. It is actually snapshot of a much longer forensic investigation to find the ground truth behind some of the technology behind Tektronix’ scope accessories.
Pun aside - In October 2009, I’ve got a new scope, a Tektronix DPO4034. It’s a scope in the $8k range, so while not exactly low-cost, you don’t need a mortgage on your home to buy it.
I’m cheap. Most of my switches aren’t manageable. I know that they are cheap now. My switches are still cheaper.
On the other hand, I recently required a device on a separate network. Having just one NIC on my linux machine, I naturally wanted to use VLANs for that; all it needs is a switch in VLAN mode, where each of the ports (except for one, the “master” port) is on a separate VLAN.
Introduction Abstract In this series of articles, I will talk about the design, implementation and fall of an optical media authentication used on a popular, but past, gaming console. I will show that it’s possible to reverse engineer such stuff without access to expensive equipment or insider information.While I will not talk about practical implementation of attacks against the discussed scheme, I will show that this has been done, and I will analyze how this has been done.
The 24c3 is over now, and we really had a lot of fun. We brought 6 of our Xboxes, which allowed us to grab attention from quite a lot of people in the hackcenter :).
bushing showed a nice Wii hack we had been developing in the last few weeks (though I mostly did watch the show). Ben has been burning like 50 DVDs or so, which all did different things from doing nothing at all to immediately freezing the system, but like 30 min before our lecture, he made it working!
I’m proud to present:
Triangles on the 360, MANY OF THEM - about 40 million per second, or even more if you write clever code. (But this is not a depth of field, just a blurry screenshot ;)
I finally polished my GPU stuff far enough so I can risk a release. You need to compile your shaders, so you need Tser’s shader compiler (which uses part of the windows XNA libraries).
While writing code to extract the GPU microcode out of the kernel from flash (on 360, in order to not require the GPU library to ship with any copyrighted files), I’ve came across a very ugly bug: My code worked perfectly, until I’ve changed the stack layout by inserting a variable or changed gcc’s optimization setting. Suddently, libmspack refused to unpack my data. I’ve carefully audited my code, but couldn’t find any oddity or abuse.
I have known since years that the day had to come, but it was hard anyhow:
My beloved iMac G5 (rev. 1) had to be taken down, in order to move to his new home, the waldobjekt. During the last few years, it always served well the kuehlschrank-website (it’s down now, of course!), provided a home for my emails (people are still calling me crazy for setting up the MX for my primary mail domain into a dyndns), archived our webcam pictures, connected my home to the world wide web (and even further), and had not suffered a single crash.
I apologize for the lack of recent updates. The main reason is that I moved, or better, split up, currently into three different places: My new flat, my old flat (which still takes care of a lot of my equipment), and a new home for electronic devices, called “waldobjekt”. The waldobjekt is a place which finally has enough space for all of my projects (and much more). >260 m² of space for storage, working and having fun!
The Infrant ReadyNAS NV is a Sparc (Leon) powered NAS. It’s not really cheap, but, well, I’ve got it somehow cheap. It featueres 4 SATA channels and Gigabit ethernet, unfortunately it runs a heavily modified Linux Version. Now, Infrant (of course!) complies to the GPL by releasing a 2.4.20-based kernel every now and then, of course every time with an undocumented set of changes under the same filename. Did I forget to tell you that some kernel releases are missing important files (lp_code, lp_data for example was missing in the “2.
This will be an attempt to document stuff I’ve done in the past. I’m bad at documenting, so I’ll just present what I’ve done. If you have further questions, always feel free to email me.
This time I wanted to know what’s on my DVDs. I mean, not what’s normally visible, but what’s underneath the data layer. Contrary to CDs, where a lot of work has been done to allow reading every bit of a CD, there is surprisingly less information for DVDs.