random hacks

reverse engineering, hardware hacking, etc.

Making a Chromecast receiver

I made a Chromecast receiver which works on Linux. It is called Shanocast and it can mirror a Chrome tab or the entire desktop. Here is a demo (embedded video). The implementation is based on Openscreen, which is an open-source implementation of the Chromecast protocol. The tricky part is the receiver authentication: Google Chrome authenticates the receiver and refuses to stream to it if the authentication fails.

Hyundai Head Unit Hacking

In the previous post I showed how to crack the official firmware for the Hyundai Tucson 2020 and reverse engineer it. At the end I thought that I could simply modify the update package, zip it again with the same password and push it to the car. But it turned out it is not that simple. The update package is signed with an RSA key which corresponds to the daudio.

Hacking Hyundai Tucson 2020

I bought a Hyundai Tucson 2020 two years ago and recently found a great series of blog posts on how to hack the Hyundai Ioniq 2021 by greenluigi1. Unfortunately, the methods described there didn't work for me. My car is running the previous generation of D-Audio, which is quite different from the D-Audio 2V described by greenluigi1. For reference, these are the exact versions of the firmware/software which I have: I also found the password-protected Engineering Mode, which appears after tapping 5 times on the left of the Update button and 2 times on the right:

Reversing 2.4GHz remote control

I have an old project on Github called rf-car for controlling a radio car with HackRF. A few months ago, my daughter received a new RC car made by Dickie Toys: This car was faster than the previous one and it was more fun to play with. I thought it'd be great if I could add support for it in the rf-car project, and the fun began. FCC docs The car works on 2.

Receiving SSTV from ISS

Today I successfully received and decoded an SSTV transmission from the ISS. This is the result: In this post I will give a quick summary of what I have been using and how it worked for me. Hardware: USRP B200 - this is a high-end SDR, but an RTL-SDR dongle should also be fine. Dipole antenna - I bought this from the RTL-SDR store; each side of the dipole should be around 50cm to make it resonant at 145.

SoftHSMv2 internals

SoftHSMv2 is a software implementation of the PKCS#11 interface. It is often used as a replacement for real HSM devices in test environments where protecting key material is not a strong requirement. In this post I will explain how the state of SoftHSMv2 is persisted, the security behind it and what can be improved. Tokens and objects A token is the PKCS#11 term for something that stores cryptographic objects and performs cryptographic operations.

How many people are around

There is a nice open-source project howmanypeoplearearound that counts the number of people around by sniffing WiFi probe requests sent from mobile phones. Well, now we have another method to do the same by exploiting the contact tracing functionality which is being added to iOS and Android. Cell phones use Bluetooth Low Energy to transmit ephemeral IDs to nearby devices in order to discover encounters with other people. These IDs and the Bluetooth MAC change every 15-20 minutes to prevent tracking of users.

Signing files with Solo

Solo is a FIDO2 security key with open hardware and firmware. I have been following the project and using the key for quite a while now. It shares my belief that security solutions must be open. Solo is not only open but it also has a developer edition, called Solo Hacker, which allows firmware modifications. I've been dealing with digital signatures a lot lately, so I thought, why not use my Solo key to sign files?

Cloning RSA tokens with Frida

At work we use RSA SecurID to log in to corporate services. RSA provides software tokens, which are mobile applications that generate one-time passwords that change every minute or so. These applications are closed source and they use a proprietary protocol to provision the token. This basically means that you are locked in to a vendor with something that relies on security through obscurity. I wanted to have an open-source implementation of RSA SecurID, and until now I have been using stoken together with rsa_ct_kip for token provisioning.

Controlling purifiers over the internet

Last time I reverse engineered how AirMatters controls air purifiers which are in the same local network. This time we will look into how AirMatters controls devices using the Philips cloud and how secure it is. Network analysis The network communication is over SSL, so the first step is to bypass the SSL verification in AirMatters. The application loads its CA certificates from /resources/assets and tries to establish a trust chain to them.