random hacks

reverse engineering, hardware hacking, etc.

Hacking Hyundai Tucson 2020

I bought Hyundai Tucson 2020 two years ago and recently I found great series of blog posts on how to hack Hyundai Ioniq 2021 by greenluigi1. Unfortunately, the methods described there didn’t work for me. My car is running the previous generation of D-Audio which is quite different from D-Audio 2V described by greenluigi1. For reference, these are the exact versions of the firmware/software which I have:

Reversing 2.4GHz remote control

I have an old project on Github called rf-car for controlling a radio car with HackRF. A few months ago, my daughter received a new RC car made by Dickie Toys: This car was faster than the previous one and it was more fun to play with. I thought it’d be great if I can add support for it in the rf-car project and the fun began. FCC docs The car works on 2.

Receiving SSTV from ISS

Today I have successfully received and decoded an SSTV transmission from ISS. This is the result: In this post I will give a quick summary of what I have been using and how it worked for me. Hardware: USRP B200 - this is a high-end SDR but RTL-SDR dongle should also be fine Dipole antenna - I bought this from the RTL-SDR store; each side of the dipole should be around 50cm to make it resonant to 145.

SoftHSMv2 internals

SoftHSMv2 is a software implementation of the PCKS#11 interface. It is often used as replacement for real HSM devices in test environments where protecting key material is not a strong requirement. In this post I will explain how the state of SoftHSMv2 is persisted, the security behind it and what can be improved. Tokens and objects Token is the PKCS#11 term for something that stores cryptographic objects and performs cryptographic operations.

How many people are around

There is a nice open-source project howmanypeoplearearound that counts the number of people around by sniffing WiFi probe requests sent from mobile phones. Well, now we have another method to do the same by exploiting the contact tracing functionality which is being added to iOS and Android. Cell phones are using Bluetooth Low Energy to transmit ephemeral IDs to nearby devices in order to discover encounters with other people. These IDs and the Bluetooth MAC changes every 15-20 minutes to prevent tracking of users.

Signing files with Solo

Solo is FIDO2 security key with open hardware and firmware. I have been following the project and using the key for quite a while now. It shares my believe that security solutions must be open. Solo is not only open but it also have developer edition, called Solo Hacker, which allows firmware modifications. I’ve been dealing with digital signatures a lot lately, so I thought why not use my Solo key to sign files?

Cloning RSA tokens with Frida

At work we are using RSA SecurID for login to corporate services. RSA provides software tokens which are mobile applications that generate one-time passwords that change every minute or so. These applications are closed source and they use proprietary protocol to provision the token. This basically means that you are vendor locked-in with something that relies on security through obscurity. I wanted to have an open-source implementation of RSA SecurID and until now I have been using stoken together with rsa_ct_kip for token provisioning.

Controlling purifiers over the internet

Last time I reverse engineered how AirMatters controls air purifiers which are in the same local network. This time we will look into how AirMatters controls devices using the Philips cloud and how secure it is. Network analysis The network communication is over SSL, so the first step is to bypass the SSL verification in AirMatters. The application loads its CA certificates from /resources/assets and tries to establish a trust chain to them.

Rooting HS6020 IPTV STB

One of my co-workers brought a very old IPTV set-top-box in the office. The box was distributed by one of the very first IPTV providers in Sofia – Megalan. I remember using one of those back in 2009. We decided to see how difficult is to root 10+ years old hardware and the fun began! The box is running both telnet and ssh but there is no default password. The next thing we tried, of course, is connecting a serial console.

Debugging the Linux kernel with VMware

I am playing with emulated HID devices in Linux and found a kernel bug when using the usb_f_hid and dummy_hcd kernel modules. I won’t go into details of what I am trying to achieve (saving this for a future post) but focus on how I troubleshooted this particular bug. As of this writing, it is 100% reproducible with 4.15.0-45 kernel and these steps: Load libcomposite and dummy_hcd into the kernel Create an emulated HID device with configfs Write something to /dev/hidg0 After executing step 3, the machine hangs in a way which makes it clear that it’s not a userspace problem but a kernel one.