Posts Tagged ‘hack’

Apple Security: I’m in yo keeboards hax0ring yo porn sitez.

August 2nd, 2009 No comments

I’ll let you decide if this is LOL worthy.

APPLE KEYBOARDS ARE vulnerable to a hack that puts keyloggers and malware directly into the keyboard. This could be a serious problem, and now that the presentation and code are out there, the bad guys will surely be exploiting it.

The vulnerability was discovered by K. Chen, and he gave a talk on it at Blackhat this year. The concept is simple: a modern Apple keyboard has about 8K of flash memory and 256 bytes of working RAM. For the intelligent, that is more than enough space to have a field day.

Nothing is encrypted or decrypted, and the process is simple. You then resume HIDFirmwareUpdaterTool, and in a few seconds your keyboard is compromised. Formatting the OS won’t do you any good, the code is in keyboard flash. There are no batteries to pull, nothing: the keyboard is simply compromised.

Then from the proof of concept document:

The application checks a number of properties of the keyboard and checks the validity of the firmware image file kbd 0x0069 0x0220.irrxfw in the bundle. The firmware validity checking routine is called CRC32: and is the 75 byte routine starting at 0x00003005. Despite the name, this routine does not do CRC32 at all and in fact, it simply just adds up the bytes of the firmware image file and the application verifies that the sum is 0x252ed7.

EPIC FAIL. While the rest of the world has been working hard on securing the fabric of their kernels, Apple has concentrated on painting the Leopard with new stripes. Before you fall into the trap of thinking this isn’t as big as they make it out to be – because you need physical (and root) access to update firmware (and the user would have to approve) – think of malware or a Safari-related exploit. How many security-conscious Mac users do you think there are? Wasn’t the original deal “move to Mac and forget all your troubles”?

Surely Apple can’t be the only keyboard at fault; I’m sure my Razer Tarantula (with a few modifications) can fall into the same trap – at least you’d hope so, for Apple’s sake (or not!).

Anyway, woo, Windows 7 to Technet/MSDN guys this week!
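To make the quoted finding concrete from the defender’s side, here is an added illustration (not Apple’s code, nor anything from the proof-of-concept document) of why an additive byte sum gives no integrity at all, and what an updater should verify instead. The sample image bytes, the verification key and the function names are constructed for the demo; the only figure taken from the page is the idea of a plain sum standing in for a real check.

```python
"""Added illustration: a byte-sum 'CRC32' versus a real CRC-32 versus a keyed
tag. Nothing here is Apple's code; the image bytes and key are constructed."""
import hashlib
import hmac
import zlib


def byte_sum(image: bytes) -> int:
    """The check the PoC describes: just add up every byte of the image."""
    return sum(image)


def real_crc32(image: bytes) -> int:
    """An actual CRC-32 (what the routine's name promised). It catches
    accidental corruption, but it is not a security control either, since
    anyone can recompute it for a changed image."""
    return zlib.crc32(image) & 0xFFFFFFFF


def keyed_tag(image: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 over the image: only a holder of `key` can produce a
    matching tag, so a modified image fails verification."""
    return hmac.new(key, image, hashlib.sha256).digest()


def verify_keyed(image: bytes, key: bytes, expected_tag: bytes) -> bool:
    # Constant-time comparison; never compare tags with ==.
    return hmac.compare_digest(keyed_tag(image, key), expected_tag)


# Constructed sample "firmware image" (not a real keyboard image).
ORIGINAL = bytes(range(16)) * 4
# The same bytes in a different order: a different program, identical sum.
REORDERED = ORIGINAL[::-1]
# Constructed key for the demo. A shipping updater should use a public-key
# signature instead, so that no secret has to live on the host at all.
KEY = b"constructed-demo-key"


def compare_checks(good: bytes, modified: bytes, key: bytes) -> dict:
    """Report whether each check can tell the two images apart."""
    tag = keyed_tag(good, key)
    return {
        "byte_sum_equal": byte_sum(good) == byte_sum(modified),
        "crc32_equal": real_crc32(good) == real_crc32(modified),
        "keyed_tag_accepts_modified": verify_keyed(modified, key, tag),
    }


if __name__ == "__main__":
    print(f"byte sum of sample image: {byte_sum(ORIGINAL):#x}")
    print(compare_checks(ORIGINAL, REORDERED, KEY))
```

The point of the comparison dict is the middle row: even a genuine CRC-32 only detects accidents, so a firmware updater that wants to stop a hostile image needs a keyed or signed check, with the verification key (or better, only a public key) kept where a local process cannot simply read it.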


Getting a Windows 7 Beta 1 Product Key

January 10th, 2009 4 comments

Just over 12 hours ago the download links for Windows 7 Beta 1 went live and I posted about it not long after… But in my rush to get Neo to a friend’s place for a doggy day (where were my priorities, aye?) I forgot to mention how to obtain a proper license key to use the betas. So here’s the spiel.

Sign in via your .NET Passport

It’s vital that you sign in via your .NET Passport, otherwise you’ll keep getting redirected to the Microsoft home page or the Windows 7 Beta site. You can do this by visiting any protected section of Microsoft’s site, such as the Manage Your Profile section.

Once you’re signed in, you’re ready to try and obtain your key. Use one of the following URLs (they are purposely not hyperlinks, so you are forced to copy/paste):

  • Windows 7 Beta 1 – x86
  • Windows 7 Beta 1 – x64

If at first you don’t succeed, reload and try again.

Most of the time you try the links you’ll be greeted with this:

But don’t fret, it’s only there to warn off n00bs; just keep refreshing your browser and eventually the server will bite.

Successful x64 Key obtained.

Some people have gone so far as to open 20 tabs in Firefox, cycle through them (just use CTRL+TAB) after they’ve all reloaded and check each one; if none bite, just right-click on a tab and select “Reload All Tabs”. Repeat till a key is found.

If you’re _really_ desperate, you can automate the entire process via Firefox + Greasemonkey by following this forum posting. Nothing like calling on the greasy helper monkeys to work while you ponder the mysteries of life.

You can also read up on the Installation Instructions for Windows 7 Beta 1 to get up to speed on the setup process, and there is also some information on the Windows Blog about downloading and installing Beta 1.


Breaking News: BD+ Broken

November 2nd, 2008 1 comment

BD+ is the DRM system for Blu-ray discs, as Wikipedia puts it:

BD+ is a component of the Blu-ray Disc Digital Rights Management system. It was developed by Cryptography Research Inc. and is based on their Self-Protecting Digital Content concept. BD+ played an important role in the past format war of Blu-ray Disc and HD DVD. Several studios have cited Blu-ray Disc’s adoption of the BD+ anti-copying system as the reason they supported Blu-ray Disc over HD DVD.

One of the more humorous observations was that, unlike DVD (which used DeCSS for its copy protection system) and AACS, which powered the bulk of the HD DVDs of the time, BD+ would uphold its protection for at least the next 10 years. This may have been one of the key factors in the HD wars, but alas, it seems someone has found a way of travelling into the future and finding the break.

Oopho2ei (who claims not to be a professional programmer :O) from the Doom9 forums, along with a few others (bmnot, schluppo, Disabled, evdberg), has (it seems) successfully broken the BD+ protection scheme in a grand total of 5 weeks and 3 days (started on the 24th of August). They have restored the BD+ protected “The Day After Tomorrow”:

I am glad to announce the first successful restoration of the BD+ protected movie “The Day After Tomorrow” in Linux. It was done using a Blu-ray drive with patched firmware (to get the volume id), DumpHD to decrypt the contents according to the AACS specification and the BDVM debugger from this thread to generate the conversion table. The conversion table is the key information to successfully repair all the broken parts in m2ts files to restore the original video content. This small tool was finally used to repair the main movie file “00001.m2ts” according to the conversion table.

To verify the correctness I compared my 00001.m2ts with the one AnyDVD-HD creates and they both match. The MD5 hash of this 30GB file is in both cases “0fa2bc65c25d7087a198a61c693a0a72”.

Breaking the code is no simple feat; Oopho2ei and team have had to reimplement the VM that runs the BD+ protection layer, and they realise there’s a fair chance that it could be blocked at a later stage and may phone home:

There has to be some kind of firewall around the virtual machine which validates all communication between the (potentially hostile) content code and the outside world (traps and events). Part of the rules which are enforced by that firewall are the parameter checks on every trap call. It’s obvious that the traps and the event handling itself have to be carefully implemented. I believe this additional effort is necessary to prevent the content code from breaking out of its sandboxed environment and doing nasty things like gathering user information and “calling home” when it detects an unlicensed emulator. So because these additional security measures make things more difficult I suggested to test this code first with the easy traps.

Even a guy from SlySoft (who make the ever-popular AnyDVD-HD product) chimes in early on, but backs off after realising he could well get the sack.

I’ll just say: due to certain properties of BD+, once you’re past a certain point, you can handle it pretty much without reversing – BD+ itself then helps you out – on any player

Actually you’d have to know how BD+ really works, to know what I meant (and even then you probably wouldn’t).
But if I start unraveling that, I’d be finding myself looking for a new job by next week

Love this bit in one of Oopho2ei’s posts:

I would like to stress again that this project wasn’t intended to circumvent copy protection and promote piracy. This can already be done using commercial software like AnyDVD-HD. Instead this project was an attempt to enable users of open source operating systems (like linux) to playback their BD+ protected discs without having to use proprietary software. Furthermore only two movies “I Robot” and “The Day After Tomorrow” have been proven to be handled correctly so far. Obviously there is still a lot of debugging to be done.

Classy! Download a copy of the BDVmDbg build for educational reasons and try PortableBDVM, which comes in C99 source form.
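The “firewall around the virtual machine” that Oopho2ei’s quoted post argues for is a general sandboxing pattern, so here is an added toy illustration of it (not the BD+ VM, BDVmDbg or PortableBDVM code): content code can only reach the host through numbered traps, and one dispatcher validates arity, types and every memory range against the VM’s own address space before a handler runs. The trap numbers, memory size, host-side state and sample content program are all constructed for the demo.

```python
"""Added toy illustration of a trap firewall around a content-code VM.
Not the BD+ VM; trap numbers, memory size and the sample program are
constructed for this demo."""

MEM_SIZE = 256  # constructed: the toy VM's whole address space


class TrapError(Exception):
    """Raised when content code asks for something outside its sandbox."""


class SandboxedVM:
    def __init__(self) -> None:
        self.mem = bytearray(MEM_SIZE)
        # Host state that content code must never be able to reach.
        self.host_log = []
        self.host_secret = b"constructed-host-only-data"
        # Trap number -> (handler, number of integer parameters)
        self.traps = {
            1: (self._trap_log, 2),     # log(addr, length)
            2: (self._trap_memcpy, 3),  # memcpy(dst, src, length)
        }

    def _check_range(self, addr: int, length: int) -> None:
        """Every memory reference must lie fully inside VM memory."""
        if addr < 0 or length < 0 or addr + length > MEM_SIZE:
            raise TrapError(f"range [{addr}, {addr + length}) is outside VM memory")

    def _trap_log(self, addr: int, length: int) -> int:
        self._check_range(addr, length)
        self.host_log.append(bytes(self.mem[addr:addr + length]))
        return 0

    def _trap_memcpy(self, dst: int, src: int, length: int) -> int:
        self._check_range(dst, length)
        self._check_range(src, length)
        self.mem[dst:dst + length] = self.mem[src:src + length]
        return 0

    def trap(self, number: int, args: tuple) -> int:
        """The single choke point between content code and the host."""
        entry = self.traps.get(number)
        if entry is None:
            raise TrapError(f"unknown trap {number}")
        handler, arity = entry
        if len(args) != arity:
            raise TrapError(f"trap {number} expects {arity} parameters, got {len(args)}")
        # bool is a subclass of int in Python; reject it along with any non-int.
        if not all(isinstance(a, int) and not isinstance(a, bool) for a in args):
            raise TrapError(f"trap {number}: parameters must be integers")
        return handler(*args)


def run_content_code(vm: SandboxedVM, program: list) -> list:
    """Execute a list of (trap_number, args) calls, recording 'ok' or a
    'denied: ...' reason for each instead of letting a bad call escape."""
    outcome = []
    for number, args in program:
        try:
            vm.trap(number, args)
            outcome.append("ok")
        except TrapError as exc:
            outcome.append(f"denied: {exc}")
    return outcome


# Constructed content program: two legitimate calls, then attempts to read
# past the end of memory, use a negative length, and call an unknown trap.
SAMPLE_PROGRAM = [
    (2, (8, 0, 4)),   # copy mem[0:4] to mem[8:12]
    (1, (8, 4)),      # log mem[8:12]
    (1, (250, 10)),   # overruns the end of VM memory
    (2, (0, 0, -1)),  # negative length
    (9, ()),          # no such trap
]


def demo() -> tuple:
    vm = SandboxedVM()
    vm.mem[0:4] = b"abcd"
    return run_content_code(vm, SAMPLE_PROGRAM), vm.host_log


if __name__ == "__main__":
    results, log = demo()
    for line in results:
        print(line)
    print("host log:", log)
```

Two design points carry over to any real emulator of hostile content code: the handlers never see parameters the dispatcher has not already checked, and host-only state (here `host_secret` and the log list) lives outside the byte array the VM can address, so no trap can be talked into copying it.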
