Update December 2014: 44CON has posted the videos from all 2013 talks online. Unfortunately, they don’t allow the videos to be embedded, so here’s a link.
For my presentation at 44CON, entitled “Reversing and Exploiting BT CPE Devices”, rather than have one or two or three slides packed with hard to read URLs, I included a single slide with a link to this post. Here you’ll find links to additional resources that I may have referenced in my talk.
White paper: Reverse Engineering and Exploiting the BT HomeHub 3.0b (pdf)
BT HomeHub 3.0b specifications
- http://pdf1.alldatasheet.com/datasheetI pdf/view/94408/STMICROELECTRONICS/NAND256W3A2BN6/+7_4Q9UORlHDyRHOIpa/1XXyxeocP+uKxP6OXPaoV+ /datasheet.pdf
Here’s a walkthrough I wrote on getting Debian MIPS Linux up and running
in QEMU system emulation. I use QEMU & Debian Linux to run and analyze
binaries that I find in firmware.
QEMU/Debian MIPS Linux walkthrough
Often binaries found in firmware won’t play nicely in emulation because
they make a lot of assumptions about the underlying hardware which QEMU
can’t satisfy. The most common case of this is an application querying
NVRAM for configuration parameters. Here’s a library I wrote to
intercept those queries and provide answers from an INI-style
NVRAM “faker” library for use in emulation
Bowcaster is an exploit development API that I wrote to ease development
of buffer overflow exploits. It grew out of all the tools and
techniques Craig Heffner and I developed for exploiting embedded
devices. It primarily targets MIPS Linux, since there support for that
architecture was almost non-existent. I plan to add support for other
architectures as I have time.
Here’s my Github repository for proof-of-concept exploit code. In it,
you’ll find the exploit code for the BT HomeHub 3.0b that I demoed at
44CON, among a few others.
Proof-of-Concept exploit code
I hope these resources are useful. If you came to this article because you saw my 44CON talk and demo, I hope you enjoyed it! Be sure to get in touch and share your thoughts! Twitter or my email are best.
Email: uid000 at gmail