Fascinating Projects: A Daily Endeavor

This blog is used to broaden my horizons and spark some new ideas.

Transmit LoRa Frames Without a Radio

A radio emission is just a wave made up of particular frequencies and phases, so can we generate a wave of that specific kind and send it to imitate a radio? Yes, we can.

How do we generate a specific frequency with an SoC (System-on-Chip)? We can use the embedded clock!

Have a look at lolra. The project shows how, using either a shift register (i.e. an I2S or SPI port) or an APLL (clock), you can send LoRa packets that can be decoded by commercial off-the-shelf LoRa gateways and other chips.
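
As an added illustration (not code from lolra), the following Python generates the bit stream a shift register would clock out for a single tone and uses a DFT to check where the energy lands; the 80 MHz clock and 10 MHz target are assumed numbers, and a real LoRa chirp would additionally sweep the target frequency over time:

```python
import cmath
import math

def shift_register_bits(f_clock: int, f_target: int, n_bits: int) -> list:
    """Bit stream a shift register (I2S/SPI) clocks out at f_clock Hz so that the
    square wave it produces has its fundamental at f_target Hz. An integer phase
    accumulator keeps the bit at 1 during the first half of each target cycle."""
    return [1 if (i * f_target) % f_clock < f_clock // 2 else 0 for i in range(n_bits)]

def dft_peak_hz(bits: list, f_clock: int, f_min: float = 0.0) -> float:
    """Naive DFT of the bit stream with DC removed; returns the frequency of the
    strongest bin at or above f_min, i.e. where the emitted energy actually lands."""
    n = len(bits)
    mean = sum(bits) / n
    x = [b - mean for b in bits]
    best_f, best_mag = 0.0, -1.0
    for k in range(1, n // 2):                       # bins up to Nyquist (f_clock / 2)
        f = k * f_clock / n
        if f < f_min:
            continue
        mag = abs(sum(x[i] * cmath.exp(-2j * math.pi * k * i / n) for i in range(n)))
        if mag > best_mag:
            best_f, best_mag = f, mag
    return best_f

def demo():
    """Assumed numbers: an 80 MHz shift-register clock and a 10 MHz tone, 256 bits.
    The fundamental lands at 10 MHz, and the square wave's 3rd harmonic is the
    strongest component above 20 MHz: a square wave carries energy well above the
    tone itself, which is why a modest clock can still reach higher bands."""
    bits = shift_register_bits(80_000_000, 10_000_000, 256)
    return dft_peak_hz(bits, 80_000_000), dft_peak_hz(bits, 80_000_000, 20_000_000)
```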

Injecting a backdoor into the supply chain

A researcher discovered a backdoor in the well-known compression package xz-utils, which is used by sshd (the SSH server). How could this be done?

Have a look at the openwall post.

There you can find out how it was done.

Linking Shell Companies to their Secret Owners

These are social engineering tips I learned from GIJN, and they are fascinating too.

  1. In registration, they can't get around the basics on those forms: an official business address, real names of at least some directors, and documents about the nature of the business.
  2. Always seek the ultimate beneficial owner, rather than the director or owner names you may find early in your search.
  3. Start with a quick company or person name search in OpenCorporates.
  4. Consider a subscription to a corporate risk database if you hit a wall with open source tools - Sayari, Orbis and Factiva.
  5. Put yourself in the shoes of billionaires and oligarchs, because they are very predictable.
  6. Use vetted investigative data in the ICIJ Offshore Leaks Database.
  7. Flag potential criminal links in OCCRP's follow-the-money archive - OCCRP's Aleph database.
  8. Experiment with different spellings, and check against Google Maps.
  9. Cross-search the "nuggets" you find in other free portals - Open Ownership, the UK-based Register of Overseas Entities, and Tenders Electronic Daily (TED).
  10. Try a family connections tool to track oligarch assets - RuPEP.
  11. Paperwork tends to poke holes in secrecy, so keep digging.

Change the debug path in the build outputs

refix uses string replacement to rewrite the absolute paths stored in ELF debug information, so that gdb can find the correct paths of the source files the binary was compiled from.
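
An added example (not refix's own code, and the page does not say whether refix works exactly this way) of the one constraint an in-place rewrite of debug strings has to respect: DWARF refers to .debug_str entries by byte offset, so each string must keep its byte length, which means a shorter prefix is NUL-padded and a longer one must be refused. The string table below is constructed:

```python
def rewrite_debug_paths(table: bytes, old_prefix: str, new_prefix: str) -> bytes:
    """Rewrite, in place, every NUL-terminated string in a DWARF-style string table
    (think .debug_str) that starts with old_prefix.

    DIEs reference these strings by byte offset (DW_FORM_strp), so every string must
    keep its byte length: a shorter prefix is NUL-padded (the C string simply ends
    earlier), a longer one is refused because it would shift every following offset."""
    old, new = old_prefix.encode(), new_prefix.encode()
    if len(new) > len(old):
        raise ValueError("new prefix is longer than the old one; offsets would shift")
    out = bytearray(table)
    pos = 0
    while pos < len(out):
        end = out.find(b"\0", pos)
        if end < 0:                      # malformed tail without terminator: leave it
            break
        entry = bytes(out[pos:end])
        if entry.startswith(old):
            out[pos:end] = (new + entry[len(old):]).ljust(len(entry), b"\0")
        pos = end + 1
    return bytes(out)

def strings_in(table: bytes) -> list:
    """Read the table back as Python strings, skipping the NUL padding."""
    return [s.decode() for s in table.split(b"\0") if s]

# Constructed sample table: DWARF string tables start with an empty string at offset 0.
SAMPLE = b"\0/home/builder/src/main.c\0/home/builder/src/util.h\0/usr/include/stdio.h\0"
```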

Fuxnet: Ukraine Against Russian Infrastructure Malware

Claroty’s analysis of Fuxnet showed that the malware was likely deployed remotely. Once on a device, it would start deleting important files and directories, shutting down remote access services to prevent remote restoration, and deleting routing table information to prevent communication with other devices. Fuxnet would then delete the file system and rewrite the device’s flash memory.

Once it has corrupted the file system and blocked access to the device, the malware attempts to physically destroy the NAND memory chip and then rewrites the UBI volume to prevent rebooting.

For example, the config vol_flags = PERSISTENT in /etc/ubi_vol.cfg.

To further prevent the device from rebooting, the following is added to the start script:

echo 1 > /sys/power/pm_freezer/state
echo 1 > /sys/power/state

In addition, Fuxnet moves on to physically destroy the NAND memory chips on the device. To do so, the malware performs a bit-flip operation on entire sections of the SSD NAND chip, constantly writing and rewriting the memory, stopping only when a write fails because the memory has been corrupted. Since the gateway uses NAND memory, which can only be written and rewritten a certain number of times (known as the NAND write cycles), constantly rewriting the memory causes the chip to malfunction and become inoperable.

while(!is_stop) {
  /* two write-and-seek passes per iteration over the same region */
  if (write_reseek(fd, xbuf, rz) < 0)
    break;                 /* a failed write means the flash is already worn out */
  if (write_reseek(fd, xbuf, rz) < 0)
    break;
  wr_amount += 2;
  rounds += 2;
  if (rounds >= SSD_ROUNDS) {
    break;
    ssd_bad_rounds = 0;    /* unreachable: the break above exits first */
  }
}

Self-made Python Asyncio

I came to find out that asyncio is basically just a really nice layer on top of Python generators.

In the article, the author creates a simplified version of asyncio using just Python generators, then refactors the example to use the async and await keywords with the help of the __await__ dunder method, before coming full circle and swapping out the home-made version for the real asyncio. By building a simple version of asyncio, the reader should, by the end of the article, get a better grasp of how it does its magic.

Self-learning notes:

Q: Is a function like a class (such as a C++ class)?

A: Yes, a function has a stack to store its state (local variables).

Q: Why is this important?

A: We need a function to stop and save its state when it stops, so that another thread can run.

Q: Give an example.

A: Iterating over a list can be seen as repeatedly calling access-and-increment. Likewise, every turn in async can be seen as one access-and-increment.

Coding details:

  1. Treat yield as a special kind of return: when the function is driven by next() rather than called directly, next() checks whether it yielded or returned normally. A true return raises StopIteration; a yield stops at that point and remembers the current program counter and function context.

  2. asyncio is just: generator + state machine + event loop
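
An added example (not the article's code) of "generator + state machine + event loop": tasks are plain generators, a yielded Sleep is a timer request the loop parks on a heap, StopIteration carries a task's return value, and `yield from` composes sub-tasks. Task names and delays are constructed:

```python
import heapq
import time
from collections import deque, namedtuple

Sleep = namedtuple("Sleep", "seconds")   # yielded by a task: "park me for `seconds`, then resume me"

class Loop:                                         # a ready queue plus a timer heap is the state machine
    def __init__(self, clock=time.monotonic, sleep=time.sleep):
        self.clock, self.sleep = clock, sleep
        self.ready = deque()       # (generator, name) pairs runnable right now
        self.sleeping = []         # heap of (wake_time, seq, generator, name)
        self.seq, self.results, self.order = 0, {}, []

    def create_task(self, gen, name):
        self.ready.append((gen, name))

    def run(self):
        while self.ready or self.sleeping:
            if not self.ready:                      # nothing runnable: wait for the earliest timer
                wake, _, gen, name = heapq.heappop(self.sleeping)
                self.sleep(max(0.0, wake - self.clock()))
                self.ready.append((gen, name))
            gen, name = self.ready.popleft()
            try:
                request = next(gen)                 # drive the generator to its next yield
            except StopIteration as done:           # a real `return`: the task is finished
                self.results[name] = done.value
                self.order.append(name)
                continue
            if isinstance(request, Sleep):          # timer request: park the task on the heap
                self.seq += 1
                heapq.heappush(self.sleeping, (self.clock() + request.seconds, self.seq, gen, name))
            else:                                   # bare `yield`: just let the other tasks run
                self.ready.append((gen, name))
        return self.results

def fetch(label, delay):                            # sub-task: `yield from` forwards its Sleep
    yield Sleep(delay)
    return label.upper()                            # becomes the value of `yield from` in worker

def worker(label, delay):
    text = yield from fetch(label, delay)
    yield                                           # cooperative yield point with no timer
    return text + "!"

def demo():                                         # "a" sleeps longer, so "b" finishes first
    loop = Loop()
    for name, delay in (("a", 0.02), ("b", 0.01)):
        loop.create_task(worker(name, delay), name)
    return loop.run(), loop.order
```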

SYZYGY

An open standard for high-performance peripheral connectivity.

  • Low cost, compact, high-performance connectors
  • Pin count economizes available FPGA I/O
  • Low cost cable options
  • FREE to license

My Words: It seems that this protocol is designed to hit the “sweet spot” for different peripherals, primarily in the field of FPGAs.

CCS 16 Reviewing Process

Statistics of CCS 16 Reviewing Process

Dumping Firmware from SPI flash chip

This blog post shows how to use a CH341A programmer and AsProgrammer to dump the firmware from a flash chip.

SQL-like Static Vulnerability Detection in Source Code

Discover vulnerabilities across a codebase with CodeQL, our industry-leading semantic code analysis engine. CodeQL lets you query code as though it were data. Write a query to find all variants of a vulnerability, eradicating it forever. Then share your query to help others do the same.

CodeQL is free for research and open source.

For example, fgets usage can increase the possibility of a state injection attack, so we can write a QL query to catch all fgets usages.

import cpp

predicate dangerousFunction(Function function) {
  exists(string name | name = function.getQualifiedName() | name = "fgets")
}

from FunctionCall call, Function target
where call.getTarget() = target and dangerousFunction(target)
select call, target.getQualifiedName() + " is potentially dangerous"

The findings can then be displayed, for example a hit in udev/udev-rules.c:

(Screenshot: LGTM result for the fgets query)

CodeQL can also be used for more advanced use cases, for example with data flow analysis.

Python’s Preprocessor

Python has an internal preprocessing hook for decoding source code, and you can define your own grammar with it.

There are several projects using it:

  1. incdec.py: brings "++" and "--" into Python
  2. Bython: Python with braces
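
One such hook is the source-encoding codec: a `# coding: name` cookie on the first line makes CPython route the raw source bytes through the registered codec before tokenizing. The example below is added here and is not incdec.py's or Bython's code; it registers a toy "incdec" codec that rewrites `x++` / `x--`, and the sample source is constructed:

```python
import codecs
import re

# Toy grammar extension: a statement-final `x++` / `x--` becomes `x += 1` / `x -= 1`.
# (Strings and comments are not skipped; a real incdec.py-style hack would need to.)
INC_DEC = re.compile(r"\b(\w+)(\+\+|--)(?=[ \t]*$)", re.MULTILINE)

def transform(source: str) -> str:
    return INC_DEC.sub(lambda m: f"{m.group(1)} {m.group(2)[0]}= 1", source)

def incdec_decode(data, errors="strict"):
    """Codec decode hook: CPython's tokenizer hands over the raw source bytes
    (the whole file, cookie line included) and expects (text, bytes_consumed)."""
    text, consumed = codecs.utf_8_decode(data, errors, True)
    return transform(text), consumed

def search(name):
    if name == "incdec":
        return codecs.CodecInfo(name="incdec", encode=codecs.utf_8_encode,
                                decode=incdec_decode)
    return None

codecs.register(search)   # from now on `# coding: incdec` selects this "preprocessor"

def run_incdec(source: bytes) -> dict:
    """Compile and exec raw bytes; the coding cookie on line 1 routes them through
    the registered codec before tokenizing, just as an import of such a file would."""
    namespace = {}
    exec(compile(source, "<incdec>", "exec"), namespace)
    return namespace

# Constructed sample source (assumed, not taken from incdec.py).
SAMPLE = b"# coding: incdec\nx = 5\nx++\nx++\ny = x\ny--\n"
```
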
This article is licensed by the author under CC BY 4.0.
