Sunday, 2 October 2011

Playing in a music video

Some of my friends are in a band called Ocean of Lotion. They haven't released any albums yet, but they have released a music video on YouTube. The fat guy riding the bike is me.




I'm really happy with the result and it's one of the most cheesy music videos I've seen in a long time.

Monday, 11 April 2011

Airport Express pt4

The RAOP/Airtunes key is here: http://static.hsorbo.no/0xff/airtunes.pem
Although I have had the key for quite some time, it was first made public here: http://www.mafipulation.org/blagoblig/2011/04/08#shairport

Wednesday, 10 November 2010

Some info on the Airport.

I have been very busy doing other stuff since the last post. I'm very sorry for this taking longer than expected. I have been doing stuff lately on the project, but I won't give you any ETA. I can't give anyone the decrypted firmware as that is illegal here in Norway. (I also want to do this myself to get more knowledge of ARM.) I will give you the firmware-decrypt algorithm as soon as I find it.

Wednesday, 17 March 2010

Neat OS X terminal-trick for quickly launching apps

Applications on OS X reside in the /Applications folder. They are usually a pain to start from the terminal/shell.
You usually have to do something like open -a /Applications/Safari.app to launch Safari.
I made this nice, useful one-liner that creates an alias for every app. It lowercases the name of the app and removes whitespace: Safari becomes safari, "Quicktime Player" becomes quicktimeplayer.

The most useful to me is "vlc movie.avi", "0xed binaryfile.bin" and "textmate textfile.txt"

Put this into ~/.zshrc and you have aliases for all your apps:
for app in /Applications/*.app;do;alias ${${app//(\.app| |\/Applications\/)/}:l}="open -a \"$app\"";done


You could also put Utilities into aliases with
for app in /Applications/Utilities/*.app;do;alias ${${app//(\.app| |\/Applications\/Utilities\/)/}:l}="open -a \"$app\"";done
You now have nice commands like: diskutility, console, activitymonitor


PS. You need zsh for this script. (just run chsh from shell and change /bin/bash to /bin/zsh).

Tuesday, 2 March 2010

Flash / Silverlight video-download in Safari

I have a very poor internet connection at home, and as a result I prefer to download movies from the web. One common problem is that the videos are played through Flash or Silverlight, and the URL is not available. There is a neat trick one can do in Safari to get the URL for these movies (provided the video is served over HTTP).
Steps:
- You first need to enable the developer menu in Safari.
- Go to the page showing the video.
- Go to the developer menu, press "Show web inspector"
- In the web inspector, select resource tracking (enable for this session).
(This will show all resources the webpage is using; if you sort them by size, the video will soon become the largest element.)
- Sort by size
- Wait a few seconds of video playback
- Select the topmost resource.
- Copy the URL and paste it into the address field of Safari.
- Hit alt+enter (this tells Safari to download the URL instead of opening it).
- Enjoy!

Here is a demo:

Friday, 26 February 2010

Reverse engineering the Airport Express Part 3

Part 1, Part 2
A small update.
Memory alignment took a few hours. I did this by dumping a lot of the string offsets in the firmware using standard unix console tools:
strings -n 10 -o | grep "Audio" | awk '{print $2}'
I then wrote an IDA script that dumped all load-operation offsets, and made a second script that brute-forced matching the offsets. The best match was 0x80010000 and, to nobody's surprise, this made IDA Pro very happy and she started auto-analyzing the firmware.
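The offset-matching step above, as an added example that is not the author's IDA script: take the file offsets where long printable strings start (what strings -o reports), take every aligned 32-bit word in the image as a possible pointer, and score each candidate load address by how many words become pointers to a string start. The sample image, the string names and the candidate range are constructed here for the demonstration.

```python
import struct

def string_offsets(blob, min_len=10):
    """File offsets where printable-ASCII runs of at least min_len bytes start
    (the offset column that `strings -n 10 -o` prints)."""
    offs, start = [], None
    for i, b in enumerate(bytes(blob) + b"\x00"):  # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                offs.append(start)
            start = None
    return offs

def pointer_candidates(blob):
    """Every 4-byte-aligned little-endian word: a crude stand-in for the literal-pool
    values an IDA script would collect from the firmware's load instructions."""
    return [struct.unpack_from("<I", blob, i)[0] for i in range(0, len(blob) - 3, 4)]

def score_base(base, words, str_offs, size):
    """Count the words that point at a string start if the image is loaded at base."""
    return sum(1 for w in words if base <= w < base + size and (w - base) in str_offs)

def find_base(blob, candidates, min_len=10):
    """Brute force: the candidate base with the most string hits wins."""
    str_offs = set(string_offsets(blob, min_len))
    words = pointer_candidates(blob)
    scores = {base: score_base(base, words, str_offs, len(blob)) for base in candidates}
    best = max(scores, key=scores.get)
    return best, scores[best]

def build_sample(base=0x80010000):
    """Constructed stand-in for a firmware image: three NUL-terminated strings and a
    literal pool holding their absolute addresses for the given base."""
    img = bytearray(0x400)
    names = {0x100: b"AudioEngineStart", 0x140: b"AirTunesAuthFailed", 0x180: b"RAOPStreamOpen"}
    for off, s in names.items():
        img[off:off + len(s)] = s
    for i, off in enumerate(names):
        struct.pack_into("<I", img, 0x20 + 4 * i, base + off)
    struct.pack_into("<I", img, 0x40, 0xDEADBEEF)  # noise word that points nowhere
    return bytes(img)

if __name__ == "__main__":
    base, hits = find_base(build_sample(), range(0x80000000, 0x80100000, 0x10000))
    print(f"best base 0x{base:08X} with {hits} string hits")
```

On a real image the candidate range would be much wider and the word list would come from the disassembler's literal pools rather than every aligned word, but the scoring is the same.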
Here is a screen shot of the memory-offsets:


Here is a in-action screen shot of IDA:


I've done a good amount of reversing and everything is going well, still have no ETA on anything though. Subscribe to the blog or check back after the weekend if you are curious.

Tuesday, 23 February 2010

Reverse engineering the Airport Express Part 2

Part 1, Part 3


Yesterday I was analyzing my firmware-dump and I couldn't make sense of very much. One thing that got my attention was that scattered around the firmware-dump were a lot of 0xFF. I found a pattern, and I tried to convince myself that this was some sort of container or padding between important chunks of data. Then as the night approached BOOM, it hit me. The pattern was like this: 512 bytes of data, 16 bytes of 0xFF, 512 bytes of data and 16 bytes of 0xFF. This was significant and here is the problem/solution.

The flash chip, an AT45DB321B, is like a book with 8192 pages and 528 letters on each page. When I dumped it my program just read through the book carefully noting every letter. Now the Airport Express doesn't do it this way, the Airport just turns to the page it wants and reads what is needed (random access). Now there is one other limitation, the Airport Express doesn't read more than 512 letters from each page. This means that he doesn't care about the last 16 letters I have been carefully putting into my dump/analysis. I fixed this and my brute-force decompression-program (15 line python script) found both the bootloader and the main firmware. Their md5-sums are: ff4c561a6dcce8686749594d84ff4e7d and 7db70daf035f085eb455d8de3c2099fb. A guy named James seems to have done the deployment of this firmware :)
I think all that remains now is spending time with IDA Pro. I need to get a memory alignment as the start address of memory seems to be 0x8000000 + some offset.
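The problem/solution above, as an added example that is not the author's 15-line script: lay a compressed blob out in 528-byte pages with the 16 spare bytes set to 0xFF, show that a brute-force inflate over the raw page dump finds nothing, then strip the spare bytes and find the stream. zlib is assumed here as the container because the post does not say which compression the real firmware uses; the payload and the offset are constructed for the demonstration.

```python
import hashlib
import zlib

PAGE_SIZE = 528  # AT45DB321B page: 512 data bytes followed by 16 spare bytes
DATA_SIZE = 512
SPARE = PAGE_SIZE - DATA_SIZE

def spare_is_blank(dump):
    """Sanity check for the pattern in the post: every page's 16-byte tail is all 0xFF."""
    return all(dump[p + DATA_SIZE:p + PAGE_SIZE] == b"\xff" * SPARE
               for p in range(0, len(dump), PAGE_SIZE))

def strip_spare(dump):
    """Keep only the 512 bytes per page that the device actually reads."""
    if len(dump) % PAGE_SIZE:
        raise ValueError("dump is not a whole number of 528-byte pages")
    return b"".join(dump[p:p + DATA_SIZE] for p in range(0, len(dump), PAGE_SIZE))

def find_zlib_streams(data, min_out=64):
    """Try inflating at every offset that carries a zlib header and keep the streams
    that inflate to completion. zlib is an assumption: the post does not say which
    compression the real firmware uses."""
    found = []
    for i in range(len(data) - 1):
        if data[i] != 0x78 or data[i + 1] not in (0x01, 0x5E, 0x9C, 0xDA):
            continue
        d = zlib.decompressobj()
        try:
            out = d.decompress(data[i:])
        except zlib.error:
            continue
        if d.eof and len(out) >= min_out:
            found.append((i, out))
    return found

def build_sample_dump(payload, offset=700):
    """Constructed dump: the compressed payload placed at `offset` in the device's
    512-bytes-per-page view, then written out with 16 bytes of 0xFF after every page,
    which is what a linear read-out of the whole chip looks like."""
    flat = bytearray(offset) + zlib.compress(payload)
    flat += bytes(-len(flat) % DATA_SIZE)
    return b"".join(bytes(flat[p:p + DATA_SIZE]) + b"\xff" * SPARE
                    for p in range(0, len(flat), DATA_SIZE))

# Constructed payload: incompressible, so the compressed stream spans several pages
SAMPLE_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(60))
```

Run find_zlib_streams(build_sample_dump(SAMPLE_PAYLOAD)) to see the raw dump yield nothing, then find_zlib_streams(strip_spare(build_sample_dump(SAMPLE_PAYLOAD))) to get the stream back at offset 700.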

A screenshot of the strings-window in IDA Pro (strings used in the Airtunes authentication):


I really think this discovery makes for part 2 as I now am pretty sure the rest is doable, albeit time consuming.


PS. I had to replace every occurrence of dump with firmware-dump as the text became very questionable