Friday 17 April 2015

Upcycling an edit controller

Some time ago (2013!), I picked up an old Panasonic edit controller (VW-EC300) that no longer worked. This edit controller originally controlled  a couple of Panasonic VCR decks, and let you build up an edit list and write it out to videotape. These days, we tend to use computers rather than VCRs, so it's time to see if we can make it talk USB!

Wednesday 11 March 2015

Sunluxy DVR mkII - telnet & root password

Just a quick update on the Grain Media supplied firmware for the new Sunluxy DVR. Unsurprisingly for a cheap bit of kit like this, the security is rather wanting. Everything runs as root and of course telnet is available.

Escape character is '^]'.

GM login: root
Password:
Welcome to

    _____    __      ___       __     ___       _     _    _
   |  ___|  /  \    / __ \    /  \   |  _ \    /  \   \ \ / /
   | |___  / /\ \  | /__\ \  / /\ \  | | \ |  / /\ \   \ V /
   |  ___|| |__| | |  _   / | |__| | | | | | | |__| |   \ /
   | |    |  __  | | |  \ \ |  __  | | |_/ / |  __  |   | |
   |_|    |_|  |_| |_|   \_\|_|  |_| |___ /  |_|  |_|   |_|

For further information check:
http://www.faraday.com/


Sunday 1 March 2015

Sunluxy DVR mkII - quick firmware mod investigation

The last post in this series saw the firmware being dumped from the device. This post looks at the format of the data and some annoyances that were encountered while trying to write a modified image back to the device.

One of the first thing I tend to do whenever I'm investigating a file is to generate an entropy plot. This habit developed from years of reverse engineering malware samples where a simple entropy plot would give you a lot of information about the next steps you'd probably be taking. For instance, packed executables would look significantly different to non-packed samples and files with appended data (think self-extracting archives or tools such as AutoIT) would have the interesting functionality contained in appended data (data that resides outside of the section tables). These are just two basic examples, but I can't stress how useful these graphs can be.

Back to the task at hand, the dumped firmware. The entropy plot looks like this:


Saturday 28 February 2015

Reflashing an Intel Galileo

If you're the lucky owner of an Intel Galileo board then you'll probably know that the device has an 8MByte flash chip, which contains the BIOS and a Linux boot image (even the ones that MS shipped apparently). Sadly, it is possible to accidentally trash the contents of flash chip rendering the device unbootable. The good news is that it is possible to recover the device if you have hardware that talks SPI. That could be a BusPirate, a BusBlaster, a PICKit2 (Linux only) or one of the many FT2232 SPI or JTAG boards. 

Tuesday 17 February 2015

New Sunluxy DVR

A while ago I picked up a cheapo Sunluxy DVR but quickly discovered that it had a couple of nasty security issues. The device actually worked reasonably well as a DVR so I was keen to try and patch the issues by modifying the OS. Sunluxy didn't offer any firmware updates so modifying an existing update wasn't an option.

Cutting a long story short, I basically ended up breaking the device by manually writing to (apparently the wrong bit of) flash. U-boot is available so there is still a chance to recover the situation if I can find the correct flash image.