All posts by Kuba Tyszko

Hackaday Supercon 2022

Oh what a weekend it has been.

I not only attended the in-person Supercon (after 2 year of remoticon “hiatus”) but also had the pleasure to give a talk.
I submitted my proposal for a talk focused on my experience cracking encrypted software and to my surprise it got accepted.

I got the first slot on the small stage, Saturday, November 5th, 11 AM.

Judging by the audience, approximately 40-50 people decided it was worth showing up, which was beyond my expectations.

Image borrowed from Hackaday’s twitter: https://twitter.com/SupplyframeDL/status/1588956267275767808?s=20&t=2ErCvqoX56wDcHjO4Y_8sw

Silicon Graphics SGI Fuel ATX Power Supply converter boards – ordering information

Starting July 12th 2021, the PSU converter boards for SGI Fuel will no longer be available to order via eBay.
eBay has implemented some changes to their selling system that made it increasingly difficult to sell stuff, and despite my attempts to resolve it with their support – was unable to fix anything.

My boards are still in stock, available to order on Tindie:
https://www.tindie.com/products/kubatyszko/sgi-fuel-atx-power-supply-converter-new-version/

I also accept direct orders (it’s very easy to figure out how to contact me). Payment via PayPal or Credit Card via Stripe.

Thanks

NetBSD on Airport Express

Just stumbled on this article https://jcs.org/2018/06/12/airport_ssh and I just had to try it out on my Airport Express, even though the method was for the Extreme.
It worked like a charm, as easy as:

python -m acp -t 192.168.234.189 -p xxx --setprop dbug 0x3000
python -m acp -t 192.168.234.189 -p xxx --reboot

Dmesg:


ry = 49844 KB
mainbus0 (root)
cpu0 at mainbus0: Marvell 88F6183 rev 2 (ARMv5TE core) [88F6183 Rev 3]
cpu0: WB enabled EABT
cpu0: 32KB/32B 1-way Instruction cache
cpu0: 32KB/32B 4-way write-back Data cache
cpu0: This kernel does not fully support this CPU.
cpu0: Recompile with "options CPU_ARMV5TE" to correct this.
mbus0 at mainbus0 base 0xf1020000 irq 0: AHB to MBUS Bridge
mvaud0 at mbus0audio0 at mvaud0: full duplex, mmap, independent
mv_audiodec_init: bypassed
mvdevb0 at mbus0 target 1, irq 15: Device Bus
com0 at mvdevb0 offset 0x2000, irq 3: ns16550a, working fifo
com0: console
com1 at mvdevb0 offset 0x2100, irq 4: ns16550a, working fifo
mvtwsi0 at mvdevb0 offset 0x1000, irq 5: Two Wire Serial Interface
mvtwsi0: I2C clocked at 94.696 Khz
iic0 at mvtwsi0: I2C bus
stdflash_orion_match: flash width 4213/0
stdflash0 at mvdevb0 DevCS1: Onboard SPIBootFlash
this is a spansion part...we should check the spansion specific subid (6 entries)
FLASH look for .... 0) 1/2018/20/2018
FLASH look for .... 1) 1/2018/c2/2017
FLASH look for .... 2) 1/2018/c2/2018
FLASH look for .... 3) 1/2018/c2/2013
FLASH look for .... 4) 1/2018/ef/4018
FLASH look for .... 5) 1/2018/1/2018
FLASH SUPPORTED.... 1/2018/5/0
flash0 at stdflash0 00000000-00700000, untranslated, read/write
flash1 at stdflash0 00700000-00e00000, untranslated, read/write
flash2 at stdflash0 00e00000-00f40000, translated, read/write
flash3 at stdflash0 00f40000-00f80000, untranslated, read/write
flash4 at stdflash0 00f80000-01000000, untranslated, read/write
applgpio0 at mvdevb0 offset 0x0000GPIO_interrupt_pin_ex: flipping pin 17.
GPIO_interrupt_pin_ex: flipping pin 3.
(board-revision=-1)
mvgec0 at mbus0 target 7, irq 22: Gigabit Ethernet Global Controller
gec0 at mvgec0 unit 0, irq 18: Gigabit Ethernet Controller, Unit 0
gec0: MAC address: 00:16:cb:00:51:81
makphy0 at gec0 phy 8: Marvell 88E3016 Gigabit PHY, rev. 0
makphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
mvusb0 at mbus0 target 5, irq 16: ARC USB-HS Host/Device Controller
mvusb0: Core revision 4.0
ehci0 at mvusb0 irq 17, host mode: USB Host Controller
ehci0: EHCI version 1.0
usb0 at ehci0: USB revision 2.0, available bus power 500 mA
uhub0 at usb0
uhub0: ARC USB-HS Core EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
ehci0: self-powered device addr 1 (config 1) power 0 mA. Available power 500 mA (root)
uhub0: 1 port with 1 removable, self powered
mvpcie0 at mbus0 target 4, irq 10: PCI Express Controller
mvpcie_attach() - bus_num = 0, if_num = 0.
PEX0 interface detected Link X1
mvpcie0: INTn interrupting on irq 11
pci0 at mvpcie0 bus 0
pci0: i/o space, memory space enabled
mv0 at pci0 dev 1 function 0
mv0: interrupting at INTA
mv0: load firmware image (96740 bytes)
wlan: mac acl policy registered
mv0: 11a rates: 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
mv0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
mv0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
mv0: 11na MCS: 15Mbps 30Mbps 45Mbps 60Mbps 90Mbps 120Mbps 135Mbps 150Mbps 30Mbps 60Mbps 90Mbps 120Mbps 180Mbps 240Mbps 270Mbps 300Mbps
mv0: 11ng MCS: 15Mbps 30Mbps 45Mbps 60Mbps 90Mbps 120Mbps 135Mbps 150Mbps 30Mbps 60Mbps 90Mbps 120Mbps 180Mbps 240Mbps 270Mbps 300Mbps
mv0: versions [driver 0.8.7.0 hw 5 fw 3.7.2.2] (regioncode 16)
mv0: multi-bss support
mvidma0 at mbus0 target 6, irq 24: IDMA Controller
mvidma0: DMA Assist enabled for copyin/copyout and copy/zero page on channel 3
mvaud1 at mbus0 target 5audio1 at mvaud1: full duplex, mmap, independent
mv_audiodec_init: bypassed
clock: hz=100 stathz=0 profhz=0
md0: internal 10240 KB image area
IPsec: Initialized Security Association Processing.
boot device:
root on md0a dumps on md0b
root file system type: ffs
WARNING: no TOD clock present
WARNING: using filesystem time
WARNING: CHECK AND RESET THE DATE!

Filesystem:

Filesystem Size Used Avail Capacity Mounted on
/dev/md0a 9.7M 7.7M 2.0M 79% /
/dev/flash2a 1.1M 41K 1.0M 3% /mnt/Flash
mfs:141 15M 512B 14M 0% /mnt/Memory

Running processes (with airtunes enabled):

PID TTY STAT TIME COMMAND
0 ? DKs 0:00.01 [swapper]
1 ? Is 0:00.02 init
2 ? DK 0:05.30 [stdflash0]
3 ? DK 0:00.00 [usb0]
4 ? DK 0:00.00 [usbtask-hc]
5 ? DK 0:00.00 [usbtask-dr]
6 ? DK 0:00.01 [pagedaemon]
7 ? DK 0:00.04 [ioflush]
8 ? DK 0:00.01 [aiodoned]
9 ? DK 0:00.01 [sfdaemon]
18 ? DK 0:00.02 [physiod]
96 ? Ia 0:00.03 /sbin/sntpd -client=time.apple.com
97 ? I 0:00.35 /sbin/wpa_supplicant -K -M -F /var/log/hostap_wlan1.log -D net80211 -i wlan1 -c /etc/hostap_wlan1.conf
99 ? I 0:00.01 /sbin/iCloudd
141 ? Ss 0:00.03 mount_mfs -s 32768 swap /mnt/Memory
164 ? Ia 0:00.02 /sbin/airtunesd -i bridge0
175 ? Is 0:00.00 /usr/sbin/inetd -l
183 ? Is 0:00.01 /usr/sbin/cron
245 ? Sa 0:01.54 /sbin/mDNSResponder -d
253 ? I 0:00.74 /usr/sbin/sshd -D -e
271 ? Ss 0:00.87 sshd: root@ttyp0
415 ? I 0:00.03 /sbin/link_local bridge0
467 ? I 0:00.04 /sbin/dhclient -q -d
505 ? I 0:00.06 /sbin/snmpd -f -DALL -c /etc/snmpd.conf -p /var/run/snmpd.pid
539 ? Ia 0:00.22 /sbin/printd -i -d local.
604 ttyp0 R+ 0:00.00 ps -ax
627 ttyp0 Ss 0:00.05 -sh
94 tty00- S 0:00.06 svscan /var/sv
107 tty00- Ia 0:08.53 /sbin/ACPd -nofork
108 tty00- I 0:00.02 supervise dnscache
110 tty00- I 0:00.01 supervise walldns
112 tty00- I 0:00.01 supervise log
113 tty00- I 0:00.01 supervise log
116 tty00- I 0:00.01 cat -
118 tty00- I 0:00.02 cat -
184 tty00 Is+ 0:00.04 -sh
186 tty01 Is+ 0:00.05 -sh

It runs SNMP daemon:

snmpwalk -c public 192.168.234.189| head

SNMPv2-MIB::sysDescr.0 = STRING: Apple AirPort - Apple Inc., 2006-2012. All rights Reserved.
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.255
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (2064754916) 238 days, 23:25:49.16
SNMPv2-MIB::sysContact.0 = STRING: default_user@contact.domain
SNMPv2-MIB::sysName.0 = STRING: airport-express
SNMPv2-MIB::sysLocation.0 = STRING: defaultlocation
SNMPv2-MIB::sysServices.0 = INTEGER: 12
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (3) 0:00:00.03
SNMPv2-MIB::sysORID.1 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.2 = OID: TCP-MIB::tcpMIB

It seems to have racoon installed, pppoe.
PF is enabled by default:

airport-express# pfctl -s all
FILTER RULES:
block drop all
pass on lo0 all flags S/SA keep state
pass out proto tcp from any to any port = domain flags S/SA keep state
pass out proto udp from any to any port = domain keep state
pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass out inet6 proto ipv6-icmp all icmp6-type routersol keep state
pass in inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
pass in inet6 proto ipv6-icmp all icmp6-type routeradv keep state
pass out inet proto icmp all icmp-type echoreq keep state
No queue in use

Interesting huh?

IPsec (OSX to Linux) with Certificates

Got around to setting up IPSec between my OSX and Linux server, it worked just fine with PSK (pre-shared key), but failed when using certificates, the error on the server side was:

generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]

I enabled debugging of racoon on OSX (add the 2 lines to file /etc/racoon/racoon.conf)

log debug;
path logfile "/var/log/racoon.log”;

and got:

Jul  3 10:33:48  racoon[19904] : created CERT payload
Jul  3 10:33:48  racoon[19904] : use ID type of DER_ASN1_DN09000000 3032310b 30090603 55040613 02504c31 0d300b06 0355040a 13044b75
62613114 30120603 55040313 0b4b7562 61206950 686f6e65
Jul  3 10:33:48  racoon[19904] : hmac(hmac_sha2_256)
Jul  3 10:33:48  racoon[19904] : error -25308 errSecInteractionNotAllowed.
Jul  3 10:33:48  racoon[19904] : failed to sign.
Jul  3 10:33:48  racoon[19904] : failed to get sign
Jul  3 10:33:48  racoon[19904] : failed to allocate send buffer
Jul  3 10:33:48  racoon[19904] : IKE Packet: transmit failed. (Initiator, Main-Mode Message 5).
Jul  3 10:33:48  racoon[19904] : sending vpn_control ike failed message - code=65535  from=local.
Jul  3 10:33:48  racoon[19904] : failed to process packet.
Jul  3 10:33:48  racoon[19904] : Phase 1 negotiation failed.

The error seemed to indicate issues signing the message, so I started poking around, and realised that racoon may simply have no permissions to my private key, the fix was easy:

in Keychain Access, find the private key portion of your certificate, double click on the private key and in the “Access Control” tab, add a new application to the permission list, you may need to press Command+Shift+G to open “go to location”, enter “/usr/sbin” and then find a “racoon” binary.

Save and you should be good to go.