Bored Pentester

A collection of spare time spent reverse engineering, hardware hacking and conducting vulnerability research.

30th June 2023 / Reverse Engineering

Retreading The AMLogic A113X TrustZone Exploit Process

Back in December 2022, Blasty published his research titled ‘Dumping the Amlogic A113X Bootrom’. Feeling inspired, and having a keen interest in embedded device security testing, secure boot and TrustZone research, I thought it might be fun to follow along with his research and document my own process. My hope is that this blog post …

Continue Reading
20th March 2024 / Reverse Engineering

Rooting a Hive Camera

In this blog post, I’ll be looking at the security of a discontinued Hive camera, the HCI002UK. I’ll be focusing on a (now) known vulnerability that required authentication to exploit, but resulted in root access to the device. The vulnerability wasn’t known to me during the analysis, but looking it up in hindsight, it appears …

Continue Reading
1st June 2024 / Uncategorised

Smart Doorbell Security (Part 5) (LiteOS analysis)

In the previous part of this series, we analysed the bootloader of the device in order to understand whether the compression in use was trivial. We concluded it appeared to take place in hardware and as such, we didn’t have visibility of its underlying workings. This post intends to analyse the firmware of the device …

Continue Reading
1st June 2024 / Uncategorised

Smart Doorbell Security (Part 4) (Bootloader analysis)

Analysing the bootloader. This part of our series intends to inspect the U-Boot bootloader in use by the device in order to understand the firmware decoding routine. It should be noted that I wasn’t able to gain a full understanding of the decoding procedure, as this operation seems to have been delegated to hardware; nevertheless, …

Continue Reading
1st June 2024 / Uncategorised

Smart Doorbell Security (Part 3) (Wireless credential theft)

Device overview. Previously, we looked at one facet of the software that was used to communicate with our device, focusing specifically on the security authentication and pairing mechanisms, as well as the protocol. In this part, we’ll tear down the device and review the hardware and exposed test ports. Hardware inspection. Opening up the device, …

Continue Reading
1st June 2024 / Uncategorised

Smart Doorbell Security (Part 2) (Client credential theft)

Previously, we threat modelled the device and highlighted some primary concerns where I wanted assurance. In this part, we intend to inspect the protocol, authentication and pairing mechanism employed by the application and device. The pairing mechanism The doorbell’s pairing and authentication mechanisms are fairly odd, but not uncommon. For the initial pairing, the device’s …

Continue Reading
1st June 2024 / Reverse Engineering

Smart Doorbell Security (Part 1) (Threat modelling)

Having acquired a ‘smart’ doorbell, I wanted to assess whether it was safe for general usage. This series will detail my analysis of the device and its security controls. I do not intend this article to cover all areas of the device’s security, but rather a focused review on key areas of interest (to me). …

Continue Reading
25th October 2018 / Reverse Engineering

Reversing ESP8266 Firmware (Part 6)

At this point we’re actually reversing ESP8266 firmware to understand the functionality; specifically, we’d like to understand what the loop function does, which is the main entry point once booted. Reversing the loop function. I’ve analysed and commented the assembly below to detail guessed ports, functions and hostnames: From the above, we’ve determined that: Is …

Continue Reading
25th October 2018 / Reverse Engineering

Reversing ESP8266 Firmware (Part 5)

Recognising VTABLEs. After analysing our firmware image to some degree, it becomes clear that vtables are in use. A VTABLE in this context is essentially a collection of function pointers for each module of the application’s libraries. We can see that each library’s function pointers are delimited by three null bytes, represented as the below for …

Continue Reading
25th October 2018 / Reverse Engineering

Reversing ESP8266 Firmware (Part 4)

Writing an IDA loader. So, why a loader? The main reason was that I wanted something I could re-use when reversing future ESP8266 firmware dumps. Our loader will be quite simple. IDA loaders typically define the following functions: The first is responsible for identifying an applicable file, based on its signature, and is executed when …

Continue Reading