A collection of spare time spent reverse engineering, hardware hacking and conducting vulnerability research.
Taking apart security systems for fun and education.
I spent the last few months researching Lexmark’s printer for this year’s Pwn2Own Ireland 2025. Unfortunately, my bug got patched out a week before the competition, so I thought it might be fun to write it up early! We’ll tear down the pagemaker, discuss some memory corruption strategies and talk about some of the challenges …
Back in December 2022, Blasty published his research titled ‘Dumping the Amlogic A113X Bootrom‘. Feeling inspired, and having a keen interest in embedded device security testing, secure boot and Trustzone research, I thought it might be fun to follow along with his research and document my own process. My hope is that this blog post …
In this blog post, I’ll be looking at the security of a discontinued Hive camera, the HCI002UK. I’ll be focusing on a (now) known vulnerability that required authentication to exploit, but resulted in root access to the device. The vulnerability wasn’t known to me during the analysis, but looking it up in hindsight, it appears …
Having acquired a ‘smart’ doorbell, I wanted to assess whether it was safe for general usage. This series will detail my analysis of the device and its security controls. I do not intend this article to cover all areas of the device’s security, but rather a focused review on key areas of interest (to me). …
At this point we’re actually reversing ESP8266 firmware to understand the functionality, specifically, we’d like to understand what the loop function does, which is the main entry point once booted. Reversing the loop function I’ve analysed and commented the assembly below to detail guessed ports, functions and hostnames: From the above, we’ve determined that: Is …
Recognising VTABLE’s After analysing our firmware image to some degree, it becomes clear that vtables are in use. A VTABLE in this context is essentially a collection of function pointers per each module of the application’s libraries. We can see that each library’s function pointers are delimited by three nullbytes, represented as the below for …
Writing an IDA loader So, why a loader? The main reason was that I wanted something I could re-use when reversing future ESP8266 firmware dumps. Our loader will be quite simple. IDA loaders typically define the following functions: The first is responsible for identifying an applicable file, based on its signature and is executed when …
What is it? So, what is the ESP8266? Wikipedia describes it as follows: The ESP8266 is a low-cost Wi-Fi microchip with full TCP/IP stack and microcontroller capability produced by Shanghai-based Chinese manufacturer, Espressif Systems. Moreover, Wikipedia alludes to the processor specifics: Processor: L106 32-bit RISC microprocessor core based on the Tensilica Xtensa Diamond Standard 106Micro …
Initial analysis As with any unknown binary, our initial analysis will help to uncover any strings that may allude to what we’re looking at, as well as any signatures within the file that could present a point of further analysis. Lastly, we want to look at the hexadecimal representation of the file, in order to …
During my time with Cisco Portcullis, I wanted to learn more about reverse engineering embedded device firmware. This six-part series was written both during my time with Cisco Portcullis, as well in my spare time (if the tagline of this blog didn’t give that away). This series intends to detail my analysis of an embedded …