Posts
Undocumented Fastboot Oem Commands
Introduction
Printers are cool because they are, but I have friends who remind me at least weekly that hacking a printer is not useful. Every time it’s mostly the same thing all over again: find a 1990-style bug, write a stupid script, done. Some months ago, I started a new project, a wild ride inside Google’s humongous codebase. While most of Google’s code, especially Android, is open source, some parts are not.
QEMU IOCTL Hooks
Introduction
In the last post, we saw that nwsoc was dying in pain because it relied on some weird IOCTLs. If we were, hypothetically, developing an exploit to pwn the office printer (to print some sick memes, of course), we would now have a problem. We need nwsoc because it has some network interfaces exposed, but we can’t fuzz it because it relies on some data from the kernel (e.g., ink levels).
Epson Printer Daemon under QEMU
Why
Because it’s fun and because I believe in the motto hack dumb shit
What
In the last post I mentioned that nwsoc dies in pain if its kernel module is not supplied. The scope of this article is to give a brief overview of two things:
- Running a dynamic binary compiled for Arm that doesn’t use glibc
- Hooking function calls in a binary using LD_PRELOAD
Different LibC
Computers are complex.
Epson Printer Reversing
Why
Don’t be my parents. I like printers. There’s nothing bad about it.
Extraction
At first glance two big sections are used. They both start with CROM.
The image contains a uboot image, a Linux kernel and two squashfs partitions: one contains the rootfs, the other contains the Epson proprietary module and maybe a daemon.
Early analysis suggests that the kernel calls /root/PreBoot. After initializing the system, /root/PreBoot calls S99NWControl. S99NWControl seems to be the control script for the low-level daemon.
Add Custom IOCTL to QEMU
Introduction
In this post I’ll try to explain how to add unsupported system calls to QEMU user.
The first part gives a bit of high-level context, answering the question "why are you doing this?". The second part is about the system call that was missing and that will be implemented. The third part is about toolchains and development environments, or more specifically how to set up an efficient workspace to experiment with QEMU.