Andy

@G33KatWork@infosec.exchange
893 Followers
539 Following
3.8K Posts

I like computering. Doing security research at Rapid7 Labs.

This is a professional account. Used to play a lot of CTF with @EatSleepPwnRpt and @StratumAuhuur

Location: Aachen, Germany
Blog: https://www.geekatwork.de
🥳

I took some Christmas holidays and hacked on my KNX stack over the last week. Among a few other things I had an LLM vibe-code a conformance test runner for my KNX stack. The tests are all available in the specification itself, so you can just implement all of them yourself. These tests are also run if you want to officially certify a device or device stack by a test lab. That means passing these tests ensures that you are 100% conformant with the spec. At least if you trust them to cover every single edge case.
Normally you are expected to buy the "EITT" from the KNX association which is the software that implements all these tests and executes them against physical devices. For that you need to be a member of the association and I heard it's not cheap, so fuck that!

It spawns my stack with a mock device and a data link layer that offers transmit and receive queues to the test runner and then executes the specified tests.

Slowly but surely we are getting close to passing all tests for the network layer and transport layer. This includes the connection state machine in the transport layer.

Boy, I am hyped! Once the last five missing transport layer tests are passing, the next task is to add more tests for the application layer, management tasks and group object communication. The latter is already fully implemented and the device management partly.

I can't wait to get this thing done.

Well, that was actually quick!

edit: Lol! Even the DVI output works!
I just need to give it the right environment or load the MAC address from the SPI flash where the CE loader config is stored. It's confused right now.

HALLELUJAH! It's finally saying "HI" on the debug UART.

Turns out they disable the MMU right before they jump into your code. All the addresses inside of the NK.bin however are virtual. That was confusing as fuck and I constantly linked my code to the wrong address.

Also I didn't know which UART of the five available I was hooked up to. I found a little bootloader shell in the original CE loader that let me peek into device registers, so I just checked out which had the right bits in their registers set so they do something. Turns out it was UART4.

Anyway, got code execution. Almost done, u-boot is next. Or as we say in German: "Reinstes Kuchenblech! Der Tresor ist so gut wie offen." (roughly: "Total piece of cake! The safe is as good as open.")

👀 ⚡

(The PA9/10 labels are not aligned with the others... already fixed.)

The German landing page about the AWS VPN is very finished 👌

Made leaps of progress in my KNXnet/IP implementation today. Turns out the IP part of KNX is something like its own protocol stack that you place before your real protocol stack <insert image of Xzibit here>.

I now have basic infrastructure like a packet buffer allocator, parsing and serialization functions for the first few discovery packets and substructures contained within, infrastructure for subservers that later allow for Routing, Tunneling, Device Discovery etc., a discovery server that makes my test device already pop up in the ETS, a socket endpoint manager that takes registrations on different endpoints (Unicast, Multicast and/or Broadcasts) from subservers, deduplicates them, opens sockets and then dispatches arriving messages to the appropriate subserver that registered interest to the specific message type we just received. That is JUST the IP part! And only UDP for now, TCP will come later where applicable.

On the KNX side I already have table management and a completely working application, connectionless transport and network layer for a simple device. That means no routing in the network layer for now.

So now, I "only" need to implement a routing server and theoretically I could then read, write and update communication objects using group addresses remotely from other devices on a real KNX installation like my house. All the config like the address and association tables are completely static and need to be built by hand in a JSON file for now, because nothing that would allow device management is implemented yet.

For the whole ETS device management stuff, more is missing like the stateful connected transport layer and all the management server stuff, but that will come later.

That was A LOT of work. Especially because it's all no_std, no alloc, async Rust. I like pain. 🥵

😳

I need a Rust borrow checker version.

"Don't lecture me on jurisdiction, Lieutenant! I wrote a book about space... jurisdiction. And I am known for my dic(k)tion!"

I love everything about this. (SNW S03E04)

The printer is printing better and better. This is the electronics enclosure for the main controller that will be slapped on the other side like the PSU.