hightech lowlife
free hax https://haxx.in/
ready for Operation Triangulation in saal 1 #37c3
New blog post is up! Dumping the AMLogic A113X/A113D BootROM (and eFUSE/OTP data): https://haxx.in/posts/dumping-the-amlogic-a113x-bootrom/
Dumping the Amlogic A113X Bootrom

In this post we will exploit a memory corruption issue in AMLogic EL3 code that is used by various consumer devices like the Sonos One (2nd generation) and the Lenovo Smart Clock. The goal is to get a copy of the OTP/eFUSE data and dump out the code for the application processor BootROM.

Lexmark published an advisory in response to my work: https://publications.lexmark.com/publications/security-alerts/CVE-2023-23560.pdf -- apparently it affects ~130 of their printer models, not a bad haul! *pats himself on the back* 🤣 Only took them 13 days to come up with a response/fix; irresponsible disclosure works!

Finally put together a full writeup about wInd3x, the iPod Nano 5G bootrom vulnerability I discovered and exploited last year:

https://q3k.org/wInd3x.html


Decided to publish the Lexmark printer exploit + writeup + tools instead of sell it for peanuts. 0day at the time of writing: https://github.com/blasty/lexmark -- enjoy!

Got quite a few questions about the post-exploitation payload for the printer(s), here is the code: https://github.com/blasty/printer-cracktro

It even runs in the browser thanks to the power of Emscripten/WASM: https://haxx.in/files/canon_wasm.html

While @bl4sty only scored a COLLISION (non-unique bug) - Peter definitely gets a boatload of STYLE POINTS for this hack on a Canon printer @ #P2OToronto #Pwn2Own
t00t t00t.