hightech lowlife
free hax https://haxx.in/
@lordgaav Sorry, totally missed this message! I do not. Documentation says those are protected by a unique password though? (https://docs.fortinet.com/document/fortimanager/7.4.3/administration-guide/112240/backing-up-the-system)
Backing up the system | Administration Guide

ready for Operation Triangulation in saal 1 #37c3
@ddlyh @raptor hah, which ISP is that if you don't mind disclosing? ;)
New blog post is up! Dumping the AMLogic A113X/A113D BootROM (and eFUSE/OTP data): https://haxx.in/posts/dumping-the-amlogic-a113x-bootrom/
Dumping the Amlogic A113X Bootrom

In this post we will exploit a memory corruption issue in AMLogic EL3 code that is used by various consumer devices like the Sonos One (2nd generation) and the Lenovo Smart Clock. The goal is to get a copy of the OTP/eFUSE data and dump out the code for the application processor BootROM.

Lexmark published an advisory in response to my work: https://publications.lexmark.com/publications/security-alerts/CVE-2023-23560.pdf -- apparently it affects ~130 of their printer models, not a bad haul! *pats himself on the back* 🤣 Only took them 13 days to come up with a response/fix; irresponsible disclosure works!

Finally put together a full writeup about wInd3x, the iPod Nano 5G bootrom vulnerability I discovered and exploited last year:

https://q3k.org/wInd3x.html

wInd3x, the iPod Bootrom exploit 10 years too late | q3k writes

Decided to publish the Lexmark printer exploit + writeup + tools instead of selling it for peanuts. 0day at the time of writing: https://github.com/blasty/lexmark -- enjoy!
@G33KatWork @swapgs this is a universal disclaimer actually that I should add to any working directory I push to github

Got quite a few questions about the post-exploitation payload for the printer(s), here is the code: https://github.com/blasty/printer-cracktro

It even runs in the browser thanks to the power of Emscripten/WASM: https://haxx.in/files/canon_wasm.html
