That really only happens to me: I am still doing some carnival-event-related things in my hometown. Last week the owner of the company contracted for stage audio and lighting approached me (he's been doing that for years and we know each other from these events) and told me he recently wanted to buy a single photo printer and found one on a surplus auction website. What he didn't realize was that he had ordered a whole pallet of these fucking things for less than 200€.

Now he sits on a bunch of these printers, but the catch is they are an OEM variant and the media kits (paper and ink essentially) are differently coded and incompatible between the OEM version he has and the original. Theory is it's all just software enforcing that as usual. He has a firmware updater containing the original firmware, but the updater refuses to install it.

Me: "Can't be that hard to convince the thing otherwise"
Him: "Okay, I'll get you one next week if you want"

Now I have one of these printers in the back of my car. Dude knew exactly how to nerd-snipe me and I'm not even mad.

I just asked him for the original firmware. He downloaded it on his phone, extracted the Zip and I saw a ".S" file next to the exe that is the updater. In the preview on the iPhone the file format looked familiar.

Me: "Can you open that file there? Oh look! That's a Motorola S-Record file! And that's most likely the firmware. And you see these patterns all over the place? It's not even encrypted..."
Him: "What the fuck?"

He also got me two weird Intel Atom kiosk PCs with an 11-inch touchscreen in the front: "Oh, these are terminals that are usually connected to these printers in shops where you can have your pictures printed. I thought you might have some use for them, so I brought you two as well. I paid about 0,70€ per box, just take them"

🤷‍♂️

Large language models don't just make mistakes and hallucinate; they are a new form of esotericism or superstition. Their use is simply incompatible with rationality.

https://chatgpt.com/g/g-eBazvNcPn-handwriting-analysis

ChatGPT - Handwriting Analysis

Analyzes your handwriting for personality traits, strengths, and blind-spots


Okay, STM32. RDP1 protected, which means I have access to the BootROM in a limited fashion and could potentially glitch the flash content out of it as usual by triggering a flash memory read in the boot ROM via UART, CAN or whatever other interface I want to use and glitching the RDP check.

The problem is, you only get 256 bytes per glitch back from the ROM, so you need to land a lot of glitches to extract the whole flash.
The STM32s have the nasty tendency to flip even more protection bits or trigger a full chip erase when you don't land a glitch perfectly, which turns landing a lot of glitches until you have extracted the flash into a pretty exciting process.

I just dumped a ROM from an F7 and threw it into IDA. While reverse engineering, I got another idea: There is a write memory command. This not only allows writing to flash, but also to SRAM in case the chip is unlocked.
There is also a Go command which sets SP and jumps to code you point it at. Also only if you are unprotected.

Why did nobody glitch these two commands yet? First try to get some payload into SRAM using the memory write cmd, then once this succeeded, glitch the Go command until your payload is executed. Your payload then just dumps the flash to UART. I can squeeze that into 256 bytes, so there are only TWO glitches I need to land.

Am I missing something why this wouldn't work? Code running from SRAM can access flash even when RDP1 is set, right? RDP1 just causes the flash to be locked after a JTAG probe attach. So that should work.

I also have multiple tries when doing this. I would glitch it continuously without resetting it (as long as it survives the glitches) when hitting the read command, so that is not a problem either: just get the payload into the chip, then hammer the Go command with glitches until it jumps.

Why did nobody document this approach yet?

/cc @stacksmashing any thoughts?

Press releases

Due to an internal event, the staff of the Housing Placement and Housing Entitlement Certificate team in the city's Department of Housing, Social Affairs and Integration will be unavailable all day on Tuesday, 14 April. Urgent enquiries can be submitted to [email protected]. Likewise, the Housing Supervision office will be unavailable on Wednesday, 15 April, due to an internal event. Citizens can submit urgent enquiries via [email protected].

Stadt Aachen

Today I have a more serious topic than usual, please consider reposting for reach:

My wife and I are urgently looking for a specialist in neuropediatrics or a similar field for our autistic child with a diagnosed, but not further specified, movement disorder (myoclonus and/or spasms) to finally find a cause and, above all, an effective therapy. The symptoms have been bothering our son ever since he was born, now for more than nine years, seriously affecting his sleep. The usual processes and medical contact points have unfortunately failed us and he seems stuck in this condition.

We're based in Berlin, Germany, but we'd be grateful for really any contact with a specialist who would be willing to take on this case!

To reach us, you can DM me or contact us via email at [email protected]

If you frequently consume content from someone you like, just tell them, unexpectedly and unprompted. As a content creator, I know that this can put you in an incredibly good mood. And equally, never getting any feedback can create a feeling of insignificance.
I mean above all smaller content creators, not people who do this full-time anyway.
Edit: Please RT. Far more people should know this than I alone can reach.
There's just too much truth in there
https://www.youtube.com/watch?v=rXPpkzdS-q4
Interview with Senior DevOps engineer 2025

Fucking computers, man

🚨 Our new blog post about Windows CVE-2025-33073 which we discovered is live:

🪞The Reflective Kerberos Relay Attack - Remote privilege escalation from low-priv user to SYSTEM with RCE by applying a long forgotten NTLM relay technique to Kerberos:

https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/

A Look in the Mirror - The Reflective Kerberos Relay Attack

It is a sad truth in IT security that some vulnerabilities never quite want to die and time and time again, vulnerabilities that have long been fixed get revived and come right back at you. While researching relay attacks, the bane of Active …

📰 We can recommend last week's blog post about Windows authentication coercion 🔑🔫 as preparation for the upcoming post:
https://blog.redteam-pentesting.de/2025/windows-coercion/
The Ultimate Guide to Windows Coercion Techniques in 2025

Windows authentication coercion often feels like a magic bullet against the average Active Directory. With any old low-privileged account, it usually allows us to gain full administrative access to almost arbitrary Windows workstations and servers, …
