launchdaemon

@launchdaemon@infosec.exchange
Mostly interested in mobile security/ malware/ reversing, coffee and burritos.
Twitter: https://twitter.com/launchdaemon

This week i had a couple of conversations about #Gaza with well-meaning, nice people in which it transpired that they still knew virtually nothing about things that happened before Oct 7.

This factsheet, by the Independent Jewish Voice of Canada, gives a really good overview.

Let’s keep on sharing and informing others. So many here in Europe continue to know very little.

https://www.ijvcanada.org/in-the-week-before-october-7-2023-ijv-factsheet/

@micchiato

schrödinger's trans woman:

- both physically stronger than every cis woman and also physically incapable of serving alongside men and women in the military

- both mentally superior to cis women and also mentally unfit for duty in the armed forces due to debilitating mental illness

- both easily identifiable on sight by any layperson and also capable of infiltrating cis women's spaces unless prevented by professional genital checks and blood work

Seriously though, who looks at websites, noted for not being able to safely hang onto the already over the top volumes of personal information they collect unnecessarily, and says, “you know what these people need? a copy of everyone's government issued ID.”
took a gamble on an untested lenovo yoga 11 (armv7 nt convertible laptop)

first time i dumped a VMK via windows boot environment exploits on real hardware!
Reform managing to lose nine of its councillors to ineptitude and outbursts of hate speech. They are en route for implosion at a rate of knots and will hopefully no longer be a going concern by next election. https://hopenothate.org.uk/2025/06/13/dropping-like-flies-reform-loses-nine-councillors-in-six-weeks/

when reverse-engineering embedded devices, i like to make these overlays

to make one yourself, open the datasheet screenshot in gimp, use "select by color" on the _black_ (this is important), grow the border by 1-3 px, copy the selection, paste onto a photo, and use universal transform until it matches

I simply do not concede that any of your cookie vendors' interests are legitimate.
I don’t know who to credit for this, but it’s beautiful
Best comeback of the year. The Polish foreign minister waited three months to deliver this beautiful gem.

I am reading the Cursor forums and github issues and this shit is so funny.

bug report: cursor can access my .env file even though it's explicitly not allowed to because it also is given arbitrary use of a shell, and it just grep'd my API key and used cURL rather than calling the script i told it to call

https://github.com/getcursor/cursor/issues/2546


i played myself, the firmware doesn't actually use the SDMMC1 peripheral except to enable its power :/

and i'm fairly sure it's not being used with the SPI peripheral either, given PC8 is connected to DAT0/MISO

i've never seen resistor markings like this

are these jumpers?

i'm going to make a bet that nobody has tried to reverse-engineer Thumb code with VFP instructions in Binary Ninja before

i opened one trivial function and immediately found three bugs, one of which is a show-stopper

https://github.com/Vector35/binaryninja-api/issues/6945
https://github.com/Vector35/binaryninja-api/issues/6946
https://github.com/Vector35/binaryninja-api/issues/6947

implemented a glasgow applet for sniffing conversations over UART with accurate sequencing; this will be used for finding out how the MCU talks to the GPS module

https://github.com/GlasgowEmbedded/glasgow/pull/899

Add an UART sniffer applet by whitequark · Pull Request #899 · GlasgowEmbedded/glasgow

On the command line this applet admits only two channels, rx and tx, but when UARTAnalyzerInterface is used directly, up to 64 channels may be used.


just realized that i can't exactly expect this device to work as intended right now, because it doesn't have its IMU

and it needs an IMU, alongside GPS, to know where it is

using the new `uart-analyzer` applet i have obtained the exchange between the MCU and the GNSS module. it is a binary stream in a format unknown to me. for obvious reasons i will not be posting a screenshot of it

of _course_ this device pair is being annoying and switching UART speed at runtime

i didn't implement autobaud in the uart-analyzer applet because i thought it 'would not be that important'. agh

adding proper autobaud is fairly tricky for the analyzer, but i did at least add per-channel baud (i.e. you can have different baud rates for RX and TX)

an online ublox protocol decoder (implemented e.g. as a script) could promptly switch baud rates when it observes a command to do so

i've reverse-engineered the entire state machine in the firmware. it only parses three messages! these are:

UBX-NAV-PVT
UBX-NAV-SOL
UBX-NAV-SAT

once again, the firmware is... simple. every part i can understand does exactly one thing, in the most uncomplicated way possible

i think this has a buffer overflow

yeah, it reads data from the GNSS module into a preallocated buffer that has space for about 32 satellites (i'm not clear on how many exactly but definitely not more than that)

the GNSS module has 72 channels

... i think this is technically a 0day?..

so, after close examination, i think the device currently in my hands isn't an autopilot or the like. its job is solely to grab a stream of radio frequency data from a CRPA, to do some form of processing on it, and to spit it out in form of a rapid (saturating the UART) stream of telemetry somewhere else (after combining with IMU data)

apparently there are raspberry pis involved at one stage

i feel like after seeing raspberry pis in loitering munitions i can pack my embedded career up. there's nothing more to be seen at this point
reportedly the actual autopilot role is taken up by multiple TMS320's and i have absolutely no desire to stare at TMS320 assembly. bizarre choice of device to design in
@whitequark TMS320s are all over the place in western munitions too. Not surprised in the slightest
@azonenberg apparently russia has cloned TMS320's long ago but... they don't use the clones? they use actual western TI TMS320's? they don't even come in the same package??
@whitequark probably easier to find in a dumpster in guangzhou? lol
@azonenberg yeah I suppose in the same dumpster they get AD and ublox parts
@whitequark @azonenberg and judging by the photos, the u-blox parts definitely came out of a dumpster because it’s missing the RF shield
@jpm @azonenberg there are many examples with shields, i think this happened somewhere in my 'supply chain'
CLM320VC5402PGE100 | CHIPLON | Price | In Stock | LCSC Electronics

CLM320VC5402PGE100 by CHIPLON - In-stock components at LCSC. Price from $11.2398. Free access CLM320VC5402PGE100 datasheet, Package, pinout diagrams, and BOM tools.

@r @azonenberg nothing cloned here

@whitequark @azonenberg oh wow, something about this feels *very* "familiar" and not at all like what we expected a weapon to look like

other than the chonky connectors, it feels like any other bit of standard industrial kit (esp. something about the large ugly fiducials and the pile of "QC passed" stickers)

@whitequark I wrote a lot of C5000 assembly (and a bit of C6000) and I enjoyed it quite a bit! Yeah, I'm dumb 😅

@whitequark You might have seen this already. I think it's the same part you are looking at, plus some more, and there is definitely a Pi-like board there.

https://www.ebay.com/itm/256969053946?

Edit (Pi-like, I think the color of those USB's is a bit off)

@whitequark what would be the correct way to responsibly disclose this (to the SBU)

@rcombs beats me

but i also would expect the SBU to know basic shit like this already. to the best of my knowledge the devices i have are of little operational interest, Ukrainian electronic warfare is far ahead of what these devices can tolerate

@rcombs @whitequark This is a good example of why I don't like the term "responsible disclosure".
@whitequark
Is it one a few ukrainians might be interested in being tagged into this thread, or are we assuming they are already reading it with interest?
@maswan i honestly have no idea and don't want to be presumptuous

@whitequark Yeah, it's tricky, and hard to know if it is old stuff to the people really working on this in UA.

But on the other hand if there is even a 5% chance that this could be a useful way of disabling hundreds of drones, it would be nice if they got it sooner rather than later.

@maswan i'm almost completely certain that this would add nothing over the existing EW efforts even if you somehow got the entire chain to work
@whitequark weapon 0day exploit development 😏
@whitequark *giggle*

@whitequark

UBX-NAV-PVT length = 92 bytes
UBX-NAV-SOL length = 52 bytes
UBX-NAV-SAT length = how many satellites can you see right now?

@jpm @whitequark I wonder what happens if you give the GPS receiver signals from too many satellites (well, pretend satellites ideally). There is likely some limit (possibly implemented safely) in the GPS firmware but it may still be higher than the length of this buffer...

@chrisgj198 @jpm it overflows the buffer

i don't know how long it is exactly because it appears to never check the buffer but it's like half the module channel count

@whitequark @jpm I hope something important is right after this buffer then. A suitable GNSS simulator might be quite easy to make if the bitstream could be pre-computed and just played back into a mixer with appropriate LO.

@chrisgj198 @jpm i could also just feed it the ublox binary messages; same result for less effort (with the caveat that i don't know if the ublox module will actually emit such long messages in any practical environment)

i _really_ don't want to mess with GNSS signals too much, since if they leak i'll get a not-so-friendly visit from Ofcom and it'll be 100% deserved

@whitequark @jpm I was more thinking of how it would behave in its natural habitat, where the serial port is inaccessible. I agree that during investigations you should limit the power of any transmissions such that nobody else notices them.
@chrisgj198 @jpm my understanding (based on talking to someone who worked with GNSS emulators) is that it's particularly difficult to limit the power of GNSS transmissions, seeing as receivers will pull them from well below the thermal noise floor
@whitequark @jpm True, but the inverse square law is pretty effective, if you don't vastly exceed the power that you need. Maybe attenuating one of the signals *before* mixing would give more certainty that the signal that you don't want to escape doesn't exist anywhere at high power.
@chrisgj198 @jpm I do feel that I'm not skilled enough to properly attempt this
@whitequark @jpm I think you are, partly because of the caution with which you approach the topic.
GitHub - osqzss/LimeGPS: Real-time GPS signal simulator for LimeSDR

Real-time GPS signal simulator for LimeSDR. Contribute to osqzss/LimeGPS development by creating an account on GitHub.

@whitequark clearly they should’ve written it in rust /s
@whitequark wait what it's dynamically changing the uart speed? Between what bauds?
@azonenberg 9600->115200

@whitequark @azonenberg yep u-blox receivers can do this, there’s a command sequence from the host to the receiver that does it.

And in the intended application, it makes sense to do so because I’ll bet one of the next commands is to increase the frequency of navigation messages up from the default of 1Hz

@jpm @whitequark Yeah it makes sense to run fast, booting at 9600 doesn't.

can you not just nonvolatile-ly configure the ublox to boot up at 115200 out of the box?

@azonenberg @jpm @whitequark you can, but that still has to be done at some point, and you don't want to make assumptions about what changes with different firmware versions, or if the receiver dumps the configuration (I've seen all of the above catch people out)
@azonenberg @whitequark booting at 9600 does make sense because factory config spits out NMEA at 1Hz. It also depends on exactly which receiver in the range it is, only some have actual non-volatile flash for storing configuration, the rest are only non-volatile as long as battery backup power is applied…
@whitequark particularly common for figuring out where a ublox device is. (ArduPilot does the same thing)
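A decoder for the two UBX behaviours discussed in this thread, added here as an example that is not part of the original posts, the firmware, or the Glasgow uart-analyzer applet: it verifies UBX framing and checksums, reports the CFG-PRT baud switch (9600 to 115200) that a sniffer has to follow, and rejects a NAV-SAT whose numSvs would exceed a fixed receive buffer, which is the bound the firmware above never checks. The buffer capacity of 32, the CFG-PRT and NAV-SAT sample frames, and the event names are constructed assumptions.

```python
import struct

UBX_SYNC = b"\xb5\x62"
NAV_SAT_CAPACITY = 32  # assumed receiver buffer size; the thread says "about 32"

def ubx_checksum(data: bytes) -> bytes:
    """8-bit Fletcher checksum over class, id, length and payload."""
    ck_a = ck_b = 0
    for b in data:
        ck_a = (ck_a + b) & 0xFF
        ck_b = (ck_b + ck_a) & 0xFF
    return bytes((ck_a, ck_b))

def ubx_frame(msg_class: int, msg_id: int, payload: bytes) -> bytes:
    """Build a UBX frame; used here only to construct sample input."""
    body = struct.pack("<BBH", msg_class, msg_id, len(payload)) + payload
    return UBX_SYNC + body + ubx_checksum(body)

def decode_ubx_stream(stream: bytes, capacity: int = NAV_SAT_CAPACITY) -> list:
    """Return one event per UBX frame in a captured byte stream: ("baud", rate)
    for CFG-PRT, ("nav-sat", n) or ("nav-sat-overflow", n) for NAV-SAT, and
    ("bad-frame", offset) for a bad checksum, truncation or wrong length."""
    events, i = [], 0
    while (i := stream.find(UBX_SYNC, i)) != -1 and i + 6 <= len(stream):
        msg_class, msg_id, length = struct.unpack_from("<BBH", stream, i + 2)
        end = i + 6 + length + 2
        if end > len(stream) or stream[end - 2:end] != ubx_checksum(stream[i + 2:end - 2]):
            events.append(("bad-frame", i))
            i += 2  # resynchronise past this sync word
            continue
        payload = stream[i + 6:end - 2]
        if (msg_class, msg_id) == (0x06, 0x00) and length == 20:
            # CFG-PRT: baudRate is the U4 at payload offset 8; a sniffer must switch its own UART here
            events.append(("baud", struct.unpack_from("<I", payload, 8)[0]))
        elif (msg_class, msg_id) == (0x01, 0x35) and length >= 8:
            num_svs = payload[5]  # NAV-SAT: numSvs at offset 5, 12 bytes per SV after the 8-byte header
            if length != 8 + 12 * num_svs:
                events.append(("bad-frame", i))
            elif num_svs > capacity:
                # the bound the firmware in the thread never checks before copying
                events.append(("nav-sat-overflow", num_svs))
            else:
                events.append(("nav-sat", num_svs))
        i = end
    return events

# Constructed sample: CFG-PRT switching UART1 to 115200, then a NAV-SAT carrying 40 SVs
CFG_PRT_115200 = ubx_frame(0x06, 0x00, struct.pack("<BBHIIHHHH", 1, 0, 0, 0x08D0, 115200, 7, 3, 0, 0))
NAV_SAT_40 = ubx_frame(0x01, 0x35, struct.pack("<IBBH", 0, 1, 40, 0) + bytes(12 * 40))
SAMPLE_STREAM = b"\x00" + CFG_PRT_115200 + NAV_SAT_40
```

With the module's 72 channels, a legitimate NAV-SAT can carry more satellites than the assumed 32-entry buffer holds, so the length check belongs before any copy into the buffer.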
@whitequark the missile doesn't know where it is because it doesn't know where it wasn't?
@azonenberg it's not a missile! it's a loitering munition

@azonenberg actually i'm not sure what this specific device should be called because it shouldn't have carried a warhead, it's a decoy

is that still a munition? i guess it is