television
Tagged as: security | tv | linux | hacks |
For the last two weeks I have been playing around with cardsharing systems. The main purpose was to understand how it works and figure out how people deal with it. There is a very good post written by ReverseSkills which describes all the steps to get cardsharing working.

What is cardsharing? Cardsharing is a method of allowing multiple clients or digital television receivers to access a subscription television network with only one valid subscription card. You can find further information on Wikipedia. Although there are a lot of satellite receivers that can be used for cardsharing, the best-known manufacturer is Dreambox.

So, following the procedure, I first used Shodan. Shodan collects banner and version information, which may be useful to find some Dreamboxes on well-known ports such as HTTP. It turns out that Shodan has some limitations that can be solved with money, but this is not the case here. I did not find anything useful. There were some Dreamboxes that could be accessed through the web, but the credentials were not the default ones.

The next step was to implement my own script in order to scan the network looking for Dreamboxes. The script used was pretty simple:
  • Two loops from 1 to 255 and wget
  • grep looking for "dreambox" in the answers
  • Typical IP ranges of your country
If the range is correct, you will get some Dreambox IPs for sure.

If you try to access these IPs with a browser you will see that some of them have the default credentials and some of them don't. I definitely would go for those with default credentials (user:root, password:dreambox). At this point you can navigate the web interface provided by the Dreambox. However, the web interface does not allow reading system files.

To get the configuration files you have to log in to the device. The most direct test here is to run nmap and see which ports are open. Usually, you have to look for the FTP and telnet ports. I did not find any device with the SSH port open. Once you get in, you may find different configuration files depending on the protocol they use to share the keys. I found that people use Gbox and CCcam. The paths to the configuration file for each protocol are:
/var/etc/CCcam.cfg
/var/keys/cwshare.cfg
Finally, you will need a receiver, read up on images and protocols, and configure your receiver using the configuration files you found.

From what I have seen, there are a lot of users who share their configuration lines in private forums. Usually, these people don't know very much about security, so it is likely they leave their ports open with the default credentials. If your social abilities are good, you can join some of these forums and ask for their lines. It could be a good social engineering attack.
author: strugg
date: 01 Jun 2011 10:00:00 GMT
security
One of the basic rules for programmers is to check the input and output of each function. However, depending on the platform, that is not enough. There are other parameters that should be considered, since they can leak critical data.

One of the parameters to take into account in embedded systems is the timing of the operations. Timing analysis could leak important data, such as the PIN of a smart card.

With smart cards, each hex value of the PIN entered is compared to the PIN stored in memory. So, if the time spent when the value is correct differs from the time spent when the value is wrong, it could lead to a leak, and the PIN could be recovered in a few attempts.

Here's an example of a string compare function that takes constant time whether the comparison is correct or not.
#include <string.h>
/* Constant-time string compare (named ct_strcmp so it does not clash with the
   libc strcmp): walks to the end of the longer string and OR-s the differences
   together, so the time taken does not depend on where (or whether) the
   strings differ.  Returns 0 when equal, non-zero otherwise. */
int ct_strcmp(const char *s1, const char *s2)
{
    size_t n1 = strlen(s1), n2 = strlen(s2), n = n1 > n2 ? n1 : n2;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (i < n1 ? (unsigned char)s1[i] : 0) ^ (i < n2 ? (unsigned char)s2[i] : 0);
    return diff;
}
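To make the leak described above concrete, here is an added C example (not the author's code): a constructed 4-digit card PIN check in an early-exit version and a constant-time version, each counting the bytes it examined as a stand-in for elapsed time, plus a simulated timing analysis that recovers the PIN from the early-exit check in a few dozen attempts but learns nothing from the constant-time one. The PIN length, the work counter and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>
#define PIN_LEN 4

/* Early-exit PIN check (constructed stand-in for card firmware): returns at
 * the first mismatching byte.  *work counts the bytes examined, as a proxy
 * for the time the check takes. */
int pin_check_leaky(const unsigned char *stored, const unsigned char *guess, size_t *work)
{
    *work = 0;
    for (size_t i = 0; i < PIN_LEN; i++) {
        (*work)++;
        if (stored[i] != guess[i])
            return 0;
    }
    return 1;
}

/* Constant-time PIN check: every byte is examined and the differences are
 * OR-ed together, so *work (and the time) is the same for every guess. */
int pin_check_ct(const unsigned char *stored, const unsigned char *guess, size_t *work)
{
    unsigned char diff = 0;
    *work = 0;
    for (size_t i = 0; i < PIN_LEN; i++) {
        (*work)++;
        diff |= stored[i] ^ guess[i];
    }
    return diff == 0;
}

typedef int (*pin_check_fn)(const unsigned char *, const unsigned char *, size_t *);

/* Simulated timing analysis: fixes one digit at a time by keeping the guess
 * that made the check do the most work.  Returns the number of checks made;
 * `out` receives the PIN the analysis settled on. */
size_t recover_pin(pin_check_fn check, const unsigned char *stored, unsigned char *out)
{
    size_t attempts = 0;
    memset(out, '0', PIN_LEN);
    for (size_t pos = 0; pos < PIN_LEN; pos++) {
        size_t best_work = 0, work;
        unsigned char best = '0';
        for (unsigned char d = '0'; d <= '9'; d++) {
            out[pos] = d;
            attempts++;
            if (check(stored, out, &work))
                return attempts;            /* full match: PIN recovered */
            if (work > best_work) { best_work = work; best = d; }
        }
        out[pos] = best;
    }
    return attempts;
}
```

On real hardware the counter stands for a timing measurement, which is why the mitigation is to make the comparison's work independent of the data, as the constant-time version does.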
author: strugg
date: 20 Mar 2011 18:00:00 GMT
security
Tagged as: security | linux | tor | mental note |
Tor is a system intended to enable online anonymity, composed of client software and a network of servers which can hide information about users' locations and other factors which might identify them (more info).

Install instructions on Debian:
aptitude install xul-ext-torbutton
It will install the following packages:
  • polipo
  • socat
  • tor
  • tor-geoipdb
  • tsocks
Set the following options in /etc/polipo/config:
proxyName = "localhost"

cacheIsShared = false

socksParentProxy = "localhost:9050"
socksProxyType = socks5

chunkHighMark = 67108864

diskCacheRoot = ""

localDocumentRoot = ""

disableLocalInterface = true
disableConfiguration = true

dnsUseGethostbyname = yes

disableVia = true

censoredHeaders = from,accept-language,x-pad,link
censorReferer = maybe

maxConnectionAge = 5m
maxConnectionRequests = 120
serverMaxSlots = 8
serverSlots = 2
tunnelAllowedPorts = 1-65535

The config file can be downloaded from here.

To start and stop it you can use:
/etc/init.d/polipo start
/etc/init.d/polipo stop
Remember to use the Tor button in Iceweasel to enable the anonymous connection.
author: strugg
date: 10 Mar 2011 20:00:00 GMT
barça
Tagged as: barça | messi |
  • If you count the times one of the finalists has made me get up from my chair, Messi wins.
  • If you count the matches one of the finalists has decided, Messi wins again.
  • If you count the goals scored by each finalist, Messi wins.
  • The best player in the world has won the Ballon d'Or. Fair.
  • Barça was able to win a European Cup with Xavi injured. Could it win one without Messi?
  • If things stay the same, next year could be fairly similar. Considering Iniesta's end of season, I predict that next year CR7 will replace Xavi as a finalist.
  • Once again, it is the worst outcome with regard to the attacks from the state pseudo-press. Now we will have to put up with the lynching of Messi even though he is not to blame for anything. Messi deja a España sin Balón de Oro
  • Someone should take care of telling the relatives to watch their discourse a little. It is one thing to think it is unfair, and another to insinuate that the whole thing is a mafia.
  • In all of this, I would have given the Ballon d'Or to Xavi.
author: strugg
date: 23 Aug 2010 20:00:00 GMT
linux
Tagged as: linux | config | mental note |
aptitude install wvdial

Edit the file /etc/wvdial.conf and paste this text:

[Dialer Defaults]
Phone = *99***1#
Password = movistar
Username = movistar
Stupid mode =1
Dial command = ATDT

[Dialer reset]
Modem = /dev/ttyUSB0
Init1 = ATDT

[Dialer movistar]
Phone = *99***1#
Modem = /dev/ttyUSB0
Baud = 460800
Init2 = ATZ
Init3 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
ISDN=0
Modem Type = Analog Modem
Init5 = AT+CGDCONT=1,"IP","movistar.es";
author: strugg
date: 09 Jan 2011 0:10:00 GMT
hacks
Tagged as: phone | free |
  1. Order your new phone from your phone company.
  2. Check out the order status frequently.
  3. When your order is at the last stage, just before being sent, make a call to your company and cancel it.
  4. Probably, the communication between the customer service department and the delivery department is pretty slow. So, the phone will be delivered, but in the computer system it will appear as cancelled.
  5. Make sure that your order status is cancelled.
  6. If so, order another phone.
  7. In the meantime you'll get the first phone, and in a few days you'll receive the second phone.
  8. At this point call your phone company telling them that you have two phones and you only want one of them. Ask to send one back.
  9. Up to now, you only have one phone, but the phone company will charge you for two phones.
  10. Reject this charge and call them again, explaining that you bought one device and that the second device was a misunderstanding.
  11. At this point your request will get stuck in an endless loop impossible to be solved.
  12. Wait some months and change your phone company, or go to step one!
True story!
author: strugg
date: 07 Jan 2011 14:00:00 GMT
technology
Tagged as: china | usb | storage |

240GB Kingston DataTraveler

One colleague brought this 240GB USB flash drive from China for less than 10$. It looks suspicious taking into account that the Kingston webpage only shows USB DataTraveler models up to 32GB. So, 8 times less.

True or fake?
Fake. After looking at the partitions table it turned out it was a 512MB USB. They altered the partition table to fake the 240GB.

If you want to get one of these you don't need to go to China. There are plenty of Chinese websites selling them.
author: strugg
date: 15 Nov 2010 13:40:00 GMT
hacks
Tagged as: hacks | ps3 | android |
A lot of stuff has been going on since the PS3 modchip was released in August 2010. In my opinion it is one of the hacks of the year. It is pretty cool to hack the PS3 using a non-invasive technique such as a dongle or even a phone.

The exploit allows users to back up games and play them off the hard drive. Actually, it is a little bit hard to understand well if you do not have a good idea of the boot process. Anyway, there is an interesting link which explains the exploit.

The timeline of the modchip has followed these steps:
  1. First, PS Jailbreak was released. It is a dongle which runs the exploit. The price was around 100$.
  2. Some days after the release of PS Jailbreak a new exploit method came up: PS Groove. It is an open-source reimplementation of the psjailbreak exploit for AT90USB and related microcontrollers. These microcontrollers are much cheaper and brought the exploit to the homebrew stage. The price of a USB development kit with a microcontroller is around 30$.
  3. Finally, PS Groove was adapted to be used on several smartphone models. All the information can be found on PSFreedom.com. So, if you have a suitable phone it is free.
Sony moved fast, issuing firmware version 3.42 and making it a mandatory upgrade. This version disables the hack, so upgrading does not seem a good idea.

And now what? It seems that the best thing to do is to keep the old firmware version until something new comes up. The best option could be the use of a custom firmware. At the moment, a USB firmware loader was released on the 19th of September (yesterday). So, I hope there are some developers working on the next steps.
author: strugg
date: 20 Sep 2010 20:00:00 GMT
android
Tagged as: android | mobile |
I recently got an HTC Magic with Android OS, also known as HTC Sapphire.
After one month using the 1.6 version of Android (provided by Vodafone) I decided to upgrade it.
So, I installed the latest CyanogenMod-6.0.0-DS-RC3 with Android version 2.2.

All the information about rooting and upgrading the Android was in the CyanogenMod wiki.
Actually, the steps that I followed are in this wiki.

It is pretty cool to have a rooted Android phone. One of the main advantages is being able to uninstall the OS provided by the operator, which might have some functionalities disabled. In my case I was not able to use tethering, which is very useful when you travel with your laptop.
Also, the default OS might not respect privacy very much.

The performance of this release on an HTC Magic is not very high due to the phone's limitations.
It requires some extra work, removing some apps and installing some applications, to improve the performance.

Good gadget!
author: strugg
date: 17 Sep 2010 20:00:00 GMT
localhost
Tagged as: rss | web |
For the last two days I've been working on RSS support for the web. It is something I didn't include in the initial post, but it is a very important functionality (I've already added it to the post).

The RSS generator is an XSL Transformation. Basically, it reads the XML file which contains all the data and creates another XML file that is RSS compliant.

Currently, it only shows the description of the web. I'm considering including the whole content of the post. If I include all the content I have to manage the HTML tags, which will probably generate some errors.

If you don't believe it, here is the evidence:

[Valid RSS]
author: strugg
date: 28 Jul 2010 20:00:00 GMT
projects
Tagged as: security | rfid | openpcd | projects |
It seems that the use of RFID technology is increasing in our everyday life. We can pay for drinks, rent bikes or take public transportation... (the list could be infinite). My main concerns in this scenario are security and privacy.
  • From my point of view, security must be a prerequisite to take into account before the design and implementation of an RFID system. Unfortunately, it only happens occasionally (at least in some countries). However, security is unfamiliar to IT companies. And then, of course, bad things happen. For instance, some students discovered a vulnerability in the security software of the public transportation card in the Netherlands. This flaw allowed reuse of the disposable ticket.
  • All RFID tags can always be tracked. Obviously, everybody is tracked when they enter or leave a station (they know the associated ID number). But with RFID technology you could be tracked everywhere an RFID reader is installed. So, they could know (for instance) the places you visit inside the station. And they could correlate this data and use it for advertising.
I recently bought an OpenPCD. It is a free hardware design for Proximity Coupling Devices (PCD) based on 13.56 MHz communication. The idea is to load a firmware onto the microcontroller and try to establish communication with RFID cards or tags. Using a sniffer in the middle of the communication, the signal can be captured and stored using a digital scope. The documentation, the firmware and the hardware design are open, so it should be easy to adapt the firmware to my needs.

My idea is to test several RFID services, perform a little reverse engineering and analyse the security of the different systems. After that, I will analyse some Mifare implementations with crypto. For instance, the MIFARE Classic encryption Crypto-1 can be broken in about twelve seconds on a laptop, if approx. 50 bits of known (or chosen) key stream are available. So, I will focus on the application security and the card security. I guess that the initial objectives of the project will vary as I get deeper knowledge.

First thing to do, however, is to read ISO 14443.
author: strugg
date: 23 Jul 2010 22:00:00 GMT
politics
Taged as: catalunya | politics | usa |
July 4, 1776
We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness. That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness. Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn, that mankind are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed. But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security.

July 4, 1776
We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain inalienable Rights, among which are the right to Life, to Liberty and to the pursuit of Happiness. That to guarantee these rights, Governments are instituted among Men, which derive their legitimate powers from the consent of the governed, That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to reform or abolish it, and to institute a new Government founded on those principles, organizing its powers in the form that in their judgement offers the greatest chances of achieving their Safety and Happiness. Prudence, of course, will advise that Governments long established should not be changed for slight and transient reasons; and, indeed, experience has shown that mankind is more disposed to suffer, while evils are tolerable, than to do itself justice by abolishing the forms to which it is accustomed. But when a long series of abuses and usurpations, directed invariably at the same Object, shows the design of subjecting the people to absolute Despotism, it is their right, it is their duty, to overthrow that Government and to establish new Safeguards for their future security.
author: strugg
date: 14 Jul 2010 22:00:00 GMT
localhost
Tagged as: web | projects | xslt | xml |
Although I think a bit more work is needed to put the ideas I have in my head onto the web, I have decided to take the first step and start publishing content.
First of all, thanks to Skurz0. I started from his previous work and adapted it to my needs.
This site is based on XSL+XML, a system that, according to my university notes, I have known since 2003. Even so, I had not looked at it in detail until recently.
Current features of the site:
  • Post system with category and tag(s).
  • Post search by category.
  • Post search by tags.
  • Update system based on XML editing and Mercurial.
Things I have in mind to keep working on:
  • A simple administration system with authentication.
  • Change some things in the presentation.
  • Modularize the design.
  • System for adding plugins.
  • RSS support (added 28/07/2010)
  • Mobile version (05/08/2010)
A lot of work ahead, but it could be fun.
author: strugg
date: 19 May 2010 22:00:00 GMT