Sucking out firmware through a curly straw

I'm currently working on cracking a Definity PBX I bought on ebay. It came with a license for using the software installed on it, but you need a support contract to actually make it go. As I'm using it for personal research and don't ever intend to run a business on it, a multi-thousand-dollars support contract is not in the cards. So, I have to crack it instead.

First step is dumping the firmware. I couldn't find a copy anywhere online, which isn't a huge surprise — only Lucent is supposed to be able to make upgrades happen, and it's a rather old release anyway.

First I looked into getting it directly off the board. As it turned out, that would require dumping 4 TSOPs and figuring out how they interleave. Seems reasonable, but my local hackerspace only had SOIC test clips, and TSOP test clips are a very limited availability specialty item, and would cost around $150 for an attempt. Strike one.

My second approach centered around a set of cryptic commands I'd seen poking around the command completion results in the inads account — rp, rva, wp, and wva. A bit of experimentation showed me that they stood for, respectively, read physical, read virtual address, write physical, and write virtual address. That and a few ugly shell commands later, I'm in business hex-dumping the physical memory — 80 bytes at a time.

In one terminal:

$ seq 0 128 16777216 | xargs printf 'rp byte d %x c 80\r\n' > addresses-for-dumping
# 'c 80' is a hex count (0x80 = 128 bytes), which is why seq steps by 128; 131073 requests at 3 s each is roughly 4.5 days
# /dev/ttyS0 must already be set to the console's speed and raw mode (stty -F /dev/ttyS0 ...), and both terminals must leave those settings alone
$ cat addresses-for-dumping | while read -r line ; do echo "$line" > /dev/ttyS0 ; sleep 3 ; done

In a second terminal:

# sed -u and grep --line-buffered keep the pipeline streaming one line at a time (fgrep's -u is not an unbuffered switch); the sed expression strips the ESC[row;colH cursor-positioning sequences the console emits so the address lines come through as plain text
$ cat /dev/ttyS0 | sed -u -e 's/\x1b\[[0-9]*;[0-9]*H/ /g' | grep --line-buffered -F '0x' | tee firmware.hex

When done:

$ sed -e 's/^ 0x//;s/    / /' firmware.hex > fw_clean.hex
$ xxd -r fw_clean.hex firmware.bin
# xxd -r assumes 16 bytes per line and silently ignores the rest of a longer line; if the console prints a whole 0x80-byte chunk on one line, add -c 128
# xxd -r also writes each line at the offset it carries, so a dropped or garbled line leaves a hole instead of shifting everything after it; compare the output size against the 16 MiB address range before trusting the image
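As an added example (not the post's own code), the following Python reproduces the dump-and-reassemble steps with the check the shell pipeline lacks: it generates the rp command list, parses the captured console lines, reports every chunk that never came back, and lays the chunks out at their own addresses so a lost serial line leaves a visible hole rather than shifting the rest of the image. The console line format " 0xADDRESS    bytes" is an assumption inferred from the sed expression above, not verified against a real Definity, and the sample capture is constructed.

```python
"""Reassemble a serial-console memory dump and check it for gaps.

Added example, not from the original post. Assumed console line format
(inferred from the post's sed expression, not verified on a real Definity):
    " 0x<address>    <hex bytes separated by spaces>"
possibly prefixed by ESC[row;colH cursor-positioning sequences.
"""
import re

CHUNK = 0x80  # bytes per "rp byte d <addr> c 80" request (0x80 = 128)

ANSI_CUP = re.compile(r"\x1b\[[0-9]*;[0-9]*H")  # cursor-position escapes
DUMP_LINE = re.compile(r"^\s*0x([0-9A-Fa-f]+)\s+((?:[0-9A-Fa-f]{2}\s*)+)$")


def rp_commands(start, end, chunk=CHUNK):
    """The 'rp' lines to feed the console, one per chunk in [start, end)."""
    return [f"rp byte d {addr:x} c {chunk:x}\r\n"
            for addr in range(start, end, chunk)]


def parse_capture(text):
    """Map chunk address -> bytes for every well-formed dump line.
    Command echoes, prompts and garbled lines are skipped; if a chunk was
    re-requested, the last copy wins."""
    chunks = {}
    for raw in text.splitlines():
        line = ANSI_CUP.sub(" ", raw).rstrip("\r")
        m = DUMP_LINE.match(line)
        if not m:
            continue
        chunks[int(m.group(1), 16)] = bytes.fromhex(m.group(2))
    return chunks


def missing_chunks(chunks, start, end, chunk=CHUNK):
    """Chunk addresses in [start, end) that are absent or came back short."""
    gaps = []
    for addr in range(start, end, chunk):
        want = min(chunk, end - addr)
        if len(chunks.get(addr, b"")) < want:
            gaps.append(addr)
    return gaps


def assemble(chunks, start, end, fill=b"\xff"):
    """Place each chunk at its own address. Bytes never captured keep the
    fill value (0xff, the erased-flash pattern), so a gap stays visible
    instead of shifting everything after it, which is what a naive
    concatenation of the captured lines would do."""
    image = bytearray(fill * (end - start))
    for addr, data in chunks.items():
        if start <= addr < end:
            off = addr - start
            image[off:off + len(data)] = data[:end - addr]
    return bytes(image)


# Constructed capture: 8-byte chunks for readability, one line carrying a
# cursor-positioning escape, one command echo, and the chunk at 0x10 lost.
SAMPLE_CAPTURE = (
    "rp byte d 0 c 8\r\n"
    " 0x00000000    ff 00 3c 00 00 00 01 00\r\n"
    "\x1b[24;1H 0x00000008    de ad be ef 00 00 00 00\r\n"
    " 0x00000018    11 22 33 44 55 66 77 88\r\n"
)


def demo(start=0, end=0x20, chunk=8):
    """Run the three steps over the constructed capture."""
    chunks = parse_capture(SAMPLE_CAPTURE)
    gaps = missing_chunks(chunks, start, end, chunk)
    image = assemble(chunks, start, end)
    return chunks, gaps, image


if __name__ == "__main__":
    chunks, gaps, image = demo()
    print(f"{len(chunks)} chunks captured, {len(image)} bytes assembled")
    for addr in gaps:
        print(f"missing chunk at 0x{addr:08x}; re-request with: "
              f"rp byte d {addr:x} c 8")
```

The gap list doubles as the retry list: feeding only those addresses back through rp_commands is far cheaper than re-running a multi-day dump, and the 0xff fill makes any chunk that still never arrives obvious in a hex editor.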

I'll see about posting an update in 4 days when this dump is done...


The harddisk in my laptop has a whole passel of bad sectors in the swap partition (/dev/hda5). What this means:

  • I need to go buy a new HD and transfer my datas to it. (pain-in-the-ass)
  • I am restricted to 512 MiB of allocated memory in my applications. (no-big-deal)
  • No suspend-to-disk until I replace the disk, because the kernel will just panic on hitting an I/O error during resume. I might as well just pull the battery out. At least that way it'll save me the time to suspend/resume. (ruins-my-month)

I think I'm going with an 80G this time around. (I've presently got a 60G.) Or perhaps I could go for the lowest-power model I can find. Suggestions?

I don't know how to read SMART output. Help?

eldritch:~# smartctl -A /dev/hda
smartctl version 5.32 Copyright (C) 2002-4 Bruce Allen
Home page is

SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000b   100   100   062    Pre-fail  Always       -       0
  2 Throughput_Performance  0x0005   100   100   040    Pre-fail  Offline      -       1467
  3 Spin_Up_Time            0x0007   126   126   033    Pre-fail  Always       -       1
  4 Start_Stop_Count        0x0012   100   100   000    Old_age   Always       -       788
  5 Reallocated_Sector_Ct   0x0033   100   100   005    Pre-fail  Always       -       0
  7 Seek_Error_Rate         0x000b   100   100   067    Pre-fail  Always       -       0
  8 Seek_Time_Performance   0x0005   100   100   040    Pre-fail  Offline      -       0
  9 Power_On_Hours          0x0012   099   099   000    Old_age   Always       -       710
 10 Spin_Retry_Count        0x0013   100   100   060    Pre-fail  Always       -       0
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       378
191 G-Sense_Error_Rate      0x000a   097   097   000    Old_age   Always       -       65541
192 Power-Off_Retract_Count 0x0032   100   100   000    Old_age   Always       -       11
193 Load_Cycle_Count        0x0012   095   095   000    Old_age   Always       -       53597
194 Temperature_Celsius     0x0002   144   144   000    Old_age   Always       -       38 (Lifetime Min/Max 16/52)
196 Reallocated_Event_Count 0x0032   100   100   000    Old_age   Always       -       1
197 Current_Pending_Sector  0x0022   100   100   000    Old_age   Always       -       1
198 Offline_Uncorrectable   0x0008   100   100   000    Old_age   Offline      -       0
199 UDMA_CRC_Error_Count    0x000a   200   200   000    Old_age   Always       -       0
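Added example (not from the original post): a parser for the smartctl -A table above with the standard reading rules applied. VALUE and WORST are normalized scores (higher is better); smartctl flags an attribute in WHEN_FAILED when VALUE is at or below a non-zero THRESH (failing now) or when WORST is (failed in the past). Independently of that, non-zero raw counts on the sector-health attributes (5, 196, 197, 198) mean the platters are losing sectors, and a non-zero 199 points at cabling or the controller rather than the platters. The load-cycle ratio is a heuristic added here, not part of SMART.

```python
"""Parse a `smartctl -A` attribute table and apply the standard reading rules.

Added example, not from the original post. The table is the one printed in
the post, with smartctl's own header row restored for reference.
"""
import re

SMART_TABLE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000b   100   100   062    Pre-fail  Always       -       0
  2 Throughput_Performance  0x0005   100   100   040    Pre-fail  Offline      -       1467
  3 Spin_Up_Time            0x0007   126   126   033    Pre-fail  Always       -       1
  4 Start_Stop_Count        0x0012   100   100   000    Old_age   Always       -       788
  5 Reallocated_Sector_Ct   0x0033   100   100   005    Pre-fail  Always       -       0
  7 Seek_Error_Rate         0x000b   100   100   067    Pre-fail  Always       -       0
  8 Seek_Time_Performance   0x0005   100   100   040    Pre-fail  Offline      -       0
  9 Power_On_Hours          0x0012   099   099   000    Old_age   Always       -       710
 10 Spin_Retry_Count        0x0013   100   100   060    Pre-fail  Always       -       0
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       378
191 G-Sense_Error_Rate      0x000a   097   097   000    Old_age   Always       -       65541
192 Power-Off_Retract_Count 0x0032   100   100   000    Old_age   Always       -       11
193 Load_Cycle_Count        0x0012   095   095   000    Old_age   Always       -       53597
194 Temperature_Celsius     0x0002   144   144   000    Old_age   Always       -       38 (Lifetime Min/Max 16/52)
196 Reallocated_Event_Count 0x0032   100   100   000    Old_age   Always       -       1
197 Current_Pending_Sector  0x0022   100   100   000    Old_age   Always       -       1
198 Offline_Uncorrectable   0x0008   100   100   000    Old_age   Offline      -       0
199 UDMA_CRC_Error_Count    0x000a   200   200   000    Old_age   Always       -       0
"""

# ID, name, flag, VALUE, WORST, THRESH, TYPE, UPDATED, WHEN_FAILED, first integer of RAW_VALUE
ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+0x([0-9a-fA-F]{4})\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"(Pre-fail|Old_age)\s+(Always|Offline)\s+(\S+)\s+(\d+)"
)

SECTOR_HEALTH = {
    5: "reallocated sectors",
    196: "reallocation events",
    197: "pending (currently unreadable) sectors",
    198: "offline uncorrectable sectors",
}
CABLE = {199: "UDMA CRC errors (cable/controller, not platter)"}


def parse_attributes(text):
    """Return {id: attribute dict}; the header row and any non-attribute lines are skipped."""
    attrs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        attrs[int(m.group(1))] = {
            "name": m.group(2),
            "flags": int(m.group(3), 16),
            "value": int(m.group(4)),
            "worst": int(m.group(5)),
            "thresh": int(m.group(6)),
            "type": m.group(7),
            "raw": int(m.group(10)),  # temperature rows carry extra text after the number
        }
    return attrs


def assess(attrs):
    """Apply the threshold rule and the raw-count rule; return both lists."""
    failing, warnings = [], []
    for aid, a in attrs.items():
        if a["thresh"] and a["value"] <= a["thresh"]:
            failing.append((aid, a["name"], "failing now"))
        elif a["thresh"] and a["worst"] <= a["thresh"]:
            failing.append((aid, a["name"], "failed in the past"))
        if aid in SECTOR_HEALTH and a["raw"]:
            warnings.append((aid, f"{a['raw']} {SECTOR_HEALTH[aid]}"))
        if aid in CABLE and a["raw"]:
            warnings.append((aid, f"{a['raw']} {CABLE[aid]}"))
    return {"failing": failing, "warnings": warnings}


def load_cycles_per_hour(attrs):
    """Heuristic (not a SMART rule): head load/unload cycles per power-on hour.
    A high rate means aggressive idle parking, which wears a laptop drive
    but is not itself a failure indication."""
    hours = attrs[9]["raw"]
    return attrs[193]["raw"] / hours if hours else 0.0


if __name__ == "__main__":
    attrs = parse_attributes(SMART_TABLE)
    verdict = assess(attrs)
    print("failing:", verdict["failing"] or "none")
    for aid, msg in verdict["warnings"]:
        print(f"warning: attribute {aid}: {msg}")
    print(f"load cycles per power-on hour: {load_cycles_per_hour(attrs):.1f}")
```

On this table nothing trips a threshold, so smartctl's overall health check would still say PASSED; the two raw warnings (one pending sector, one reallocation event) are the bad-sector symptom the post describes, and they are the attributes to watch rather than the normalized columns.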


You are OS2-Warp. You're plagued by feelings of abandonment and disgust for your backstabbing step-brother.  Oh, what might have been.
Which OS are You?

You are Smalltalk. You like to treat everyone the same way, but this lack of individuality makes everyone feel like objects.
Which Programming Language are You?

You are .html You are versatile and improving, but you do have your limits.  When you work with amateurs it can get quite ugly.
Which File Extension are You?

You are You are a know-it-all.  You are trustworthy, most of the time.  You are  versatile and useful.  You like volunteering.  You are free.
Which Website are You?

Mood: procrastinatory
Today's shell script

#! /bin/bash
# usage: script FIRST LAST URL REFERER; each "{}" in URL and REFERER is replaced by the zero-padded number
for F in $(seq -w "$1" "$2"); do
  URL=$(echo "$3" | sed -e "s/{}/$F/g")
  REF=$(echo "$4" | sed -e "s/{}/$F/g")
  wget "$URL" --referer="$REF"
  sleep 4
done

I'm sure that you guys can come up with another use for this.

Purchasing Process

Posting from UW HUB, using the LogJam client on my laptop named "eldritch". I would use my web browser, but Firefox 1.0.4 crashes on opening the "post" page when using the new LJ style. I should report it, but I'm too lazy.

At least here I can cut from emacs easily. (LogJam is really small w.r.t. screen space.)

I went to the Facilities building earlier today to pick up a copy of the map I requested a few weeks ago. Actually, I first went to the Communications building to pay at the copy center. But they told me I had to get a card and they would charge me that way. So I went to the Facilities office building and talked to Jeff, who got me the card with "$3.75" written on it. Back up to Communications, where I paid and got a receipt. Then I went back to Facilities, where I handed over both the card and the receipt and got the map in exchange. They then present a bunch of receipts to the copy center staff monthly or so and get money transferred into their budget.

It kind of reminds me of the Kerberos authentication process.

The UW has a pervasive wireless network, which is cool. But I can't set up passwordless SSH to the Dante shell account, because sshd wants your IP to be the same all the time. Perhaps there's a way around this.


Today I got hall-swept for being two minutes late to math class. So I went to the lunchyroom to serve my LTD. All that happens is you eat your lunch at a table and you can go in 20 minutes. If you don't, then you have to show up for Saturday School. Learning is punishment.

I turned in my Latin textbooks today. I may miss Catullus.

My bladder is full.

Tomorrow I shall go to Yuen Lui for the purpose of being photographed.

Today I switched back to using Window Maker instead of Sawfish for my primary window manager. It's so fast!


So I sent in my acceptance to the UW. Today I logged in to MyUW and guess what I see! I get a shell account on, and they're willing to store my email for me. Imagine that! They're providing space for my email! And I'm using SSH, of course. Haven't even bothered testing if they accept telnet. (Just did, and they do. /me slaps UW)

My /etc/passwd entry is f:!:247792:30:D. Smith:/da09/d25/f:/usr/local/bin/psh. That's a high UID, isn't it? (Yes. My username is "f", so I make sure that at least the password is hard to guess.) wc -l /etc/passwd gives 53076 accounts, including the usual 60 or so daemons.

The system is AIX. They don't have mutt, preferring their in-house pine. However, there is GNU Emacs installed, so I'll live. ;)


Livejournal is surprisingly useful when used in w3m. It's even more usable in w3m than in IE! (not really saying much, but whatever)
