Rairii

@Rairii@haqueers.com

Reversing (malware and otherwise); appsec and websec; embedded security; exploit dev; software preservationist; knows how not to use cryptography.

Currently finding bugs in Windows bootloaders.

You may also know me from capcom.sys.

#nobot

This profile is from a federated server and may be incomplete. Browse more on the original instance.

atomicpoet, to fediverse

I disagree with those who say “Let’s focus on spreading awareness for Mastodon—not the Fediverse” for three reasons:

  1. Some people hate Mastodon. If they don’t like Mastodon, they should know about options to their liking.

  2. Some people are looking for alternatives to Facebook, YouTube, Instagram—and Mastodon is not the answer for them.

  3. What about developers looking to build novel and new social media? They should know what ActivityPub does.

Rairii,

@atomicpoet wait, does that include forks like glitchsoc/hometown?

lowqualityfacts, to random
@lowqualityfacts@mstdn.social avatar

My goal isn't for Mastodon to replace Twitter.

My goal is for the Fediverse to attack and dethrone God.

Rairii,

@lowqualityfacts which god

atomicpoet, to random

What’s the point of blocking Twitter Blue users? Blocking can easily be overridden by Elon Musk.

However, Elon Musk can’t override you from leaving Twitter.

Rairii,

@atomicpoet what's the bet that next thing twitter blue subscribers get is "can't be blocked"

tinker, to random

You know that creepy "Report a Trans" form from the Missouri state government? (found here: https://ago.mo.gov/file-a-complaint/transgender-center-concerns )

Here's an interesting Proof of Concept code for spamming that form that you can analyze:

https://github.com/boiled-water-tsar/eat-my-entire-trans-ass-andrew-bailey

Rairii,

@metricguy @tinker @endi @jackemled anyone want to crowdfund shady captcha solving service? ;)

Rairii,

@metricguy @tinker @endi @jackemled that said, is the captcha actually implemented properly? i remember at least one occurance when it was done entirely client side

Rairii, to RaspberryPi

hired a surveillance cop then reacted poorly to people criticising them?

I already released (partial) VCE disassembler, which is enough for an interested reverser to keygen the <=RPi3 codec licensing algorithm.

Maybe I should just, ya know, post the serial algo code.

(fuck software patents/etc anyway)

Rairii,

// codec licensing serial algo (<=RPi3)
// shoutouts to fabien perigaud/synacktiv. your beerump 2017 presentation slides started me on this journey.
// (sure you redacted the fun stuff, I just rediscovered it myself)
// also shoutouts to everyone involved in BCM2708 reversing!
// greetings to elites, fuckings to lamers (second category includes broadcom and rpi foundation)

??=include <stdint.h>
??=include <stdio.h>

typedef uint8_t u8;
typedef uint16_t u16;
typedef uint32_t u32;

u8 vce_data[] = {
0x54, 0x6f, 0x76, 0x6b, 0x94, 0xce, 0x1a, 0x57, 0x56, 0x51, 0x0c, 0xb2, 0x72, 0xc9, 0xc3, 0x12,
0x13, 0xbc, 0xe8, 0xd2, 0x5b, 0xa3, 0x2d, 0x2a, 0x5a, 0x62, 0x4d, 0xeb, 0x16, 0x40, 0x05, 0x87,
0xe0, 0x98, 0x39, 0xf7, 0xac, 0xc6, 0xab, 0x7c, 0xe9, 0xfb, 0x07, 0xaa, 0x29, 0xcd, 0x1d, 0x9b,
0xf6, 0x0e, 0x01, 0xbb, 0x5c, 0xfc, 0x15, 0xae, 0xd9, 0xfa, 0x9c, 0xef, 0xf1, 0x75, 0x8e, 0x70,
0x46, 0x8b, 0xb0, 0x89, 0x50, 0xaf, 0x6e, 0x67, 0x18, 0xda, 0xee, 0xd4, 0x32, 0xbe, 0x4e, 0x58,
0x5d, 0x1f, 0x4b, 0x73, 0x88, 0xc0, 0x79, 0x02, 0xde, 0x47, 0xa0, 0x43, 0x9a, 0xdb, 0xc8, 0x35,
0x95, 0x3c, 0xcc, 0x8d, 0x64, 0x2f, 0x14, 0x68, 0x00, 0x71, 0x03, 0xb9, 0xed, 0x0b, 0xf3, 0x24,
0x60, 0xb1, 0x17, 0x63, 0xdf, 0x48, 0x41, 0xa4, 0x28, 0x5e, 0x2b, 0xd8, 0xb4, 0x90, 0xba, 0x83,
0xe4, 0x08, 0xd0, 0xe2, 0xb8, 0x6a, 0x10, 0x74, 0x9f, 0x7b, 0x19, 0x38, 0x8f, 0x91, 0xd6, 0xa8,
0x27, 0x06, 0x30, 0x33, 0x61, 0x34, 0x25, 0x21, 0x53, 0xc7, 0x66, 0x23, 0xff, 0xc5, 0x80, 0x85,
0xf4, 0xd7, 0x97, 0x99, 0x55, 0xf2, 0x8c, 0x04, 0x6c, 0x4f, 0xa1, 0x36, 0x20, 0x0a, 0xe1, 0x44,
0x59, 0xcf, 0x7d, 0xb6, 0xf9, 0x0f, 0x6d, 0x11, 0x78, 0x93, 0xe5, 0x3f, 0xf0, 0x9e, 0x84, 0xd3,
0x7e, 0xbd, 0xd1, 0xf5, 0xa5, 0x81, 0x22, 0x37, 0xf8, 0x52, 0xe3, 0x5f, 0xa9, 0xca, 0xfd, 0x42,
0x7f, 0x09, 0xa2, 0x9d, 0x8a, 0xb7, 0x4a, 0xe6, 0xa6, 0x77, 0x3d, 0x1c, 0x2e, 0xcb, 0x1b, 0x69,
0xb3, 0x1e, 0xc1, 0x7a, 0x82, 0xdd, 0x2c, 0xdc, 0x49, 0xea, 0x3a, 0xe7, 0x31, 0x4c, 0xad, 0xbf,
0x0d, 0xc2, 0xc4, 0x96, 0x65, 0x26, 0xfe, 0x92, 0x86, 0x3b, 0x3e, 0xec, 0xd5, 0xb5, 0xa7, 0x45
};

??=define INLINE static inline attribute ((optimize (3))) attribute((always_inline))

INLINE u32 GET(u32 var, u8 bits) {
return vce_data[(var >> bits) & 0xff] << bits;
}

// should probably use bitwise OR, but this is what the vce code does
INLINE u32 GET32(u32 var) {
return GET(var,24) ^ GET(var,16) ^ GET(var,8) ^ GET(var,0);
}

// vce has no rotate instructions, so it does it the long way as in C
INLINE u32 ROR(u32 var, u32 right) {
return (var >> right) ^ (var << (32 - right));
}

u32 codec_license_hash(u32 board_serial /* r1 /,u32 codec / r2 */) {

??=define CODEC_XOR_BOARD_ROR(bits) codec ^= ROR(board_serial,bits)
??=define BOARD_XOR_CODEC_ROR(bits) board_serial ^= ROR(codec,bits)

for (u32 i = 0; i < 17; i++) {
CODEC_XOR_BOARD_ROR(1);
BOARD_XOR_CODEC_ROR(6);
CODEC_XOR_BOARD_ROR(13);
BOARD_XOR_CODEC_ROR(17);
CODEC_XOR_BOARD_ROR(21);
BOARD_XOR_CODEC_ROR(29);

board_serial = GET32(board_serial);
codec = GET32(codec);
}

??=undef CODEC_XOR_SHIFTS_BOARD
??=undef BOARD_XOR_SHIFTS_CODEC

return codec;
}

// This board serial taken from hxxps://web.archive.org/web/20221208160705/forums.raspberrypi.com/viewtopic.php?t=38901
// The person who owns the SoC with this serial burned in fuses did a nice thing and provided their own WVC1 + MPG2 keys, we can use that to verify this implementation is correct:
// decode_MPG2=0x6fd66307
// decode_WVC1=0x01a512b0
??=define BOARD_SERIAL 0x9d3e8cb1

void main() {
printf("??= VC1 key\ndecode_WVC1=0x%08x\n\n", codec_license_hash(BOARD_SERIAL, 0xf00bad34 ^ 0x57564331 /* 'WVC1' /));
printf("??= MPEG-2 key\ndecode_MPG2=0x%08x\n\n", codec_license_hash(BOARD_SERIAL, 0xf00bad34 ^ 0x4D504732 / 'MPG2 /));
printf("??= Super-secret key ;)\n??=\n"
"??= start.elf, before booting ARM, reads bootsig key from efuses, then compares against 1/2 of 5 hardcoded keys.\n"
"??= If not equal, then this key is checked, if not correct then infinite loop + LED flash\n"
"??= (same as if 3rdsig -- ARM kernel binary HMAC signature -- verification fails)\n"
"??= As to why this is done, I have no idea. Bootsig key is also 128-bit HMAC key and this reduces the available\n"
"??= possible entropy for unique bootsig key (necessary for boot-time security I would think!) down to either\n"
"??= 51, 52, or 77 bits depending on what key was burned into your Pi's efuses...\n"
"decode_0001=0x%08x\n\n", codec_license_hash(BOARD_SERIAL, 0xf00bad34 ^ 0x30303031 / '0001' */));
}

zhuowei, to random

x86-64 is 20 years old today.
AMD released the first Opteron processor on April 22, 2003.
https://en.wikipedia.org/wiki/Opteron
Yes, you're old.

Rairii,

@bk1e @zhuowei i just checked the xpsp1 leak and the amd64 nt port started to happen in early 2000

the earliest date that doesn't appear to be an outlier is 2000-02-05

the dates on the bootloader code for amd64? 2000-04-20

i wonder when the amd64 port was far enough along that it could boot to something useful

nano, to random

led?
in MY zeppelin?

Rairii,

@nano unleaded zeppelin

  • All
  • Subscribed
  • Moderated
  • Favorites
  • JUstTest
  • InstantRegret
  • ngwrru68w68
  • osvaldo12
  • magazineikmin
  • tacticalgear
  • rosin
  • thenastyranch
  • Youngstown
  • khanakhh
  • slotface
  • mdbf
  • kavyap
  • DreamBathrooms
  • megavids
  • GTA5RPClips
  • Durango
  • cubers
  • modclub
  • cisconetworking
  • tester
  • everett
  • ethstaker
  • Leos
  • anitta
  • normalnudes
  • provamag3
  • lostlight
  • All magazines
    •