girl who flirts with you by sending you drone parts (with firmware to extract and reverse-engineer)

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 20:47:28 JST

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 20:54:25 JST
everyone who follows the news knows the UA side is proudly using Ardupilot
however nobody seems to know what the RU side is using. time to find out, i have an STM32 on my desk and a glasgow with newly added SWD support

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 21:19:17 JST
weapons

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 21:27:43 JST
i need these two pins for SWD
at the factory, they most likely used serial programming, which i don't want to use as i'm unfamiliar with it and it's not even easier (the board has an RS232 level shifter, etc)

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 21:28:33 JST
@maehw i am not expecting any countermeasures; there are none on other devices i've RE'd which use ASICs that can be used in very secure configurations

Mäh W. (maehw@chaos.social)'s status on Wednesday, 11-Jun-2025 21:28:35 JST
@whitequark it will be readout protected, right? Will you need to apply some fault injection or something? Or does it have an external (Q)SPI flash? The internal flash is quite large in that thingie.

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 21:35:38 JST
ok, now i just need to power it
conveniently, there is silk that explains how to do that
it uses an LDO, so i don't think i actually need +24V, probably anything above 5V will work. i'll hook it up to a current limited supply first

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 21:47:07 JST
as expected, we have trouble! it draws like 1.5 watts while the supply is sagging down to 3.6 V. those 1.5 watts are going somewhere, and it sure as heck isn't the STM32 or the ublox M8! time for some thermal imaging
the fusion is pretty bad at this distance, but it's probably this capacitor that has broken down

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 22:02:28 JST
it was an identical capacitor on the other side. and i had to find out with my finger, because it got hot but not hot enough to instantly evaporate IPA (i was conservative with current)

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 22:04:15 JST
@gsuberland no this is another board from an entirely different drone; this one comes from a decoy with no warhead, not the shahed, i believe
i mean, this one also had to fall from the sky

Graham Sutherland / Polynomial (gsuberland@chaos.social)'s status on Wednesday, 11-Jun-2025 22:04:16 JST
@whitequark iirc you said it took a heavy hit at some point, so not surprising the MLCC cracked and you have shorted layers inside it

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 22:30:25 JST
after spending 30 minutes fucking around with the grabber hooks (never use these. seriously. just solder a wire or something. you'll only short out your DUT with the hooks) i discovered that one of the connectors on the board actually just has SWD on it
? SWCLK GND SWDIO ?
also it seems to be a 1.8 V IO bank

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 22:34:14 JST
nope i'm wrong, it just doesn't work properly on anything under 24 V (i'm not sure why i thought it would. bad assumptions)
and it's just a normal 3.3 V design

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 22:35:24 JST
Here we go

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 22:40:20 JST
ok, new problem
it responds over SWD... sometimes
i _think_ the board is attempting to boot and in the process of that browning out and resetting itself. maybe the u-blox has some dead capacitors, maybe something else; this is difficult to diagnose. all i know is the power LED seems to go out briefly every second and the SWD interface doesn't work consistently

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 22:45:37 JST
conveniently they put NRST on the same debug connector
so it's
RESET SWCLK GND SWDIO ?
... i think

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 22:48:52 JST
okay, it doesn't seem to brown out any more, and probe-rs no longer crashes with an SWD error
however, because enough ROM tables are in reset, i can't get `probe-rs info` to work

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 22:59:24 JST
@maehw read the firmware. so in principle, stopping the core and grabbing everything behind one MEM-AP should be enough to do it

Mäh W. (maehw@chaos.social)'s status on Wednesday, 11-Jun-2025 22:59:26 JST
@whitequark So far, I've only used off-the-shelf SWD probes, i.e. ST-Link and J-Link which hide most technical stuff behind the scenes -- probably unless you toggle some verbosity switch(es). What are you trying to accomplish here?

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 23:05:53 JST
for unclear reasons probe-rs continues to crash in some odd ways, so i think i have no choice but to grab ADIv5.2 and try to read the firmware myself? i really had not expected to have to do this...

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 23:11:22 JST
the problem with this is that this is an uhhhhhh very special device
fucking suppliers

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 23:12:25 JST
at least the docs explain which of the three AXI MEM-APs belong to what

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 23:34:48 JST
fortunately, glasgow lets you write scripts, so i wrote this quick script that lets me read memory while ignoring all errors by resetting the SWD interface whenever they happen
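The MEM-AP read that the two posts above describe (halt the core, read everything behind one MEM-AP, reset the interface when an error comes back), as an added example; this is not the glasgow script from the thread and does not use the glasgow API, which is why it is transport-independent: it only produces the ADIv5 transaction sequence and the SWD request bytes a probe would send, and maps the data phases that come back onto memory words. Register numbers, the request framing and the posted-read behaviour of AP reads are from the ARM Debug Interface Architecture Specification (ADIv5.0 to ADIv5.2); AP number 0, leaving the Prot bits of CSW clear, and re-targeting at every 1 KiB boundary are assumptions, since which AP fronts the core's bus and how auto-increment behaves across that boundary are part-specific.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# SWD request packet, sent LSB-first:
#   Start=1, APnDP, RnW, A[2], A[3], Parity (even, over the 4 preceding bits), Stop=0, Park=1
def swd_request(apndp: int, rnw: int, addr: int) -> int:
    a2, a3 = (addr >> 2) & 1, (addr >> 3) & 1
    parity = (apndp + rnw + a2 + a3) & 1
    bits = [1, apndp, rnw, a2, a3, parity, 0, 1]
    return sum(b << i for i, b in enumerate(bits))

def data_parity(word: int) -> int:
    """Even parity bit that follows every 32-bit data phase on the wire."""
    return bin(word & 0xFFFFFFFF).count("1") & 1

ACK_OK, ACK_WAIT, ACK_FAULT = 0b001, 0b010, 0b100   # 3-bit ACK field as read LSB-first

# DP registers, selected by A[3:2]; bank-0 meanings
DP_ABORT, DP_CTRL_STAT, DP_SELECT, DP_RDBUFF = 0x0, 0x4, 0x8, 0xC
# MEM-AP registers, bank 0
AP_CSW, AP_TAR, AP_DRW = 0x00, 0x04, 0x0C
CSW_SIZE_WORD = 0b010            # CSW.Size: 32-bit transfers (Prot bits left clear: assumption)
CSW_ADDRINC_SINGLE = 0b01 << 4   # CSW.AddrInc: bump TAR after every access
AUTOINC_WINDOW = 0x400           # auto-increment is only guaranteed within a 1 KiB window
ABORT_CLEAR_STICKY = 0x1E        # STKCMPCLR | STKERRCLR | WDERRCLR | ORUNERRCLR

@dataclass
class Txn:
    apndp: int
    rnw: int
    addr: int
    data: Optional[int] = None   # write payload; None for a read
    def request(self) -> int:
        return swd_request(self.apndp, self.rnw, self.addr)

def dp_write(addr: int, data: int) -> Txn: return Txn(0, 0, addr, data)
def dp_read(addr: int) -> Txn: return Txn(0, 1, addr)
def ap_write(addr: int, data: int) -> Txn: return Txn(1, 0, addr, data)
def ap_read(addr: int) -> Txn: return Txn(1, 1, addr)

def select_ap(apsel: int, bank: int = 0) -> Txn:
    """DP SELECT: APSEL in bits [31:24], APBANKSEL in [7:4], DPBANKSEL in [3:0]."""
    return dp_write(DP_SELECT, (apsel << 24) | ((bank & 0xF) << 4))

def mem_ap_read_plan(apsel: int, base: int, nwords: int) -> list[Txn]:
    """Transactions that read `nwords` 32-bit words from `base` through MEM-AP `apsel`.

    AP reads are posted: a DRW read returns the result of the *previous* AP read, so the
    first DRW value after each TAR write is stale and the last word of a run is collected
    with DP RDBUFF.  TAR is rewritten whenever the next access would cross a 1 KiB window.
    """
    if base & 3:
        raise ValueError("base must be word aligned")
    plan = [dp_write(DP_ABORT, ABORT_CLEAR_STICKY),   # clear sticky error flags first
            select_ap(apsel, 0),
            ap_write(AP_CSW, CSW_SIZE_WORD | CSW_ADDRINC_SINGLE)]
    addr, posted = base, False
    for _ in range(nwords):
        if addr == base or addr % AUTOINC_WINDOW == 0:
            if posted:
                plan.append(dp_read(DP_RDBUFF))       # drain the pipeline before retargeting
                posted = False
            plan.append(ap_write(AP_TAR, addr))
        plan.append(ap_read(AP_DRW))
        posted = True
        addr += 4
    if posted:
        plan.append(dp_read(DP_RDBUFF))
    return plan

def words_from_responses(plan: list[Txn], responses: list[int]) -> list[int]:
    """Pair the data phase of every read in `plan` (in order) with memory words,
    dropping the stale value the first DRW read after each TAR write returns."""
    if sum(t.rnw for t in plan) != len(responses):
        raise ValueError("one response per read transaction expected")
    it, words, drop_next = iter(responses), [], False
    for t in plan:
        if t.rnw == 0:
            drop_next = drop_next or (t.apndp == 1 and t.addr == AP_TAR)
            continue
        value = next(it)
        if drop_next and t.apndp == 1 and t.addr == AP_DRW:
            drop_next = False                         # belongs to whatever AP read came before
        else:
            words.append(value)
    return words

if __name__ == "__main__":
    # STM32H7 flash is mapped at 0x08000000; address 0 is ITCM, which is the mix-up
    # mentioned later in the thread.  AP 0 is an assumption.
    for t in mem_ap_read_plan(0, 0x08000000, 4):
        kind = f"{'AP' if t.apndp else 'DP'} {'read ' if t.rnw else 'write'} 0x{t.addr:02X}"
        extra = f"  data 0x{t.data:08X} parity {data_parity(t.data)}" if t.data is not None else ""
        print(f"req 0x{t.request():02X}  {kind}{extra}")
```

The plan is plain data, so the "ignore errors and reset" behaviour from the post maps onto it directly: on a WAIT or FAULT ACK, re-run the line reset, write ABORT, and resume from the most recent TAR write rather than from the start of the dump.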

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 23:37:44 JST
oops i was reading ITCM instead of Flash which is at 0x08000000
now _this_ looks like code (the very start of the firmware doesn't have anything interesting in it)

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 23:40:11 JST
(holding "identifying firmware" book)
yep. that's firmware

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 23:42:58 JST
@maehw oh yeah

Mäh W. (maehw@chaos.social)'s status on Wednesday, 11-Jun-2025 23:43:00 JST
@whitequark Reset vector should be at 0x08001639 then. BTW your binary file name might have a typo as it's a STM32H743 and not a STM32H723?

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 23:53:12 JST
based on strings in the firmware, it looks like it's using this exact STM32 bootloader
the bootloader repo is over 300 MB in size because they checked in a build of an Android app that you can use to reflash the thing

zabri (zabrinaz@mastodon.social)'s status on Wednesday, 11-Jun-2025 23:54:10 JST
@whitequark hi, great.
i want to build superlink in rust termux, can you help me?
i get an error message in the build.
thanks

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 23:57:00 JST
perfect match
(the \n was probably chomped off by clang as it turned printf into puts. yes, this is a valid optimization it does)

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 23:57:50 JST
@zabrinaz what is the error message?

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Wednesday, 11-Jun-2025 23:58:16 JST
@maehw yeah it's using TX1/RX1 and TX6/RX6 based on PCB markings

Mäh W. (maehw@chaos.social)'s status on Wednesday, 11-Jun-2025 23:58:17 JST
@whitequark Nice find. And the Bootloader might be logging to a UART. At least two UARTs are initialized there and it's using `printf` calls.

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 00:09:33 JST
besides one or two functions in the bootloader, there are no strings in the firmware
the application section is a 128K blob full of vector floating point instructions. this is going to be extremely challenging to reverse engineer

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 00:38:11 JST
okay i think i know why it was unstable
remember that broken down capacitor that i removed? it was on the VIN pin of a TPS5430 buck converter. and TPS5430 really, _really_ wanted its VIN pin to be bypassed

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 00:45:29 JST
@gsuberland it caused so much EMI that the glasgow would frequently re-enumerate, which was incredibly spooky

Graham Sutherland / Polynomial (gsuberland@chaos.social)'s status on Thursday, 12-Jun-2025 00:45:31 JST
@whitequark TPS5430 can have a little rail collapse,,, as a treat

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 01:34:14 JST
implemented memory dumping via SWD so that you don't have to rely on other tools that may or may not be able to identify the chip https://github.com/GlasgowEmbedded/glasgow/pull/898

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 02:07:32 JST
looking at this firmware: it has no strings (except in the bootloader), very little structure i can recognize, and is basically a 128K sized blob of numeric code
i don't think it's one of the popular open-source firmwares. definitely not as-is, and probably not even a modified one; i would expect vtables, command parsers, stuff like that; none of it is there

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 03:23:22 JST
@maehw it just uses a few USARTs (i think 1, 2, and 6 at least, but i haven't fully traced the board yet) and an SDMMC peripheral. and GPIOA bank. nothing else as far as i can tell, very conservatively written
probably C, and definitely no OS

Mäh W. (maehw@chaos.social)'s status on Thursday, 12-Jun-2025 03:23:24 JST
@whitequark do you think it has been manually coded (C code?) and runs bare metal? Seeing the bootloader approach lets me guess that they may also have used STM32 HAL/LL code. Or aren't there any other peripherals than the GPS/navigation module? Generated code for math stuff?

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 03:26:25 JST
@maehw on a second thought, they are definitely using a HAL, the way resets are controlled for a peripheral has all hallmarks (ha!) of it

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 05:40:51 JST
when reverse-engineering embedded devices, i like to make these overlays
to make one yourself, open the datasheet screenshot in gimp, use "select by color" on the _black_ (this is important), grow the border by 1-3 px, copy the selection, paste onto a photo, and use universal transform until it matches
[attachment]

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 05:54:50 JST
here's another one
i had to expand the u-blox symbol a bit since they didn't quite get the spacing right
[attachment]

Jonas (magnetic_tape@infosec.exchange)'s status on Thursday, 12-Jun-2025 06:02:06 JST
@whitequark
What's ADIv5.2?

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 06:02:06 JST
@magnetic_tape ARM® Debug Interface Architecture Specification ADIv5.0 to ADIv5.2

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 06:02:22 JST
@f4grx it's just normal code. lots and lots of normal numerics code

F4GRX Sébastien (f4grx@chaos.social)'s status on Thursday, 12-Jun-2025 06:02:24 JST
@whitequark ciphered and copied in ram before running? what are the vectors pointing to? there should be boot code there.

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 06:03:58 JST
for some reason people expect military firmware to do things like "code protection", "encryption", or "obfuscation"
they forget this firmware is usually made in a rush, by the lowest bidder, and (quite likely) by someone who doesn't really care about the craft
i have never seen any RE countermeasures

natan (natanbc@mastodon.social)'s status on Thursday, 12-Jun-2025 06:08:13 JST
@whitequark military-grade software (derogatory)

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 06:09:46 JST
@natanbc military-grade anything (derogatory)
i always find it laughable when people use "military-grade" in marketing. like, you mean, "overpriced by a factor of 20, ten years out of date, built in a factory chosen by what's benefitting some politician, and used in imperial conquest? which of these things are desirable, exactly?"

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 06:32:24 JST
@magnetic_tape @gsuberland to place the USB connector side away from the DUT would be the cheapest :)

Jonas (magnetic_tape@infosec.exchange)'s status on Thursday, 12-Jun-2025 06:32:25 JST
@whitequark
Interesting, never had that. What would you suggest to prevent that? Some mini faraday cage for the glasgow? Earthing the (metal) shell of the Glasgow?
@gsuberland

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 06:46:31 JST
the end result of connectivity extraction for me is usually these tables
[attachment]

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 06:52:40 JST
i played myself, the firmware doesn't actually use the SDMMC1 peripheral except to enable its power :/
and i'm fairly sure it's not being used with the SPI peripheral either, given PC8 is connected to DAT0/MISO
[attachment]

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 06:54:27 JST
i've never seen resistor markings like this
are these jumpers?
[attachment]

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 08:19:18 JST
i'm going to make a bet that nobody has tried to reverse-engineer Thumb code with VFP instructions in Binary Ninja before
i opened one trivial function and immediately found three bugs, one of which is a show-stopper
https://github.com/Vector35/binaryninja-api/issues/6945
https://github.com/Vector35/binaryninja-api/issues/6946
https://github.com/Vector35/binaryninja-api/issues/6947
[attachment]

Robert Prehn (prehnra@mastodon.social)'s status on Thursday, 12-Jun-2025 08:26:48 JST
@whitequark @natanbc My grandpa who was in the military gave me a can opener at one point and said "you know what this is? The only thing the army ever issued to us that worked worth a shit."

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 09:08:50 JST
@hakki they don't do that anywhere

H4kii the Posnaniese (hakki@floss.social)'s status on Thursday, 12-Jun-2025 09:08:52 JST
@whitequark i am really amused that they did not use STM's readout protection, which is actually provided by STM flashing toolkit

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 10:51:12 JST
implemented a glasgow applet for sniffing conversations over UART with accurate sequencing; this will be used for finding out how the MCU talks to the GPS module

zabri (zabrinaz@mastodon.social)'s status on Thursday, 12-Jun-2025 10:55:43 JST
error: attributes starting with `rustc` are reserved for use by the `rustc` compiler
--> shim/main.rs:100:11
error: cannot find attribute `rustc_safe_intrinsic` in this scope
--> shim/main.rs:100:11
error: requires `legacy_receiver` lang_item
--> shim/main.rs:144:11
error: requires `legacy_receiver` lang_item
--> shim/main.rs:147:11
error: intrinsic safety mismatch between list of intrinsics within the compiler and core library intrinsics for intrinsic `wrapping_add`

zabri (zabrinaz@mastodon.social)'s status on Thursday, 12-Jun-2025 10:56:10 JST
@whitequark error: aborting due to 5 previous errors
thread 'main' panicked at build.rs:47:9:
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
[attachment]

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 11:10:31 JST
just realized that i can't exactly expect this device to work as intended right now, because it doesn't have its IMU
and it needs an IMU, alongside GPS, to know where it is

Joel Michael (jpm@aus.social)'s status on Thursday, 12-Jun-2025 11:10:57 JST
@whitequark I’m pretty familiar with uBlox M8 GPS receivers, feel free to ping if any questions.

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 11:10:57 JST
@jpm absolutely taking you up on this!

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 11:16:32 JST
@azonenberg it's not a missile! it's a loitering munition

Andrew Zonenberg (azonenberg@ioc.exchange)'s status on Thursday, 12-Jun-2025 11:16:33 JST
@whitequark the missile doesn't know where it is because it doesn't know where it wasn't?

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 11:17:04 JST
@azonenberg actually i'm not sure what this specific device should be called because it shouldn't have carried a warhead, it's a decoy
is that still a munition? i guess it is

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 12:23:08 JST
using the new `uart-analyzer` applet i have obtained the exchange between the MCU and the GNSS module. it is a binary stream in a format unknown to me. for obvious reasons i will not be posting a screenshot of it

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 12:27:56 JST
of _course_ this device pair is being annoying and switching UART speed at runtime
i didn't implement autobaud in uart-analyzer applet because i thought it 'would not be that important'. agh

wickedshell (wickedshell@mastodon.social)'s status on Thursday, 12-Jun-2025 12:29:48 JST
@whitequark is it UBX (u-blox's binary protocol)? It's typically used for config because you usually can't turn it off on a port. 0xB5 0x62 are the sync bytes if so.

wickedshell (wickedshell@mastodon.social)'s status on Thursday, 12-Jun-2025 12:30:58 JST
@whitequark particularly common for figuring out where a ublox device is. (ArduPilot does the same thing)

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 12:35:45 JST
@azonenberg 9600->115200

Andrew Zonenberg (azonenberg@ioc.exchange)'s status on Thursday, 12-Jun-2025 12:35:46 JST
@whitequark wait what it's dynamically changing the uart speed? Between what bauds?

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 12:40:57 JST
adding proper autobaud is fairly tricky for the analyzer, but i did at least add per-channel baud (i.e. you can have different baud rates for RX and TX)
an online ublox protocol decoder (implemented e.g. as a script) could promptly switch baud rates when it observes a command to do so

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 13:11:21 JST
i've reverse-engineered the entire state machine in the firmware. it only parses three messages! these are:
UBX-NAV-PVT
UBX-NAV-SOL
UBX-NAV-SAT

once again, the firmware is... simple. every part i can understand does exactly one thing, in the most uncomplicated way possible

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 13:20:40 JST
i think this has a buffer overflow

crzwdjk ✅ (crzwdjk@mastodon.social)'s status on Thursday, 12-Jun-2025 13:24:38 JST
@whitequark the RE countermeasures are external to the firmware (they figure the device will destroy itself anyway)

poleguy looking for lost tools (poleguy@mastodon.social)'s status on Thursday, 12-Jun-2025 13:28:20 JST
@whitequark @azonenberg The Wayne Gretzkys of baud rate.

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Thursday, 12-Jun-2025 13:28:39 JST
@crzwdjk this one is a decoy, it's guaranteed to crash-land unless shot down

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 13-Jun-2025 13:54:50 JST
@dojoe ngl that was my first thought until i concluded it was silly

dojoe (dojoe@chaos.social)'s status on Friday, 13-Jun-2025 13:54:51 JST
@whitequark [REDACTED]

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 13-Jun-2025 13:57:50 JST
i should have mentioned that i didn't come up with the idea, i learned it from watching my headmate RE something. previously i would use transparency for the datasheet layer, which was suffering

Joel Michael (jpm@aus.social)'s status on Friday, 13-Jun-2025 16:28:59 JST
@whitequark *giggle*

Joel Michael (jpm@aus.social)'s status on Friday, 13-Jun-2025 16:28:59 JST
UBX-NAV-PVT length = 92 bytes
UBX-NAV-SOL length = 52 bytes
UBX-NAV-SAT length = how many satellites can you see right now?

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 13-Jun-2025 19:55:07 JST
yeah, it reads data from the sensor into a preallocated buffer that has space for about 32 satellites (i'm not clear on how many exactly but definitely not more than that)
the GNSS module has 72 channels

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 13-Jun-2025 19:55:49 JST
@chrisgj198 @jpm it overflows the buffer
i don't know how long it is exactly because it appears to never check the buffer but it's like half the module channel count
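A decoder for the three messages the state machine parses (UBX-NAV-PVT, UBX-NAV-SOL, UBX-NAV-SAT), the CFG-PRT baud-rate switch that the earlier post about a decoder script mentions, and the bound on NAV-SAT's numSvs that the posts above describe the firmware as never checking. This is an added example, not the firmware's code or anything from the thread: the frame format, class/ID numbers, Fletcher checksum and field offsets follow the u-blox M8 receiver protocol specification; the 32-entry capacity is an assumption standing in for the firmware's table (the post says "about 32", and the sample 40-satellite message exists only to show what a defensive parser does with it); and the sample stream is constructed, not a capture.

```python
from __future__ import annotations
import struct

SYNC = b"\xb5\x62"
NAV_PVT, NAV_SOL, NAV_SAT, CFG_PRT = (0x01, 0x07), (0x01, 0x06), (0x01, 0x35), (0x06, 0x00)
FIXED_LEN = {NAV_PVT: 92, NAV_SOL: 52, CFG_PRT: 20}
SAT_CAPACITY = 32   # assumed size of the firmware's satellite table ("about 32" in the thread)

def checksum(body: bytes) -> bytes:
    """8-bit Fletcher (CK_A, CK_B) over class, id, length and payload."""
    ck_a = ck_b = 0
    for b in body:
        ck_a = (ck_a + b) & 0xFF
        ck_b = (ck_b + ck_a) & 0xFF
    return bytes((ck_a, ck_b))

def build(cls_id: tuple[int, int], payload: bytes) -> bytes:
    """Wrap a payload into a complete UBX frame."""
    body = bytes(cls_id) + struct.pack("<H", len(payload)) + payload
    return SYNC + body + checksum(body)

def frames(stream: bytes):
    """Yield (cls_id, payload) for every frame whose checksum verifies; on a bad
    length or checksum, slide forward one byte and look for the next sync."""
    i = 0
    while (i := stream.find(SYNC, i)) >= 0 and i + 6 <= len(stream):
        (length,) = struct.unpack_from("<H", stream, i + 4)
        end = i + 6 + length + 2
        body = stream[i + 2:end - 2]
        if end <= len(stream) and stream[end - 2:end] == checksum(body):
            yield (stream[i + 2], stream[i + 3]), stream[i + 6:end - 2]
            i = end
        else:
            i += 1

class Decoder:
    """Decodes the messages the firmware consumes and tracks the link state a sniffer needs (baud)."""
    def __init__(self, baud: int = 9600):
        self.baud = baud
        self.rejected: list[tuple[tuple[int, int], str]] = []   # frames a defensive parser drops

    def handle(self, cls_id: tuple[int, int], payload: bytes) -> dict | None:
        if cls_id in FIXED_LEN and len(payload) != FIXED_LEN[cls_id]:
            self.rejected.append((cls_id, f"length {len(payload)} != {FIXED_LEN[cls_id]}"))
            return None
        if cls_id == CFG_PRT:                 # UART port config: baudRate is the U4 at offset 8
            self.baud = struct.unpack_from("<I", payload, 8)[0]
            return {"baud": self.baud}
        if cls_id == NAV_PVT:                 # fixType@20 flags@21 flags2@22 numSV@23 lon@24 lat@28
            fix, _flags, _flags2, num_sv, lon, lat = struct.unpack_from("<BBBBii", payload, 20)
            return {"fix": fix, "numSV": num_sv, "lon": lon / 1e7, "lat": lat / 1e7}
        if cls_id == NAV_SOL:                 # gpsFix@10 numSV@47
            return {"gpsFix": payload[10], "numSV": payload[47]}
        if cls_id == NAV_SAT:                 # iTOW@0 version@4 numSvs@5 reserved@6, then 12 bytes per SV
            num_svs = payload[5] if len(payload) >= 8 else -1
            if len(payload) != 8 + 12 * num_svs:
                self.rejected.append((cls_id, "length does not match numSvs"))
                return None
            if num_svs > SAT_CAPACITY:
                # The bound the thread says the firmware lacks: copying numSvs entries into a
                # SAT_CAPACITY-entry table would run past its end, so the frame is dropped.
                self.rejected.append((cls_id, f"numSvs={num_svs} exceeds capacity {SAT_CAPACITY}"))
                return None
            sats = []
            for k in range(num_svs):
                gnss, sv, cno, elev, azim, _pr_res, flags = struct.unpack_from("<BBBbhhI", payload, 8 + 12 * k)
                sats.append({"gnssId": gnss, "svId": sv, "cno": cno, "elev": elev, "azim": azim,
                             "used": bool(flags & 0x8)})   # flags bit 3 = svUsed
            return {"numSvs": num_svs, "sats": sats}
        return None                           # everything else is ignored, as the firmware does

def process(stream: bytes) -> tuple[list[dict], Decoder]:
    dec = Decoder()
    return [r for r in (dec.handle(c, p) for c, p in frames(stream)) if r is not None], dec

def nav_sat_payload(num_svs: int) -> bytes:
    """Constructed NAV-SAT payload with num_svs entries (sample data, not a capture)."""
    head = struct.pack("<IBBH", 123456000, 1, num_svs, 0)
    return head + b"".join(struct.pack("<BBBbhhI", 0, k + 1, 30, 45, (90 * k) % 360, 0, 0xC) for k in range(num_svs))

def sample_stream() -> bytes:
    """Constructed sample: baud switch to 115200, a 3D fix in PVT and SOL, a corrupted SOL,
    a 5-satellite NAV-SAT, four junk bytes that look like a sync, then a NAV-SAT claiming 40."""
    cfg_prt = struct.pack("<BBHIIHHHH", 1, 0, 0, 0x8D0, 115200, 1, 1, 0, 0)   # UART1, 8N1, 115200
    nav_pvt = struct.pack("<IHBBBBBBIiBBBBii", 123456000, 2025, 6, 12, 12, 0, 0, 0x7, 50, 0,
                          3, 1, 0, 9, -1278000, 515074000)
    nav_pvt += bytes(92 - len(nav_pvt))
    nav_sol = bytes(10) + bytes((3, 0)) + bytes(35) + bytes((9,)) + bytes(4)  # gpsFix=3, numSV=9
    corrupted = bytearray(build(NAV_SOL, nav_sol)); corrupted[16] ^= 0xFF      # payload byte flipped
    return (build(CFG_PRT, cfg_prt) + build(NAV_PVT, nav_pvt) + build(NAV_SOL, nav_sol) + bytes(corrupted)
            + build(NAV_SAT, nav_sat_payload(5)) + b"\xb5\x62\xff\xff" + build(NAV_SAT, nav_sat_payload(40)))

if __name__ == "__main__":
    decoded, dec = process(sample_stream())
    for d in decoded:
        print(d if "sats" not in d else {"numSvs": d["numSvs"], "used": sum(s["used"] for s in d["sats"])})
    print("link now at", dec.baud, "baud; rejected:", dec.rejected)
```

Run as a script the decoder reports the baud change, both fixes, the 5-satellite table, and one rejected 40-satellite frame; the corrupted NAV-SOL never reaches the decoder because the framer's checksum check drops it. Feeding `frames()` the bytes from a UART capture and switching the analyzer's baud whenever `handle()` returns a `baud` key is the decoder-script approach the earlier post sketches.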

chrisgj198 (chrisgj198@mastodon.social)'s status on Friday, 13-Jun-2025 19:55:50 JST
@jpm @whitequark I wonder what happens if you give the GPS receiver signals from too many satellites (well, pretend satellites ideally). There is likely some limit (possibly implemented safely) in the GPS firmware but it may still be higher than the length of this buffer...

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 13-Jun-2025 19:57:37 JST
... i think this is technically a 0day?..

chrisgj198 (chrisgj198@mastodon.social)'s status on Friday, 13-Jun-2025 20:02:28 JST
@whitequark @jpm I hope something important is right after this buffer then. A suitable GNSS simulator might be quite easy to make if the bitstream could be pre-computed and just played back into a mixer with appropriate LO.

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 13-Jun-2025 20:05:35 JST
@chrisgj198 @jpm i could also just feed it the ublox binary messages; same result for less effort (with the caveat that i don't know if the ublox module will actually emit such long messages in any practical environment)
i _really_ don't want to mess with GNSS signals too much, since if they leak i'll get a not-so-friendly visit from Ofcom and it'll be 100% deserved

chrisgj198 (chrisgj198@mastodon.social)'s status on Friday, 13-Jun-2025 20:10:00 JST
@whitequark @jpm I was more thinking of how it would behave in its natural environment, where the serial port is inaccessible. I agree that during investigations you should limit the power of any transmissions such that nobody else notices them.

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 13-Jun-2025 20:12:32 JST
@chrisgj198 @jpm my understanding (based on talking to someone who worked with GNSS emulators) is that it's particularly difficult to limit the power of GNSS transmissions, seeing as receivers will pull them from well below the thermal noise floor

chrisgj198 (chrisgj198@mastodon.social)'s status on Friday, 13-Jun-2025 20:16:52 JST
@whitequark @jpm True, but the inverse square law is pretty effective, if you don't vastly exceed the power that you need. Maybe attenuating one of the signals *before* mixing would give more certainty that the signal that you don't want to escape doesn't exist anywhere at high power.

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 13-Jun-2025 20:18:30 JST
@chrisgj198 @jpm I do feel that I'm not skilled enough to properly attempt this

chrisgj198 (chrisgj198@mastodon.social)'s status on Friday, 13-Jun-2025 20:23:58 JST
@whitequark @jpm I think you are, partly because of the caution with which you approach the topic.

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 13-Jun-2025 21:52:21 JST
@chrisgj198 @jpm i don't have access to a _stepped_ attenuator i think (there are some 10dB and 30dB inline attenuators around...) though that could be arranged, and my headmate has a plutosdr which i believe is good enough for this

chrisgj198 (chrisgj198@mastodon.social)'s status on Friday, 13-Jun-2025 21:52:22 JST
@whitequark @jpm You would want some good stepped attenuators and some receiver ( SDR or spectrum analyser) so that you can verify the amount of leakage (modulated with a simple tone) before you feed it the right bitstream though.

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 13-Jun-2025 21:53:57 JST
@maswan i honestly have no idea and don't want to be presumptuous

maswan (maswan@mastodon.acc.sunet.se)'s status on Friday, 13-Jun-2025 21:53:59 JST
@whitequark
Is it one a few Ukrainians might be interested in being tagged into this thread, or are we assuming they are already reading it with interest?

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 13-Jun-2025 21:54:52 JST
@ignaloidas i am not at all sure it's exploitable, partly because of what you say, partly because it's flying in an environment saturated with EW, partly because i'm not sure there's any usable pointers after this block of RAM

Ignas Kiela (ignaloidas@not.acu.lt)'s status on Friday, 13-Jun-2025 21:54:54 JST
@whitequark@mastodon.social it's uhh, quite hard to be in view of more satellites than that? I guess you could try tricking it with ground simulators, but that's a bit hard to do reliably

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 13-Jun-2025 22:01:21 JST
@maswan i'm almost completely certain that this would add nothing over the existing EW efforts even if you somehow got the entire chain to work

maswan (maswan@mastodon.acc.sunet.se)'s status on Friday, 13-Jun-2025 22:01:23 JST
@whitequark Yeah, it's tricky, and hard to know if it is old stuff to the people really working on this in UA.
But on the other hand if there is even a 5% chance that this could be a useful way of disabling hundreds of drones, it would be nice if they got it sooner rather than later.

✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 13-Jun-2025 22:13:47 JST
please chill y'all i don't think there's any useful pointers after that block of memory

dram🎀 (dramforever@mastodon.social)'s status on Friday, 13-Jun-2025 22:21:04 JST
@whitequark my guess is there's really nothing worth looking for for war purposes because there's the far easier attack of "just shoot it down"
it clearly works and this is how you got your hands on one
✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 13-Jun-2025 22:22:10 JST ✧✦Catherine✦✧
@dramforever also like, they fly in an environment that i understand to be saturated with GNSS jamming. which works better
✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 13-Jun-2025 22:22:57 JST ✧✦Catherine✦✧
@dramforever "shoot it down" isn't as easy as it sounds because of this
dram🎀 (dramforever@mastodon.social)'s status on Friday, 13-Jun-2025 22:25:29 JST dram🎀
@whitequark ngl that's higher tech than i expected
chrisgj198 (chrisgj198@mastodon.social)'s status on Friday, 13-Jun-2025 22:37:25 JST chrisgj198
@whitequark @jpm It doesn't *have* to be stepped, it's just nice to be able to dial up any attenuation you want, up to say 100 dB. I used to buy old RF test equipment from Stewart of Reading (sometimes slightly broken but usually ok value). For things that wear out and get flaky, like cables and connector adapters, I prefer new-old-stock from ebay.
✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 13-Jun-2025 23:01:47 JST ✧✦Catherine✦✧
@chrisgj198 @jpm oh that's actually a really good idea, thanks!
chrisgj198 (chrisgj198@mastodon.social)'s status on Friday, 13-Jun-2025 23:01:48 JST chrisgj198
@whitequark @jpm for mixers, amplifiers and stuff, Mini-Circuits is good, though the ones with connectors aren't so cheap.
chrisgj198 (chrisgj198@mastodon.social)'s status on Friday, 13-Jun-2025 23:01:48 JST chrisgj198
@whitequark @jpm If I were really, really worried about transmitting something that upset people's navigation, I'd get the PlutoSDR to generate the modulated signal at a very wrong frequency where it could do little harm, attenuate it a lot, and then mix the attenuated version to the right frequency, and then only operate it for the minimum duration necessary for the tests.
✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Saturday, 14-Jun-2025 02:51:12 JST ✧✦Catherine✦✧
so, after close examination, i think the device currently in my hands isn't an autopilot or the like. its job is solely to grab a stream of radio frequency data from a CRPA, to do some form of processing on it, and to spit it out in the form of a rapid (saturating the UART) stream of telemetry somewhere else
apparently there are raspberry pis involved at one stage
✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Saturday, 14-Jun-2025 02:51:57 JST ✧✦Catherine✦✧
i feel like after seeing raspberry pis in loitering munitions i can pack my embedded career up. there's nothing more to be seen at this point
✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Saturday, 14-Jun-2025 02:56:35 JST ✧✦Catherine✦✧
reportedly the actual autopilot role is taken up by multiple TMS320s and i have absolutely no desire to stare at TMS320 assembly. bizarre choice of device to design in
✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Saturday, 14-Jun-2025 03:06:16 JST ✧✦Catherine✦✧
@azonenberg apparently russia has cloned TMS320s long ago but... they don't use the clones? they use actual western TI TMS320s? they don't even come in the same package??
Andrew Zonenberg (azonenberg@ioc.exchange)'s status on Saturday, 14-Jun-2025 03:06:17 JST Andrew Zonenberg
@whitequark TMS320s are all over the place in western munitions too. Not surprised in the slightest
Andrew Zonenberg (azonenberg@ioc.exchange)'s status on Saturday, 14-Jun-2025 03:10:46 JST Andrew Zonenberg
@whitequark probably easier to find in a dumpster in guangzhou? lol
✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Saturday, 14-Jun-2025 03:10:46 JST ✧✦Catherine✦✧
@azonenberg yeah I suppose in the same dumpster they get AD and ublox parts
✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Saturday, 14-Jun-2025 05:40:50 JST ✧✦Catherine✦✧
@philpem these did not work whatsoever
Phil M0OFX (philpem@digipres.club)'s status on Saturday, 14-Jun-2025 05:40:51 JST Phil M0OFX
@whitequark What kind of probes are you using for that? I've had trouble finding QFP probes which don't fall off.
🇺🇦 haxadecimal (brouhaha@mastodon.social)'s status on Saturday, 14-Jun-2025 05:44:19 JST 🇺🇦 haxadecimal
@whitequark @philpem
probe without rhythm
don't attract the worm
✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Saturday, 14-Jun-2025 08:57:32 JST ✧✦Catherine✦✧
@jpm @azonenberg there are many examples with shields, i think this happened somewhere in my 'supply chain'
Joel Michael (jpm@aus.social)'s status on Saturday, 14-Jun-2025 08:57:33 JST Joel Michael
@whitequark @azonenberg and judging by the photos, the u-blox parts definitely came out of a dumpster because it’s missing the RF shield
edmeme (edmeme@mastodon.social)'s status on Sunday, 15-Jun-2025 06:54:53 JST edmeme
@whitequark You might have seen this already. I think it's the same part you are looking at, plus some more, and there is definitely a Pi there.
✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Sunday, 15-Jun-2025 06:59:12 JST ✧✦Catherine✦✧
@edmeme yeah it's the same INS