
@tniessen
tniessen / stm32-cmox-crypto-crc-aes-gcm.md
Created December 28, 2023 21:09
How CMOX (X-CUBE-CRYPTOLIB) uses the STM32's CRC unit for AES encryption and decryption

X-CUBE-CRYPTOLIB (CMOX) and the STM32's CRC unit

This write-up is about the STM32 cryptographic firmware library X-CUBE-CRYPTOLIB, also known as the Cortex-M Optimized Crypto Stack (CMOX). It is a cryptographic library developed by STMicroelectronics (ST) for their series of STM32 processors, which are based on the ARM Cortex-M family.

Hardware features vary across different STM32 processors. Because CRC checksums are widely used in embedded systems, most (if not all) STM32 processors feature a hardware CRC unit that is supposed to accelerate CRC computations.

Introduction

Interestingly, on the page "Getting started with the Cryptographic Library", ST claims:

@drvink
drvink / cornbread.md
Created December 15, 2018 23:46
best cornbread recipe

The cornbread recipe is easy; it's right off the Alber's Yellow Cornmeal box.

  • 1 cup Alber's yellow cornmeal
  • 1 cup all purpose flour
  • 1/4 cup granulated sugar
  • 1 Tbs. baking powder (Not soda)
  • 1 tsp. salt
  • 1 cup milk
  • 1/3 cup vegetable oil (like canola)
  • 1 large egg, slightly beaten
@darkarnium
darkarnium / FT2232HSWD.py
Last active April 18, 2020 01:28
Provides a very basic FT2232H SWD implementation
''' Provides a very basic (read: shitty) FT2232H SWD implementation. '''
import time
import logging
import binascii
from struct import pack
from struct import unpack
from operator import xor
from pyftdi.gpio import GpioController
@shuffle2
shuffle2 / fuses.c
Created October 17, 2017 23:26
dump + decode tegra t210 ipatches
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#define ARRAYSIZE(x) (sizeof(x) / sizeof(*x))
@truemongo
truemongo / gist:7aea60f80f6aa9b79cc9509b633557c9
Last active October 20, 2017 06:55
Infineon TPM fake buggy key generator
#!/usr/bin/python2
from random import randint, choice
from gmpy2 import is_prime # pip install gmpy2
import operator
### Code from ROCA
primes = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101,
103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167]
prints = [6, 30, 126, 1026, 5658, 107286, 199410, 8388606, 536870910, 2147483646, 67109890, 2199023255550,
@egirault
egirault / Syscan2015Badge.md
Last active November 11, 2024 17:51
Dumping the flash memory of the Syscan 2015 badge

Dumping the flash of the Syscan 2015 badge

The badge of the Syscan 2015 conference included an ARM-based STM32F030R8 processor running some challenges. Although SWD pins are accessible on the badge, some have noted that the STM32 is readout-protected, meaning that it will refuse to dump its flash memory.

Fortunately, two researchers (Johannes Obermaier and Stefan Tatschner) recently published a paper at the WOOT '17 conference, in which they reveal a vulnerability that allows the readout protection to be bypassed. Their technique dumps the flash one DWORD at a time, rebooting the CPU between each access.

I implemented this attack using a BusPirate and the PySWD module. Here is a quick'n dirty PoC to

@c3c
c3c / redis-lua-linux-x86-poc.py
Created February 24, 2017 09:29
Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Original exploit by corsix and sghctoma
## Author: @c3c
## It's possible to abuse the Lua 5.1 sandbox to obtain RCE by loading modified bytecode
## This concept is fully explained on corsix' gist at https://gist.github.com/corsix/6575486
## This version uses pieces of the 32-bit Windows exploit made by corsix and the 64-bit Linux exploit made by sghctoma; as expected, a few offsets were different
## sghctoma's exploit uses the arbitrary memory read to leak pointers to libc and find the address of "system" http://paper.seebug.org/papers/Security%20Conf/Defcon/2015/DEFCON-23-Tamas-Szakaly-Shall-We-Play-A-Game.pdf
## This code is much the same, except the process is done using pwntools' DynELF
## Furthermore, attempting to leak addresses in libc appears to cause segfaults on my 32-bit Linux, in which case, you will need to obtain the remote libc version
@graphitemaster
graphitemaster / T0.md
Last active May 6, 2024 10:18
Vulkan Tutorial

Tutorial 0

What is Vulkan

Vulkan is a low-overhead, cross-platform 3D graphics and compute API.

Vulkan targets

Vulkan targets high-performance realtime 3D graphics applications such as games and interactive media across multiple platforms, providing higher performance and lower CPU usage.

@grawity
grawity / SASL.md
Last active August 21, 2024 07:09
SASL authentication from the perspective of IRC server-to-server protocols

SASL authentication in IRC

© 2014 Mantas Mikulėnas

This documentation is released under Creative Commons 3.0 Attribution license.


This is a description of server-server protocol, intended for ircd and services developers. For the client-server protocol descriptions, intended for client & bot developers, see the IRCv3 [sasl-3.1][] and [sasl-3.2][] specifications.

Guide to how fucked is SSL?

Thanks to Jacob Kaplan-Moss, Donald Stufft, David Reid, Allen Short, Zain Memon, and Chris Armstrong for review.

This is a guide for technical individuals to understand in what circumstances SSL communications are secure against an observer-in-the-middle (for all intents and purposes: the NSA).