Skip to content

Instantly share code, notes, and snippets.

View nstarke's full-sized avatar

Nicholas Starke nstarke

173 followers · 10 following
View GitHub Profile
@nstarke
nstarke / building-and-running-ovmf-in-qemu.md
Created February 25, 2020 23:14
Building and Running OVMF in Qemu

Building and Running OVMF in Qemu

I built EDK2 and OVMF from source using the instructions here: https://github.com/tianocore/tianocore.github.io/wiki/How-to-run-OVMF

The instructions are helpful in getting the build tooling configured to build edk2, but I consistently ran into a problem when I built the DEBUG version of OVMF. I would run:

$ qemu-system-x86_64 -bios ../edk2/Build/OvmfX64/DEBUG_GCC5/FV/OVMF.fd
@nstarke
nstarke / ecusim-2000.md
Created February 23, 2020 04:20
Car hacking with ScanTool ECUSim 2000

Car hacking with ScanTool ECUSim 2000

An upcoming project has me looking at car hacking at the moment. I watched a great video ( https://www.youtube.com/watch?v=nvxN5G21aBQ ) which caught me up to speed on the fundamentals. There are a few other videos out there on introductory car hacking, but they all seem to revolve around the virtual can interface provided by vcan. I decided I didn't want to test virtually because then I wouldn't know how to work with the actual connection hardware. At the same time, being a beginner, I DID NOT want to plug into my personal vehicle's ODB2 port.

I was looking for something between vcan and a real car. A little googling led me to the ScanTools ECUSim 2000: https://www.amazon.com/OBDLink-ScanTool-ECUsim-Simulator-Development/dp/B008NAH6WE

This board simulates a car. It has a ODB2 port for interfacing just like one would do with a

@nstarke
nstarke / netgear-private-key-disclosure.md
Last active January 23, 2025 21:42
Netgear TLS Private Key Disclosure through Device Firmware Images

Netgear Signed TLS Cert Private Key Disclosure

Overview

There are at least two valid, signed TLS certificates that are bundled with publicly available Netgear device firmware.

These certificates are trusted by browsers on all platforms, but will surely be added to revocation lists shortly.

The firmware images that contained these certificates along with their private keys were publicly available for download through Netgear's support website, without authentication; thus anyone in the world could have retrieved these keys.

@nstarke
nstarke / 0000-thecus-firmware-decrypt.sh
Last active June 12, 2024 22:47
Thecus Firmware Decrypt Bash Script
#!/bin/bash
#
# This script takes a Thecus Firmware Image and decrypts it.
# The encryption key is based off of one of the supported
# models, which are listed in the firmware filename. This
# script will try all of the model names in the file name
# and delete any that do not decrypt to a gzip file.
#
# You will need the following c program compiled and passed
@nstarke
nstarke / mac-address-table-filler.py
Last active January 16, 2020 15:34
Mac Address Table Filler
#!/usr/bin/env python
#
# This script is meant to assist in filling up a MAC ADDRESS Table on a switch
# This script reuqires scapy to be installed, and most likely will need to be
# run as root. That means scapy will have to be installed for the root user
# in order for this script to work.
#
# Arguments:
# * Interface to send ARP packet on
@nstarke
nstarke / resize-ghidra-gui.md
Last active March 21, 2025 13:32
Resize Ghidra GUI for High DPI screens

Resize Ghidra for High DPI screens

If you run Ghidra on a high DPI screen, you will probably find the GUI to be scaled down so small to be almost of no use.

There is a setting that you can adjust to scale the Ghidra GUI:

in $GHIDRA_ROOT/support is a file named launch.properties. In this launch.properties file is the following configuration key:

VMARGS_LINUX=-Dsun.java2d.uiScale=1
@nstarke
nstarke / rsync-auth.py
Last active November 28, 2019 01:44
Rsync Protocol Authentication flow in Python
#!/usr/bin/env python
from Crypto.Hash import MD4
import socket
import base64
import os
import random
import time
import sys
@nstarke
nstarke / FindHTMLDocuments.java
Last active November 20, 2019 20:32
Ghidra Plugin for Finding Embedded HTML Documents and Fragments
// Search for HTML Documents / Fragments embedded in a binary and create a bookmark
// @author Nicholas Starke
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.mem.Memory;
import ghidra.program.model.mem.MemoryAccessException;
import ghidra.program.model.mem.MemoryBlock;
import java.nio.charset.StandardCharsets;
@nstarke
nstarke / papi.py
Created September 24, 2019 14:39 — forked from eriknl/papi.py
Reverse engineered partial Aruba PAPI implementation
import hashlib
from struct import *
"""
This implementation was reverse engineered using Wireshark (and source code), strace and two excelent articles:
- https://x-c3ll.github.io/posts/CVE-2018-7081-RCE-ArubaOS/
- https://packetstormsecurity.com/files/136997/Aruba-Authentication-Bypass-Insecure-Transport-Tons-Of-Issues.html
"""
def papi_encrypt(data):
@nstarke
nstarke / binary-split-zero.py
Created September 24, 2019 00:10
Split Binary File on Zero'd Memory Regions
#!/usr/bin/env python
# The idea behind this file is that many times firmware images are constructed with zero'd out address regions as the delimiter.
# This script will split files in a firmware image when the embedded files are $MAX zero'd bytes in distance from each other.
import sys
import copy
FILE=sys.argv[1]
MAX=512