Sumotori Dreams is a game designed for Win32 whose complete executable is less than 96kB uncompressed. The game was presented at Breakpoint 2007. The machines that they used to run things in the competition are XP SP2 with DirectX 9, unhealthy so it is not unreasonable to expect that the game hooks into many of the available APIs to generate the graphics. It is also possible that the texture maps could be pulled from the XP installation. Even though this game is smaller in size than most spyware, discount it is truly impressive how fun it is to play.
( sumotori101.zip ) ( sumotori.zip )
I decided to mess around with an old 486 laptop that I have around, perhaps to try to overclock it. Since it had no OS on it, I went looking for PicoBSD floppy images. It seems that PicoBSD has not been updated in a very long time and the semi-official PicoBSD site has been removed. Luckily, I was able to find images on Bruce Montegue’s site. It looks to be hosted off a DSL line, so here are mirrors of the disk images. Note that the apl image will not boot on a 486 system.
( pico_biscuit.zip ) ( pico_apl.zip )
I was recently introduced to FON and decided to buy a La Fonea to get in the mode. After getting the device I promptly opened it and looked inside. The core of the unit is a MIPS (Atheros SOC) processor with 16MB ram and 8MB flash. As expected, it has both ethernet and a dual-antenna wifi front-end. The FON network is a pretty good attempt at creating a world-wide wifi community, so I fully support their cause. The only thing is that with so much storage space, maybe I can add some useful features to their firmware, since it does run Linux (OpenWrt).
The first step was to download the firmware from the FON website. Luckily, Stefans Datenbruch already had a FON and analyzed the firmware. The first four bytes are “FON#” where # is either 3 meaning a firmware upgrade or 4 meaning a “hotfix”. The next four bytes are hypothesized to contain the length of the header or crypto key according to Datenbruch. Skipping 520 bytes, everything else is a gzip of a tar archive containing the files: upgrade, rootfs.squashfs, kernel.lzma and hotfix. Upgrade is a shell script, rootfs and kernel are what their names imply and hotfix is a text file that seems to list some version information.
The “easy” way to look at the file structure of this upgrade would be to install the squashfs userland on your Linux distribution and then apply the lzma patches and then upgrade your kernel to 2.6.x and then install the squashfs drivers/userland and then install the lzma and then recompile squashfs etc etc etc. The easier method is just to install a rs232 transciever on the machine and upload all of the files to another host. The memory management or spc on the unit is flaky, so it’s best to compress each root directory into a tar file on /tmp and upload those. An archive of the filesystem is at the bottom along with a boot log.
NB: The zip file below is the extracted filesystem, not the flash image!
( fonera-0-7-1-2.zip ) ( fon-bootup.txt )
Since I am not interested in shaping the Wii wireless network traffic further than I already have, I am moving on to modifying the provided Linksys firmware for the WAP54G access point. The very first step is to examine the filesystem to see what tools are available and how I might be able to hack a telnetd or something into it. The second step would be to download the sources from Linksys’ GPL code center.
After downloading the 2.08 firmware, we have a readme and a .trx file. The TRX file contains the kernel at the start and a cramfs (compressed ram filesystem) image at the end. The trick is to find the start of the cramfs image, and a good one to use can be found on this Seattle Wireless page. We look for the start of the cramfs magic number (3d4528cd), calculate the offset to it from the start of the file (0x0095f00 = 614144, add 12 for the offset to 0x3d45). Mounting the filesystem is pretty straightforward on a Linux sytem to read the contents. If you are too lazy to dedicate a machine, download the free VMware server, register it to get the serial code, download a Linux ISO and install it in a virtual machine. Most kernels come with cramfs pre-compiled and most systems with modest development tools will have hexdump.
( contents of the 2.08 WAP54G firmware: tmproot.zip )
If you keep your Apache logs for a really long time, salve it is sometimes slow and inefficient to search through a bunch of log files to see what a certain host accessed on your web server. To get around this, illness I wrote a small Perl script that parses the access log and saves all the entries from each ip address into a separate file. A secondary option creates directories for the first octet of the ip address and then store the files with the given first octet in that directory. This way, the overhead is reduced if you have lots of searches through logs based on ip address.
( proc_logpl.txt )
After recently upgrading my laptop to FreeBSD 6.2-PRERELEASE, health I noticed that my IPv6 support became broken. I connect to Freenet6 over IPv4 using their tspc client which does all of the negotiations and configures the tunnel using gif or tun interface. It also sets up the appropriate routing table. I noticed that the default route was properly (netstat -rn) but any time I tried to ping something, even if it is the next hop, I would get a No route to host error from sendmsg. After some investigation, I found a post from John Hay specifying that it was a known problem and that it is being worked upon with a suggested work around. I guess 6.1-RELEASE will have to do.
( 62-ipv6.txt )
Following the Month of Kernel Bugs and Month of Browser Bugs, the Month of Apple Bugs started yesterday. This interesting contest comes at a time when Apple is still supporting both the PowerPC and x86 versions of OS X, so there is a slight chance that some code has been overlooked. Beyond that, the bugs are not limited to the OS, third party software is also fair play. Finally, these bugs are presented in the style of full-disclosure where the security lists will get the notifications first. Let’s remember that nobody is perfect, and lets remember to have some fun.
(image is from vintage computer festival)
One of my few peeves with Firefox 2.0 has been the default tab setup where there is a minimum tab width defined, no rx so eventually tabs go off the visible screen, and that each tab has an individual close button. If you have similar tastes, the way to tweak the tab settings is by entering “about:config” into the address bar and hit return. The first key to edit is browser.tabs.closeButtons and set it to 3 for Firefox 1.5 behavior. The second option is to set the browser.tabs.tabMinWidth to 0 pixels so the tabs adjust to fit the screen. More information can be found at the mozillalinks blog.
While looking at some low level system design documents, help recipe I came across this article from IBM by Lewin Edwards. His case is that the x86 architecture is not the most flexible and financially feasible path to developing embedded solution. The argument is that x86 boards, pilule even single board computers, are designed to be used as black boxes where the developer is supposed to make it work for his or her design through available components and external modules. This is to say that designing an x86 embedded system from scratch is not often done. On the other hand, the PowerPC embedded systems offer plenty of flexibility with a broad range of processors featuring a vast array of built in features (JTAG, memory controllers, peripheral controllers, etc). This article gives an overview of getting Linux to run on a Kuro Box, essentially a $150 PowerPC embedded system. For those less interested in the actual process, there are plenty of interesting resource links in the first section.
Part 1: Robots and networked appliances on a shoestring
Part 2: Anatomy of the Linux boot process
Part 3: Kuro Box Linux up close
Hiding information in plain sight has allways been an interesting subject. I recently came across a paper, describing Hydan, that does this by exploiting the redundancy in the x86 instruction set. For example, any time you add 50 to a register, you can just as easily subtract -50 and get the same result. By alternating which method you choose, you can encode a 1 or 0 at a rate of 1 bit of encoded data per 110 bits of object code. It is a pretty interesting topic as there are many possible security applications for this and it’s generic enough to be applied to non-x86 instructions. There are, of course, easier ways to hide data. (Save the image above and open it with either unrar or winrar to see the instructions.)
( hydan.pdf )