Tue 07 June 2022 by

Firmware key extraction by gaining EL3

A bit of history

A few months back, I turned my attention on my fiber gateway. So I ordered the same model on ebay, unsoldered and dump the nand, and after a lot of work, managed to have a clear view of the system, from bootloader to userland.

Basically, the bootloader check the signature of the kernel image, uncrypt the kernel image with a bootloader stored key, which in turn, uncrypt the rootfs image and voila.

[YYYY] / # ls
README       dev          lib          opt          sbin         usr
bin          etc          media        proc         sys          var
config       exports      mnt          root         tftpboot
ctmp         home         nonexisting  run          tm
[YYYY] / # cat README
If you can read this, congratulations !

Feel free to drop me an email, xxxx@yyyy.zz
Mon 04 April 2022 by

Pwning the bcm61650

The percello prc6000, also known as bcm61650 after Broadcom bought the company, is a chip used in 3g femtocells (Home-nodeB).

Here is a summary writeup of how I achieved to bypass its secure ROM to run arbitrary firmwares.

Mon 10 April 2017 by

Video Distorsion

Found this old piece of code, written in 2013. Only needed to change hardcoded resolution of the webcam to get it working again.

Fri 17 April 2015 by

Hello World

#include <stdio.h>

int main(int argc, char** argv) {
    printf("Hello World\n");
    return 0;

Page 1 / 1

Social Network