The Cave

Tue 17 June 2025 by Xilokar

SSTIC 2025 Demos

A quick post to share th demo of my sstic 2025 talk more...

Sat 07 June 2025 by Xilokar

A few days before my SSTIC presentation Récupération de la clé des firmwares radio du stm32wb55 (in french), while doing my slides, I was made aware of a new release of the FUS for the stm32wb55. And of course, the attack I was going to present 5 days later was no longer working...

more...

Tue 29 October 2024 by Xilokar

ECC collision HOWTO

This is a small blog post I would have been happy to read while searching how to find ecc collision when dealing with how to exploit a limited write to flash.

No rocket science, just a little write-up.

more...

Mon 27 November 2023 by Xilokar

Bypassing a noexec by elf roping

#Reverse

In this post, I will show you how I bypassed a noexec permission in a limited chrooted env.

more...

Thu 21 July 2022 by Xilokar

Extracting stm32wb55 CPU2 firmware key

The stm32wb55 mcu is a dual core (cortex-m4/cortex-m0) mcu with integrated wireless capabilities (ble/thread/zigbee).

more...

Tue 07 June 2022 by Xilokar

Firmware key extraction by gaining EL3

#Reverse

A bit of history

A few months back, I turned my attention on my fiber gateway. So I ordered the same model on ebay, unsoldered and dump the nand, and after a lot of work, managed to have a clear view of the system, from bootloader to userland.

Basically, the bootloader check the signature of the kernel image, uncrypt the kernel image with a bootloader stored key, which in turn, uncrypt the rootfs image and voila.

[YYYY] / # ls
README       dev          lib          opt          sbin         usr
bin          etc          media        proc         sys          var
config       exports      mnt          root         tftpboot
ctmp         home         nonexisting  run          tm
[YYYY] / # cat README
If you can read this, congratulations !

Feel free to drop me an email, xxxx@yyyy.zz

more...

Mon 04 April 2022 by Xilokar