Stm32wb55 FUS 2.0
A few days before my SSTIC presentation Récupération de la clé des firmwares radio du stm32wb55 (in French), while doing my slides, I was made aware of a new release of the FUS for the stm32wb55. And of course, the attack I was going to present 5 days later was no longer working...
ECC collision HOWTO
This is a small blog post I would have been happy to read while searching for how to find an ECC collision when dealing with exploiting a limited write to flash.
No rocket science, just a little write-up.
Bypassing a noexec by elf roping
In this post, I will show you how I bypassed a noexec permission in a limited chrooted env.
Extracting stm32wb55 CPU2 firmware key
The stm32wb55 MCU is a dual-core (cortex-m4/cortex-m0) MCU with integrated wireless capabilities (BLE/Thread/Zigbee).
Firmware key extraction by gaining EL3

A bit of history
A few months back, I turned my attention to my fiber gateway. So I ordered the same model on ebay, unsoldered and dumped the NAND, and after a lot of work, managed to have a clear view of the system, from bootloader to userland.
Basically, the bootloader checks the signature of the kernel image and decrypts the kernel image with a key stored in the bootloader; the kernel in turn decrypts the rootfs image, and voila.
[YYYY] / # ls
README dev lib opt sbin usr bin etc media proc sys var config exports mnt root tftpboot ctmp home nonexisting run tm
[YYYY] / # cat README
If you can read this, congratulations ! Feel free to drop me an email, xxxx@yyyy.zz
Pwning the bcm61650
The percello prc6000, also known as bcm61650 after Broadcom bought the company, is a chip used in 3g femtocells (Home-nodeB).

Here is a summary writeup of how I managed to bypass its secure ROM to run arbitrary firmwares.
It Didn't Work
A picture is worth a thousand words...

Video Distorsion
Found this old piece of code, written in 2013. Only needed to change the hardcoded resolution of the webcam to get it working again.