Bake that Book

Last Summer i gave my old Macbook Pro 15″, Late 2011 with 8GB and 160GB SSD to one of my team members at Userlike, since i got a Retina upgrade. I think the old one was still decent, since the SSD gave it that boost to make it usable, even if the laptop was 2 years old at that time. Unluckily the old Macbook Pro didn’t last long, it just died after 3 month. Wouldn’t turn on anymore. As i predicted, after bringing it to the Apple Store, they said the logic board was fried, which always means its totaled. We bought a new Macbook and moved on.

Now i got the broken Macbook back to my place and i thought i would at least sell the display, case and reuse the SSD. But i remembered reading all the Macbook baking blog articles. I already disassembled a few Macbooks down to the logic board and also did some reflow stuff for side projects. Also knowing that a friend of mine has good experience with baking old Nokia phones, i though i give it a try.

  • Go to ifixt.com and look up the tutorial to change the logic board
  • Disassemble the laptop, collect screws and parts in separate containers
  • Be becareful with all the ribbon cable connectors, there are a lot and some are tricky
  • Get the logic board out, remove heat pipes, ram and speakers
  • Preheat oven to 180c
  • I cleaned the board with isopropyl alcohol
  • Set board on tin foil legs on a baking tray
  • Put in the oven for 7 minutes
  • Let it cool fast at a open window
  • Clean fans and case from the inside
  • Assemble, make sure to get all cables connected
  • Boot that Book

I hoped that i had a 50/50 chance that it will work. I was confident, that i don’t mess the laptop during disassemble and assemble phase, i wasn’t sure what the result was after baking. I remembered that the laptop got quite hot while working, so there were some odds that this permanent heat would have altered the setup of the parts of the pcb. And it turned out to be worth the work, the Macbook booted up nicely.

Get your tools

IMG_2536

IMG_2534

IMG_2537

IMG_2538

IMG_2540

IMG_2543

AspeQt for OSX

2 years ago i started to transfer my old Atari 800 XL software from the 28 years old “5,25 disk to ATR images on my laptop. But i was never happy with the setup using a windows program in a vm to do the transfer. I found AspeQt which is opensource, but it did not support OSX. So i started to add an serial driver with OSX support to it. And then forget about it. Till recently when i got an email from the AspeQt maintainer Ray who asked about the state of my github repo. Since i want OSX support in the mainline, i picked the lastest version of AspeQt to update my repo, which already got a little stale. Then i found out that is a pain in the ass to run QT4.8 on Maverick, there is no offical package and building from source you end up in patch hell.

So i decided to move my branch of AspeQt to QT5.2, which was pretty straight forward.

QtCreator is not a great editor but does the job

QtCreator

QtCreator

AspeQt on OSX

AspeQt on OSX

AspeQt on OSX

Found some cool stuff on my disks

Software from the 80ies

Software from the 80ies

Spoof BTADDR

Wrote a quick & dirty python wrapper for the bluez-utils bccmd command to set a the btaddr of an bluetooth hci device. The native bccmd syntax is awkward, so that i found it handy to have a script which accepts normal formated btaddr as an argument and does some error checking and status infomation.

Usage:

root@linux:~/devel/tech/bluetooth/# ./setbtaddr hci0 01:0E:07:75:B7:12
Exec './bccmd  -d hci0 psset -r bdaddr 0x75 0x00 0x12 0xB7 0x07 0x00 0x0E 0x01'
hci0:   Type: USB
        BD Address: 01:0E:07:75:B7:12 ACL MTU: 192:8 SCO MTU: 64:8
        UP RUNNING
        RX bytes:86 acl:0 sco:0 events:9 errors:0
        TX bytes:33 acl:0 sco:0 commands:9 errors:0

download

H00lyshit – DIY Bluetooth Sniffer

Since the 23c3 every interested researcher knew that is easy to compromise bluetooth sessions using the BTcrack tool.Thierry Zoller showed how it’s possible to retrieve link keys, The only problem was to get hands on a bluetooth sniffer device to get the raw bluetooth packets. Such devices are not available at consumer prices. But somehow Max Moser found a way to tranform a vanilla usb bt dongle into a bluetooth sniffer device. Don’t believe the hype…Now bluetooth security is dead.

Mini Howto:

#Backup old firmware
dfutool -d hci0 archiv backup.dfu
# Backup config
bccmd -d hci0 pslist -s 0x000F >> backup_cfg
# Check Vendor ID ( has to be 0x0a12)
bccmd -d hci0 psget -s 0x000f 0x02be
# Write new Product ID
bccmd -d hci0 psset -s 0x0002 0x02bf 0x0002 

Undelete with Sleuthkit

Wrote a little Bash script using Sleuthkit tools to recover a deleted file from a partion. Tested the script with ext2 and fat32 filesystems.

Setup a test image:

dd  if=/dev/zero of=image  bs=1k count=8192
mkfs.ext2 image
mount -o loop image /mnt/image
cp something /mnt/image
rm /mnt/image/something
sync
umount /mnt/image

Now you can start the script to find a token of the deleted file:

./find.sh image “Test”

The Code for find.sh

#!/bin/sh
 
IMAGE=$1
TOKEN=$2
BSIZE=1024
TYPE="linux-ext2"
TMP="dls_$(date +%Y%d%m_%H%M%S)"
 
if [ $# -ne 2 ]
then
    echo "Usage: $0 image token"
    exit -1
fi
 
if [ ! -f $IMAGE ]
then
  echo "Cannot find $IMAGE"
  exit -1
fi
 
if [  -z "$TOKEN" ]
then
  echo "Pleae give search token"
  exit -1
fi
 
echo "--------------------------"
echo "Found deleted"
fls -f $TYPE -rd $IMAGE
dls -f $TYPE $IMAGE > $TMP
strings -t d $TMP > $TMP.str
echo "--------------------------"
grep -i "$TOKEN" $TMP.str
echo "--------------------------"
echo -en "Select Offset:"
read n
ADDR=$(grep -i "$TOKEN" $TMP.str | grep "$n" |  sed 's/^[ \t]*//' | head -n 1 | cut -d " " -f1)
if [ -z "$ADDR" ]
then
    echo "Nothing found for '$TOKEN'"
    exit -1
fi
echo "Found $ADDR"
OFFSET=$(echo "$ADDR / $BSIZE" | bc)
echo "Using Offset $OFFSET"
BLOCK=$(dcalc -f $TYPE  -u $OFFSET  $IMAGE)
echo "Using Block $BLOCK"
echo "----------------------------"
dcat -f $TYPE  $IMAGE  $BLOCK
echo
echo "----------------------------"
INODE=$(ifind -f $TYPE  $IMAGE -d $BLOCK)
echo "Found Inode $INODE"
istat -f $TYPE $IMAGE $INODE
BLOCKS=$(istat -f $TYPE $IMAGE $INODE | tail -n 1)
echo "---------------------------"
echo "Found Blocks $BLOCKS"
echo "---------------------------"
(for BLOCK in $BLOCKS
do
   dcat -f $TYPE  $IMAGE  $BLOCK
done) | tee $TMP.found
echo "---------------------------"
echo "Saved to $TMP.found"
echo "---------------------------"
rm -f $TMP $TMP.str

InlineEgg Shellcode

Made a nice shellcode using the python inlineEgg library. The shellcode is designed to smash the stack of a programm which is listen on a socket. The read buffer gets overflowed by the shellcode. The code was tested an on older SUSE9.0, because current disto use pie and ssp

Features:

  • Python script that generates the shellcode
  • Re-uses the listen socket of the victim and connects it to new shell
  • Scans for correct fd and peername
  • Embedded Telnet client which connects to created remote shell
  • Encoder to generate polymorph shellcode

    Download