...stuff I do and things I like...

Sunday, March 30 2008

I'm on Vacation!

nothing more to say :-)

Dead Palm Tungsten T3, now it will have to go



so daylight savings time switch again. My Palm Tungsten T3 again died from battery drain while waiting for user interaction to confirm the time switch. All data lost (I have a backup but still). This time I have enough, my T3 is going into the bucket (the box with old PDAs and phones). I don't really use it anymore but I still use to carry it around with me all the time. This will stop now.

Goodby Palm.

Tuesday, March 18 2008

RaidSonic NAS-4220 telnet root login without password

another bug I found in the software of the NAS-4220-B is that you can use telnet to login to the NAS-4220-B as root without being ask for as password. This is possible right after boot of the device. The problem seems to originate from the fact that the software puts together the filesystem in ram during boot. The actual bug is that telnetd is started before /etc/passwd is populated with a root account that has a password set.

[1] raidsonic nas4220 disk crypt key leak

Sunday, March 16 2008

RaidSonic NAS-4220-B Disk Crypt Key Leaking...

Found while playing with my NAS-4220-B last Sunday. RaidSonic didn't answer my emails so here you go.

--- BEGIN ADVISORY ---

Manufacturer: RaidSonic (www.raidsonic.de)
Device:       NAS-4220-B
Firmware:     2.6.0-n(2007-10-11)
Device Type:  end user grade NAS box
OS:           Linux 2.6.15
Architecture: ARM 
Designed by:  Storm Semiconductor Inc (www.storlinksemi.com)


Problem: 
 Hard disk encryption key stored in plain on unencrypted partition.


Time line:
 Found: 09. March 2008
 Reported: 09. March 2008
 Disclosed: 16. March 2008 


Summary:
 The NAS-4220-B offers disk encryption through it's web interface. The key
 used for encrypting the disk(s) is stored on a unencrypted partition.
 Therefore one can extract the encryption key by removing the disk from
 the NAS and reading the value from the unencrypted partition. The key
 itself is stored in a file in plain (base64 encoded). Therefore the 
 NAS-4220 crypt disk support can not be considered secure.


Details:
 The NAS-4220-B can hold two SATA disks. Disk are encrypted through a 
 loop back device using AES128. The problem came to my attention when
 I could access the NAS after reboot without suppling the hard disk key.
 
 The key is stored in /system/.crypt, "/system" is a small configuration 
 partition on the same disk that holds the encrypted partition. The system
 partition is created by the system software running on the NAS-4220. The
 configuration partition of the second hard disk is not mounted by default
 but also contains the .crypt file holding the key for the encrypted 
 partition on the same disk.


 Accessing the key (key value is the example I used):
  $ cat /system/.crypt
  MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
 
  key in plain           key in base64
  12345678901234567890   MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=


 Base64 decode:
  #!/usr/bin/python
  from base64 import *
  print b64decode("MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=")


Reported by:
 Collin Mulliner 

--- END ADVISORY ---



raidsonic_nas4220_crypt_disk_key_leak_09Mar2008.txt

Saturday, March 15 2008

Pre Paid HSDPA

I noticed that I tend to use mobile internet via GPRS/UMTS more and more mostly because of my Nokia N800 and now N810. But somehow UMTS no longer does it for me, it is too slow. So I started looking for a cheap way to use HSDPA. The solution is a cheap HSDPA USB modem and a pre paid HSDPA SIM card. Last week I found a nice Huawei E220 on eBay and today I bought a FONIC SIM card for 9,99 Euros at Lidl. The price looks good 1MB/24ct. I know that if I use more then 100MB/25Euro per month a flat rate is better.

I just tried it out and yes I got 120KB/s (just a quick download).

Now I just need to build or get one of those USB power injectors so I can also use the HSDPA modem with my N810.

Sunday, March 09 2008

NAS-4220 Hacking Twitter Stream

Frank setup a Twitter stream for our NAS-4220 hacking activities. We are both posting on it now.

twitter.com/nas4220

NAS-4220 Crypto Benchmark

earlier today I've done a small benchmark of the 4220's crypto capabilities (the speed at which you can up/down load when using crypto on the 4220). The results are quite ok for such a small and cheap system.

    Upload (to the NAS) was between 3.5MB/s and 4.5MB/s

    Download was about 4.70MB/s


It's nothing when comparing it with the unencrypted speeds (10MB/s up and 19MB/s down).

Thursday, March 06 2008

NAS-4220

today my NAS-4220 (RaidSonic ICY BOX IB-NAS4220-B) arrived. The 4220 is a really small NAS box with a lot of nice features like: size of a shoe box, 2xSATA (internal), 2xUSB-2 (external), GBit Ethernet, TCP Offloading, hardware crypto acceleration and it runs Linux and has an open boot-loader (RedBoot). In short this is a totally hack able piece of hardware.

Today I checked out the default firmware to see what it is capable of. The web interface is really bad but who cares. Some cool stuff. It supports RAID0, RAID1, and SPAN (make one disk out of two). You can create crypto volumes through the web interface and it seems to have a build in bittorrent client. Quite nice.

Since this thing has GBit ethernet I wanted to see how fast it is. I just used FTP to upload and download some files from my ThinkPad. For upload I could only get 10.5MB/s downloading was much faster with about 19MB/s. Since this was I quick test only I didn't try to tune anything. Btw. my setup was: the NAS box was running RAID1 (not crypted) and my laptop has a crypted disk. This looks quite good for a 120Euro NAS (without disks).

Now I'm going to build my own Linux image (kernel + buildroot filesystem). I will do this together with Frank who also just got him self a Nas-4220.

[1] NAS-4220
[2] Some infos on the used chip set and Linux support from Harald Welte
[3] NAS-4220 Infos from GPL-Devices.org
[4] NAS-4220.org community
[5] RaidSonic GPL code download (end of page section Sources)

Quasi Ausfall von AliceDSL

heute morgen (ca. 5 Uhr) hat sich Alice dazu entschlossen meine 16Mbit/s auf ca. 5Kbit/s zu drosseln. Der Support wusste auch nicht was nicht funktioniert und es haben ca. 5 verschiedene Personen meine Leitung durch-gemessen. Ergebnis keiner wusste was los ist. Eine halbe Stunde nach dem letzten Support Gespraech war dann ploetzlich wieder alles normal. Interessant war auch das die Upload Geschwindigkeit wehrend der ganzen Zeit normal war. Schon eine komische Sache, hat mich 1 1/2 Stunden heute Abend gekostet.

Sunday, March 02 2008

Setting J2ME Internet connection on Nokia S40

In my previous post on the RMV Handy Ticket (post in German) I've complained about the fact that the J2ME application can't seem to be able to use the internet/GPRS connection. I've tried the various autoconfiguartion tools provided by Nokia and my mobile phone operator but I couldn't get it working. The strange thing for me is that the GPRS connection works (I'm using my phone as a GPRS modem for my N810 and my laptop and I can also browse the web with the build in browser). So I asked Simon if he had an idea. He told me that internet is not internet for J2ME on these phones. Me WTF?!? The trick seems to be to configure the internet connection in two places: Settings -> Connections -> Packetdata (this is the one I had set) and Settings -> Configuration -> Favorite Connection (J2ME apparently needs this one). The thing that pissed me off the most was the fact that I found all the configuration settings I got via SMS under Favorite Connection.

Anyway now it works and I'm happy :-)

Saturday, March 01 2008

RMV Handy Ticket

Der RMV hat seit dem 27. Februar sein Handy Ticket System in Betrieb genommen. Sage Sie. Am 27ten konnte ich mich allerdings erst am Abend anmelden denn tagsueber ist deren Webanwendung beim PIN setzen immer mit einer java.lang.NullPointerException ausgestiegen. Nachdem dann die Anmeldung irgendwann funktioniert hat bekam ich auch eine Dienst-Mitteilung (oder auch Service-SMS) mit einer Download-URL. Download und Installation ging auch soweit ganz gut. Beim ersten Start der Applikation muss man allerdings die oben genannte PIN eingeben die dann wohl auf dem Server ueberprueft wird. Irgendwie klappt aber der Verbindungsaufbau nicht und ja natuerlich habe ich bei Verbindungsaufbau Zulassen? JA gesagt. Das Telefon (ein Nokia 6131 NFC) probiert noch nicht mal eine GPRS Verbindung aufzubauen. Da frage ich mich echt was das soll? Das Nokia 6131 NFC ist immerhin deren Referenz Telefon fuer das Ticketing System. Ich werde es wohl spaeter noch mal mit meinem Nokia 6233 probieren.

Hat das schon jemand zum laufen bekommen?