That’s right – I’m booked for Quakecon 2009! For those who don’t know Quakecon is a 4 day epic lan/gaming convention centered around id software games. It’s hosted in Grapevine, Texas.

I’m leaving on the 12th and returning to Sydney on the 1st of September. Between Quakecon and returning I’m holidaying for 3 weeks in the US staying in Vegas and LA.

There is only one more night to go before our biggest event yet. Including staff we have 63 people signed up, we have an awesome lineup of competitions and prizes, and we have even had our first event epic fail – our web host stopped working for the better part of a day!

There are only 5 2 -4 :O places left. Sign up here now.

SOGC DominationLAN – 4th July 2009
Mosman Returned Serviceman’s Club – 719 Military Rd, Mosman, NSW
10AM to 10PM

Confirmed Games list

PC’s

Flatout 2
Counter-Strike: Source
Call of Duty 4: Modern Warfare
Team Fortress 2
Defcon
Homeworld 2 (with Complex Mod)
Battlefield 2
Unreal Tournament 3

Consoles

Fight Night: Round 3
Street Fighter IV
Smash Bros. Wii

Competition information for the day can be found in this forum post.

Update: I have added more photos to this post as of ~12:30pm

This is a Sun Microsystems Javastation Krups model. It was Sun’s earlier attempt at creating a network computer, basically a diskless workstation. I *really* need to get this doing something interesting. There are quite a few resources on the net with information about how to get them to network boot linux. With that information I might even be able to write my own software for it.

Keeping in the theme of Network Computers the Digital Equipment Multia was DEC’s attempt at a lightweight network centric computer. This particular version has a 166mhz Alpha AXP processor. It runs a small laptop hard drive, floppy drive and supports PCMCIA cards. As far as I know it works but it has nothing installed on it. Either that or the hard drive doesn’t work.

I have an original NeXT Slab. Unfortunately I only have the slab and the keyboard and mouse. Unfortunately I don’t have the sound box which is used to split the video/devices cable into the video, keyboard and mouse connectors. Thus I haven’t been able to boot it up so I have no idea if it works. It is pretty, though.

This is a Silicon Graphics o2 which I paired with a Silicon Graphics 1600SW. Not exactly uncommon. I don’t know the specs of this o2, but I know it is loaded with 6.5.something version of Irix and does nothing particularly useful .

Sun Sparcstation 5 – a pizza box Sparc based workstation.

IBM PC Convertible. From memory it runs an 80c88 processor which is a CMOS variant of the Intel 8088 processor. It had the ability to have it’s state maintained simply by turning off the clock signal.

This is a Silicon Graphics Indy with a Indy Presenter 1280 flat panel screen. Also included is a IndyCam which is a streaming video camera.

It’s a Macintosh Classic. Enough said

Inspired by a forum post on osdev.org about image colour downsampling I decided to have a crack at writing a program which could take a 24-bit image and convert it down to any lesser image format. The picture above shows an image split down the middle. On the right is the original 24-bit colour version and on the left is a 8-bit per pixel version with 2 bits for the red colour channel and 3 bits for the green and blue colour channels (rather than having a specific palette for the image I am downsampling to a 2:3:3 bpp image). As you can see the colour loss is acceptable and despit the limitations it still looks nice. Obviously the image could be improved further by choosing a colour palette suitable for the image but that is for another project.

I’ll post the code once I have cleaned it up a bit and smoothed it out so it doesn’t have so many hard coded values.

CDP Transponder

Another project I’ve been working on with my interest in Cisco hacking and reverse engineering is my Cisco Discovery Protocol transponder. It is a small program which sits on your computer and emits a configured CDP message every so often allowing your computer to show up on CDP neighbour lists. It doesn’t really have much purpose at the moment but I hope to play around with it and trying to bridge it with LLDP devices so I can get old Cisco gear to show up on my new Windows network topology maps.

This is the output of the show cdp neighbors command on my Cisco 2610XM router. It shows my computer as the device connected to the Fastethernet 0/0 port.

I’ve been working on replacement configuration for the server (on my own computer running on VMWare Workstation) to be able to provide the same services while halving the memory usage (from 512mb to 256mb) and not hitting the swap except in edge cases.

The server currently runs Apache, MySQL and PHP along with Dovecot and Postfix for email as well as a few other scripts for virus checking and spam filtering.

My new server config looks to be running Nginx, MySQL, PHP, Dovecot and Postfix. Pretty much the same except everything has been tweaked and optimised for lower memory usage.

I have also enabled caching for this website so it should be a bit faster now. Not that it was that slow before.

SOGC DominationLAN now has a working Battlefield 2 Dedicated Server. We will be running a Battlefield 2 competition, prizes to be determined, so get practicing.

UnHexDump takes the familiar output of HexDump and converts it back into nice binary format. I wrote this program to assist in extracting files off my Cisco 7970 IP phone which lacks any remote file copying capability.

I am now releasing UnHexDump to the world. It’s a little hackish (given that I wrote it at 3am this morning to solve a problem, that usually happens :[ ). It is licensed under the GNU GPLv3 License. The source code is plain C++ and a windows executable are to be found in the zip file below.

It can be found by clicking the UnHexDump link on the sidebar or here.

As of late I’ve been doing quite a bit of Cisco phone trickery. I’ve gotten a network of Cisco phones working with Asterisk and I’ve been building up sleek looking XML services for the 797x models. What I really want to do, though, is delve a little deeper into the spirit of hardware hacking and see if I can properly customise the phone beyond what is possible with configuration files.

Basic Hardware

The Cisco 7970 is based around a Broadcom BCM1100 IP Phone Processor which includes a R3000 MIPS32 core running at 100mhz and a DSP running at 140mhz. This single chip provides the bulk of the functionality required by the phone. Attached to this core is 32MB of DRAM and 16MB of Flash Memory.

Behind the scenes the phone runs on a proprietary unix-like operating system called CNU-OS. Running the command uname -a emits the following,

CNU6-OS  8.5(2TH1.9) 3.3(0.3) CP-7970G BCM1100-C1(MIPS32)

The operating system

The operating system provides a multitasking environment on which the phone software runs. It, of course, mostly runs on Java.

Unfortunately for would be hackers *cough* the Superuser account is barred from regular access by a random password generator. Attempting to access the Superuser account, either from the login screen or via the su command, results in the following

$ su

challenge: ZTHPLNFJ password:
Invalid Username/Password Entry.
challenge: XZLDHZGX password:
Invalid Username/Password Entry.
challenge: KCKVNLNQ password:
Invalid Username/Password Entry.

The challenge value changes with each attempt. The challenge value is always an 8 character uppercase letter only string, though. It is also in exactly the same format as the passwords encoded in the /etc/passwd file. From this I make a few assumptions regarding the root challenge

1. The password is symmetrically encrypted, rather than hashed
2. This is because a Cisco engineer would need to decrypt the challenge in order to obtain the access code
3. The password is undoubtably a small string of random letters

Alternate means of access

I never let a lack of superuser access prevent me from doing what needs to be done. Surely having physical access, not to mention ownership of said phone, endows me with the right to do with it what I wish? Apparently not. I came up with an interesting idea for granting full filesystem access to any user.

During the phone boot process it runs the /etc/init.tab script which performs a number of tasks like mounting the partitions and starting the various services. Since this is a fixed platform there isn’t much need for automated scripts. I had the idea of replacing a less important command with a ‘chmod -R 777 /’ command to grant read, write and execute permissions for everybody to everything. It’s a little hackish but that doesn’t really matter. The only problem is that you can’t edit the file in place on the phone (because of a lack of permissions). The file *is* editiable when it is still a part of the phone load. I cunningly edited the phone load file (jar70sccp.8-5-2TH1-9.sbn for anyone interested) which contains, among other things, the init script I wished to edit right in plain text.

I forced the phone to reload the firmware from TFTP and was met with Cisco’s next roadblock to hacking goodness. The SBN file, which is a Signed Binary, was no longer valid. Since the file is not encrypted I can only assume at this stage that the file contains a checksum of some sort that became invalid when I updated the necessary file.

That still remains an interesting vector of attack. The SBN file format is not that complicated looking and the bulk of the file data is the very files it contains, stacked one after the other.

So what nao

Now I am working on deciphering the SBN file format so that I can create tools to build by own phone loads. There is a lot of potential for customisation. All of the phone’s graphical assets are stored in a number of PNG files which are easily editable.