1-5 out of 5 results
57:44 REcon English 2016

How Do I Crack Satellite and Cable Pay TV?

Follow the steps taken to crack a conditional access and scrambling system used in millions of TV set-top-boxes across North America. From circuit board to chemical decapsulation, optical ROM extraction, glitching, and reverse engineering custom hardware cryptographic features. This talk describes the techniques used to breach the security of satellite and cable TV systems that have remained secure after 15+ years in use. Topics include: chemical decapsulation and delayering of ICs in acids, microphotography and optical bit extraction of ROM, binary analysis using IDA and homebrew CPU simulators, datalogging and injection of SPI and serial TS data, designing and using a voltage glitcher, extracting secret keys from RAM of a battery-backed IC, analyzing hardware-based crypto customizations, studying undocumented hardware peripherals, MPEG transport streams and non-DVB-standards, QPSK demodulation, interleaving, randomization, FEC of OOB (out-of-band) cable data. The result is knowledge of the transport stream scrambling modes and knowledge of the conditional access system used to deliver keys. Strong and weak points are identified, and advanced security features implemented nearly 20 years ago are compared to modern security designs. A softcam is designed and tested using free software, working for cable and satellite TV.
  • Published: 2016
  • Publisher: REcon
  • Language: English
57:47 REcon English 2016

Visiting The Bear Den

During the last two years, three cheerful chaps tracked one of the most prolific espionage groups out there. The group in question created a complex software ecosystem–composed of tens of different components–and also regularly pulls out 0-day exploits. This talk presents the results of the hunt.
  • Published: 2016
  • Publisher: REcon
  • Language: English
55:51 REcon English 2016

Shooting the OS X El Capitan Kernel Like a Sniper

OS X El Capitan has introduced new exploit mitigations to the kernel. Such mitigations include “vm map copy” mitigation, System Integrity Protection/Rootless, SMAP (enforced on new models of MacBook Pro), etc. Combined with the existing modern OS exploit mitigations like kASLR and DEP, exploiting the OS X El Capitan kernel has become harder. Approaches to defeat those new mitigations were discovered by security researchers in late 2015, but most of them have additional prerequisites for either the bug or the environment. For example, the technology to overwrite the size of vm map copy requires a perfect zone overflow (overflowed length controllable + content controllable), and some of the technology requires creating a specific user client, which is prohibited by sandboxed processes (Safari WebContent, Chrome sandbox, etc.). In this talk, we will introduce a new approach to exploit the El Capitan kernel from the most restrictive sandboxed process (Safari WebContent). The new approach is universal to all OS X kernels and doesn’t require too much on bug quality. Only a single write (not necessarily arbitrary value) is needed to pwn everything (including info leak, kASLR, DEP, SIP, SMAP bypass). The new technology will be illustrated by a live remote root demo during the talk.
  • Published: 2016
  • Publisher: REcon
  • Language: English
34:17 REcon English 2016

Black box reverse engineering for unknown/custom instruction sets

Have you ever come across a firmware image for which you couldn’t find a disassembler? This talk will cover reverse-engineering techniques for extracting an instruction encoding from a raw binary with an unknown/custom instruction set. The main focus is on static techniques and features of firmware images that you can use to your advantage–but some dynamic techniques will be covered as well.
  • Published: 2016
  • Publisher: REcon
  • Language: English
29:20 REcon English 2016

BBS-Era Exploitation for Fun and Anachronism

The bulletin board era was a golden age for those of us who were into computers (and in existence) at the time. Yet, think of how much better it could have been if we’d had today’s exploitation tradecraft to bring to bear back then. In this presentation, we’re taking modern technology back with us a couple decades and aiming it at BBS-era software, possibly to see what we can learn from attacking these scrutable-yet-unusual systems but mostly just because we can. We’ll use tools and techniques that didn’t publicly exist at the time to run, reverse engineer, attack, debug, and exploit old code. Finally, we’ll demonstrate some of the fun we could’ve had, if only we knew then what we know now… Source code and proofs-of-concept will be released.
  • Published: 2016
  • Publisher: REcon
  • Language: English