Steam Stream – A short rundown

So today I got the invite to the Steam Streaming beta and I spent a few minutes testing it and it works reasonably well.
I don’t plan to talk here about what it is, how well it works, what it can or can’t do, or anything that everybody who got invited tried and said anyway. After all, all it does is record the screen and send it over the network, plus input commands.
I planned, or more exactly I plan, on writing a small client or maybe a libretro core for it.
So the first step is to take a look at the protocol :) so let’s start.
So I started a little session and took a look at the traffic with Wireshark. First it seems to negotiate the session through TCP, and the rest of the protocol is (as one could guess) entirely UDP.
The TCP traffic format seems to have a variable-length data stream, but it always seems to start with 0x17030300.
The UDP stream’s first packet looks like:
0x0100XY000000000000FOOBARAB
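The fixed 0x17 0x03 0x03 prefix followed by a variable length is exactly the layout of a TLS record header (content type 0x17 = application data, version 0x0303 = TLS 1.2, then a 16-bit payload length), so the TCP side can be framed into records before anything else is attempted. The Python below is an added example, not code from the original post; it assumes the TCP stream really is TLS, which the prefix suggests but the capture alone does not prove, and the sample bytes are constructed.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1); 0x17 is application data
TLS_CONTENT_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}


def split_tls_records(stream: bytes):
    """Frame a byte stream into TLS records.

    Each record starts with a 5-byte header: content type (1 byte),
    protocol version (2 bytes), payload length (2 bytes, big-endian).
    Returns a list of (content_type_name, version, payload). A trailing
    partial record is left out so the caller can wait for more bytes.
    """
    records = []
    offset = 0
    while offset + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[offset:offset + 5])
        # sanity check: known content type and a 3.x (SSL3/TLS1.x) version
        if ctype not in TLS_CONTENT_TYPES or version >> 8 != 0x03:
            raise ValueError(f"not a TLS record header at offset {offset}")
        end = offset + 5 + length
        if end > len(stream):
            break  # partial record: need more data before it can be framed
        records.append((TLS_CONTENT_TYPES[ctype], version, stream[offset + 5:end]))
        offset = end
    return records


# Constructed sample: two application-data records, each starting with
# 17 03 03 00 as seen in the capture (length high byte 0x00 = payload < 256 bytes)
SAMPLE_STREAM = (
    bytes.fromhex("1703030005") + b"AAAAA"
    + bytes.fromhex("1703030003") + b"BBB"
)


def summarize(stream: bytes = SAMPLE_STREAM):
    """Return (type name, version as hex, payload length) per framed record."""
    return [(name, hex(ver), len(payload)) for name, ver, payload in split_tls_records(stream)]


if __name__ == "__main__":
    for rec in summarize():
        print(rec)
```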
Also it should be noted that it uses the VLC libraries to encode the video.
At least the stream tells me:
x264 - core 138 - H.264/MPEG-4 AVC codec - Copyright 2003-2013 - http://www.videolan.org/x264.html - options: cabac=1 ref=1 deblock=1:0:0 analyse=0x1:0x1 me=dia subme=1 psy=1 psy_rd=1.00:0.00 mixed_ref=0 me_range=16 chroma_me=1 trellis=0 8x8dct=0 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=0 threads=2 lookahead_threads=2 sliced_threads=1 slices=2 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=0 weightp=1 keyint=infinite keyint_min=536870913 scenecut=40 intra_refresh=0 rc_lookahead=0 rc=crf mbtree=0 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 vbv_maxrate=250 vbv_bufsize=272 crf_max=0.0 nal_hrd=none crop_rect=0,0,0,12 ip_ratio=1.40 aq=1:1.00
The first part of the UDP traffic establishes some basic information, like information about the client OS (GPU information, CPU information and OS type) and some things like encoding information and game info.
Later on I will try to actually understand the protocol, but that will have to do for a quick look.

ATA security lock removal for Seagate [Solved] ;)

After spending a few hours working on this and finding it very interesting, I am now writing this little article to maybe help or guide people having the same problem as me, because in my opinion this really simple matter isn’t covered enough on the internet.
Don’t get me wrong, it is extensively covered, but most of the coverage repeats and rehashes the same thing over and over again.
There is no new knowledge and no community (that I found) that works on this. I found the hddguru forum helpful, but exchanging real information isn’t common there. Most times I found a question that was askable, the second or third post would be like “We can’t verify it’s your HD so we can’t help”. This seems to be purely because of a lack of knowledge, because they didn’t seem to have a problem with the thread itself.

But let me start at the beginning:
One week ago my uncle gave me a laptop HDD of a colleague. This guy had a friend help him set up his PC and lock his laptop’s HD with a password. After a few months of not using or needing the laptop, both of these guys forgot the password and tried guessing it (guess how that went). My uncle is the PC expert of their choice and so they let him work on it. Because he had no luck unlocking it, he asked me to take a look at it.
This was the first time I had ever seen someone use this feature. If someone gave me this without telling me that it was locked I would probably just insert it into my USB SATA reader, see input/output errors and forget it, and even if I had inserted it into my desktop PC I probably wouldn’t have checked hdparm for the locked status. Now if I get an HD like this, this will be one of the first things I’ll check.

Now how did I go about it?
After a short search I found a few sites and links I thought could be helpful. Especially this seemed interesting. I even found additional info on hddguru. The people didn’t seem that interested in it, even though it helps you recover your HDD password.
So I downloaded the image and booted it; the third PC I tested it on even recognized my SATA controller and successfully identified my hard disks.

Sidenote: I haven’t written on this article for 2 months now, so the whole thing isn’t as fresh in my memory as it could be.

Sadly it didn’t work all too well.
I was using a Seagate HD and this only seems to work for WD HDs. Some commands just didn’t get executed.
Anyway, after a while I found this. Now I could play around with a serial console, for which I had no documentation.
After I played with it for a bit I started to see that this actually might lead to something. A quick Google search helped and I actually found a PDF that documented the diagnostic functions.
Another 5 minutes later I saw the first few lines of memory and buffer (Dxx and Bxx).
I still didn’t know what to expect of this output, but I had a new angle I could work on.
I don’t want to go into too much detail for now, but I quickly realised that I could easily write a script that dumps the buffer and the memory for me, and hopefully that would lead to something. I had already read somewhere that you could unlock the HD by writing something to its memory, and I thought to myself that I would have to find out how to do this if I couldn’t find the password in one of the dumps. I can tell you I didn’t have high hopes for this; I had already planned on writing an entry for the Hackaday “Fail of the Week” series.

2 hours and 2 Python scripts later I had my first working POC. For aesthetics I also hacked together a wget-style status bar and watched the memory dump crawl :)
Another half an hour later I had the complete dump.
In the process of my research many people suggested possible master passwords. It seems that every HD type has specific default passwords (who would have thought?) and the Seagate passwords are mostly variations of Seagate and spaces. I had already tried every possibility I found online, so I was sure that the default didn’t apply here, and after aimlessly looking through the dump my prediction of failure seemed all too true, but I wouldn’t go down without a fight! I still had a few Seagate hard disks in storage and it sure as hell wouldn’t hurt locking them and creating a dump.

And again half an hour and one dump later I once again grepped through a dump with hexedit, and sure enough / found me my password! Sadly, jumping to this address in the old dump didn’t bring me the result I was looking for. Another 30 minutes and another HD dump later (again a different HD) showed me that between different models the addresses vary as well. But now that I knew that the layout itself didn’t change, nothing could stop me. I searched for common features, created a small regex and tried it on the new dumps I had, and what do you know? I had a sure method that found me the user and the master password contained in the dump.
Sadly the passwords for the HD I wanted to crack seemed to be garbage (because they didn’t form ASCII text I could enter). Again expecting failure, I tried entering the now found password with hdparm:

hdparm --security-unlock "$(printf '\x0b\x0b\x0b\x0b')" /dev/sdb

and my heart skipped a beat. HELL YEAH! IT WORKS!!!!
The owner of the HD used the BIOS-integrated functions! I had tried brute forcing the pw before, but I could have waited forever because my dictionary attack would never have worked. I had to convert my password with the scancodes of the characters to unlock this HD. And sure enough, the user used 0000 as the password.
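The reason the dumped bytes did not look like ASCII: a BIOS password prompt stores keyboard scan codes rather than characters, so a typed "0" ends up as 0x0b. The helper below is an added example (not the author’s dump script): it translates between typed text and scan-code set 1 bytes for the US layout, recognises a scan-code-encoded password found in a dump, and builds the printf expression used with hdparm above. The key table is the standard one; the four sample bytes are the ones from the article.

```python
# PC/AT scan code set 1 "make" codes for the keys a BIOS password prompt
# typically accepts. The codes are positional, so on a non-US layout the
# key cap label for a given code may differ (e.g. y/z on German keyboards).
SCANCODE_SET1 = {
    "1": 0x02, "2": 0x03, "3": 0x04, "4": 0x05, "5": 0x06, "6": 0x07,
    "7": 0x08, "8": 0x09, "9": 0x0A, "0": 0x0B,
    "q": 0x10, "w": 0x11, "e": 0x12, "r": 0x13, "t": 0x14, "y": 0x15,
    "u": 0x16, "i": 0x17, "o": 0x18, "p": 0x19,
    "a": 0x1E, "s": 0x1F, "d": 0x20, "f": 0x21, "g": 0x22, "h": 0x23,
    "j": 0x24, "k": 0x25, "l": 0x26,
    "z": 0x2C, "x": 0x2D, "c": 0x2E, "v": 0x2F, "b": 0x30, "n": 0x31, "m": 0x32,
}
SCANCODE_TO_KEY = {code: key for key, code in SCANCODE_SET1.items()}


def password_to_scancodes(password: str) -> bytes:
    """Encode a typed password the way a BIOS that stores scan codes would."""
    return bytes(SCANCODE_SET1[ch.lower()] for ch in password)


def scancodes_to_text(raw: bytes) -> str:
    """Decode scan-code bytes found in a dump back to the typed characters.
    Unknown codes are rendered as \\x?? so they are not silently dropped."""
    return "".join(SCANCODE_TO_KEY.get(b, f"\\x{b:02x}") for b in raw)


def looks_like_scancodes(raw: bytes) -> bool:
    """Heuristic from the article: a 'password' that is not printable ASCII
    but decodes cleanly through the scan-code table was most likely set at a
    BIOS prompt rather than through hdparm."""
    printable = all(0x20 <= b < 0x7F for b in raw)
    return not printable and all(b in SCANCODE_TO_KEY for b in raw)


def hdparm_argument(raw: bytes) -> str:
    """Build the shell printf expression used to hand raw bytes to hdparm."""
    return "$(printf '" + "".join(f"\\x{b:02x}" for b in raw) + "')"


# The four bytes the article found in the dump (sample input for this example)
FOUND_IN_DUMP = b"\x0b\x0b\x0b\x0b"

if __name__ == "__main__":
    print(scancodes_to_text(FOUND_IN_DUMP), hdparm_argument(FOUND_IN_DUMP))
```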

I haven’t worked on the script I used in a long time, but I don’t want anyone who got stuck in the same situation as me to have to rewrite the script I just described and duplicate work, so I will put my work-in-progress code onto GitHub for everyone to see. It’s true that now no Seagate HD is “secure” through this “encryption”, but to be fair, they never were! For 50-100$ everybody could unlock an HD without any real proof, and the losers on the forums that tell you “We need to see proof that this is your HD or we can’t/won’t help you” simply can’t help you, because they don’t know how! And how should they know? Nobody documented this shit yet. And why trust a firm with your precious data when you can save it yourself in half an hour with parts that you either have at home (I had a cable I could use and an Arduino) or get online for ~5$.
The code is located here, don’t expect too much ;) this is only my quick hack, but it works rather well and you can even fine-tune it a bit.
Neither the tool nor this article is finished yet; to be exact, they both are far from finished, but before this becomes yet another draft of mine that doesn’t get posted I will open up and share my findings. Have a nice day and keep on hacking.

My fight … with RubiCon

So it’s official, I’m a student at the Ruhr-Universität Bochum.

We got this fine piece of junk called RubiCon, no not the river, no not the music player either, but an ecampus application in the form of a smartcard with a smartcard reader and Windows software to use it.

So today I took the liberty to take a look at the system. I searched for a way to use it with Linux and found this. It basically explains how to install pcscd and the ccid lib on Ubuntu and configure Firefox to use the RubiCon device.
I thought this was fine, but it wasn’t. Installing the device didn’t need a two-page explanation. How to use it after it was set up was the question (and still is).
After a few minutes of testing and searching for a login page I tried to Google it. For sure someone had solved my problem. I found a forum thread where some guys were desperately trying to figure out how to run the Windows application on Linux, not knowing that wine hasn’t got USB support (yet), two links from rub.de: the FAQ where they tell you that Mac and Linux are not supported, and the notwindows link where they basically tell you that it’s enough for them to have over 90% compatibility. I also found a link to an Ubuntu forum but I didn’t click on it as a matter of principle.
So I guessed I had no choice but to install Windows. I searched for my original Windows XP(tm) CD and installed it in a virtual machine (VMware, VirtualBox and qemu/kvm all have USB passthrough support).
So I installed the software and voila, it was working. I could finally print the certificate of study I longed for, but naturally this wasn’t enough; I wanted to know what the program does (I read about the security concept, but they virtually said that they check if the user enters the correct PIN and then they do some SSL magic).
So I took a look at the installation directory and saw this:
ca.pem
config.xml
fai_de.qm
fai_eng.qm
fai_it.qm
libltdl3.dll
libp11.dll
msvcp71.dll
msvcr70.dll
msvcr71.dll
opensc.dll
opensc-pkcs11.dll
pkcs15init.dll
qt-mt330.dll
RUBICon.exe
ssl.pem

So they used the OpenSC library for communication (just like me), had a config file, DLLs, 3 qm files (whatever this is), 2 pem files and the executable.
First the config :)

<!DOCTYPE config>
<config>
<common>
<terminalid>1</terminalid>
</common>
<browser>
<maxtabs>5</maxtabs>
<urls>
<loggedoff>cardidentified.html</loggedoff>
<loggedin/>
</urls>
</browser>
<card>
<readername>SCM Microsystems Inc. SCR33x USB Smart Card Reader 0</readername>
</card>
<server>
<portal>
<host/>
<port/>
<mode/>
</portal>
</server>
</config>

So somewhere there must be a cardidentified.html, maybe we find this later on; I can maybe only open 5 tabs, and I see my smartcard reader, but I don’t see anything vital in it that could be of any help.
Next the pem files:
ca.pem is a file with 3 certificates, and ssl.pem, who would have thought? RSA key + cert. Woohoo ….
Moving on.
Now a short look at the executable. I did this early in the morning and so it’s only logical that I did nothing big to it, just a simple: strings RUBICon.exe | grep http
Let’s see what URLs are hidden in this stupid thing and WTF?
Seems like someone had an HTTP server running on port 8000 and someone thought of a girl named Kerstin…
http://localhost:8000/rgne/flip.html?froep=daddel&huebi=Kerstin&hallo=welt.
Looks like fun … or unclean code. Whichever you want.
Also I found https://web-rubicon.vspl.ruhr-uni-bochum.de/rubicon/3/

https://web-rubicon.vspl.ruhr-uni-bochum.de/rubicon/1/

https://web-rubicon.vspl.ruhr-uni-bochum.de/rubicon/wait/

But this wasn’t of any help either.
So the last step for today, I thought: actually capturing traffic while running it and hoping for the best.
It was all hellos and handshakes and SSL things I didn’t even want to take a look at.
(even though I took a look at it and found http://crl.thawte.com/ThawtePremiumServerCA.crl)
Anyway, after opening the portal page of the app many times in IE and Firefox, I simply let netcat listen on some port and tried to access it through the RubiCon browser, and WOW:
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: de
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Host: 10.0.2.2
Connection: Keep-Alive

It was what it looked like: a modified IE. (For comparison, the actual IE:)
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: de
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Host: 10.0.2.2
Connection: Keep-Alive

So I could try as long as I wanted, because there was a header no browser has: “UA-CPU: x86”.
And I anticipated the worst. Maybe finding the cookies was meaningless, because they didn’t use cookies!
I started Wireshark again and opened the start page in the embedded browser, but this time I edited https to http!!!!! AND IT HAPPENED:
GET /rubiks/rubicon_portal.startseite HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: de
X-RUBICon-Sessionid: A2FE33B94E5D747241FD376F49724DA0E43B2621E1608CDA1C838EAECF41599B
X-RUBICon-Userid: xxxxxxxxxxxx
X-RUBICon-Ticket: BF4CB1D477DE9A7BB2AD08682AA333D18E94D78EAD07B8979
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Host: ca.ruhr-uni-bochum.de
Connection: Keep-Alive...

So I knew they modified the browser and extended the protocol.
The Sessionid is given when authenticating, the Userid is your user ID (found on your student card), and the Ticket is different for every HTML request and is defined before the actual request happens.
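Because the embedded browser accepts a plain http URL and still sends its X-RUBICon-* headers, the session id and ticket can travel in cleartext where anyone on the path can read them. The Python below is an added example, not part of RubiCon or the original post: it parses raw requests like the two captures above, identifies the client by the UA-CPU header the modified IE sends, and reports when the credential headers go out without TLS. The sample requests are constructed and their values are placeholders.

```python
# Header names come from the captures in the article; everything else is constructed.
FINGERPRINT_HEADERS = {"ua-cpu"}  # sent by the modified IE, absent from normal browsers
CREDENTIAL_HEADERS = {"x-rubicon-sessionid", "x-rubicon-userid", "x-rubicon-ticket"}


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, {lowercased header: value})."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def inspect_request(raw: str, over_tls: bool) -> dict:
    """Report whether a request looks like the RubiCon client and whether its
    session credentials were sent where a network observer could read them."""
    _method, path, headers = parse_request(raw)
    creds = sorted(h for h in headers if h in CREDENTIAL_HEADERS)
    return {
        "path": path,
        "rubicon_client": any(h in headers for h in FINGERPRINT_HEADERS),
        "credential_headers": creds,
        "plaintext_credential_leak": bool(creds) and not over_tls,
    }


# Constructed samples modelled on the two captures above (placeholder values)
PORTAL_OVER_HTTP = """GET /rubiks/rubicon_portal.startseite HTTP/1.1
Accept: */*
X-RUBICon-Sessionid: SESSIONID_PLACEHOLDER
X-RUBICon-Userid: USERID_PLACEHOLDER
X-RUBICon-Ticket: TICKET_PLACEHOLDER
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: ca.ruhr-uni-bochum.de
"""

NETCAT_PROBE = """GET / HTTP/1.1
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: 10.0.2.2
"""
```

Feeding the same request with over_tls=True shows the difference: the client is still recognised, but no leak is reported.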
So now I need some sleep … understandably.