Mame on the Beaglebone Black


A few years ago I put together a Mame arcade system using an old laptop, X-Arcade Tankstick, and an Xtension Mini Arcade Cabinet. Over the past few months the laptop has become flaky and now needs to be replaced. I figured the Beaglebone would be the perfect replacement as it has enough horsepower to run Mame, and is low power enough that I can just leave it running all the time.

Unfortunately I was not able to locate a prebuilt image that included Mame. Getting X to work properly with sound, and then finding a version of Mame that’ll compile on the Black’s arm chip turned out to be a bigger hassle than I expected. There are a number of things that need to be fixed but overall I think this image should work fine for running the games I had on the old laptop.

The image runs Debian as the OS, AdvanceMame for the game emulation, and Wahcade as a front end. It can be run either from an SD or copied on to the internal storage. Wahcade will start automatically when the system boots… just boot the system and it's ready to go.

http://gencarelle.com/public_files/mamebone/mamebone-0.5.img

I’ve only included the Circus and Tankwars roms in this image. To add your own roms, log in with the user name mame and the password mame. New roms go in the emulators/mame/roms directory.

If you try the image and have problems and/or suggestions let me know. I have a few more tweaks planned to make adding roms easier and will post how I got AdvanceMame to compile eventually.

 

DEFCON 2013 Forensics Challenge

Wow! First place baby!

Here is a write up I did on a competition that took place at DEFCON this year. To be fair I should disclose that I work for Cybertap and work on the Recon product. The tasks where Recon was used could of course have been solved using other tools, but when you have access to a network analysis tool designed for this sort of thing it really helps.

This year’s challenge had approximately 200 teams competing. The 2nd and 4th place teams from last year’s competition were also present. It took 4.5 hours to complete a total of eight rounds. The 2nd place team (the same team that came in 4th last year) took about 5 hours to complete the challenge.

Tools used

CYBERTAP RECON
Recon ingests real-time or archived (Pcap) network packets, decompiles all the flows and indexes every byte of information using a search engine. All network data is indexed including address and port meta-data, protocol meta-data, message contents, embedded file meta-data, and file content metadata.

WIRESHARK
Wireshark is a network protocol analyzer.

NETWORKMINER FREE
NetworkMiner is a Network Forensic Analysis Tool for Windows. NetworkMiner can parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.

HXD
HxD is a fast free hex editor.

NOTEPAD++
Notepad++ is a free Windows based source code editor and Notepad replacement.

VLC
VLC is an open-source cross-platform multimedia player.

TRUECRYPT
Free open-source disk encryption software.

USEFUL WEBSITES
www.asciitohex.com – used to convert hex to ASCII text.
display-kml.appspot.com – used to map KML data to a Google map.
http://en.wikipedia.org/wiki/List_of_file_signatures – Website with list of file signatures.

Forensic Challenge

1. What day of the week is the meeting scheduled for?
Wednesday

Time to complete task: 15 mins

NetworkMiner was able to identify an IRC chat but some messages were hex encoded. We used Notepad++ to clean up the text in the hex encoded messages and then converted the hex to ASCII.

Original text:
How does Wednesday sound?

Cleaned up hex:
48 6F 77 20 64 6F 65 73 20 57 65 64 6E 65 73 64 61 79 20 73 6F 75 6E 64 3F

Converted to ASCII:
How does Wednesday sound?

Tools used:
NetworkMiner
Notepad++

2. What city are they meeting?
Las Vegas

Time to complete task: 46 mins

The solution for this one required multiple steps.

Using Recon we searched and found the word betty in an AOL email message that contained text about the meeting. Using the source IP address (172.29.1.50) and viewing the results in Recon’s surveyor we were able to step through all the documents pertaining to this address. One document that stood out was sent on port 1024 and appeared to contain binary data.

To extract the original file out of the pcap we used Wireshark. There’s probably an easier way to do this… Using this filter we were able to capture just the traffic from 172.29.1.50 on port 1024.

tcp.port == 1024 and ip.src == 172.29.1.50

The results were then saved to a new pcap using the File->Export Specified Packets option. Next we opened the new pcap in Wireshark, followed the TCP stream (there is only one stream in this new pcap), and then saved it as a raw file.

We had a file that probably contained what we were looking for but no idea what the format was. The Linux file utility identified it as data (no help there) and strings did not produce anything useful. There was one of three possibilities… it’s compressed, encrypted, or junk data to throw us off. The hint that it was encrypted was this bit of text from the email:

Here is the password for where you should meet me: S3cr3tVV34p0n

We have a password and what we assume is an encrypted file so the next step is to just start trying various encryption formats to see if there was anything that could open it. After lots of wasted time trying different formats, TrueCrypt was tried with the S3cr3tVV34p0n password with success. The TrueCrypt archive contained a text document and a picture of Vegas.

Tools used:
Recon
Wireshark
TrueCrypt

3. What will Gregory die from, if he fails to meet with Betty?
Dysentery

Time to complete task: 16 mins

Looking at this pcap in Wireshark we found a session that contained both text and data. The text part contained “VID_20130705_145557.mp4” indicating the data was an MP4 file.

The session was saved in a raw format that included the extra text garbage at the start of the file. To figure out where the actual start of the MP4 file was we used a hex editor and searched for the magic number for MP4 files.

00 00 00 nn 66 74 79 70

Once we had the start of the file we just removed all the data before it. The file was then playable in VLC. The video shows a reference to the game Oregon Trail and zooms in on the word dysentery.

Tools used:
Wireshark
HxD
VLC
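
The manual hex-editor step above can be scripted. This is an added example, not code from the original write-up: it looks for the `00 00 00 nn 66 74 79 70` signature, rejects chance hits of the text "ftyp" by checking the box size and the type of the box that follows, and then walks the carved file's top-level boxes as a sanity check. The function names and the sample stream are constructed for illustration.

```python
import struct

def find_mp4_start(buf: bytes) -> int:
    """Offset of the first plausible 'ftyp' box (00 00 00 nn 66 74 79 70), or -1."""
    pos = buf.find(b"ftyp")
    while pos != -1:
        start = pos - 4  # a box is a 4-byte big-endian size followed by a 4-byte type
        if start >= 0:
            (size,) = struct.unpack(">I", buf[start:pos])
            # ftyp = header (8) + major brand (4) + minor version (4) + 4 per compatible brand
            if 16 <= size < 256 and size % 4 == 0:
                nxt = buf[start + size + 4:start + size + 8]
                # the box that follows must carry a 4-letter ASCII type (moov, mdat, free...)
                if len(nxt) == 4 and nxt.isalpha():
                    return start
        pos = buf.find(b"ftyp", pos + 1)
    return -1

def top_level_boxes(data: bytes):
    """Walk the box chain of a carved file and return [(type, size), ...]."""
    boxes, off = [], 0
    while off + 8 <= len(data):
        size, kind = struct.unpack(">I4s", data[off:off + 8])
        if size < 8 or off + size > len(data):
            break  # truncated capture, or a 64-bit / "to end of file" size: stop here
        boxes.append((kind.decode("ascii", "replace"), size))
        off += size
    return boxes

def carve_mp4(raw: bytes) -> bytes:
    """Drop everything in front of the ftyp box and return the remainder."""
    start = find_mp4_start(raw)
    if start < 0:
        raise ValueError("no ftyp box found")
    return raw[start:]

# Constructed sample: a text preamble that itself contains the string "ftyp",
# followed by a minimal ftyp / free / mdat box sequence.
FTYP = b"\x00\x00\x00\x18ftypisom\x00\x00\x00\x00isommp42"
SAMPLE = (b"SEND VID_20130705_145557.mp4 (ftyp follows)\r\n"
          + FTYP + b"\x00\x00\x00\x08free" + b"\x00\x00\x00\x0cmdat\xde\xad\xbe\xef")

if __name__ == "__main__":
    video = carve_mp4(SAMPLE)
    print(find_mp4_start(SAMPLE), top_level_boxes(video))
```
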

4. What is the password provided to Gregory?
Brutus

Time to complete task: 10 mins

Using Recon we found an XML file in the body of an email message. The file contents indicated it was a KML file.

KML is a file format used to display geographic data in an Earth browser such as Google Earth, Google Maps, and Google Maps for mobile.

To map the KML data to a Google map we used this site: http://display-kml.appspot.com/.

Brutus

Tools used:
Recon

5. What happened to Gregory?
Unconscious behind recycle bin

Time to complete task: 60 mins

There was no pcap required to solve this round, just a dump of an Android smart phone. All the files from the dump were imported into Recon to make them searchable.

We were able to find text in a sent MMS message, “I got the recipe for the toxic pumpkin pie”, but this was not the correct answer. Thinking maybe the message was hidden in an image we searched for just images and found one that provided the answer.

man down!

Tools used:
Recon

6. How many bytes of data is the malicious payload?
3113 B

Time to complete task: 4 mins

Processing the pcap in NetworkMiner, the installed antivirus application flagged the 200912-paimia-&a.html file as malicious. Once we had the file name all that was required was to look at the size on disk.

Tools used:
NetworkMiner

7. What is the URL of the false (Malicious) web page Victoria is directed to?
bankofamerica.tt.omtrdc.net

Time to complete task: 67 mins

Lots of time was wasted examining javascript for a possible Black Hole redirection. The solution was found by searching for webhosts in Recon that contained bankofamerica but were not part of the bankofamerica domain.

Tools used:
Recon
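
The same search can be run over HTTP requests exported from any capture. This is an added example, not part of the original write-up and not Recon's query syntax: it pulls Host headers out of raw requests and flags hosts that contain the brand string but do not sit under the legitimate domain, matching on label boundaries. The function names, the sample requests and the choice of bankofamerica.com as the legitimate domain are assumptions.

```python
def extract_hosts(http_requests):
    """Unique Host header values (lower-cased, port stripped), in first-seen order."""
    hosts = []
    for req in http_requests:
        for line in req.split("\r\n")[1:]:          # skip the request line
            name, _, value = line.partition(":")
            if name.strip().lower() == "host":
                host = value.strip().lower().split(":")[0].rstrip(".")
                if host and host not in hosts:
                    hosts.append(host)
    return hosts

def is_under(host, domain):
    """True if host is the domain itself or a subdomain of it (label-boundary match)."""
    return host == domain or host.endswith("." + domain)

def brand_lookalikes(hosts, brand, legit_domains):
    """Hosts that mention the brand but are not under any legitimate domain."""
    return [h for h in hosts
            if brand in h and not any(is_under(h, d) for d in legit_domains)]

# Constructed sample requests. bankofamerica.tt.omtrdc.net is the host named in the
# write-up; the .example host is a made-up case showing why a plain substring or
# startswith test on the domain is not enough.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: www.bankofamerica.com\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: bankofamerica.tt.omtrdc.net\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: BankOfAmerica.com:80\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: bankofamerica.com.login.example\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
]

def suspicious_hosts():
    hosts = extract_hosts(SAMPLE_REQUESTS)
    return brand_lookalikes(hosts, "bankofamerica", ["bankofamerica.com"])

if __name__ == "__main__":
    print(suspicious_hosts())
```
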

8. Who killed Gregory?
Victoria

Time to complete task: 5 mins

Recon extracted 4 VoIP files perfectly. Listening to the first file, the caller (Victoria) admitted to the crime.

Tools used:
Recon

Ads, Yay!

Sorry about the ads now being displayed here. It's not about making money… honestly I don’t expect to see a single cent. I’ve never set up Google AdSense and wanted to go through the exercise. Overall it was pretty easy, the only tricky part was I forgot to disable AdBlock and couldn’t figure out why my ads were not showing up. Oops.

Updated Ubuntu 13.04 Image

I’ve created an updated Ubuntu 13.04 image suitable for the BeagleBone Black that includes a number of useful packages and fixes. Most notable are:

  • Hamachi is installed and working
  • USB network is working
  • Fixed Realtek RTL8188CUS driver
  • Using 3.8.13 kernel
  • Fix for USB power added
  • Deb packages updated to latest

Login name is ubuntu/temppwd

You can download it from here. If you find any problems with this image please let me know.

*Update 1 – USB network is in fact not working by default. The wrong kernel module is being loaded. To correct this, rmmod the g_cdc module and modprobe the g_ether module. Once that's done you can ifup usb0 and it should work.

*Update 2 – If you plan on using Hamachi there is one additional step that should be done. Hamachi is fully configured and already has an IP and ID assigned. This will need to be reset. The fix is pretty easy. Just stop Hamachi, remove /var/lib/logmein-hamachi and start Hamachi again.

Problems with Realtek RTL8188CUS

The Miniature WiFi module from Adafruit does not work with Ubuntu 13.04 on the BeagleBone Black. Wish I knew that before I purchased it. Would have saved me many hours of work. Strap in, this one is a bit ugly.


The instructions are for the ubuntu-13.04-armhf-minfs-3.8.12-bone17.img.xz image. If you use a different image it should still work. Just make sure you have the correct kernel headers installed.

1. Grab the modified driver from here:
wget https://realtek-8188cus-wireless-drivers-3444749-ubuntu-1304.googlecode.com/files/rtl8192cu-tjp-dkms_1.6_all.deb

2. Update the available package information
apt-get update

3. Grab the kernel headers and install
wget http://rcn-ee.net/deb/raring-armhf/v3.8.12-bone17/linux-headers-3.8.12-bone17_1.0raring_armhf.deb
dpkg -i linux-headers-3.8.12-bone17_1.0raring_armhf.deb

5. install the dkms package and all its dependencies
apt-get install dkms

6. Install the rtl8192cu-tjp-dkms_1.6_all.deb package. It's going to fail, don't be concerned. We aren’t done yet!
dpkg -i rtl8192cu-tjp-dkms_1.6_all.deb

7. Fix the missing arch type
cd /usr/src/linux-headers-3.8.12-bone17/arch/
ln -s arm armv7l

8. Fix a problem with the timex.h header
vi /usr/src/linux-headers-3.8.12-bone17/arch/armv7l/include/asm/timex.h

change line 18 from

#include <mach/timex.h>

to

#include </usr/src/linux-headers-3.8.12-bone17/arch/arm/include/asm/timex.h>

9. Run make to build the driver

cd /usr/src/rtl8192cu-tjp-1.6
make

10. Copy the new module in to the kernel modules directory
cp 8192cu.ko /lib/modules/3.8.12-bone17/kernel/drivers/net/wireless/

11. Update the module deps
depmod

12. Blacklist the native drivers.
vi /etc/modprobe.d/blacklist.conf

add this to the end:

# Blacklist native RealTek 8188CUs drivers
blacklist rtl8192cu
blacklist rtl8192c_common
blacklist rtlwifi

13. reboot

It's OK to now remove the driver source under /usr/src/rtl8192cu-tjp-1.6 if you need to free up some disk space.

That’s it. Hopefully all the steps worked for you. If not leave me a message. Enjoy!

USB power fix for BeagleBone Black running Ubuntu

If you power your BBB using USB power you’ve probably found the board will power off unexpectedly and/or not boot from the SD. This change allows > 500mA through the mini-USB port.

Edit the uEnv.txt (located in /boot) and add this: i2c mw 0x24 1 0x3e

Your uEnv.txt file will end up looking something like this:

uenvcmd=run findfdt; if test $board_name = A335BNLT; then i2c mw 0x24 1 0x3e; setenv mmcde…

To give credit where it's due I found the fix here: http://archlinuxarm.org/forum/viewtopic.php?f=28&t=5486#p32325

Running Hamachi on a Beaglebone Black

*** I have created an updated Ubuntu image with Hamachi baked right in. Grab it from here ***

After hunting around for a long time I wasn’t able to find instructions on getting Logmein Hamachi working on the Beaglebone Black running Ubuntu 13.04. It turns out Ubuntu dropped support for an armel package that’s required to install some of the necessary dependencies to run armel on armhf hardware. Here is how I finally got it running.

If you want to save some time I have posted all the files to: http://www.gencarelle.com/public_files

1. Download Ubuntu 13.04 image.
http://s3.armhf.com/debian/raring/bone/ubuntu-13.04-armhf-minfs-3.8.12-bone17.img.xz

2. Download and install 7-zip.
http://www.7-zip.org/download.html

3. Uncompress Ubuntu image file using 7-zip.

4. Download and install Image Writer for Windows.
http://sourceforge.net/projects/win32diskimager/files/latest/download

5. Write the Ubuntu image to the SD memory module.

6. If the SD module is larger than 2 Gigs you should expand the root partition. I used gparted on Linux.

7. Boot the beaglebone with the boot button pressed – required to boot from SD. Login name and password is ubuntu. Use “sudo su” to switch to the root user. Password is ubuntu.

8. Update the Ubuntu package repository.
apt-get update

9. Install packages (and package requirements).
apt-get install --fix-missing --no-install-recommends lsb lsb-core aptitude libc6-armel libc6-armel-cross linux-libc-dev-armel-cross

11. Make a directory to hold the downloaded packages.
mkdir /root/packages

12. Change to the new package directory.
cd /root/packages

13. Download the armel libs.
aptitude download libstdc++6-armel-cross libgcc-4.7-dev-armel-cross libgcc1-armel-cross libgomp1-armel-cross libc6-dev-armel-cross

14. There is no gcc-4.7-arm-linux-gnueabi-base package for this version of Ubuntu. Force install the armel libs we have.
dpkg -i --force-all *.deb

15. Tell the system where to find the libs hamachi needs. Edit the /etc/ld.so.conf and add this path at the bottom.
/usr/arm-linux-gnueabi/lib

16. Update the library cache.
ldconfig

17. Download the hamachi package.
wget https://secure.logmein.com/labs/logmein-hamachi_2.1.0.101-1_armel.deb

18. Install the hamachi package. I got a python error during the install but it didn't seem to cause a problem.
dpkg --force-architecture -i logmein-hamachi_2.1.0.101-1_armel.deb

You can now safely remove the /root/packages directory.

Beaglebone Black

I’ve been running an Ubuntu server in a VM at home for some time. The host system is an older XPS laptop running Windows 7. I can’t speak to the quality of other XPS systems, but this one has not held up very well. It's now on its 4th and final motherboard. I believe most of (all?) the problems have been related to the system overheating.

The main thing I’ve been using this system for is to run a Hamachi VPN and a Squid proxy. It's a nice setup that allows me to browse the web and not have to worry about someone snooping in. However, it's only a matter of time before it dies again and a bit overkill.

Sooo, in my quest to find a small low power standalone Linux server I came across the Beaglebone Black. It's a bit more expensive than the Raspberry PI but the specs (see for a side by side comparison: http://roboteurs.com/beaglebone-black-vs-raspberry-pi/) are slightly better suited for what I want to use it for.

For anyone who cares I ordered it from Adafruit. I’ve had good luck with them in the past and was able to order everything with no problems. Here is my parts and price list.

  • 1 x Miniature WiFi (802.11b/g/n) Module: For Raspberry Pi and more[ID:814]  = $11.95
  • 1 x Adafruit Bone Box – Enclosure for Beagle Bone/Beagle Bone Black[ID:699] = $19.95
  • 1 x Micro HDMI to HDMI Cable – 2 meter[ID:1322] = $9.95
  • 1 x BeagleBone Black[ID:1278] = $45.00

My first task will be to replace the OS with Ubuntu and then get Hamachi working.