f-log

just another web log

22 Feb 2013:
murder in 1998 and technosphere from 1997
Back in 1998 you could do this
http://web.archive.org/web/19990829170137/http://www.dsikar.demon.co.uk/murder/
and no one would bat an eyelid.
I know the guy and he used to get very serious requests from that page...
1997
http://web.archive.org/web/19981205045247/http://tdg.linst.ac.uk/technosphere/index.html
good times, good times ...

21 Feb 2013:
freedom from Angels and Demons to report the photosynth hack of 2009
After my fun with BT Buzbys I reread my 2009 exploits.
At the time it was very important that I not reveal the details (ethical hacking), but now it is time to lift the veil.
Here is the original (which was a lot of fun to write)

Once upon-a-time there was a new and exciting technology, but it was so new no one was using it and the only way to experience it was to watch the developers demonstrate it at trade shows.
Then the word was given that a web site would use the new technology and create a new user experience, the word was good.
ManyMe visited the site but the proclaimers stated the doors were closed. Despondent I tried again and again to visit the holy lands only to be shunned.
Until a fateful day when the proclaimers did proclaim all come welcome and I did enter the hallowed gates to find ...
Four sacred chapels, each with the revered experience held within, but each guarded by three challenges!
The challenges were difficult and tedious so I did what any soul in search of enlightenment would do, I cheated.
Seems the client received word from up above as to which challenges and chapels were accessible. I sent down false words and thus the chapels opened and unto me all challenges fell open. But alas the holiest of holys, the new experience was hidden from me, so it was that I told each of the challenges how to be, and as master of the challenges found them no challenge.
Now armed with not only the challenges and chapels key I also had the markers of immaculate completion and once again I requested the experience.
Now and only now I realised that I was missing an important browser upgrade that the gated ones keep hidden.
Released from the burden of having old and wretched browser plug-ins I gazed upon the experience and although it was a sight to beholden I saw a weakness.
So unto I did downloadreceive the holy scriptures and with sprinkling of bash did I determine that the hidden passages were in fact touched with additional meta-data that did reveal itself unto me.
And I found myself saying unto the higher ones this is how I did hackdisturb your site and they said OK thanks we will fix that less thy exploit these weaknesses to win great and magnificent prizes.
Hear the word of the White hat 2009-03


The "new and exciting technology" was Photosynth, a way of combining lots of 2D images into a 3D world.
The web site to use this technology was a promotional site for the new(at the time) Dan Brown film Angels and Demons.
It was launched with a teaser countdown, nothing was there until the timer reached zero.
Once it reached zero there were three challenges to complete before being able to use the Photosynth.
The "challenges" were annoying Silverlight games that I had no patience for, three games for each of the four levels, each with a different Photosynth experience at the end.
Fiddler showed me that the Silverlight was downloading each game's "levels" as plain xml files.
Fiddler can be set up to offer up a file from your local file system when a specific URL is requested from the browser. I downloaded the game levels, altered them to make them "one move to win" and told Fiddler to serve them. Silverlight uses the browser's network stack so the Silverlight client never knew that it was not getting legitimate files and I could complete all the games in a single move.
Each Area only opened on a set day, but once again this information was in the xml file, so I just offered up one that said they were all open.
You would think that would be the end of the story, but I was very interested in whether where I was working could use the Photosynth Silverlight client in our own web sites, so I looked at what happened when, after unlocking everything, the Photosynth ran.
It downloaded xml files that told it what images to use, I used that information to download all the images.
I then used an "exif" tool in cygwin/bash to find the dates of the files and lo and behold the special files showed up as being edited at a completely different date than all the rest.
Then I realised the file stamp had the same information, "doh!".
The point of the competition was to find a secret area in each part of the Photosynth unlocking entry into competition sweepstakes for motorbikes, holidays and generally not cheap stuff.
I had spent some time in the Photosynth trying to find things but the navigation was not linear, sometimes trying to go one way would fail because you did not click on the right pixel, very frustrating.
This whole excursion had been for legitimate reasons, to explore the new Silverlight Photosynth client. I did not want to get into trouble for hacking the competition and so, after checking one of the locations by looking at my image store and the "special" images, I reported my "ease" of access.
Being the responsible hacker, I crafted a detailed report of what had happened, how I had done it and what they could do about it. Unfortunately my boss sent the email to the marketing department who then forwarded it to anyone they could find and it got very messy very quickly, I had to hand over the email address I had used on the web site and I never tried to access it again.
I presume they fixed it by encoding the xml data and updating the Silverlight clients to require it to be encoded...
Maybe I should have just won the competition...
It did log scores, so the fact I had completed each game in a single move in under 5 seconds and I had done so on areas that should have been locked at the time would have tipped them off.
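
The logged scores mentioned above are enough to catch this kind of tampering on the server. An added example (not part of the original post; level names, thresholds and log records are constructed) that flags results which are impossible against the server's own level data and release schedule:

```javascript
// Server-side copy of what the client was trusted with in the story:
// how hard each level is and when its area opens. Values are constructed.
const LEVELS = {
  "area1-game1": { minMoves: 12, minSeconds: 20, opensAt: Date.parse("2009-03-01T00:00:00Z") },
  "area2-game1": { minMoves: 15, minSeconds: 25, opensAt: Date.parse("2009-03-08T00:00:00Z") },
};

// Return the list of reasons a single logged result cannot be genuine.
function reviewResult(rec) {
  const level = LEVELS[rec.level];
  if (!level) return ["unknown level"];
  const reasons = [];
  if (rec.moves < level.minMoves) reasons.push("fewer moves than the level allows");
  if (rec.seconds < level.minSeconds) reasons.push("faster than plausible");
  // receivedAt is stamped by the server, not taken from the request body.
  if (Date.parse(rec.receivedAt) < level.opensAt) reasons.push("area not open yet");
  return reasons;
}

// Keep only the records that have at least one reason attached.
function flagSuspicious(log) {
  return log
    .map((rec) => ({ user: rec.user, level: rec.level, reasons: reviewResult(rec) }))
    .filter((entry) => entry.reasons.length > 0);
}

// Constructed sample log: one honest run, two "one move to win" runs
// (one of them in an area that was still locked), one made-up level id.
const SAMPLE_LOG = [
  { user: "u1", level: "area1-game1", moves: 14, seconds: 41, receivedAt: "2009-03-02T10:00:00Z" },
  { user: "u2", level: "area1-game1", moves: 1, seconds: 4, receivedAt: "2009-03-02T10:05:00Z" },
  { user: "u2", level: "area2-game1", moves: 1, seconds: 3, receivedAt: "2009-03-02T10:06:00Z" },
  { user: "u3", level: "area9-game1", moves: 20, seconds: 60, receivedAt: "2009-03-02T10:07:00Z" },
];

for (const entry of flagSuspicious(SAMPLE_LOG)) {
  console.log(`${entry.user} ${entry.level}: ${entry.reasons.join("; ")}`);
}
```
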
21 Feb 2013:
Hacking the BT Buzbys
This reads like my story (highly obfuscated) from a few years ago.
BT released a 320Gb panorama taken from the BT tower at the end of the 2012 Olympics.
http://btlondon2012.co.uk/pano.html
The level of detail is amazing and actually a bit frightening, no blurring of faces or number plates and you can see into windows miles away.
After some time of peering into windows and just being enthralled by the constant high quality I came across a strange yellow chicken waving at the camera.
A frame appeared around him when the mouse was over; a colleague advised it was a competition and to click on it. Highly excited, I clicked and filled in the form.
As a bit of fun BT are running a competition to find BT Buzbys (people in yellow chicken suits).
http://www.btplc.com/gigapixel/
After a while I returned to the panorama and wondered how they were noting the location of the Buzbys .. and down the rabbit hole I fell.
Fiddler showed me all the network traffic and I found that the Flash SWF being used to display the panorama called pano.xml.
In that file was lots of information including

<point ath="168.489" atv="42.509" />
<point ath="-37.043" atv="2.784" />
<point ath="174.040" atv="2.786" />
<point ath="14.157" atv="3.132" />
<point ath="8.532" atv="43.300" />

Which was odd, there are only three Buzbys and what is ath,atv ?
The "ath" reminded me of maps and mapping onto spheres.
A quick Google for ath atv map turned up krpano which is a flash product for displaying panoramas!
Now how to map the coordinates from the xml file to the map I was seeing in the browser ?
Well krpano have a well stocked forum and I saw references to a "screentosphere" function that could be called in ActionScript and I started to look into plugins and ways of executing this method without touching the code..
Which led me to a couple of notes that there was a JavaScript API, could I run "screentosphere" from the browser ?
http://www.krpano.com/forum/wbb/index.php?page=Thread&postID=9703&highlight=double+click+zoom
seemed to think it did!
Back to the panorama, but the code did not work! It couldn't find the SWF object, maybe they named it something else?
No, there it was id="krpanoSWFObject"
I needed to get at the object in the IFrame...
var iframe = document.getElementById('panoapp');
var innerDoc = iframe.contentDocument || iframe.contentWindow.document;
krpano=innerDoc.getElementById("krpanoSWFObject");

But the code still did not work, "krpano" did not seem to be a function, I tried some minimal code
var mousex = krpano().get("mouse.x");
var mousey = krpano().get("mouse.y");
var hvs = krpano().get("screentosphere("+mousex +","+mousey +")");

Why wasn't it working?
var mousex = krpano.get("mouse.x");
var mousey = krpano.get("mouse.y");
var hvs = krpano.get("screentosphere("+mousex +","+mousey +")");

Worked, hvs contained my ath,atv based on the mouse position. I did not want to run this code every time I moved the mouse so I added "cheese"(and I regretted it later).
function cheese() {
var mousex = krpano.get("mouse.x");
var mousey = krpano.get("mouse.y");
var hvs = krpano.get("screentosphere("+mousex +","+mousey +")");
console.log(hvs);
}

self.setInterval(function(){cheese()},1000);

Every 1000ms(1 second) cheese would report the coordinates of my mouse in "ath,atv".
I scrolled over to the first Buzby and saw the coordinates of "ath=8.532, atv=43.300" it WORKED!!
Now to track down the other four Buzbys, but after some time staring at the console output from "cheese" I could not find anything at "ath=14.157, atv=3.132".
I was getting fed up with the coordinates from cheese being so jumpy and I realised that if the "screentosphere" function worked from JavaScript maybe there was a "centre map" function...
krpano.call("moveto(8.532,43.300)");
Set the display but no Buzby, which was odd because I knew it was there, "cheese" was still running and I manually moved the map to the known Buzby, but the coordinates were wrong, or were they?
"cheese" was showing "ath=168.489, atv=42.509", hang on that was one of the other coordinates in the xml ...
If you zoomed in a certain amount the map jumps as if it is using another camera/data source(the contrast is quite different). When I zoomed past this point "cheese" reported quite different coordinates.
So calling "moveto" on the coordinates also required the manual step of zooming in and out until a Buzby is found.
krpano.call("moveto(8.532,43.300)");
krpano.call("moveto(168.489,42.509)");
krpano.call("moveto(14.157,3.132)");
krpano.call("moveto(174.040,2.786)");
krpano.call("moveto(-37.043,2.784)");
Will get you all three Buzbys depending on zoom level.

So if you are a company running a competition where data is sent to the client just expect that someone will read it other than your code.
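
One way to avoid sending the answers to the client at all: keep the target coordinates on the server and let the client submit only where the user clicked. This is an added example, not code from the original post or from krpano; the target values, tolerance and attempt cap are constructed, and ath/atv are assumed to behave like longitude/latitude in degrees.

```javascript
// Target coordinates live only on the server (constructed values).
const TARGETS = [
  { id: "target-a", ath: 10.0, atv: 40.0 },
  { id: "target-b", ath: -179.9, atv: 3.0 },
];
const TOLERANCE_DEG = 0.5; // how close a click must be (assumed value)
const MAX_ATTEMPTS = 50;   // per-entrant cap so the sphere cannot be grid-searched

const rad = (deg) => (deg * Math.PI) / 180;

// Great-circle angle between two view directions, in degrees.
// Using the full spherical formula handles the ath wrap at +/-180.
function angularSeparation(a, b) {
  const c =
    Math.sin(rad(a.atv)) * Math.sin(rad(b.atv)) +
    Math.cos(rad(a.atv)) * Math.cos(rad(b.atv)) * Math.cos(rad(a.ath - b.ath));
  return (Math.acos(Math.min(1, Math.max(-1, c))) * 180) / Math.PI;
}

// Per-entrant state kept by the server.
function newEntrant() {
  return { attempts: 0, found: new Set() };
}

// Decide whether a submitted click counts, without revealing any target.
function checkClaim(entrant, claim) {
  if (entrant.attempts >= MAX_ATTEMPTS) return { ok: false, reason: "attempt limit" };
  entrant.attempts += 1;
  const valid =
    claim && Number.isFinite(claim.ath) && Number.isFinite(claim.atv) &&
    Math.abs(claim.ath) <= 180 && Math.abs(claim.atv) <= 90;
  if (!valid) return { ok: false, reason: "malformed" };
  const hit = TARGETS.find((t) => angularSeparation(t, claim) <= TOLERANCE_DEG);
  if (!hit) return { ok: false, reason: "miss" };
  if (entrant.found.has(hit.id)) return { ok: false, reason: "duplicate" };
  entrant.found.add(hit.id);
  return { ok: true, id: hit.id };
}
```
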

21 Feb 2013:
After setting up the raspberry pi with raspbmc...
I did not want to use a remote control or a remote application (no wifi or LAN) so I dug out a USB Numpad.
USB numpad
XBMC allows you to remap keys and controls to allow for different devices and preferences.
ssh into the running raspbmc pi
vi ~/.xbmc/userdata/keymaps/keyboard.xml
and add

<!-- Keypad keymap for xbmc -->
<keymap>
<global>
    <keyboard>
     <numpadzero>OSD</numpadzero>
     <numpadone>Stop</numpadone>
     <numpadtwo>Down</numpadtwo>
     <numpadthree>BigStepBack</numpadthree>
     <numpadfour>Left</numpadfour>
     <numpadfive>Select</numpadfive>
     <numpadsix>Right</numpadsix>
     <numpadseven>XBMC.ActivateWindow(Home)</numpadseven>
     <numpadeight>Up</numpadeight>
     <numpadnine>BigStepForward</numpadnine>
     <numpaddivide>StepBack</numpaddivide>
     <!-- my numpad divide shows up as "forwardslash" -->
     <forwardslash>StepBack</forwardslash>
     <numpadtimes>StepForward</numpadtimes>
     <numpadperiod>Info</numpadperiod>
     <numlock>Pause</numlock>
     <!-- + and - handle the volume by default -->
     <!-- BackSpace is "back" by default -->
     <!-- Enter is "select" by default -->
     <!-- the Raspberry Pi uses Omxplayer which does not support FastForward or Rewind -->
    </keyboard>
</global>
</keymap>

Now I have the USB stick in one USB port and the Keypad in the other, perfect.
USB numpad with rasmbc key
19 Feb 2013:
raspbmc

Or Raspberry Pi Media Centre using XBMC (XBox Media Centre) gives you a highly customisable media centre that can connect to the network for streaming or use USB sticks for files.
I wanted to see how easy it would be to get something useful that I could rip the kids DVDs onto.
For some reason I had lots of issues with my SanDisk 8GB Class 10 SD card and the supplied installer script, but a manual install did the trick
zcat ./installer.img.gz > /dev/sdc
Where I had already downloaded the installer.img.gz file and sdc was the device assigned to the SD card.
Booted up the Pi and waited an age for the system to download the actual OS and install, then plugged in a USB stick with some video files.
Some of the videos were choppy, which was odd because I had heard great things about the Pi and full screen video decoding, then I found that the hardware video decoding is disabled and you must buy a licence to enable it.

Over to the Pi Store and for the price of a BigMac(tm) and fries got both the VC1 and MPG2 codecs, the next day I could play videos with no buffering, crystal.
$ vcgencmd codec_enabled MPG2
MPG2=disabled
$ vcgencmd codec_enabled WVC1
WVC1=disabled
$ sudo bash
$ echo decode_MPG2=0xffffffff >>/boot/config.txt
$ echo decode_WVC1=0xffffffff >>/boot/config.txt
$ exit
$ vcgencmd codec_enabled MPG2
MPG2=enabled
$ vcgencmd codec_enabled WVC1
WVC1=enabled

Where 0xffffffff is the hex code emailed to you when you purchase the codecs.

next time, controlling the raspbmc...
07 Feb 2013 20:43
I have big plans for my panic button on the Raspberry PI but, for now I am content just to note it is pressed.
A bash script that simply waits for you to push the button

1 #!/bin/bash
2
3 #detect when the button is pressed
4
5 while [ $(cat /sys/bus/usb/drivers/panicb/*/button) = 0 ]; do
6     echo -n "."
7     sleep 0.5
8 done
9 echo "pressed"

This will check for the button [line 5], if it is pressed then exit the loop and print the message "pressed" [line 9].
If the button has not been pressed output a full stop [line 6] (the -n is to not add a CR) then wait half a second [line 7] and then try again.
I can then call this script from another, looping, to always print "pressed" when the button is pressed and never exit.

Next time I set up raspbmc media centre with a USB keypad...
03 Feb 2013 21:45
I got this USB Panic button a few years ago, very cheap, I think it only worked in Windows XP and then not very well.
USB panic button
It seemed like the easiest thing to try and get working with the Raspberry Pi. After some googling three options came up: a driver in Perl, Python or C.
After some hours trying to get CPAN (it's a Perl thing) to handle USB I gave up with an unanswered post http://www.raspberrypi.org/phpBB3/viewtopic.php?f=50&t=29240&p=257052#p257052
I had little hope for Python so it was onto the C version, *HERE BE DRAGONS*

Only problem being that the C code was for a full kernel module and at the time the Raspberry Pi did not have the kernel header files needed to build kernel modules.
http://www.raspberrypi.org/phpBB3/viewtopic.php?f=71&t=29326&p=257733#p257733

There were some posts regarding the manual building of the Pi's kernel header files but they were for earlier versions, this is what I came up with
(mostly taken from http://www.raspberrypi.org/phpBB3/viewtopic.php?f=71&t=17666&p=179845#p179845)

wget https://github.com/raspberrypi/linux/tarball/rpi-3.6.y
tar xzf rpi-3.6.y
cd raspberrypi-linux-31a9510/
zcat /proc/config.gz > .config
make oldconfig
make modules_prepare
wget https://github.com/raspberrypi/firmware/raw/master/extra/Module.symvers
KSRC=`pwd`
pushd /lib/modules/`uname -r`
ln -s ${KSRC} source
ln -s ${KSRC} build
popd
pushd /usr/src
ln -s ${KSRC} linux-`uname -r`
ln -s ${KSRC} linux
popd


The Panic button code is part of a collection of USB gadgets https://github.com/pficheux/USBFun

mkdir usbdevices
cd usbdevices/
wget "https://github.com/pficheux/USBFun/archive/master.zip"
unzip master.zip
cd USBFun-master/
cd panicb/
make


it was going so well at this point and could not last

"error: unknown field 'ioctl' specified in initializer"

Stack Overflow led me to the fix
http://stackoverflow.com/questions/5868908/using-ioctl-communication-between-kernel-mode-and-user-mode
vi panicb.c
:169
wiunlocked_
[ESC]
:wq
make


Which simply updated the line
    .ioctl = panicb_ioctl
to
    .unlocked_ioctl = panicb_ioctl
the updated way of handling this call in newer kernels.

Then
sudo ./detach_hid 1130 202
sudo insmod ./panicb.ko


cat /sys/bus/usb/drivers/panicb/*/button
* is for the designation of the usb address e.g.
/sys/bus/usb/drivers/panicb/1-1.3:1.0/button
that is the USB hub/port/address(not supposed to be human readable, though can be decoded)

if the result is 0 the button has not been pressed since it was last checked, 1 if it has been (this then resets it back to 0)
the press does not register until the button is released (this is a hardware not software issue).

running the newly compiled app sudo ./panicb_test /dev/panicb0 crashed my pi

to make it work on reboot (so you do not have to manually detach and insmod each time)
sudo make install
sudo cp 99-panicb.rules /etc/udev/rules.d
sudo udevadm control --reload-rules
modprobe panicb

if that fails with
FATAL: Module panicb not found.
then you need to find the panicb.ko file and move it
(this was because the kernel version ended in a + and command is not quoted)
mv /lib/modules/3.6.11/extras/panicb.ko /lib/modules/3.6.11+/kernel/drivers/usb/misc/
modprobe panicb

no errors and can see panicb in
lsmod
and finally add panicb to the /etc/modules file
echo panicb >> /etc/modules

Next time I demo a quick bash shell script to detect the panic button presses.

Disclaimer:
This page is by me for me, if you are not me then please be aware of the following
I am not responsible for anything that works or does not work including files and pages made available at www.jumpstation.co.uk I am also not responsible for any information(or what you or others do with it) available at www.jumpstation.co.uk
In fact I'm not responsible for anything ever, so there!
