D_K Profile
D_K

@D_K_Dev

Followers
218
Following
100
Media
2
Statuses
42

IT-Security Student, @allesctf Member, Co-Founder and Security Researcher @neodyme

Joined July 2012
@D_K_Dev
D_K
18 days
RT @DHM_ctf: Would you like to participate in the German Hacking Championship next year? 💻🎉Then, your next chance to qualify is this weeken….
0
1
0
@D_K_Dev
D_K
5 months
RT @C_S_C_G: The Cyber Security Challenge Germany 2025 has started! 🎉 The competition runs from March 1 - 18:00 CET to May 1 - 18:00 CEST.….
0
5
0
@D_K_Dev
D_K
7 months
RT @Neodyme: Following our #38c3 talk about exploiting security software for privilege escalation, we're excited to kick off a new blog ser….
0
22
0
@D_K_Dev
D_K
7 months
RT @Neodyme: ND people are @ #38c3 in Hamburg, Germany. Be sure to check out our two talks about LPEs in AV/EDR Products (Saturday, 4 PM YE….
0
4
0
@D_K_Dev
D_K
9 months
RT @Neodyme: Since we had used a different setup without any administrator account, our official attempt during #Pwn2Own failed. However, @….
0
2
0
@D_K_Dev
D_K
9 months
Now I could either reflash the eMMC chip or use the nice USB-Boot mode of the custom U-Boot ;), though that required pulling the Boot0 pin high and a weird USB flash drive config.
2
0
8
@D_K_Dev
D_K
9 months
After some reversing and looking around, I noticed the U-Boot version was 2017.11. A quick search revealed CVE-2020-10648, a verified boot bypass for U-Boot. What was left was crafting a new FIT image and using a custom initrd with the init command replaced by a shell.
1
0
2
@D_K_Dev
D_K
9 months
Unfortunately, everything else was encrypted with a key out of the TEE. The U-Boot and everything after is also signed with keys, starting on the i.MX6 CPU. So patching the initrd was not possible.
1
0
3
@D_K_Dev
D_K
9 months
Disassembling the device, I quickly found UART pins. These were a great first find, but did not provide anything useful :/ Next, I tried to dump the firmware by desoldering the eMMC chip. This got me lots of insights into the initrd.
1
0
5
@D_K_Dev
D_K
9 months
After a great #Pwn2Own with @Neodyme, I would like to share some insights I gained when working with the AeoTec Smart Home Hub. We did not manage to find any bugs in time, but dumping the firmware was a great lesson. So, let’s tell you the story of how I approached this target.
1
15
105
@D_K_Dev
D_K
9 months
RT @thezdi: Our final SOHO Smashup of Day 2 ends with a partial collision. Neodyme (@Neodyme) used 4 bugs, including a stack-based buffer o….
0
5
0
@D_K_Dev
D_K
9 months
RT @Neodyme: gg, this should fit nicely into our new office 🖨️. We'll be looking to complete the set tomorrow by attacking Lexmark CX331adw….
0
5
0
@D_K_Dev
D_K
9 months
RT @thezdi: Confirmed! Team Neodyme (@Neodyme) used a stack-based buffer overflow to exploit the HP Color LaserJet Pro MFP 3301fdw printer.….
0
7
0
@D_K_Dev
D_K
2 years
RT @allesctf: The cyber mimic defense starts soon thanks for the invitation. Good luck to all teams.
0
2
0
@D_K_Dev
D_K
2 years
RT @redrocket_ctf: The @CyberSecRumble next year will be episch 🔥 :
0
4
0
@D_K_Dev
D_K
2 years
RT @Neodyme: Introducing Riverguard 🏞️💂. A new security tool for Solana program deployers. 🧵. .
0
71
0
@D_K_Dev
D_K
2 years
RT @C_S_C_G: 1st place of the #ECSC2023: Team Germany 🎉 unexpected!! CYBER!!👏
0
15
0
@D_K_Dev
D_K
2 years
RT @C_S_C_G: 🇩🇪 | Today, the @BSI_Bund hosted Germany's #ECSC team. These talented youngsters proved their skills during CSCG and will re….
0
4
0
@D_K_Dev
D_K
2 years
RT @allesctf: Are you also tired from teams stealing flags or organizers stealing 0days from organizers in CTFs? Then you should play CCCam….
0
15
0
@D_K_Dev
D_K
2 years
RT @Neodyme: When CS:GO clients connected to our server, they got more than a game. We found 3 RCE vulnerabilities to give clients an unexp….
neodyme.io
We identified three independent remote code execution (RCE) vulnerabilities in the popular Counter-Strike: Global Offensive game. Each vulnerability can be triggered when the game client connects to...
0
151
0