<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>29b Enterprises</title>
    <link>https://blog.29b.net/</link>
    <description>Recent content on 29b Enterprises</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <copyright>© 2024 29b Enterprises</copyright>
    <lastBuildDate>Sun, 21 Dec 2025 07:07:07 +0100</lastBuildDate>
    <atom:link href="https://blog.29b.net/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>QingPing CGS2 De-cloud - making an air quality monitor ours</title>
      <link>https://blog.29b.net/dispatches/cgs2_decloud/</link>
      <pubDate>Sun, 21 Dec 2025 07:07:07 +0100</pubDate>
      <guid>https://blog.29b.net/dispatches/cgs2_decloud/</guid>
      <description>&lt;p&gt;QingPing Air Quality Monitor Gen 2 (also known as CGS2) is a rather stylish little air quality monitor. It has all the nice sensors you might want (CO2, PM2.5, PM10, temperature, humidity) and then some (noise, eTVOC&amp;hellip;). It&amp;rsquo;s all packaged in a nice-looking device, with a colour touch screen, built-in battery and WiFi. In this short writeup, we&amp;rsquo;ll untether it from the cloud and make it report the data to us.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Slim filters for Fuji GF670</title>
      <link>https://blog.29b.net/dispatches/gf670_filters/</link>
      <pubDate>Tue, 11 Nov 2025 11:11:11 +0000</pubDate>
      <guid>https://blog.29b.net/dispatches/gf670_filters/</guid>
      <description>&lt;p&gt;Fuji GF670 is a great medium format camera, but has a few drawbacks. I&amp;rsquo;ve been shooting happily with it for a long time but every once in a while I wished I had a filter on. The way you are supposed to use filters with it is quite bonkers. A hood that you attach each time you want to use them, plus you have to take it off every time you want to close the camera? Using it is slow as is&amp;hellip; Chances are I’ll shoot all of the 10 frames of a roll using the same filter. I’d like to be able to leave the filter on the camera.&lt;/p&gt;&#xA;&lt;p&gt;I love high contrast black and white photography, and like using yellow/orange/red filters where appropriate. An ND filter can be nice as well, given that this camera maxes out at 1/500s shutter speed.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Small praise for modern compilers - A case of Ubuntu printing vulnerability that wasn’t</title>
      <link>https://blog.29b.net/talos_archives/modern_compilers/</link>
      <pubDate>Mon, 10 Feb 2025 07:13:37 +0000</pubDate>
      <guid>https://blog.29b.net/talos_archives/modern_compilers/</guid>
      <description>&lt;p&gt;Earlier this year, we conducted code audits of the macOS printing subsystem, which is heavily based on the open-source CUPS package. During this investigation, the IPP-USB protocol caught our attention. The IPP over USB specification defines how printers that are available only over USB can still support network printing via the Internet Printing Protocol (IPP). After wrapping up the macOS investigation, we decided to take a look at how other operating systems handle the same functionality.&lt;/p&gt;</description>
    </item>
    <item>
      <title>About</title>
      <link>https://blog.29b.net/about/</link>
      <pubDate>Sun, 15 Sep 2024 07:07:07 +0100</pubDate>
      <guid>https://blog.29b.net/about/</guid>
      <description>&lt;p&gt;Mentions of what will later grow into 29b Enterprises can be traced all the way back to scientific endeavors of Ibn Sina and the first recorded and studied transit of Venus. Ever since, our engineers (exact job title changed throughout the ages) were there to do the less glamorous tasks that are the cornerstone of scientific research. Measuring, documenting, cataloging and observing in the time of imprecise instruments and unreliable recording media.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Snapshot fuzzing on macOS</title>
      <link>https://blog.29b.net/talos_archives/macos_snapshot_fuzzing/</link>
      <pubDate>Thu, 16 May 2024 07:13:37 +0000</pubDate>
      <guid>https://blog.29b.net/talos_archives/macos_snapshot_fuzzing/</guid>
      <description>&lt;p&gt;Finding novel and unique vulnerabilities often requires the development of unique tools that are best suited for the task. The platforms and hardware that the target software runs on usually dictate the tools and techniques that can be used. This is especially true for parts of the macOS operating system and kernel due to its closed-source nature and lack of tools that support advanced debugging, introspection or instrumentation.&lt;/p&gt;&#xA;&lt;p&gt;Compared to fuzzing for software vulnerabilities on Linux, where most of the code is open-source, targeting anything on macOS presents a few difficulties. Things are closed-source, so we can’t use compile-time instrumentation. While dynamic binary instrumentation tools like DynamoRIO and TinyInst work on macOS, they cannot be used to instrument kernel components.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Abusing XFG: Mitigations are a reverser&#39;s friend</title>
      <link>https://blog.29b.net/dispatches/xfg/</link>
      <pubDate>Sat, 03 Feb 2024 07:13:37 +0000</pubDate>
      <guid>https://blog.29b.net/dispatches/xfg/</guid>
      <description>&lt;p&gt;With the release of Windows 11, Microsoft is introducing another&#xA;iteration of control flow integrity mitigation called &amp;ldquo;eXtended Flow&#xA;Guard&amp;rdquo; or XFG. In short, it further restricts targets of indirect calls&#xA;to not only valid function entry points, but to a subset of functions&#xA;that have a particular signature consisting of return value type, number&#xA;and types of parameters and other function properties.&lt;/p&gt;&#xA;&lt;p&gt;Surely, this added metadata can somehow aid us in our reverse&#xA;engineering process. To see how, we&amp;rsquo;ll need to understand the&#xA;implementation details.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Film X-ray imaging for reverse engineering</title>
      <link>https://blog.29b.net/dispatches/film_xrays/</link>
      <pubDate>Tue, 23 Jan 2024 07:07:07 +0100</pubDate>
      <guid>https://blog.29b.net/dispatches/film_xrays/</guid>
      <description>&lt;p&gt;A cabinet x-ray machine is a handy tool for any reverse engineer of&#xA;electronics, but the price tag keeps convenient x-ray photography&#xA;beyond the reach of most hobbyists, particularly when the digital&#xA;sensor works.  In this lecture, we&amp;rsquo;ll show two film alternatives to&#xA;digital photography, generating x-ray pictures first with a proper&#xA;dark room under a red light and second with polaroid/fujiroid film in&#xA;the absence of wet chemistry.  We&amp;rsquo;ll also explain where film can be a&#xA;better alternative to a digital sensor, offering better resolution and&#xA;dynamic range at a much larger surface area.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Uncovering weaknesses in Apple macOS and VMware vCenter: 12 vulnerabilities in RPC implementation</title>
      <link>https://blog.29b.net/talos_archives/vmware_apple_msrpc/</link>
      <pubDate>Thu, 13 Jul 2023 07:13:37 +0000</pubDate>
      <guid>https://blog.29b.net/talos_archives/vmware_apple_msrpc/</guid>
      <description>&lt;p&gt;MSRPC implementations on macOS and vCenter are based on the same DCERPC codebase, forked at different times and modified to suit different use cases.&#xA;Uncovered issues fall into use-after-free, buffer-overflow, information leak and denial-of-service vulnerability classes. Some of these could be combined to achieve remote code execution or privilege escalation.&#xA;Apple has addressed all of the vulnerabilities on three separate occasions in their scheduled monthly updates in January, March and May 2023. VMware has addressed all reported issues in an update on June 22. Talos is now disclosing all these vulnerabilities in adherence to Cisco’s third-party vulnerability disclosure policy.&#xA;Approaching a target’s attack surface layer by layer, we show vulnerabilities that stem from single packet parsing, temporal vulnerabilities that require multiple interacting sessions and complex vulnerabilities that can only be reached by performing concrete and well-formed RPC calls.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Lytro Unlock - Making a bad camera slightly better</title>
      <link>https://blog.29b.net/dispatches/lytro_unlock/</link>
      <pubDate>Tue, 24 Jan 2023 07:07:07 +0100</pubDate>
      <guid>https://blog.29b.net/dispatches/lytro_unlock/</guid>
      <description>&lt;p&gt;I’ve recently spent some time playing with and reverse engineering this curious piece of tech that was a first consumer-oriented, though odd-looking, lightfield camera called Lytro. The killer feature of this new technology was the ability to refocus the image after it was taken!&#xA;The bad side was that the software was pretty bad, the camera was trying to solve a problem that didn’t exist and the whole endeavor mostly failed.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Rooting Bosch lcn2kai Headunit</title>
      <link>https://blog.29b.net/dispatches/bosch_headunit_root/</link>
      <pubDate>Thu, 19 Aug 2021 07:07:07 +0100</pubDate>
      <guid>https://blog.29b.net/dispatches/bosch_headunit_root/</guid>
      <description>&lt;p&gt;My Nissan Xterra came with a (for the time) modern head unit that has a touch screen, built-in navigation, backup camera display, multimedia features and smartphone connectivity. Some of the more advanced features are only available through the NissanConnect App, which requires registration and subscription. I&amp;rsquo;ve never used it and I&amp;rsquo;m not even sure if it&amp;rsquo;s still supported.&lt;/p&gt;&#xA;&lt;p&gt;Wouldn&amp;rsquo;t it be neat if we were able to get code execution on the device and even develop extensions and apps of our own?&lt;/p&gt;</description>
    </item>
    <item>
      <title>Vulnerability Spotlight: Multiple vulnerabilities in Pixar OpenUSD affect some versions of macOS</title>
      <link>https://blog.29b.net/talos_archives/pixar_macos_openusd/</link>
      <pubDate>Thu, 12 Nov 2020 07:13:37 +0000</pubDate>
      <guid>https://blog.29b.net/talos_archives/pixar_macos_openusd/</guid>
      <description>&lt;p&gt;Pixar OpenUSD contains multiple vulnerabilities that attackers could exploit to carry out a variety of malicious actions.&lt;/p&gt;&#xA;&lt;p&gt;OpenUSD stands for “Open Universal Scene Descriptor.” Pixar uses this software for several types of animation tasks, including swapping arbitrary 3-D scenes that are composed of many different elements. Aimed at professional animation studios, the software is designed for scalability and speed as a pipeline connecting various aspects of the digital animation process. It is mostly expected to process trusted inputs in most use cases. This stands at odds with security considerations.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Vulnerability Spotlight: Zoom Communications user enumeration</title>
      <link>https://blog.29b.net/talos_archives/zoom_story/</link>
      <pubDate>Tue, 21 Apr 2020 07:13:37 +0000</pubDate>
      <guid>https://blog.29b.net/talos_archives/zoom_story/</guid>
      <description>&lt;p&gt;Video conferencing and calling software has spiked in popularity as individuals across the globe are forced to stay home due to the COVID-19 pandemic. There are a plethora of players in this space, with one or two getting increased attention. One service in particular — Zoom — has received an enormous amount of attention from the media and users.&lt;/p&gt;&#xA;&lt;p&gt;Today, Cisco Talos is disclosing a user enumeration vulnerability in Zoom Communications that could allow a malicious user to obtain a complete list of Zoom users inside a specific organization. There has been a lot of discussion around what is and is not a vulnerability and what security features should exist in video conferencing software. This is not the purpose of this blog. This disclosure is made in accordance with our vulnerability disclosure policy, in the interests of ensuring the security and privacy of users at large against this information disclosure vulnerability.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Smart Response XE &amp; CC1101</title>
      <link>https://blog.29b.net/dispatches/srxe_cc1101/</link>
      <pubDate>Sat, 11 Jan 2020 07:07:07 +0100</pubDate>
      <guid>https://blog.29b.net/dispatches/srxe_cc1101/</guid>
      <description>&lt;p&gt;This project repurposes the Smart Response XE device for digital radio trickery by adding a CC1101 module to it.&#xA;The initial application is a proof-of-concept DAPNET pager receiver. It is currently at a very early stage and can only properly receive short frames.&lt;/p&gt;&#xA;&lt;p&gt;Additionally, there is a spectrum analyzer application showcased in the above photo.&lt;/p&gt;</description>
    </item>
    <item>
      <title>IPv6 unmasking via UPnP</title>
      <link>https://blog.29b.net/talos_archives/ipv6_via_upnp/</link>
      <pubDate>Mon, 18 Mar 2019 07:13:37 +0000</pubDate>
      <guid>https://blog.29b.net/talos_archives/ipv6_via_upnp/</guid>
      <description>&lt;p&gt;With tools such as ZMap and Masscan and general higher bandwidth availability, exhaustive internet-wide scans of full IPv4 address space have become the norm after it was once impractical. Projects like Shodan and Scans.io aggregate and publish frequently updated datasets of scan results for public analysis, giving researchers greater insight into the current state of the internet.&lt;/p&gt;&#xA;&lt;p&gt;While IPv4 is the norm, the use of IPv6 is on the rise. However, there&amp;rsquo;s been very little analysis on the most recent version of the internet protocol because it&amp;rsquo;s impossible to run exhaustive scans given the size of the address space. We need to deploy novel techniques to enumerate active IPv6 hosts.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Fast Cash for Useless Bugs!</title>
      <link>https://blog.29b.net/dispatches/useless/</link>
      <pubDate>Mon, 23 Oct 2017 07:13:37 +0000</pubDate>
      <guid>https://blog.29b.net/dispatches/useless/</guid>
      <description>&lt;p&gt;Every one of us who has ever looked at a piece of code looking for&#xA;vulnerabilities has ended up finding a number of situations which are&#xA;more than simple bugs but just a bit too benign to be called a&#xA;vulnerability. You know, those bugs that lead to process crashes&#xA;locally, but can&amp;rsquo;t be exploited for anything else, and don&amp;rsquo;t bring a&#xA;remote server down long enough to be called a Denial Of Service.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Memcached - A Story of Failed Patching &amp; Vulnerable Servers</title>
      <link>https://blog.29b.net/talos_archives/memcached_version_scans/</link>
      <pubDate>Mon, 17 Jul 2017 07:13:37 +0000</pubDate>
      <guid>https://blog.29b.net/talos_archives/memcached_version_scans/</guid>
      <description>&lt;p&gt;In October last year, we performed a source code audit of Memcached server and identified three distinct but similar vulnerabilities. All three are in the implementation of the binary protocol. Two vulnerabilities lie in the part of the code dealing with adding and updating cached objects, while the third is in the aforementioned SASL authentication mechanism. All three vulnerabilities are due to integer overflows leading to controlled heap buffer overflows and due to the nature of the protocol can be abused for sensitive memory disclosure which can lead to straightforward and reliable exploitation.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Stack Smashing Protection Bypass - Exploiting MiniUPnP</title>
      <link>https://blog.29b.net/talos_archives/stack_smashing/</link>
      <pubDate>Wed, 27 Jan 2016 07:13:37 +0000</pubDate>
      <guid>https://blog.29b.net/talos_archives/stack_smashing/</guid>
      <description>&lt;p&gt;MiniUPnP is commonly used to allow two devices which are behind NAT firewalls to communicate with each other by opening connections in each of the firewalls, commonly known as “hole punching”. Various software implementations of this technique enable various peer-to-peer software applications, such as Tor and cryptocurrency miners and wallets, to operate on the network.&lt;/p&gt;&#xA;&lt;p&gt;In 2015 Talos identified and reported a buffer overflow vulnerability in the client-side code of the popular MiniUPnP library. The vulnerability was promptly fixed by the vendor and was assigned TALOS-CAN-0035 as well as CVE-2015-6031. Martin Zeiser and Aleksandar Nikolic subsequently gave a talk at PacSec 2015 (&amp;ldquo;Universal Pwn n Play&amp;rdquo;) about the client-side attack surface of UPnP and this vulnerability was part of it.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
