
Apple Time Capsule Firmware hacking

Topic created on: August 27, 2011 19:57 CDT by ipatch.

I presently own an Apple Time Capsule, and have been wondering why no one has rooted this device yet (kind of). There seems to be plenty of potential for this device, but nobody has shown any interest in rooting it. I currently located the FW image and a signature file while messing around with the Airport Utility, but I am not sure if the FW image is encrypted, compressed, or both, along with the signature file. Viewing the two files in a hex editor did not reveal much other than a string in the .basebinary file saying Apple Firmware. I am wondering what would be the next logical step to getting this device rooted.

Secondly, I thought a way to view the FW would be to see if the file is decrypted/uncompressed when the firmware is uploaded to the Time Capsule, but I have no idea how I would view something like that while the Airport Utility is uploading the firmware. Maybe use a program like "memorize" to view the contents of the memory on the system that is uploading the FW?

Anyways, this is something I am really interested in, and if anyone has any thoughts please let me know.

FW
http://ipatch.penguinmilitia.net/wiki/File:7_5_2.basebinary

Signature
http://ipatch.penguinmilitia.net/wiki/File:7_5_2.signature

NirIzr, September 17, 2011 10:06.28 CDT
You can check its entropy for a basic sense of whether it's packed/compressed/encrypted, but you might want to calculate the entropy for parts of the file separately.

You could reverse the firmware loader just as well to see if it's encrypting/decrypting etc., but bear in mind there's a possibility of an OTP (one time programmable) chip to decrypt (and verify the signature of) the image while it's being loaded by the device; but in that case it's most likely the signature would be embedded in the firmware base file...

I don't know the Apple Time Capsule, but most Apple stuff is too expensive to hack while there are other available devices that have the same hardware for a better price.
If you only want to hack it, use a cheaper manufacturer; with Apple you pay a lot for the software, GUI and brand...

I'd be interested to hear how it goes, feel free to contact me by email for updates and more questions..
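NirIzr's suggestion of measuring entropy over parts of the file separately, shown as an added example that is not code from either poster: a block-wise Shannon entropy scan in Python. The sample image, the classification thresholds and all function names are constructed assumptions for illustration; the real .basebinary is not included.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return sum(-(c / n) * math.log2(c / n) for c in Counter(data).values())


def block_entropy(data: bytes, block_size: int = 1024):
    """Entropy of each fixed-size block, as (offset, entropy) pairs."""
    return [(off, shannon_entropy(data[off:off + block_size]))
            for off in range(0, len(data), block_size)]


def classify(entropy: float) -> str:
    """Heuristic labels; the thresholds are rules of thumb, not hard boundaries."""
    if entropy < 1.0:
        return "padding/sparse"
    if entropy < 7.0:
        return "code/data/text (uncompressed)"
    return "compressed or encrypted"


def build_sample_image() -> bytes:
    """Constructed stand-in for a firmware image; not real Apple data."""
    header = (b"Apple Firmware\x00" + bytes(16)).ljust(1024, b"\x00")  # ASCII string then zeros
    rng = random.Random(7)  # seeded so the high-entropy region is reproducible
    payload = bytes(rng.getrandbits(8) for _ in range(3072))  # mimics packed/encrypted data
    return header + payload + bytes(1024)  # trailing zero padding


def analyse(data: bytes, block_size: int = 1024):
    """Per-block (offset, rounded entropy, label) so regions can be told apart."""
    return [(off, round(e, 2), classify(e)) for off, e in block_entropy(data, block_size)]


if __name__ == "__main__":
    image = build_sample_image()
    print(f"whole file: {shannon_entropy(image):.2f} bits/byte")
    for off, e, label in analyse(image):
        print(f"0x{off:06x}  {e:5.2f}  {label}")
```

Replace `build_sample_image()` with the bytes of the real file to scan it; a whole-file figure hides a plain-text header sitting in front of an encrypted body, which is exactly why the per-block view matters.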
