Flag: Tornado! Hurricane!

 Forums >>  Target Specific - General  >>  Apple Time Capsule Firmware hacking

Topic created on: August 27, 2011 19:57 CDT by ipatch .

I presently own an Apple Time Capsule, and have been wondering why no one has rooted this device yet (kind of).  There seems to be plenty of potential for this device but nobody has shown any interest in rooting.  I currently located the FW image and a signature file while messing around with the Airport Utility, but I am not sure if the FW image is encrypted, compressed, or both along with the signature file.  Viewing the two files in a hex editor did not reveal much other than a string in the .basebinary file saying Apple Firmware.  I am wondering what would be next logical step to getting this device rooted.

Secondly, I thought a way to view the FW would be to see if the file is decrypted/uncompressed when the firmware is uploaded to the Time Capsule but I have no idea how I would view something like that while the Airport Utility is uploading the firmware.  Maybe use a program like "memorize" to view the contents of the memory on the system that is uploading the FW?

Anyways, this is something I am really interested in, and if  anyone has any thoughts please let me know.

FW
http://ipatch.penguinmilitia.net/wiki/File:7_5_2.basebinary

Signature
http://ipatch.penguinmilitia.net/wiki/File:7_5_2.signature

  NirIzr     September 17, 2011 10:06.28 CDT
you can check its entropy for a basic sense if its packed\compressed\encrypted.. but you might want to calculate the entropy for parts of the file separately.

you could reverse the firmware loader just as well to see if its encrypting\decrypting etc... but bare in mind there's a possibility to have a OTP (one time programmable)chip to decrypt(and verify signature) the image while its being loaded by the device, but in that case it's most likely the signature would be embedded in the firmware base file...

i don't know the apple time capsule but most apple stuff is too expansive to hack while there are other available devices that have the same hardware but for a better price.
if you only want to hack it, use a cheaper manufacturer with apple you pay a lot for the software, GUI and brand...

I'd be interested to hear how it goes, feel free to contact me by email for updates and more questions..

Note: Registration is required to post to the forums.

There are 31,099 total registered users.


Recently Created Topics
How to view IDA Pro'...
Nov/02
reverse MC9S12DG128
Oct/07
Looking for an advan...
Mar/21
Ultimate Hacking Cha...
Jun/21
CreateMutex
May/31
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15


Recent Forum Posts
Looking for an advan...
tthtlc
Looking for an advan...
tthtlc
Looking for an advan...
clightning
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo


Recent Blog Entries
nieo
Mar/22
Android Application Reversing

halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit