Saturday, September 14, 2013

STM32 Firmware Loader

For some of my hobby projects I'm using STM32 MCU. To make my life easier when loading different firmwares I created this simple STM32 Firmware Loader.

Using a software USB boot-loader has some disadvantages:

  • It has to occupy some part of the user Flash, which leads to less available Flash memory (usually a whole page)

  • it is difficult (or impossible) to protect it from accidental erase or data corruption.

  • the user firmware has to be build with the boot-loader in mind

  • it has to have own USB PID/VID. Having a VID is a little bit expensive, especially for small hobby projects.

The solution I have is to use the STM32 internal loader. This allows me to use the whole Flash memory for my user code. On top of that I have some more flexibility with this solution - I have a control over the hardware reset pin from the software.

However, all it comes at a price - an external components are needed. The schematic is very simple. A popular FTDI FT232 USB-to-UART converter is used.

Two GPIO from FT232 are used to control STM32_RESET and STM32_BMODE pins, and two pins for UART communication.


Operation is simple - when a firmware has to be loaded, the boot mode pin is set to enable the internal boot-loader and a hardware reset is issued. The STM32 goes to boot-loader mode. Via UART the new firmware is loaded, the boot pin is set to a state to enable user code execution and the STM32 is reset again. At this point the new firmware gets executed.

The source code can be found on The GUI is based on Qt.

Subscribe for our NewsLetter!

Wednesday, September 11, 2013

gnome-mplayer remote with qt and libssh2

This is project I've created some time ago for gnome-mplayer remote control. It uses qt as a GUI, libssh2 for ssh communication and dbus to control the player.

The plan was to put all those peaces together and make a remote control for this media player. I started a project, which you can find here:

The remote control uses dbus commands over ssh to control the gnome-mplayer.

First thing is to connect to the host and establish ssh connection and get ansi terminal. It's nice to use a terminal as we can see when the command is completed. For this I'm using a little trick - I'm changing the prompt string. Once I receive this string I know the command is executed.

The first command is to set the xorg display environment variable:
"export DISPLAY=:0\n"

To check if there is gnome-mplayer running I'm using the following code. It checks the running processes for 'gnome-mplayer' and gets their PIDs.
"pgrep gnome-mplayer\n"

QString s = "$(tr '\' '\\n' < /proc/$(pgrep gnome-mplayer | head -1 )/environ | sed -e 's/^/export /')\n";
  execSSHCmd((char*)s.toUtf8().constData(),s.size(), buf, 0);
  execSSHCmd((char*)s.toUtf8().constData(),s.size(), buf, 0);

To get the files and folders I'm using 'ls' command. The only difference is that I force the output to be an entry per line (-1) and no colours (--color=none). It makes much easier the output parsing.
"ls -1 --color=none\n"

The other part of the code is pretty straight forward. It uses the gnome-mplayer dbus messages to control the player.

The nice thing is that it is very easy to open and close the player as well as navigate the the desired media file and play it.

You can download the code and use it without any restrictions. However, I'll appreciate if you leave a feedback or if you send me any modifications you've made.

I hope you find it useful.

Subscribe for our NewsLetter!

Monday, September 9, 2013

GSM Security - attacks on the GSM protocols

file000612993608GSM Security is getting more important. There are many successful attacks on GSM communication reported recently. And the list keeps growing. Today is extremely easy to get access to a technology which allows you to record GSM session and possible decrypt it.

In this article I will mention some of the early attempts to decypher the GSM communication. However, there are projects explaining in more details about the GSM attack itself (like and providing more information.

Many GSM users rely on the GSM cryptographic system to transfer information securely. Since the late 80's, when GSM network become popular, its cryptographic system is a subject of many attacks. The first attacks on A5 algorithm are purely theoretical but recently there are reports for some successful practical attacks too. The rainbow table attack is one of the most successful attacks on A5 algorithm. Using this approach breaking the cipher is possible within a minute if few packets of cipher text are available. The rainbow tables size is few terabytes, but that is not a problem those days. Furthermore, this method allows using different size of the rainbow tables, which lead to different calculation time breaking the cipher.

The new 3G mobile network uses more advanced KASUMI cipher. Even the KASUMI is better than the old A5 cipher, its implementation makes it weaker than MISTY1. There are also a few attacks on KASUMI which are not applicable on the original MISTY1 cypher.

There are many attacks and cryptanalysis of the A3/A8, COMP128 and A5 algorithms.

A5/1 is developed in 1987, and A5/2 - in 1989. Both protocols are kept secret. However the algorithms ware entirely reverse engineered in 1999 by Marc Briceno from GSM telephone and A5/2 was broken at the same time.

A5/1 was broken on academic level in 1997, but the firs attack on the real cipher is in 2000 by  Alex Biryukov, Adi Shamir and David Wagner.

In 2003, Barkan et al. published several attacks on GSM encryption. The first is an active attack. GSM phones can be convinced to use the much weaker A5/2 cipher briefly. A5/2 can be broken easily, and the phone uses the same key as for the stronger A5/1 algorithm. A second attack on A5/1 is outlined, a ciphertext-only time-memory tradeoff attack which requires a large amount of pre computation.

In 2006, Elad Barkan, Eli Biham, Nathan Keller published the full version of their 2003 paper, with attacks against A5/X Ciphers. A precomputed table is used to attack A5/2 and the key can be found in less than a second on a personal computer using one packet of encrypted information.

In 2007 Universities of Bochum and Kiel started a research project to create a massively parallel FPGA based crypto accelerator COPACOBANA. COPACOBANA was the first commercially available solution using fast time-memory trade-off techniques that could be used to attack the popular A5/1 and A5/2 algorithms, used in GSM voice encryption, as well as the Data Encryption Standard (DES). It also enables brute force attacks against GSM eliminating the need of large precomputed look-up tables.

In 2008, the group The Hackers Choice launched a project to develop a practical attack on A5/1. The attack requires the construction of a large look-up table of approximately 3 terabytes. Together with the scanning capabilities developed as part of the sister project, the group expected to be able to record any GSM call or SMS encrypted with A5/1, and within about 3–5 minutes derive the encryption key and hence listen to the call and read the SMS in clear. But the tables weren't released.

A similar effort, the A5/1 Cracking Project, was announced at the 2009 Black Hat security conference by cryptographers Karsten Nohl and Sascha Krißler. It created the look-up tables using Nvidia GPGPUs via a peer-to-peer distributed computing architecture. Starting in the middle of September 2009, the project ran the equivalent of 12 Nvidia GeForce GTX 260. According to the authors, the approach can be used on any cipher with key size up to 64-bits.

In December 2009, the A5/1 Cracking Project attack tables for A5/1 were announced by Chris Paget and Karsten Nohl[8]. The tables use a combination of compression techniques, including rainbow tables and distinguished point chains. These tables constituted only parts of the 2TB completed table, and had been computed during three months using 40 distributed CUDA nodes, and then published over BitTorrent. More recently the project has announced a switch to faster ATI Evergreen (GPU family) code, together with a change in the format of the tables and Frank A. Stevenson announced breaks of A5/1 using the ATI generated tables.

There are some theoretical attacks on KASUMI. In 2001, an impossible differential attack on six rounds of KASUMI was presented by Kühn (2001).

In 2005, Israeli researchers Eli Biham, Orr Dunkelman and Nathan Keller published a related-key rectangle (boomerang) attack on KASUMI that can break all 8 rounds faster than exhaustive search. The attack requires 254.6 chosen plain texts, each of which has been encrypted under one of four related keys, and has a time complexity equivalent to 276.1 KASUMI encryptions. While this is not a practical attack, it invalidates some proofs about the security of the 3GPP protocols that had relied on the presumed strength of KASUMI.

In 2010, Dunkleman, Keller and Shamir published a new attack that allows to recover a full A5/3 key by related-key attack. The time and space complexities of the attack are low enough that the authors carried out the attack in two hours on a modest desktop computer even using the unoptimised reference KASUMI implementation. The authors note that this attack may not be applicable to the way A5/3 is used in 3G systems; their main purpose was to discredit 3GPP's assurances that their changes to MISTY wouldn't significantly impact the security of the algorithm.

Some time ago I created an article about GSM communication protocol and the attempts to be compromised.

Subscribe to the security newsletter and get the file.

Monday, August 12, 2013

Media SSH Remote Control with Qt and libssh2

After setting up a media center from an old laptop and building libssh2 library with Visual Studio 2010 it's a time to  go a step further and add a simple remote control for the gnome-mplayer - the  SSH Remote Control with Qt and libssh2.

Gnome-mplayer supports many media formats and is very lightweight - runs smoothly on a low end machines. A nice feature of this player is that it can be controlled remotely via ssh using dbus commands.

Using dbus commands over SSH has many advantages:

  • SSH is secure

  • Can access files and folders

  • Easy to implement (thanks to libssh2 library)

I made a simple Qt project to demonstrate remote control for gnome-mplayer using dbus commands over ssh. The project source code for this Media SSH Remote Control with Qt and libssh2 can be found here.

Please, leave your feedback.

Sunday, July 7, 2013

Build libssh2 on Visual Studio 2010


In this post I'd like to show you few easy steps how to build libssh2 library with Microsoft Visual Studio 2010.

Recently I started a project which require SSH connection to a server. I've tried few libraries which provide SSH support and libssh2 seems to feet my need the best. It's portable, easy to work with (even the documentation is not great) and has a SSH client support.

Unfortunately the libssh2 comes only as a source code, but fortunately it's very easy to build. The setup I'm using is Microsoft Visual Studio 2010 on Windows 7 64bit.

Even I'm on 64 bit machine I'll build 32 bit version of libssh2. It's easier that way.

Download the sources

First we have to download the sources. The current version is 1.4.3 and can be downloaded from libssh2 website here.

Next in Visual Studio, File->Open->Project/Solution and navigate to libssh-1.4.3\win32. Open libssh2.dsw. The Visual Studio will ask to convert it to 2010 workspace file format. Say YES.

After the it is converted there should be 2 projects in the workspace:

  • libssh2 - the library

  • tests - asimple test application which uses the libssh2 library file created by libssh2 project.

Additional libraries needed

  • openssl can be downloaded from here

  • zlib an be downloaded from here

Both have to be 32 bit as we are going to build 32 bit version of the libssh2.


First thing first - build the library

  1. On the libssh2 project properties C/C++->General->Additional Include Directories add '<path to openssl>\include'.

  2. Go to libssh2_priv.h(43) and comment out the line [sourcecode language="plain"]#define LIBSSH2_LIBRARY[/sourcecode]

  3. libssh2 project properties C/C++->Preprocessor->Preprocessor Definitions and add 'LIBSSH2_LIBRARY'.

 Build the 'test' project

  1. test project properties Linker->General->Output File replace with '%(OutputFile)'

  2. test project properties Linker->General->Additional Library Directories add:

    • '<path to openssl>\lib'

    • '<path to zlib>\static32'. Make sure you rename 'zlibstat.lib' to 'zlib.lib' within this folder as we reference to 'zlib'lib.

    • <path to libssh2.lib>. In my case it is '.\Debug_lib'.

  3. test project properties Linker->Input->Additional Dependencies add zlib.lib and libeay32.lib.

  4. test project properties Debugging->Command and change to '$(OutputPath)\$(TargetFileName)'

  5. test project properties Debugging->Working Directory and change to '$(OutputPath)'

  6. Now if you build you'll probably get:

[sourcecode language="plain"]
simple.obj : error LNK2019: unresolved external symbol __imp__libssh2_exit referenced in function _main
simple.obj : error LNK2019: unresolved external symbol __imp__libssh2_session_free referenced in function _main
simple.obj : error LNK2019: unresolved external symbol __imp__libssh2_session_init_ex referenced in function _main
simple.obj : error LNK2019: unresolved external symbol __imp__libssh2_init referenced in function _main
simple.obj : error LNK2019: unresolved external symbol __imp__libssh2_base64_decode referenced in function _test_libssh2_base64_decode

Go to 'test' project properties C/C++->Preprocessor->Preprocessor Definitions and remove 'LIBSSH2_WIN32'

That's it. Build and Enjoy.

Subscribe for our NewsLetter!

Thursday, July 4, 2013

When will be the next financial crisis?

© Iacobut | Dreamstime Stock Photos & Stock Free Images

Everyone would like to know the answer to this question, but can the next financial crisis be predicted? Wouldn't it be nice if you know in advance and prepare? Even better - you can take advantage of it. ...but what will happen if everybody knows and try to take advantage of it?

It looks like that Didier Sornette has developed a way How we can predict the next financial crisis.

You can watch the video on TED website.

Wednesday, July 3, 2013

Make use of your old Assus EEE PC h1101ha laptop

asus-eee-pc-1101HA-seashellLong time I'm thinking what I can do with an old h1101ha laptop. I didn't want to throw it in the bin, despite the fact it has no working battery anymore.
There few things coming to my mind I can use it for:

- make home automation system

- video player

- network storage

Home automation system is a cool thing and there are many open source software products available. The drawback is that some investments of time and money are needed for all the sensors, actuators, switches and connections. That's the main reason I left this project for later.

The other two – network storage and video player look very straight forward. Just have to install any Linux and that's it. …or is it?

After some research I decided I'll go for Ubuntu. The latest version 13 seems OK. Ubuntu has pretty good support and nice GUI. The only thing I'll have to do after installing it is to set-up the samba server and the XBMC media center.

After installing Ubuntu 13 on the Assus EEE PC it turned out it's not usable. It runs so slowly, that I hardly move the mouse pointer. The fancy desktop manager in the latest Ubuntu is so heavy, that it consumes all the resources of the laptop. It has to be replaced.

The LXDE seems to be the right choice. It runs smoothly on this machine, but the video playback is not the best I've seen. Especially youtube videos.

The next step was to get rid of Ubuntu and try something else – Debian with LXDE desktop. I downloaded the latest Debian Wheezy with LXDE desktop image. It worked much faster, and the playback was good. The problem was that the external monitor didn't run on properly. The xorg modesetting driver made me troubles and the GMA500 (pulsbo) video driver as well.

Again I decided to try one more time. This time with lubuntu. It is a Ubuntu with LXDE desktop. It's lightweight and is based on the latest Ubuntu 13.04 and has the latest xorg.

So far it looks that's the right version.