Wednesday, October 2, 2013

Step by step guide - Beagle Bone Black voice recognition on an LED matrix

So after I got a BeagleBone Black to output voice recognition to an LED matrix, I thought I would post a "How-to" guide so you can make one yourself.

NOTE: If at any point you find yourself confused by a technical term, try to google it. If you are still having trouble, or you would like me to make something in this post clearer, add a comment and I will follow up on it :)

First, the materials. Make sure you have all of these before you start:
1. BeagleBone Black
2. USB audio card - I narrowed it down for you ($1-$3)
3. Microphone - the smaller the better
4. MicroSD card, 8GB
5. Adafruit I2C LED Backpack - I used green.
6. Male-to-female jumper wires - you will need at least 4
7. Internet connection - I used a LAN cable to keep it simple.

Step 1: Setting up the Angstrom distro on the Beagle
Use this tutorial to create an Angstrom image on the MicroSD card.
Next, plug the card into the BeagleBone and boot into the new OS; make sure you have the USB cable connected.
Once all this is done, open up your COM port and log in as root. Once you get a shell, proceed to the next step.

Step 2: Setting up pocketsphinx
Plug the LAN cable into your BeagleBone. If you have WiFi, good for you; just use a hub so the USB audio card can be plugged in later.
Follow these steps:

  1. Run "opkg update".
  2. Run "opkg install python-distutils".
  3. From here (!topic/beagleboard/aBznzq_bNuU) follow these steps:
    1. Install libasound2, alsa-dev and alsa-lib-dev before compiling sphinxbase and pocketsphinx.
    2. Get sphinxbase-0.8 and pocketsphinx-0.8 from and extract the tar files.
    3. Change directory to the sphinxbase directory.
    4. Run "./" to generate the configure file.
    5. If needed, run "./configure".
    6. Run "make".
    7. Run "make install".
    8. Change directory to the pocketsphinx directory and redo steps 4, 5, 6 and 7.
  4. To check that the pocketsphinx installation worked, power off the BeagleBone, make sure the USB audio card is plugged in, and power it on again.
  5. Run this command to do a quick test:
     "pocketsphinx_continuous -adcdev hw:1,0 -nfft 2048 -samprate 48000 2>/dev/null"
     Note: hw:1,0 is the hw node of your USB audio card.

Step 3: Setting up the environment for the Adafruit LED Backpack
To set up the Adafruit libraries and files:
1. Run "opkg install python-pip python-setuptools python-smbus".
2. Run "pip install Adafruit_BBIO".

Step 4: Connect the LED Backpack to the BeagleBone
Swap P8 and P9 in this image; the person who created it mixed them up.
We will only use the left side header (P8 in this photo).

Connect the LED Backpack like this:
LED Backpack VCC --> PIN 7  SYS_5V
LED Backpack GND --> PIN 1  DGND
LED Backpack SDA --> PIN 20 I2C2_SDA
LED Backpack SCL --> PIN 19 I2C2_SCL

Step 5: Setting up the code
Copy these files over to your BeagleBone. I put them in ~/Desktop/ but you can choose wherever.
  1. - From the Adafruit Raspberry Pi example code
  2. - From the Adafruit Raspberry Pi example code, modified to use I2C 1 on the BeagleBone.
  3. - From the Adafruit Raspberry Pi example code.
  4. - My code to run PocketSphinx and display the output on the LED Backpack
Once copied, simply run "python" and watch the magic :)

Feel free to modify my code in any way you want, but do not use it to make money.
Share it, don't sell it.

Here is a picture of my final version:

Sunday, September 15, 2013

BeagleBone Black based voice recognition on an LED Matrix.

A little over a month ago I was at the BrainSilo hacker space in Portland with some friends.
We were playing around with our HackRF Jawbreaker boards; after a while we got bored and started chatting and throwing crazy ideas around. I had gotten a BeagleBone Black at Defcon and I really wanted to do something with it.

And so one of the ideas was:
"Let's have the BeagleBone do speech recognition and output it on an LED matrix, see how it messes up, and laugh at it"
So far so good; it seemed like a fun thing for us geeks to do, so I decided to try it. It is the kind of challenge that won't take too much of my time.

At this point I only had the BeagleBone and nothing else, so I started with the largest hurdle: running voice recognition on the BBB (from this point on I will refer to the BeagleBone Black as BBB).
So I searched the web looking for solutions. One of them was Texas Instruments' Embedded Speech Recognition solution, which recently went open source, yet oddly requires you to register and wait to be approved as a member before you even get to see a byte of code.
That turned out to be a bust: WAY too complicated to build, run and extend for a lazy hacker like me. I want something that is scripting-language friendly and will run without fancy compile tricks.

I turned to the internet again and looked for Python-based or Python-friendly voice recognition options. One of them was pocketsphinx, which also happens to run on the BBB almost smoothly. Why almost smoothly?
Well, because the Python side of Sphinx never worked for me, so I had to do an ugly hack which I will explain later.

Anyway, now I had pocketsphinx running on the BBB with this command line:
pocketsphinx_continuous -adcdev hw:1,0 -nfft 2048 -samprate 48000 2>/dev/null
(Using a USB sound card off eBay, I connected a microphone to the BBB.)

So at this point I had in my hands a BBB with fairly decent voice recognition software that actually runs!

The next step was to have the BBB display text on an LED matrix.
I looked into a few solutions: an SPI-based controller combined with an LED matrix, which didn't really work on the BBB, and because I didn't want to spend too much time re-coding SPI on the BBB I moved on to an I2C-based controller.
I found the right one at Adafruit: the I2C LED Backpack was perfect, it had code examples in Python and someone was already using it on the BBB.

But I could not find code for displaying scrolling text, or any text for that matter...
I had no choice but to do some coding. My code is at the bottom of this post; I could not upload a .py file, so I just pasted the code there.

The last step was to combine the two. This is where the ugly hack comes into view: I used Python to run pocketsphinx on the command line, read its stdout stream, parse it, and display the result on the LED matrix.
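An added example (not the author's script) of the stdout parsing this hack relies on, run over a constructed sample of pocketsphinx_continuous output; it generalizes the three substring checks into a line classifier and shows why stderr had to be discarded.

```python
import re

# Constructed sample of what pocketsphinx_continuous 0.8 prints on stdout,
# with one stderr-style INFO line mixed in to show the colon pitfall.
SAMPLE_OUTPUT = """\
READY....
Listening...
Stopped listening, please wait...
000000000: HELLO WORLD
READY....
Listening...
Stopped listening, please wait...
000000001: PREPARE TO DIE
INFO: ngram_search.c(1045): bestpath 0.05 CPU 0.123 xRT
"""

# A real hypothesis line is "<9-digit utterance id>: <words>".
HYPOTHESIS_RE = re.compile(r'^(\d{9}):\s*(.*)$')


def classify(line):
    """Map one stdout line to (kind, payload).

    kind is 'ready', 'wait', 'hypothesis' or 'other'.  Matching ':' anywhere
    in the line, as the original script does, would also fire on decoder
    INFO lines, which is why the command redirects stderr to /dev/null.
    """
    line = line.rstrip()
    m = HYPOTHESIS_RE.match(line)
    if m:
        return ('hypothesis', m.group(2))
    if 'READY' in line:
        return ('ready', None)
    if 'please wait' in line:
        return ('wait', None)
    return ('other', line)


def hypotheses(stream):
    """Return the recognised utterances, in order, from a whole stdout stream."""
    return [payload for kind, payload in
            (classify(l) for l in stream.splitlines()) if kind == 'hypothesis']
```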

The BBB runs the Angstrom distro completely unmodified: just download and use.
pocketsphinx 0.8

Demo Video -

All I did was hack a few things together; a lot of work has been done on each ingredient that led to this result. Without Adafruit and their code, and Pocket-Sphinx and their implementation working on the BBB, this could not have worked.
I went through many links on the internets, with many forum posts and suggested solutions to the many problems I encountered. I apologize for not listing them all.
The code I wrote is posted here under the "do not be a douche" license, meaning you can use it, but don't try to make any profit off it.
Hope you liked this thing!

import time
import datetime
import math
from Adafruit_8x8 import EightByEight
import sys, select, subprocess

# Python 2, like the Adafruit library of the time. Bodies that were lost
# from the post are reconstructed from the surrounding comments.
grid = EightByEight(address=0x70)

#print "Press CTRL+Z to exit"
# 5x7 font: five column bytes per glyph, bit 0 is the top row of the glyph.
AZ = [0x7E, 0x11, 0x11, 0x11, 0x7E,   #  A
      0x7F, 0x49, 0x49, 0x49, 0x36,   #  B
      0x3E, 0x41, 0x41, 0x41, 0x22,   #  C
      0x7F, 0x41, 0x41, 0x22, 0x1C,   #  D
      0x7F, 0x49, 0x49, 0x49, 0x41,   #  E
      0x7F, 0x09, 0x09, 0x01, 0x01,   #  F
      0x3E, 0x41, 0x41, 0x51, 0x32,   #  G
      0x7F, 0x08, 0x08, 0x08, 0x7F,   #  H
      0x00, 0x41, 0x7F, 0x41, 0x00,   #  I
      0x20, 0x40, 0x41, 0x3F, 0x01,   #  J
      0x7F, 0x08, 0x14, 0x22, 0x41,   #  K
      0x7F, 0x40, 0x40, 0x40, 0x40,   #  L
      0x7F, 0x02, 0x04, 0x02, 0x7F,   #  M
      0x7F, 0x04, 0x08, 0x10, 0x7F,   #  N
      0x3E, 0x41, 0x41, 0x41, 0x3E,   #  O
      0x7F, 0x09, 0x09, 0x09, 0x06,   #  P
      0x3E, 0x41, 0x51, 0x21, 0x5E,   #  Q
      0x7F, 0x09, 0x19, 0x29, 0x46,   #  R
      0x46, 0x49, 0x49, 0x49, 0x31,   #  S
      0x01, 0x01, 0x7F, 0x01, 0x01,   #  T
      0x3F, 0x40, 0x40, 0x40, 0x3F,   #  U
      0x1F, 0x20, 0x40, 0x20, 0x1F,   #  V
      0x7F, 0x20, 0x18, 0x20, 0x7F,   #  W
      0x63, 0x14, 0x08, 0x14, 0x63,   #  X
      0x03, 0x04, 0x78, 0x04, 0x03,   #  Y
      0x61, 0x51, 0x49, 0x45, 0x43]   #  Z

az = [0x20, 0x54, 0x54, 0x54, 0x78,   #  a
      0x7F, 0x48, 0x44, 0x44, 0x38,   #  b
      0x38, 0x44, 0x44, 0x44, 0x20,   #  c
      0x38, 0x44, 0x44, 0x48, 0x7F,   #  d
      0x38, 0x54, 0x54, 0x54, 0x18,   #  e
      0x08, 0x7E, 0x09, 0x01, 0x02,   #  f
      0x08, 0x14, 0x54, 0x54, 0x3C,   #  g
      0x7F, 0x08, 0x04, 0x04, 0x78,   #  h
      0x00, 0x44, 0x7D, 0x40, 0x00,   #  i
      0x20, 0x40, 0x44, 0x3D, 0x00,   #  j
      0x00, 0x7F, 0x10, 0x28, 0x44,   #  k
      0x00, 0x41, 0x7F, 0x40, 0x00,   #  l
      0x7C, 0x04, 0x18, 0x04, 0x78,   #  m
      0x7C, 0x08, 0x04, 0x04, 0x78,   #  n
      0x38, 0x44, 0x44, 0x44, 0x38,   #  o
      0x7C, 0x14, 0x14, 0x14, 0x08,   #  p
      0x08, 0x14, 0x14, 0x18, 0x7C,   #  q
      0x7C, 0x08, 0x04, 0x04, 0x08,   #  r
      0x48, 0x54, 0x54, 0x54, 0x20,   #  s
      0x04, 0x3F, 0x44, 0x40, 0x20,   #  t
      0x3C, 0x40, 0x40, 0x20, 0x7C,   #  u
      0x1C, 0x20, 0x40, 0x20, 0x1C,   #  v
      0x3C, 0x40, 0x30, 0x40, 0x3C,   #  w
      0x44, 0x28, 0x10, 0x28, 0x44,   #  x
      0x0C, 0x50, 0x50, 0x50, 0x3C,   #  y
      0x44, 0x64, 0x54, 0x4C, 0x44]   #  z
space = [0x00, 0x00, 0x00, 0x00, 0x00]  # ' '  ord = 32
dot = [0x00, 0x60, 0x60, 0x00, 0x00]    # '.'  ord = 46


def main():
    # Leftover counter test from development; nothing below calls it.
    i = 0
    while i < 130:
        print(i)
        i += 1


def runstring(text):
    #ord a = 97 ==> first element in the array, 97 == 0 98 == 5
    # i.e. glyph n of a font table starts at index 5*n.
    #print text
    scroll = []
    #first append empty 8 columns, so the text scrolls in from the edge
    scroll += [0x00] * 8
    for c in text:
        #print ord(c)
        num = ord(c)
        if (num > 64) and (num < 123):  # is a letter
            #Build a scrolling string
            if num in range(65, 91):      # 'A'..'Z' (65..90 inclusive)
                #print 'CAPITAL'
                idx = (num - 65) * 5
                scroll += AZ[idx:idx + 5]
            elif num in range(97, 123):   # 'a'..'z'
                #print 'regular'
                idx = (num - 97) * 5
                scroll += az[idx:idx + 5]
            else:                         # '[' .. '`' have no glyph
                scroll += space
            scroll += [0x00]              # one blank column between glyphs
        elif num == 46:                   # '.'
            scroll += dot + [0x00]
        else:                             # space and anything else undrawn
            scroll += space + [0x00]
    #end with empty 8 columns, so the last letter scrolls off
    scroll += [0x00] * 8
    # Slide an 8-column window over the buffer. Each column byte is written
    # as one row of the backpack, so the matrix is mounted turned on its side.
    i = 0
    while i <= len(scroll) - 8:
        try:
            for row in range(8):
                grid.writeRowRaw(row, scroll[i + row])
            time.sleep(0.1)
        except Exception:
            #print 'exception'
            pass   # a failed I2C write should not stop the scroll
        i += 1
    #print 'end of func'
#runstring("Hello My name is Inigo Montoya. You killed my father. Prepare to die")

# Run pocketsphinx and read its stdout line by line; stderr is discarded
# because the decoder's INFO lines also contain ':' and would be mis-parsed.
proc = subprocess.Popen(['sh', '-c', 'pocketsphinx_continuous -adcdev hw:1,0 -nfft 2048 -samprate 48000 2>/dev/null'], stdout=subprocess.PIPE)
while True:
    line = proc.stdout.readline()
    if not line:
        break   # EOF: pocketsphinx exited
    #the real code does filtering here
    output = line.rstrip()
    print(output)
    if len(output.split("READY")) > 1:
        runstring("Ready")        # decoder is listening again (reconstructed)
    if len(output.split("please wait")) > 1:
        runstring("Please wait")
    if len(output.split(":")) > 1:
        # pocketsphinx_continuous prints "<utterance id>: <hypothesis>"
        runstring(output.split(":", 1)[1].strip())


Tuesday, July 9, 2013

Example - Reporting a security vulnerability when there is no clear security contact

Today I wanted to report an authentication bypass vulnerability in a router to its vendor.
I went online to the company's web site and looked for any contact info; the only thing I found was a "live chat" option. At this point I stopped and thought to myself, "Why the hell not?"

Just to clarify, the support person I was chatting with did his very best to do his job, and I tried to be polite. I have the utmost respect for the individuals working in support centers and would never intend to insult or demean them in any way.

Here is the result of this interesting experiment:

Support Tue, 7/9/2013 08:38:44 pm
Thank you for choosing ***********. How may I help you today?

Me Tue, 7/9/2013 08:39:32 pm
Please provide me with an email address of a security team representative to whom I can relay the details of a security vulnerability I have discovered in the ****

Support Tue, 7/9/2013 08:41:20 pm
As I understand, you are asking for the security team representative so that you can address your concern regarding the **** router?

Me Tue, 7/9/2013 08:41:48 pm
almost, I want to report a possibly new security vulnerability in the **** Router

Support Tue, 7/9/2013 08:42:12 pm
May I ask, what do you mean about security vulnerability?

Me Tue, 7/9/2013 08:42:48 pm
you know when you put in and the router asks you for a username and password before you can view all the options in it?
I found a way to get in the router menu's without authenticating via username and password
and I would like to report it to the relevant contact in your company at ***********

Support Tue, 7/9/2013 08:44:46 pm
I see. When you accessed the page with no authentication required, is that your first time to access the setup page then?

Me Tue, 7/9/2013 08:46:44 pm
no, after performing a few specific actions I have access to the setup pages. without those certain actions I would not have access at all

Support Tue, 7/9/2013 08:47:10 pm
What browser did you use to access the ********** setup page?

Me Tue, 7/9/2013 08:47:17 pm

Support Tue, 7/9/2013 08:48:10 pm
I see. I believe the security password has been saved in Chrome's settings, that is why it did not ask for a password the next time you accessed the setup page.

Me Tue, 7/9/2013 08:49:01 pm
I have never set it to save, nor have I ever authenticated to the router. every time I have tried to access the router IP I was prompted for authentication but I never did.

Support Tue, 7/9/2013 08:49:35 pm
Can you try to access the setup page using another computer?

Me Tue, 7/9/2013 08:50:40 pm
yes, I did that. do you have an **** test device online at the moment that I can reach?

Support Tue, 7/9/2013 08:51:11 pm
I do apologize but we do not have that support.

Me Tue, 7/9/2013 08:52:22 pm
what do you suggest?
I do not want support, I want to report a security vulnerability

Support Tue, 7/9/2013 08:53:10 pm
May I ask, when you try to use another computer, did it ask for authentication when you access the ********** setup page?

Me Tue, 7/9/2013 08:53:34 pm
yes it did
do you have 2nd level support?

Support Tue, 7/9/2013 08:54:05 pm
Did it ask authentication again the next time you accessed it?

Me Tue, 7/9/2013 08:54:33 pm
it always asked me for authentication, until I bypassed it with this vulnerability

Support Tue, 7/9/2013 08:55:49 pm
I see. This is actually an isolated case since this is our first time to know this concern.

Me Tue, 7/9/2013 08:56:23 pm
I know, I don't expect you to solve this for me, just start escalating me

Support Tue, 7/9/2013 08:56:42 pm
Let me forward your concern to our management so that they can check and verify your concern.

Me Tue, 7/9/2013 08:56:54 pm
thank you!

Support Tue, 7/9/2013 08:57:12 pm
But as of the moment, we cannot provide the precise solution for your concern.

Me Tue, 7/9/2013 08:57:40 pm
I know, I don't want a solution for it right now, I want to help you guys understand it and fix it

Support Tue, 7/9/2013 08:58:33 pm
We highly acknowledged your side.
May I ask your full name so that I can log this session?

Me Tue, 7/9/2013 08:58:57 pm
thank you I guess
use my email: *********@*****.***

Support Tue, 7/9/2013 08:59:32 pm
Do you have phone number for us to reach you?

Me Tue, 7/9/2013 09:00:38 pm
Let's start with email first, after that we can exchange phone numbers, I tend not to give out personal information on the "first date"

Support Tue, 7/9/2013 09:01:07 pm
I understand.

Me Tue, 7/9/2013 09:01:53 pm
awesome :) so I will expect someone to contact me at my email. thanks for your help ****

Support Tue, 7/9/2013 09:02:23 pm
You are most welcome! Is there anything else that I can assist you with today?

Me Tue, 7/9/2013 09:02:35 pm
nope, that was it :)

Support Tue, 7/9/2013 09:02:45 pm
Alright then. Remember that you are always a valued customer with ***********. Once again, thank you for choosing ***********. Have a wonderful day!

Thursday, May 9, 2013

CVE 2013-3518 - Belkin WeMo Information Exposure

# Title: Belkin WeMo Information Exposure
# Date: 5/9/13
# Author: Mickey Shkatov
# Vendor Homepage:
# Version: Any version prior to
#   US : WeMo_US_2.00.2176.PVT
#   World Wide : WeMo_WW_2.00.2176.PVT
# CVE: CVE-2013-3518

Belkin WeMo devices with firmware prior to WeMo_US_2.00.2176.PVT allow physically proximate attackers to access the file system and extract the private key, public key, trust chain and passphrase used to encrypt Belkin firmware.

Affected products:
 - Belkin WeMo
 - Other: Since the same encryption keys are used for other Belkin products, all those products are susceptible to malicious modification.

Jan 10 2013 - Contacted Belkin support.
Jan 11 2013 - Belkin support replies with request for details.
Jan 11 2013 - Description of vulnerability sent.
Mar 28 2013 - A fix to the Firmware has been published by Belkin.
Apr  7 2013 - Fix confirmed.

Saturday, November 24, 2012

The end of Windows sidebar gadgets

So... after doing the con tour at Black Hat, Defcon, BruCON and BSidesPDX
(which was AWESOME!!! btw)
it is time to summarise it all and share the knowledge. Below are the links and a short description of all the relevant files.

  1. Demo proxy code - Source code for the simple HTTP Python proxy, modified to intercept clear-text JS requests and replace them with a custom payload. Link to the file holding the decoded payloads, which makes it easy to understand quickly.
  2. Demo gadgets - These are not zipped files, they are the actual folders of the gadgets as they appear in the Windows file system. To install a gadget, download it, zip it, rename it to '.gadget' and double-click.
The interesting technical part is located in gadget.html; that's where the code resides.

  • Gmail demo gadget - Gadget that opens a Gmail URL assuming the user never logs out, then uses keyboard shortcuts to send an email to all the user's contacts.
  • Wire transfer demo gadget - Gadget that opens a URL to a demo web page of a banking web site; the assumption here is that the user stores their credentials in the browser, leaving the gadget to simply hit 'Enter' and log in. Look in gadget.html to see the commented source code.
  • Open calc gadget - This one opens the calculator by only sending key strokes to the OS. Take a look in gadget.html for a giggle :)

Tuesday, July 10, 2012

XSS in iPhone iOS

I am going to share my thoughts on an XSS vulnerability I discovered in Apple's iPhone iOS.

Question: What is the "Content-Disposition" header in an HTTP response?
Answer: Simply put, it tells your browser how to handle the content it is receiving, for instance whether to display it or treat it as a downloaded file.
For example: Content-Disposition: attachment;filename="test.html";filename*=UTF-8''test.html
which means the server is telling the client: "Yo! Here is that thing you requested; by the way... it is a file."

Now, Back on topic:

Safari on iPhone iOS will ignore the Content-Disposition header and display the content if it is clicked. To show this in a POC I created a file called:
I emailed it to myself, and when I opened the attachment in my iPhone's Safari, the server told the iPhone that this is a file and not an HTML page, but the Safari app still opened the file as HTML. Here is the picture:

At first I thought this might be a Google bug, but no, Google's servers send this header in the response:
Content-Disposition: attachment; filename="test.pleasedonttouchme"

which means that the receiving application should handle this content as a "pleasedonttouchme" type, but instead it is handling it as if it were HTML.
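To make the header concrete, here is an added parser (my example, not the post's code) that pulls the disposition type and filename out of the two headers quoted above, including the RFC 5987 filename* form; a client that ignores the 'attachment' type renders the file in the serving site's origin, which is the condition the Apple advisory quoted below describes.

```python
import re
from urllib.parse import unquote

# attribute=value pairs; the value is either a quoted-string or a bare token
_PARAM_RE = re.compile(r'\s*([^=;\s]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*(?:;|$)')


def _decode_ext_value(value):
    """Decode an RFC 5987 ext-value such as UTF-8''t%C3%A9st.html."""
    charset, _lang, text = value.split("'", 2)
    return unquote(text, encoding=charset or 'utf-8', errors='strict')


def parse_content_disposition(header):
    """Return (disposition_type, filename, params) for a header value.

    filename* (RFC 5987) takes precedence over filename when both are
    present, matching how modern browsers resolve the two.
    """
    disp, _, rest = header.partition(';')
    params = {}
    for key, val in _PARAM_RE.findall(rest):
        key = key.lower()
        if val.startswith('"') and val.endswith('"'):
            val = re.sub(r'\\(.)', r'\1', val[1:-1])   # unescape quoted-string
        if key.endswith('*'):
            try:
                val = _decode_ext_value(val)
            except (ValueError, LookupError):
                continue   # malformed ext-value: ignore the parameter
        params[key] = val.strip()
    filename = params.get('filename*', params.get('filename'))
    return disp.strip().lower(), filename, params


def is_attachment(header):
    """True when the server asked for the body to be treated as a download."""
    return parse_content_disposition(header)[0] == 'attachment'
```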

But wait!
There is more...

When googling for similar CVEs I found this:
and on that page you can see this interesting piece of data:
Safari
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad
Impact: Opening maliciously crafted files on certain websites may lead to a cross-site scripting attack
Description: iOS did not support the 'attachment' value for the HTTP Content-Disposition header. This header is used by many websites to serve files that were uploaded to the site by a third-party, such as attachments in web-based e-mail applications. Any script in files served with this header value would run as if the file had been served inline, with full access to other resources on the origin server. This issue is addressed by loading attachments in an isolated security origin with no access to resources on other sites.
CVE-2011-3426 : Christian Matthies working with iDefense VCP, Yoshinori Oota from Business Architects Inc working with JP/CERT
OK, cool, this is exactly what I am talking about... but wait... I am using iOS 5.1.1 and this relates to iOS 5... wait... what???
I have verified this on all iOS versions from 4.2.1 up to 5.1.1 (not iOS 6 beta yet).
The end.

Monday, May 7, 2012

Python proxy - Custom reply to requests with pattern in headers

I have been doing some research and needed to reply to certain requests for specific domains in a constant, predictable way. What I normally did was use ZAP or Fiddler to MitM the requests and reply with my own hand-modified responses, but I quickly got tired of the manual Sisyphean work and decided to look for a simple, thin and limber proxy I could modify for my own use.

And so I googled and came across this: Simple python http proxy post by Mitko Haralanov; the post mentions that it is based on Suzuki Hisao's Tiny HTTP Proxy. (I hope I didn't miss anyone; they deserve credit.)
Anyway, as I was saying, I found this piece of Python code and hacked it to deliver specific responses to specific requests.

And then I thought: "Well, I can make this a little bit more generic for others to use."

And so I did :)

Here is the python script:

And here is the config file: Config.xml

How to use:
(It is extremely simple to use, so just run it and you will figure it out.)
- First: edit the config.xml file (it needs to be in the same dir as the .py file). The only thing I need to say is that the response part of the XML is the raw response, so you need to place it there with "\r\n" as needed.

Example XML:
    <attack lookInRequestForThis="" replyWithThis="\r\nKAKA\r\n"/>

What this means is that the proxy will look for the "" string in all of the request headers (if it appears more than once, the first occurrence is the one identified); once found, the proxy will reply with the response given in the "replyWithThis" attribute.

After you have configured the XML, you can run the proxy with the command line below as an example. Note that for performance reasons the XML is loaded when the proxy starts, not per request, so if you want to change the data on the fly you will need to stop and start the proxy.

Command line to run it:
    python -l proxy.log -i -p 2222

Enjoy :)