Archive for August, 2004



Hardware problems

Sunday, August 29th, 2004

You may have noticed recently that the nightly builds haven’t updated over the last few days. Unfortunately I’ve lost the network card in the main build machine due to a power failure / spike and it’s not coming back online. Because it’s a rackmount it’s not a simple case of replacing the NIC. I hope to get it back online in the next few days if I can get a replacement.

Reading and Splitting the wma11b ROM

Wednesday, August 18th, 2004

Download a tool to extract and split the wma11b ROM.
A map of the ROM so far appears to be this (hex offsets into the 2 MB image):

00000  Bootloader
0E000  Non-volatile parameters (SSID, WEP key, etc.)
10000  Kernel uncompressor
12990  Kernel (gzip image)
9C000  Filesystem (gzip image)

Download readwma11brom.tar.gz.
Upload readflash to your wma11b and run it from /tmp; it will create a dump of the device’s 2 MB ROM. Transfer the wma11b.rom file to your PC / Linux box and run splitrom (after you’ve compiled it) and it will chuck out all the bits of the ROM I’ve discovered so far.
I’m not brave enough to reflash it yet.
Now in theory we should be able to hack the gzip area after 9C000 to contain a new filesystem, so we can ditch the squishguave image and all the PC-based software entirely.
You can mount the filesystem image after uncompressing it with this command:

$ mount ./ramdisc -o loop /mnt/wma/
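As an added example (not the author’s readflash/splitrom tools), here is a small Python splitter that carves a wma11b.rom dump at the offsets in the map above, decompresses the two gzip images and reports each image’s real compressed length, which is what you need to know before writing a replacement filesystem into its region without overrunning the end. The layout constants follow the post; the sample ROM the script builds is constructed for demonstration, and the decompressed filesystem is the image you would then loop-mount as shown.

```python
import gzip
import zlib

# Layout from the post (hex offsets into the 2 MB dump). Each region runs to the
# start of the next one; the filesystem runs to the end of the ROM.
ROM_SIZE = 2 * 1024 * 1024
LAYOUT = [
    (0x00000, "bootloader"),
    (0x0E000, "nvram"),  # SSID, WEP key etc. sit here in the clear
    (0x10000, "uncompressor"),
    (0x12990, "kernel.gz"),
    (0x9C000, "filesystem.gz"),
]
GZIP_MAGIC = b"\x1f\x8b"

def split_rom(rom: bytes) -> dict:
    """Cut the raw dump into the regions of LAYOUT, keyed by name."""
    if len(rom) != ROM_SIZE:
        raise ValueError(f"expected a {ROM_SIZE}-byte dump, got {len(rom)}")
    ends = [off for off, _ in LAYOUT[1:]] + [ROM_SIZE]
    return {name: rom[start:end] for (start, name), end in zip(LAYOUT, ends)}

def unpack_gzip(region: bytes) -> tuple:
    """Decompress the one gzip member at the start of a region.

    Flash after the image is erased 0xFF padding, which gzip.decompress()
    rejects as a bad second member. A zlib stream object stops at the gzip
    trailer instead and reports the padding as unused_data, so we also learn
    the real compressed length. Returns (decompressed bytes, compressed length).
    """
    if region[:2] != GZIP_MAGIC:
        raise ValueError(f"no gzip magic, found {region[:2].hex()}")
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16 = expect a gzip header
    data = d.decompress(region)
    if not d.eof:
        raise ValueError("gzip stream truncated before its trailer")
    return data, len(region) - len(d.unused_data)

def build_test_rom(kernel: bytes, fs: bytes) -> bytes:
    """Constructed stand-in for wma11b.rom: erased flash plus two gzip images."""
    rom = bytearray(b"\xff" * ROM_SIZE)
    for off, blob in ((0x12990, gzip.compress(kernel)), (0x9C000, gzip.compress(fs))):
        rom[off:off + len(blob)] = blob
    return bytes(rom)

if __name__ == "__main__":
    parts = split_rom(build_test_rom(b"kernel" * 100, b"ramdisc" * 100))
    for name in ("kernel.gz", "filesystem.gz"):
        data, used = unpack_gzip(parts[name])
        print(f"{name}: {used} compressed bytes -> {len(data)} bytes")
```

On a real dump, write the decompressed filesystem bytes to a file and mount it with the loop command above.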

Let me know if you discover any more…
Oh, and if you really really want to play about writing to the flash, email me and I’ll let you know the ioctl commands to erase and unlock the write protect on it. Just let me know you won’t blame me if you can never use it again… ;-p

All of iTunes public keys…

Friday, August 13th, 2004

Well, as has now been well publicised, I was beaten to the punch with the Airport Express public key. There appear to actually be a total of 255 keys in iTunes, but as far as I know only one is used to communicate with the Airport Express.

Anyway, if you’d like to rip all the keys, I’ve uploaded some of the code I used to rip them from itunes.exe and dump them as ASN.1 objects, as they’re stored internally.

Download here.

You’ll probably have to tweak the code a little to point to your location of itunes.exe. And you may want to download dumpasn1 to display the keys.


Oh sneaky little blighters…

Tuesday, August 10th, 2004

Well not really. But if you’ve wondered why you don’t see much in iTunes that relates to remote audio when you try hacking it, it’s because they’ve encrypted little chunks of the code here and there. It’s really easy to hack once you notice this and find the decryption code, and it makes it a lot easier to place your breakpoints.
Here’s an example to decrypt the Apple-Challenge and Apple-Response header lines. Note: this only decodes that text, not the actual content of the challenge and the response.
Has anyone else even looked at the Airport Express and AirTunes yet? The only stuff I can find on the net is very slim, and what there is (cocoadev.org for example) is pretty incorrect in places.

Oooh Oooh Oooh

Monday, August 2nd, 2004

Just a quick note to say I got an Airport Express today. Finally. Took a little mucking about to get it on the network but no problems once I sorted it out.

Well I’ve not done much with it yet apart from the obvious but here’s a little network dump just to give you an idea. It looks like it’s got some heavy encryption going on so this one may be a sucker to crack. Although I’m going to give it a little go…

Also some scanning software reported that ports 53 (DNS), 161 (SNMP), 5000 (the dreaded UPnP) and 10000 (Network Data Management Protocol) are all open. It also reports it’s running NetApp ONTAP 5.3.5r2 as the OS. Interesting, eh?
