Time-Shift: Veritas liberabit vos
The truth shall set you free

Archive for the ‘Projects’ Category

The connection horror or how I hacked my own data

Sunday, November 29th, 2015

A lot of people know the situation: you get a new and fast Internet connection, but your provider is a support nightmare. It hands you a practically black-boxed router that automatically fetches its connection data from the Internet, and you have no chance of ever getting at this data. After all, why would you? Isn’t it much easier this way? Well, let me tell you a little secret the providers don’t like to advertise much: not only do they push the configuration to your new router, they can also change it ANYTIME they want. If you have a regular setup like most people, it looks like this:

Network

(Granted, not everyone has a NAS at home. But they are becoming more and more common as the devices get simpler and the data people want to store (e.g. audio and video) needs to be shared between devices on the network. So for the sake of this article let’s assume the regular user has some kind of network-capable storage. Technically even a smartphone or a wifi-enabled HiFi system is network-attached data storage, but let’s keep it simple.) In the setup shown in the picture above, the router is the only barrier between your data (or the device that holds your data) and the Internet. Suddenly a device you thought just “provides you with Internet access” becomes the only thing between your privacy and total disclosure of your private data to the world! Worse yet: even if you are naive enough to assume your provider will never do you harm, will never be hacked and will never be forced by the government to hand over access to your data, there is hardly a month where security groups on the Internet and at companies don’t find horrific bugs in common router firmware. With the providers being the only ones who can update your router, you have to put total trust in them to do so in a timely manner. Sadly they are usually way behind when it comes to updating the devices. So obviously this is a setup that is not acceptable. A possible solution would look like this:

It’s possible, but it has a few rather bad downsides:

  • You waste power on a device you practically don’t use (the provider router).
  • The provider (or someone who hacked it) can still do things to the outer router, close ports or mess with connections.
  • You still need to use the provider router for the SIP connection because you don’t have the login data for that.
  • Your connection speed might drop from having two firewalls and two NAT layers chained behind each other.
  • In the worst case you can’t open ANY ports towards your network because your provider doesn’t want you to.

It’s obvious that the best solution would be to have your own router (for me this is my Gentoo server) and telephone system (Asterisk in my setup) running, which you can maintain yourself and on which you can implement your own security plan as needed. When I switched my Internet provider this week (for a lot more speed) I had exactly this problem. They just give you a router (FritzBox) and nothing else. For me it was clear from the beginning that I was going to use my own solution, as I have been for the last 4 years. This is the story of how I managed to do just that.

My first idea (which I had before I even had the thing in my hands) was to hack the router right after it had downloaded the configuration from my provider. I knew from articles on the Internet that there was a slim chance of getting a telnet daemon running on the FritzBox and connecting to that. However, once the device was done downloading the data, it became clear pretty fast that this door had been slammed shut by my provider. In fact there was no getting into that router from any angle. It took me the better part of a day to realize that this idea was a dead end.

I needed a new plan… and I had one. I knew from experience that most companies don’t take security that seriously. So I thought to myself: “Why should that router send all the login data encrypted over my DSL line?”. After all, who really has the capabilities to sniff a very-high-frequency modulated signal in a cable that is mostly underground (yes, the government has, but they can just get that data if they want to). Fortunately the FritzBox has a sniffing program integrated for all interfaces, designed for customer-support problems (horrifying, I know, but in that moment: pure gold!). It records all packets sent over a specified interface in the Wireshark format. No sooner said than done, I had a neat amount of PPPoE packets on my hard drive, recorded during the login procedure via DSL. It didn’t take me too long to find the data that I was looking for: 3 different PPPoE connections. One for the Internet line, one for the voice channel and a third one for the TR-069 channel (provider remote access for router configuration)! It was unencrypted, as I had thought, and the passwords and usernames were plaintext. *Place facepalm and happy dance here*

The last thing that was missing was the username and password for the SIP connection to my provider. And here I hit another dead end. While PPP login using unencrypted PAP authentication is not that unusual, the SIP standard prescribes an HTTP Digest challenge-response as the login procedure, so only a hash of the password crosses the wire. Though I could easily get the username (it was unencrypted, of course :-/), it proved impossible to get the password this way (technically it wasn’t impossible, but I would have had to put an immense amount of CPU/GPU time and energy into reverse-calculating that hash back to a password. Considering it turned out to be 8 characters long, that might have taken months, if not more, of a permanently running cracking program). But I was not about to give up that easily. After all, as Jean-Luc Picard once said: “Things are always impossible until they’re not!”. I needed yet another plan.

I remembered that, though I did not know that password, neither did my router when I first unpacked it. I started digging into the TR-069 protocol. And there I found the weak link I was looking for. Although TR-069 uses HTTP as its means of transport, it is recommended to use HTTPS for obvious security reasons. My provider of course did not. When I saw the CPE management URI starting with http:// I knew I was onto the solution. I set my router back to its original state and disconnected the DSL cable. After rebooting the box, I immediately started the sniffer on the Internet line.

At first I was only getting rather useless PPPoE session data (PADI, PADO, PADR, PADS) or chunks of TCP data that weren’t readable. I was already becoming somewhat frustrated when the sniffer hit gold: a series of HTTP packets! I quickly put them together (they were fragmented) and the result looked something like this:

POST /live/CPEManager/CPEs/Auth_Basic/avm/ HTTP/1.1
Host: ***.***.***.***:80
Content-Length: 2776
Content-Type: text/xml; charset="utf-8"
SOAPAction: "cwmp:Inform"

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
<soap:Header>
<cwmp:ID soap:mustUnderstand="1">100</cwmp:ID></soap:Header>
<soap:Body>
<cwmp:Inform>
<DeviceId>
<Manufacturer>AVM</Manufacturer>
<OUI>00040E</OUI>
<ProductClass>FRITZ!Box</ProductClass>
<SerialNumber>************</SerialNumber></DeviceId>
<Event soap-enc:arrayType="cwmp:EventStruct[4]">
<EventStruct>
<EventCode>7 TRANSFER COMPLETE</EventCode>
<CommandKey></CommandKey></EventStruct>
<EventStruct>
<EventCode>M Download</EventCode>
<CommandKey>*************</CommandKey></EventStruct>
<EventStruct>
<EventCode>4 VALUE CHANGE</EventCode>
<CommandKey></CommandKey></EventStruct>
<EventStruct>
<EventCode>1 BOOT</EventCode>
<CommandKey></CommandKey></EventStruct></Event>
<MaxEnvelopes>1</MaxEnvelopes>
<CurrentTime>0001-01-01T00:02:00</CurrentTime>
<RetryCount>1</RetryCount>
<ParameterList soap-enc:arrayType="cwmp:ParameterValueStruct[8]">
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceSummary</Name>
<Value xsi:type="xsd:string">InternetGatewayDevice:1.4[](Baseline:2, EthernetLAN:1, ADSLWAN:1,ADSL2WAN:1, Time:2, IPPing:1, WiFiLAN:2, DeviceAssociation:1), VoiceService:1.0[1](SIPEndpoint:1, Endpoint:1, TAEndpoint:1), StorageService:1.0[1](Baseline:1, FTPServer:1, NetServer:1, HTTPServer:1, UserAccess:1, VolumeConfig:1)</Value></ParameterValueStruct>
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceInfo.HardwareVersion</Name>
<Value xsi:type="xsd:string">*********************</Value></ParameterValueStruct>
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceInfo.SoftwareVersion</Name>
<Value xsi:type="xsd:string">************</Value></ParameterValueStruct>
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceInfo.SpecVersion</Name>
<Value xsi:type="xsd:string">1.0</Value></ParameterValueStruct>
<ParameterValueStruct>
<Name>InternetGatewayDevice.DeviceInfo.ProvisioningCode</Name>
<Value xsi:type="xsd:string">*****</Value></ParameterValueStruct>
<ParameterValueStruct>

….

Of course there was real data in there; I just put the stars in to cover up sensitive information. Somewhere in this chunk of data (apart from all the config data that I already had from my other sniffing attempts) I found two chunks that were like the second coming for me on this day:

<Name>InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.Line.1.SIP.AuthUserName</Name>
<Value xsi:type="xsd:string">*************</Value>

<Name>InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.Line.1.SIP.AuthPassword</Name>
<Value xsi:type="xsd:string">*************</Value>

Bingo! The last puzzle pieces of my odyssey! As a last measure of verification, I flashed my router with a de-branded firmware and entered the data that I had collected in the appropriate interfaces (to make sure that there was no other special stuff in that old firmware that was needed to make the connections). And it worked like a charm. Even though it might not seem like such a big deal to some, for me those two days of hacking to get my own data (after all, I pay for that connection) were quite an experience in themselves. Especially since I was successful! Another win for free choice and against oppression :-P.

And the moral of the story? Thank god most ISPs are too lazy to implement real security. If all those connections had been encrypted, it would have been nearly impossible to get all that data. Crazy and scary at the same time :-P.
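As an added example (not code from the original post), the following Python script parses a cwmp:Inform of the shape shown above and reports which TR-098 parameters carry credentials and whether the ACS URL they were posted to is plain http://, which is the check a defender would run on a capture like this one. The Inform body, the ACS URL and the list of credential-bearing parameter suffixes are constructed or assumed for the example.

```python
"""Audit a captured TR-069 (CWMP) Inform for credentials sent in the clear.

Added example; not code from the original post. SAMPLE_INFORM is a constructed
message that mirrors the structure of the captured Inform, with placeholder
values instead of real ones.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "cwmp": "urn:dslforum-org:cwmp-1-0",
}

# Assumption: leaf names of TR-098 parameters that hold credentials. The two
# SIP ones from the post are covered by "Password"; the others are common
# WLAN credential parameters in the same data model.
SECRET_SUFFIXES = ("Password", "Passphrase", "PreSharedKey", "WEPKey")

# Constructed ACS URL (the post only shows it started with http://).
SAMPLE_ACS_URL = "http://acs.example.invalid:80/live/CPEManager/CPEs/Auth_Basic/avm/"

SAMPLE_INFORM = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
<soap:Body><cwmp:Inform>
<DeviceId><Manufacturer>AVM</Manufacturer><OUI>00040E</OUI>
<ProductClass>FRITZ!Box</ProductClass><SerialNumber>SERIAL-PLACEHOLDER</SerialNumber></DeviceId>
<ParameterList soap-enc:arrayType="cwmp:ParameterValueStruct[3]">
<ParameterValueStruct><Name>InternetGatewayDevice.DeviceInfo.SpecVersion</Name>
<Value xsi:type="xsd:string">1.0</Value></ParameterValueStruct>
<ParameterValueStruct><Name>InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.Line.1.SIP.AuthUserName</Name>
<Value xsi:type="xsd:string">user-placeholder</Value></ParameterValueStruct>
<ParameterValueStruct><Name>InternetGatewayDevice.Services.VoiceService.1.VoiceProfile.1.Line.1.SIP.AuthPassword</Name>
<Value xsi:type="xsd:string">secret-placeholder</Value></ParameterValueStruct>
</ParameterList></cwmp:Inform></soap:Body></soap:Envelope>"""


def inform_parameters(xml_text):
    """Return {name: value} for every ParameterValueStruct in a cwmp:Inform."""
    root = ET.fromstring(xml_text)
    inform = root.find("soap:Body/cwmp:Inform", NS)
    if inform is None:
        raise ValueError("not a cwmp:Inform message")
    params = {}
    # ParameterList and its children are unqualified in the captured message.
    for pvs in inform.iterfind("ParameterList/ParameterValueStruct"):
        params[pvs.findtext("Name")] = pvs.findtext("Value", default="")
    return params


def is_secret_parameter(name):
    """True if the parameter's leaf name denotes a credential."""
    leaf = name.rsplit(".", 1)[-1]
    return any(leaf.endswith(suffix) for suffix in SECRET_SUFFIXES)


def audit_inform(acs_url, xml_text):
    """Report credential parameters in the Inform and whether the ACS URL is
    plain http://. Values are deliberately not included in the result."""
    scheme = urlsplit(acs_url).scheme.lower()
    secrets = sorted(n for n, v in inform_parameters(xml_text).items()
                     if is_secret_parameter(n) and v)
    return {"cleartext_transport": scheme == "http", "secret_parameters": secrets}


if __name__ == "__main__":
    print(audit_inform(SAMPLE_ACS_URL, SAMPLE_INFORM))
```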

Kartuga Gameplay Trailer

Friday, August 17th, 2012

A new snippet of information about Kartuga was made public at GamesCom 2012 yesterday. A fancy gameplay trailer has been released so that people can finally have a glimpse at what the real gameplay in Kartuga will look like. I’d like to mention that all of the footage in this trailer was made using an in-game camera. So all of this is REAL. No part of this trailer is pre-rendered (after all, Kartuga is not Pirate Storm :-P). So… enjoy!

[Video: http://www.time-shift.de/downloads/OfficialKartugaGameplayTrailer.mp4]

If the video loads too slowly for your taste (my server doesn’t have the best connection upload-wise) you can always watch it faster on YouTube.

Kartuga: The board is set. The pieces are moving.

Tuesday, June 5th, 2012

Finally the long-awaited day has come: our game has been made official at the E3 in Los Angeles! So we are allowed to admit its existence now :-P. Not much more, I’m afraid. But I can at least show you some of the screenshots that were made available for press usage. If you want to preregister for the upcoming closed beta, go ahead to http://www.kartuga.com and register. It sure will be worth it. I’m very proud to be part of such a talented team. So spread the news and stay tuned for more info as soon as we’re allowed to talk ;-).

Here is the official press release:

InnoGames presents new Action-MMOG at the E3

06/05/2012

Today, InnoGames presents a first look at its upcoming 3D browser title, Kartuga, at the E3 in Los Angeles. The action-packed MMOG is based on Unity 3D and focuses strongly on cooperative PvP gameplay with several role-playing elements. Hamburg-based Ticking Bomb Games is responsible for the development of the title, which is set to launch in 2012. www.kartuga.com gives players a peek into its stylized fantasy world with screenshots and a feature list.

InnoGames co-founder Eike Klindworth is convinced of the game’s potential and is looking forward to the success of the company’s first joint venture with Ticking Bomb Games: “We are bringing out a high quality product with Kartuga. The game offers multiple PvP modes, intuitive controls, plus detailed and vibrant 3D graphics. This action MMOG is an extremely useful addition to InnoGames’ portfolio.”

The developer also has high expectations for the title: “We have been working hard on this project for some years now, and the results are fantastic. The player completely loses the feeling of playing in a browser with Kartuga – it really stands up to client games,” says Ticking Bomb Games Development Director Tobias Severin.

Kartuga players choose one of three customizable classes of ships to sail through a series of quests and missions. The ingenious battle system, along with a strong focus on cooperative PvP, guarantees long lasting fun.

Bachelor Thesis online

Monday, August 29th, 2011

Since I’ve got my Bachelor diploma, I’ve released my bachelor thesis and the practical solution as binary and source code here. Please be aware that the source code is released under the GPL, but the written thesis may only be used for personal education. If you want to publish my thesis in any way, please contact me first. The thesis deals with displacement mapping in DirectX 11 using hull and domain shaders. It makes use of almost every new DirectX 11 feature (tessellation, compute shaders). If you have any questions concerning my work, please don’t hesitate to contact me or leave a comment. I’ll be happy to explain or help with your work if I can.

Tessellation Demo

Tessellation Demo low tessellation

Tessellation Demo wireframe mode

Tessellation Demo low tessellation wireframe

KWatchman – An Idea given Birth

Tuesday, October 12th, 2010

First of all: thank you everyone for your comments and suggestions. They really got me on the road and showed me that there is indeed enough interest to do some more serious work. So I sat down and did a little planning and even some (small) coding today. Here’s what I’ve got so far:

The project will consist of mainly 3 Parts:

  1. Part one is the kwatchman-service (in what manner I’ll realize this I’m not sure yet). It’s basically just an empty rack to manage and run part 2 (maybe this will even be a daemon so it can run with higher privileges).
  2. Part two is the Plug-ins that can be loaded by kwatchman-service. There will be (for now) 4 kinds of Plug-ins:
    • Sensor Plug-ins (they collect the data from a specific source, e.g. libsensors-plugin, hddtemp-plugin, nvclock-plugin, etc.)
    • Interface Plug-ins (they provide interfaces for all apps that want to access the collected data, e.g. dbus-plugin, network-plugin, nagios-plugin?, etc.)
    • Database Plug-ins (they provide storage for long-term data collection, e.g. mysql-plugin, postgresql-plugin, nepomuk-plugin?, etc.)
    • Alert Plug-ins (they do something in case an alert is issued by crossing some threshold, e.g. knotify-plugin, phonon-plugin, log-plugin, shell-plugin, etc.)

Apart from the database Plug-ins, all Plug-ins can be used or not used at will. So the user can ultimately decide what gets refreshed and which alert is sent if a threshold is crossed. Concerning the Database Plug-ins, I guess it’s much easier if only one is allowed at a time. All other use cases can be handled by Interface Plug-ins (e.g. if you want nepomuk as your db but want to access the data via PHP on a webserver, a PHP-friendly Interface Plug-in would be the solution).

  3. The last part is the GUIs that access the data and configure the Plug-ins via the Interface Plug-ins. Those can be a very wide variety of apps and applets (e.g. native KDE4 apps, plasmoids, KCModules etc.). I’m not completely sure how the initial configuration of the service should be done so that at least the correct Interface Plug-in for your favorite app is activated.

The first implementation will (most likely) contain:

  • The kwatchman-service (whatever it will be)
  • A lm_sensors sensor Plug-in
  • A nepomuk or MySQL database Plug-in (not sure yet)
  • A native (ksensors like) KDE4 app
  • An Interface Plug-in for the native app (maybe via dbus?)
  • A knotify Alert Plug-in

As soon as I’ve got those components in working order I’ll concentrate on more Sensor and Alert Plug-ins. After that, Database Plug-ins will get my attention, and finally I’ll write some more apps and Interface Plug-ins.

As for now I’ve got a (very rudimentary) cmake concept for detecting libs and deciding what gets compiled, a (also rudimentary) file structure for the code and some template for the KDE4 App.

So, now to it: what do you think about THAT concept? Crazy? Too big? Super? If you have any supplementary suggestions for the concept, don’t hesitate to comment!

The King is dead, long live the king!

Monday, October 11th, 2010

Have you ever wondered what became of KSensors? I did. Many times. Well, the sad but inevitable fact is: it’s dead :-(. And as far as I can tell there are no real successors standing on the doorstep. All the sensor apps available for KDE4 are hardly replacements. Most of them are plasmoids and I’d rather consider them toys than the real deal. Because of this I decided to bring in KWatchman (hope the name isn’t taken; couldn’t find anything though). Essentially KWatchman aims to be a full replacement for KSensors: showing sensor data on a dashboard, in the KDE4 system tray, and ringing “the bell” if something is wrong. As of now the only things that exist for this project are the idea, an (empty) git repository (http://gitorious.org/watchman) and a (mostly empty) IRC channel (#kwatchman @ freenode). Before I begin writing any code, however, I’d like to ask YOU about this ;-). So: what do you think about this idea and, more importantly, what do you think should be changed / made better compared to KSensors? As this will not be a fork of KSensors but a complete rewrite, I’d like to hear any idea about this. Just drop me an e-mail, write me in IRC or post a comment to this blog entry. I’m happy about any comment. Thx.

Are we there yet?

Thursday, August 12th, 2010

What I hear a lot from users lately when I’m talking about my current projects for Amarok: “Are we there yet?”. I’m mainly working on three things at the moment: a spectrum analyzer applet, a visualization applet and song fingerprinting. Today I’m happy to say that for at least one of these projects (and maybe even a second one) the answer is: “YES we are!”. I’ve just pushed my last changes to my spectrum analyzer applet. Sadly it won’t go into trunk as of now because bugs in the xine and vlc backends are preventing it from working correctly. If you want to try it out anyhow, have a look at my gitorious repository (be warned! The applet currently only shows data if you are using the xine backend, and with that you WILL get crashes as soon as you stop or end the current song in any way!). The second project I might give a positive report about is my fingerprinting code. It works. It suffers from the same problems as the analyzer though (using the xine backend will crash, using vlc will give no data). If you’re feeling adventurous you can also find this code in my repository. If you find any bugs or stuff that bothers you (or just want to say how you like it), don’t hesitate to contact me. As a little appetizer I’ve made some nice pictures of the analyzer (this time with real music input):

Amarok Spectrum Analyzer

Friday, April 9th, 2010

I’m currently working on a spectrum analyzer applet for Amarok. The applet will benefit from the OpenGL applet template I made a few days ago (see this post). This way it will also have all the nice functionality the template has (like switching between fullscreen, windowed and widget mode). I’ve already made some nice pictures with fake audio data (since the real audio data is currently hard to get via Phonon). Enjoy!

Plasma Applets and OpenGL

Friday, April 9th, 2010

I lately tried to implement a Plasma Amarok applet that has an OpenGL widget inside of it. One would think this is a rather easy task since all this new and fancy KDE Plasma stuff smells a lot like OpenGL. Sadly, not by a long shot. Implementing an OpenGL Plasma widget normally works this way: create a widget, set the viewport of the graphics view to a new QGLWidget and you’ve got it. This approach has 2 downsides though. First of all, if your viewport is a QGLWidget, all your drawing will be rendered via OpenGL. And not only in this applet but in all applets that share this viewport. One might think this is no problem. But OpenGL handles a lot of stuff quite differently than the Qt implementations of the graphics objects. For starters, colors. The same color values won’t give you the same output if one is rendered by OpenGL and the other by Qt. So you get strange colors all over the place (and not only in this particular applet but in all the others, because all Amarok applets share one viewport). The second problem with this approach is that it makes rendering non-OpenGL stuff and OpenGL stuff at the same time quite hard. You’ve got to watch out for what you’re painting when and in what order, and a lot of OpenGL functionality will have to be left untouched because it would mess with your non-OpenGL windows etc. As you might have guessed, this was not an acceptable solution. All other approaches I tried (render into the QGLWidget and grab the framebuffer from there, for example) ended in either an empty widget or a separate window for my OpenGL stuff. Googling my ass off and tyrannizing a lot of nice people on IRC finally got me the “right” answer to my problem: I had to render all the OpenGL stuff into a QGLPixelBuffer and then paint this buffer onto the widget together with all the other graphics objects. Insane? Definitely! But it works like a charm. And you know what? It’s quite fast and reliable.
I even got it to paint either to a separate window, the widget or even fullscreen just by clicking a button. Looks like we’re living in an insane world after all :-P.