MITRE eCTF: The Ohio State University Attacking University of Massachusetts Amherst
Bug
Protected firmware and configuration are stored in chunks (~1 KB), each of which is individually authenticated and encrypted. While the chunks have an authenticated index that ensures correct ordering, nothing ties a chunk to the file it belongs to, so we can swap chunks between two different protected files as long as they have the same index.
Firmware Rollback
The first chunk of the protected firmware contains the release message and version number. To boot fw_v1, we can replace the first chunk of fw_v1 with the first chunk of fw_v2. The bootloader verifies this and boots it, giving us the flag.
Flight Abort
To get a flight abort, we need the device to boot with a corrupted configuration. Both cfg1 and cfg2 are protected properly so their chunks will be accepted by the device, but their contents are different. Thus we can replace a chunk in cfg1 with a chunk from cfg2 of the same size and the resulting content which gets stored on the device will form a corrupted configuration. Running an aircraft simulation with the device in this state gives us the abort flag.
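As an added example (not part of the original write-up and not either team's code), the sketch below contrasts a per-chunk tag that covers only the chunk index with one that also covers a random per-file identifier and the chunk count, which is the binding whose absence the bug section describes. The HMAC construction, field layout and all function names are assumptions, the key and sample data are constructed, and encryption is omitted.

```python
import hashlib
import hmac
import os
import struct

KEY = os.urandom(32)  # constructed demo key; a real device would hold a provisioned secret

def _tag(header, data):
    # Header fields are fixed-length, so header + data is an unambiguous encoding.
    return hmac.new(KEY, header + data, hashlib.sha256).digest()

def _header(file_id, total, index, bind_file):
    if bind_file:
        # Hardened: the tag also covers a per-file identifier and the chunk count.
        return file_id + struct.pack(">II", total, index)
    return struct.pack(">I", index)  # Weak: the tag covers the index only.

def protect(chunks, bind_file):
    """Authenticate each chunk (encryption omitted; only the binding matters here)."""
    file_id = os.urandom(16)  # random per protected file, stored in the clear
    tagged = [(d, _tag(_header(file_id, len(chunks), i, bind_file), d))
              for i, d in enumerate(chunks)]
    return {"file_id": file_id, "chunks": tagged}

def verify(protected, bind_file):
    fid, chunks = protected["file_id"], protected["chunks"]
    return all(
        hmac.compare_digest(tag, _tag(_header(fid, len(chunks), i, bind_file), d))
        for i, (d, tag) in enumerate(chunks)
    )

def spliced(target, donor, index):
    """Tamper test case: target with one chunk taken from donor at the same index."""
    chunks = list(target["chunks"])
    chunks[index] = donor["chunks"][index]
    return {"file_id": target["file_id"], "chunks": chunks}

def demo():
    fw_v1 = [b"release message, version 1", b"v1 code"]  # constructed sample data
    fw_v2 = [b"release message, version 2", b"v2 code"]
    out = {}
    for bind in (False, True):
        p1, p2 = protect(fw_v1, bind), protect(fw_v2, bind)
        out[bind] = (verify(p1, bind), verify(spliced(p1, p2, 0), bind))
    return out  # (untampered accepted, spliced accepted) per scheme
```

Binding chunks to a file identifier rejects cross-file splicing; replaying an entire older protected file is a separate problem that still needs its own version check.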