Hex Messages when Reverse Engineering

One of the things I did in 2018 was a bit of reverse engineering, the company I worked for had bought a bunch of older hardware which had to be reused, the trouble being?  They had bought the hardware NOT the software.

It look a lot of USB sniffing and signal trapping but eventually I had the device handshake and could see it spew me messages, from these I saw the header format was pretty simple just a pair of bytes and then a length byte followed by whatever the message was.

Interacting with the device stimulated it into sending more messages, so we could start to map physical actions to these USB packet ghosts, eventually we had all the ones we could just prod out of the unit, so it was time to work on more advanced interactions and actually try to tell the device to carry out actions for us.

This immediately met with problems, you see the messages coming out had a counter in the footer, it turned out that if you sent a message you had to use the next number... so receiving messages 1, 2, 3 and then you send 4 and receive 5.  Keeping this in sync was a little bit of black magic, but it soon made sense the unit was serial in operation, you could only talk when it was listening, and it only listened after certain choice messages it sent to you.

This all made sense.... What didn't make sense was a four byte message I saw every few minutes, this frustrated me no end....

10111110111011111101111010101101

I converted these to two into an integer... 3203391149... It didn't ring any bells, but I persisted and was rewarded when I switched it into hex...

BEEF DEAD

This is a common message left in hex in code, as a joke, but it was also apt, the board was not going to talk until a full handshake was given again and the packet series stream started over to order things.  Cute.

I've found other hex strings, but this one was the first on this particular board

Server Admin : Ubuntu 17.04 thinks it's Ubuntu 12.04???

Yeah, I'm serious, I've taken time tonight to look at the release of Ubuntu Server 17.04, specifically to set up a new mini-server which is to be Core 2 Duo powered and on 24/7 as boot strapper & service strapping server itself.

But, before I run I like to walk, so I set up a 2 core, 1GB RAM VMware machine from the 17.04 ISO... Take a look at the first thing it has presented to me....

Yes, just read that again... I booted the server... and the only action I took was to log in... Welcome to 17.04... All good...

What wait?.. Why am I being warned to upgrade my 12.04?  This is 17.04?

Before I ran around like my last vestiges of hair were on fire, I decided to do a simple test, I've previously found that Ubuntu often goes wondering off on the internet for message of the day (motd) information, so I pulled the network card (virtual) out of the machine.

This results in a long boot time, but you at least know no remote files or services are going to be listing things on your screen...

Five minutes later, I get to see what the system says... From experience I think Canonical have shown some news and up to 80 characters of 40 lines of news, I've never seen that much, but it has been a while since I looked at their motd scripts.

After logging in, I still got the message, however, a fresh install (without any network) didn't show the message, so I believe the install we see here cached something from an online source.

Anyway, taking a look in the /etc/update-motd.d folder, you can see a series of numbered scripts, these are so numbered to allow Canonical, or yourself, to add message of the day scripts, and keep them in the order you see them.

Checking "00-header" we see just the usual log in.

Then "10-help-text" is the three lines about documents, management and support.  I actually add "#" to the start of each of those lines to remove that files actions, I don't delete the file though, just in case.

The next line "50-motd-news", this looks to be the culprit... I'm not even going to look inside the file, because I can see the next file in the folder is "90-updates-available" and I can see in the login that the updates available happen after the message I want to be rid of....

So this strange, confusing, message is in "50-motd-news", I'm going to cut to the chase and kill that file.

And now my login is much neater, I have added a call to "ifconfig" into the 10-help-text, but my login is now clean of this strange message.  But I'm not impressed this has gone on, and I'm going to have to take a look through all these other motd scripts to see what and where my server is going off to.... Hmmm.

Development : Phone Link

I wonder around all day with an Android phone in my pocket, however, I can't always answer it... "No Problem" I can hear you cry "leave it to go to answer phone".

However I purposefully have no answer phone, if you can't get a hold of me, you can't get a hold of me, but what I would like is a method of receiving a message which I can digest in my own time, not a voice mail, not a text message, I want to be able to have left my phone at home and still get the information from it that I've had a call....

I'm a developer... I can do this right?!!??!

Well, yes and no, first of all I started with a Java Application which would read the missed calls log and forward it to one of my servers, this worked, but didn't let the person at the other end know I had been made aware of the missed call, it also logged junk mails and just gave me the number.  If I didn't recognise the number I could be left lost.

So, I set about a but of middleware, I had the missed calls log forward to my server every few time it changed, the server then looked up each number on a white list and a black list.  If found on the white list is looked for them in contacts and sends them an automated message that I had received a missed call and to e-mail me...

Fine for contacts.

Last week however I went a step further, if a number is not black listed it looks them up as a contact then if not found it googles for them and looks scrapes the top ten results.  E-mailing the number and these search results to me.

I've today added a series of regular expressions to pattern match any number or name from the results, and if more then two match it flags it as a contact and googles for them, finding an e-mail address is the target... It will go to my various e-mail addresses and alias, looking for previous missives and will send them a mail that way.

The person has to have had a contact with me, this is not blindly spamming people, and I had had to use a POP3 connection to one of my own email providers as Virgin Media stop SendMail from just working... But, so far it's worked.

Today alone I've had nearly eighteen calls, and it's sent about five messages today, since last night (when I started it) it's send just over twenty in total....

I dub this "Phone Link" for Android, and I may very well push it out to the world if I can polish it up a little and not have it so closely bound to my various e-mail services.  What do you all think?