Thread | Brutkey

today we have (unsuccessfully) woken up and chosen violence^W...

... to try and figure out how to dump the running firmware off of an NXT brick

it appears that this isn't supported using any standard tools ( https://bricks.stackexchange.com/q/16909 )

but we're good at reading between the lines, and there appears to be a trick we can do...

R
@r@glauca.space

pwnage successful!

$console output: >>> testbeep() b'\x02\x03\x00' >>> iomap_w32(CMD_MODULE, CMD_OFF_FNPTR, 0x00200000 + 32*1024) >>> testbeep() b'\x02\x03\xaa' >>> testbeep() b'\x02\x03\xaa'$

R
@r@glauca.space

firmware get!

some text in a terminal, from the NXT version screen. the following timestamp is highlighted:

Mar 3 2006
18:21:03

R
@r@glauca.space

it turns out that there's a """security vulnerability""" allowing for native ARM code execution on the NXT brick

definitely over USB, possibly over bluetooth as well?

of course, the NXT is intentionally hackable and designed to allow you to be able to modify the firmware (it even came with public schematics!), so this isn't actually a big deal

would anybody be interested in a writeup of this?