Hi, I have just downloaded the FCCU Linux boot CD, and want to test out the 1394memimage tool from MetlStorm to acquire a target host's memory through the FireWire bus. However, the documentation seems to be corrupt; I cannot access it. If anybody has used this tool before I would greatly appreciate it if you could tell me how to use it.
Thanks
hi brown_a
Have you tried Metlstorm's website? There's a link in there to a PDF file which gives background info on 1394, the tool itself, and demo screenshots (command line).
kern
No, I haven't tried that, will do now. Thanks kern.
I'm not sure if I have found the correct PDF, as the link appears to be dead. Is the PDF you mentioned the presentation he gave, "Hit By A Bus: Physical Access Attacks With Firewire", at Ruxcon 2006, found on this page http//
Yep, that's the one. I grabbed the PDF file outside of the browser (wget under Linux), as the link didn't want to work for me either. I just assumed Firefox wasn't happy with the link. Let me know if you still have trouble, and we can maybe work out an alternate means of getting you the file.
cheers
Kern
Thanks kern, I got the PDF. I am however a little confused about some of the steps taken in the demo. Particularly the line
"romtool -o 0 0 omgipod.csr"
I am, I'm afraid, learning about FireWire as I go along, and am not sure what the ROM image file that he references is, or how he produced the 'omgipod.csr' file. If anybody could help me out with these issues I would greatly appreciate it.
The recently released Helix 1.9 disk now also has Adam's tool on it.
The steps are reasonably straightforward.
1. Confirm that the appropriate FireWire modules are loaded, then run the businfo tool.
2. Use romtool to load the CSR image of the iPod: "romtool -s 0 ipod.csr" (assuming that you are using port 0 for the cable connection).
3. Plug the cable into your target, then use businfo to query the FireWire information to enumerate the target's node number.
4. Use the 1394image tool to acquire the target's memory, e.g. "1394image 0 1 suspect.mem -512M"; this will acquire the first 512MB of memory from port 0, node 1.
Adam provides the iPod CSR in his tarball; you can also "snarf" a CSR from another device using the -g (get) switch with romtool.
I wrote a small guide on how to use his tools sometime ago with various distros.
Excellent guide!
A numpty question…
With this method, is it only possible to use an iPod, or is it possible to connect a device such as a laptop via FireWire?
The tool works from a computer, but you can "snarf" another FireWire device's CSR. Ideally you should use a CSR from a FireWire storage device, e.g. LaCie. I have used a CSR from an external FireWire hard drive without problems.
Just checked out this CD and I'm very impressed with its functionality and tools.
Just wondering how forensically sound it is, and whether it auto-mounts any attached hard drives?
Ronan