Didier Stevens » Hardware

Quickpost: CCTV Over UTP

Didier Stevens — Mon, 22 Aug 2011 00:04:13 +0000

I knew it was possible to transmit a composite video signal over UTP, but I always assumed that this was a kludge: that the preferred way was to use RG59 cable.

But recently I discovered that UTP cabling is often used in professional CCTV installations, because it offers the same benefits of structured cabling (like standardization and cost reduction).

To send the video signal over UTP, you need video baluns (one at each end of the pair). It is not transmitted via Ethernet, but the video signal is transformed to be send over a pair. Since CAT5 cable has 4 pairs, you can send 4 video signals over 1 cable. That’s what I’ve done at home, to limit the number of cables I had to install.

You can also use some pairs in the CAT cable to provide power to the CCTV camera (typically 12V) or to transmit audio (when you add a microphone to your CCTV camera). Video baluns are passive components, they don’t need power to operate. I’ve used baluns to cover distances of about 30m, and I don’t notice a difference in the quality of the video signal (compared to a video signal transmitted over RG59 cable).
Most baluns advertise distances of several hundred meters.

I was also able to transmit a video signal without noticeable quality degradation over an untwisted pair of 10m.

Quickpost info

My Home Surveillance System: Some Details

Didier Stevens — Fri, 05 Aug 2011 11:02:27 +0000

I use Phidgets USB interfaces and sensors for my home surveillance system. For the moment, my home surveillance system consists of Python programs running on a PC, but once I’m past the experimental phase, I will migrate this to a dedicated controller.
I particularly like the PIR motion sensor Phidget, because it gives you an analogue output. When there’s no movement, the output will be around 500. With movement, the output value will oscillate around 500, with larger amplitudes for larger movements.This allows me to differentiate between small and large movements, and to eliminate false positives which are only of a short duration. If you have to run wires for many meters to connect your analogue sensors to the interface module, I recommend you use shielded wires and connect the shield to the ground of the interface module. This allowed me to eliminate noise I had on the readings.

Another plus is that the sensors are powered by the interface module. So if you power the PC (or micro-controller) with a UPS, your home surveillance system will also operate when there’s a power cut.

To take pictures when an event occurs (like ringing the doorbell), I use an IP camera. Take a look at my vs.py program to see how that’s done.

My Home Surveillance System

Didier Stevens — Fri, 29 Jul 2011 10:21:06 +0000

Aside from having installed my own Home Automation and CCTV system, I also designed and installed a surveillance system at home. This post will discuss some of the design decisions I took. Some of them are different from more conventional alarm systems.

The surveillance system has many sensors in and around the house (passive infrared (PIR) sensors, reed switches, temperature sensors, …) and can take several actions, like starting sirens, turning on lights, sending text messages, making phone calls, taking pictures, … Which actions are taken depend on the alert level that was set.

First design decision : this system is designed to deter common burglars, not burglars with inside knowledge of the system.

Second design decision is that the system will log all events coming from sensors, regardless of triggering an alarm.

Third design decision is that there is no alarm delay: if a sensor triggers that would cause the alarm to sound, then the alert sounds immediately. There is no delay or pre-alarm phase. I believe an immediate alarm has a greater deterrent effect. With this design, it’s best to avoid false-positives as much as possible.

Fourth design decision : use analogue PIR detectors, not binary PIR detectors. A classic (binary) PIR detector will just tell you that movement occurred. With an analogue PIR detector, you get the amplitude and duration of the movement, which is useful information to weed out false alarms, or ignore movement from small pets.

Now on to some interesting or unusual use cases.

I have a sensor on the doorbell too. When someone rings the doorbell, the event is logged and the system takes pictures of the front door. I’ve seen some interesting events since this doorbell sensor was installed. For example, I expected a package to be delivered after 18:00. The sender had instructed our national courier company to deliver the package after 18:00. You can probably guess they didn’t follow the instructions. I have evidence they attempted to deliver well before 18:00, and what’s even worse, they left a note saying they had passed around 18:15…

Like modern, commercial alarm systems, I have several alarm zones. For example, I can set the alarm level for when we go to bed. In this mode, the alarm will go off if there is movement inside the house, except in the bedroom and nearby rooms/hall. But come morning, you have to remember to switch off the alarm before you leave the bedroom.
Not with my system. If my system detects movement in the protected zone, and if there has been movement in the bedroom zone just before, it will disable the alarm in stead of sounding the alarm. So no false-alarms triggered in my house by sleepy-heads.

Outside lights that switch on when movement is detected are supposed to deter burglars, but they are so common that I believe the deterrent effect is negligible. My system turns on some lights inside the house when it detects movement outside while it is dark and there is no movement inside. I believe this has a much greater deterrent effect, because it’s so uncommon. And it will also take pictures. I now have a large picture collection of neighborhood cats in my back garden

I’ve recently installed wireless interconnected smoke alarms. I will connect one smoke alarm to my home surveillance system, so that my system is aware when smoke alarms trigger and can act appropriately.

Testing all these functions is fun. I’m ” testing in production “, you can imagine that I don’t have a second home that I can use as a test system.
So sometime you can see me run around the house like a madman, but I’m just testing a new feature I programmed…

Quickpost: Blocking and Detecting a Teensy Dropper

Didier Stevens — Thu, 14 Jul 2011 09:58:16 +0000

A Teensy dropper presents itself as a keyboard (HID) to a PC and this is how it can be used to drop files even if you don’t allow removable drives.

You can prevent the installation of new HIDs, but this is an issue when you need to replace keyboards or mice. Irongeek has a good write-up.

Connected HIDs leave forensics traces in the registry, take a look under key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\

Connecting a Teensy leaves these entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_16c0&Pid_0482\6&31417f27&0&3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_16c0&Pid_0482&MI_00\7&becc88c&0&0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_16c0&Pid_0482&MI_01\7&becc88c&0&0001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_16c0&Pid_0482&MI_02\7&becc88c&0&0002

Quickpost info

Teensy PDF Dropper Part 1

Didier Stevens — Wed, 13 Jul 2011 21:40:52 +0000

Pentesters need to drop files on targets. If a box is not connected to the Internet, and doesn’t accept removable storage, they need to come up with some tricks.

Inputting the file via the keyboard is an option, but typing several millions of bytes is not. This needs automation.

Irongeek uses a Teensy micro-controller to achieve this. My solution is a variation on this. If you need to drop a binary file, you need to find a way to convert the typed ASCII to bytes. There’s a solution with a debugger, but I’m using a PDF Reader.

It’s possible to create a pure ASCII PDF file that embeds a binary file. Here are the steps to drop a binary file:

open Notepad,
insert the Teensy and let it type the ASCII PDF file into Notepad
save the PDF file
open it with a PDF Reader and save the embedded binary file

Writing a program with the Arduino IDE to type an ASCII PDF file is not difficult:

But with the Arduino IDE, your embedded file is limited to a couple of kilobytes. Handling larger files will be described in part 2 of this post.

Integrating My CCTV DVR And Alarm System

Didier Stevens — Thu, 30 Jun 2011 20:49:40 +0000

I’ve designed and installed my own home automation system: it allows me to control lights and appliances, and monitor activity and environmental parameters at home.

I also have a CCTV DVR with a couple of cameras around the house.

Until now, these 2 systems were not linked. If a PIR sensor detected movement in the garden and later I wanted to see what caused the movement, I had to write down the timestamp and then rewind the DVR around the time the movement was detected. Not anymore. My CCTV DVR has an external IO connector, and now events detected by my alarm system are logged on my DVR. I just have to click on an event on my DVR and the video starts to play.

The problem I faced to achieve this integration, was the lack of documentation. There was no pinout of the external IO connector, not in the manual and not online. So I had to reverse engineer it.

My CCTV DVR is a DVR4L5 sold by Velleman, and is actually produced by AVTECH in Taiwan. The external IO connector is a 9 pin DSUB connector. I can use it to send 4 different alarms to the DVR. But for this to work, the alarm has first to be configured on the DVR:

Set the channel for which you want the alarm to register to N.C. This means Normally Closed, which is counter-intuitive, because I’m using a Normally Open alarm. When I now close the circuit between pin 1 and pin 5 of the external IO connector, an alarm event gets logged and the DVR’s buzzer alerts me. Since I don’t need that buzzer to alert me, I disable it:

Here is an example of alarm events logged by the CCTV DVR:

The DVR can also send alerts to the alarm system. It does this by closing the circuit between pins 6 and 7. For example when it detects movement filmed by one of the cameras. But from experience I know you get a lot of false positives from this motion detection. For example when a cloud moves in front of the sun, the sudden shadow can trigger the simple motion detection algorithm of the DVR. A more useful alert to send to the alarm system is the loss of video signal. The DVR can be configured to sound the alarm when it loses a video signal from one of the cameras. For example when someone tampers with your camera.

Some weeks after I reversed the pinout, I received a reply from AVTECH that confirmed my findings. I’m including it here:

FUNCTION

DESCRIPTION

1~4

ALARM INPUT

Connect ALARM INPUT (PIN1 – 4) and GND (PIN5) connector with wires. Once an alarm is triggered, the DVR will start recording and the buzzer will be on.

PIN	Alarm	Corresponding video channel
PIN 1	1	CH1
PIN 2	2	CH2
PIN 3	3	CH3
PIN 4	4	CH4

GND

GROUND

EXTERNAL ALARM COM

Under the normal operation, COM disconnects with NO. But when any alarm is triggered, COM connects with NO.
Attention: The voltage restriction is under DC24V 1A.

EXTERNAL ALARM NO

Under the normal operation, COM disconnects with NO. But when any alarm is triggered, COM connects with NO.
Attention: The voltage restriction is under DC24V 1A.

RS485-A

RS485-B

10~11

GND

GROUND

Update: vs.py

Didier Stevens — Mon, 06 Jun 2011 18:46:23 +0000

I’ve updated my Python program to take surveillance pictures from IP-cameras. This updated version is multi-threaded. For each picture to retrieve, you can specify a thread.

Each line in vs.config requires a 4th parameter now, the name of the thread:

Hall.jpg    http://192.168.1.1/IMAGE.JPG    -    Thread1

This name can be anything. If you use the same name for different pictures, then these pictures will be retrieved sequentially by this thread.

vs_v0_4.zip (https)

MD5: A2AFAD9E581798F1D986A0AE9DF64577

SHA256: C3AC4892A71DF79E3BA87714CB6323D157C7E74C838EDE81013C96DD4EAD0238

LockIfNotHot

Didier Stevens — Wed, 06 Apr 2011 08:34:39 +0000

When Phidget came out with this new IR temperature sensor, a lightbulb went off. This sensor measures temperature without contact. Point it to the chair in front of your computer, and it will measure your body temperature. Or the temperature of your chair, if you’re not sitting in front of your computer.

And that’s the idea: I wrote a program that locks your Windows workstation when you leave your chair (e.g. when the temperature drops).

In this screenshot, LockIfNotHot is configured to lock the workstation when the temperature drops below 25°C during 3 seconds and there is no user input during 2 seconds.

Once the workstation is locked, you need to provide your Windows account password to unlock it.

Download:

LockIfNotHot_V0_0_1.zip (https)

MD5: 188BE76E0A5BCCA26A8736F8F0C4061C

SHA256: CA915265D3B224DF3AA95E5C59B7C0E7EDF239DF50FC1C03F2C991A8B1800AD2

Detecting EICAR With a .NET Micro-controller

Didier Stevens — Wed, 30 Dec 2009 22:07:51 +0000

I’ve been playing with a .NET Micro Framework micro-controller: the USBizi. A few of its interesting characteristics are that you program it in C# with Visual Studio and that in-circuit debugging (including single-stepping) is supported.

The .NET Micro Framework has no assemblies to support USB in host mode (only guest mode), but the USBizi comes with assemblies for host mode providing support for removable drives like USB sticks. To illustrate this feature, I wrote a program to scan the files on a USB stick for the EICAR test file and replace the content with a message appropriate for the time of the year.

Some ideas I’ve for this device: program it as a hardware keylogger, a hardware password vault, …

using System.Threading;
using System;
using System.IO;
using Microsoft.SPOT.Hardware;
using Microsoft.SPOT;
using Microsoft.SPOT.IO;
using GHIElectronics.System.SystemDevices;
using GHIElectronics.System;
using GHIElectronics.System.IO;
using GHIElectronics.Hardware;

namespace USBiziEICARDetector
{
    public class Program
    {
        static string sEICAR = @"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";

        static void Main()
        {
            Boolean bFoundEicar;
            Debug.Print("Starting...");
            while (true)
            {
                // must start system first, no event is associated
                SystemManager.Start(null);
                // wait till we have a device
                while (SystemManager.GetDevices().Length == 0)
                    Thread.Sleep(500);
                // get a list of devices
                Device[] devices = SystemManager.GetDevices();
                // look for a device
                foreach (Device device in devices)
                {
                    // this loop will run once for every device
                    if (device.deviceType == DeviceType.Drive)
                    {
                        try
                        {
                            // USB drive is inserted
                            // Create a new storage device
                            PersistentStorage PS = new PersistentStorage(device.deviceID);
                            // now everything works just like on SD cards....
                            // Mount the file system
                            PS.MountFileSystem();
                            // Assume one storage device is available, access it through NETMF
                            string rootDirectory = VolumeInfo.GetVolumes()[0].RootDirectory;
                            bFoundEicar = false;
                            string[] files = Directory.GetFiles(rootDirectory);
                            Debug.Print("Files on root of USB drive...");
                            foreach (string file in files)
                            {
                                Debug.Print(file);
                                Boolean bFileIsEICAR = false;
                                FileStream fs = File.OpenRead(file);
                                Debug.Print(fs.Length.ToString());
                                if (fs.Length == sEICAR.Length)
                                {
                                    char[] acEICAR = sEICAR.ToCharArray();
                                    for (int iIter = 0; iIter < sEICAR.Length; iIter++)
                                    {
                                        int iByte = fs.ReadByte();
                                        if (acEICAR[iIter] != iByte)
                                            break;
                                        if (iIter == sEICAR.Length - 1)
                                        {
                                            bFoundEicar = true;
                                            bFileIsEICAR = true;
                                        }
                                    }
                                }
                                fs.Close();
                                if (bFileIsEICAR)
                                {
                                    byte[] abHappyNewYear2010 = {
                                        0x0D, 0x0A, 0x0D, 0x0A, 0x0D, 0x0A, 0x20, 0x58, 0x58, 0x58, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20,
                                        0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x0D, 0x0A, 0x20,
                                        0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x20, 0x20,
                                        0x20, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x58, 0x58, 0x58, 0x20, 0x58, 0x58, 0x58,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x58,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20,
                                        0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20,
                                        0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58,
                                        0x0D, 0x0A, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20,
                                        0x20, 0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20,
                                        0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20,
                                        0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20,
                                        0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x58, 0x20,
                                        0x20, 0x20, 0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x58, 0x20,
                                        0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20,
                                        0x20, 0x20, 0x58, 0x0D, 0x0A, 0x20, 0x58, 0x58, 0x58, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x20, 0x58, 0x20, 0x20, 0x58,
                                        0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58,
                                        0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x0D, 0x0A, 0x0D, 0x0A};

                                    File.WriteAllBytes(file, abHappyNewYear2010);
                                    Debug.Print("EICAR found!");
                                }
                            }
                            Debug.Print("... end of list!");
                            // if we need to unmount
                            Thread.Sleep(500);
                            PS.UnmountFileSystem();
                            Thread.Sleep(500);
                            PS.Remove();
                            OutputPort LED = new OutputPort(USBizi.Pins.E2x, false);
                            if (bFoundEicar)
                            {
                                Debug.Print("bFoundEicar = true");
                                BlinkXTimes(LED, 4, 300);
                            }
                            else
                            {
                                Debug.Print("bFoundEicar = false");
                                BlinkXTimes(LED, 2, 300);
                            }
                        }
                        catch (Exception e)
                        {
                            Debug.Print("Exception:");
                            Debug.Print(e.Message);
                        }
                    }
                }
                Thread.Sleep(500);
                SystemManager.Reboot(SystemManager.RebootMode.Normal);
            }
        }

        public static void BlinkXTimes(OutputPort LED, int times, int milliseconds)
        {
            for (int i = 0; i < times; i++)
            {
                LED.Write(true);
                Thread.Sleep(milliseconds);
                LED.Write(false);
                Thread.Sleep(milliseconds);
            }
        }
    }
}

Quickpost: Read-Only USB Stick

Didier Stevens — Sun, 20 Dec 2009 20:52:33 +0000

When someone asks me for a read-only USB stick, I recommend to use an SD card with a SD-to-USB adapter, because these are easier to find than USB sticks with write-protection. Most SD cards have a write-protection tab.

But last time I got a surprise: when testing a new SD card reader, I was able to write to the write-protected SD card. Turns out that this particular SD card reader doesn’t support the write-protection tab and always allows the OS to write to the SD card.

Quickpost info