[BNU] Re: problem when keysoft 9.5 comes out

  • From: Marcus L McCrae <marcusm318@xxxxxxxxx>
  • To: justforlistmessages531@xxxxxxxxx, joseph.lee22590@xxxxxxxxx, braillenote@xxxxxxxxxxxxx
  • Date: Tue, 21 Apr 2015 22:32:29 -0500



So what you're saying is this is not an easy task to perform and no one and or anyone should try this for the risk of messing up their BrailleNote? Do I have this correct?

Marcus L McCrae
Administrator of the Braillenote users forum.
Contact information
Business email: marcus.mccrae@xxxxxxxxxxxxxx
List email: marcusm318@xxxxxxxxx
Personal email: masterchef512@xxxxxxxxx
Emergency contact email: marcusmccrae@xxxxxxxxxxxxx
Jabber or Google-Talk Address: mccrusher685@xxxxxxxxx
skype: marcus.mccrae1
List information.
To subscribe use: braillenote-request@xxxxxxxxxxxxx Put subscribe in the subject.
To get in touch with your list administrators and moderators email braillenote-moderators@xxxxxxxxxxxxx
To post on the Braillenote users forum email: braillenote@xxxxxxxxxxxxx
Thank you.


----- Original Message -----
From: Jessica Brown <justforlistmessages531@xxxxxxxxx>
To: joseph.lee22590@xxxxxxxxx, bn list <braillenote@xxxxxxxxxxxxx>
Date sent: Tue, 21 Apr 2015 19:16:59 -0800
Subject: [BNU] Re: problem when keysoft 9.5 comes out

Yes, I am interested in how CE and KS boot and I can think of
some others on this list who may also be interested.


----- Original Message -----
From: "Joseph Lee" <joseph.lee22590@xxxxxxxxx>
To: "'petras'" <zumbagecko@xxxxxxxxx>, "'rajmund'" <brajmund2000@xxxxxxxxx>, <braillenote@xxxxxxxxxxxxx>
Date sent: Mon, 20 Apr 2015 16:19:57 -0700
Subject: [BNU] Re: problem when keysoft 9.5 comes out

Hi,
That's why Rajmund was suggesting a "workaround" from outside the Apex (in a way, from security point of view, this is more towards data access). Ordinarily, Apex will be locked with a password, but some were saying that there might be a way to delete the password bank file while browsing Apex's file system from a PC (the only way to do that is through ActiveSync/WMDC), and if that cannot be done, then the second to last method is to go through the tedious method of calling HumanWare and installing the HWL file. The last type of attack that is hypothetically possible is called "cold boot attack". Basically, a user would force BrailleNote to stop before KeySoft loads, access the Flash Disk and delete the password bank file. In reality, the chance of this procedure succeeding is quite slim.
This is how it is usually done with reasons why it is possible or may not work (sorry for jargon here; listen carefully):
The idea of the cold boot attack is to steal secure data while computer is being powered on. When you turn off a computer such as BrailleNote Apex, you may think all secure data is wiped from RAM (physical memory) when in fact it is not. The design of computer memory modules, especially RAM is such that memory contents are kept for a little while (up to several seconds), potentially containing both secure and nonsecure data. The goal of the attacker is to power on a computer right after it shuts down, access RAM using a program and read (or dump) the contents of previous data before the computer was turned off.
BrailleNote obeys this rule. As Apex is really a specialized computer, when you reset your unit by pressing the reset button, previous content from RAM is still visible. This may include document you might have been editing, files not saved to disk, password information that were not deleted, possible content from the password bank file and so on. A hypothetical procedure to retrieve or force a BrailleNote to surrender its password is as follows (don't try this at home, as you'll need specialized equipment and knowledge of how machines and operating systems work):
1. While the Apex is unlocked (that is, a correct password is given when KeySoft starts), reset the BrailleNote.
2. Using an external debugger (typically a hardware or from Visual Studio), force Windows CE kernel to stop booting at a point where you can access Flash Disk content.
3. Access Flash Disk content from a host PC and delete the password bank.

Why this procedure may work:
* When you reset your Apex, the Apex goes through the booting procedure similar to your desktop or laptop computer with a twist. This means that, given the correct hardware equipment and programming knowledge, you can halt Apex's booting sequence (how Apex boots and a summary of the bootloader file is the subject of another topic, as it is very technical).
* At some point during the boot sequence, Windows CE will try to access contents of Flash Disk. This is the earliest point where you can force Apex to stop booting (this is right before KeySoft starts).
* Once you take control of Apex, you can then delete a file, and that should unlock your unit unless some security measure is in place.
* A more automated way is to write a program that'll run on Apex that'll force itself to load right before KeySoft loads. However, this cannot be done (you'll see why in a second).

Why this procedure will ultimately fail:
* Windows CE (and in extension, KeySoft) uses a different procedure when booting. Whereas you can choose to boot using a USB thumb drive on your laptop, Apex's Flash ROM is told to boot from KeySoft ROM image first.
* In order to ship a password hijacker, you need to build a custom KeySoft ROM image (in fact, when you "upgrade" your Apex, you are in fact burning the new Windows CE/KeySoft image onto Flash ROM), and in order to build one, you need Microsoft Visual Studio with Windows CE tools installed along with source code for KeySoft (only HumanWare have this).
* One alternative is to hijack a program that KeySoft depends on to also delete password bank file. Again because of the nature of ROM images, it'll not work.

Please do let me know (on and offlist) if you do want me to describe how Windows CE 6/KeySoft boots.
Cheers,
Joseph


-----Original Message-----
From: petras [mailto:zumbagecko@xxxxxxxxx]
Sent: Monday, April 20, 2015 3:55 PM
To: rajmund; joseph.lee22590@xxxxxxxxx; zumbagecko@xxxxxxxxx; braillenote@xxxxxxxxxxxxx
Subject: re: [BNU] Re: problem when keysoft 9.5 comes out

For the password to turn on the BrailleNote, you can't do a flash disk format, until it is unlocked.

----- Original Message -----
From: rajmund <brajmund2000@xxxxxxxxx>
To: joseph.lee22590@xxxxxxxxx, zumbagecko@xxxxxxxxx, braillenote@xxxxxxxxxxxxx
Date sent: Mon, 20 Apr 2015 21:04:19 +0100
Subject: re: [BNU] Re: problem when keysoft 9.5 comes out

Hello All, And Joseph,
Now, I will say no details, but my helpers, in school, cannot use the bn, whatsoever. But especially not computer braille. So for one thing, they can't set a password. Especially if I set a password on the unit beforehand, in computer braille. Then once, (if ever) they get in, we still have a few problems. If, I set the password, I will obviously unlock the thing, whenever I want it to. I think, due to the terminal mode, doing a flash disk format will in fact, be doable. I can see a few workarounds, that could be put into place, but I will not say them, at this point. If my teacher sets up the password, I speed back up speech, and could gather password, and get out. But, after my discovery, here's another thing. Since, I know where login.ini is, and the bn would be connected to a pc, someone could get in a bootable image of NVDA, start it, and the process from then on is smooth. Once I get in, I can refresh ActiveSync, and delete the login. After that, reset bn, and off I go, chat with my friends. This is just an idea for now, but if someone feels adventurous, like yourself, I would really have a go at this. PS. I think, the regular unlock file, would unlock it. Too bad I have never got my hands on one, to play with it, even more.

Sent from the BrailleNote



----- Original Message -----
From: "Joseph Lee" <joseph.lee22590@xxxxxxxxx>
To: <zumbagecko@xxxxxxxxx>, <braillenote@xxxxxxxxxxxxx>
Date sent: Mon, 20 Apr 2015 12:46:32 -0700
Subject: [BNU] Re: problem when keysoft 9.5 comes out

Hi,
This is only my guess, based on Greg's video:
If you set a password (for that's what locks the unit into exam mode), you'll be stuck in braille terminal mode. Even if you reset the unit, it'll be locked into this mode unless we can figure out a flaw to unlock this functionality.
The following are my guesses as to what Apex will do when this mode is engaged:
1. The framework uses the password feature, introduced a few years back. This is evidenced by the fact that exam mode can be engaged just as one would set a password.
2. Once the exam mode password is set, BrailleNote will launch braille terminal mode once you confirm the password and answer yes to confirm changes (does not return you to main menu at all). This suggests that some major refactor has been done on KeySoft.exe source code to enable future scenarios where apps can be locked via a password.
3. Once in exam mode, you cannot exit exam mode unless you type the exam mode password at the exit prompt, akin to unlocking your Apex with a password. The fact that this persists even after a warm reset tells me that a file-based password bank is in use (Rajmund and others found this out a few months back), which means a malicious user could hypothetically gain access to Apex's storage system (Flash Disk) to remove the exam mode password unless ActiveSync lockdown is in place.
I can see some major issues with exam mode:
* What if the student forgot the password? A tedious procedure must be followed to unlock the unit, if it exists.
* There is no time limit feature where exam mode can be disengaged automatically.
* If access to Options Menu is possible and if support information mode can be accessed, this may not stop the student from "forcing" the BrailleNote to surrender the password (Flash Disk Reformat) unless it prompts for a password.
With exam mode in place, I can see a host of possibilities, including locking some features of the BrailleNote with a password, further refactoring of KeySoft.exe source code (written in C++) and so on.
Cheers,
Joseph

-----Original Message-----
From: braillenote-bounce@xxxxxxxxxxxxx
[mailto:braillenote-bounce@xxxxxxxxxxxxx] On Behalf Of petras
Sent: Monday, April 20, 2015 12:31 PM
To: braillenote@xxxxxxxxxxxxx
Subject: [BNU] problem when keysoft 9.5 comes out

Hi, My BrailleNote has been having major issues and exam mode when it comes out will not work properly. I could potentially get out of the test by doing a reset and when it would start it would go to the main menu. That's why exam mode will be no use. What should I do when it comes out?
-------------------------------
BNU: BrailleNote Users - a forum for users of BrailleNote family of products from Humanware.
Website: www.braillenoteusers.info

IMPORTANT: By default, replies will be sent to individuals. If you feel that your reply would be useful for others, please use "reply to all" feature in your email client.

If you wish to unsubscribe from this list, send an email with the subject line of "unsubscribe" to braillenote-request@xxxxxxxxxxxxx.

You can also visit our list page at:
www.freelists.org/list/braillenote
From this page, you can unsubscribe, change email delivery settings and view list archives.

If you have any comments or questions for list moderators, please send an email to braillenote-moderators@xxxxxxxxxxxxx. Thanks.
