A couple of months ago, I spent some time fiddling around my ISP-provided residential gateway. This gateway is actually not just a gateway. It’s more like a mix between a set-top Box and a gateway. Additionally, to access the Internet, the end-user can also use it to watch TV through the HDMI output of the device.

I actually went quite far, and I’ve found a couple of interesting things.

This post won’t go through all of my findings. Instead, I’ll focus on the most “unusual”, educational and interesting one. I’ve indeed found a rather creative way of bypassing (under certain conditions) the WPA2 protection of the gateway’s hotspot. This will involve reverse-engineering, electronics, desoldering things, microcontrollers, and even Software Defined Radio.

Finding and exploiting this flaw allowed me to write a bunch of general purpose tools and even to contribute to the radare2 project. I’m releasing my code along with this article. Hopefully, someone may find it useful.

I received the Aura, a device advertised as a “Connected Alarm Clock”. This device in itself is quite cool and uses different sounds and color patterns to help the user fall asleep and wake him up during light stages of his sleep cycles.

Soon I was interested in doing some reverse engineering on it because:

• It was fun.
• I wanted to really own the device, I wanted to be able to run my own code on it.

This article describes my journey into the Aura, from firmware image grabbing to remote buffer overflow exploitation.