Realtek eCos SDK SIP ALG buffer overflow

A bug in a Realtek software development kit (SDK) means any third party devices with software that uses the SDK could inherit a vulnerability in their Session Initiation Protocol (SIP) implementations.

Broadcom eCos | Ghidra Loader Release

We're releasing a custom Ghidra loader for Broadcom's ProgramStore firmware format.

Zyxel | Auto-identifying eCos Firmwares Load Address

This is a guest post by cq674350529 on searching (and finding) the correct load address of an eCos firmware image from Zyxel.

Broadcom eCos | Gaining Persistence with Firmware Implants

How to gain persistence with firmware implants on Broadcom eCos.

Broadcom eCos | Building Custom Shellcode

In this article I’ll explain how to craft shellcode that you can deliver as a second stage to a victim eCos device. I’m specifically covering the Broadcom variant of eCos here.

Broadcom eCos | Exploiting Stack Overflows (Netgear CG3700)

Methodology and corresponding techniques that you can use to exploit buffer overflows on the Broadcom variant of eCos.

Broadcom eCos | Firmware Analysis with Ghidra

In this post I’ll share tools, tips, and tricks to help you reverse engineer an eCos firmware image dumped from a Broadcom eCos BFC cable modem. I consider that you have an extracted firmware image with you and the latest version of Ghidra installed.

Broadcom eCos | Reversing the Heap Allocator

Let's reverse Broadcom's custom memory allocator for eCos.

Broadcom eCos | Reversing the OS Memory Layout

Let's go over my methodology to reverse the memory layout used by eCos, and more specifically by the Broadcom variant of eCos.

Broadcom eCos | Reversing Interrupt and Exception Handling

Let's go through the different steps I followed when trying to understand interrupt and exception handling on eCos.

Broadcom eCos | Writing a device profile for bcm2-utils

In this blog post we'll dive into jclehner’s bcm2-utils tools and perform the following steps. : dump an unknown bootloader with bcm2dump, reverse engineer specific sections of the booloader, write a device profile for bcm2dump, dump the NAND flash and extract the eCos firmware, and dump the SPI flash and analyze non-vol settings. From there, we will patch non-vol settings to enable console access, flash it and then adapt the console section of our initial bcm2dump profile.

Welcome to ! aims at documenting in a single place everything related to eCos platform security research.