Blockchain technology


For the last couple of days, I have been trying to read and fully understand blockchain technology. I watched video tutorials, read online articles, and even started reading books on the topic. One of the simplest, yet most valuable papers I read is the following: “Blockchain: Simple Explanation”, written by my colleague and friend O. Mazonka.


Journal of Reference (JR)

The e-print archive service Journal of Reference (JR) is now available.


What is JR and how can I make use of it?

JR is an archive of public documents with the purpose of referencing. It is suitable for standards, constitutions, reports, formal letters, academic papers, contracts and other formal documents. It is not suitable for blog articles which are either a personal opinion, demonstrating no interviews or research, or of casual writing style. The aim of JR is to serve organisations producing public documents which do not have means to publish externally.

All papers should include a brief abstract. Submissions can be of any length and may contain URLs. Authors retain copyright and may republish their material elsewhere. The authors are responsible for the accuracy and thoroughness of the article content and citations.


I’ve been watching you.. a lalala long – Reverse Engineering IP cameras (Part 1)

The Foscam FI9816P is a wireless Internet Protocol (IP) camera commonly employed for surveillance and it can send and receive data via a computer network and the Internet. This particular model costs around $70 USD and can help you, according to Foscam, keep an eye on what matters most (a lalalala long).

There are numerous Foscam models out there with critical security vulnerabilities, so Tasos had the idea to order the new FI9816P model and check if this is the case. The goals of this side project are to understand how IP cameras work, find bugs and exploit them to get internal access, and dump and backdoor the firmware. To achieve all this, the first step is to tear down the camera and look for a serial port. Serial ports are typically used by embedded system developers for debugging and various other technical support purposes. Access to the serial port interface allows us to observe the boot process, access the bootloader, check debug messages, and ultimately interact with the system via a shell.

Identifying the serial headers

Most serial port headers have between 4 and 6 pins (typically 4):

  • Vcc (3.3 V)
  • Ground (GND)
  • Transmit (TXD)
  • Receive (RXD)

Since the UART port is not designed to be used by end users, it almost never has pins or connectors attached. After a quick look at the board of the FI9816P, 3 sets of unused pads catch our attention.



Time to get out the multimeter.

Pad 2 (J6) is unlikely to be the UART console. All 4 pins indicate 0 V (metal shielding is a convenient ground point to use for testing). Pad 3 has half of its pins at ground and half at 5 V. It is also unlikely to be the serial port: the 5 V pins are not steady at 5 V, indicating that none of them is Vcc (also, most Foscam models have 3.3 V as the Vcc pin). On the other hand, pad 1 (J5) has a grounded pin and the other pins at around 3.3 V (time for a short celebration).

In order to verify that pad 1 is the UART port, JTAGulator can help us identify the pinout. JTAGulator is a hardware tool that can assist in identifying on-chip debug interfaces like JTAG and UART. A logic analyzer, an oscilloscope, or even the variations of the multimeter can also help identify the pins.

Once we have connected the JTAGulator to pad 1 (GND to GND, and the other 3 pins to channels 8-10 of the JTAGulator), we set the target system voltage to 3.3 V and issue the :u command to identify the UART pinout.


The JTAGulator permutation results reveal that channel 9 of the JTAGulator is connected to TXD and channel 8 to RXD. Among these results, only the 115200 bits per second baud rate returns 0D, the hexadecimal ASCII representation of Carriage Return (CR).



The 115200 b/s baud rate is also verified with a Python script that attempts to auto-detect the baud rate of an actively transmitting serial port.
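How baud-rate auto-detection of this kind can work, as an added example that is not the script used in the original post: a constructed 8N1 signal is decoded at each candidate rate and scored by how much of it comes out as clean, printable text. The sample rate, candidate list, boot text and function names are assumptions made for the illustration.

```python
SAMPLE_RATE = 921_600   # samples/s of the constructed capture (assumption)
CANDIDATES = [9600, 19200, 38400, 57600, 115200, 230400]
# Constructed boot-log text, not output captured from the camera.
BOOT_TEXT = b"Starting kernel ...\r\nUncompressing Linux... done, booting the kernel.\r\n"

def uart_encode(data, baud):
    """Render bytes as 8N1 line levels (idle high) sampled at SAMPLE_RATE."""
    spb = SAMPLE_RATE // baud                      # samples per bit
    line = [1] * (4 * spb)                         # idle before the first frame
    for byte in data:
        bits = [0] + [(byte >> k) & 1 for k in range(8)] + [1]  # start, LSB first, stop
        for bit in bits:
            line.extend([bit] * spb)
    return line + [1] * (4 * spb)

def uart_decode(line, baud):
    """Decode 8N1 frames at a guessed baud rate; return (bytes, framing_errors)."""
    spb = SAMPLE_RATE / baud
    out, errors, i = bytearray(), 0, 0
    while i + int(9.5 * spb) < len(line):
        if line[i] == 1:                           # idle/stop level: look for a start bit
            i += 1
            continue
        byte = sum(line[i + int((1.5 + k) * spb)] << k for k in range(8))
        i += int(9.5 * spb)                        # middle of the expected stop bit
        if line[i] == 1:
            out.append(byte)
        else:                                      # stop bit low: wrong rate or noise
            errors += 1
            while i < len(line) and line[i] == 0:  # resynchronise on the next high level
                i += 1
    return bytes(out), errors

def score(data, errors):
    """Fraction of frames that decoded cleanly into printable ASCII, CR, LF or TAB."""
    total = len(data) + errors
    good = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return good / total if total else 0.0

def detect_baud(line):
    """Try every candidate rate and return (best_rate, {rate: score})."""
    scores = {baud: score(*uart_decode(line, baud)) for baud in CANDIDATES}
    return max(scores, key=scores.get), scores

if __name__ == "__main__":
    best, scores = detect_baud(uart_encode(BOOT_TEXT, 115200))
    for baud in CANDIDATES:
        print(f"{baud:>7} baud  score {scores[baud]:.2f}")
    print("detected:", best)
```

Wrong rates show up either as framing errors (the stop bit is sampled low) or as bytes with the high bit set, which is why only the true rate reaches a score of 1.0.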

Connecting to serial port


Once we have both the pinout and baudrate, we are ready to start communicating with the device. In contrast with pad 2 and 3, we cannot attach headers to the serial port – pad 1 (J5). Therefore, we need to solder the J5 pinout connection.


To verify the correctness of the soldering we use JTAGulator one more time.



Now that we’ve got the hardware setup ready, it’s time to talk to the device. To achieve that, any UART to USB bridge would do the job. We used the 3.3 V C232HD USB – UART cable. In this part, it is important to connect the TXD and RXD pins of the device to RXD and TXD of the UART – USB bridge respectively.


Serial terminal

We are ready to open a serial terminal on our computer and communicate with the IP camera (any serial communication program would do, e.g. screen, minicom, putty, etc.). The video below presents how UART spits out information during the booting of the device.

Hitting any key during the boot process interrupts the bootloader and gives (presumably) a shell after typing the correct password.


Getting the password

One way to get the password is to disassemble the firmware of the FI9816P camera and check whether the password resides there. Unfortunately, the firmware of this particular camera model is openssl-encrypted.


Next steps

In order to decrypt the file, both the cipher and the password must be known. So, it seems that the firmware path is a dead end.
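Why the file alone does not settle the question, as an added example that is not code from the original post: a password-based `openssl enc` output starts with the 8-byte marker `Salted__` followed by an 8-byte salt, and nothing in that header names the cipher or key derivation. The sample blobs are constructed stand-ins (hash output in place of ciphertext), and the function names are assumptions.

```python
import hashlib
import math
from collections import Counter

MAGIC = b"Salted__"   # prefix written by `openssl enc` when a password is used

def shannon_entropy(data):
    """Entropy in bits per byte (values near 8.0 look like random data)."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def inspect_image(blob):
    """Summarise what the file itself reveals about its encryption."""
    salted = len(blob) >= 16 and blob[:8] == MAGIC
    payload = blob[16:] if salted else blob
    # The header ends after the salt: cipher, mode and KDF are not recorded,
    # so they have to be known from elsewhere, as the post says.
    return {
        "openssl_salted": salted,
        "salt": blob[8:16].hex() if salted else None,
        "payload_len": len(payload),
        "entropy": round(shannon_entropy(payload), 2),
    }

def constructed_samples():
    """Constructed inputs: a fake salted image and a plain-text file."""
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    encrypted = MAGIC + bytes(range(8)) + noise
    plain = b"root:x:0:0:root:/root:/bin/sh\n" * 100
    return encrypted, plain

if __name__ == "__main__":
    for name, blob in zip(("encrypted", "plain"), constructed_samples()):
        print(name, inspect_image(blob))
```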

If anybody has any ideas how to get the password and thus shell access on the device, it would be greatly appreciated. If not, I am sure we will find a way with Tasos.


Math-related jokes


A mathematical tragedy: two parallel lines fall in love.

Q: What’s green and really far away?
A: The lime at infinity.

Q: What’s a polar bear?
A: A rectangular bear after a coordinate transform.

Q: Why did the vector cross the road?
A: It wanted to be normal.

Q: Why shouldn’t you argue with a decimal?
A: Decimals always have a point.

A girl to her mathematician boyfriend:
– Let’s do something that is forbidden tonight.
– Divide by zero?

-How can you distinguish a mathematician from a physicist?
-Ask for an antonym for the word parallel.
-A mathematician will answer perpendicular, and a physicist serial.

Q: Why is 6 afraid of 7?
A: Because 7 8 9

Q: What does the zero say to the eight?
A: Nice belt!

-Some bike thief managed to open my combination lock. How could they possibly guess that the combo was the year of the canonization of Saint Dominic by Pope Gregory IX at Rieti, Italy?
-What year was that?

-Mike, here are 10 chocolates. Give half of them to your brother.
-OK. I’ll give him three chocolates.
-You can’t count?
-I can, but he can’t.

– Do you know a statistics joke?
– Probably, but it’s mean!

A traffic policeman stops a car:
– You’re going 70 in a 35 miles-per-hour zone.
– But there are two of us!

A mathematician’s son:
– Dad, how do I write the number 8?
– That’s easy: rotate the infinity symbol by pi over 2.

Archimedes, Pascal and Newton play hide and seek. Archimedes is the seeker. Pascal hides, but Newton draws a 1-meter square around himself. Archimedes opens his eyes and shouts:
– I see Newton!
– Oh, no! One newton per square meter is the pascal.

There are two types of people: those who know nothing about fractals and those who think that there are two types of people: those who know nothing about fractals and those who think that there are two types people…

A Roman walks into a bar, holds up two fingers, and says, “Five beers, please.”

A poet, a priest, and a mathematician are discussing whether it’s better to have a spouse or a lover.
The poet argues that it’s better to have a lover because love should be free and spontaneous.
The priest argues that it’s better to have a spouse because love should be sanctified by God.
The mathematician says, “I think it’s better to have both. That way, when each of them thinks you’re with the other, you can sit down and do some mathematics.”

– We’ll split the money 50-50.
– I want 70.
– Okay, 70-70!

– If a black cat crosses in front of you and then crosses back, what does it mean? Is your bad luck doubled or canceled?
– Is this a scalar or a vector cat?
– Huh?
– A scalar cat doubles and a vector cat cancels.



[1] Tanya Khovanova’s Math Blog

[2] Zev Chonoles

WSCC 9-Bus System

The WSCC 9-bus test system (also known as the P. M. Anderson 9-bus) represents a simple approximation of the Western System Coordinating Council (WSCC) to an equivalent system with 9 buses and 3 generators. This particular test case also includes 3 two-winding transformers, 6 lines and 3 loads. The base kV levels are 13.8 kV, 16.5 kV, 18 kV, and 230 kV. The single-line diagram of the WSCC 9-bus case is shown below [1]:


The modeling of the bus system has been implemented in various software tools. The files are provided below:

IEEE Common Data Format (CDF Format) [Download]
DigSILENT PowerFactory (v. 14.1) [Download]
ETAP (v. 12.6) [Download]
PowerWorld Simulator (v. 18) [Download]
PSAT/MATLAB [Download]
Siemens PSS/E (v. 33) [Download]
Simulink/MATLAB [Download]


[1] P. M. Anderson and A. A. Fouad, Power System Control and Stability, 2nd ed. New York: IEEE Press, 2003.
[2] The Illinois Center for a Smarter Electric Grid (ICSEG), WSCC 9-Bus System, Power Cases.
[3] Francisco M. Gonzalez-Longatt, “Test Case P.M. Anderson Power System”, Power Systems Test Cases.
[4] ETAP, ETAP 12.6, 2015.
[5] DigSILENT PowerFactory, DigSILENT PowerFactory 14.1, 2015.
[6] Jconto, “Dynamic data for IEEE 9 bus”, PSSE forum.
[7] Ray D. Zimmerman, Carlos E. Murillo-Sánchez et al., “MATPOWER: A MATLAB Power System Simulation Package”.
[8] J. Pettikkattil, “IEEE 9 Bus”, Mathworks Simulink File Exchange Center.
[9] Al-Roomi, Power Flow Test Cases, 9-Bus System (WSCC Test Case).