A while ago, I picked up a Sportstech S-Walk treadmill — a compact walking pad with built-in Bluetooth support. Naturally, I wanted to get more out of it than the default app experience and the default app just sucked big time. So I started digging into the treadmill’s BLE (Bluetooth Low Energy) capabilities to read real-time speed, distance, and workout time. I found myself in FTMS (Fitness Machine Service), a standard for communicating protocol with fitness equipment over BLE.
Jooki was a dream come true for parents—an intuitive, screen-free audio player that let kids enjoy music and stories with the tap of a token. But that dream turned into frustration when the company behind Jooki went bankrupt, leaving countless devices bricked and families frustrated. But what if Jooki isn’t as dead as it seems?
This blog post isn’t just about fixing a broken audio player—it’s about peeling back the layers of its firmware, finding hidden exploits, a backdoor and unlocking code execution.
With a bit of ingenuity, we might just breathe new life into these abandoned devices—on our own terms. Ready to dive into the rabbit hole? Let’s crack this thing open.
A while ago, I reached out to Mats, the creator behind the YouTube channel Topfvollgold, offering my help with data scraping. I thought it might be useful for his projects and mentioned that I’d be happy to assist if the need ever arose.
Recently, Mats reached out with an intriguing request: he needed help scraping data directly from YouTube for an interesting video idea. Naturally, I jumped at the opportunity and got straight to work.
Close to a year ago, I stumbled upon the Kekz Headphones, which seemed like an interesting approach on the whole digital audio device space. They claimed to work without any internet connection and all of the content already on the headphones itself. They are On-Ear Headphones, which work by placing a small chip (I call them “Kekz” or “Cookie”) into a little nook on the side and it plays an audio story. I was intrigued, because there were some speculations going around, how they operate with those “Kekz”-Chips.
I invite you to join me on a journey into the inner workings of those headphones. We will talk about accessing the encrypted files on the device, breaking the crypto and discovering disclosure of data from customers.
I’ve identified a security concern within the self-hosted file sharing tool ProjectSend in the current version r1605. By exploiting a chain of vulnerabilities – including Cross-Site Scripting (XSS), Insecure Direct Object Reference (IDOR), and weaknesses in its change password implementation – an authenticated attacker can force a logged-in user to unknowingly change their account password, by clicking a link.
But let me explain the attack in detail.
A couple of months ago, i asked around on Mastodon if anybody was able to provide some HDDs with hardware faults. Clicking, Buzzing, Silent. Whatever. I wanted to learn the art of Head Swapping and other shenanigans.
Two weeks later, somebody I know, answered my call into the Fediverse, with a drive i could try to get the data from it. I was delighted and scared.
Why scared, you might ask.
The first electronic device which a young child autonomously uses, is most likely an audio device to chose their own music or stories. I am in my mid 30s now and we used cassette tapes, which we were pretty much a common standard back then. Nowadays multiple different licensing methods exists. Tonies, Kekz, Jooki, Coins, you name it. Every company has their own methods and ways to store, encrypt and work with audio files.