Applications

Applications I have developed and released publicly.

FATXplorer

Developed: Since 2009
Cost: $25, free trial available
Tech Stack (Desktop): C#, .NET, WinForms, DevExpress components, CBFS Connect
Tech Stack (Web): C#, .NET, Google Cloud (Run, CDN, Load Balancer, Storage, Firestore), FastSpring
Platform: Windows Desktop
FATXplorer Screenshot

FATXplorer is an Xbox storage device explorer. With it, it is possible to mount any type of Xbox storage natively in Windows through a file system driver. Also featured are formatting tools, recovery tools, and much more. In active development since 2009 and still selling copies worldwide.

Callback Technologies Case Study

DevTool

Developed: 2012-2013
Cost: Free
Tech Stack: C#, .NET Framework, WinForms, DevExpress components
Platform: Windows Desktop
DevTool Screenshot

Once-private Xbox 360 development PC companion. Publicly released July 2015.

XePatch

Developed: 2011
Cost: Free
Tech Stack: C#, .NET Framework, WinForms, DevExpress components
Platform: Windows Desktop
XePatch Screenshot

An Xbox 360 patch viewer and editor.

Banjo-Kazooie Nuts and Bolts Mod Tool

Developed: 2009
Cost: Free
Tech Stack: C#, .NET Framework, WinForms, DevExpress components
Platform: Windows Desktop
Banjo-Kazooie Nuts and Bolts Mod Tool Screenshot

The first free application I ever created and released publicly. It was an Xbox 360 save editor gamers could use to give their in-game character an edge.

Web

My projects involving websites.

Grape Intentions

Developed: Since 2016
Tech Stack: WordPress, PHP, MySQL, C#, .NET Framework, EasyPost, Stripe, and more
Position: Director of Technology

Currently handling day-to-day maintenance, development, security, and general operations for the Grape Intentions website and backend systems.

Finish Line Rowing Used Boat Marketplace

Developed: 2017
Tech Stack: WordPress, PHP, MySQL

Used boat marketplace for Finish Line Rowing in the form of a WordPress plugin.

Security

My cybersecurity-related discoveries, analyses, and reports.

Honda eCommerce Hack

Type: Security issue, report
Reported to vendor: March 16, 2023
Public disclosure: June 6, 2023

Through a password reset exploit I gained entry into Honda's power equipment / marine / lawn & garden dealer eCommerce platform and managed to take over the entire platform and access all data.

News coverage:

Toyota C360 Hack

Type: Security issue, report
Reported to vendor: October 30, 2022
Public disclosure: March 6, 2023

I broke into Toyota's C360 CRM, a web app used by Toyota to manage Mexican customers.

News coverage:

Toyota GSPIMS Hack

Type: Security issue, report
Reported to vendor: November 3, 2022
Public disclosure: February 6, 2023

I hacked Toyota's Global Supplier Preparation Information Management System ("GSPIMS"), a web app used by Toyota employees and their suppliers to coordinate projects, parts, surveys, purchases, and other tasks related to the global Toyota supply chain. This is one of the most severe vulnerabilities I have ever found (so far!).

Discussion links: X | Reddit

News coverage:

Jacuzzi SmartTub Hack

Type: Security issue, report
Reported to vendor: December 3, 2021
Public disclosure: June 20, 2022

Two vulnerable Jacuzzi SmartTub administration panels exposed worldwide customer data for multiple brands. The admin panels provided unprecedented control over the SmartTub network. Disclosure to Jacuzzi was difficult and mostly a one-way conversation.

Discussion links: X | Reddit (gadgets, netsec)

News coverage:

Microsoft Xbox Game Developer Forums Exposure

Type: Security issue, report
Reported to vendor: May 22, 2015
Public disclosure: January 31, 2022

In May 2015 Microsoft accidentally exposed several years' worth of private Xbox game developer forum content. The incident was responsibly disclosed to Microsoft/Xbox and remedied 24 hours later.

Mercedes-Benz XENTRY TIPS Mobile User Impersonation

Type: Security issue, report
Reported to vendor: September 7, 2021
Public disclosure: January 31, 2022

XENTRY TIPS is a database of topics that Mercedes-Benz maintains to help their dealers troubleshoot and fix issues with Mercedes-Benz vehicles. A mobile website built using Angular exists that gives dealer personnel easier access from their mobile devices. The content is locked behind a paid subscription linked to the user's account, but it was discovered that user impersonation was possible by modifying the user ID value sent as a query parameter to their API. Substituting your own user ID with one that had an active subscription (easy to find at the bottom of various TIPS documents posted on the NHTSA website) made it possible to access topics and other resources. The incident was responsibly disclosed to Mercedes-Benz and fixed a few weeks later.

XENTRY TIPS Mobile API Call
Example of an exploitable API call.
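The root cause described above is an authorization check keyed on a client-controlled identifier. The following added example (my own illustration, not Mercedes-Benz's code or the XENTRY TIPS API; the endpoint shape, `userId`/`topicId` parameter names, session tokens, subscription table and topic bodies are all constructed) shows the vulnerable pattern beside a hardened handler that takes the caller's identity only from the server-side session, rejects any mismatching client-supplied user ID, and records the mismatch for detection.

```python
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed fixtures standing in for a real session store, entitlement table
# and content database. Alice has no subscription; Bob has an active one.
SESSIONS = {"tok-alice": "u-1001", "tok-bob": "u-2002"}
SUBSCRIPTIONS = {"u-1001": False, "u-2002": True}
TOPICS = {"T-42": "Constructed troubleshooting topic body"}


@dataclass
class Response:
    status: int
    body: str


@dataclass
class AuditLog:
    # Collects security events a SIEM rule could alert on.
    events: List[str] = field(default_factory=list)


AUDIT = AuditLog()


def _query_param(url: str, name: str) -> Optional[str]:
    """Return the first value of a query parameter, or None if absent."""
    return parse_qs(urlparse(url).query).get(name, [None])[0]


def vulnerable_get_topic(url: str, session_token: str) -> Response:
    """Vulnerable pattern: the session only proves *someone* is signed in;
    the entitlement check trusts whatever userId the client put in the URL."""
    if session_token not in SESSIONS:
        return Response(401, "not signed in")
    claimed_user = _query_param(url, "userId")   # attacker-controlled
    topic_id = _query_param(url, "topicId")
    if not SUBSCRIPTIONS.get(claimed_user, False):
        return Response(403, "subscription required")
    return Response(200, TOPICS.get(topic_id, ""))


def hardened_get_topic(url: str, session_token: str) -> Response:
    """Hardened pattern: identity is derived from the server-side session.
    A client-supplied userId is tolerated only if it matches that identity;
    a mismatch is rejected and logged, since it signals an impersonation attempt."""
    user_id = SESSIONS.get(session_token)
    if user_id is None:
        return Response(401, "not signed in")
    claimed_user = _query_param(url, "userId")
    if claimed_user is not None and claimed_user != user_id:
        AUDIT.events.append(
            f"userId mismatch: session={user_id} claimed={claimed_user} url={url}"
        )
        return Response(403, "forbidden")
    topic_id = _query_param(url, "topicId")
    if not SUBSCRIPTIONS.get(user_id, False):   # entitlement of the *real* user
        return Response(403, "subscription required")
    return Response(200, TOPICS.get(topic_id, ""))


if __name__ == "__main__":
    # Alice (no subscription) requests a topic while claiming Bob's user ID.
    spoofed = "https://api.example.invalid/topics?userId=u-2002&topicId=T-42"
    print("vulnerable:", vulnerable_get_topic(spoofed, "tok-alice"))
    print("hardened:  ", hardened_get_topic(spoofed, "tok-alice"))
    print("audit:     ", AUDIT.events)
```

The detection angle is the cheap part: once the handler derives identity from the session, any request whose `userId` disagrees with it is by definition suspicious, and logging that mismatch (rather than silently ignoring the parameter) gives the security team a signal that the old bypass is being probed.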

MBUSA Dealer Help Center website data exfiltration

Type: Security issue, report
Reported to vendor: June 20, 2019
Public disclosure: December 19, 2019
Mercedes-Benz Dealer Confidential Notice
The header of one of the downloaded PDFs. Don't worry, you are allowed to read this post.😉

Downloading confidential information from Mercedes-Benz USA's Dealer Help Center website was possible due to missing authentication on downloads. The incident was responsibly disclosed to Mercedes-Benz and fixed after a lengthy back-and-forth.

Thank-you letter from Mercedes-Benz CISO, Michael Schrank

Cloudflare Access Bypass

Type: Security issue, report
Reported to vendor: December 12, 2017
Public disclosure: December 12, 2017

It was possible to bypass Cloudflare Access authentication by appending a query parameter to protected URLs. Details were shared with a Cloudflare employee over email, and a Cloudflare t-shirt was awarded.

Reverse engineering and removing Pokémon GO's certificate pinning

Type: Analysis
Published: July 31, 2016
Pokémon GO opened in The Interactive Disassembler
Relevant Pokémon GO ARM subroutine in The Interactive Disassembler.

An analysis of the certificate pinning in Pokémon GO for Android, and of removing it to allow HTTPS request inspection. Made the front page of Hacker News.

Hacks & Mods

My noteworthy game and console-related hack/mod projects.

Extra Large Xbox 360 Internal HDD Storage

Released: August 9, 2022
XL HDD on the Xbox 360 dashboard

Through one last comprehensive kernel patch and custom formatting tool, it is now possible to use up to 16 TB of space on an internal Xbox 360 HDD or SSD.

A technical deep-dive will be published in the future. Subscribe so you don't miss it!

Extra Large Xbox 360 USB Storage

Released: April 6, 2022
2 XL USBs on the Xbox 360 dashboard

Through another comprehensive kernel patch and custom formatting tool, it is now possible to use up to 16 TB of space on a single USB storage device connected to an Xbox 360. This project also improves the overall performance of the Xbox 360 USB driver.

A technical deep-dive will be published in the future. Subscribe so you don't miss it!

Large Xbox 360 USB Storage

Released: December 27, 2012

Back when Microsoft added USB storage support to Xbox 360 consoles, it was only possible to use up to 32 GB of space. Through a comprehensive kernel patch and a custom formatting tool, the 32 GB limit was broken and extended to 2 TB.

A technical deep-dive will be published in the future. Subscribe so you don't miss it!

Floodout

Released: April 29, 2008
Floodout Screenshot

Halo 2 mod for the Lockout map. The map has been "floodified" with grimy textures, modified weapons with new projectiles & effects, a retextured player biped, and scary ambient background sounds. Winner of a Halomods.com mod-of-the-month competition.🏆