Difference between revisions of "Greenwave Reality Bulbs"
m (Text replacement - "gtvcom-20" to "exploiteers-20") |
|||
(3 intermediate revisions by one other user not shown) | |||
Line 7: | Line 7: | ||
== Purchase == | == Purchase == | ||
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. | Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. | ||
[http://www.amazon.com/gp/product/B00FN6PHRW/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00FN6PHRW&linkCode=as2&tag= | [http://www.amazon.com/gp/product/B00FN6PHRW/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00FN6PHRW&linkCode=as2&tag=exploiteers-20&linkId=WZXBATSRGK4VP46B Purchase the Greenwave Reality TCP Connected Bulbs at Amazon] | ||
== Disassembly == | == Disassembly == | ||
Line 33: | Line 33: | ||
== Exploitation == | == Exploitation == | ||
'''This is patched as of 3.0.74''' | |||
This device ships with an open U-boot installation meaning that with a UART adapter hooked up we have access to modify the default boot parameters. This opens the device to an technique called "Kernel Init Hijacking". This technique involves modifying the "init" boot argument which when passed to the kernel specifies which script will handle the boot-up process after the kernel is loaded. By defining this variable as "/bin/sh" we tell the kernel after booting to drop to a shell over UART. This allows us temporary root access to the file system. | This device ships with an open U-boot installation meaning that with a UART adapter hooked up we have access to modify the default boot parameters. This opens the device to an technique called "Kernel Init Hijacking". This technique involves modifying the "init" boot argument which when passed to the kernel specifies which script will handle the boot-up process after the kernel is loaded. By defining this variable as "/bin/sh" we tell the kernel after booting to drop to a shell over UART. This allows us temporary root access to the file system. | ||
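Review bot: The bold line added at the top of Exploitation says "patched as of 3.0.74" without naming what was patched. The section covers both the open U-Boot init override and the sshd login with the recovered credentials, so state which of these 3.0.74 closes. The unchanged paragraph beneath it also still reads "an technique".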
Line 38: | Line 40: | ||
The credentials originally retrieved were: <pre>root:$1$iIngN6uw$iF5XoC.xYL8sTXaWLo8yZ1:14205:0:99999:7:::</pre> | The credentials originally retrieved were: <pre>root:$1$iIngN6uw$iF5XoC.xYL8sTXaWLo8yZ1:14205:0:99999:7:::</pre> | ||
== Demo == | |||
{{#ev:youtube|bOoIETG8BFo}} | |||
== Updates == | |||
Updates can be pulled with the following URL: | |||
<pre>https://update.greenwavereality.com/roxy/update.php?mac=<YOURMAC>&project=Apollo3¤t_version=3.0.39</pre> | |||
'''Previous Updates''' | |||
{| class="wikitable" | |||
| Version | |||
| U-Boot | |||
| RootFS | |||
|- | |||
| 2.0.47 | |||
| None | |||
| [http://update.greenwavereality.eu/roxy/download/1337594376/rootfs.bin RootFS] | |||
|- | |||
| 3.0.39 | |||
| None | |||
| [http://update.greenwavereality.eu/roxy/download/1386066602/rootfs.bin RootFS] | |||
|- | |||
| 3.0.74 | |||
| [http://update.greenwavereality.eu/roxy/download/1408283550/u-boot.bin U-Boot] | |||
| [http://update.greenwavereality.eu/roxy/download/1410966155/rootfs.bin RootFS] | |||
|} |
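Review bot: In the added Updates section, the URL inside `<pre>` reads `¤t_version=3.0.39`. The `&curren` at the start of `&current_version` has been turned into the currency sign, so escape the ampersand (`&amp;current_version`) to keep the parameter name intact. The update check is given over https on the .com host while every table link is plain http on the .eu host, which deserves a sentence for anyone fetching the images. The table's first row would also read better as header cells (`!`) than as ordinary cells.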
Latest revision as of 01:22, 7 February 2016
"Although the information we release has been verified and shown to work to the best of our knowledge, we can't be held accountable for bricked devices or roots gone wrong."
This page will be dedicated to a general overview, descriptions, and information related to the Greenwave Reality TCP Connected Bulbs.
Purchase
Buying devices is expensive and, in a lot of cases, our testing leads to bricked equipment. If you would like to help support our group, site, and research, please use one of the links below to purchase your next device.
Purchase the Greenwave Reality TCP Connected Bulbs at Amazon
Disassembly
Dropbear SSHD
By default this device spawns an sshd server upon boot.
The default root credentials to the Greenwave Reality TCP Connected Smart Lighting system are:
- username: root
- password: thinkgreen
UART
The pin-out for UART can be found on the image below.
Exploitation
This is patched as of 3.0.74
This device ships with an open U-Boot installation, meaning that with a UART adapter hooked up we have access to modify the default boot parameters. This opens the device to a technique called "Kernel Init Hijacking". The technique involves modifying the "init" boot argument, which, when passed to the kernel, specifies which script will handle the boot-up process after the kernel is loaded. By defining this variable as "/bin/sh" we tell the kernel to drop to a shell over UART after booting. This allows us temporary root access to the file system.
With the Greenwave Reality TCP Connected Lighting System, we only had to use this mode to crack the root password. This is because by default the device runs an sshd server, which allows us to log in if the correct credentials are known.
The credentials originally retrieved were:
root:$1$iIngN6uw$iF5XoC.xYL8sTXaWLo8yZ1:14205:0:99999:7:::
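A firmware-review check built around the shadow entry above, added here as an example and not part of the original page: it reads shadow lines, identifies the crypt(3) scheme from the `$id$` prefix, and flags accounts that can still log in with a legacy scheme such as the `$1$` MD5-crypt seen on this device. The function names and the two extra sample lines are constructed for illustration.

```python
from datetime import date, timedelta

# crypt(3) "$id$" prefixes -> (scheme name, acceptable for shipping firmware)
SCHEMES = {
    "1": ("md5crypt", False),
    "2a": ("bcrypt", True), "2b": ("bcrypt", True), "2y": ("bcrypt", True),
    "5": ("sha256crypt", True),
    "6": ("sha512crypt", True),
    "y": ("yescrypt", True),
}

# First line is the entry quoted on this page; the other two are constructed.
SAMPLE = """\
root:$1$iIngN6uw$iF5XoC.xYL8sTXaWLo8yZ1:14205:0:99999:7:::
daemon:*:14205:0:99999:7:::
service::14205:0:99999:7:::
"""

def classify(pw_field):
    """Return (scheme, login_enabled, weak) for a shadow password field."""
    if pw_field == "":
        return ("empty", True, True)        # no password required at all
    if pw_field[0] in "!*":
        return ("locked", False, False)     # password login disabled
    if pw_field.startswith("$"):
        ident = pw_field.split("$")[1]
        # Unknown identifiers are reported as weak so a human reviews them.
        name, ok = SCHEMES.get(ident, ("unknown(%s)" % ident, False))
        return (name, True, not ok)
    return ("descrypt", True, True)         # traditional DES, no $id$ prefix

def audit_shadow(text):
    """Parse shadow-format text into one finding dict per account."""
    findings = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        scheme, enabled, weak = classify(fields[1])
        # Field 3 is the last password change, in days since 1970-01-01.
        changed = ((date(1970, 1, 1) + timedelta(days=int(fields[2]))).isoformat()
                   if fields[2].isdigit() else None)
        findings.append({"user": fields[0], "scheme": scheme,
                         "login_enabled": enabled, "weak": weak,
                         "last_changed": changed})
    return findings

def weak_logins(text):
    """Accounts that accept a password login backed by a weak or empty hash."""
    return [f["user"] for f in audit_shadow(text) if f["login_enabled"] and f["weak"]]

if __name__ == "__main__":
    for finding in audit_shadow(SAMPLE):
        print(finding)
```

Run against a shadow file extracted from a firmware image, any account returned by `weak_logins` is a release blocker when the image also starts an SSH server at boot, as this one does.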
Demo
Updates
Updates can be pulled with the following URL:
https://update.greenwavereality.com/roxy/update.php?mac=<YOURMAC>&project=Apollo3&current_version=3.0.39
Previous Updates
Version | U-Boot | RootFS |
2.0.47 | None | RootFS |
3.0.39 | None | RootFS |
3.0.74 | U-Boot | RootFS |