https://www.Exploitee.rs/index.php?title=Staples_Connect_Hub%E2%80%8B%E2%80%8B&feed=atom&action=history
Staples Connect Hub - Revision history
2024-03-29T09:22:08Z
Revision history for this page on the wiki
MediaWiki 1.37.2
https://www.Exploitee.rs/index.php?title=Staples_Connect_Hub%E2%80%8B%E2%80%8B&diff=2446&oldid=prev
Zenofex at 04:29, 8 March 2015
2015-03-08T04:29:27Z
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 04:29, 8 March 2015</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l47">Line 47:</td>
<td colspan="2" class="diff-lineno">Line 47:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>User: root</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>User: root</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Password: oemroot</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Password: oemroot</div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">==Root Demo==</ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">{{#ev:youtube|gu8zcCV4u4k}}</ins></div></td></tr>
<!-- diff cache key gtvhack_wiki:diff::1.12:old-2194:rev-2446 -->
</table>
Zenofex
https://www.Exploitee.rs/index.php?title=Staples_Connect_Hub%E2%80%8B%E2%80%8B&diff=2194&oldid=prev
Zenofex: 1 revision: Moving from DC22 to main site.
2014-08-17T08:22:47Z
<p>1 revision: Moving from DC22 to main site.</p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 08:22, 17 August 2014</td>
</tr>
<!-- diff cache key gtvhack_wiki:diff::1.12:old-2193:rev-2194 -->
</table>
Zenofex
https://www.Exploitee.rs/index.php?title=Staples_Connect_Hub%E2%80%8B%E2%80%8B&diff=2193&oldid=prev
CJ: /* Exploitation */
2014-08-07T01:50:33Z
<p><span dir="auto"><span class="autocomment">Exploitation</span></span></p>
<p><b>New page</b></p><div>__FORCETOC__<br />
{{Disclaimer}}<br />
[[File:Staples_Connect_Hub.jpg|200px|left|thumb]]<br />
[[Category:Home Automation]]<br />
This page will be dedicated to a general overview, descriptions, and information related to the Staples Connect Hub.<br />
<br />
== Purchase ==<br />
[http://www.staples.com/Staples-Connect-Hub-powered-by-Linksys/product_280287 Purchase the Staples Connect Hub]<br />
<br />
== UART Pinout ==<br />
<br />
<gallery><br />
File:StaplesConnectUART.png<br />
</gallery><br />
<br />
== Exploitation ==<br />
<br />
Utilizing a safeguard built into U-Boot, the bootloader running on the Staples Connect, we can modify the system's boot parameters and either execute our own code or drop to a root shell.<br />
<br />
This works because, during system bootup, the bootloader looks for environment variables stored on NAND flash. If it cannot find these, it will execute defaults instead. The defaults feature a bootloader shell, which isn't disabled as it is in the normal, saved environment variables.<br />
<br />
<br />
To ensure that the bootloader cannot see the environment variables at boot, timing is critical. By grounding out pins 29-30 while the system is booting (at just the right time), the box will boot but fail to load the environment variables, dropping us to a root shell. From here we can modify and resave the environment variables so that this process need not be repeated.<br />
<br />
*Boot system<br />
*Count to 4<br />
*Short pins 29-30 to ground<br />
*Success: "Hit any key to stop autoboot"<br />
*Fail: Hang / Crash / NAND not found.<br />
<br />
It may take a few attempts to get this right, as timing is critical.<br />
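The fail-open fallback described above, as an added example that is not code from the original page or from U-Boot: it assumes the stock non-redundant U-Boot layout (a 4-byte little-endian CRC32 followed by NUL-separated name=value strings) and checks whether a failed read of the saved copy would select defaults with a more permissive autoboot window. `DEFAULT_ENV` and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of compiled-in defaults: a 3 s autoboot interrupt window. */
static const uint8_t DEFAULT_ENV[] = "bootdelay=3\0bootcmd=run nandboot\0";

/* Reflected CRC-32 (polynomial 0xEDB88320), the zlib variant. */
static uint32_t crc32_calc(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Assumed layout: 4-byte little-endian CRC, then "name=value\0" ... "\0". */
static int env_valid(const uint8_t *b, size_t len) {
    if (len < 5) return 0;
    uint32_t stored = b[0] | (b[1] << 8) | (b[2] << 16) | ((uint32_t)b[3] << 24);
    return stored == crc32_calc(b + 4, len - 4);
}

/* Bounds-checked lookup in a NUL-separated variable list. */
static const char *env_get(const uint8_t *d, size_t len, const char *name) {
    size_t nl = strlen(name), i = 0;
    while (i < len && d[i] != 0) {
        const uint8_t *end = memchr(d + i, 0, len - i);
        if (!end) return NULL;               /* unterminated entry */
        size_t el = (size_t)(end - (d + i));
        if (el > nl && d[i + nl] == '=' && memcmp(d + i, name, nl) == 0)
            return (const char *)(d + i + nl + 1);
        i += el + 1;
    }
    return NULL;
}

/* A positive bootdelay gives the console a window to interrupt autoboot. */
static int console_window(const uint8_t *d, size_t len) {
    const char *v = env_get(d, len, "bootdelay");
    return v != NULL && strtol(v, NULL, 10) > 0;
}

/* 1 if the saved copy keeps the console closed but the fallback opens it. */
static int fallback_exposes_console(const uint8_t *b, size_t len) {
    int saved_open = env_valid(b, len) && console_window(b + 4, len - 4);
    return !saved_open && console_window(DEFAULT_ENV, sizeof DEFAULT_ENV);
}
```

A build whose compiled-in defaults are at least as restrictive as the saved copy returns 0 here, so an unreadable stored environment changes nothing.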
<br />
Running the commands below boots to a root console.<br />
<pre><br />
setenv bootargs "console=ttyS0,115200 init=/bin/sh mem=256M mtdparts=orion_nand:1M(uboot),32M(em-rfs),4M(em-kern),5M(pd-kern),-(pd-rfs) ubi.mtd=4,512 root=ubi0:rootfs rootfstype=ubifs rootflags=sync"<br />
mw.b f1010140 0xFA; if nboot 0x600000 0 0x2500000; then mw.b f1010140 0xF5; bootm 0x600000; fi<br />
</pre><br />
<br />
== SSH ==<br />
Using the above to boot to a root console, edit /etc/rc.local, and add:<br />
<pre><br />
dropbear -p 222<br />
</pre><br />
<br />
Simply reboot, and you can SSH in on port 222 using the credentials below:<br />
<br />
User: root<br />
Password: oemroot</div>
CJ