Conference DEFCON 22. Group GTVHacker. We crack everything: 20 devices in 45 minutes. Part 1
Amir Etemadi: I welcome everyone to the GTVHacker presentation "Hacking everything: 20 devices in 45 minutes". We are the creators of the original Google TV products since 201?, as well as of products such as Chromecast, Roku and Nest, and we also release exploits for all Google TV devices.
So, who are we? I am an Accuvant Labs researcher, created by the GTVHacker group; CJ is the group leader and a security systems researcher, and sometimes also a technology developer. Hans Nielsen works as a senior security consultant for Matasano, and Mike Baker develops firmware and is a co-founder of OpenWRT.
In total, there are 8 members in our group, including Gynophage, who right now is busy with a thing called DefCon CTF, Jay Freeman, the creator of Cydia, a student, Koa Hoang, and Tom Dwenger, the greatest specialist in APK and everything related to Java.
So, why did we decide to hack devices, and not software, which we also do not like? You know, when a device becomes obsolete and reaches its end of life, it is simply thrown into the dump. In fact, old devices are being killed, and there is no use in it, as was the case with Logitech Revue.
We give new life to discarded devices, and we also always strive to make the product better, give it more opportunities, and if we can do it, we do it. We like to answer technical challenges, you know, these are like puzzles that you like to solve.
The study, of course, is a delightful process, but the essence of this presentation can be expressed in words:
"You have a root!"
In fact, "hacking 20 devices in 45 minutes", that is, during the presentation, does not leave us much time to spend on each device in detail. Therefore, I will show you the device display, which will go into our "Wiki" immediately after the presentation. We will acquaint you with the technical details, equipment schemes, everything we can, because it is rather difficult to read. At the bottom of the slide you see a link; you can use it after the presentation to get access to all the things shown during this demonstration. And now I give the floor to my colleague, who will tell you about the Prospect of Attacks.
Hans Nielsen: there are an infinite number of ways to attack this type of device. Today, with an example of these 20 devices, we'll look at 3 basic methods of hacking.
The first is the use of debugging ports located on the devices themselves. The second method is that we can use serial ports or eMMC memory cards, an outdated version of SD cards, to connect to the device and modify the storage. The third method is obtaining direct access to the OS, which allows you to run a whole bunch of commands through the command line to trigger the most typical errors of consumer electronics.
So, let's talk about UART - universal asynchronous transceiver. It is used by developers to debug equipment and does not carry any more functional load. This is a very simple interface - one wire is for transmission, the other is for reception, and the third is ground.
They ask me how old I am; I answer, I'm 27 years old, thank you for your question! So, a very simple data exchange protocol is used here, and the port itself operates at different voltages, for example 1.8V, 3.3V or 5V, and is a serial port similar to the USB ports on a computer.
So you have several free adapters that allow you to play with your own devices, and I hope you get as much benefit from them as we could get. So, how can you use UART?
Consider a specific device, the MFP Epson Artisan 700/80?; this is simultaneously a printer, scanner and copier, which can be used as a network printer. It is controlled by Linux ??? - arm1. What can I do with it? If you open the case, you see a printed circuit board on which there are 4 contacts: receive, transmit, ground, power. This is a variant of the classic UART connection.
After connecting our debugging port here, we saw the console menu of the printer settings.
We can restart the printer, reset the settings, run an arbitrary shell command, execute any commands that we need, in general, it's fun to play around with our printer.
The second device is a clever Belkin WeMo socket with Internet control. It allows you to use a mobile phone to connect your coffee maker and other household appliances through the Internet and is widely used by different people.
This is a fairly small device, so reading the notations on the PCB is difficult. But we found the receiver and transmitter contacts and connected the UART to them. After that, the Internet reported that the device was patched, but it was not true. It turned out that we had only 2 seconds to enter a command, after which the device was automatically rebooted.
At the right moment, we managed to enter a command that "killed" the reboot script, after which we could do whatever we wanted with this smart socket.
The third device was the clever lamp Greenwave Reality, a competitor of Philips Hue, which uses the ZigBee high-level network protocol; it has been talked about quite a lot. It's funny that it uses a PowerPC microprocessor. During startup, this lamp provides an SSH server for which we did not have a password.
When we opened the case, we also found the contacts for UART. This device was equipped with the universal open bootloader U-Boot, which loads and runs Linux. Using this bootloader, you can do anything: reflash the device, change the kernel command line. You can accompany the loading of Linux with many options, for example, ones allowing you to find out the amount of device memory. We managed to get root rights by changing the bootloader command line. To do this, we connected via UART, inserted /bin/sh into the kernel command line, and so went into the bootloader shell.
In order to safely use the device in the future, we cracked the password "thinkgreen" for access to root rights.
The fourth device is the File Transporter, a flash drive with the ability to transfer data over the network. This is a kind of portable "cloud", which uses a large hard disk of the classic HDD format with a capacity of 1 TB to store files. It can be connected to a home network and can access files on various home devices.
This "file carrier" appeared on the market recently and is a pretty standard kind of device running Linux. It's quite a funny thing, and removing the case from it, we easily found the adapter for connecting UART.
It also used the U-Boot bootloader, so, as in the previous case, we were able to get root rights using the kernel command line. This allowed us to change the root password and access the device.
The fifth device was a network media player Vizio CoStar LT model ISV-B11. It provides access to the CoStar channel, which used to belong to the Google TV network. This media player connects to other devices via the Internet or cable through the HDMI output.
It may be funny to say that Google TV no longer exists, but there is still our group called GTVHacker. So, in the upper left corner of the PCB, white letters denote the classic connector for connecting UART, 4 pins in a row. Here we had some difficulties in communicating with the kernel, since after we connected the "flash drive", we received the message "incomprehensible file system on the flash drive". We reformatted it to FAT3? and then a message popped up: "I cannot find fs.sys". It looked suspicious, so we did some research.
As a result, we concluded that at boot time you need to have both fs.sys and safe-kernel.img1 on the flash drive. The first file is a U-Boot script that contains arbitrary U-Boot commands which are executed at boot time. We used the same technique as when hacking the previous device. Modifying the kernel command line gave us the opportunity to crack the kernel and get root rights. To load a completely new kernel, you can use a combination of these two files located on a flash drive, which simply connects to the UART.
Staples Connect, the Linksys Zonoff model, was the sixth device we hacked. This is another small center of home automation, a hub that performs a joint communication of home devices of different brands and different types. It is equipped with a Wi-Fi module and a USB port for connecting a hard drive and is based on the use of cloud technology.
On the printed circuit board we found a header with contact sockets. We shorted pins 29/30 of the NAND memory, so when the U-Boot environment was loaded, an error occurred and the device rebooted. After setting the default timeout, we ran the command setenv bootargs "console=ttyS?115200 init=/bin/sh[…]" and booted into the root console. Adding the line # dropbear -d 22?, we were able to modify, save and edit U-Boot. To access root, we used the SSH password "oemroot", which we managed to crack relatively easily. And now I want to introduce you to CJ.
CJ Jerez: I want to talk to you about non-volatile memory cards of the eMMC format, Embedded MultiMedia Card. They are based on the standard chip of SD memory cards. This is a pretty cool thing, which includes a flash memory module and a flash memory controller. You do not need to worry about any additional magic bits.
A conventional memory card contains additional bits that handle errors and contain error correction code; this function is intended for developers. The eMMC memory card uses a regular file system, and access to it is via a cheap multimedia card reader that reads conventional SD cards and eMMC equally well. Since this card is structurally a surface-mounted BGA chip, its outputs are solder balls placed on the back of the package. To work with such a card, you need to identify these contacts, that is, we needed certain balls to connect the debugger.
To find the necessary contacts, we first looked at the design of the board, all sorts of labels, inscriptions under the resistors, tracing the printed substrate and contacts on the other side of the board. Then we took advantage of intuition and logical analysis, and after that just pulled out the chip and watched that it did not work. We were able to connect this card to the MMC reader and reset the settings.
Now let's talk about our 7th device, it's an Amazon Fire TV set-top box with a remote control.
It is equipped with a 4-core Snapdragon 600 processor with 1.7 GHz frequency and an 8MB eMMC memory, and is controlled by a modified version of Android ??? called Fire OS 3.0.
Opening the case, we began to look for eMMC pinouts, and during the search we spoiled one device, because we broke one of the contacts when we pulled out the eMMC chip, so we had to work on the second copy of the console.
The left side of the slide shows the location of the eMMC contacts, on the right - the 1.8V UART contacts.
Having successfully hacked this console, we took up device number 8, the Hisense Android TV, a smart TV running Android; it's a kind of Google TV that was rebranded. It uses one of the latest processors, the 4-core Marvell MV88DE3108. At last year's DefCon conference we showed how to bypass the boot in safe mode for the processors of this line thanks to a small error that exists in their firmware.
The next slide shows how the contacts for connecting to the debugger look. They are small enough, but we did not need to desolder the flash memory chip.
For this device, it was necessary to perform a rather extensive procedure: first to mount the factory_settings partition with the command /dev/mmcblk0p?, which was preserved between boots, then use the good old # chmod 4755 su; you can also use the Super SU program to get root rights. Further, through the Android debug bridge ADB you can modify the OS, which is very similar to the original Android.
So, we move on. Do not ever say: "Device X cannot be hacked." In 201? the USPS postal service published an ad that said that "the refrigerator cannot be hacked." This company positioned itself as a leader in the field of refrigerator safety. You can watch the video on YouTube. I took it as a challenge. I did not have a spare $3000 to check this statement on a new refrigerator, but you can find anything at the dump, including parts of discarded refrigerators. I was able to get the electronic stuffing of the smart refrigerator LG Smart Refrigerator, model LFX31995ST, running a slightly outdated operating system, Android 2.3. This is the ninth device that we were able to crack.
The "brain" of the refrigerator controlled frost, food temperature, ice making, drinking water consumption, and the device itself was equipped with a Wi-Fi module, a USB port and an SD memory card.
On the printed circuit board there were UART contacts, allowing us to load the root console, and the eMMC chip. This made it possible to mount the system, as in the case of Fire TV, insert the Android bootloader and load the superuser binary file. As it turned out, the parameter ro.secure=?, that is, the device already had superuser access. Probably, the developers were sure that no one would even take advantage of this opportunity.
Then we started typing commands. I note that you should never trust data that the user enters and never use shell commands. Entering the ls %s command with "; reboot" as the argument gave the result ls ; reboot, after which the system successfully rebooted.
Exhibit 1?, which perfectly demonstrated the possibility of hacking, was a smart TV, Vizio Smart TV model VF552XVT, which is based on the BCM97XXX Yahoo Powered Smart TV series of smart TVs. Despite the fact that this platform is obsolete, it is still widely used.
This is one of the latest LED-backlit TVs, which is noticeably thinner than models with an LCD display.
The command line is injected here via the Wi-Fi password, which is a more modern version of the UART debugger via the USB port.
If you set Wi-Fi mode, you can enter the menu and connect to a Wi-Fi network access point. If you can enter the commands shown on the slide, you will have root access to the system.
To do this, we used a USB UART adapter and then entered a string of several characters that told the kernel where to send the data. A couple of minutes later we received a data entry error, and then entered a long command bash ?, which meant that all the data coming from this device should be sent to the shell, and all the shell data sent to the device. So we were able to get root rights via USB UART.
Device number 11 was the Blu-ray player Sony BDP-S5100 with an MTK 8500 processor running Linux. It is equipped with Wi-Fi and access to online viewing services for Netflix movies, VUDU and so on.
Another Blu-ray player on the same chipset is device number 1?, the LG BP53?, with similar functionality.
We found that both of these devices have the same chipset firmware error, which supports the use of the SDK.
If you put an empty file called "vudu.txt" in a folder called "vudu" on the USB flash drive, and also create an exploit of "vudu.sh" containing these lines:
mount -t overlayfs -o overlayfs /etc/passwd
echo "root::0:0:root:/root:/bin/sh" > /etc/passwd
/mnt/rootfs_normal/usr/sbin/telnetd
Then you can do the following.
Start the VUDU service; it executes the shell script as the superuser, and you can use the connection completely through the Telnet network. This can be done with all the players on the MTK 8500 chipset, including the following device, number 13, the Panasonic DMP-BDT230 Blu-ray player.
It's very simple. The next slide shows a printed circuit board having almost the same layout for all the mentioned players. There is a console output, 115200 8n?, to which you can connect the UART. This was very important for us, as it allowed us to detect the above error during debugging. However, there is another possibility of injecting a command line via the root console using the on-screen menu, since the name of the network folder is not checked before use.
Thus, you can get superuser rights and dispose of all the possibilities of the devices at your discretion.
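The refrigerator's "ls %s" bug above is a plain command injection. As an added example that is not from the talk, here is how such a helper looks in firmware C beside a hardened version that validates the name and runs ls without a shell (all function names are hypothetical):

```c
/* Added example, not from the GTVHacker talk. Hypothetical helper names. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* VULNERABLE: splices untrusted input into a shell command line.
 * Input "; reboot" turns "ls %s" into "ls ; reboot", the talk's result;
 * firmware would then hand this string to system(). */
int build_ls_command(char *out, size_t outsz, const char *user_dir)
{
    return snprintf(out, outsz, "ls %s", user_dir);
}

/* Whitelist check: a directory name may only contain [A-Za-z0-9._/-].
 * Shell metacharacters (; | & $ ` newline ...) are rejected outright. */
int is_safe_dir_name(const char *s)
{
    if (s == NULL || *s == '\0' || strlen(s) > 255) return 0;
    for (; *s; s++) {
        if (!((*s >= 'a' && *s <= 'z') || (*s >= 'A' && *s <= 'Z') ||
              (*s >= '0' && *s <= '9') || strchr("._/-", *s)))
            return 0;
    }
    return 1;
}

/* HARDENED: validate, then exec /bin/ls directly with an argv array.
 * No shell is involved, so metacharacters are never interpreted.
 * Returns the child's exit status, or -1 on rejected input / failure. */
int run_ls_safe(const char *user_dir)
{
    if (!is_safe_dir_name(user_dir)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)"ls", (char *)"--", (char *)user_dir, NULL };
        execv("/bin/ls", argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[64];
    build_ls_command(cmd, sizeof cmd, "; reboot");
    printf("vulnerable command line: %s\n", cmd);            /* ls ; reboot */
    printf("hardened \"; reboot\": %d\n", run_ls_safe("; reboot")); /* -1 */
    printf("hardened \"/\": %d\n", run_ls_safe("/"));        /* 0 */
    return 0;
}
```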