diff --git a/en/research-security.md b/en/research-security.md index 9e1d395..ece3afc 100644 --- a/en/research-security.md +++ b/en/research-security.md 
@@ -99,68 +99,68 @@ discover even more yet unknown passwords. Sharing is caring, boys! ``` +### Hijacking the default password +_tested on Goke_ + +Over the UART interface, it is possible to temporarily interrupt the normal +booting sequence and drop into a limited Linux shell at early stage of +system startup. +``` +setenv bootargs ${bootargs} single init=/bin/sh +boot +``` +This shell won't load the full working system, so you have to amend it manually. +First, mount `/rom` filesystem: +``` +mount -t jffs2 /dev/mtdblock3 /rom +``` +Mount the rest of mounting points from `/etc/fstab`: +``` +mount -a +``` +Also mount the SD card to copy files to and from: +``` +mount /dev/mmcblk0p1 on /mnt/s0 +``` +On `/rom` filesystem, you can edit the `/room/etc/passwd` file but once the +device restarts it will be reset to default. This happens because there is a +guide bin file recreating `passwd` file on each start, so we need to modify +that executable. + +Copy `system.dat` to an SD card: +``` +cp /rom/system.dat /mnt/s0 +``` +On a linux computer, unpack `system.dat` file using `unsquashfs`: +``` +mkdir squashfs-temp +cd squashfs-temp +unsquashfs system.dat +``` +Find guide file and edit its content in a hex-editor to modify the name of the +file where password is written on every restart. Search for `/etc/passwd` and +change a letter in its name to something different, like `/etc/passwT`. + +Pack the squash file system using `mksquashfs`: +``` +mksquashfs ./squashfs-root ./file -comp xz -no-xattrs -noappend -no-exports -all-root -quiet -b 131072 +``` +and copy it from the SD card back to `/rom` directory on the camera. + +Now you can replace the password in `/rom/etc/passwd` with your own password, and when +you restart the device, you will have full working system with your own password. 
+ + ### Software - [Hashcat](https://hashcat.net/) - [John The Ripper](https://www.openwall.com/john/) - [Hydra](https://github.com/vanhauser-thc/thc-hydra) - [1]: https://en.wikipedia.org/wiki/Rainbow_table [2]: https://en.wikipedia.org/wiki/Brute-force_attack -Alternative way to get access to full working system. + --------------------------------------------------- - -You will not have original root pass but you will be able get into :) - -### Limited shell access -TESTED on GOKE SOC. -Over the UART interface it is possible to get into a limited shell, but this shell does not load full working system. -``` -setenv bootargs ${bootargs} single init=/bin/sh -boot - -``` -Once we are in limited shell it is need to mount ROM filesystem: -``` -mount -t jffs2 /dev/mtdblock3 /rom -``` - -Also will be great to mount sd card to copy some files: -``` -mount -mount -a -mount /dev/mmcblk0p1 on /mnt/s0 -``` - -### Modifying the file system -on /rom filesystem you can edit the /room/etc/passwd file but once the device restarts it will be set to default, this happens because there is a guide bin file writing to passwd file on each start, so we need to modify this executable. - -copy system.dat to sd card -``` -cp /rom/system.dat /mnt/s0 -``` - -on a linux computer it is need to unsquahfs system.dat, do some changes and resquashfs: -``` -mkdir squashfs-temp -cd squashfs-temp - -unsquashfs system.dat -``` - -find guide file and hexedit to modify where "/etc/passwd" is written and change one letter, for example "/etc/passwT". This file will be created on start instead of passwd replaced. - -re squash the file system: -``` -mksquashfs ./squashfs-root ./file -comp xz -no-xattrs -noappend -no-exports -all-root -quiet -b 131072 -``` - -and copy back from sd card to /rom directory on goke soc. - -now you can edit /rom/etc/passwd with your own pass, and when you restart the device you will have full working system with your own pass. - -
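Review bot: the SD-card mount command added in this hunk, `mount /dev/mmcblk0p1 on /mnt/s0`, is not valid mount syntax (the word `on` appears only in mount's own listing output) and will fail on the device; it should read `mount /dev/mmcblk0p1 /mnt/s0`. Two smaller documentation points in the same hunk: the path `/room/etc/passwd` should be `/rom/etc/passwd` to match the `/rom` mount point used everywhere else, and the repacking step writes its output to `./file` while the surrounding text never says to rename that output to `system.dat` before copying it back to `/rom`, nor that `system.dat` has to be copied into (or referenced by path from) `squashfs-temp` before `unsquashfs system.dat` is run inside that directory. Consider spelling those steps out so a reader following the procedure literally ends up with a bootable `/rom/system.dat`.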