So after watching a talk at Defcon 23 about the Tracking Point rifle scope (When IoT Attacks:
Hacking A Linux-Powered Rifle) I got interested and wanted to know what was within budget for some rifle hacking of my own. What that talk showed was that it was possible to remotely change the bullet's point of impact by adjusting the ballistic coefficient of the round in the riflescope's settings. In other words, the shooter aims at one target and the bullet lands somewhere else.
Well, this is where the ATN X-Sight came into play. As an avid shooter I had already seen one of these scopes at my local store and decided they were pretty neat, and at a price point I could afford they would let me enter the night vision world. Before I splashed the cash I did some research on the device and found a helpful (until I got banned) Facebook group devoted to these scopes. Over the course of a few months I asked questions such as:
- Can you roll back the ATN firmware to an older version?
- What services are running on the scope?
- Has anyone been able to look into the firmware binaries?
- Has anyone modified the stock firmware to offer extra functionality?
Side note: well, I ended up getting banned. I'm not sure by which admin, and they didn't even give me a warning. Playing with a device that I own is not against the law; many people do it in order to improve the device. When ATN stop supporting this product (and they will), members of that group will be running to guys like me for help getting more life out of it.
Anyway, back to the point. I managed to pick up a second-hand ATN X-Sight from a fellow shooter for a bargain price. AP, if you're reading this, many thanks for the sight. I hope the Black Label Gunpowder Proof rum tasted good?
I know by now you're wondering what this scope looks like, so I had better give you a photo of the thing.
When you look through the scope you get a reticle plus some extra information along the top, such as Wi-Fi status, GPS status, bearing (compass), time and so on.
Externally the device has a battery compartment, a microSD slot (32GB max), a microUSB (USB Micro-B) port and a microHDMI output.
For more details about the device and how it works see the online manual here.
Well, before the scope arrived I started to play with the firmware using common *nix tools. I managed to find a repo online containing all the versions of the firmware for the ATN X-Sight. Unfortunately I lost the link for the repo, but not before I had downloaded the bins myself. Here they are should anyone need them. As of writing (24th Nov 2015) the latest version is 1.8.07.343 (known in the X-Sight community simply as 343).
The first tool I decided to use was binwalk, to see if it could do any magic for me. I hadn't used this tool before, but a quick look at the homepage found me the Quick Start Guide on GitHub. The flags below are -t (wrap output to the terminal width), -M (recursively scan whatever gets extracted), -r (delete carved files once they have been extracted) and -e (extract known file types); the recursive scan is why a second report, for the gzip blob extracted at 0x8D1C24, appears at the bottom of the output.
```
root@kali:~/Desktop/xSightFirmware# binwalk -tMre xsight1.8.07.343.bin

Scan Time:     2015-10-23 13:36:18
Target File:   xsight1.8.07.343.bin
MD5 Checksum:  9488a5a25ad7dea2ca942c980bb47182
Signatures:    285

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
123769        0x1E379         Copyright string: " (C) 2004-2007c: 0x"
351767        0x55E17         mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
4754382       0x488BCE        XML document, version: "1.0"
4754882       0x488DC2        XML document, version: "1.0"
5041405       0x4CECFD        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, missing uncompressed size
5041457       0x4CED31        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, missing uncompressed size
5041509       0x4CED65        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, missing uncompressed size
5041561       0x4CED99        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, missing uncompressed size
5041613       0x4CEDCD        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, missing uncompressed size
5041665       0x4CEE01        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, missing uncompressed size
5041717       0x4CEE35        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, missing uncompressed size
5041769       0x4CEE69        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, missing uncompressed size
5043485       0x4CF51D        LZMA compressed data, properties: 0x5D, dictionary size: 131072 bytes, missing uncompressed size
5043537       0x4CF551        LZMA compressed data, properties: 0x5D, dictionary size: 131072 bytes, missing uncompressed size
5043589       0x4CF585        LZMA compressed data, properties: 0x5D, dictionary size: 131072 bytes, missing uncompressed size
5043641       0x4CF5B9        LZMA compressed data, properties: 0x5D, dictionary size: 131072 bytes, missing uncompressed size
5043693       0x4CF5ED        LZMA compressed data, properties: 0x5D, dictionary size: 131072 bytes, missing uncompressed size
5043745       0x4CF621        LZMA compressed data, properties: 0x5D, dictionary size: 131072 bytes, missing uncompressed size
5043797       0x4CF655        LZMA compressed data, properties: 0x5D, dictionary size: 131072 bytes, missing uncompressed size
5043849       0x4CF689        LZMA compressed data, properties: 0x5D, dictionary size: 131072 bytes, missing uncompressed size
5048035       0x4D06E3        LZMA compressed data, properties: 0xC0, dictionary size: 65536 bytes, uncompressed size: 131072 bytes
5048179       0x4D0773        LZMA compressed data, properties: 0xC0, dictionary size: 65536 bytes, uncompressed size: 131072 bytes
5049775       0x4D0DAF        LZMA compressed data, properties: 0xC0, dictionary size: 65536 bytes, uncompressed size: 131072 bytes
5088023       0x4DA317        HTML document header
5187125       0x4F2635        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, missing uncompressed size
5187185       0x4F2671        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, missing uncompressed size
5187225       0x4F2699        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, missing uncompressed size
5187265       0x4F26C1        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, missing uncompressed size
5187305       0x4F26E9        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, missing uncompressed size
5187345       0x4F2711        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, missing uncompressed size
5188365       0x4F2B0D        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, missing uncompressed size
5188425       0x4F2B49        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, missing uncompressed size
5188465       0x4F2B71        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, missing uncompressed size
5188505       0x4F2B99        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, missing uncompressed size
5188545       0x4F2BC1        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, missing uncompressed size
5188585       0x4F2BE9        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, missing uncompressed size
5238201       0x4FEDB9        LZMA compressed data, properties: 0x88, dictionary size: 65536 bytes, uncompressed size: 196608 bytes
5955583       0x5ADFFF        LZMA compressed data, properties: 0xC0, dictionary size: 16777216 bytes, uncompressed size: 256 bytes
5957567       0x5AE7BF        LZMA compressed data, properties: 0xC0, dictionary size: 65536 bytes, uncompressed size: 200 bytes
6024002       0x5BEB42        LZMA compressed data, properties: 0x5A, dictionary size: 16777216 bytes, uncompressed size: 65538 bytes
6081344       0x5CCB40        YAFFS filesystem
6194836       0x5E8694        ASCII cpio archive (SVR4 with no CRC), file name: "dev", file name length: "0x00000004", file size: "0x00000000"
6194952       0x5E8708        ASCII cpio archive (SVR4 with no CRC), file name: "dev/console", file name length: "0x0000000C", file size: "0x00000000"
6195076       0x5E8784        ASCII cpio archive (SVR4 with no CRC), file name: "root", file name length: "0x00000005", file size: "0x00000000"
6195192       0x5E87F8        ASCII cpio archive (SVR4 with no CRC), file name: "TRAILER!!!", file name length: "0x0000000B", file size: "0x00000000"
9219152       0x8CAC50        Linux kernel version "2.6.38.8 (pwdev@flexlm.od.atncorp.com) (gcc version 4.7.3 (Sourrp.com) (gcc version 4.7.3 (Sourcery CodeBench Lite 2013.05-24)"
9247780       0x8D1C24        gzip compressed data, maximum compression, from Unix, last modified: Thu Jul 23 12:50:08 2015
9340553       0x8E8689        LZMA compressed data, properties: 0x65, dictionary size: 8388608 bytes, uncompressed size: 1048576 bytes
9793604       0x957044        Ubiquiti partition header, header size: 56 bytes, name: "NAME=%s", base address: 0x00000000, data size: 1920298595 bytes
9841948       0x962D1C        xz compressed data
19017984      0x1223100       JPEG image data, JFIF standard 1.01
19018014      0x122311E       TIFF image data, big-endian
19044608      0x1229900       JPEG image data, JFIF standard 1.01
19077376      0x1231900       JPEG image data, JFIF standard 1.01
19077406      0x123191E       TIFF image data, big-endian
19112192      0x123A100       JPEG image data, JFIF standard 1.01
19126528      0x123D900       JPEG image data, JFIF standard 1.02
19130624      0x123E900       JPEG image data, JFIF standard 1.02
19132672      0x123F100       JPEG image data, JFIF standard 1.02
19173396      0x1249014       ISO 9660 CD-ROM filesystem data, version 3.0 volume name: "",
20089088      0x1328900       PNG image, 14 x 8, 8-bit/color RGBA, non-interlaced
20090064      0x1328CD0       Zlib compressed data, best compression, uncompressed size >= 456
20091136      0x1329100       PNG image, 71 x 58, 8-bit/color RGBA, non-interlaced
20092112      0x13294D0       Zlib compressed data, best compression, uncompressed size >= 16530
20097280      0x132A900       PNG image, 13 x 13, 8-bit/color RGBA, non-interlaced
20098256      0x132ACD0       Zlib compressed data, best compression, uncompressed size >= 689
20099328      0x132B100       PNG image, 41 x 49, 8-bit/color RGBA, non-interlaced
20100304      0x132B4D0       Zlib compressed data, best compression, uncompressed size >= 8085
20103424      0x132C100       PNG image, 16 x 13, 8-bit/color RGBA, non-interlaced
20104400      0x132C4D0       Zlib compressed data, best compression, uncompressed size >= 845
20105472      0x132C900       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
20106448      0x132CCD0       Zlib compressed data, best compression, uncompressed size >= 1040
20107520      0x132D100       PNG image, 20 x 28, 8-bit/color RGBA, non-interlaced
20108496      0x132D4D0       Zlib compressed data, best compression, uncompressed size >= 2268
20109568      0x132D900       PNG image, 46 x 52, 8-bit/color RGBA, non-interlaced
20110544      0x132DCD0       Zlib compressed data, best compression, uncompressed size >= 9620
20113664      0x132E900       PNG image, 46 x 52, 8-bit/color RGBA, non-interlaced
20114640      0x132ECD0       Zlib compressed data, best compression, uncompressed size >= 9620
20117760      0x132F900       JPEG image data, JFIF standard 1.01
22536469      0x157E115       Copyright string: " 2014 Brightcove, Inc. https://github.com/videojs/video.js/blobgithub.com/videojs/video.js/blob/master/LICENSE */ "
22608136      0x158F908       Zlib compressed data, best compression, uncompressed size >= 35480
22663424      0x159D100       XML document, version: "1.0"
22685952      0x15A2900       PNG image, 14 x 8, 8-bit/color RGBA, non-interlaced
22686928      0x15A2CD0       Zlib compressed data, best compression, uncompressed size >= 456
22688000      0x15A3100       PNG image, 71 x 58, 8-bit/color RGBA, non-interlaced
22688976      0x15A34D0       Zlib compressed data, best compression, uncompressed size >= 16530
22694144      0x15A4900       JPEG image data, EXIF standard
22694156      0x15A490C       TIFF image data, little-endian
22712576      0x15A9100       PNG image, 13 x 13, 8-bit/color RGBA, non-interlaced
22713552      0x15A94D0       Zlib compressed data, best compression, uncompressed size >= 689
22714624      0x15A9900       PNG image, 16 x 13, 8-bit/color RGBA, non-interlaced
22715600      0x15A9CD0       Zlib compressed data, best compression, uncompressed size >= 845
22716672      0x15AA100       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
22717648      0x15AA4D0       Zlib compressed data, best compression, uncompressed size >= 1040
22718720      0x15AA900       PNG image, 46 x 52, 8-bit/color RGBA, non-interlaced
22719688      0x15AACC8       Zlib compressed data, best compression, uncompressed size >= 9620
22722816      0x15AB900       PNG image, 46 x 52, 8-bit/color RGBA, non-interlaced
22723792      0x15ABCD0       Zlib compressed data, best compression, uncompressed size >= 9620
23489964      0x1666DAC       LZMA compressed data, properties: 0x5D, dictionary size: 1048576 bytes, missing uncompressed size
23490576      0x1667010       LZMA compressed data, properties: 0x5D, dictionary size: 1048576 bytes, missing uncompressed size
23896808      0x16CA2E8       LZMA compressed data, properties: 0x5D, dictionary size: 262144 bytes, missing uncompressed size
25381344      0x18349E0       LZMA compressed data, properties: 0x5D, dictionary size: 1048576 bytes, missing uncompressed size
28759000      0x1B6D3D8       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
28777000      0x1B71A28       LZMA compressed data, properties: 0xD8, dictionary size: 16777216 bytes, uncompressed size: 50331648 bytes
28777480      0x1B71C08       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
29170188      0x1BD1A0C       LZMA compressed data, properties: 0x5D, dictionary size: 2097152 bytes, missing uncompressed size
29429148      0x1C10D9C       LZMA compressed data, properties: 0x76, dictionary size: 16777216 bytes, uncompressed size: 100663296 bytes
29429628      0x1C10F7C       LZMA compressed data, properties: 0xD8, dictionary size: 16777216 bytes, uncompressed size: 50331648 bytes
29430112      0x1C11160       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
29507717      0x1C24085       Copyright string: " (C) 2006 Free Software Foundation, Inc.ion, Inc."
29523536      0x1C27E50       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
29564840      0x1C31FA8       LZMA compressed data, properties: 0xD8, dictionary size: 16777216 bytes, uncompressed size: 50331648 bytes
29565328      0x1C32190       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
29684308      0x1C4F254       ELF 32-bit LSB MathCoPro/FPU/MAU Required (SYSV)
29684324      0x1C4F264       ELF 32-bit LSB no machine, version 1 (GNU/Linux)
29684352      0x1C4F280       ELF 32-bit LSB no machine,
29707072      0x1C54B40       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
29722040      0x1C585B8       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
29735928      0x1C5BBF8       LZMA compressed data, properties: 0xD8, dictionary size: 16777216 bytes, uncompressed size: 50331648 bytes
29736408      0x1C5BDD8       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
29763752      0x1C628A8       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
29856752      0x1C793F0       LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, missing uncompressed size
29864176      0x1C7B0F0       LZMA compressed data, properties: 0x63, dictionary size: 16777216 bytes, uncompressed size: 2097152 bytes
29876272      0x1C7E030       ELF 32-bit LSB relocatable, ARM, version 1 (SYSV)
29880392      0x1C7F048       LZMA compressed data, properties: 0x6D, dictionary size: 16777216 bytes, uncompressed size: 2097152 bytes
29884536      0x1C80078       LZMA compressed data, properties: 0x6D, dictionary size: 33554432 bytes, uncompressed size: 2097152 bytes
30013084      0x1C9F69C       LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 33554432 bytes
30013204      0x1C9F714       LZMA compressed data, properties: 0x8B, dictionary size: 16777216 bytes, uncompressed size: 33554432 bytes
30013284      0x1C9F764       LZMA compressed data, properties: 0x99, dictionary size: 16777216 bytes, uncompressed size: 33554432 bytes
30013444      0x1C9F804       LZMA compressed data, properties: 0xB7, dictionary size: 16777216 bytes, uncompressed size: 50331648 bytes
30013524      0x1C9F854       LZMA compressed data, properties: 0xBD, dictionary size: 16777216 bytes, uncompressed size: 50331648 bytes
30052808      0x1CA91C8       ELF 32-bit LSB relocatable, ARM, version 1 (SYSV)
30211112      0x1CCFC28       LZMA compressed data, properties: 0x5A, dictionary size: 16777216 bytes, uncompressed size: 33554432 bytes
30211312      0x1CCFCF0       LZMA compressed data, properties: 0x90, dictionary size: 16777216 bytes, uncompressed size: 33554432 bytes
30211632      0x1CCFE30       LZMA compressed data, properties: 0xC6, dictionary size: 16777216 bytes, uncompressed size: 50331648 bytes
30212285      0x1CD00BD       LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, missing uncompressed size
30263888      0x1CDCA50       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
30402456      0x1CFE798       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
30428768      0x1D04E60       LZMA compressed data, properties: 0xD8, dictionary size: 16777216 bytes, uncompressed size: 50331648 bytes
30429256      0x1D05048       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
30464952      0x1D0DBB8       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
30470649      0x1D0F1F9       LZMA compressed data, properties: 0x5D, dictionary size: 2097152 bytes, missing uncompressed size
30545472      0x1D21640       LZMA compressed data, properties: 0xD8, dictionary size: 16777216 bytes, uncompressed size: 50331648 bytes
30545952      0x1D21820       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
30940428      0x1D81D0C       LZMA compressed data, properties: 0x5D, dictionary size: 2097152 bytes, missing uncompressed size
31714269      0x1E3EBDD       BLCR context data (big endian, version 0)
31748089      0x1E46FF9       Copyright string: " (C) 2012 Free Software Foundation, Inc.ion, Inc."
31844312      0x1E5E7D8       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
31895789      0x1E6B0ED       LZMA compressed data, properties: 0xBF, dictionary size: 16777216 bytes, uncompressed size: 262144 bytes
31895812      0x1E6B104       LZMA compressed data, properties: 0xD8, dictionary size: 16777216 bytes, uncompressed size: 50331648 bytes
31908808      0x1E6E3C8       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
31983144      0x1E80628       HTML document header
31984128      0x1E80A00       HTML document footer
32057806      0x1E929CE       HTML document header
32083768      0x1E98F38       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
32124440      0x1EA2E18       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
32235464      0x1EBDFC8       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
32242483      0x1EBFB33       mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
32631932      0x1F1EC7C       LZMA compressed data, properties: 0x5D, dictionary size: 2097152 bytes, missing uncompressed size
33019440      0x1F7D630       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
33023568      0x1F7E650       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
33418364      0x1FDEC7C       LZMA compressed data, properties: 0x5D, dictionary size: 2097152 bytes, missing uncompressed size
34044154      0x20778FA       Unix home path string: "/home/pwdev/norman/obsidian/boss_sdk/buildroot/../host.oem/usr/"
34244612      0x20A8804       LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, missing uncompressed size
34284461      0x20B23AD       LZMA compressed data, properties: 0x5D, dictionary size: 131072 bytes, missing uncompressed size
34285992      0x20B29A8       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
34296568      0x20B52F8       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
34321184      0x20BB320       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
34445552      0x20D98F0       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
34508319      0x20E8E1F       Copyright string: " 1995-2010 Jean-loup Gailly and Mark Adler Mark Adler "
34523440      0x20EC930       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
34555021      0x20F448D       LZMA compressed data, properties: 0x5D, dictionary size: 524288 bytes, missing uncompressed size
34555896      0x20F47F8       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
34573848      0x20F8E18       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
34610304      0x2101C80       ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
34894520      0x21472B8       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
34904112      0x2149830       HTML document header
34904951      0x2149B77       HTML document footer
34916656      0x214C930       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
34925612      0x214EC2C       LZMA compressed data, properties: 0xB7, dictionary size: 16777216 bytes, uncompressed size: 50331648 bytes
34927688      0x214F448       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
35056390      0x216EB06       Copyright string: " (c) 2000-2011 Simon KelleyyZDNLERKzowefnbvhdkqr:m:p:c:l:s:i:t:u:g:a:x:S:C:A:T:H:Q:I:B:F:G"
35077640      0x2173E08       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
35474076      0x21D4A9C       LZMA compressed data, properties: 0x5D, dictionary size: 2097152 bytes, missing uncompressed size
35524137      0x21E0E29       Copyright string: " (C) 2001-2011 Alvaro Lopez Ortega.ega."
35572283      0x21ECA3B       HTML document header
35572352      0x21ECA80       HTML document footer
35575060      0x21ED514       Unix home path string: "/home/pwdev/norman/obsidian/boss_sdk/buildroot/../host.oem/usr/"
35575256      0x21ED5D8       Unix home path string: "/home/pwdev/norman/obsidian/boss_sdk/buildroot/../host.oem/usr/"
35587045      0x21F03E5       GIF image data, version "89a", 1 x 1
35587245      0x21F04AD       PNG image, 91 x 103, 8-bit/color RGBA, non-interlaced
35595323      0x21F243B       HTML document header
35601299      0x21F3B93       Copyright string: " (C) 2001 - 2011 <a href="http://www.alobbs.com/">Alvaro Lopez //www.alobbs.com/">Alvaro Lopez Ortega</a> <alvaro@alobbs.co"
35602089      0x21F3EA9       HTML document footer
35615477      0x21F72F5       HTML document header
35616562      0x21F7732       HTML document footer
35628272      0x21FA4F0       gzip compressed data, from Unix, NULL date: Thu Jan  1 01:00:00 1970
35638480      0x21FCCD0       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
35639352      0x21FD038       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
35640256      0x21FD3C0       PNG image, 16 x 16, 8-bit gray+alpha, non-interlaced
35640888      0x21FD638       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
35641968      0x21FDA70       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
35642816      0x21FDDC0       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
35643992      0x21FE258       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
35645024      0x21FE660       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
35645984      0x21FEA20       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
35646896      0x21FEDB0       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
35647696      0x21FF0D0       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
35648528      0x21FF410       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
35648992      0x21FF5E0       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
35649872      0x21FF950       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
35650824      0x21FFD08       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
35651760      0x22000B0       PNG image, 16 x 16, 8-bit gray+alpha, non-interlaced
35652432      0x2200350       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
35653312      0x22006C0       PNG image, 424 x 214, 8-bit/color RGBA, non-interlaced
35653422      0x220072E       Zlib compressed data, compressed, uncompressed size >= 163840
35727488      0x2212880       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
35728312      0x2212BB8       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
35729192      0x2212F28       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
35730208      0x2213320       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
35731136      0x22136C0       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
35732088      0x2213A78       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
35732896      0x2213DA0       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
35734032      0x2214210       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
35734896      0x2214570       PNG image, 16 x 16, 8-bit gray+alpha, non-interlaced
35735472      0x22147B0       PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
35736878      0x2214D2E       HTML document header
35738729      0x2215469       HTML document footer
35739696      0x2215830       Executable script, shebang: "/bin/sh"
36171552      0x227EF20       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
36475686      0x22C9326       Copyright string: " (c) 2002-2010, Jouni Malinen <j@w1.fi> and contributorsj@w1.fi> and contributors"
36493736      0x22CD9A8       LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, missing uncompressed size
36560802      0x22DDFA2       XML document, version: "1.0"
36563394      0x22DE9C2       XML document, version: "1.0"
36566949      0x22DF7A5       XML document, version: "1.0"
36567984      0x22DFBB0       XML document, version: "1.0"
36568236      0x22DFCAC       LZMA compressed data, properties: 0x5D, dictionary size: 2097152 bytes, missing uncompressed size
36584784      0x22E3D50       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
36605168      0x22E8CF0       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
36768896      0x2310C80       LZMA compressed data, properties: 0xB7, dictionary size: 16777216 bytes, uncompressed size: 50331648 bytes
36769456      0x2310EB0       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
36798227      0x2317F13       Copyright string: " (c) 2004-2011, Jouni Malinen <j@w1.fi> and contributorsj@w1.fi> and contributors"
36823096      0x231E038       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
36836615      0x2321507       Copyright string: " (c) 2004-2010, Jouni Malinen <j@w1.fi> and contributorsj@w1.fi> and contributors"
36846232      0x2323A98       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
37240172      0x2383D6C       LZMA compressed data, properties: 0x5D, dictionary size: 2097152 bytes, missing uncompressed size
37435016      0x23B3688       LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, missing uncompressed size
37478311      0x23BDFA7       Copyright string: " (c) 2003-2011, Jouni Malinen <j@w1.fi> and contributorsj@w1.fi> and contributors"
37501256      0x23C3948       ELF 32-bit LSB relocatable, ARM, version 1 (SYSV)
37802408      0x240D1A8       LZMA compressed data, properties: 0x89, dictionary size: 16777216 bytes, uncompressed size: 33554432 bytes
37893128      0x2423408       Executable script, shebang: "/bin/sh"
37896705      0x2424201       HTML document header
37896838      0x2424286       HTML document footer
37897120      0x24243A0       Executable script, shebang: "/bin/sh"
37898448      0x24248D0       Executable script, shebang: "/bin/sh"
37901056      0x2425300       Executable script, shebang: "/bin/sh"
37901976      0x2425698       Executable script, shebang: "/bin/sh"
37904744      0x2426168       Executable script, shebang: "/bin/sh"
37907320      0x2426B78       Executable script, shebang: "/bin/sh"
37908240      0x2426F10       Executable script, shebang: "/bin/sh"
37909496      0x24273F8       Executable script, shebang: "/bin/sh"
37910007      0x24275F7       Copyright string: " (C) 2013, Ambarella Inc."
37916984      0x2429138       Executable script, shebang: "/bin/sh"
37918240      0x2429620       Executable script, shebang: "/bin/sh"
37920160      0x2429DA0       Executable script, shebang: "/bin/sh"
37938440      0x242E508       Executable script, shebang: "/bin/sh"
37939016      0x242E748       Executable script, shebang: "/bin/sh"
37940176      0x242EBD0       Executable script, shebang: "/bin/sh"
37940720      0x242EDF0       Executable script, shebang: "/bin/sh"
37942000      0x242F2F0       Executable script, shebang: "/bin/sh"
37942896      0x242F670       Executable script, shebang: "/bin/sh"
37943296      0x242F800       Executable script, shebang: "/bin/sh"
37943728      0x242F9B0       Executable script, shebang: "/bin/sh"
37946056      0x24302C8       Executable script, shebang: "/bin/sh"
37954960      0x2432590       Executable script, shebang: "/bin/sh"
37958712      0x2433438       Executable script, shebang: "/bin/sh"
37959840      0x24338A0       HTML document header
37960060      0x243397C       HTML document footer
37960344      0x2433A98       Executable script, shebang: "/bin/sh"
37963840      0x2434840       Executable script, shebang: "/bin/sh"
38784597      0x24FCE55       LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, missing uncompressed size
39001936      0x2531F50       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
39022784      0x25370C0       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
39029432      0x2538AB8       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
39054832      0x253EDF0       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
39076720      0x2544370       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
39099888      0x2549DF0       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
39104720      0x254B0D0       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
39214448      0x2565D70       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
39350776      0x25871F8       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
39382344      0x258ED48       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
39435224      0x259BBD8       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
39485832      0x25A8188       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
39516888      0x25AFAD8       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
39534696      0x25B4068       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
39584680      0x25C03A8       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
39591328      0x25C1DA0       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
39600656      0x25C4210       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
39626105      0x25CA579       Copyright string: " (C) 2005-2011 by Zack T Smith."
39645424      0x25CF0F0       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
39652691      0x25D0D53       mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
39996395      0x2624BEB       OpenSSL encryption, salted, salt: 0x2D252D32357300
40021949      0x262AFBD       HTML document header
40022179      0x262B0A3       HTML document footer
40040876      0x262F9AC       LZMA compressed data, properties: 0x5D, dictionary size: 2097152 bytes, missing uncompressed size
40070367      0x2636CDF       Private key in DER format (PKCS#8),
40070685      0x2636E1D       Private key in DER format (PKCS#8),
40071293      0x263707D       Private key in DER format (PKCS#8),
40072484      0x2637524       Private key in DER format (PKCS#8),
40082304      0x2639B80       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
40304648      0x2670008       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
40319424      0x26739C0       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
40350048      0x267B160       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
40357944      0x267D038       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
40395507      0x26862F3       Copyright string: " (C) 2001 Erik Andersen <andersen@codepoet.org>en@codepoet.org>"
40409610      0x2689A0A       Unix home path string: "/home/ftp:/bin/sh"
40409742      0x2689A8E       Unix home path string: "/home/default:/bin/sh"
40411767      0x268A277       mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
40411855      0x268A2CF       mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
40412031      0x268A37F       mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
40412104      0x268A3C8       Executable script, shebang: "/bin/sh"
40412576      0x268A5A0       Executable script, shebang: "/bin/sh"
40414224      0x268AC10       Executable script, shebang: "/bin/sh"
40414760      0x268AE28       Executable script, shebang: "/bin/sh"
40417032      0x268B708       Executable script, shebang: "/bin/sh"
40418272      0x268BBE0       Executable script, shebang: "/bin/sh"
40421680      0x268C930       Executable script, shebang: "/bin/sh"
40426512      0x268DC10       Executable script, shebang: "/bin/sh"
40426896      0x268DD90       Executable script, shebang: "/bin/sh"
40427320      0x268DF38       Executable script, shebang: "/bin/sh"
40432816      0x268F4B0       Executable script, shebang: "/bin/sh"
40433208      0x268F638       Executable script, shebang: "/usr/bin/perl"
40439208      0x2690DA8       Executable script, shebang: "/bin/sh"
40439600      0x2690F30       Executable script, shebang: "/usr/bin/perl -w"
40439670      0x2690F76       Copyright string: " (c) 2002 The OpenTSA Project. All rights reserved. All rights reserved."
40482544      0x269B6F0       ELF 32-bit LSB executable, ARM, version 1 (SYSV)
40877036      0x26FBBEC       LZMA compressed data, properties: 0x5D, dictionary size: 2097152 bytes, missing uncompressed size
41039140      0x2723524       Zip multi-volume archive data, at least PKZIP v2.50 to extract
41312096      0x2765F60       CramFS filesystem, little endian size 950912 version #2 hole_support CRC 0x62656572, edition 950934, 0 blocks, 873122 files


Scan Time:     2015-10-23 13:37:14
Target File:   _xsight1.8.07.343.bin.extracted/8D1C24
MD5 Checksum:  21b60e42a19e6cdab004f7915287d54a
Signatures:    285

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
17132         0x42EC          MPFS (Microchip) filesystem, version 61.121, 17162 file entries
17150         0x42FE          MPFS (Microchip) filesystem, version 95.77, 21839 file entries
26473         0x6769          MPFS (Microchip) filesystem, version 61.121, 8970 file entries
26490         0x677A          MPFS (Microchip) filesystem, version 95.80, 21327 file entries
```
Sadly, this turned up blank, as all the firmware reversing tutorials (1,2,3,4,5) I had found on the net dealt with firmware quite different from this.
I decided to check the firmware for strings. This is usually the first thing I do when performing tasks like this, but given the size (~40MB) of the firmware files I expected it to be a time-consuming process. This was confirmed when I realised that running strings against the firmware produced over 100,000 results:
```
root@kali:~/Desktop/xSightFirmware# strings -8 xsight1.8.07.343.bin | tee strings.343.txt | wc -l
117281
```
Looking into my strings.343.txt file allowed me to narrow down my search further:
```
root@kali:~/Desktop/xSightFirmware# grep "init.d" strings.343.txt
Warning, call load_dsp_init_data too early.
pdm_init_diskmanager failed
callback app, pwr_beep_init_done
callback app, aenc_init_done
callback app, adec_init_done
HLS did not inited!
t dspinfo dsp_info - dsp init data
streaming_api is not inited
%s: streaming_api is not inited
amba_streaming Already inited!
UVC Already inited!
uvc_api is not inited
%s: uvc_api is not inited
AMBA Network IO stream was inited before
AMBA LNX FIO stream was inited before
Example Network IO stream was already inited
%s: example_network_stream is NOT inited. status:%d
AMP_init_de_params
img_init_de_params_multi : Wrong type!!!
AMBA_YUVIMG: yuv_init_device() fail
sync_dsp_init_data() fail
========== sync dsp_init_data ===========
Warning, call init_dsp_cmd_msg_param too early.
AMBA Avimux was inited before
AMBA Null IO stream was inited before
AMBA Dummymux was inited before
AMBA Custommux was inited before
AMBA isodemux fmt was inited before
AMBA tsmux was inited before, maybe avchd already init
%s: AMBA movmux was inited before..
%s: AMBA mp4mux was inited before..
%s: AMBA m4amux was inited before..
%s: AMBA msmp4mux was inited before..
%s: AMBA 3gpmux was inited before..
boss: initrd = %08x, %08x
AMBA img sensor2 has been inited.
aini_chksta_all_init_done
aini_chksta_enc_init_done
aini_chksta_dec_init_done
aini_chksta_infra_init_done
init_date_sort_file
noinitrd
retain_initrd
keepinitrd
<2>initrd overwritten (0x%08lx < 0x%08lx) - disabling it.
/initrd.image
<5>Trying to move old root to /initrd ...
/root/initrd
/initrd does not exist. Ignored.
/initrd.image
<6>rootfs image is not initramfs (%s); looks like an initrd
/initrd.image
ambarella_init_dma
tty_init_dev
<3>INITRD: 0x%08lx+0x%08lx overlaps in-use memory region - disabling initrd
<6>tty_init_dev: ldisc open failed, clearing slot %d
sock_init_data
init_dummy_netdev
xdr_init_decode
FIXME: unsafe to do th1_stack_check_init during th2 mode transitiono
FIXME: unsafe to do th1_stack_check_init during th3 mode transitiono
still_rm_init_dma-reg() START
still_rm_init_dma-reg() END
still_rm_init_dyn_smem. END w=%d
still_rm_init_dyn_smem(): STILL_SMEM_COMMON_ALL: base=0x%x, size=%d
still_rm_init_dyn_smem(): STILL_SMEM_COMMON_1 base=0x%x, size=%d
still_rm_init_dyn_smem(): extended STILL_SMEM_COMMON_1 and size_extra=%d
still_rm_init_dyn_smem. STILL_SMEM_COMMON_1 usage=%d
still_rm_init_dyn_smem. START w=%d
still_mctf_init_dma: START >>> cmd_seq=%d smem_index_base=0x%x, dram_index_base=0x%x
still_mctf_init_dma: END <<<
TH%d MEMD memd_hl_init_dma: end at , %d
TH%d MEMD memd_hl_init_dma: start at , %d
init_dpb() rd %d, wr %d
init_dummy_netdev
Not inited yet!
ar6000_dbglog_init_done
elif [ -e /etc/init.d/S51hibernation ]; then
main: Exam_framer inited!
main: AmbaStream inited!
Not inited yet!
already inited...
# Note: BusyBox init doesn't support runlevels. The runlevels field is
ttyS1::sysinit:/etc/init.d/rcS
# Start all init scripts in /etc/init.d
for i in /etc/init.d/S??* ;do
/etc/init.d/rcS
```
This didn’t really help me identify what’s running on the device, so I decided to actually start physically connecting to it.
The device has the option to act as a wireless hotspot, which you then connect your phone to in order to remotely view the screen using the provided ATN Obsidian application. This application allows you to configure the settings of the device and view the stored photos and videos (did I not mention this scope allows you to record your hunting activities?).
Rather than connect my iPhone to the sight, I instead connected my laptop so that I could see what services were visible on the device. I was expecting to see SSH, HTTPS and some form of streaming service for the video. What I actually found was telnet, HTTP and some other clear-text services.
```
Nmap scan report for 192.168.42.1
Host is up (0.012s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE VERSION
23/tcp   open  telnet  BusyBox telnetd
53/tcp   open  domain  dnsmasq 2.59
| dns-nsid:
|_  bind.version: dnsmasq-2.59
80/tcp   open  http    Cherokee httpd 1.2.101b150723_
|_http-server-header: Cherokee/1.2.101b150723_ (UNIX)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
554/tcp  open  rtsp?
|_rtsp-methods: OPTIONS, DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, GET_PARAMETER, SET_PARAMETER
7878/tcp open  unknown
8787/tcp open  unknown
MAC Address: 34:28:F0:XX:XX:XX (ATN International Limited)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.38 - 3.0
Network Distance: 1 hop
Service Info: Host: buildroot; OS: Unix

Nmap scan report for 192.168.42.1
Host is up (0.013s latency).
Scanned at 2015-10-23 14:18:47 BST for 1091s
Not shown: 998 closed ports
PORT   STATE         SERVICE
53/udp open          domain
67/udp open|filtered dhcps
MAC Address: 34:28:F0:XX:XX:XX (ATN International Limited)
```
I connected to the web service being provided by the Cherokee HTTP daemon on TCP port 80. This just appeared to be a listing of the memory card contents and a few other (possibly symlinked) directories.
I wanted to see if I could identify the URL for the RTSP service running on TCP port 554. Nmap has an NSE script that can do this; sadly, it didn’t come up trumps:
```
Nmap scan report for 192.168.42.1
Host is up (0.0054s latency).
PORT    STATE SERVICE
554/tcp open  rtsp
| rtsp-url-brute:
|   An error occurred while testing the following URLs
|_    rtsp://192.168.42.1/cam1/h264
```
The telnet service presented a login prompt, so I thought it was worth looking through the firmware to see if I could identify the password. I proceeded to look for the root password hash in order to brute force it and gain access via the telnet service.
```
 1  root@kali:~/Desktop/xSightFirmware# grep "root:" strings.343.txt
 2  nfs_get_root: getattr error = %d
 3  nfs_get_root: get root inode failed
 4  nfs_get_root: get root dentry failed
 5  <5>UBIFS: reserved for root: %llu bytes (%llu KiB)
 6  cannot chdir to filesystem root: %s
 7  chroot: 'Chroot jail', document_root: %s
 8  root:x:0:
 9  root::10933:0:99999:7:::
10  root:x:0:0:root:/root:/bin/sh
11  null root:root 666 @chmod 666 $MDEV
12  zero root:root 666
13  full root:root 666
14  random root:root 444
15  urandom root:root 444
16  hwrandom root:root 444
17  grsec root:root 660
18  kmem root:root 640
19  mem root:root 640
20  port root:root 640
21  console root:tty 600 @chmod 600 $MDEV
22  ptmx root:tty 666
23  pty.* root:tty 660
24  tty root:tty 666
25  tty[0-9]* root:tty 660
26  vcsa*[0-9]* root:tty 660
27  ttyS[0-9]* root:root 660
28  pcm.* root:audio 660 =snd/
29  control.* root:audio 660 =snd/
30  midi.* root:audio 660 =snd/
31  seq root:audio 660 =snd/
32  timer root:audio 660 =snd/
33  event[0-9]+ root:root 640 =input/
34  mice root:root 640 =input/
35  mouse[0-9] root:root 640 =input/
36  
```
Well, blimey, the password hash field is blank (see lines 9, 10 and 11), surely there is a root password? Nope!
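The check a firmware build pipeline could run to catch exactly this: an added example (not from the post) that pulls /etc/shadow-shaped rows out of a strings dump and classifies each account's password field, flagging the empty ones. The sample input is constructed to mirror the listing above; the daemon and admin rows are invented.

```python
import re
from collections import namedtuple

# Constructed sample: a handful of lines of the kind `strings -8 firmware.bin | grep root:`
# brings up (shapes mirror the post's listing; the daemon and admin rows are invented).
SAMPLE_STRINGS = """\
nfs_get_root: getattr error = %d
root:x:0:
root::10933:0:99999:7:::
root:x:0:0:root:/root:/bin/sh
daemon:*:10933:0:99999:7:::
admin:$1$saltsalt$0123456789abcdefghijkl:10933:0:99999:7:::
null root:root 666 @chmod 666 $MDEV
"""

# /etc/shadow row: name:password:lastchange:min:max:warn:inactive:expire:reserved
SHADOW_RE = re.compile(r"^([a-z_][a-z0-9_-]*):([^:\s]*):(\d*):(\d*):(\d*):(\d*):(\d*):(\d*):([^:]*)$")
Finding = namedtuple("Finding", "user state detail")

def classify_password_field(field):
    """Empty field = login without a password; '*'/'!' = locked; '$id$...' = hashed."""
    if field == "":
        return "empty", "no password set; the account authenticates without one"
    if field[0] in "*!":
        return "locked", "password login disabled"
    m = re.match(r"^\$(\w+)\$", field)
    algos = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}
    algo = algos.get(m.group(1), "unknown") if m else "descrypt"
    return "hashed", f"password hash present ({algo})"

def audit_shadow_entries(text):
    """Pick /etc/shadow-shaped rows out of a strings dump and classify each account."""
    findings = []
    for line in text.splitlines():
        m = SHADOW_RE.match(line.strip())
        if m:
            state, detail = classify_password_field(m.group(2))
            findings.append(Finding(m.group(1), state, detail))
    return findings

def empty_password_accounts(text):
    """Accounts a firmware build should never ship: shadow rows with an empty password."""
    return [f.user for f in audit_shadow_entries(text) if f.state == "empty"]

if __name__ == "__main__":
    for f in audit_shadow_entries(SAMPLE_STRINGS):
        print(f"{f.user:8} {f.state:7} {f.detail}")
```

Passwd-style rows such as root:x:0:0:root:/root:/bin/sh are deliberately ignored, since on this image the credential lives in the shadow row.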
```
phillips321@Macbook ~> telnet 192.168.42.1
Trying 192.168.42.1...
Connected to 192.168.42.1.
Escape character is '^]'.

buildroot login: root
~ # netstat -lnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:7878            0.0.0.0:*               LISTEN      725/network_message
tcp        0      0 0.0.0.0:554             0.0.0.0:*               LISTEN      756/AmbaOnDemandRTS
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      735/cherokee-worker
tcp        0      0 0.0.0.0:8787            0.0.0.0:*               LISTEN      725/network_message
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      971/dnsmasq
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      687/telnetd
netstat: /proc/net/tcp6: No such file or directory
udp        0      0 0.0.0.0:53              0.0.0.0:*                           971/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           971/dnsmasq
udp        0      0 0.0.0.0:7877            0.0.0.0:*                           725/network_message
netstat: /proc/net/udp6: No such file or directory
netstat: /proc/net/raw6: No such file or directory
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
```
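Turning a listing like the one above into a hardening inventory: an added example (not from the post) that parses BusyBox netstat -lnp rows, reports the clear-text services bound on every interface (and so reachable from anything on the hotspot) and lists the unrecognised wildcard ports for review. The sample is constructed from the rows above; the 127.0.0.1:8080 row is invented to show a loopback-only listener being left alone.

```python
import re
from collections import namedtuple

# Constructed sample modelled on the busybox `netstat -lnp` listing in the post; the
# 127.0.0.1:8080 row is invented to show a loopback-only listener being left alone.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:7878            0.0.0.0:*               LISTEN      725/network_message
tcp        0      0 0.0.0.0:554             0.0.0.0:*               LISTEN      756/AmbaOnDemandRTS
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      735/cherokee-worker
tcp        0      0 0.0.0.0:8787            0.0.0.0:*               LISTEN      725/network_message
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      971/dnsmasq
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      687/telnetd
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      800/local_only
netstat: /proc/net/tcp6: No such file or directory
udp        0      0 0.0.0.0:53              0.0.0.0:*                           971/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           971/dnsmasq
udp        0      0 0.0.0.0:7877            0.0.0.0:*                           725/network_message
"""

# Protocols that carry logins or content unencrypted, keyed by (proto, port).
CLEARTEXT = {("tcp", 23): "telnet", ("tcp", 80): "http", ("tcp", 554): "rtsp"}
WILDCARD = {"0.0.0.0", "::", "*"}          # bound on every interface, hotspot included
Listener = namedtuple("Listener", "proto addr port program")

# proto recv-q send-q local:port foreign [LISTEN] pid/program
LINE_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\S+)\s*$")

def parse_netstat(text):
    """Keep the socket rows only; headers and 'netstat: /proc/...' errors are skipped."""
    rows = (LINE_RE.match(line) for line in text.splitlines())
    return [Listener(m.group(1), m.group(2), int(m.group(3)), m.group(4)) for m in rows if m]

def exposed_cleartext(listeners):
    """Clear-text services reachable on all interfaces: name -> listener."""
    return {CLEARTEXT[(s.proto, s.port)]: s for s in listeners
            if s.addr in WILDCARD and (s.proto, s.port) in CLEARTEXT}

def unreviewed_wildcard_ports(listeners):
    """Ports open to every interface with no recognised role, for manual review."""
    known = {port for _, port in CLEARTEXT} | {53, 67}     # dns, dhcp
    return sorted({s.port for s in listeners if s.addr in WILDCARD and s.port not in known})

if __name__ == "__main__":
    found = parse_netstat(SAMPLE_NETSTAT)
    for name, s in exposed_cleartext(found).items():
        print(f"{name:7} {s.proto}/{s.port} on {s.addr} ({s.program})")
    print("unreviewed wildcard ports:", unreviewed_wildcard_ports(found))
```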
OK, now that I had root access to the device I could start investigating the app. What I decided to do was monitor the communications coming to the device using tcpdump. As this is a cut-down OS running BusyBox, it was clear that tcpdump wasn’t present. A quick Google found me a precompiled tcpdump for Android (http://www.androidtcpdump.com). I downloaded this, uploaded it to the memory card and then navigated to the directory /var/www/DCIM/ in order to run it.
And this is where this post will end. But to give you a snippet, this is what I’ve got planned for part 2:
Further reading:
http://copter.sovgvd.info/a/Xiaomi-Yi-protocol-remote-control
https://www.blackhat.com/docs/us-15/materials/us-15-Sandvik-When-IoT-Attacks-Hacking-A-Linux-Powered-Rifle.pdf
http://www.hackseagatesatellite.com/wordpress/wp-content/uploads/2011/11/Basic-Mod-Step-1-SSH.pdf
https://www.defcon.org/images/defcon-21/dc-21-presentations/Manning-Lanier/DEFCON-21-Manning-Lanier-GoPro-or-GTFO-Updated.pdf