Difference between revisions of "Staples Connect Hub"
m (1 revision: Moving from DC22 to main site.) |
Revision as of 08:22, 17 August 2014
"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."
This page will be dedicated to a general overview, descriptions, and information related to the Staples Connect Hub.
Purchase
Purchase the Staples Connect Hub
UART Pinout
Exploitation
Utilizing a safeguard built into U-Boot, which is the bootloader running on the Staples Connect, we can modify the systems boot parameters, and execute our own code, or drop it to a root shell.
This works as during system bootup, the bootloader looks for environmental variables, stored on NAND flash. If it can not find these, it will execute defaults instead. The defaults feature a bootloader shell, which isn't disabled in the normal, saved environmental variables.
To ensure that the bootloader can not see the environmental variables at boot, timing is critical. By grounding out pin 29-30 while the system is booting (just at the right time), the box will boot, but fail to load the environmental variables, dropping us to a root shell. From here we can modify and resave the environmental variables, so that this process needs not be repeated.
- Boot system
- Count to 4
- Short pins 29-30 to ground
- Success: "Hit any key to stop autoboot"
- Fail: Hang / Crash / NAND not found.
It may take a few attempts to get this right, as timing is critical.
Run the commands below, boots to a root console.
setenv bootargs "console=ttyS0,115200 init=/bin/sh mem=256M mtdparts=orion_nand:1M(uboot),32M(em-rfs),4M(em-kern),5M(pd-kern),-(pd-rfs) ubi.mtd=4,512 root=ubi0:rootfs rootfstype=ubifs rootflags=sync" mw.b f1010140 0xFA; if nboot 0x600000 0 0x2500000; then mw.b f1010140 0xF5; bootm 0x600000; fi
SSH
Using the above to boot to a root console, edit /etc/rc.local, and add:
dropbear -d 222
Simply reboot, you can SSH on port 222 using the credentials below:
User: root Password: oemroot