Difference between revisions of "Staples Connect Hub​​"

From Exploitee.rs
Jump to navigationJump to search
 
 
(One intermediate revision by the same user not shown)
Line 47: Line 47:
User: root
User: root
Password: oemroot
Password: oemroot
==Root Demo==
{{#ev:youtube|gu8zcCV4u4k}}

Latest revision as of 04:29, 8 March 2015

"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."

Staples Connect Hub.jpg

This page will be dedicated to a general overview, descriptions, and information related to the Staples Connect Hub​​.

Purchase

Purchase the Staples Connect Hub

UART Pinout

Exploitation

Utilizing a safeguard built into U-Boot, which is the bootloader running on the Staples Connect, we can modify the systems boot parameters, and execute our own code, or drop it to a root shell.

This works as during system bootup, the bootloader looks for environmental variables, stored on NAND flash. If it can not find these, it will execute defaults instead. The defaults feature a bootloader shell, which isn't disabled in the normal, saved environmental variables.


To ensure that the bootloader can not see the environmental variables at boot, timing is critical. By grounding out pin 29-30 while the system is booting (just at the right time), the box will boot, but fail to load the environmental variables, dropping us to a root shell. From here we can modify and resave the environmental variables, so that this process needs not be repeated.

  • Boot system
  • Count to 4
  • Short pins 29-30 to ground
  • Success: "Hit any key to stop autoboot"
  • Fail: Hang / Crash / NAND not found.

It may take a few attempts to get this right, as timing is critical.

Run the commands below, boots to a root console. ​

setenv bootargs "console=ttyS0,115200 init=/bin/sh mem=256M mtdparts=orion_nand:1M(uboot),32M(em-rfs),4M(em-kern),5M(pd-kern),-(pd-rfs) ubi.mtd=4,512 root=ubi0:rootfs rootfstype=ubifs rootflags=sync"​
mw.b f1010140 0xFA; if nboot 0x600000 0 0x2500000; then mw.b f1010140 0xF5; bootm 0x600000; fi​

SSH

Using the above to boot to a root console, edit /etc/rc.local, and add:​

dropbear -d 222​

Simply reboot, you can SSH on port 222 using the credentials below:

User: root Password: oemroot

Root Demo