Jailbreaking the NeoTV (devttys0)

Today we'll be jailbreaking the Netgear NTV300 set top box with nothing but its TV remote.

Netgear's NeoTV set top boxes are designed to compete with the popular Roku, and can stream video from all the usual sources: Netflix, Hulu Plus, YouTube, etc. The NTV300 is one of the least expensive NeoTV models, and while a GPL release is available, it contains only copies of the various standard open source utilities used by the NTV300. All the interesting bits, such as Netflix streaming or the ability to build a custom firmware image, are not included.

Inside the NTV300 we find a Mediatek ARM SoC, a 128MB NAND flash chip and RAM:

[Figure: Inside the NTV300]

The four pin header in the top right corner of the PCB is a serial port, and while it provides access to the U-Boot boot loader, it does not provide a root shell. After the system boots, the console displays copious debug messages and allows for rudimentary control over the NTV300, but no shell. Various attempts to send BREAK and SIGINT signals have no effect; we'll have to dig a little deeper into this one.

Luckily, the firmware updates for the NTV300 can be analyzed directly. A binwalk scan of the firmware update image reveals a few firmware headers and two SquashFS images. In order of appearance, the scan identifies:

- two Mediatek bootloaders
- several blocks of LZMA compressed data and a JFFS2 filesystem (little endian)
- a uImage header: OS Linux, CPU ARM, image type OS Kernel Image, compression type none
- gzip compressed data (from Unix)
- a SquashFS filesystem, little endian, version 4
- a run of PNG images (RGBA, non-interlaced) and a second JFFS2 filesystem (little endian)
- a second SquashFS filesystem, little endian, version 4, followed by more PNG images (RGB, non-interlaced)

While the firmware update does not appear to contain a complete file system, most of the interesting stuff appears to be in the first SquashFS image. The /usr/local/bin/ntv binary is responsible for the NTV300's user interface, including the handling of user input from both the remote control and the serial console.

Although the ntv binary is stripped, its debug printfs reveal the original function names. A quick IDAPython script takes care of renaming most of these functions: it walks every cross-reference to printf, looks back for the LDR instructions that load the format string and its arguments into R0 through R3, pulls those strings with GetString, extracts the function name from them with a regular expression, renames the calling function with MakeName, and finally reports how many functions were renamed.

With functions properly named, reversing can begin in earnest, and the code in ntv turns out to be interesting. It looks like Netgear hired some Unix admins and told them to write an application in C; for example, here is how they re-implemented libc's stat function:

[Figure: How not to stat a file]

In fact, system and popen are used generously throughout the code. These are particularly interesting:

[Figure: System calls to iwpriv]
[Figure: Popen calls to iwpriv]
[Figure: System call to wpa_cli]

The SSID and encryption key values are used as part of system and popen calls. So where do the SSID and network key values come from? You guessed it, the user:

[Figure: User controlled data]

So what happens if we tell the NTV300 to connect to an SSID that contains a reboot command?

[Figure: Command injection via SSID]
[Figure: Connecting to reboot]
[Figure: Rebooting]

Sweet! Since we are already connected to the serial port, it would be nice if we could spawn a shell for ourselves on the serial terminal. Let's try:

[Figure: Connecting to /bin/sh]
[Figure: Shell successfully spawned on the serial terminal]

While this provides us with a minimalist shell, it is not very user friendly. There is no command echoing, and a ton of debug output is intermixed with the command output. Let's see if we can find an easier way to get a shell, preferably one that doesn't involve taking the device apart.

Examining the file system on the live device, there are plenty of files and directories that were not included in the firmware update file. Checking out some of the start up scripts, we find a juicy piece of code in /root/rc. Under a "WNC RD Manufacturing Mode" comment, it checks whether the /mnt/ubi/boot/mfgtest/enable file exists, and if so, it enables IP forwarding, writes a fixed Ethernet IP configuration (IP mode, address, subnet mask, gateway, primary and secondary DNS) to the network interface settings and syncs them, and fires up a telnet service ("WNC RD enable telnetd"); otherwise it continues in "WNC RD Normal mode" and goes on to start the XBMC event server if /usr/local/bin/xbeventd and /mnt/fifo are present.

However, the mfgtest directory doesn't exist at all on the production system:

[Figure: Directory listing of /mnt/ubi/boot]

But with the SSID command injection vulnerability, we can easily create it. The commands to create the file are too long to fit into the length-restricted SSID input field, so we'll echo them piecemeal into a shell script (cd /mnt/ubi/boot, mkdir mfgtest, cd mfgtest, echo > enable) and then execute that script with /bin/sh /tmp/a.

Finally, we power cycle the box. If successful, the NTV300's IP address should have been set statically by the /root/rc script. Let's check:

[Figure: Static IP settings]

We can now change the DHCP settings back to dynamic, connect the NTV300 to our network, and telnet in:

[Figure: Root telnet shell]

Rooted with nothing but the remote control it came with.
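The SSID-to-system() path described above, as an added illustration that is not code from the NTV300 firmware or from the original post: the shell-string construction that makes the injection possible, beside a fork/execv version that passes the SSID as a single argv element so no shell ever interprets it. The interface name ra0, the iwpriv argument syntax and the use of /bin/echo as a stand-in for iwpriv are assumptions made for the example.

```c
/*
 * Added example, not Netgear's code. "ra0", the "iwpriv ra0 set SSID=..."
 * syntax and /bin/echo as a stand-in for iwpriv are assumptions.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define SSID_MAX 32   /* an 802.11 SSID element carries 0..32 octets */

/* Vulnerable pattern (the shape the post found in the ntv binary): the SSID
 * is pasted into a shell command string destined for system()/popen().
 * Whatever the shell treats specially inside the SSID (';', '`', '$(..)',
 * '|') becomes part of the command line. This only builds the string, so
 * the effect can be inspected without running anything. */
int build_shell_command(const char *ssid, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "iwpriv ra0 set SSID=%s", ssid);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened pattern, step 1: bound the input to what an SSID can be. This is
 * a length check, deliberately not a metacharacter blocklist: SSIDs may
 * legitimately contain ';' or '$', so filtering them would break users while
 * leaving the real problem (the shell) in place. */
int ssid_length_ok(const char *ssid)
{
    size_t len = strlen(ssid);
    return len > 0 && len <= SSID_MAX;
}

/* Hardened pattern, step 2: build an argv in which the SSID is exactly one
 * argument. argbuf receives "SSID=<ssid>" and must outlive argv. */
int build_setter_argv(const char *ssid, char *argbuf, size_t arglen, char *argv[5])
{
    if (!ssid_length_ok(ssid))
        return -1;
    if (snprintf(argbuf, arglen, "SSID=%s", ssid) >= (int)arglen)
        return -1;
    argv[0] = "iwpriv";
    argv[1] = "ra0";
    argv[2] = "set";
    argv[3] = argbuf;
    argv[4] = NULL;
    return 0;
}

/* Hardened pattern, step 3: fork + execv. No /bin/sh is involved, so the
 * bytes in argv[3] reach the program untouched. Returns the child's exit
 * status, or -1 if fork, exec or wait failed. */
int run_argv(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(path, argv);
        _exit(127);                 /* only reached if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample input: an SSID carrying a trailing shell command. */
    const char *ssid = "home;reboot";
    char cmd[128], argbuf[64];
    char *argv[5];

    build_shell_command(ssid, cmd, sizeof cmd);
    printf("shell string : %s\n", cmd);          /* two commands for /bin/sh */

    if (build_setter_argv(ssid, argbuf, sizeof argbuf, argv) == 0) {
        printf("argv[3]      : %s\n", argv[3]);  /* one argument, no shell */
        /* /bin/echo stands in for iwpriv so the example runs anywhere: it
         * prints the arguments it received, showing the SSID arrives whole. */
        printf("exit status  : %d\n", run_argv("/bin/echo", argv));
    }
    return 0;
}
```

The fix is the combination of a length bound and argv construction, not a filter on shell metacharacters: the shell is what gives those characters meaning, and removing it from the path removes the problem for every character at once. Running the example shows the same SSID first as two commands for /bin/sh and then as one argument delivered intact to the child process.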