DEF CON 22 – Felix Leder – NinjaTV – Increasing Your Smart TV’s IQ Without Bricking It

So our next speaker is gonna be super cool, I'm looking forward to this, and we've got one more live demo. We are gonna learn about how to mess with your smart TV system, and I'm guessing probably make it do things that it was not intended to do originally, is that right? That is excellent. Great. Well, hopefully it does everything that it was intended for today, right? Yeah. All right, all right, ready to go? All right, well, let's give a big, big party track welcome to Felix and let's get this thing started.

Alright, um, is it on? We still gotta get the video set up, because I want to show you live how to exploit the system and so on, so I brought a box, but we have to switch to a video projector in between, so we are still working on it. All right, it lit up, here we go. OK, there is no sound. Well, this is how my story starts. Who actually knows what this is? Sorry, that is Tatort. That is a German TV series, it's a crime series, it's almost as old as Columbo, the only difference is that they are still producing episodes and it's still running. So for some German people it is a tradition that after the weekend is over, on Sunday evening at quarter past eight, you sit down, you turn on the first TV channel that was ever there and that's still there, and you watch the new episode. And since it's a tradition, it's also something that my wife and I like to do, and we moved to a different country a few years back and unfortunately we were not able to see this show anymore, and that's kind of sad, and that's the beginning of the story.

So, my name is Felix Leder and my passion is to take things apart and to put other things together that help to take things apart. Besides that I like to be out in the snow or in the water. And to explain to you a bit more what I mean by taking things apart: I like to hunt bugs and malware and collect them, I also like to research botnet takeovers and countermeasures, and I'm heavily involved in the Honeynet Project. During my day job I work on mobile threat research at a very nice company called Blue Coat, but the research I am presenting is not only my own work, you know, every research has some supporters, and in this case it's a group of people from a company called Enzymes and they helped me with this.

So the background of the story is that we had this box, a Western Digital TV Live Hub. I also have one on stage here and it's a really nice piece of hardware, basically it makes your dumb TV smart, and if you have a smart TV you get more services and more possibilities to do things. You see here the HDMI output, there are also two USB ports, it supports Wi-Fi, and you can attach a keyboard and stuff like this. But what's more interesting is, because at the moment it looks more like an Apple TV or something like that, it also has a 1 terabyte hard disk drive in there, and that's kind of neat, because then you can upload your movies, it's all on one device, you don't need extra storage like a NAS or something, so that's pretty convenient. The processor in there is a rather slow MIPS processor, but it's also not responsible for playing the video; actually the codecs are all in hardware on the system and they make sure that you can play the videos fast enough.

Back to the story. So this box already has all kinds of services on there which are quite nice, like YouTube and Spotify and stuff like this, and after we didn't have this TV show, you know, no Tatort (laughter) for a long time, my wife actually said: you know, you're constantly breaking stuff the whole time, why don't you for once do something useful with this and put my favourite show on this box. And you know, when your wife asks you something like this you better make sure you please her. Actually, I hope my wife is not here, because she would probably comment: well, what do you know about how to please me? Well, that's a different story. OK, all right, so let's get started.

Now, before we start: we are also planning to release the modifications that we have done to the firmware, so we need a disclaimer. This is for educational or research purposes only. If you do what we have done here and you brick your box, it's not our fault and we can't help people. Also, if you use any kind of DRM keys and so on on the box, it's not our fault. All right, so much for the disclaimer.

Um, first step, first attempt: we did an offline analysis of the disk that is in there, basically taking it out, plugging it into a PC, seeing what is on there. And it started very, very lucky: we found a private partition on there, but after a few minutes we found out there's actually nothing, nothing of relevance on that partition, just some offline storage for Spotify and the like, and besides that there is just the partition that holds all the data, all the videos that we upload and so on. So that was nothing, unfortunately. Bad try. Getting some pressure now from my wife for wasting time.

Second step: this box has an update mechanism, it automatically reaches out to Western Digital to check if there is a new firmware, and if there is, it asks whether you want to install it, and it does all of that automatically. You can even download the firmware manually if you go to their support page and see what is in the update. So once we downloaded all this we saw that there is a zip file, and in the zip file we have five different files, and two that look quite interesting: one is a bin file and one is called bi-something. They are around 150 megabytes and we wanted to see if we find something that we can recognize in there, and fortunately we did: there's a SquashFS filesystem in there, but it's at offset 32. So, I still need some people drinking with me tonight, so you'll get a beer if you can answer what the first 32 bytes may be. If you guess right. Any ideas what the first 32 bytes before the filesystem image are? A signature. Very good, who said it first? All right, come back to me later, beer, yeah. It turns out it's an MD5 signature of the whole image.

And so we started researching this a little more closely, how the images look, and actually what you see is you have two different images that compose the whole operating system on the device. It is a Linux system, in which one is the root filesystem, basically for everything from root downwards; it has an end signature including the size, and at the very beginning, like the gentleman just mentioned, there is the MD5 of the whole image. This MD5 is then also appended to the second image, which is usually mounted at /opt, and this again has another signature at the very front to make sure they all fit together and nothing's broken, and those two together basically make up the image. Now let's look into the content. It's a bit small, I know that, so I'll explain it. On the left side you see the main image, the root image, and it has the usual init system which initializes the whole device; it has a config file with some static config, and it has another file with md5sums (md5s in this presentation). It looks like Western Digital likes MD5. On the right side there's the opt folder, and there was one interesting folder called webserver which actually looked quite interesting.

So with this there was enough information to actually modify the box, but we were a bit hesitant about whether we should just modify the firmware and upload a new one, for the reason that we weren't sure if they didn't have more MD5 checks in there, and it looked like they had a lot, so we were a bit hesitant to modify the firmware and maybe just break that single device that we had. The other possibility was: let's go hunt for some vulnerabilities. Might take more time, but it's also more fun, right? OK.

So, vulnerability finding. The first thing was to look at the web server. Um, this thing has a web server. Let me also quickly switch to where we have Firefox. Here we have Firefox which is live on the box now, so you see that is the login, and the password is admin, by the way. Once you log in you get a remote control, but you can also change the password and so on, so that looked kind of promising. And luckily the PHP that is used to change all the configuration is not encoded, encrypted or anything, it's just there in plain, so that's always a good start. You know, starting from the web server: SQL injection, which was the first attempt, and as you can see there is a very nice SQL statement at the bottom which is composed of parameters right from the GET request, like entry ID, language ID and so on, and that is using SQLite. So this is the statement that would actually create an SQLite database that is at the same time an SQLite database and a valid PHP file. Does anybody here have experience with the PDO database driver? Anyone over here? What's the problem? Don't see it? PDO only allows one statement at a time, and we wanted to inject five statements here, so unfortunately it didn't work. And even if it had worked, we found out later that this part of the filesystem is actually read-only, so no chance at all. Bummer.

OK, further on the web server track: the next thing to try was remote file inclusion, and what we found is there's a remote file inclusion, or a file inclusion possibility, based on the language which is stored in the cookie. So let me switch back to the web server, and you will see there you have to enter a password, and down here you can select the language. All right, I have a cookie editor up here, and when we refresh it you can see there's a language ID of 3 in here. So we were thinking: OK, can we just modify this, adding a few dots, adding a few slashes. Did I press the right button? The screen's a bit remote. Yeah, I did. So as you can see, now we get an error message saying, oh, it didn't find the file so-and-so.php. And then we thought: all right, um, why not just add a file called home.php to the folder that we can access via SMB, then modify the cookie to point to that, and actually you can work out the path just by looking at the firmware. OK, I pressed the wrong button, sorry, the cookie editor is really small and it's hard to see the screen from here. All right. Wow, nice, now we got a PHP shell.

So those of you who have worked with PHP shells know that they are a pain in the ass, right? So the first thing you want to do is try to figure out if there's telnet on there, and actually telnet was on there, so we wanted to activate it and get onto the box. And I have to admit my background is usually not too much in embedded systems but more in the PC world, and usually once you own the web server the next thing you do is think about privilege escalation. All right, so um, same thing here: let's go and switch to the box, and in order to know from which account to escape or to get the privileges, first you figure out which account you are, and oh hey, we have root already. This was much easier than I expected, but you can also see my stupidity on the screen, because actually the PHP shell already tells you that you're root. All right, nice.

So this was only the start, because we were able to get root, but a lesson that I had to learn over the experience is: don't start with SQL injection, don't start with remote file inclusion, don't start with SQLite privilege escalation, stuff like this; look for the really low-hanging fruits. So looking at the image a little bit more, I found that actually the guys from Western Digital had put a symlink from the web server root directory right onto the disk, so it was not even necessary to upload or to try to exploit the system, and I'm not quite sure if they have just forgotten it or whether they wanted to make it easy for people, because if I just say user, home.php, and that's prior to authentication, no authentication at this point, I also get the shell, just in a different directory. Ah, that's nice. So, but I thought, well, if it's that easy we probably find more stuff.

So um, if you have seen the first talk this morning, Hacking 22 Things in 45 Minutes, it was a great talk, the guys have taken apart the Google TV in the past and they went for UART, so we tried the same. We also had a look at the board and tried to figure out where our pins, or where our soldering points where we may add some pins, are, and we found that there are two pins that actually are candidates; you see them both in the picture here. And with a little bit of measuring around and things like this we found out the one in the front, that's closer to the chassis, that is basically a standard UART which has RX, TX, ground and a 3.3 volt pin. And here is the warning if you want to try this at home: it's 3.3 volts and your PC is 5 volts; you can burn either your PC, you can burn the box, or you can burn, for example, the USB to UART converter. I've burned a few. That was my lesson learned of not buying cheap stuff from Taiwan.

So what do you get when you connect a serial console? When you boot up you get all kinds of information about the system: where the image is stored, what else is where, configurations, what is currently loaded, which drivers are loaded, and actually, if you have the system up and running and see the screen of the system and you press a button on the remote control or something, it tells you exactly which button you pressed and which actions are taken, so this is perfect debugging. Nice. When it was done, umm, you see something like this. I told you they like MD5, so you see an MD5 and you see login. What is the password? That is a chance for winning another beer tonight. Man, it's not that easy, it's not as easy as hacker, or admin, or root or something. These guys like MD5. Let's have a look. Sorry, MD5 of what? Yeah, it's close, but it's not quite, it's a bit more refined actually. I talked to another guy a few minutes before, he said at least I did something right. But let's have a closer look.

So um, the shadow file actually exists in /tmp/shadow, and /etc/shadow is just a link to that, and we found the hash in there and started John the Ripper, of course, because we want to know what it is, but that didn't get us very far quickly. So we started looking a little closer, and I told you the serial line is quite useful for debugging: there was actually one line saying "password for root changed", as you can see from the screenshot, there's also other information, like which modules are started before which modules are started and loaded after, lots of stuff like this. So this was really useful to track, to triage, which module, which program, was actually responsible for this. There's a tool called gbus read serial number, and that's located in a folder that's not inside the original firmware image. It's actually an encrypted addition to the filesystem, using AES encryption, which is later mounted to /usr/local/sbin, and here you find some security by obscurity, because it's located in /home/file, and that's containing lots of interesting information. I've also put the information here on how you can actually extract the AES key, but I'm not going to go into the details, that is more for reference. So this is how it looks visually: we have in the home folder a file, we have the AES key in ROM, and then stuff is extracted into a folder or mounted into /usr/local/sbin, and we have this program, and there's also another program in there which is 13 megabytes in size called DMA OSD. Since this is an encrypted folder we already thought this is probably a pretty interesting thing, let's have a closer look.

But let's get back to what the password is. So once we had this program we were actually able to reverse engineer it, and we found out it's doing a system call, some system function call, not a syscall, where the serial number is used, the MD5 of that is actually generated, and it is the password. How do you get the serial number? Have a look at the box. Yeah, there is actually an easier way: have a look at the login screen, because the serial number, the MD5, is right before the login. I didn't bring the serial cable, or I actually brought a cable, but since I blue-screened my Windows some times with the serial cable, I don't want to try it out here; we can try it out with Linux later, because that works better, but I still want to demo to you guys how this
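The image layout described in the talk (32 bytes of MD5 hex in front, SquashFS at offset 32) makes a simple integrity check possible before you ever touch a device, which is the kind of check that keeps you from bricking it. The script below is an added example, not code from the talk or from Western Digital; it assumes the 32 header bytes are the hex MD5 of every byte that follows, that the SquashFS magic is the little-endian `hsqs`, and it builds its own constructed sample image rather than using a real firmware file.

```python
import hashlib

SQUASHFS_MAGIC = b"hsqs"  # little-endian SquashFS magic, expected at offset 32
HEADER_LEN = 32           # length of the ASCII MD5 hex digest at the front


def parse_image(image: bytes) -> dict:
    """Split an image into its MD5 header and payload and check both.

    Assumption (the talk does not spell it out): the 32 header bytes are the
    hex MD5 of every byte that follows the header.
    """
    if len(image) < HEADER_LEN + len(SQUASHFS_MAGIC):
        raise ValueError("image too short to hold an MD5 header and a SquashFS")
    claimed = image[:HEADER_LEN].decode("ascii", errors="replace").lower()
    if any(c not in "0123456789abcdef" for c in claimed):
        raise ValueError("first 32 bytes are not a hex MD5 digest")
    payload = image[HEADER_LEN:]
    return {
        "claimed_md5": claimed,
        "actual_md5": hashlib.md5(payload).hexdigest(),
        "squashfs_at_32": payload.startswith(SQUASHFS_MAGIC),
        "payload_len": len(payload),
    }


def verify_image(image: bytes) -> bool:
    """True only if the digest matches and a SquashFS starts at offset 32."""
    info = parse_image(image)
    return info["claimed_md5"] == info["actual_md5"] and info["squashfs_at_32"]


def build_sample_image(payload: bytes) -> bytes:
    """Build an image in the described layout (digest header + payload)."""
    return hashlib.md5(payload).hexdigest().encode("ascii") + payload


# Constructed sample data: a stand-in for the root filesystem, not a real WD image.
SAMPLE_PAYLOAD = SQUASHFS_MAGIC + b"\x00" * 60 + b"root-filesystem-bytes"
SAMPLE_IMAGE = build_sample_image(SAMPLE_PAYLOAD)
# Flip one byte inside the payload: the magic survives but the digest must fail.
TAMPERED_IMAGE = SAMPLE_IMAGE[:40] + b"\xff" + SAMPLE_IMAGE[41:]

if __name__ == "__main__":
    for name, img in (("sample", SAMPLE_IMAGE), ("tampered", TAMPERED_IMAGE)):
        info = parse_image(img)
        print(name, info["claimed_md5"][:8], info["actual_md5"][:8],
              "valid" if verify_image(img) else "INVALID")
```

To check a downloaded update, read the bin file into `image` and call `verify_image` on it; a mismatch means a corrupt download or an image whose layout differs from the one the talk describes.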
