Filipowicz251 / mijia-1080P-hacks


Creating initial hack #1

Closed Filipowicz251 closed 7 years ago

Filipowicz251 commented 7 years ago

Hi.

I'm creating a new topic, where we can discuss creating a hack for the Xiaomi Mijia 1080P Smart IP Camera (not Fang, not 360)

kollaesch commented 7 years ago

Well, I'm afraid that something happened during the write process. :-1: (Erasing SPI flash...Erase command 64K // Writing to SPI flash...done)

GM # saveenv
Saving Environment to SPI Flash...
SF: Got idcodes
00000000: c8 40 18 c8    .@..
SF: Detected GD25Q128c with page size 64 KiB, total 16 MiB
flash is 3byte mode
Erasing SPI flash...Erase command 64K
Writing to SPI flash...done
GM #

willthrom commented 7 years ago

The GD25Q128c is the SPI NOR Flash. As you can see, this kind of "device" requires an erase before writing back. No idea yet how to write a copy from the working camera.. yet. Still I think JTAG will help but I am sure someone here has more knowledge than I do.

kollaesch commented 7 years ago

I uploaded the system as zip (7zip that includes a tgz).

Have fun! I'm out for the weekend and pick up tinkering on Monday. So far this was very exciting. Thanks for your support! :+1:

andreq commented 7 years ago

@kollaesch I've dug deep, ended up on some Russian forums and what not.... I think your best bet, if you have the tool and skillset, would be to read the SPI flash chip from the good working one and flash the whole thing to the broken one.

I'll keep digging for easier, software solutions tho!

I think we need to find a way to recover cameras if we don't want to end up with a bunch of bricks :P

willthrom commented 7 years ago

@kollaesch I have created an issue for Firmware recovery. Just to keep a place with the information we start gathering.... hopefully some expert will join us.

(so we can leave this one for the "OS/App" hacking... make sense?)


andreq commented 7 years ago

Great idea. I'll follow up on the other issue if I find anything else.

kollaesch commented 7 years ago

split to new issue? Good idea! @willthrom, @andreq approved 😋

snoerenberg commented 7 years ago

Hi, I dumped the whole 16MB SPI as follows in u-boot:

This needs 3h to complete :) ... the result (the whole memory is logged to serial console) must be cleaned up. I tried to read from SPI and write to MMC but I was only able to write ~1MB.

With binwalk you can analyse/extract the different images.

Idea from: http://www.openipcam.com/forum/index.php?topic=1467.0

willthrom commented 7 years ago

@snoerenberg Do you need that dump for anything in particular or just a backup of the whole memory? (I am just guessing to be able to restore IF no boo-u direct access to the SPI Flash will be required)

Have you discovered yet if the camera will load any automatic script when inserting the SDCARD? I checked the original fanghack and that is very clean, but I guess if the camera doesn´t support any autorun, direct access to the partition will be required (root..UART..etc).....

I am new to this scene but faking a cooked firmware upgrade might be possible.. isn´t it? (Just thinking in the people doesn´t want/can´t to open the camera....) Do you know if the comm between the camera and miiapp-home is encrypted?

itanczos commented 7 years ago

@willthrom Probably an encrypted UDP connection. Like other xiaomi devices. Need a token. Can be recovered from mihome app (from sqlite3 table).

snoerenberg commented 7 years ago

@willthrom within the dump also the Miio apps are included (which are not accessible through the custom U-Boot boot). Within this also some scripts are started.

Interesting would also be what the different "ft_mode"s are. "privkey.pem" and "rsa_decrypt" are present in the firmware as well.

I will also analyze the custom U-Boot which prints out the ft_mode directly at the start. "ft_mode:0" Upon the ft_mode different scripts are started within /etc/init.d/rcS

willthrom commented 7 years ago

@snoerenberg oh nice, a lot of info. Mine is still on its way...hopefully next week. But if you upload the dump somewhere I might be able to take a look (in case I could help).

snoerenberg commented 7 years ago

@willthrom sure, I need to check which cam specific information is within user space ;)

willthrom commented 7 years ago

ft_mode seems to be a flag driving the initialization of the camera with 5 modes (0-4). Analysis below

snoerenberg commented 7 years ago

@willthrom download the tar from @kollaesch and investigate the squashfs. http://www39.zippyshare.com/v/gbkeEUpf/file.html

File: squashfs-root\etc\init.d\rcS

willthrom commented 7 years ago

That location is forbidden at work. Can anyone upload it to this current project? I will delete it later.

tobbegutt commented 7 years ago

here u go buddy https://drive.google.com/file/d/0By-yfItv_8JMRjRCd2RpRFduXzg/view?usp=drivesdk


tobbegutt commented 7 years ago

https://drive.google.com/file/d/0By-yfItv_8JMRjRCd2RpRFduXzg/view?usp=drivesdk

willthrom commented 7 years ago

@tobbegutt I meant to this github project, but thanks for the effort. I will get it another way.

willthrom commented 7 years ago

Summary: with a special KEY in the sdcard (mmc_device=/dev/mmcblk0p1), we can initialize the camera in different modes, one of them (1) will allow running commands from Serial. (1-4, 0 is default) With a Mode different from 0 we can start a different script (sdcard folder/ft/ft_boot.sh) at boot time.

Key It is not in the current dump: /mnt/data/ft/prikey.pem (this folder is not mounted)
The decryption is done with /mnt/data/ft/rsa_decrypt (this folder is not mounted) With the Key (hopefully from Memory Dump) can be used to sign the "hack".

Analysis of \etc\init.d\rcS: it checks if there is a sdcard. If it is there, it will check for the configuration file ft_config.ini to determine the mode the system will behave in: ft_mode

The configured value is under: ft_mode=cat /proc/ft_mode For all the modes except 0, it requires a SDCARD mounted to validate the key.

After this the SDCARD is unmounted. (If any of the checks fails, the ft_mode will be set to 0.)

Mode 1 and 2 will initialize only two scripts (for developers): Mode 1 will allow to run command from the UART (sh < /dev/ttyS0) /etc/init.d/S10mdev start /etc/init.d/S50gm start

Mode 3 seems to be a quiet initialization, meanwhile 0 will print out everything run under /etc/init.d/S??*

Script etc\init.d\S50gm For non 0 modes will start the SDCARD/ft/ft_boot.sh script. For Mode 0 will start \gm\config\vg_boot.sh

Notes Mode 3 will start wifi in different mode (TO CHECK): if [ "$ft_mode" = "3" ];then /mnt/data/ot_wifi_tool/wifi_start_ft_mode.sh | /usr/bin/logger -t wifi & else /mnt/data/ot_wifi_tool/wifi_start.sh | /usr/bin/logger -t wifi & fi Any other Mode, like 4 (for file output logging) will behave as 3

snoerenberg commented 7 years ago

Hi,

@willthrom here is the content of the data partition incl. privkey etc. https://drive.google.com/file/d/0B9gWdg64NxjUdlVsUHdoTHNGb0U/view?usp=sharing

The ft_mode is already also somehow set in the U-Boot. I couldn't get IDA to correctly find all references. "ft_mode:0" -> it's within every boot log and it's prior to booting the linux kernel.


snoerenberg commented 7 years ago

@willthrom a file named "ft_config.ini" must be present on the SD card. The content must correspond to this shit :)

config_mode=`awk '$1~/\[.*/{_cdr_par_=0}\
$0 ~ /^ *\[ *config *\]/ {_cdr_par_=1}\
$0~/^[\011 ]*mode *=.*/ { if(_cdr_par_==1) { sub("="," "); print $2; exit 0} }\
' $sd_mountdir/$ft_cfg_file`

I'll try to fiddle around to get something useful.

This part will be shitty afterwards:

if [ "$ft_mode" != "0" ];then
        if [ ! -f $ft_securekey_file ];then
            echo "no securekey file, ft is not allowed"
            ft_mode="0"
        elif [ ! -d $sd_mountdir/ft ];then
            echo ${sd_mountdir}"/ft is not found"
            ft_mode="0"
        else
            dir_count=`find $sd_mountdir/ft -type d | wc -l`
            dir_size=`du -m $sd_mountdir/ft | cut -f 0`
            if [ $dir_count -gt 1 ];then
                echo "subdir found in ft"
                ft_mode="0"
            elif [ $dir_size -gt 10 ];then
                echo "ft size is too large"
                ft_mode="0"
            else
                mkdir $ft_running_dir
                md5sum $sd_mountdir/ft/* >  $ft_running_dir/md5.sum
                sed -i '/secret.bin/d' $ft_running_dir/md5.sum
                $ft_decrypt $sd_mountdir/ft/secret.bin $ft_running_dir/md5_org.sum $ft_securekey_file
                decrypt_result=$?
                if [ -f $ft_running_dir/md5_org.sum ] && [ $decrypt_result -eq 0 ];then
                    #if [ "1" ];then
                    if md5sum -cs $ft_running_dir/md5_org.sum;then
                        echo "md5 check success"
                        if cp -r $sd_mountdir/ft/* $ft_running_dir;then
                            echo "ft running is ready"
                        else
                            echo "cp ft fail"
                            ft_mode="0"
                        fi
                    else
                        echo "md5 check fail"
                        ft_mode="0"
                    fi
                    rm $ft_running_dir/md5_org.sum
                else
                    echo "md5 org is not found"
                    ft_mode="0"
                fi
            fi
        fi
fi

willthrom commented 7 years ago

@snoerenberg ft_mode is set by cat /proc/ft_mode so yes, U-Boot might be able to set it however it doesn't matter because the /etc/init.d/rcS will set it again based on not able to mount sdcard and decrypt the new config.

Yes

mkdir $ft_running_dir
md5sum $sd_mountdir/ft/* > $ft_running_dir/md5.sum
sed -i '/secret.bin/d' $ft_running_dir/md5.sum
$ft_decrypt $sd_mountdir/ft/secret.bin $ft_running_dir/md5_org.sum $ft_securekey_file
decrypt_result=$?

This is the "validation" that the information in the SDCARD has been signed by someone.

To be able to create a Tool (Hack) we need to generate the new secret.bin. Doesn't seem too difficult if we already have the private key :P

We will have to simulate this Linux somewhere (ARM) to do some testing with the rsa_decrypt.

snoerenberg commented 7 years ago

@willthrom are you able to write a correct ft_config.ini? I'm really not aware of awk. I know regex but not how it behaves together.

When I've some spare time I try to create a config and give it a try and see what's printed on UART.

I drilled 2 holes in the back cover and have there my cables for RX/TX and GND(soldered to the USB shielding)

willthrom commented 7 years ago

@snoerenberg ft_config.ini will not be an issue. I can create a script to generate it (at least for the ft_mode).

The problem is the encryption of the whole FT folder under the private key. I will take a look about that after work.

andreq commented 7 years ago

My google-fu led me to believe we can use OpenSSL to encrypt the MD5 of the folder. $ft_decrypt $sd_mountdir/ft/secret.bin $ft_running_dir/md5_org.sum $ft_securekey_file This only checks if the MD5 matches the decrypted one, right?

p.s. Still waiting for my camera, I just want to help!

willthrom commented 7 years ago

@andreq we need to know first what that rsa_decrypt really does, but yep OpenSSL could be a solution to encrypt back. Still I haven't looked at what secret.bin has... maybe we don't care. (I will look into this)

The good thing is we have the private key.

snoerenberg commented 7 years ago

@willthrom can you paste a sample config line in here? The secret.bin I've not found anywhere.

willthrom commented 7 years ago

@snoerenberg the secret.bin is a file which should be in the sdcard. @andreq I am pretty sure this rsa_decrypt is from OpenSSL.

I don't have the camera but I will try to produce a working key and a config.... (it will be a lot of guessing)

willthrom commented 7 years ago

By the way.. we will need someone to record new voices for the camera :P

data/sound is full of sound files in Chinese.

kollaesch commented 7 years ago

Hi guys, in the meantime I figured out the awk lines: @snoerenberg

config_mode=`awk '$1~/\[.*/{_cdr_par_=0}\
$0 ~ /^ *\[ *config *\]/ {_cdr_par_=1}\
$0~/^[\011 ]*mode *=.*/ { if(_cdr_par_==1) { sub("="," "); print $2; exit 0} }\
' $sd_mountdir/$ft_cfg_file`

1) `$1~/\[.*/{_cdr_par_=0}`: if the line directly begins with a '[sTring ' then _cdr_par_ = 0. Example: '[aBcD ' => _cdr_par_=0

2) `$0 ~ /^ *\[ *config *\]/ {_cdr_par_=1}`: '$0' means the whole line. Example: ' [ config ] ' => _cdr_par_=1

3) `$0~/^[\011 ]*mode *=.*/ { if(_cdr_par_==1) { sub("="," "); print $2; exit 0} }`: '\011' = "\t" represents 1+ tabs at the beginning of the line. Example: '\tmode = aBcDeF'

All together:

  1. if a line begins with '[A-Za-z' then the var _cdr_par will be set to '0'
  2. if a whole line equals something like ' [ config ] ' then _cdr_par=1
  3. if there are tabs in the beginning of a line with 'mode' AND _cdr_par=1 then replace '=' with ' '.

Hope this helps.

willthrom commented 7 years ago

The flow when a SDCARD is detected:

snoerenberg commented 7 years ago

@willthrom from this sed -i '/secret.bin/d' I would expect it's somewhere on the cam.

Edit: ah no it creates this file :D

willthrom commented 7 years ago

@snoerenberg To be honest I am stuck there with the option /d. I don´t remember any regular expression with that modifiers.

The code: md5sum $sd_mountdir/ft/* > $ft_running_dir/md5.sum sed -i '/secret.bin/d' $ft_running_dir/md5.sum

so the sed -i (or 'e in other linux implementation) means to run in interactive mode or direct mode over md5.sum. I could guess it is trying to find/replace/ 'secret.bin' in the md5.sum.

If that were in the camera I would need to understand then the: if md5sum -cs $ft_running_dir/md5_org.sum;then

Besides there is a secret.bin file in the SDCARD.

kollaesch commented 7 years ago

@willthrom

This folder will have less than 10 files and MD5 factor is calculated on the folder: sdcard/ft I read the file differently: 1) the folder must not have subfolders 2) the foldersize must not exceed 10 bytes

kollaesch commented 7 years ago

@willthrom @snoerenberg

To be honest I am stuck there with the option /d. I don´t remember any regular expression with that modifiers.

The regex /secret.bin/d (according to my O'Reilly sed-handbook) 'deletes secret.bin'

willthrom commented 7 years ago

@kollaesch Only one sub folder, and 10 MB... no bytes :) (I wrote it wrong as well before)

dir_count=`find $sd_mountdir/ft -type d | wc -l`
dir_size=`du -m $sd_mountdir/ft | cut -f 0`

if [ $dir_count -gt 1 ];then
elif [ $dir_size -gt 10 ];then

snoerenberg commented 7 years ago

Can we try to produce a working ft_config.ini at first. Then we can go further with the secret. The script has nice output on how to go on afterwards.

willthrom commented 7 years ago

@kollaesch The regex /secret.bin/d (according to my O'Reilly sed-handbook) 'deletes secret.bin'

Good.. I know what this does. sed -i '/secret.bin/d' $ft_running_dir/md5.sum

For the calculated md5 from the files in sdcard/ft, remove the entry secret.bin

This confirms the secret.bin file needs to be in the SDCARD.

@snoerenberg you only have to follow @kollaesch's description of the awk :P. In any case, that is the least of our problems.

andreq commented 7 years ago

For the calculated md5 from the files in sdcard/ft, remove the entry secret.bin

It makes sense though, you wouldn't be able to encrypt itself into the resulting encrypted secret.bin.

Keep going guys! We might have something before I get my camera :O

willthrom commented 7 years ago

To generate the plain sdcard/ft/secret.bin you just need to run:

md5sum /toolsFolder/* > secret.bin

The content of sdcard/ft/ will be our new ToolsHACKFolder

willthrom commented 7 years ago

@snoerenberg just try this. Generate the ft_config with the content

[ config ]
        mode=3

keep in mind the space between [ and config and the space between config and ] and there is a TAB between the begin of the line and mode

snoerenberg commented 7 years ago

@willthrom great job. Config file is ready. Tested on my linux docker container.

root@8f5db7cfa4f5:~/config# awk '$1~/\[.*/{_cdr_par_=0}$0 ~ /^ *\[ *config *\]/ {_cdr_par_=1}$0~/^[\011 ]*mode *=.*/ { if(_cdr_par_==1) { sub("="," "); print $2; exit 0} }' ft_config.ini
3

This looks promising as well: https://github.com/XLILT/rsa/blob/master/rsa.cpp

kollaesch commented 7 years ago

@snoerenberg @willthrom

If I am not mistaken ... try this instead ...

[ config ]
        mode=P2P
if [ "$config_mode" == "P2P" ];then
                ft_mode="3"
            elif [ "$config_mode" == "SA" ];then
                ft_mode="1"
            elif [ "$config_mode" == "MTBF" ];then
                ft_mode="4"
            else
                ft_mode="2"
                echo $config_mode > /tmp/ft_sub_mode
            fi

calculates the modes. If nothing matches => standard will be 2
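
As an added example (my own code, not from the thread, the firmware or any linked repository), here is a Python re-implementation of the awk section/mode parser quoted above together with the config_mode to ft_mode mapping from the rcS excerpt in this comment; the function names are mine, the sample ini is constructed, and the behaviour for an empty config_mode follows only the visible else branch.

```python
import re

# ft_mode mapping quoted from the rcS excerpt in this thread: P2P->3, SA->1,
# MTBF->4; anything else gives 2 and the raw value is kept as the sub mode.
MODE_MAP = {"P2P": "3", "SA": "1", "MTBF": "4"}

# Constructed sample of what the thread says ft_config.ini should look like
# (a space inside the brackets, a tab before "mode").
SAMPLE_INI = "[ config ]\n\tmode=P2P\n"


def config_mode(ini_text):
    r"""Re-implements the awk program line by line (function name is mine).

    awk evaluates its three rules in order on every input line:
      1. $1~/\[.*/               -> first field contains '[' : leave any section
      2. $0~/^ *\[ *config *\]/  -> the line is the [ config ] header : enter it
      3. $0~/^[\011 ]*mode *=.*/ while inside [ config ]
         -> replace the first '=' by a space, print the 2nd field, exit
    Returns None when no mode line is found inside [ config ].
    """
    in_config = False
    for line in ini_text.splitlines():
        fields = line.split()
        if fields and "[" in fields[0]:
            in_config = False
        if re.match(r"^ *\[ *config *\]", line):
            in_config = True
        if in_config and re.match(r"^[\t ]*mode *=", line):
            words = line.replace("=", " ", 1).split()
            # awk's $2 is the empty string when "mode=" carries no value
            return words[1] if len(words) > 1 else ""
    return None


def ft_mode_for(mode):
    """Maps config_mode to (ft_mode, ft_sub_mode) like the rcS if/elif chain.

    ft_sub_mode mirrors what rcS writes to /tmp/ft_sub_mode in the else branch.
    Assumption: the excerpt on the page does not show any extra handling for a
    missing value, so None falls into the else branch as well.
    """
    if mode in MODE_MAP:
        return MODE_MAP[mode], None
    return "2", mode


def resolve(ini_text):
    """Parse the ini text and return (config_mode, ft_mode, ft_sub_mode)."""
    mode = config_mode(ini_text)
    ft_mode, sub = ft_mode_for(mode)
    return mode, ft_mode, sub


if __name__ == "__main__":
    print(resolve(SAMPLE_INI))  # ('P2P', '3', None)
```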

willthrom commented 7 years ago

@kollaesch is right... I forgot what I said before:

In that config file a parameter needs to be set to P2P, SA or MTBF or something else (mapped to ft_mode 3, 1, 4 or 2) to be able to start a custom script (more later)

I am creating the full ft folder.. in 10min... although I am trying to guess what type of encryption they are using (besides RSA)

willthrom commented 7 years ago

@snoerenberg

Give this a try: https://expirebox.com/download/c206135f42917e263c3cdf0d28590a0c.html

It is a hack encrypted under the private key.

just decompress the content in a SDCARD, I guess partitioned as EXT2 (edit VFAT).

You should see a message in the log like:

"Hack Enabled"

snoerenberg commented 7 years ago

@willthrom I can test it tomorrow I'm not at home. "mount -t vfat" > must be FAT32 or similar

willthrom commented 7 years ago

@snoerenberg yes you are right, I was thinking of the other partition

fdisk /dev/mmcblk0
mkfs.vfat /dev/mmcblk0p1 2>&1
mkfs.vfat: format SD done.

The upload of my tools will expire in 48h... FYI.

snoerenberg commented 7 years ago

@willthrom I drove back and tried it.

[    1.040000] mmc1: new high speed SDIO card at address 0001
ft_mode is:0
[    2.090000] Starting /etc/init.d/S00restore

But I formatted the card just with Windows onboard stuff and copied your files.

snoerenberg commented 7 years ago

@willthrom can you share the RSA file generation? Have you checked upper and lowercase from "md5sum"?