JeffKitson / Tranewreck_tools

GNU General Public License v3.0

RegEx update in updated firmwares #1

Open mcarey42 opened 6 years ago

mcarey42 commented 6 years ago

Hello Jeff, thanks for your wonderful work. I wanted to update the regex used in the parsing of the scheduled events. It was crashing on a lack of data from the regex parsing on line 190.

New line follows:

```ruby
data = detail_data.scan(/1\.8\.1\.[0-9]\.1\.[0-9]::evData\("([0-9A-Za-z]+)","([0-9A-Za-z]+)",([a-z]{3}),"([0-9]{2}:[0-9]{2})",([0-9]{2}\.[0-9]{2}),([0-9]{2}\.[0-9]{2})\);/i)
```
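To see what the updated pattern returns and why an empty result matters, here is an added Ruby example (not code from the issue or from tranewreck.rb) that runs the regex over a few constructed evData lines and guards the "no match" case that produced the crash on line 190. The sample lines are built from the shape of the regex, not captured from a real XL850, and the field names (`label`, `kind`, `day`, `time`, `value_a`, `value_b`) are assumptions, not names the device uses.

```ruby
# Constructed sample of scheduled-event lines (assumed format, not a real capture).
# The third line is deliberately truncated so it does not match.
SAMPLE_DETAIL_DATA = <<~DATA
  1.8.1.0.1.1::evData("wake","heat",mon,"06:00",70.00,68.00);
  1.8.1.0.1.2::evData("sleep","cool",Mon,"22:00",72.00,66.00);
  1.8.1.0.1.3::evData("broken","heat",mon,"06:00");
DATA

# The corrected pattern from the issue: literal dots and parentheses are escaped,
# /i lets the three-letter day match regardless of case.
EVDATA_RE = /1\.8\.1\.[0-9]\.1\.[0-9]::evData\("([0-9A-Za-z]+)","([0-9A-Za-z]+)",([a-z]{3}),"([0-9]{2}:[0-9]{2})",([0-9]{2}\.[0-9]{2}),([0-9]{2}\.[0-9]{2})\);/i

# scan returns one array of six captures per matching line; map them to hashes.
# Field names are hypothetical labels for the captures, not the device's own.
def parse_events(detail_data)
  detail_data.scan(EVDATA_RE).map do |label, kind, day, time, value_a, value_b|
    { label: label, kind: kind, day: day.downcase, time: time,
      value_a: Float(value_a), value_b: Float(value_b) }
  end
end

# Guarded accessor: scan on unexpected data yields [], and indexing into that
# and then into nil is exactly the failure mode a parser has to expect when the
# firmware changes its output format. Return nil instead of raising.
def first_event(detail_data)
  events = parse_events(detail_data)
  return nil if events.empty?
  events.first
end

if __FILE__ == $PROGRAM_NAME
  parse_events(SAMPLE_DETAIL_DATA).each { |e| puts e.inspect }
  puts first_event("unexpected firmware output").inspect
end
```

Running the file prints the two well-formed events and `nil` for the unparseable input; the truncated third line is simply skipped rather than crashing the caller.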

JeffKitson commented 6 years ago

Thanks! I'll test this update against the XL850 I have. Do you mind providing information on the device you targeted (firmware version, device model)? I take it based on the update line this applies to tranewreck.rb?

mcarey42 commented 6 years ago

Hi Jeff, It is indeed for trainwreck.rb! I also happen to have a “spare” XL850 that I repaired (thanks to my then 3 year old pulling it off the wall and breaking the touch interface).

I’ll look up the version data on my “production” unit and see what it is.

As an incidental, have you figured out how to extract the firmware from the bundles? If not, I have, and have attached a file outlining it. It also covers how to run emulation on the binaries in the image. Makes it fun to analyze and debug (or reverse engineer). :-)

Keep up the great work Jeff :-),
-Mark.

On Dec 24, 2017, at 3:11 PM, Jeff Kitson notifications@github.com wrote:

Thanks! I'll test this update against the XL850 I have. Do you mind providing information on the device you targeted (firmware version, device model)? I take it based on the update line this applies to tranewreck.rb?

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/JeffKitson/Tranewreck_tools/issues/1#issuecomment-353801305, or mute the thread https://github.com/notifications/unsubscribe-auth/ACEGIiYXp1LMxs4b6cHH8t-0P-UhAvpJks5tDrAAgaJpZM4RL0Wd.

```
mcarey@services:~/Trane_Comfort_Link_II$ cat Article\ Writeup.txt
```

Hello all, a few observations on the Trane Comfort Link II Thermostat:

  1. It's embedded Linux. It is definitely possible to extract the updates and figure out what's "really" going on here.
  2. If we can extract it, we can probably alter it. (Barring a digital signature of some form).
  3. We can also mess it up pretty badly, which is not a great idea in a $900 thermostat :-).

Addressing the first point:

In order to extract the updates, you will need a Linux, Mac OS X host, or something like the 7zip File Manager for Windows. I'm using Linux for ease of use and simplicity. The updates are really just tar.gz files (compressed archives) with a different file name. If you extract them, you will get a set of files that are two kernel images with initrds (an initrd file is an initial RAM disk for boot), a manifest file, build number (version) file, and a compressed root file system.

PLEASE NOTE THAT YOU WILL NEED TO DO THESE STEPS AS THE "root" USER!

The reason for this is that some of the operations are privileged operations (like mounting disk images). I've used Ubuntu 12.04LTS in these examples.

The sequence of commands to extract this from the archive are:

```sh
mkdir extracted
tar -xzf rsup_138271353801.tar.gz -C extracted
```

If we look at the list of files that were extracted, we get:

```
a_138271353801 b_138271353801 c_138271353801 d_138271353801 e_138271353801 m_138271353801 v_138271353801
```

Linux also provides us an excellent way to examine what a file might really be with the "file" command.

```
phorkus@services:~/Trane_Comfort_Link_II/extracted$ file *
a_138271353801: u-boot legacy uImage, Linux-2.6.26-466-ga04670e, Linux/ARM, OS Kernel Image (Not compressed), 1998776 bytes, Thu Oct 17 02:35:10 2013, Load Address: 0x80008000, Entry Point: 0x80008000, Header CRC: 0x80377065, Data CRC: 0x444BD40E
b_138271353801: gzip compressed data, was "rootfs.ext2", from Unix, last modified: Thu Oct 17 02:59:46 2013
c_138271353801: Linux jffs2 filesystem data little endian
d_138271353801: u-boot legacy uImage, Linux-2.6.26-466-ga04670e, Linux/ARM, OS Kernel Image (Not compressed), 1850060 bytes, Fri Oct 25 11:30:05 2013, Load Address: 0x80008000, Entry Point: 0x80008000, Header CRC: 0x0A1BF3DC, Data CRC: 0xDE2425B3
e_138271353801: data
m_138271353801: ASCII text
v_138271353801: ASCII text
```

If we examine the content of the files, we find that:

Next up, we want to extract the root file system with the following sequence of commands:

```sh
cat b_138271353801 | gunzip -d -c > b_uncompressed
```

If we look at the file now using the file command we see:

```
b_uncompressed: Linux rev 0.0 ext2 filesystem data, UUID=00000000-0000-0000-0000-000000000000
```

Excellent! Now let's mount the file system so we can examine it.

```sh
mkdir mnt
mount -o ro b_uncompressed mnt
```

If you are running as the root account, you will now be able to browse the file system under the extracted/mnt directory. The extracted information confirms this is a pretty standard looking embedded ARM Linux distribution:

```
drwxrwxr-x  2 root root    2048 Oct 17 02:59 bin
drwxrwxr-x  6 root root    3072 Oct 17 02:59 dev
drwxrwxr-x  5 root root    1024 Oct 17 02:59 etc
drwxr-xr-x  2 root root    1024 Nov 20  2007 home
drwxr-xr-x  3 root root    2048 Oct 17 02:59 lib
lrwxrwxrwx  1 root root      11 Oct 17 02:59 linuxrc -> bin/busybox
drwx------  2 root root 2651136 Oct 17 02:59 lost+found
drwxr-xr-x  7 root root    1024 Oct 17 02:35 mnt
drwxr-xr-x  2 root root    1024 Nov 20  2007 opt
drwxr-xr-x  2 root root    1024 Nov 20  2007 proc
drwxrwxr-x  2 root root    1024 Oct 17 02:59 root
drwxr-xr-x  2 root root    1024 Oct 17 02:59 sbin
drwxr-xr-x  2 root root    1024 Nov 20  2007 sys
drwxrwxrwt  2 root root    1024 Nov 20  2007 tmp
drwxrwxr-x  9 root root    1024 Oct 17 02:59 usr
drwxr-xr-x 11 root root    1024 Oct 17 02:59 var
-rw-r--r--  1 root root    7900 Oct 17 02:38 xmlwf.1
```

Before we start digging in to this root file system, let's mount the JFFS2 file system, also. You will need to get the jffs2-dump.py script by Igor Skochinsky to dump the contents easily (or hack your kernel to allow you to mount a non-MTD JFFS2 filesystem). It can be obtained at: http://code.ohloh.net/file?fid=G5dAYwrgEVirRINJHms-GWLem5c&cid=Q23-rTiawxw&s&fp=17006&mp&projSelected=true#L0

I saved it in the "extracted/jffs" directory and named it "jffs2-dump.py"

The commands to extract the JFFS2 image are:

```sh
mkdir jffs
cp ~/Downloads/jffs2-dump.py jffs/   # or wherever you put the downloaded file
cd jffs
python ./jffs2-dump.py ../c_138271353801
```

This will spew a lot of information, and create a directory called "extracted/jffs/root" and a file called "extracted/jffs/log.txt". This is the actual root file system that the device runs from under normal operating mode, from the look of things.

If you want to play with the binaries in the system, you can also install ARM emulation (through qemu) and run the commands to see what they do. Be warned, running them as root might be a REALLY BAD idea since some of these might try to format things or poke at hardware in your PC.

```sh
apt-get install qemu binfmt-support qemu-user-static
update-binfmts --display   # this should spew lots of emulation information
cp /usr/bin/qemu-arm-static extracted/jffs/root/usr/bin/
```

Next you will need to replace the text files that JFFS uses to create links with "real" Linux links for the libraries and binaries. You can do this using this script from the "extracted/jffs/root/" directory. I named it "fixbins.sh" and ran it using "bash ./fixbins.sh"

```bash
#!/bin/bash
# Replace the plain-text placeholder files that jffs2-dump.py writes in place of
# symlinks with real symlinks. Each placeholder contains the link target name,
# which is resolved under the same directory inside the image (/lib, /bin, ...).
# Note: every file "file" reports as ASCII is treated as a placeholder, so run
# this only inside the dumped image tree. Run from "extracted/jffs/root/".

fixdir() {
  dir="$1"
  (
    cd "$dir" || exit 1
    REPLACELIST=$(file * | grep ASCII | cut -f 1 -d ":")
    for fileName in $REPLACELIST
    do
      target="/$dir/$(cat "$fileName")"
      echo "Linking $fileName to $target"
      ln -sf "$target" "$fileName"
    done
    chmod +x *
  )
}

for d in lib bin sbin usr/lib usr/bin usr/sbin
do
  fixdir "$d"
done
```

In order to test this let's chroot into the virtual device's file system and poke around a bit. (From the "extracted/jffs/" directory)

```
root@ubuntu:/home/phork/Trane_Comfort_Link_II/extracted/jffs# chroot root /bin/ash


BusyBox v1.6.1 () Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ $ ls -l
drwxr-xr-x  2 root root 4096 Feb 26 04:04 bin
drwxr-xr-x  6 root root 4096 Feb 26 03:59 dev
drwxr-xr-x  6 root root 4096 Feb 26 03:59 etc
drwxr-xr-x  3 root root 4096 Feb 26 03:59 home
drwxr-xr-x  5 root root 4096 Feb 26 04:00 lib
-rw-r--r--  1 root root   11 Feb 26 03:59 linuxrc
drwxr-xr-x  7 root root 4096 Feb 26 03:59 mnt
drwxr-xr-x  2 root root 4096 Feb 26 03:59 opt
drwxr-xr-x  2 root root 4096 Feb 26 03:59 proc
drwxr-xr-x  4 root root 4096 Feb 26 04:08 root
drwxr-xr-x  2 root root 4096 Feb 26 04:04 sbin
drwxr-xr-x  2 root root 4096 Feb 26 03:59 sys
drwxr-xr-x  2 root root 4096 Feb 26 03:59 tmp
drwxr-xr-x 10 root root 4096 Feb 26 03:59 usr
drwxr-xr-x 11 root root 4096 Feb 26 03:59 var
/ $ uname -a
Linux ubuntu 2.6.32 #31~precise1-Ubuntu SMP Tue Feb 4 21:25:43 UTC 2014 armv7l unknown
```

Well now! That looks pretty good! What else can we learn about this system from here?

I've looked for the normal stuff and didn't find anything that was an "easy" way in. I did locate a password that looks like it's the normal ADMIN password for the control protocol stuff "Cold,,2100". It was in the flash file in the /root directory of the JFFS image. What does it do? I'm not sure yet :-).

Enjoy the information, and please post any follow up information about this lovely thermostat that you might find!

Thanks!
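The two files that `file` reports as "u-boot legacy uImage" in the writeup above carry a 64-byte header with a header CRC and a data CRC alongside the load address and entry point. As an added example, not part of the writeup or of the Tranewreck_tools project, here is a Ruby parser for that header (Ruby because the project's tooling is Ruby) that checks both CRC32 values before trusting the length, load address and entry point, and flags a truncated or modified payload. The image it runs on is constructed inside the block; it is not one of the Trane bundle files, and the constructed kernel name and payload bytes are placeholders.

```ruby
require 'zlib'

# u-boot legacy image header layout (64 bytes, all multi-byte fields big-endian):
#   magic, header CRC, timestamp, data size, load address, entry point, data CRC,
#   os, arch, type, compression (one byte each), 32-byte null-padded name.
UIMAGE_MAGIC      = 0x27051956
UIMAGE_HEADER_LEN = 64
HEADER_FORMAT     = "N7C4Z32"
# Values for the one-byte fields used by the constructed image below.
IH_OS_LINUX = 5
IH_ARCH_ARM = 2
IH_TYPE_KERNEL = 2
IH_COMP_NONE = 0

# Parse a uImage and verify its integrity. The header CRC is computed over the
# header with the CRC field itself zeroed; the data CRC covers exactly `size`
# payload bytes after the header, so a truncated image fails the data check.
def parse_uimage(bytes)
  bytes = bytes.b
  raise ArgumentError, "too short for a uImage header" if bytes.bytesize < UIMAGE_HEADER_LEN

  header = bytes.byteslice(0, UIMAGE_HEADER_LEN)
  magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name = header.unpack(HEADER_FORMAT)
  raise ArgumentError, format("bad magic 0x%08x", magic) unless magic == UIMAGE_MAGIC

  header_for_crc = header.byteslice(0, 4) + ("\0" * 4).b + header.byteslice(8, UIMAGE_HEADER_LEN - 8)
  payload = bytes.byteslice(UIMAGE_HEADER_LEN, size) || "".b

  {
    name: name, size: size, load_addr: load, entry_point: ep,
    os: os, arch: arch, type: type, comp: comp,
    timestamp: Time.at(time).utc,
    header_crc_ok: Zlib.crc32(header_for_crc) == hcrc,
    data_crc_ok: payload.bytesize == size && Zlib.crc32(payload) == dcrc
  }
end

# Build a constructed uImage for offline testing (placeholder name and payload,
# not a real Trane kernel). Load/entry defaults mirror the values file(1) showed.
def build_uimage(payload, name: "Linux-placeholder", load: 0x80008000, ep: 0x80008000, time: 0)
  payload = payload.b
  dcrc = Zlib.crc32(payload)
  fields = [UIMAGE_MAGIC, 0, time, payload.bytesize, load, ep, dcrc,
            IH_OS_LINUX, IH_ARCH_ARM, IH_TYPE_KERNEL, IH_COMP_NONE, name]
  hcrc = Zlib.crc32(fields.pack(HEADER_FORMAT))
  fields[1] = hcrc
  fields.pack(HEADER_FORMAT) + payload
end

if __FILE__ == $PROGRAM_NAME
  img = build_uimage("constructed kernel bytes " * 8)
  info = parse_uimage(img)
  printf("%s: %d bytes, load 0x%08x, entry 0x%08x, header crc %s, data crc %s\n",
         info[:name], info[:size], info[:load_addr], info[:entry_point],
         info[:header_crc_ok], info[:data_crc_ok])
end
```

To inspect a real bundle, read one of the `a_`/`d_` files with `File.binread` and pass it to `parse_uimage`; a `data_crc_ok` of false on a file that `file` reports as intact usually means it was truncated during extraction.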

mcarey42 commented 6 years ago

Hey Jeff, I just realized that you work for TrustWave :-). I’m a Cylance researcher, here. :-). I also found your presentation, so you obviously already know how to extract the firmware…

The version that I have is older (by several years, by the look of things), so the regex format string is good for older versions, not newer ones. If you’re interested in the older version, let me know and I’ll get it to you. I’d love to work on more exploits for this thing, if you’re interested. I get the feeling there’s a bunch of vulns hidden in this thing.

I followed your download link on the vulnerable 3 series firmware and I’m extracting it and banging on it a bit to see if there are fun things in there. I’ll let you know :-).

Hope you had a great holiday :-)
-Mark.


mcarey42 commented 6 years ago

Hey Jeff, I’ve uploaded the older Trane package that’s on my thermostat right now. I’m not sure if you are interested or not, but it’s up on my S3 public bucket now.

URL: https://phorkusshared.s3.amazonaws.com/Trane_Comfort_Link_II-rsup_138271353801.zip

I’m not sure if you know me, or not, but I’m also a speaker at DEF CON / Black Hat in years past on hardware attack stuff. I’ve been in the community for around 25 years, as well. I’m excited to see if we can work on this stuff together. I love the idea of a collaborative thing :-). (I’m a total research geek and I love this stuff on a personal and professional level. :-) )

I love what you’ve already done on this stuff and I respect the work you’ve done. I didn’t get nearly this far when I did my initial research on this in 2014. You remind me that I should "try harder”. :-)

If you want me to stop bugging you (for any reason at all), just let me know, too, and I’ll stop bugging you :-).

Hope you’re well,
-Mark.


JeffKitson commented 6 years ago

Hey Mark, the holidays have been keeping me busy. This is great stuff! Some of the info you posted above might go really well in a docs/ or maybe a wiki section for the project. I think right now it's pretty empty. Feel free to contribute in any way! I can probably get this integrated by this weekend. I'm also fairly confident there are more vulns in these devices. DM me on Twitter to get in touch about the research for these things and conferences. @itsokimjk

mcarey42 commented 6 years ago

No worries, the holidays have nailed me between the eyes (and productivity, for that matter). I added you on twitter, but I have to approve you (thanks to the policy of the startup company I’m working with right now).

I also discovered that I’m confused on my versioning. I put a tap on the thermostat’s network link and have a snapshot of the upgrade protocol. The stream looks like:

http://xxlupgrade.trane.com/?i=0042A39C_1344AX7106&v=1382713538

Response is “uptodate” over the HTTP response.

I’ve attempted altering the values, but the response is the same.

I’ll keep digging and communicate over twitter going forward :-).

Thanks again,
-Mark.
