ludwig-v / wireless-carplay-dongle-reverse-engineering

CPlay2Air / Carlinkit Wireless Apple CarPlay Dongle reverse engineering
GNU General Public License v3.0

Get Dropbear running? #4

Closed jsm174 closed 3 years ago

jsm174 commented 3 years ago

So while thinking about https://github.com/ludwig-v/wireless-carplay-dongle-reverse-engineering/issues/3, I wanted to see if I could get Dropbear running.

I compiled Dropbear on an RPI:

./configure --host arm-linux-gnueabihf
make

binwalk shows:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             ELF, 32-bit LSB shared object, ARM, version 1 (SYSV)

When I try running it on the dongle, it says it can't find the binary.

So then I tried making a static build:

./configure --host arm-linux-gnueabihf --enable-static
make

binwalk now shows:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             ELF, 32-bit LSB executable, ARM, version 1 (SYSV)

During the build, I did notice these warnings (which are probably important as I will get to later):

make[1]: Leaving directory '/home/pi/dropbear-2020.81/libtomcrypt'
arm-linux-gnueabihf-gcc  -static -o dropbear dbutil.o buffer.o dbhelpers.o dss.o bignum.o signkey.o rsa.o dbrandom.o queue.o atomicio.o compat.o fake-rfc2553.o ltc_prng.o ecc.o ecdsa.o crypto_desc.o curve25519.o ed25519.o dbmalloc.o gensignkey.o gendss.o genrsa.o gened25519.o common-session.o packet.o common-algo.o common-kex.o common-channel.o common-chansession.o termcodes.o loginrec.o tcp-accept.o listener.o process-packet.o dh_groups.o common-runopts.o circbuffer.o list.o netio.o chachapoly.o gcm.o svr-kex.o svr-auth.o sshpty.o svr-authpasswd.o svr-authpubkey.o svr-authpubkeyoptions.o svr-session.o svr-service.o svr-chansession.o svr-runopts.o svr-agentfwd.o svr-main.o svr-x11fwd.o svr-tcpfwd.o svr-authpam.o libtomcrypt/libtomcrypt.a libtommath/libtommath.a -lutil -lz  -lcrypt
/usr/bin/ld: svr-auth.o: in function `recv_msg_userauth_request':
svr-auth.c:(.text+0x638): warning: Using 'getgrouplist' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: svr-chansession.o: in function `execchild':
svr-chansession.c:(.text+0x794): warning: Using 'initgroups' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: sshpty.o: in function `pty_setowner':
sshpty.c:(.text+0x2ec): warning: Using 'getgrnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: common-session.o: in function `fill_passwd':
common-session.c:(.text+0xab4): warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: dbutil.o: in function `expand_homedir_path':
dbutil.c:(.text+0xc24): warning: Using 'getpwuid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: netio.o: in function `connect_remote':
netio.c:(.text+0x120): warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: common-session.o: in function `fill_passwd':
common-session.c:(.text+0xafc): warning: Using 'getspnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking

So I start Dropbear in U2W.sh:

#!/bin/sh

# turn off red light
echo 1 >/sys/class/gpio/gpio2/value;

# copy dropbear to sbin
cp /mnt/UPAN/dropbear /usr/sbin/
chmod 775 /usr/sbin/dropbear

# launch dropbear
/usr/sbin/dropbear -F -E -B -v

# turn on red light
echo 0 >/sys/class/gpio/gpio2/value;

exit 0

I then connect to the dongle's wifi, and attempt to ssh into dropbear 1000 different ways. I tried authorized_keys, adding a new user account, no luck.

ssh -v root@192.168.50.2
ssh -v -i id_rsa root@192.168.50.2

(I noticed that in shadow- it was set to 123456, so I tried that too).

Anyway, since -F doesn't fork Dropbear, all the logs are getting written to U2W.txt.

TRACE  (198) 54.491933: leave recv_msg_service_request: done ssh-userauth
TRACE  (198) 54.493978: empty queue dequeing
TRACE  (198) 54.494281: process_packet: packet type = 50,  len 40
TRACE  (198) 54.494417: enter recv_msg_userauth_request
TRACE  (198) 54.494516: enter checkusername
TRACE  (198) 54.511983: leave checkusername: user 'root' doesn't exist
[198] Jan 02 00:01:04 Login attempt for nonexistent user
TRACE  (198) 54.512243: recv_msg_userauth_request: 'none' request
TRACE  (198) 54.512318: enter send_msg_userauth_failure
TRACE  (198) 54.512399: auth fail: methods 6, 'publickey,password'

The "user 'root' doesn't exist" message is coming from:

https://github.com/mkj/dropbear/blob/master/svr-auth.c#L266

The user comes from a call to getpwnam, which was one of the warnings from above:

Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking

Any thoughts on how to possibly link with the correct glibc?
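The linker warnings above are the whole story: glibc implements getpwnam() and friends through NSS, and even in a -static binary it dlopen()s libnss_files.so from the exact glibc version it was linked against. On a target that has no matching copy the lookup quietly returns NULL, and dropbear's checkusername() reports a user that is plainly in /etc/passwd as nonexistent. The C program below is an added example, not code from this issue or from dropbear: it shows a diagnostic call that reproduces the failing lookup, next to a small passwd(5) parser that reads the file directly and so works in a fully static binary. The passwd lines in SAMPLE_PASSWD are constructed for the demo (they are not the dongle's real accounts); the /etc/passwd path is the standard location and is assumed, not taken from the issue.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample in passwd(5) format; NOT the dongle's real /etc/passwd. */
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/sh\n"
    "daemon:x:1:1:daemon:/usr/sbin:/bin/false\n"
    "dev:x:1000:1000::/home/dev:/bin/sh\n";

/* Split one passwd line in place on ':' into its seven fields.
 * Returns 0 on success, -1 if the line has too few fields. */
static int split_fields(char *line, char *fields[7]) {
    char *p = line;
    for (int i = 0; i < 7; i++) {
        fields[i] = p;
        if (i == 6) {
            break;                      /* shell is the last field; may be empty */
        }
        char *colon = strchr(p, ':');
        if (colon == NULL) {
            return -1;
        }
        *colon = '\0';
        p = colon + 1;
    }
    return 0;
}

/* Look up `name` in passwd-format `text` without touching NSS.
 * Fills *uid, *gid and home_buf (any of which may be NULL) and returns 0;
 * returns -1 when the user is absent. Malformed or over-long lines are skipped. */
int lookup_in_passwd_text(const char *text, const char *name,
                          uid_t *uid, gid_t *gid,
                          char *home_buf, size_t home_len) {
    const char *cursor = text;
    char line[512];

    while (*cursor != '\0') {
        const char *nl = strchr(cursor, '\n');
        size_t len = nl ? (size_t)(nl - cursor) : strlen(cursor);
        const char *next = nl ? nl + 1 : cursor + len;

        if (len < sizeof line) {
            char *f[7];
            memcpy(line, cursor, len);
            line[len] = '\0';
            if (split_fields(line, f) == 0 && strcmp(f[0], name) == 0) {
                if (uid) *uid = (uid_t)strtoul(f[2], NULL, 10);
                if (gid) *gid = (gid_t)strtoul(f[3], NULL, 10);
                if (home_buf && home_len > 0) {
                    strncpy(home_buf, f[5], home_len - 1);
                    home_buf[home_len - 1] = '\0';
                }
                return 0;
            }
        }
        cursor = next;
    }
    return -1;
}

/* Diagnostic: does the libc lookup succeed in this binary? A statically linked
 * glibc getpwnam() dlopen()s libnss_files.so from the glibc it was built with;
 * on a target that lacks a matching copy it returns NULL even though the user
 * is present in /etc/passwd, which is exactly the "user 'root' doesn't exist"
 * path in dropbear's checkusername(). */
int libc_lookup_works(const char *name) {
    return getpwnam(name) != NULL;
}

int main(int argc, char **argv) {
    const char *name = argc > 1 ? argv[1] : "root";
    uid_t uid; gid_t gid; char home[128];

    printf("libc getpwnam(\"%s\"): %s\n", name,
           libc_lookup_works(name) ? "found" : "NOT found (NSS unavailable?)");

    /* Same lookup against the constructed sample... */
    if (lookup_in_passwd_text(SAMPLE_PASSWD, name, &uid, &gid, home, sizeof home) == 0)
        printf("sample: uid=%lu gid=%lu home=%s\n", (unsigned long)uid, (unsigned long)gid, home);
    else
        printf("sample: no such user\n");

    /* ...and against the real file, the way a static binary on the target could
     * avoid NSS entirely. Path is assumed to be the standard /etc/passwd. */
    static char filebuf[1 << 16];
    FILE *fp = fopen("/etc/passwd", "r");
    if (fp != NULL) {
        size_t n = fread(filebuf, 1, sizeof filebuf - 1, fp);
        fclose(fp);
        filebuf[n] = '\0';
        if (lookup_in_passwd_text(filebuf, name, &uid, &gid, home, sizeof home) == 0)
            printf("/etc/passwd: uid=%lu gid=%lu home=%s\n", (unsigned long)uid, (unsigned long)gid, home);
        else
            printf("/etc/passwd: no such user\n");
    }
    return 0;
}
```

Built with the same -static toolchain and copied to the target alongside dropbear, the first line of output tells you immediately whether the libc lookup is the problem: "NOT found" for a user that the direct parser then reports as present means the NSS modules are missing or mismatched at runtime. The usual fixes are linking against a libc that has no NSS indirection (musl), building dynamically against the libraries extracted from the firmware, or patching the lookup to read /etc/passwd and /etc/shadow directly as the parser above does.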

jsm174 commented 3 years ago

Just to follow up on this. I think I am linking against the correct libs now:

export LDFLAGS="-L/home/pi/wireless-carplay-dongle-reverse-engineering/Extracted/28102020/lib"
./configure --host arm-linux-gnueabihf --enable-static --disable-zlib
make
.
.
arm-linux-gnueabihf-gcc -L/home/pi/wireless-carplay-dongle-reverse-engineering/Extracted/28102020/lib -static -o dropbear dbutil.o buffer.o dbhelpers.o dss.o bignum.o signkey.o rsa.o dbrandom.o queue.o atomicio.o compat.o fake-rfc2553.o ltc_prng.o ecc.o ecdsa.o crypto_desc.o curve25519.o ed25519.o dbmalloc.o gensignkey.o gendss.o genrsa.o gened25519.o common-session.o packet.o common-algo.o common-kex.o common-channel.o common-chansession.o termcodes.o loginrec.o tcp-accept.o listener.o process-packet.o dh_groups.o common-runopts.o circbuffer.o list.o netio.o chachapoly.o gcm.o svr-kex.o svr-auth.o sshpty.o svr-authpasswd.o svr-authpubkey.o svr-authpubkeyoptions.o svr-session.o svr-service.o svr-chansession.o svr-runopts.o svr-agentfwd.o svr-main.o svr-x11fwd.o svr-tcpfwd.o svr-authpam.o libtomcrypt/libtomcrypt.a libtommath/libtommath.a -lutil  -lcrypt
/usr/bin/ld: svr-auth.o: in function `recv_msg_userauth_request':
svr-auth.c:(.text+0x638): warning: Using 'getgrouplist' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: svr-chansession.o: in function `execchild':
svr-chansession.c:(.text+0x794): warning: Using 'initgroups' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: sshpty.o: in function `pty_setowner':
sshpty.c:(.text+0x2ec): warning: Using 'getgrnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: common-session.o: in function `fill_passwd':
common-session.c:(.text+0xad8): warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: dbutil.o: in function `expand_homedir_path':
dbutil.c:(.text+0xc24): warning: Using 'getpwuid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: netio.o: in function `connect_remote':
netio.c:(.text+0x120): warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: common-session.o: in function `fill_passwd':
common-session.c:(.text+0xb20): warning: Using 'getspnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking

I'll start adding some debugs around checkusername...