Open arthurcanon opened 5 years ago
Try this: https://github.com/D1W0U/vermagic
See if you get meaningful results with such patched binaries. Obviously there is a chance of kernel panics, so be aware of this.
I patched the mips3.4 version of the module as follows:

```
../vermagic/vermagic -v '4.1.38 SMP preempt mod_unload MIPS32_R1 32BIT ' ./r2secr.mips.3.4-A.ko
```

Inserted it successfully on the router:

```
insmod /tmp/run/mountd/sda1/vodafone_hub_plus/secr-master/r2secr.mips.3.4-A.ko && dmesg | tail -n 20
```

but there is nothing new in dmesg.

What can we try next? I assume this tool is related to LiME? Do we need to compile LiME for this architecture & kernel, and get some dumps from that to help you see what's happening on this newer platform?
And if so, any tips on doing that? (I'm not sure where I should get the correct kernel headers etc.)
Do you have the toolchain?
I don't have a toolchain that is exactly the same as the router, but I have other MIPS32 toolchains, using Debian in qemu, or OpenWRT/LEDE cross-compilation
It is not related to LiME; the vermagic patch was just a free attempt that I didn't really expect to succeed. It is actually interesting to see tch ported this new kernel to MIPS devices as well. Check if you have any /dev/mem exposed. If yes, dump it with dd and look for the ECK in that dump "manually".
OK. r2secr is not too exotic, just standard kmod stuff. I will publish the source and makefiles soon, and you can see what you can do with it. Stay tuned this week.
/dev/mem is exposed. So I can successfully dump it with:

```
dd if=/dev/mem of=/tmp/run/mountd/sda1/mem.dump bs=1024
```

The resulting output file is ~256MB, which matches the RAM size.
I'll do some manual analysis to see what I can find.

@LuKePicci - Thanks for the tip. I wasn't aware it was that easy to dump the RAM.
@pedro-n-rocha - yes, I'd be keen to see the source for r2secr.
Now you just need to find within the ram dump the same struct exposed by r2secr, the erip one. You should see some erip contents in that same ram area, and the ECK as well.
What tool(s) do you recommend I use to find those same structs in the RAM dump? I don't yet have a Volatility profile for this kernel & MIPS architecture. (I'm not an expert at this... I am just learning as I go.)
I used IDA Pro to perform a binary search in the whole dump. I searched for the ECK I knew already and found more than one instance of it here and there, but only one of them was in the middle of the erip struct. You should do the opposite, just search for some other known erip items and scroll down to the ECK instead.
@arthurcanon did you finally manage to find the r2secr struct in the mem dump? Did you remove the keymanager and ripdrv modules before inserting r2secr with the patched vermagic?
better "latte" than never :P
https://github.com/pedro-n-rocha/secr/tree/master/src
@arthurcanon @LuKePicci
for some fun on the oldies : https://github.com/pedro-n-rocha/rev1900
Cheers
@arthurcanon read here https://github.com/kevdagoat/hack-technicolor/pull/5#issuecomment-509426976
The string 'prozone' does not appear in the ttyS0 bootlog at all, so I cannot get the memory offset from there. This is what I see in the bootlog:

---- VBNT-Z ----
```
[    0.000000] Kernel command line: memsize=0xFFDD000 btab=0xc004080c btab_bootid=1 tbbt_addr=0x7d20000 board=VBNT-Z console=ttyS0,115200 root=/dev/mtdblock1 rootfstype=squashfs irqaffinity=0 console=ttyS0,115200 root=/dev/mtdblock1 rootfstype=squashfs irqaffinity=0 console=ttyS0,115200 root=/dev/mtdblock1 rootfstype=squashfs irqaffinity=0
```

---- VANT-9 ----
```
[    0.000000] Kernel command line: root=31:0 ro noinitrd memsize=0xFFDD000 btab=0xc004180c btab_bootid=2 tbbt_addr=0x7d20000 board=VANT-9 console=ttyS0,115200 root=/dev/mtdblock1 rootfstype=squashfs irqaffinity=0 console=ttyS0,115200 root=/dev/mtdblock1 rootfstype=squashfs irqaffinity=0
```
@LuKePicci I am working in Ghidra (I don't have IDA Pro), and I am not an expert. I started having a look for it but wasn't really sure what to look for, so no, I have not found it yet.
Yes, I did try removing the keymanager and ripdrv modules before inserting r2secr with the vermagic patched, but I didn't get any output.
I'm interested to know if we could brute-force finding the key using a known-plaintext attack, trying all possible keys from the memory dump. Would that be possible?
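The search LuKePicci describes (find a known erip item in the dump, scroll down from each hit) and the brute-force idea in the comment above (try every key-sized window from the dump against a known-plaintext check) can be scripted together. The following is an added example and is not code from this thread or from the secr project: the dump, the marker bytes, the 16-byte key length and the HMAC-based verifier are constructed stand-ins; on a real dump you would pass the bytes of a known erip item as the marker and whatever known-plaintext check you have for the ECK as the verifier.

```python
"""Added example, not code from this thread or the secr project: search a
/dev/mem dump for a known marker, show the bytes after each hit, and test every
key-sized window near the hit against a known-plaintext check. MARKER, KEY,
the 16-byte key length and the HMAC verifier are constructed stand-ins."""
import hashlib
import hmac
import math
from collections import Counter


def find_all(dump, needle):
    """Every offset where needle occurs in dump (the 'binary search' step)."""
    hits, pos = [], dump.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = dump.find(needle, pos + 1)
    return hits


def hexdump(dump, offset, before=32, after=96, width=16):
    """Hex + ASCII view around offset: the 'scroll down from the hit' step."""
    start = max(0, offset - before) & ~(width - 1)
    end = min(len(dump), offset + after)
    lines = []
    for addr in range(start, end, width):
        chunk = dump[addr:addr + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{addr:08x}  {hexpart}  {text}")
    return "\n".join(lines)


def shannon_entropy(data):
    """Bits per byte; zero fill scores 0.0, a 16-byte key with no repeats 4.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def candidate_keys(dump, start, length, key_len=16, step=4, min_entropy=3.0):
    """Yield (offset, window) for each step-aligned key_len window in
    dump[start:start+length] that is not zero fill or plain text."""
    stop = min(len(dump), start + length) - key_len + 1
    for off in range(start, stop, step):
        window = dump[off:off + key_len]
        if shannon_entropy(window) >= min_entropy:
            yield off, window


def find_key_near_marker(dump, marker, verify, region=0x1000, key_len=16):
    """For each marker hit, try every candidate window after it with verify();
    return (hit_offset, key_offset, key) for the first that passes, else None."""
    for hit in find_all(dump, marker):
        for off, window in candidate_keys(dump, hit, region, key_len):
            if verify(window):
                return hit, off, window
    return None


# --- constructed demo data (stand-ins for a real erip item and the ECK) ---
MARKER = b"RIP_ITEM_DEMO"
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
KNOWN_PT = b"constructed known plaintext"
KNOWN_TAG = hmac.new(KEY, KNOWN_PT, hashlib.sha256).digest()


def verify_demo(candidate):
    """Stand-in oracle: on a real dump this would be your known-plaintext
    check against an erip item, not an HMAC."""
    tag = hmac.new(candidate, KNOWN_PT, hashlib.sha256).digest()
    return hmac.compare_digest(tag, KNOWN_TAG)


def build_demo_dump():
    """16 KiB of zero fill, a decoy marker with nothing useful after it,
    and the real marker with the key 0x40 bytes further on."""
    dump = bytearray(0x4000)
    dump[0x0100:0x0100 + len(MARKER)] = MARKER
    dump[0x2000:0x2000 + len(MARKER)] = MARKER
    dump[0x2040:0x2050] = KEY
    return bytes(dump)


if __name__ == "__main__":
    dump = build_demo_dump()            # real use: open("mem.dump", "rb").read()
    for hit in find_all(dump, MARKER):
        print(f"marker at 0x{hit:x}\n{hexdump(dump, hit)}\n")
    found = find_key_near_marker(dump, MARKER, verify_demo)
    print("key:", found and (hex(found[1]), found[2].hex()))
```

The loop over all hits matters: as noted earlier in the thread, the same bytes turn up in several places in RAM and only one of them sits inside the erip struct, so the decoy marker in the demo dump is there to show that the first hit is not necessarily the right one. The entropy filter only skips zero fill and plain text, so it cannot miss a real key; lower `min_entropy` or raise `region` if the struct is laid out more loosely than assumed here. A ~256 MB dump fits comfortably in memory as a single `bytes` object on a workstation.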
If you get stuck just share the dump with me and I can take a look.
@LuKePicci - how can I share with you privately?
Good point. Drop it there: https://mega.nz/megadrop/9Sg4aOl572I
@LuKePicci - please check the mega.nz drop
@arthurcanon I need to contact you again, please drop me another email.
Hi - How can we extract OSCK from these devices?
```
$ dmesg
[ 1828.776621] r2secr: version magic '2.6.30 mod_unload MIPS32_R1 32BIT ' should be '4.1.38 SMP preempt mod_unload MIPS32_R1 32BIT '
[ 2034.171966] r2secr: version magic '3.4.11-rt19 SMP preempt mod_unload MIPS32_R1 32BIT ' should be '4.1.38 SMP preempt mod_unload MIPS32_R1 32BIT '
```

```
$ uname -a
Linux ultraplus.hub 4.1.38 #1 SMP PREEMPT Mon Jan 22 05:52:44 UTC 2018 mips GNU/Linux
```

```
$ file busybox
busybox: ELF 32-bit MSB executable, MIPS, MIPS32 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, no section header
```

```
$ cat /proc/cpuinfo
system type             : VBNT-Z
machine                 : Unknown
processor               : 0
cpu model               : Broadcom BMIPS4350 V8.0
BogoMIPS                : 397.31
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : no
hardware watchpoint     : no
isa                     : mips1 mips2 mips32r1
ASEs implemented        :
shadow register sets    : 1
kscratch registers      : 0
package                 : 0
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

processor               : 1
cpu model               : Broadcom BMIPS4350 V8.0
BogoMIPS                : 403.45
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : no
hardware watchpoint     : no
isa                     : mips1 mips2 mips32r1
ASEs implemented        :
shadow register sets    : 1
kscratch registers      : 0
package                 : 0
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available
```

```
$ cat /proc/mtd
dev:    size   erasesize  name
mtd0: 08000000 00020000 "brcmnand.0"
mtd1: 02c60000 00020000 "rootfs"
mtd2: 01f80000 00020000 "rootfs_data"
mtd3: 02e60000 00020000 "bank_1"
mtd4: 02e60000 00020000 "bank_2"
mtd5: 00020000 00020000 "eripv2"
mtd6: 00040000 00020000 "rawstorage"
mtd7: 00000003 00020000 "blversion"
```
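The dmesg lines above carry exactly the string that the vermagic patch suggested at the top of this thread needs, so the two steps can be tied together. The following is an added example, not the D1W0U/vermagic tool and not code from this project: it pulls the expected vermagic out of the dmesg text and overwrites a module's `vermagic=` modinfo entry in place. In-place patching only works when the new string is no longer than the old one, which holds for the 3.4.11-rt19 module used earlier in the thread but not for the 2.6.30 one, whose slot is shorter than the 4.1.38 string; that case needs a tool that grows `.modinfo` and fixes up the ELF section headers. The `.modinfo` bytes here are constructed, not the real r2secr module.

```python
"""Added example (not the D1W0U/vermagic tool, not project code): read the
expected vermagic from dmesg and patch it into a module's 'vermagic=' modinfo
entry in place. The modinfo bytes built by fake_modinfo() are constructed."""
import re

VERMAGIC_RE = re.compile(r"version magic '([^']*)' should be '([^']*)'")
KEY = b"vermagic="

# The two dmesg lines from this thread, embedded so the example runs offline.
DMESG = (
    "[ 1828.776621] r2secr: version magic '2.6.30 mod_unload MIPS32_R1 32BIT ' "
    "should be '4.1.38 SMP preempt mod_unload MIPS32_R1 32BIT '\n"
    "[ 2034.171966] r2secr: version magic '3.4.11-rt19 SMP preempt mod_unload MIPS32_R1 32BIT ' "
    "should be '4.1.38 SMP preempt mod_unload MIPS32_R1 32BIT '\n"
)


def expected_vermagic(dmesg_text):
    """Set of vermagic strings the running kernel said it wants (normally one)."""
    return {m.group(2) for m in VERMAGIC_RE.finditer(dmesg_text)}


def _vermagic_slot(blob):
    """(start, end) of the vermagic value: after 'vermagic=' up to its NUL."""
    i = blob.find(KEY)
    if i == -1:
        raise ValueError("no vermagic= entry in blob")
    start = i + len(KEY)
    return start, blob.index(b"\0", start)


def module_vermagic(blob):
    """The vermagic string currently stored in the module bytes."""
    start, end = _vermagic_slot(blob)
    return blob[start:end].decode()


def vermagic_fits(blob, new_magic):
    """In-place patching needs the new string to fit the old NUL-terminated slot."""
    start, end = _vermagic_slot(blob)
    return len(new_magic.encode()) <= end - start


def patch_vermagic(blob, new_magic):
    """Overwrite the value and pad with NULs, which the kernel's modinfo parser
    skips. A longer string would need .modinfo resized and the ELF fixed up."""
    start, end = _vermagic_slot(blob)
    new = new_magic.encode()
    if len(new) > end - start:
        raise ValueError(f"new vermagic is {len(new)} bytes, slot is {end - start}")
    return blob[:start] + new.ljust(end - start, b"\0") + blob[end:]


def fake_modinfo(vermagic):
    """Constructed stand-in for a .modinfo section: NUL-separated key=value strings."""
    entries = [b"license=GPL", b"depends=", KEY + vermagic.encode(), b"name=demo"]
    return b"\0".join(entries) + b"\0"


if __name__ == "__main__":
    (target,) = expected_vermagic(DMESG)
    for old in ("3.4.11-rt19 SMP preempt mod_unload MIPS32_R1 32BIT ",
                "2.6.30 mod_unload MIPS32_R1 32BIT "):
        blob = fake_modinfo(old)        # real use: open("module.ko", "rb").read()
        if vermagic_fits(blob, target):
            print(f"{old!r} -> {module_vermagic(patch_vermagic(blob, target))!r}")
        else:
            print(f"{old!r}: slot too short for {target!r}, .modinfo must grow")
```

After patching a real `.ko`, confirm the stored value with `modinfo -F vermagic module.ko` before `insmod`; the kernel compares the whole string, trailing space included, which is why the dmesg value is copied verbatim rather than rebuilt from `uname -r`. As the thread already notes, a vermagic patch only gets the module loaded; it does nothing about struct layouts that changed between kernel versions, which is the likelier reason for getting no output afterwards.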