pedro-n-rocha / secr


DNA0130VDF VBNT-Z & VANT-9 uses 4.1.38 MIPS Kernel #7

Open arthurcanon opened 5 years ago

arthurcanon commented 5 years ago

Hi - How can we extract OSCK from these devices?

dmesg

[ 1828.776621] r2secr: version magic '2.6.30 mod_unload MIPS32_R1 32BIT ' should be '4.1.38 SMP preempt mod_unload MIPS32_R1 32BIT '
[ 2034.171966] r2secr: version magic '3.4.11-rt19 SMP preempt mod_unload MIPS32_R1 32BIT ' should be '4.1.38 SMP preempt mod_unload MIPS32_R1 32BIT '

uname -a

Linux ultraplus.hub 4.1.38 #1 SMP PREEMPT Mon Jan 22 05:52:44 UTC 2018 mips GNU/Linux

file busybox

busybox: ELF 32-bit MSB executable, MIPS, MIPS32 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, no section header

cat /proc/cpuinfo

system type             : VBNT-Z
machine                 : Unknown
processor               : 0
cpu model               : Broadcom BMIPS4350 V8.0
BogoMIPS                : 397.31
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : no
hardware watchpoint     : no
isa                     : mips1 mips2 mips32r1
ASEs implemented        :
shadow register sets    : 1
kscratch registers      : 0
package                 : 0
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

processor               : 1
cpu model               : Broadcom BMIPS4350 V8.0
BogoMIPS                : 403.45
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : no
hardware watchpoint     : no
isa                     : mips1 mips2 mips32r1
ASEs implemented        :
shadow register sets    : 1
kscratch registers      : 0
package                 : 0
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

cat /proc/mtd

dev:    size     erasesize  name
mtd0: 08000000 00020000 "brcmnand.0"
mtd1: 02c60000 00020000 "rootfs"
mtd2: 01f80000 00020000 "rootfs_data"
mtd3: 02e60000 00020000 "bank_1"
mtd4: 02e60000 00020000 "bank_2"
mtd5: 00020000 00020000 "eripv2"
mtd6: 00040000 00020000 "rawstorage"
mtd7: 00000003 00020000 "blversion"
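The dmesg lines above are the kernel refusing the module because its vermagic string does not match the running kernel's. The small parser below is an added example (not code from this issue or from the secr project) that reads such lines and reports which release and which feature tokens (SMP, preempt, ...) differ, so you can see exactly why a given .ko was rejected; the sample dmesg text is constructed from the two lines quoted in this issue.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the two refusal lines quoted in this issue plus one unrelated line.
SAMPLE_DMESG = """\
[ 1828.776621] r2secr: version magic '2.6.30 mod_unload MIPS32_R1 32BIT ' should be '4.1.38 SMP preempt mod_unload MIPS32_R1 32BIT '
[ 2034.171966] r2secr: version magic '3.4.11-rt19 SMP preempt mod_unload MIPS32_R1 32BIT ' should be '4.1.38 SMP preempt mod_unload MIPS32_R1 32BIT '
[ 2040.000000] usb 1-1: new high-speed USB device number 2 using ehci-platform
"""

# Matches "<module>: version magic '<have>' should be '<want>'" after the dmesg timestamp.
VERMAGIC_RE = re.compile(
    r"\]\s+(?P<module>\S+): version magic '(?P<have>[^']*)' should be '(?P<want>[^']*)'"
)


@dataclass
class VermagicMismatch:
    module: str
    module_release: str          # kernel release the .ko was built against
    kernel_release: str          # release of the running kernel
    missing: list = field(default_factory=list)  # tokens the kernel requires but the .ko lacks
    extra: list = field(default_factory=list)    # tokens the .ko has but the kernel does not


def parse_vermagic_mismatches(dmesg_text):
    """Return one VermagicMismatch per 'version magic ... should be ...' line in dmesg_text."""
    results = []
    for line in dmesg_text.splitlines():
        m = VERMAGIC_RE.search(line)
        if not m:
            continue
        # A vermagic string is whitespace-separated: first token is the kernel
        # release, the remaining tokens are build features (SMP, preempt, ...).
        have = m.group("have").split()
        want = m.group("want").split()
        results.append(VermagicMismatch(
            module=m.group("module"),
            module_release=have[0],
            kernel_release=want[0],
            missing=sorted(set(want[1:]) - set(have[1:])),
            extra=sorted(set(have[1:]) - set(want[1:])),
        ))
    return results


if __name__ == "__main__":
    for mm in parse_vermagic_mismatches(SAMPLE_DMESG):
        print(f"{mm.module}: built for {mm.module_release}, kernel is {mm.kernel_release}; "
              f"missing={mm.missing} extra={mm.extra}")
```

For the first line the only differences are the release and the absent SMP/preempt tokens; for the second line only the release differs, which is what patching the vermagic string addresses.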

LuKePicci commented 5 years ago

Try this https://github.com/D1W0U/vermagic

See if you get meaningful results with such patched binaries. Obviously there is chance for kernel panics, so be aware of this.

arthurcanon commented 5 years ago

I patched the mips3.4 version of the module as follows:

../vermagic/vermagic -v '4.1.38 SMP preempt mod_unload MIPS32_R1 32BIT ' ./r2secr.mips.3.4-A.ko

Inserted it successfully on the router:

insmod /tmp/run/mountd/sda1/vodafone_hub_plus/secr-master/r2secr.mips.3.4-A.ko && dmesg | tail -n 20

but there is nothing new in dmesg.

What can we try next? I assume this tool is related to LiME? Do we need to compile LiME for this architecture & kernel, and get some dumps from that to help you see what's happening on this newer platform?

And if so, any tips on doing that? (I'm not sure where I should get the correct kernel headers etc)

pedro-n-rocha commented 5 years ago

Do you have the toolchain?

arthurcanon commented 5 years ago

I don't have a toolchain that is exactly the same as the router, but I have other MIPS32 toolchains, using Debian in qemu, or OpenWRT/LEDE cross-compilation

LuKePicci commented 5 years ago

It is not related to lime, the vermagic patch was just a free attempt that I didn't really expect to succeed. It is actually interesting to see tch ported this new kernel on mips devices as well. Check if you have any /dev/mem exposed. If yes, dump it with dd and look for ECK into that dump "manually".

pedro-n-rocha commented 5 years ago

Ok. r2secr is not too exotic, just standard kmod stuff. I will publish the source and makefiles soon, and you see what you can do with it. Stay tuned this week.

arthurcanon commented 5 years ago

/dev/mem is exposed. So I can successfully dump it with:

dd if=/dev/mem of=/tmp/run/mountd/sda1/mem.dump bs=1024

The resulting output file is ~256MB which matches the RAM size.

I'll do some manual analysis to see what I can find. @LuKePicci - Thanks for the tip. I wasn't aware it was that easy to dump the RAM. @pedro-n-rocha - yes, I'd be keen to see the source for r2secr.

LuKePicci commented 5 years ago

Now you just need to find within the ram dump the same struct exposed by r2secr, the erip one. You should see some erip contents in that same ram area, and the ECK as well.

arthurcanon commented 5 years ago

What tool(s) do you recommend I use to find those same structs in the RAM dump? I don't yet have a Volatility profile for this kernel & MIPS architecture. (I'm not an expert at this... I am just learning as I go.)

LuKePicci commented 5 years ago

I used IDA Pro to perform a binary search in the whole dump. I searched for the ECK I knew already and found more than one instance of it here and there, but only one of them was in the middle of the erip struct. You should do the opposite, just search for some other known erip items and scroll down to the ECK instead.

LuKePicci commented 5 years ago

@arthurcanon did you finally manage to find the r2secr struct in the mem dump? Did you remove the keymanager and ripdrv modules before inserting r2secr with the patched vermagic?

pedro-n-rocha commented 5 years ago

better "latte" than never :P

https://github.com/pedro-n-rocha/secr/tree/master/src

@arthurcanon @LuKePicci

for some fun on the oldies : https://github.com/pedro-n-rocha/rev1900

Cheers

LuKePicci commented 5 years ago

@arthurcanon read here https://github.com/kevdagoat/hack-technicolor/pull/5#issuecomment-509426976

arthurcanon commented 5 years ago


The string 'prozone' does not appear in the ttyS0 bootlog at all, so I cannot get the memory offset from there. This is what I see in the bootlog:

---- VBNT-Z ----

[ 0.000000] Kernel command line: memsize=0xFFDD000 btab=0xc004080c btab_bootid=1 tbbt_addr=0x7d20000 board=VBNT-Z console=ttyS0,115200 root=/dev/mtdblock1 rootfstype=squashfs irqaffinity=0 console=ttyS0,115200 root=/dev/mtdblock1 rootfstype=squashfs irqaffinity=0 console=ttyS0,115200 root=/dev/mtdblock1 rootfstype=squashfs irqaffinity=0

---- VANT-9 ----

[ 0.000000] Kernel command line: root=31:0 ro noinitrd memsize=0xFFDD000 btab=0xc004180c btab_bootid=2 tbbt_addr=0x7d20000 board=VANT-9 console=ttyS0,115200 root=/dev/mtdblock1 rootfstype=squashfs irqaffinity=0 console=ttyS0,115200 root=/dev/mtdblock1 rootfstype=squashfs irqaffinity=0

arthurcanon commented 5 years ago

@LuKePicci I am working in Ghidra (I don't have IDA Pro), and I am not an expert. I started having a look for it but wasn't really sure what to look for, so no I have not found it yet.

Yes, I did try removing the keymanager and ripdrv modules before inserting r2secr with the vermagic patched, but I didn't get any output.

I'm interested to know if we could brute-force finding the key using a known-plaintext attack to try all possible keys from the memory dump? Would that be possible?

LuKePicci commented 5 years ago

If you get stuck just share the dump with me and I can take a look.

arthurcanon commented 5 years ago

@LuKePicci - how can I share with you privately?

LuKePicci commented 5 years ago

Good point. Drop it there: https://mega.nz/megadrop/9Sg4aOl572I

arthurcanon commented 5 years ago

@LuKePicci - please check the mega.nz drop

LuKePicci commented 5 years ago

@arthurcanon I need to contact you again, plz drop me another email.