So our next talk is gonna be super awesome, looking forward to this, and we have got another live demo. We are gonna learn about the best way to mess with your smart TV system and, I'm guessing, possibly make it do things which it wasn't intended to originally, is that right? That's correct. Excellent, excellent. Well, hopefully it does all the things that it was supposed to today, right? Yeah. All right, all right, all set to go? All right. Well, let's give a big, big party track welcome to Felix and let's get this thing started.

Okay, um, is it on? We still gotta get the video set up, because I want to show you live how to use the system and so on, so I brought a box, but we need to switch to a video projector in between, so we are still working on it. Okay, lit up, here we go. Okay, there's no audio. Starts very well. This is how my story starts: who actually knows what this is? Sorry, that's Tatort, that's a German TV series. It's a crime series, it's almost as old as Columbo, the only difference is they are still producing shows and it's still running. So in some German families it's a tradition that when the weekend is over, on Sunday night at quarter past eight, you sit down, you switch on the first TV channel that was ever there, and that is still there, and you watch the new episode of the show. And as it's a tradition, it's also something that my wife and I like to do, and we moved to a different country a few years back and unfortunately we weren't able to see this show anymore, and that's kind of sad, and that's the start of the story. So, my name is Felix Leder and my passion is to take things apart and to put other things together that help to take things apart. Besides that I like to be out in the snow or in the water. And to explain
to you a bit more what I mean by taking things apart: I like to hunt bugs and malware and collect them, I also like to research botnet takeovers and countermeasures, and I'm very much involved with the Honeynet project. During my day job I work on mobile threat research at a very nice company called Blue Coat. But this research I'm presenting is not just my own work, you know, every research has some supporters, and in this case it's a group of people from a company called [unclear] and they helped me with this.

So the background of the story is that we had this box, a Western Digital TV Live Hub. I actually have one on stage here and it's a very fine piece of hardware. Basically it makes your dumb TV smart, and if you have a smart TV you get even more services and more options to do stuff. You see here an HDMI output, there are also two USB ports, it supports Wi-Fi and LAN, you can connect a keyboard and stuff like this, but what is more interesting, because at the moment it looks more like an Apple TV or something like this, is that it also has a one terabyte hard disk in there, and that's kind of neat, because then you can upload all of your movies, it's all on one device, you don't need extra storage like a NAS or something, so that's very convenient. The processor in there is a pretty slow MIPS processor, but it's also not responsible for playing the video, actually the codecs are all in hardware on the system and they make sure that you are able to play the movies fast enough. Back to the story: so this box already has all kinds of services on there that are quite nice, like YouTube and Spotify and things like this, and after we didn't have this TV show, Tatort, for quite a while, my wife actually said,
you know, you are always breaking stuff the whole time, why don't you for once do something useful with this and put my favorite show on this box. And you know, when your wife asks you something like this, you better make sure to please her. Actually, I hope my wife is not here, because she would probably comment, well, what do you know about how to please me, well, that's another story. Okay, all right, so let's get started.

Now, before we start: we are about to release the modifications that we have done to the firmware, so we need a disclaimer. This is for educational or research purposes only. If you do what we have done here and you break your box, it isn't our fault and we will not help you. Also, if you use any kind of DRM keys and so on in the box, it's not our fault. Okay, so much for the disclaimer.

Um, first step, first attempt, was we did an offline analysis of the disk that's in there, basically took it out, plugged it into a computer, see what's on there. And it started very, very lucky, we found a private partition on there, but after a couple of minutes we found out there's basically nothing, nothing of relevance on that partition, just some offline storage for Spotify and [unclear], and besides that there is just the partition that holds all the data, all the movies that we upload and so on. So that was a first bad attempt, getting some pressure already from my wife for wasting time. Second step: this box has an update mechanism, it automatically reaches out to Western Digital to check if there's a new firmware, and if there is it asks if you want to install it, and it does all of that automatically. You can also download the firmware manually if you go to their support page and see what's in the update. So once we downloaded all of this we saw that there is
a zip file, and inside the zip file we have five different files, and two that look extremely interesting: one is a .bin file and one is called .bi[unclear]. They are about 150 megabytes, and we wanted to see if we find something we can recognize in there, and fortunately we did: there's a squashfs filesystem in there, but it's at offset 32. So I still need some people drinking with me tonight, so you get a beer if you can answer what the first 32 bytes could be. If you guess right. Any ideas what the first 32 bytes before the embedded file system image are? A signature, very good. Who said it first? All right, come to me later for your beer. Right, yeah, it turns out it's an md5 signature of the whole image.

So we started looking into this a bit more closely, how the images look like, and actually what you see is you have two different images that make up the whole operating system of the device. It's a Linux system, in which one is the root filesystem, basically for everything from root downwards. It has an end signature including the size, and at the very beginning, like the man just mentioned, there's the md5 of the whole image. This md5 is then also appended to the second image, which is usually mounted at /opt, and this again has another signature in the very front to make sure they all fit together and nothing's broken, and those two together basically make up the image. Now let's look at the content, which is a little bit small, I know, so I'll explain it. On the left side you see the main image, the root image, and it has the usual init process which initializes the whole device, it has a config file with some static config, and it has another file with md5sums. md5s in this presentation... seems like Western Digital likes md5.
On the right side there's the /opt folder, and there was one interesting folder called webserver which actually looked very interesting. So with this there was enough information to actually modify the box, but we were a bit hesitant about whether we should just modify the firmware and upload a new one, because we weren't sure whether they didn't have more md5 checks in there, and it looked like they had a lot. So we were a bit hesitant to modify the firmware and maybe just break that single device that we had. The other option was, let's go hunt for some vulnerabilities, may take more time but it's also more fun, right? Okay.

So, vulnerability hunting. First thing was to look at the webserver, um, this thing has a webserver. Let me also quickly switch to where we have Firefox. Here we have Firefox, which is live on the box now, so you see that's the access when you log in, and the password is admin by the way. If you log in you get a remote control, but you can also change the password and so on, so that looked kind of promising. And fortunately the PHP that is used to change all the configuration is not encoded, encrypted or anything, it's just plain, so that's always a good start. Starting from the web server: SQL injection, that was the first attempt, and as you can see there is a really nice SQL statement at the bottom which is composed of parameters right from the GET request, like entry ID, language ID, nice, and that's using SQLite. So here's the statement that would actually create an SQLite database which is at the same time an SQLite database and a valid PHP file. Does anyone here have experience with the PDO database driver? Somebody over here, what's the problem? Don't see it. PDO only allows one statement at a time,
and we wanted to inject five statements here, so, unfortunately, it didn't work, and even if it had worked we found out later that this part of the file system is actually read only, so no chance at all. Bummer. All right, beyond the webserver track, the next thing to try was remote file inclusion, and what we found is there's a remote file inclusion, or a file inclusion possibility, based on the language, which is stored in the cookie. So let me switch back to the web server, and you can see there you have to enter a password and down here you can pick the language. All right, I have a cookie editor up here, and when we refresh it you can see there's a language ID of three in here. So we were wondering, okay, can we just modify this, adding a couple of dots, adding a couple of slashes... did I press the right button? The screen is a bit far away. Yeah, I did. So as you can see, now we get an error message saying, oh, it failed to open the file, some .php. And then we thought, okay, um, why not just add a file called home.php to the folder that we can access through SMB, and then modify the cookie to point to that, and actually you can compute the path just by looking at the firmware. Okay, I pressed the wrong button, sorry, the cookie editor is really tiny and it's hard to see the screen actually from here. Okay. Wow, nice, now we got a PHP shell. So those of you that have worked with PHP shells know that they are a pain in the ass, right? So the first thing you want to do is try to figure out if there's telnet on there, and actually telnet was on there, so we want to activate it and get onto the box. And I have to admit, my background is usually not too much the embedded systems but more like the PC world, and usually when you own the web server, the next
thing you do is think about privilege escalation. All right, so, um, same thing here, let's go and switch to the box, and in order to know from which account to escalate or to get the privileges, first you find out which account you are, and, oh hey, we have root already. This was far easier than I expected, but you can also see my stupidity on the screen, because actually the PHP shell already tells you that you're root. All right, nice. So this was just the beginning, because we were able to get root, but a lesson that I had to learn during the experience is: don't start with SQL injection, don't start with a remote file inclusion, don't start with SQLite, privilege escalation, stuff like this. Look for the really low hanging fruits. So looking at the image layout further, I found that actually the guys from Western Digital had put up a symlink from the web service root directory right onto the disk, so it wasn't even necessary to upload or to try to exploit the system, and I'm not quite sure if they have just forgotten it or whether they wanted to make it easy for people, because if I just say [unclear]/home.php, and that's prior to authentication, no authentication at this point, I also get the shell, just in a different directory. Ah, that's nice. So, but I thought, well, if it's that easy we probably find even more stuff. So, hum, if you have seen the first talk this morning, Hacking 22 things in 45 minutes, it was a great talk, the guys have taken apart the Google TV in the past and they went for UART, so we tried the same. We also had a look on the board and tried to find out where our pins or where our soldering points are where we may insert some pins,
and we found that there are two pins that really are candidates, you see them both in the picture below, and with a bit of measuring around and things like this we found that the one in the front, that's closer to the chassis, is actually a standard UART: there's RX, there's TX, ground and a 3.3 volt pin. And here's the warning if you want to try this at home: it's 3.3 volts and your PC is 5 volts, you may burn either your PC, you can burn the box, or you can burn, for example, the USB to UART converter. I've burned three; there was my lesson learned of not buying cheap stuff from Taiwan. So what do you get when you attach a serial console? After you set it up you get all kinds of details about the system: where the image is stored, what else is where, configurations, what is currently loaded, which drivers are loaded, and actually when you have the system up and running and see the screen of the system and you press a button on the remote control or something, it tells you exactly which button you have pressed and which actions are taken in order to get there. So this is perfect debugging, perfect. When it was finished, umm, you see something like this. I told you they like md5, so you see an md5 and you see login. What's the password? That's an opportunity for winning another beer tonight. Man, it's not that easy, it's not as easy as hacker or admin or root or something, these guys like md5. Let's have a look. Sorry? md5, half of it? Yeah, it's close, but it's not quite, it's a bit more refined. Actually I talked to another guy a couple of minutes before, he said, actually, at least I did something right. But let's have a closer look. So, um, the shadow file actually exists in /tmp/shadow and /etc/shadow is just a link to that, and we found the hash in there and started John the Ripper, of course, because we want to find out what it is, but that didn't get us very far quickly. So we started looking a little closer, and I told you the serial line is very helpful for debugging: there was actually one line saying "password for root changed", as you can see from the screenshot, there are also other details,
like which modules are started before, which modules are started and loaded after, lots of things like this. So this was really helpful to trace, to triage which module, which program was actually responsible for this. There's a tool called "gbus read serial number" which is located in a folder that isn't inside the original firmware image. It's actually an encrypted addition to the file system using AES encryption that's later mounted to /usr/local/sbin, and here you find some security by obscurity, because it's located in /home/file and that's containing lots of interesting information. I have also put the details here how you can actually extract the AES key, but I'm not going to go into the details, that's more for reference. So here's how it looks visually: we have in the home folder a file, [unclear] file, we have the AES key in ROM, and then stuff is extracted to a folder or mounted into a whole /usr/local/sbin, and we have this program, and there's also another program in there which is 13 megabytes in size, called DMA OSD. Since this is an encrypted folder we thought this is probably a very interesting thing, let's have a closer look. But let's get back to what's the password. So once we have the program, we were actually able to reverse engineer the [unclear], and we found it's doing a system call, some system function call, not a system call, where the serial number is used, the md5 of that is built, and that is the password. How do you get the serial number? Have a look at the box, yeah. There's actually an easier way: have a look at the login screen, because the serial number is actually the md5 right in front of login. I didn't bring the serial cable, or I actually brought a cable, but since I blue-screened my Windows a couple of times with the serial cable I don't want to try it out here, we'll try it out with Linux later, because that works a lot better. But I still want to demo to you guys how this actually looks like. All right.
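The two md5 uses the talk describes, the 32-byte digest in front of the squashfs image and the root password derived from the serial number, can be checked with a few lines of Python. The block below is an added example written for this page; it is not code from the talk, from Felix Leder or from Western Digital. It assumes that the 32 header bytes are the lowercase ASCII hex md5 of everything that follows them, that the squashfs is found by its superblock magic, and that the root password is the full hex md5 of the ASCII serial number as the talk states. The second (/opt) image and its trailing size signature are not modelled. The squashfs payload is a constructed stand-in carrying only the magic bytes, not a real image.

```python
import hashlib
import re

HEADER_LEN = 32                       # 32 ASCII hex chars of an md5 digest
SQUASHFS_MAGICS = (b"hsqs", b"sqsh")  # little- and big-endian squashfs magic
HEX32 = re.compile(r"[0-9a-fA-F]{32}")


def split_image(blob: bytes):
    """Split a firmware blob into (header_hex, payload).

    Raises ValueError if the first 32 bytes are not an ASCII hex digest.
    """
    header = blob[:HEADER_LEN]
    if len(header) != HEADER_LEN:
        raise ValueError("blob too short for a 32-byte md5 header")
    try:
        header_hex = header.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("header is not ASCII") from None
    if not HEX32.fullmatch(header_hex):
        raise ValueError("first 32 bytes are not an md5 hex digest")
    return header_hex.lower(), blob[HEADER_LEN:]


def find_squashfs(blob: bytes) -> int:
    """Offset of the first squashfs superblock magic in the blob, or -1."""
    hits = [blob.find(m) for m in SQUASHFS_MAGICS]
    hits = [h for h in hits if h != -1]
    return min(hits) if hits else -1


def verify_image(blob: bytes) -> dict:
    """Compare the header digest with md5(payload) and locate the squashfs.

    Assumption (not confirmed by the talk): the digest covers exactly the
    bytes after the 32-byte header.
    """
    header_hex, payload = split_image(blob)
    computed = hashlib.md5(payload).hexdigest()
    return {
        "header_md5": header_hex,
        "computed_md5": computed,
        "md5_ok": header_hex == computed,
        "squashfs_offset": find_squashfs(blob),
    }


def build_image(payload: bytes) -> bytes:
    """Inverse of verify_image: prepend the hex md5 of the payload.

    This is all that is needed to re-pack a modified squashfs under the
    same assumption; md5 is an integrity check, not an authentication.
    """
    return hashlib.md5(payload).hexdigest().encode("ascii") + payload


def root_password_from_serial(serial: str) -> str:
    """Root password as the talk describes it: md5 of the serial number.

    Assumption: full lowercase hex digest, serial encoded as ASCII.
    """
    return hashlib.md5(serial.encode("ascii")).hexdigest()


def tamper(blob: bytes, offset: int) -> bytes:
    """Flip one byte at `offset`, to show that the header check notices."""
    return blob[:offset] + bytes([blob[offset] ^ 0xFF]) + blob[offset + 1:]


# Constructed stand-in for a squashfs image: magic bytes plus zero padding.
SAMPLE_PAYLOAD = b"hsqs" + bytes(60)
SAMPLE_IMAGE = build_image(SAMPLE_PAYLOAD)


if __name__ == "__main__":
    print(verify_image(SAMPLE_IMAGE))                    # md5_ok True, squashfs at 32
    print(verify_image(tamper(SAMPLE_IMAGE, 40))["md5_ok"])  # False
    print(root_password_from_serial("abc"))              # md5 of the serial
```

Because md5 here only detects corruption, the same `build_image` step that verifies a download is enough to re-pack a modified root image; the hesitation in the talk about further md5 checks is about bricking the one device at hand, not about any check that could not be recomputed.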