Console access on Stretch
Did anyone manage to get a working console on the Stretch already?
Looking at the Omnima HMP documentation the serial connection is on jumper 12 pin 4,6,8 (TxD,GND,RxD) using setting 115200/8/N/1. I do get output during boot, however it is unreadable/scrambled.
-
- Starting Member
- Posts: 48
- Joined: Sun Apr 28, 2013 9:40 pm
- Location: Netherlands (Deventer)
- Contact:
Re: Console access on Stretch
Console access is working, at least on my Stretch 2.0, they did remove the FAILSAFE mode ;-(
http://phoenixinteractive.mine.nu/websi ... ?f=27&t=44
Last edited by Phoenix on Mon Apr 29, 2013 4:51 pm, edited 1 time in total.
Home automation - Domotics - Electronics - IT consulting - Software development - 3D printing - Custom work
Website: domoticx.nl / Webshop: domoticx.nl/webwinkel / Knowledge Center: http://domoticx.com
Re: Console access on Stretch
I've tried this using pins 4, 6 & 8 at 115200 baud, with two different USB/serial cables, on a Linux system and on Windows... but no luck for me yet. Only scrambled output.
Did you have system access?
Re: Console access on Stretch
Hi POST-IT
You need some learning in serial connections; most connections nowadays on hardware are UART connections!
You need a USB <--> UART TTL cable, not a USB <--> Serial RS232 (you can even damage your hardware if the Serial RS232 is directly from the computer; USB may not damage it since it's not >5 V).
UART TTL:
+5 V = 1
0 V = 0
Serial RS232:
+3 V to +15 V = 0
-3 V to -15 V = 1
That's why your data is scrambled up.
For more on this, read my website on the stuff, it will help you understand serial connections:
SERIAL RS232: http://phoenixinteractive.mine.nu/websi ... ?f=22&t=26
UART TTL: http://phoenixinteractive.mine.nu/websi ... ?f=22&t=27
Last edited by Phoenix on Mon Apr 29, 2013 4:52 pm, edited 1 time in total.
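The polarity difference described in the post above, as an added example that is not part of the original thread: it frames bytes as 8/N/1, then decodes the same samples once as sent and once with every level read the opposite way. It models only the inverted logic sense, not the voltages, and the function names and the payload are made up for the illustration.

```python
def frame_8n1(byte):
    """Idle-high UART framing: start bit 0, eight data bits LSB first, stop bit 1."""
    return [0] + [(byte >> k) & 1 for k in range(8)] + [1]

def line_levels(data, idle=2):
    """Logic levels a TTL UART puts on the wire for `data`, with idle time around it."""
    bits = [1] * idle
    for byte in data:
        bits += frame_8n1(byte)
    return bits + [1] * idle

def invert(bits):
    """What a receiver with the opposite polarity sees: every mark read as a space."""
    return [1 - b for b in bits]

def decode_8n1(bits):
    """Decode one sample per bit; return (decoded bytes, framing error count)."""
    out, errors, i = bytearray(), 0, 0
    while i + 10 <= len(bits):
        if bits[i] == 1:          # line idle, keep waiting for a start bit
            i += 1
            continue
        out.append(sum(bits[i + 1 + k] << k for k in range(8)))
        if bits[i + 9] != 1:      # stop bit missing: framing error
            errors += 1
        i += 10
    return bytes(out), errors

if __name__ == "__main__":
    wire = line_levels(b"OK")             # constructed sample payload
    print(decode_8n1(wire))               # matching polarity
    print(decode_8n1(invert(wire)))       # opposite polarity
```

With inverted polarity the receiver takes the idle line for a start bit, so the byte boundaries shift as well as the bit values, which is why the result is garbage rather than a simple bitwise complement.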
Re: Console access on Stretch
Post-IT wrote: Did you have system access?
No, they removed the failsafe mode in the Stretch 2.0.

Otherwise read all the info here (Dutch): http://phoenixinteractive.mine.nu/websi ... m.php?f=26
They were not happy but they could not prevent it, haha


The OpenWrt software includes a "failsafe" mode by default. This mode is comparable to safe mode in Windows: you can run some diagnostic programs etc. However, Plugwise has removed this mode from the Stretch 2.0... more research is needed here... to be continued!
There are two solutions for a jailbreak (in theory):
1a) Memory dump (firmware) using the JTAG pins on the Stretch.
1b) Upload new firmware to the Stretch and use a sniffer to intercept the packets (firmware catch).
After the firmware has been obtained (img file):
2) Split the firmware file, which contains a SquashFS partition, and extract this partition (dump).
3) Mount the extracted SquashFS partition in Linux.
4) There is software (John the Ripper) to decipher the SSH hash of DropBear (etc/shadow)...
Sources:
Example unpack: http://dns-300.sergeyzh.org/wiki/howto/ ... k_firmware
DropBear: https://matt.ucc.asn.au/dropbear/dropbear.html
Shadow file: http://www.cyberciti.biz/faq/understand ... adow-file/
Shadow file: decode yes/no?: http://forums.cpanel.net/f5/can-etc-sha ... -4660.html
John the Ripper: http://www.openwall.com/john/
Last edited by Phoenix on Mon Apr 29, 2013 4:52 pm, edited 1 time in total.
Re: Console access on Stretch
Thanks, the guys from Omnima forgot to tell me that. I just ordered a stick on Marktplaats for €6.
Already tried a brute force on the SSH daemon, but I think it has no password set as it returns a notice which states public key as primary authentication method.
Also tried searching for exploits on the services, however I need a working shell from any user before privileged access is possible.
I've noticed the device sends an HTTP request to a PW server to check for updated firmware. Maybe we could adjust the request body to state an old firmware version so it returns current firmware?
Re: Console access on Stretch
@Post-it
I got the whole 1.1.9 firmware and source from the Smile. I have found the "firmware server" but it seems it is protected, likely the Smile sends a "verification" key to it, so I have to browse and look in the firmware some more to understand the Smile much better before attempting something...
but I am rather busy with everything, so I will see if I could make some time nowadays!

Re: Console access on Stretch
You can already SSH your Stretch 2.0, it will ask for a username and password... I tried many, many passwords (like Stretch IDs / MACs etc...) but no luck (assuming root access is always: username=root, at least on the Smile P1 it was). I doubt if it would be a common password!
What I want?
- Understand the Stretch 2.0, like how to control a ZigBee stick in Linux!
- Understand the ZigBee stick, and get it to work on a Windows machine! (I tried with ZigBee software but the stick didn't work, so it may be a "fork of ZigBee" communication protocol)
Let's see if we can get into the Stretch 2.0! Game ON!

Re: Console access on Stretch
Ok, I got some firmwares as Linux BIN/IMG files, the Linux headers are inside, so this is the first step!
Does anyone know more firmware versions? I got:
Smile:
1.2.8 (released 2013)
1.1.9 (as released late 2012)
15.3.7 (old version, no GUI interface?)
15.3.11 (old version, no GUI interface?)
15.3.12 (old version, no GUI interface?)
As with the trick to get firmwares for the Smile, the same can be done for the Stretch by adjusting some variables.
Stretch:
1.0.38 (?)
1.0.40 (released 2013?)
1.0.41 (released 2013)
Desktop software message: Capturing and copying:

The Linux header is inside, this is an example from the Smile firmware (Stretch = Linux v3.3.7)

Re: Console access on Stretch
I thought about getting it through the JTAG, but I'm a bit concerned there is a JTAG watchdog running. And I don't have any experience on that side or enough spare Stretches to waste on that...
I've pushed the top 3 libraries through an SSH script without luck.
My goal is to see more of the XML info and data collection. In source I could fetch total usage of a certain stick which is now missing in the known XML output of the Stretch.
Last edited by Post-IT on Mon Apr 29, 2013 4:48 pm, edited 1 time in total.
Re: Console access on Stretch
Post-IT wrote: I thought about getting it through the JTAG, but I'm a bit concerned there is a JTAG watchdog running. And I don't have any experience on that side or enough spare Stretches to waste on that...
Just jailbreak the Smile P1 and use the CURL command (with certificates and key) to download the firmwares from the Plugwise update server, more described here on my website (made the topic today!)

Now we need to extract the SquashFS partition and "mount" it in linux to see what's in there...
Re: Console access on Stretch
If I have the binfile I could use binwalk and dd to extract the SquashFS. I've unsquashed something years ago, but I've noticed there are new FS types on the market today... although it looks mainly a compression type thing.
Re: Console access on Stretch
Bingo! Just got the T-shirt.
Re: Console access on Stretch
Fortunately the shadowfile contained MD5 passwords. The root password is just "root". However I'm unable to access the root shell remotely using that account.
Also Dropbear seems to be configured to allow root access and root password access. So I have to dig in to this some more to see why ssh access is still not possible.
/etc/shadow contains only 1 user with a password hash, which is root.
/etc/passwd contains 2 more users with a password hash, stretch (with password "stretch") and userp1 (with password "userp1")
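A check a firmware reviewer could run over an unpacked root filesystem for the two conditions reported in the post above: password hashes sitting in /etc/passwd and MD5-crypt hashes in /etc/shadow. This is an added example, not part of the original thread; the file contents and hash strings are constructed placeholders and the function names are hypothetical.

```python
import re

# crypt(3) scheme prefixes; md5crypt and traditional DES are weak by current standards.
SCHEMES = {"$1$": "md5crypt", "$2": "bcrypt", "$5$": "sha256crypt",
           "$6$": "sha512crypt", "$y$": "yescrypt"}
WEAK = {"md5crypt", "descrypt"}

def scheme_of(field):
    """Name the hash scheme in a password field, or None when it holds no hash."""
    if field in ("", "x") or field[0] in "*!":
        return None                       # empty, shadowed, or locked account
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"                 # 13-character traditional DES crypt
    return "unknown"

def audit(path, text, world_readable):
    """Return (path, user, issue) findings for one passwd- or shadow-format file."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        user, field = parts[0], parts[1]
        if field == "":
            findings.append((path, user, "empty password field"))
        scheme = scheme_of(field)
        if scheme is None:
            continue
        if world_readable:                # /etc/passwd is readable by every user
            findings.append((path, user, "hash in world-readable file"))
        if scheme in WEAK:
            findings.append((path, user, "weak scheme " + scheme))
    return findings

# Constructed sample files; the hash strings are placeholders, not real hashes.
PASSWD = """root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
stretch:$1$CONSTRUC$AAAAAAAAAAAAAAAAAAAAAA:1000:1000::/home/stretch:/bin/ash
userp1:$1$CONSTRUC$BBBBBBBBBBBBBBBBBBBBBB:1001:1001::/home/userp1:/bin/ash"""
SHADOW = """root:$1$CONSTRUC$CCCCCCCCCCCCCCCCCCCCCC:15800:0:99999:7:::
daemon:*:0:0:99999:7:::"""

def audit_rootfs():
    return audit("/etc/passwd", PASSWD, True) + audit("/etc/shadow", SHADOW, False)

if __name__ == "__main__":
    for finding in audit_rootfs():
        print(": ".join(finding))
```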
Re: Console access on Stretch
Post-IT wrote:
Fortunately the shadowfile contained MD5 passwords. The root password is just "root". However I'm unable to access the root shell remotely using that account.
Also Dropbear seems to be configured to allow root access and root password access. So I have to dig in to this some more to see why ssh access is still not possible.
/etc/shadow contains only 1 user with a password hash, which is root.
/etc/passwd contains 2 more users with a password hash, stretch (with password "stretch") and userp1 (with password "userp1")

Have you used Binwalk? Can you describe your steps?
Last edited by Phoenix on Wed May 01, 2013 12:36 am, edited 3 times in total.