From a22a6fb8a24ec6014d23e298b782d59b69c64617 Mon Sep 17 00:00:00 2001
From: Conor Horan-Kates
Date: Tue, 22 May 2018 22:06:20 -0700
Subject: [PATCH] cleanup commit, but check the end of REAMDE.md - is this solved\?
---
revolabs-flx_uc_1000/README.md | 80 +++++++++++++++++++++++++++++++++
revolabs-flx_uc_1000/uncyacd.rb | 60 +++++++++++++++++++++++++
2 files changed, 140 insertions(+)
create mode 100755 revolabs-flx_uc_1000/uncyacd.rb

diff --git a/revolabs-flx_uc_1000/README.md b/revolabs-flx_uc_1000/README.md
index 975459c..9fd9746 100644
--- a/revolabs-flx_uc_1000/README.md
+++ b/revolabs-flx_uc_1000/README.md
@@ -130,6 +130,86 @@ looking at the `S45Revo` file, a potential avenue to `uid=0`: more to come. +``` +$ tree /squash/ +... +│   └── modules +│   └── 2.6.37+ +│   ├── build -> /home/hudson/jobs/Ruby1000-Tools/workspace/Ruby/dvsdk/psp/linux-2.6.37-psp03.21.00.04.sdk +│   ├── kernel +│   │   └── drivers +│   │   ├── dsp +│   │   │   └── dsplinkk.ko +│   │   └── usb +│   │   ├── core +│   │   │   └── usbcore.ko +│   │   ├── musb +│   │   │   ├── da8xx.ko +│   │   │   └── musb_hdrc.ko +│   │   ├── otg +│   │   │   └── nop-usb-xceiv.ko +│   │   └── serial +│   │   └── usbserial.ko +... +``` + +well at least they're using CI.. + + +``` +│   ├── USB_Digital_Audio1500_bb.cyacd +│   ├── USB_Digital_Audio1500.cyacd +│   ├── USB_Digital_Audio_bb.cyacd +│   ├── USB_Digital_Audio.cyacd +``` + +according to [a quick google search](http://www.cypress.com/knowledge-base-article/format-cyacd-file-psoc-3-or-psoc-5lp-bootloader-kba216138), these are 'Code Data Files' for the PSoC 3 or PSoC 5 Bootloader + +with a format of: +``` +[1-byte ArrayID][2-byte RowNumber][2-byte DataLength][N-byte Data][1byte Checksum] +``` + +``` +# head /squashy/sbin/USB_Digital_Audio1500_bb.cyacd +1E07D0690301 +:0000280120022EE9008F828E83E0540100000070F82278FFE4F6D8FD022F18BB010689828A83E0225002E722BBFE02E32289828A83E49322BB010689828A83F0225002F722BBFE01F322C5F0F8A3E028F0C5F0F8E582158270021583E038F022A3F8E0C5F025F0F0E582158270021583E0C838F0E822BB010A89828A83E0F5F0A3E022500687F009E71922BBFE07E3F5F009E3192289828A83E493F5F074019322BB010A89828A83F0E5F0A3F0225006F70 +9A7F01922BBFE06F3E5F009F31922EF2BFFEE3AFEED39FDEC38FC22C3EF9BFFEE9AFEED99FDEC98FC22E88FF0A4CC8BF0A42CFCE98EF0A42CFC8AF0EDA42CFCEA8EF0A4CDA8F08BF0A42DCC3825F0FDE98FF0A4250045017E0 +20052040404104011C07C4000640527048203837F84078A7F0100A3 
+:00002901202CCD35F0FCEB8EF0A4FEA9F0EB8FF0A4CFC5F02ECD39FEE43CFCEAA42DCE35F0FDE43CFC2275F008758200EF2FFFEE33FECD33CDCC33CCC58233C5829BED9AEC99E58298400CF582EE9BFEED9AFDEC99FC0FD5F0D6E4CEFBE4CDFAE4CCF9A88222B800C1B90059BA002DEC8BF084CFCECDFCE5F0CBF97818EF2FFFEE33FEED33FDEC33FCEB33FB10D703994004EB99FB0FD8E5E4F9FA227818EF2FFFEE33FEED33FDEC33FCC933C910D7059BE +99A4007EC9BFCE99AF90FD8E0E4C9FAE4CCFB2275F010EF2FFFEE33FEED33FDCC33CCC833C810D7079BEC9AE899400AED9BFDEC9AFCE899F80FD5F0DAE4CDFBE4CCFAE4C8F922EF5BFFEE5AFEED59FDEC58FC225A0304040F0 +81109020A220B0D0C070E081480150616701709188019011A701C0B +``` + + +``` +... + │   └── udev + │   ├── saved.cmdline +... +``` + +shows us that they are booting with ```mem=128M console=ttyS0,115200n8 root=/dev/ram0 rw initrd=0xc1180000,4m ip=off```, which should help with the TFTP booting attack + +```js +.call(this), function () { + "use strict"; + angular.module("r1kApp").config(["$stateProvider", function (a) { + return a.state("main.diag", {url: "diag", templateUrl: "app/diag/diag.html", controller: "DiagCtrl"}) + }]), angular.module("r1kApp").controller("DiagCtrl", ["$scope", "Device", "$rootScope", function (a, b) { + return a.forms = diag.forms, a.diag = [], a.submitForm = function (c) { + var d; + return d = {}, d[c] = a.diag[c] || "", b.request("RequestStatus", d).then(function () { + return a.buildToast("Command has been sent.") + }, function () { + return a.buildToast("Uh oh! Couldn't send command. Is the device available?") + }) + } + }]) +``` + +looking at this, it would appear that http:///app/diag/diag.html exposes a mechanism to execute arbitrary commands. `/usr/sbin/telnetd` anyone? + ### log mining and traffic sniffing using functionality, and the high logging levels they provided, was able to determine a number of things: diff --git a/revolabs-flx_uc_1000/uncyacd.rb b/revolabs-flx_uc_1000/uncyacd.rb new file mode 100755 index 0000000..703abbc --- /dev/null +++ b/revolabs-flx_uc_1000/uncyacd.rb 
@@ -0,0 +1,60 @@
+#!/usr/bin/env ruby
+## uncyacd.rb -- reconstituting PSoC boot files from their proprietary format
+
+# .cyacd file format:
+# [4-byte SiliconID][1-byte SiliconRev][checksum type]
+# The data records have the format:
+# [1-byte ArrayID][2-byte RowNumber][2-byte DataLength][N-byte Data][1byte Checksum]
+# The Checksum is computed by summing all bytes (excluding the checksum itself) and then taking the 2's complement.
+
+filename = ARGV.first || sprintf('%s/git/rouster/USB_Digital_Audio1500_bb.cyacd', ENV['HOME']) if filename.nil?
+filename = sprintf('%s/git/h4ck/revolabs-flx_uc_1000/test.cyacd', ENV['HOME'])
+
+unless File.file?(filename)
+  puts sprintf('USAGE: %s ', File.basename(__FILE__))
+  exit 0
+end
+
+File.open(filename, 'rb') do |f|
+
+  to_read = 1
+  array_id = f.read(to_read)
+
+  to_read = 2
+  row_number = f.read(to_read)
+
+  to_read = 2
+  data_length = f.read(to_read)
+
+  to_read = data_length
+  data = f.read(to_read) # TODO not sure that this will actually be an integer
+
+  to_read = 1
+  checksum = f.read(to_read)
+
+  p 'DBGZ' if nil?
+end
+
+# current_bucket = 0
+# bucket_size = 10
+#
+# File.open(filename, 'rb') do |f|
+#   p 'DBGZ' if nil?
+#   f.seek(current_bucket * bucket_size)
+#   s = f.read(bucket_size)
+#   current_bucket += 1
+#   p 'DBGZ' if nil?
+# end
+
+contents = File.read(filename)
+
+contents.split("\n").each do |line|
+  # this should show us how to actually do this: https://github.com/gv1/hex2cyacd/blob/master/ihex2cyacd.pl
+  split = line.split(':')
+  label = split.first.chomp
+  split[1..split.size].each do |data|
+    p 'DBGZ' if nil?
+  end
+
+end
+
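Review bot: The second assignment `filename = sprintf('%s/git/h4ck/revolabs-flx_uc_1000/test.cyacd', ENV['HOME'])` unconditionally overwrites the value chosen on the line before it, so the ARGV path and the `USAGE:` branch can never take effect; dropping that line (or turning it into `filename ||= ...`) restores the intended argument handling, and the usage branch should end with `exit 1` rather than `exit 0` so a missing file is reported as a failure. Further down, `to_read = data_length` feeds the 2-byte String returned by `f.read(2)` straight back into `f.read`, which raises a TypeError because `IO#read` takes an Integer; the length must be decoded first, e.g. `data_length = f.read(2).unpack1('n')` (byte order to be confirmed against the Cypress format description quoted in the header comment). Judging by the `head` output in this patch's README hunk, the .cyacd file appears to be ASCII hex rather than raw bytes, so the fixed-width reads in the `File.open` block would also need each `:`-prefixed record hex-decoded (`[hex].pack('H*')`) before the fields can be sliced — the later loop over `line.split(':')` looks like the right place for that. The `p 'DBGZ' if nil?` lines call `nil?` on the top-level object, which is always false, so they are dead code and can be removed.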