cleanup commit, but check the end of REAMDE.md - is this solved\?

2018-05-22 22:06:20 -07:00 · 2018-05-22 22:06:20 -07:00 · a22a6fb8a2
commit a22a6fb8a2
parent a4bb31f084
2 changed files with 140 additions and 0 deletions
--- a/revolabs-flx_uc_1000/README.md
+++ b/revolabs-flx_uc_1000/README.md
@ -130,6 +130,86 @@ looking at the `S45Revo` file, a potential avenue to `uid=0`:
 more to come.
 ```
 $ tree /squash/
 ...
 │   └── modules
 │       └── 2.6.37+
 │           ├── build -> /home/hudson/jobs/Ruby1000-Tools/workspace/Ruby/dvsdk/psp/linux-2.6.37-psp03.21.00.04.sdk
 │           ├── kernel
 │           │   └── drivers
 │           │       ├── dsp
 │           │       │   └── dsplinkk.ko
 │           │       └── usb
 │           │           ├── core
 │           │           │   └── usbcore.ko
 │           │           ├── musb
 │           │           │   ├── da8xx.ko
 │           │           │   └── musb_hdrc.ko
 │           │           ├── otg
 │           │           │   └── nop-usb-xceiv.ko
 │           │           └── serial
 │           │               └── usbserial.ko
 ...
 ```
 well at least they're using CI..
 ```
 │   ├── USB_Digital_Audio1500_bb.cyacd
 │   ├── USB_Digital_Audio1500.cyacd
 │   ├── USB_Digital_Audio_bb.cyacd
 │   ├── USB_Digital_Audio.cyacd
 ```
 according to [a quick google search](http://www.cypress.com/knowledge-base-article/format-cyacd-file-psoc-3-or-psoc-5lp-bootloader-kba216138), these are 'Code Data Files' for the PSoC 3 or PSoC 5 Bootloader
 with a format of:
 ```
 [1-byte ArrayID][2-byte RowNumber][2-byte DataLength][N-byte Data][1byte Checksum]
 ```
 ```
 # head /squashy/sbin/USB_Digital_Audio1500_bb.cyacd
 1E07D0690301
 :0000280120022EE9008F828E83E0540100000070F82278FFE4F6D8FD022F18BB010689828A83E0225002E722BBFE02E32289828A83E49322BB010689828A83F0225002F722BBFE01F322C5F0F8A3E028F0C5F0F8E582158270021583E038F022A3F8E0C5F025F0F0E582158270021583E0C838F0E822BB010A89828A83E0F5F0A3E022500687F009E71922BBFE07E3F5F009E3192289828A83E493F5F074019322BB010A89828A83F0E5F0A3F0225006F70
 9A7F01922BBFE06F3E5F009F31922EF2BFFEE3AFEED39FDEC38FC22C3EF9BFFEE9AFEED99FDEC98FC22E88FF0A4CC8BF0A42CFCE98EF0A42CFC8AF0EDA42CFCEA8EF0A4CDA8F08BF0A42DCC3825F0FDE98FF0A4250045017E0
 20052040404104011C07C4000640527048203837F84078A7F0100A3
 :00002901202CCD35F0FCEB8EF0A4FEA9F0EB8FF0A4CFC5F02ECD39FEE43CFCEAA42DCE35F0FDE43CFC2275F008758200EF2FFFEE33FECD33CDCC33CCC58233C5829BED9AEC99E58298400CF582EE9BFEED9AFDEC99FC0FD5F0D6E4CEFBE4CDFAE4CCF9A88222B800C1B90059BA002DEC8BF084CFCECDFCE5F0CBF97818EF2FFFEE33FEED33FDEC33FCEB33FB10D703994004EB99FB0FD8E5E4F9FA227818EF2FFFEE33FEED33FDEC33FCC933C910D7059BE
 99A4007EC9BFCE99AF90FD8E0E4C9FAE4CCFB2275F010EF2FFFEE33FEED33FDCC33CCC833C810D7079BEC9AE899400AED9BFDEC9AFCE899F80FD5F0DAE4CDFBE4CCFAE4C8F922EF5BFFEE5AFEED59FDEC58FC225A0304040F0
 81109020A220B0D0C070E081480150616701709188019011A701C0B
 ```
 ```
 ...
    │   └── udev
    │       ├── saved.cmdline
 ...
 ```
 shows us that they are booting with ```mem=128M console=ttyS0,115200n8 root=/dev/ram0 rw initrd=0xc1180000,4m ip=off```, which should help with the TFTP booting attack
 ```js
 .call(this), function () {
    "use strict";
    angular.module("r1kApp").config(["$stateProvider", function (a) {
        return a.state("main.diag", {url: "diag", templateUrl: "app/diag/diag.html", controller: "DiagCtrl"})
    }]), angular.module("r1kApp").controller("DiagCtrl", ["$scope", "Device", "$rootScope", function (a, b) {
        return a.forms = diag.forms, a.diag = [], a.submitForm = function (c) {
            var d;
            return d = {}, d[c] = a.diag[c] || "", b.request("RequestStatus", d).then(function () {
                return a.buildToast("Command has been sent.")
            }, function () {
                return a.buildToast("Uh oh! Couldn't send command. Is the device available?")
            })
        }
    }])
 ```
 looking at this, it would appear that http://<device>/app/diag/diag.html exposes a mechanism to execute arbitrary commands. `/usr/sbin/telnetd` anyone?
 ### log mining and traffic sniffing
 using <dump logs?> functionality, and the high logging levels they provided, was able to determine a number of things:
--- a/revolabs-flx_uc_1000/uncyacd.rb
+++ b/revolabs-flx_uc_1000/uncyacd.rb
@ -0,0 +1,60 @@
 #!/usr/bin/env ruby
 ## uncyacd.rb -- reconstituting PSoC boot files from their proprietary format
 # .cyacd file format:
 #                 [4-byte SiliconID][1-byte SiliconRev][checksum type]
 # The data records have the format:
 #                               [1-byte ArrayID][2-byte RowNumber][2-byte DataLength][N-byte Data][1byte Checksum]
 # The Checksum is computed by summing all bytes (excluding the checksum itself) and then taking the 2's complement.
 filename = ARGV.first || sprintf('%s/git/rouster/USB_Digital_Audio1500_bb.cyacd', ENV['HOME']) if filename.nil?
 filename = sprintf('%s/git/h4ck/revolabs-flx_uc_1000/test.cyacd', ENV['HOME'])
 unless File.file?(filename)
  puts sprintf('USAGE: %s <file.cyacd>', File.basename(__FILE__))
  exit 0
 end
 File.open(filename, 'rb') do |f|
  to_read = 1
  array_id = f.read(to_read)
  to_read = 2
  row_number = f.read(to_read)
  to_read = 2
  data_length = f.read(to_read)
  to_read = data_length
  data = f.read(to_read) # TODO not sure that this will actually be an integer
  to_read = 1
  checksum = f.read(to_read)
  p 'DBGZ' if nil?
 end
 # current_bucket = 0
 # bucket_size    = 10
 #
 # File.open(filename, 'rb') do |f|
 #   p 'DBGZ' if nil?
 #   f.seek(current_bucket * bucket_size)
 #   s = f.read(bucket_size)
 #   current_bucket += 1
 #   p 'DBGZ' if nil?
 # end
 contents = File.read(filename)
 contents.split("\n").each do |line|
  # this should show us how to actually do this: https://github.com/gv1/hex2cyacd/blob/master/ihex2cyacd.pl
  split = line.split(':')
  label = split.first.chomp
  split[1..split.size].each do |data|
    p 'DBGZ' if nil?
  end
 end