
SPIN: 1 - PhatBox: 0 (PhatBox Successfully Owned)

Started by spin, June 05, 2005, 08:29:07 AM


spin

Bling bling fellas. Finally popped this sucka. Absolutely drooling-on-itself stupid too. After ~25 attempts of hacking phatbox.ini, walking ~800 feet to the car, testing it, walking 800 feet back, and checking the logfile, the solution was dead simple: Just use plsign. Seriously. Replace a player with a shell script, execute plsign on it, add a menu item that executes a file handled by that player. Now that the cat is out of the bag, let's hope PhatNoise doesn't get mean and restrict the keys used to sign the players. If they do that, we will have to actually replace the pubkeys in the disk image...

For example:

  PID  Uid     Stat Command
    1 0         S    init
    2 0         S    [keventd]
    3 0         S    [ksoftirqd_CPU0]
    4 0         S    [kswapd]
    5 0         S    [bdflush]
    6 0         S    [kupdated]
    7 0         S    /bin/sh /etc/init.d/rcS
    9 0         S    /bin/sh /etc/init.d/rcS
   12 0         S    /dos/phatd
   13 0         S    /dos/51d
   85 0         S    /bin/sh /dos/oggplay-ha /dos/tts/it_about.ogg 0
   86 0         S    /bin/sh /dos/hack.sh
   90 0         R    ps aux -wwwwwwwwwwwwwww
XXX: DISK
Filesystem                Size      Used Available Use% Mounted on
/dev/root               363.0k    342.0k      1.0k 100% /
/dev/hda1               259.5M      8.8M    250.7M   3% /dos
/dev/hda5                37.0G      1.5M     37.0G   0% /dos/Data
/dev/root on / type ext2 (rw)
proc on /proc type proc (rw)
/dev/hda1 on /dos type vfat (rw)
/dev/hda5 on /dos/Data type vfat (rw)
XXX: INFO
Processor       : ARM ARM720T rev 2 (v4l)
BogoMIPS        : 36.76
Features        : swp half thumb 26bit

Hardware        : CL-7312 (Phatnoise v1.1)
Revision        : 0000
Serial          : 0000000000000000
        total:    used:    free:  shared: buffers:  cached:
Mem:  13332480  4030464  9302016        0   233472  2256896
Swap:        0        0        0
MemTotal:        13020 kB
MemFree:          9084 kB
MemShared:           0 kB
Buffers:           228 kB
Cached:           2204 kB
SwapCached:          0 kB
Active:            964 kB
Inactive:         1988 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:        13020 kB
LowFree:          9084 kB
SwapTotal:           0 kB
SwapFree:            0 kB
XXX: DMESG
Linux version 2.4.18-rmk3-crypt1 (vince@VonHagen.phatnoise.com) (gcc version 2.95.3 20010315 (release)) #5 Thu May 29 11:53:53 PDT 2003
Processor: ARM ARM720T revision 2
Architecture: CL-7312 (Phatnoise v1.1)
Machine name is: CL-7312 (Phatnoise v1.1)
Param offset is: 0xC0023000
Tags  offset is: 0xC0023000
fixup_clep7312()
Converting old-style param struct to taglist
edb7211_map_io()
On node 0 totalpages: 4096
zone(0): 4096 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: init=/bin/bash
Relocating machine vectors to 0xffff0000
clps711x_init_irq() begin NR_IRQS = 128
clps711x_init_irq() end
clps711x_setup_timer() SYSCON1 = 0xff000100 adding TC2S and TC2M bits
clps711x_setup_timer() SYSCON1 = 0xff0001c0
clps711x_setup_timer() SYSCON2 = 0xff000100
clps711x_setup_timer() SYSCON3 = 0xff000026
Calibrating delay loop... 36.76 BogoMIPS
initrd_start = 0xC0C00000
Memory: 16MB = 16MB total
Memory: 11952KB available (711K code, 2229K data, 44K init)
Dentry-cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode-cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
ttyAM0 at I/O 0x100 (irq = 12) is a CLPS711x
ttyAM1 at I/O 0x1100 (irq = 28) is a CLPS711x
pty: 256 Unix98 ptys configured
block: 64 slots per queue, batch=16
RAMDISK driver initialized: 16 RAM disks of 1048576K size 1024 blocksize
ide: Assuming 50MHz system bus speed for PIO modes; override with idebus=xx
PhatNoise ide_init_default_hwifs()
IO_SYSCON1 = 0x000401C0
IO_SYSCON2 = 0x00040100
IO_SYSCON3 = 0x00040026
IO_MEMCFG1 = 0x00000080
IO_MEMCFG2 = 0xFFFDBD00
hda: FUJITSU MHV2040AT, ATA DISK drive
ide0 at 0xfe100000-0xfe100007,0xfe10000e on irq 6
hda: 78140160 sectors (40008 MB) w/2048KiB Cache, CHS=77520/16/63
Partition check:
 hda: hda1 hda2 < hda5 >
DAI: Version 1.2
DAI: major 14
DAI: dai_init() initializing stuff
DAI: regs.ARM_ip = 0xff002000
DAI: dai_init() setting fiq handler
FIQ: copying code to 0xFFFF001C
DAI: dai_init() SYSCON1 (0x000401c0)
DAI: dai_init() SYSCON2 (0x00040100)
DAI: dai_init() SYSCON3 (0x00040026)
DAI: dai_init() INTMR1  (0x00040240)
DAI: dai_init() INTMR2  (0x00040000)
DAI: dai_init() INTMR3  (0x00040000)
DAI: dai_init() DAISR   (0x00001505)
DAI: dai_init() DAI64FS (0x00000000)
DAI: dai_init() setting PE.1
DAI: dai_init() setting DAI Control Register
DAI: dai_init() clearing DAI status register bits
DAI: dai_init() setting DAIR_DAIEN
DAI: dai_init() DAISR = 0x00009a00
DAI: dai_init() adding routine to task queue
DAI: dai_init() enabling DAI interrupt
PhatNoise Board v1.1
LED: major 13
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
Fast Floating Point Emulator V0.9 (c) Peter Teichmann.
RAMDISK: ext2 filesystem found at block 0
RAMDISK: Loading 400 blocks [1 disk] into ram disk... done.
Freeing initrd memory: 1024K
VFS: Mounted root (ext2 filesystem).
Freeing init memory: 44K

para

#1
Plsign? I thought the key used to sign the playlists differs from the one used for the "important" files? We'd already tried that AFAIK...

Para

Genesis

Ok, it may have been tried but tried wrong.

Explain the boot trace if it didn't work.... :D

Better, try it and see what 'ya get.

para


ralph.deratt

Quote: Bling bling fellas. Finally popped this sucka. Absolutely drooling-on-itself stupid too. After ~25 attempts of hacking phatbox.ini, walking ~800 feet to the car, testing it, walking 800 feet back, and checking the logfile, the solution was dead simple: Just use plsign. Seriously. Replace a player with a shell script, execute plsign on it, add a menu item that executes a file handled by that player. Now that the cat is out of the bag, let's hope PhatNoise doesn't get mean and restrict the keys used to sign the players. If they do that, we will have to actually replace the pubkeys in the disk image...

Would you please post the contents of your shell script and menu file. Also, a little more detail on the step-by-step process would be helpful.

RdeR


judb

#5
Yeah, that would be helpful.. I'd like to have someone dump the tty settings to a file on the DMS so we know what ttyS0 is set to, so we can get serial access nailed down.

Can you show us the contents of hack.sh? Thanks..

bushing

Argh!  You win. ;)

I don't care what they do at this point.  Here's the path I want to go down at this point:

1. Dump the rom image
2. Patch the rom image to not check the drive signature (or any other signatures)
3. Find / write a utility to reflash the bios from linux, and do so
4. Patch phatd and 51d to not check signatures
5. ??
6. PROFIT!

Along those lines ... since my board is out and sitting on my workbench, it'll be a couple days before I get a chance to put it back in my car and test this out.  Will someone out there do me a HUGE favor?

Page 1-3 of the EP73xx User's Guide (linked to in the FAQ section) gives a memory map that says that the ROM bank 0 should start at 0x00000000 in memory.

With that in mind, can someone get the box to run this command:

dd if=/dev/mem of=/dos/rom.bin bs=1024 count=128

... and email the rom.bin file produced to bushing at  gmail.com ?? I'd really appreciate it, and the sooner someone can do that, the sooner I can start working on a packaged solution to reflash and / or upgrade drives.

Ben

judb

#7
@Bushing: I don't have a working Linux box to run plsign on.. can you whip up a shell script, plsign that bad boy and send me the plsigned file and the sig.. I have a Kenwood FM modulator set up so I can run a PhatBox right next to me and see it work or not. Easy to whip the DMS in and out.. hehe :)

judb

#8
I am pretty sure that the stty command is in the busybox IIRC.. so just run a stty..
Maybe:
stty -F /dev/ttyS0 -a > /dos/ttyS0
stty -F /dev/ttyS1 -a > /dos/ttyS1
stty -F /dev/ttyAM0 -a > /dos/ttyAM0
stty -F /dev/ttyAM1 -a > /dos/ttyAM1

Edit.. also an ls -la /dev would be useful to figure out if any other device names are not present in the ramdisk image.. the post log he shows and the tty names in the ramdisk differ.. so I'm thinking it's stock stuff in there. /dev/console might be redirected to ttyS0 which doesn't exist.. we may need to modify it to /dev/ttyAM0 to really see the console output.

spin

A HOAX?!?!!??! You think I just *MADE UP* a kernel log? WTF. No. Try this:

1) Create a shell script that does something. I called mine hack.sh. The /dos and /dos/Data partitions are mounted r/w, so just run some command and write the output to a file.

2) Rename your shell script to phatwma or oggplay-la or something. Replace one of the players (aadec, phatwma, oggplay*, etc).

3) Use plsign to sign the renamed shell script.

4) Edit PhatBox.ini. Go to the menu and add a new menu item that plays a non-existent file ENDING with the extension that is handled by the player you are backdooring. Make sure you change the menu item count if you didn't before.

5) Plug the box into your car. Browse to the menu item. When it hits it, and tries to play the audio for it, it will run your player.

This is a nice method because you can take an unused extension, replace the player, and make this a generic command handler based on the name of the audio file. From this point, you can run any code on the DMS, jack with the hardware, try to dump the flash, read /proc/kcore, etc, etc.
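As an added defensive check, not part of the thread: the method above leaves two traces on the DMS, a "player" under /dos that is a shell script rather than an ELF binary, and a phatbox.ini menu entry whose audio file does not exist. This script flags both; the player names are taken from the thread, the fixture files it builds are constructed for the demo, and the /dos prefix is remapped onto whatever directory is being examined.

```shell
#!/bin/sh
# Added example (not from the thread). Checks a mounted DMS /dos directory
# for the backdoor pattern described above.

# Print names of known players that are present but do not start with the
# ELF magic (7f 45 4c 46), i.e. have been swapped for a script.
find_script_players() {
    dir="$1"
    for name in aadec phatwma oggplay oggplay-ha oggplay-la flacplay; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
        [ "$magic" = "7f454c46" ] || echo "$name"
    done
}

# Print menu.N.audio entries in phatbox.ini whose target file is missing.
# A menu item that points at a non-existent file is the trigger used above.
find_phantom_audio() {
    dir="$1"
    grep '^menu\.[0-9]*\.audio=' "$dir/phatbox.ini" |
    while IFS='=' read -r key path; do
        local_path="$dir${path#/dos}"
        [ -e "$local_path" ] || echo "$key=$path"
    done
}

# Constructed fixture: a genuine-looking oggplay, a scripted flacplay, one
# real TTS file and a phatbox.ini with one phantom menu entry.
make_fixture() {
    dir=$(mktemp -d)
    printf '\177ELF\001\001\001' > "$dir/oggplay"
    printf '#!/bin/sh\n/dos/hack.sh >> /dos/hack.log 2>&1\n' > "$dir/flacplay"
    chmod +x "$dir/flacplay"
    mkdir -p "$dir/tts"
    : > "$dir/tts/it_about.ogg"
    printf '%s\n' \
        'menu.6.text=ABOUT' \
        'menu.6.audio=/dos/tts/it_about.ogg' \
        'menu.7.text=BACKDOOR FLAC' \
        'menu.7.audio=/dos/tts/it_about.flac' \
        'menu.7.action=FIRMWARE_VERSION' > "$dir/phatbox.ini"
    echo "$dir"
}

# Usage against a real mount: sh check_dms.sh /mnt/dos
if [ -n "$1" ]; then
    find_script_players "$1"
    find_phantom_audio "$1"
fi
```

On the fixture it reports `flacplay` and `menu.7.audio=/dos/tts/it_about.flac`, the two traces of the technique.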

spin

Oh, FYI, you can't use plsign to replace phatd or many of the other utilities. I only had luck replacing some of the player commands (oggplay, phatwma, aadec).

judb

can you show me an example entry from the phatbox.ini?

spin

[ phatbox.ini - under BMW ]
menu.7.text=BACKDOOR FLAC
menu.7.audio=/dos/tts/it_about.flac
menu.7.action=FIRMWARE_VERSION

[ /dos/flacplay ]
#!/bin/sh
/dos/hack.sh >> /dos/hack.log 2>&1

root@slasher mnt # /downloads/phatbox/plsign flacplay
Signature file for the playlist flacplay.sig has been generated.
root@slasher mnt # ls -al flacplay.sig
-rwxr--r--    1 root     root          240 Jun  5 13:14 flacplay.sig

spin

BTW, I will do a kcore | /dev/mem dump later this evening, got to run though. Any ideas for adding peripherals to the PB? A working serial port would be nice, but attaching a CF/USB to it would be nicer. I am working on getting the pinouts for BMW GPS... It would rock to make my own voice-nav system... or use serial cable to interface with another box.. say with wifi.. and have audio-driven gps-enabled wardriving kit ;-)

LindsayLohan

Let me say congratulations to Spin for finding and Vince for enabling this avenue of software exploit.

judb

#15
If someone could make a copy of spin's posted flacplay script and sign it.. then send me both the flacplay and the .sig file created for it, I can do all this stuff pretty quickly. I just tried using a Knoppix boot CD to mount my DMS to try using plsign that way but it doesn't like my USB controller I guess. Stupid XPS2 Dell laptop!


Quote: Let me say congratulations to Spin for finding and Vince for enabling this avenue of software exploit.

Well, let's not start celebrating yet.. we don't know if this will really work or not, much less that we can use it to crack the phatbox drive security.


Quote: BTW, I will do a kcore | /dev/mem dump later this evening, got to run though. Any ideas for adding peripherals to the PB? A working serial port would be nice, but attaching a CF/USB to it would be nicer. I am working on getting the pinouts for BMW GPS... It would rock to make my own voice-nav system... or use serial cable to interface with another box.. say with wifi.. and have audio-driven gps-enabled wardriving kit ;-)

Well, I highly doubt we would be able to get much more than serial access working without significant modifications to the phatbox board, which would really mean if we can get the boot loader cracked we could make our own boards with whatever hardware we need (USB / Video etc), update the kernel source from phatnoise to support it, and then boot the system using our new kernel.

The trick will be cracking the boot loader and then finding a source for the parts we need to build a board like that. (Would still need to be ARM based.. maybe even Maverick 7312 based.. depending on what phatd and 51d need to operate. In fact if we crack the boot loader code we may be able to replace the keys and not have to change anything about the software in phatd or 51d to have it keep working.. that's 'cause we can insert a modified hdparm that reports whatever we want it to. hehe)

With all that said, I am not terribly interested in modifying the hardware design, I'm just pointing out the issues with the idea... I think building / selling boards like that would QUICKLY get us in legal trouble.

judb

Quote: Argh!  You win. ;)

I don't care what they do at this point.  Here's the path I want to go down at this point:

1. Dump the rom image
2. Patch the rom image to not check the drive signature (or any other signatures)
3. Find / write a utility to reflash the bios from linux, and do so
4. Patch phatd and 51d to not check signatures
5. ??
6. PROFIT!

Along those lines ... since my board is out and sitting on my workbench, it'll be a couple days before I get a chance to put it back in my car and test this out.  Will someone out there do me a HUGE favor?

Page 1-3 of the EP73xx User's Guide (linked to in the FAQ section) gives a memory map that says that the ROM bank 0 should start at 0x00000000 in memory.

With that in mind, can someone get the box to run this command:

dd if=/dev/mem of=/dos/rom.bin bs=1024 count=128

... and email the rom.bin file produced to bushing at  gmail.com ?? I'd really appreciate it, and the sooner someone can do that, the sooner I can start working on a packaged solution to reflash and / or upgrade drives.

Ben

Is dd included with busybox? We may need to compile a version for this box and put it on the phatsys partition...

judb

#17
This is the hack.sh I want to try and run first.... Make sure that the directory stuff exists in the phatsys partition...

#!/bin/sh
# output goes under /dos/stuff on the phatsys (vfat) partition
mkdir -p /dos/stuff
echo "/bin/stty -F /dev/ttyS0 -a > /dos/stuff/ttyS0.txt"
/bin/stty -F /dev/ttyS0 -a > /dos/stuff/ttyS0.txt
echo "/bin/stty -F /dev/ttyS1 -a > /dos/stuff/ttyS1.txt"
/bin/stty -F /dev/ttyS1 -a > /dos/stuff/ttyS1.txt
echo "/bin/stty -F /dev/ttyAM0 -a > /dos/stuff/ttyAM0.txt"
/bin/stty -F /dev/ttyAM0 -a > /dos/stuff/ttyAM0.txt
echo "/bin/stty -F /dev/ttyAM1 -a > /dos/stuff/ttyAM1.txt"
/bin/stty -F /dev/ttyAM1 -a > /dos/stuff/ttyAM1.txt
echo "/bin/ls -la /dev > /dos/stuff/devlist.txt"
/bin/ls -la /dev > /dos/stuff/devlist.txt
# PATH goes to stdout, i.e. into hack.log when run via the player wrapper
echo $PATH
set > /dos/stuff/set.txt
# first 128 KB of /dev/mem, where the EP73xx memory map puts ROM bank 0
echo "dd if=/dev/mem of=/dos/rom.bin bs=1024 count=128"
dd if=/dev/mem of=/dos/rom.bin bs=1024 count=128

para

#18
Quote: A HOAX?!?!!??! You think I just *MADE UP* a kernel log? WTF. No.

Hey, no offense Spin :D It's just hard to grasp that we finally make some progress! I appreciate your work mate...

@judb: hope my flacplay works...

judb

#19
Well I don't have VIOT on this keg.. so I can get it to work. Any ideas?

That means the menuid options are missing for the kenwood headunits.