Update: ‘eku952’ posted a comment letting me know that this no longer works. I’ve done some investigation, and found that Circle now does an RSA signature verification of the downloaded firmware (a 512-byte RSA signature is appended to the end of the firmware image). If the RSA verify operation fails, the firmware image will not be installed.
So, unless another exploit is found, there is no way to patch Circle’s firmware/push that firmware image to your Circle device. I am not actively working on this (too busy with other things), so don’t expect another exploit from me.
It may still be possible to gain access via the serial port, at which point you could manually install your own firmware image.
In my earlier Firmware Updates post, I mentioned that it’s possible to download an official Circle firmware update, modify it to add a custom user/password to /etc/passwd and /etc/shadow, then upload that firmware to your Circle device. I’ll describe how to do that here (along with scripts to make it easier).
WARNING: Please be very careful when updating the firmware on your Circle device – a corrupted firmware image could ‘brick’ your device. Please carefully review the scripts I’ve included here and make sure you understand them and are comfortable with the changes before installing any hacked firmware.
Yesterday, I pointed out the fact that the latest firmware will delete the ‘root’ password from /etc/shadow (as part of a switch to using key-based ssh access). So, this example will add a ‘hackme’ user (with password ‘hackme’) with root privileges. Once logged-in as ‘hackme’, you can change the ‘root’ password to whatever you like (although, keep in mind that a future firmware update may reset the ‘root’ password again).
I’ve written a script (called fw_hackify.sh) which will optionally download (if –fetch option specified), then modify an official Circle firmware image to include/run a new script (for this example, that script is hackme_add_user.sh) as the final step of the firmware installation (before the reboot).
A standard firmware update image from Circle includes a script called update_firmware.sh which is run as the final step of the installation. fw_hackify.sh modifies this script in the firmware to first run a script called ‘hackme.sh’, which (in this example) is the hackme_add_user.sh script which you’ll pass to the script as an option.
Building the modified firmware image
Prerequisite: you will need the ‘aescrypt’ command installed on your system (can be found here).
Here’s the command to download the latest firmware from Circle and generate the hacked firmware:
$ ./fw_hackify.sh --fetch fw_orig.bin hackme_add_user.sh fw_hacked.bin Fetching Circle firmware... Downloaded original firmware file: 'fw_orig.bin' Decrypting Circle firmware... Modifying Circle firmware Encrypting modified Circle firmware... Created hackified firmware file: 'fw_hacked.bin' from 'fw_orig.bin' and 'hackme_add_user.sh'
The ‘–fetch’ option tells the script to download the firmware from Circle (saving it as ‘fw_orig.bin’). If you already have a Circle firmware image, you can skip the ‘–fetch’ option (and just specify it as the first argument (‘fw_orig.bin’ in this example)).
The fw_hackify.sh script is meant to be generic. It will add a user-specified ‘hackme.sh’ script to the firmware and modify the firmware image to run that as the last step before rebooting. I’m including the hackme_add_user.sh as an example ‘hackme.sh’ script which will run on the Circle device and add the ‘hackme’ user/password. But, you can replace it with any script you want to run on the Circle device as the last step of the install.
Pushing the new firmware image to your Circle device
Ensure that your Circle device is in the proper subnet
The Circle API command “UPLOAD_FIRMWARE” can be used to upload/install the new firmware. It only works if your Circle device is in the default “10.123.234.xxx” subnet.
The ‘factory default’ IP address used for the Circle Wifi access point (when your device is in a unconfigured state) is “10.123.234.1”, so restoring your Circle device to factory defaults (and connecting to its Wifi AP, with a fixed “10.123.234.xxx” IP on your PC) will let you push the firmware to your device.
Another option is to setup a DHCP server on a wired network. When you connect your Circle device to a wired network, it will disable its Wifi AP and use DHCP to get an IP address on the wired network. If your DHCP server is on the “10.123.234.xxx” subnet and hands such an address to your Circle device (and your PC is on the same subnet/gets its IP from the same DHCP server), then you can push the firmware image to your device.
Push the firmware update image to your device
The following ‘curl’ command will push the modified firmware image to your Circle device (which will then decrypt/install the image) (this assumes your Circle device is at 10.123.234.1):
$ curl -k -F "file=@fw_hacked.bin;filename=nameinpost" https://10.123.234.1:4567/api/UPLOAD_FIRMWARE
{
"result":"success"
}
After the firmware install finishes, the “update_firmware.sh” script inside the firmware update will run, which will run the “hackme.sh” script. This will add the “hackme” user. Then, the device will reboot.
Logging in to your Circle device with ssh
Now that you have a ‘hackme’ user (password ‘hackme’), you can ssh into your device (assuming you are on the same subnet and know the Circle’s IP):
$ ssh hackme@10.123.234.1 hackme@10.123.234.1's password: BusyBox v1.22.1 (2014-09-20 22:01:35 CEST) built-in shell (ash) Enter 'help' for a list of built-in commands. _______ ________ __ | |.-----.-----.-----.| | | |.----.| |_ | - || _ | -__| || | | || _|| _| |_______|| __|_____|__|__||________||__| |____| |__| W I R E L E S S F R E E D O M ----------------------------------------------------- BARRIER BREAKER (14.07, r42625) ----------------------------------------------------- * 1/2 oz Galliano Pour all ingredients into * 4 oz cold Coffee an irish coffee mug filled * 1 1/2 oz Dark Rum with crushed ice. Stir. * 2 tsp. Creme de Cacao ----------------------------------------------------- root@circle:~#
That’s it – you’re in! At this point, I’d recommend changing the ‘hackme’ user’s password (use “passwd hackme” command). You can also change the ‘root’ user’s password (so you can login as root instead), although keep in mind that a new firmware update may delete that password.
Very informative. Thank you.
Great work! I knew that it was running Linux! OpenWRT no less!
I found this blog after attempting to ssh into a circle device. I figured out that you can completely bypass the circle AND it’s dirty ARP poisoning on Windows by using >netsh interface ip add neighbors to set a static ARP entry of the mac address of your router. The circle adds over 2ms on the ping timing to your actual router so it’s great that you can bypass it this easily.
Does this work with recent firmwares? Because I seem to be getting the error “Failed to extract ‘update_firmware.sh’ from ‘/tmp/tmp.cUkk2AxyWz/work/fw_decrypted.bin'”. Anyone know why?
I just tried this with the latest firmware. Unfortunately, Circle have changed their firmware file format where they now include a cryptographic hash, which is verified before the firmware installation process will proceed.
Because of this, recent Circle firmware will reject any ‘patched’ firmware, because it is not cryptographically signed. Unless another exploit is found, it won’t be possible to patch firmware/install it.
Dang that’s too bad, was looking forward to testing this.
WE HAVE A WAY!!! TALOS has identified multiple exploitable avenues of attacking the Disney Circle.
Including bypassing the cryptographic checks!!!!
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0405