{"id":129,"date":"2016-06-12T13:38:30","date_gmt":"2016-06-12T17:38:30","guid":{"rendered":"http:\/\/www.hackspot.net\/CircleBlog\/?p=129"},"modified":"2017-05-15T17:49:29","modified_gmt":"2017-05-15T21:49:29","slug":"creating-a-custom-firmware-image-which-gives-you-ssh-access","status":"publish","type":"post","link":"http:\/\/www.hackspot.net\/CircleBlog\/2016\/06\/12\/creating-a-custom-firmware-image-which-gives-you-ssh-access\/","title":{"rendered":"Creating a custom firmware image which gives you ssh access"},"content":{"rendered":"

Update:<\/strong> ‘eku952’ posted a comment letting me know that this no longer works. \u00a0I’ve done some investigation, and found that Circle now does an RSA signature verification of the downloaded firmware (a 512-byte RSA signature is appended to the end of the firmware image). \u00a0If the RSA verify operation fails, the firmware image will not be installed.<\/em><\/p>\n

So, unless another exploit is found, there is no way to patch Circle’s firmware\/push that firmware image to your Circle device. \u00a0I am not actively working on this (too busy with other things), so don’t expect another exploit from me. \u00a0<\/em><\/p>\n

It may still be possible to gain access via the serial port, at which point you could manually install your own firmware image.<\/em><\/p>\n

In my earlier\u00a0Firmware Updates<\/a>\u00a0post, I mentioned that it’s possible to download an official Circle firmware update, modify it to add a custom user\/password to \/etc\/passwd and \/etc\/shadow, then upload that firmware to your Circle device. \u00a0I’ll describe how to do that here (along with scripts to make it easier).<\/p>\n

WARNING<\/strong>: Please be very careful when updating the firmware on your Circle device – a corrupted firmware image could ‘brick’ your device. \u00a0Please carefully review the scripts I’ve included here and make sure you understand them and are comfortable with the changes before installing any hacked firmware.<\/p>\n

Yesterday, I pointed out<\/a> the fact that the latest firmware will delete the ‘root’ password from \/etc\/shadow (as part of a switch to using key-based ssh access). \u00a0So, this example will add a ‘hackme’ user (with password ‘hackme’) with root privileges. \u00a0Once logged-in as ‘hackme’, you can change the ‘root’ password to whatever you like (although, keep in mind that a future firmware update may reset the ‘root’ password again).<\/p>\n

I’ve written a script (called\u00a0fw_hackify.sh<\/a>) which will optionally download (if –fetch option specified), then modify an official Circle firmware image to include\/run a new script (for this example, that script is\u00a0hackme_add_user.sh<\/a>) as the final step of the firmware installation (before the reboot).<\/p>\n

A standard firmware update image from Circle includes a script called update_firmware.sh which is run as the final step of the installation. \u00a0fw_hackify.sh<\/a>\u00a0modifies this script in the firmware to first run a script called ‘hackme.sh’, which (in this example) is the\u00a0hackme_add_user.sh<\/a>\u00a0script which you’ll pass to the script as an option.<\/p>\n

Building the modified firmware image<\/h5>\n

Prerequisite: you will need the ‘aescrypt’ command installed on your system (can be found here).<\/p>\n

Here’s the command to download the latest firmware from Circle and generate the hacked firmware:<\/p>\n

$ .\/fw_hackify.sh --fetch fw_orig.bin hackme_add_user.sh fw_hacked.bin<\/strong>\r\nFetching Circle firmware...\r\nDownloaded original firmware file: 'fw_orig.bin'\r\nDecrypting Circle firmware...\r\nModifying Circle firmware\r\nEncrypting modified Circle firmware...\r\nCreated hackified firmware file: 'fw_hacked.bin' from 'fw_orig.bin' and 'hackme_add_user.sh'<\/pre>\n
The ‘–fetch’ option tells the script to download the firmware from Circle (saving it as ‘fw_orig.bin’). \u00a0If you already have a Circle firmware image, you can skip the ‘–fetch’ option (and just specify it as the first argument (‘fw_orig.bin’ in this example)).<\/p>\n
The fw_hackify.sh<\/a> script is meant to be generic. \u00a0It will add a user-specified ‘hackme.sh’ script to the firmware and modify the firmware image to run that as the last step before rebooting. \u00a0I’m including the\u00a0hackme_add_user.sh<\/a>\u00a0as an example ‘hackme.sh’ script which will run on the Circle device and add the ‘hackme’ user\/password. \u00a0But, you can replace it with any script you want to run on the Circle device as the last step of the install.<\/p>\n
Pushing the new firmware image to your Circle device<\/h5>\n
Ensure that your Circle device is in the proper subnet<\/h6>\n
The Circle API command “UPLOAD_FIRMWARE” can be used to upload\/install the new firmware. \u00a0It only works if your Circle device is in the default “10.123.234.xxx” subnet.<\/p>\n
The ‘factory default’ IP address used for the Circle Wifi access point (when your device is in a unconfigured state) is “10.123.234.1”, so restoring your Circle device to factory defaults (and connecting to its Wifi AP, with a fixed “10.123.234.xxx” IP on your PC) will let you push the firmware to your device.<\/p>\n
Another option is to setup a DHCP server on a wired network. When you connect your Circle device to a wired network, it will disable its Wifi AP and use DHCP to get an IP address on the wired network. If your DHCP server is on the “10.123.234.xxx” subnet and hands such an address to your Circle device (and your PC is on the same subnet\/gets its IP from the same DHCP server), then you can push the firmware image to your device.<\/p>\n
Push the firmware update image to your device<\/h6>\n
The following ‘curl’ command will push the modified firmware image to your Circle device (which will then decrypt\/install the image) (this assumes your Circle device is at 10.123.234.1):<\/p>\n
$ curl -k -F \"file=@fw_hacked.bin;filename=nameinpost\" https:\/\/10.123.234.1:4567\/api\/UPLOAD_FIRMWARE<\/strong>\r\n{\r\n\"result\":\"success\"\r\n}<\/pre>\n
After the firmware install finishes, the “update_firmware.sh” script inside the firmware update will run, which will run the “hackme.sh” script. \u00a0This will add the “hackme” user. \u00a0Then, the device will reboot.<\/p>\n
Logging in to your Circle device with ssh<\/h5>\n
Now that you have a ‘hackme’ user (password ‘hackme’), you can ssh into your device (assuming you are on the same subnet and know the Circle’s IP):<\/p>\n
$ ssh hackme@10.123.234.1\r\nhackme@10.123.234.1's password:\r\n\r\n\r\nBusyBox v1.22.1 (2014-09-20 22:01:35 CEST) built-in shell (ash)\r\nEnter 'help' for a list of built-in commands.\r\n\r\n _______ ________ __\r\n | |.-----.-----.-----.| | | |.----.| |_\r\n | - || _ | -__| || | | || _|| _|\r\n |_______|| __|_____|__|__||________||__| |____|\r\n |__| W I R E L E S S F R E E D O M\r\n -----------------------------------------------------\r\n BARRIER BREAKER (14.07, r42625)\r\n -----------------------------------------------------\r\n * 1\/2 oz Galliano Pour all ingredients into\r\n * 4 oz cold Coffee an irish coffee mug filled\r\n * 1 1\/2 oz Dark Rum with crushed ice. Stir.\r\n * 2 tsp. Creme de Cacao\r\n -----------------------------------------------------\r\nroot@circle:~#<\/pre>\n
That’s it – you’re in! \u00a0At this point, I’d recommend changing the ‘hackme’ user’s password (use “passwd hackme” command). \u00a0You can also change the ‘root’ user’s password (so you can login as root instead), although keep in mind that a new firmware update may delete that password.<\/p>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
Update: ‘eku952’ posted a comment letting me know that this no longer works. \u00a0I’ve done some investigation, and found that Circle now does an RSA signature verification of the downloaded firmware (a 512-byte RSA signature is appended to the end of the firmware image). \u00a0If the RSA verify operation fails, the firmware image will not … Continue reading “Creating a custom firmware image which gives you ssh access”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"http:\/\/www.hackspot.net\/CircleBlog\/wp-json\/wp\/v2\/posts\/129"}],"collection":[{"href":"http:\/\/www.hackspot.net\/CircleBlog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.hackspot.net\/CircleBlog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.hackspot.net\/CircleBlog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.hackspot.net\/CircleBlog\/wp-json\/wp\/v2\/comments?post=129"}],"version-history":[{"count":10,"href":"http:\/\/www.hackspot.net\/CircleBlog\/wp-json\/wp\/v2\/posts\/129\/revisions"}],"predecessor-version":[{"id":155,"href":"http:\/\/www.hackspot.net\/CircleBlog\/wp-json\/wp\/v2\/posts\/129\/revisions\/155"}],"wp:attachment":[{"href":"http:\/\/www.hackspot.net\/CircleBlog\/wp-json\/wp\/v2\/media?parent=129"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.hackspot.net\/CircleBlog\/wp-json\/wp\/v2\/categories?post=129"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.hackspot.net\/CircleBlog\/wp-json\/wp\/v2\/tags?post=129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}