Home
- Access the PCB by removing the six screws hidden under the padded bottom plate; just punch through the padding with a screwdriver.
- The internal PCB is marked Swann InTouch HUB REV C-0.
- Purchased at OfficeWorks.
- SoC: TI AM3352BZCZ60 (AM335x family).
- 128M NAND flash.
- ZigBee radio: TI CC2538NF23.
- Username root; the password hash is tbKdyTU4E5hZc, which is DES for sjcwoz3r in my version of the firmware.
- Talks via XMPP using client certificates.
- No open (listening) ports, it seems.
Six screw holes under the foam. The foam is hard to remove, so just stab through it with the screwdriver. Serial is on J9: the top pin is GND, the bottom pin is VCC, and the two in the middle are RX/TX. Baud rate is 115200 8N1.

New SPL/U-Boot images can be sent via XMODEM-1K.

Compile ti-sdk-am335x-evm-08.00.00.00/board-support/u-boot-2014.07-g7e537bf with much of the code commented out to disable the EEPROM lookup. Modify ./drivers/mtd/nand/am335x_spl_bch.c as below to dump the NAND over serial:
```c
/*
 * Modified nand_spl_load_image() from drivers/mtd/nand/am335x_spl_bch.c.
 * Instead of loading an image it walks the whole chip and prints every page
 * over the console as hex, two characters per byte and one page per line.
 * Writing the raw bytes with puts() would drop NUL bytes and let the serial
 * driver rewrite newlines, so the dump would not be byte-exact.
 */
int nand_spl_load_image(uint32_t offs, unsigned int size, void *dst)
{
	static const char hex[] = "0123456789abcdef";
	unsigned int block, lastblock;
	unsigned int page;
	unsigned int i;
	char out[3];

	/* offs has to be aligned to a page address! */
	/* block = offs / CONFIG_SYS_NAND_BLOCK_SIZE; */
	/* lastblock = (offs + size - 1) / CONFIG_SYS_NAND_BLOCK_SIZE; */
	block = 0;
	/* As written this spans 1 GiB (32 MiB * 32); adjust to the chip size. */
	lastblock = 33554432 * 32 / CONFIG_SYS_NAND_BLOCK_SIZE;
	page = (offs % CONFIG_SYS_NAND_BLOCK_SIZE) / CONFIG_SYS_NAND_PAGE_SIZE;

	out[2] = '\0';
	while (block <= lastblock) {
		if (!nand_is_bad_block(block)) {
			/* Good block: dump every page, one line per page */
			while (page < CONFIG_SYS_NAND_PAGE_COUNT) {
				nand_read_page(block, page, dst);
				for (i = 0; i < CONFIG_SYS_NAND_PAGE_SIZE; i++) {
					unsigned char b = ((unsigned char *)dst)[i];
					out[0] = hex[b >> 4];
					out[1] = hex[b & 0x0f];
					puts(out);
				}
				/* dst += CONFIG_SYS_NAND_PAGE_SIZE; */
				page++;
				puts("\n");
			}
			page = 0;
		} else {
			/* Skip bad blocks and extend the range by one block */
			lastblock++;
		}
		block++;
	}
	return 0;
}
```
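To turn a serial capture of that dump back into a flash image, here is an added Python helper (not from this wiki or the TI SDK). It assumes each NAND page arrives as one line of hex digits, two per byte, and that the capture also contains U-Boot banner text and line noise that must be rejected rather than silently shifting later pages.

```python
# Rebuild a raw NAND image from a serial capture of the SPL dump routine.
# Added example, not code from the wiki or the TI SDK. Format assumption: the
# dump prints every NAND page as one line of hex digits (two per byte), and the
# capture also carries U-Boot banner text and serial line noise.
import re

HEX_LINE = re.compile(r"^[0-9A-Fa-f]+$")


def rebuild_nand_image(capture, page_size):
    """Return (image, report) for an iterable of captured text lines.
    Lines that are not hex, or not exactly one page long, are rejected and
    recorded as (line number, reason) so a glitchy capture is visible instead
    of silently shifting every later page in the image.
    """
    image = bytearray()
    report = {"pages": 0, "erased": 0, "rejected": []}
    erased = b"\xff" * page_size
    for lineno, raw in enumerate(capture, 1):
        line = raw.strip()
        if not line:
            continue
        if not HEX_LINE.match(line):
            report["rejected"].append((lineno, "not hex"))
            continue
        if len(line) != page_size * 2:
            report["rejected"].append((lineno, "bad length %d" % (len(line) // 2)))
            continue
        page = bytes.fromhex(line)
        if page == erased:
            report["erased"] += 1  # blank page; still part of the image
        image += page
        report["pages"] += 1
    return bytes(image), report


def coverage(report, chip_bytes, page_size):
    """Fraction of the chip (in bytes) that the accepted pages account for."""
    return report["pages"] * page_size / chip_bytes


# Constructed capture with 8-byte pages so it stays readable.
SAMPLE_CAPTURE = [
    "U-Boot SPL 2014.07 (constructed banner line)",
    "deadbeef00000000",  # page 0
    "ffffffffffffffff",  # page 1, erased
    "0102",              # truncated page: serial glitch
    "not-hex-noise",
    "4142434445464748",  # page 2, "ABCDEFGH"
]
```

For a real capture, pass the file's lines and the chip's page size, then compare coverage() against the expected chip size before trusting the image.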
Firmware gets upgraded from https://apa01.upgrade.swann.intamac.com/upgrade/firmware/op-1.63_swann_one_intamac_swann.fw
```
/usr/bin # netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 172.16.0.17:37669 ec2-34-228-123-189.compute-1.amazonaws.com:5222 ESTABLISHED
tcp 283 0 172.16.0.17:37658 ec2-34-228-123-189.compute-1.amazonaws.com:5222 CLOSE_WAIT
tcp 0 0 172.16.0.17:42773 ghs-vip-any-c101.ghs-ssl.googlehosted.com:443 ESTABLISHED
netstat: /proc/net/tcp6: No such file or directory
netstat: /proc/net/udp6: No such file or directory
netstat: /proc/net/raw6: No such file or directory
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 4 [ ] DGRAM 6170 /var/run/wpa_supplicant/wlan0
unix 2 [ ] DGRAM 6373 /tmp/wpa_ctrl_897-1
unix 2 [ ] DGRAM 6375 /tmp/wpa_ctrl_897-2
```
Use https://github.com/gaowanlong/snippets/blob/master/read_mem/read_mem.c against the comms_handler process and send the results out with netcat. This needs to be done for every mapping listed in /proc/processid/maps.
NFS is enabled in the kernel, so for quick hacking you can mount a BeagleBone Black filesystem on the device and chroot into it:

```sh
mount -o nolock 172.16.0.20:/abrams/swann/mount /file
mount -t proc /proc /file/proc
mount --rbind /dev /file/dev
mount --rbind /sys /file/sys
chroot /file
```
Couldn't get an XMPP client to play nice, but you can take the data from the XMPP log and just paste it into openssl s_client:

```sh
openssl s_client -connect 001.sct.swann.intamac.com:5222 -key private.key -CAfile anotherchain.pem -cert 1.pem -servername xmpp-cls-01.ami01.intamac.com
```

The chain and private key can be extracted from the memory of comms_handler.
Unzip https://github.com/kynesim/MTConsole inside the chroot (BBB firmware), then:

```sh
pip3 install pyserial
python3 MTConsole.py -s /dev/ttyO5
```