Okay, here's the scoop on the URB frames... Captured a bunch of stuff with Wireshark, in this instance the software is sending commands for a 'device reset'. Thankfully some components of the app are written in .NET so I can run em through ILSpy, this gives me a great starting point in Ghidra-
Okay, back to studying URB frames... It looks like the device goes into a uboot/debug mode but I'm unable to get my system to talk to it, unsure why. But I also noticed there are some yummy UART test points on the board.
You know, I poked at this thing for a decent amount of time, capturing URB messages, analyzing the Windows binaries etc... I open it up and what do I see?? (Tiny internal button)
Holding this button while plugging in the device gives me a USB debugger, now to figure out if I can talk to it...
Got a new piece of hardware, a streamdeck like apparatus from mountain gg. The hardware is simple and functional and their software is surprisingly customizable! The bad part is no Linux support
Gonna take a shot at reversing the Windows driver and writing some complementary Python...
This would have taken you two seconds to look this up my guy. I'd think you'd be hard pressed to find a vehicle manufacturer that doesn't recommend hand washing for best results.
Printed a new case and put some new software paint on my portable wifi buddy. Took some liberties with reinforcing the clip area with some bent metal, heat, and epoxy. Not the prettiest but clearly sturdy and not janky.
Normally a user can access some internal address like 192.168.1.1 and get an admin panel but this one just gives you a lame portal and tells you to download the mobile app. There *is* a hidden warehouse mode so maybe I can hack that to flash stock OpenWRT without needing UART access.
More context on how I commandeered the root access. Once I got it connected with UART I noticed a fun little failsafe mode. Accessing that gave me the openwrt recovery shell where I was able to enumerate some scripts responsible for setting the root password.
I originally popped this one a while back but I'm diving back in for more. Of course the first thing I do on an unfamiliar device is look at /etc/ and the shadow file; ran this hash through hashcat and surprise surprise, it was weak.