Creating a custom firmware image which gives you ssh access

Update: ‘eku952’ posted a comment letting me know that this no longer works.  I’ve done some investigation, and found that Circle now does an RSA signature verification of the downloaded firmware: a 512-byte (4096-bit) RSA signature is appended to the end of the firmware image, and if the RSA verify operation fails, the firmware image will not be installed.  Since fw_hackify.sh changes the image contents, the original signature no longer matches and the modified image is rejected.

So, unless another exploit is found, there is no way to patch Circle’s firmware and push the modified image to your Circle device.  I am not actively working on this (too busy with other things), so don’t expect another exploit from me.  

It may still be possible to gain access via the serial port, at which point you could manually install your own firmware image.
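As an added illustration of what that signature check means for a patched image (this is example code, not Circle’s verifier, and it assumes a SHA-256 PKCS#1 v1.5 signature under a locally generated 4096-bit key; the post only tells us the signature is 512 bytes long and sits at the end of the image, and the file name fw_sigcheck.sh is my own):

```shell
#!/bin/sh
# fw_sigcheck.sh: example only (not Circle's code). Models a trailing-signature
# check of the kind the update describes. Assumptions: 4096-bit RSA (so the
# signature is 512 bytes), PKCS#1 v1.5 over SHA-256 via openssl dgst; Circle's
# real hash/padding and key are not known from the post, so keys are generated
# locally for the demo.
SIG_LEN=512

# sign_image BODY PRIVKEY OUT: write BODY followed by its 512-byte signature.
sign_image() {
    body=$1; key=$2; out=$3
    openssl dgst -sha256 -sign "$key" -out "$out.sig" "$body" || return 1
    cat "$body" "$out.sig" > "$out" && rm -f "$out.sig"
}

# split_image IMAGE BODY_OUT SIG_OUT: peel the last SIG_LEN bytes off IMAGE.
# Refuses images that are not longer than a bare signature.
split_image() {
    img=$1; body=$2; sig=$3
    size=$(wc -c < "$img" | tr -d ' ')
    [ "$size" -gt "$SIG_LEN" ] || { echo "split_image: $img too short" >&2; return 1; }
    head -c "$((size - SIG_LEN))" "$img" > "$body"
    tail -c "$SIG_LEN" "$img" > "$sig"
}

# verify_image IMAGE PUBKEY: succeed only if the trailing signature matches the body.
verify_image() {
    img=$1; pub=$2
    tmp=$(mktemp -d) || return 1
    if split_image "$img" "$tmp/body" "$tmp/sig" &&
       openssl dgst -sha256 -verify "$pub" -signature "$tmp/sig" "$tmp/body" >/dev/null 2>&1
    then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# tamper_image IMAGE OUT: change the body (as fw_hackify.sh would) but keep the
# vendor's original signature bytes, which is all a tool without the private key can do.
tamper_image() {
    img=$1; out=$2
    tmp=$(mktemp -d) || return 1
    split_image "$img" "$tmp/body" "$tmp/sig" || { rm -rf "$tmp"; return 1; }
    printf '# hackme.sh hook\n' >> "$tmp/body"
    cat "$tmp/body" "$tmp/sig" > "$out"
    rm -rf "$tmp"
}

# Demo: ./fw_sigcheck.sh --demo
if [ "${1:-}" = "--demo" ]; then
    w=$(mktemp -d)
    openssl genrsa -out "$w/vendor.pem" 4096 2>/dev/null
    openssl rsa -in "$w/vendor.pem" -pubout -out "$w/vendor.pub" 2>/dev/null
    printf 'constructed firmware payload\n' > "$w/fw.body"   # stands in for the encrypted image
    sign_image "$w/fw.body" "$w/vendor.pem" "$w/fw_orig.bin"
    verify_image "$w/fw_orig.bin" "$w/vendor.pub" && echo "fw_orig.bin: signature OK"
    tamper_image "$w/fw_orig.bin" "$w/fw_hacked.bin"
    verify_image "$w/fw_hacked.bin" "$w/vendor.pub" || echo "fw_hacked.bin: signature FAILS, install refused"
    rm -rf "$w"
fi
```

Whatever the patching tool does to the body, the 512 trailing bytes were computed over the original contents, so the verify step fails; producing a fresh signature needs the vendor’s private key, which is exactly the property that closes the firmware-upload route.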

In my earlier Firmware Updates post, I mentioned that it’s possible to download an official Circle firmware update, modify it to add a custom user/password to /etc/passwd and /etc/shadow, then upload that firmware to your Circle device.  I’ll describe how to do that here (along with scripts to make it easier).

WARNING: Please be very careful when updating the firmware on your Circle device – a corrupted firmware image could ‘brick’ your device.  Please carefully review the scripts I’ve included here and make sure you understand them and are comfortable with the changes before installing any hacked firmware.

Yesterday, I pointed out the fact that the latest firmware will delete the ‘root’ password from /etc/shadow (as part of a switch to using key-based ssh access).  So, this example will add a ‘hackme’ user (with password ‘hackme’) with root privileges.  Once logged-in as ‘hackme’, you can change the ‘root’ password to whatever you like (although, keep in mind that a future firmware update may reset the ‘root’ password again).

I’ve written a script (called fw_hackify.sh) which will optionally download the latest official Circle firmware image (if the --fetch option is specified) and then modify it to include and run a new script (hackme_add_user.sh in this example) as the final step of the firmware installation, just before the reboot.

A standard firmware update image from Circle includes a script called update_firmware.sh which is run as the final step of the installation.  fw_hackify.sh modifies that script so that it first runs a script called ‘hackme.sh’; the hackme.sh that gets packed into the image is whatever script you name on the fw_hackify.sh command line (in this example, hackme_add_user.sh).

Building the modified firmware image

Prerequisite: you will need the ‘aescrypt’ command installed on your system (can be found here).

Here’s the command to download the latest firmware from Circle and generate the hacked firmware:

$ ./fw_hackify.sh --fetch fw_orig.bin hackme_add_user.sh fw_hacked.bin
Fetching Circle firmware...
Downloaded original firmware file: 'fw_orig.bin'
Decrypting Circle firmware...
Modifying Circle firmware
Encrypting modified Circle firmware...
Created hackified firmware file: 'fw_hacked.bin' from 'fw_orig.bin' and 'hackme_add_user.sh'

The ‘--fetch’ option tells the script to download the firmware from Circle (saving it as ‘fw_orig.bin’).  If you already have a Circle firmware image, omit ‘--fetch’ and just give the image file as the first argument (‘fw_orig.bin’ in this example).

The fw_hackify.sh script is meant to be generic.  It will add a user-specified ‘hackme.sh’ script to the firmware and modify the firmware image to run that as the last step before rebooting.  I’m including the hackme_add_user.sh as an example ‘hackme.sh’ script which will run on the Circle device and add the ‘hackme’ user/password.  But, you can replace it with any script you want to run on the Circle device as the last step of the install.
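Here is an added example of the kind of script you could pass as hackme.sh. It is not the post’s hackme_add_user.sh (which is not reproduced on this page). It assumes BusyBox ash on the device, an MD5-crypt hash that you generate on the build host with `openssl passwd -1 hackme` and paste in before building, and it uses the presence of /mnt/shares/usr/bin/startcircle (the script quoted in the root-password post further down) as its “am I on the device” check. lock_root_password reproduces the sed from that startcircle line so you can confirm, on a copy of /etc/shadow, that the new account survives it:

```shell
#!/bin/sh
# Example hackme.sh for fw_hackify.sh (added example, not the post's own
# hackme_add_user.sh). Written for BusyBox ash (OpenWrt 14.07 on the Circle).
# It adds a second uid-0 account instead of touching root's entry, because
# Circle's startcircle script rewrites root's shadow field to '*' whenever it
# installs its authorized_keys, and its sed leaves lines without "root:" alone.

# MD5-crypt hash of the password 'hackme'. Generate it on the build host with
#     openssl passwd -1 hackme
# and paste the output here before running fw_hackify.sh. No hash ships in this
# example; add_root_user refuses to run with an empty one.
HACKME_HASH=''

# add_root_user PASSWD SHADOW NAME HASH
# Appends NAME as a uid 0 / gid 0 alias of root to PASSWD and SHADOW, copying
# root's password field, home and shell from the existing root line. Idempotent.
add_root_user() {
    passwd=$1; shadow=$2; name=$3; hash=$4
    [ -n "$hash" ] || { echo "add_root_user: empty hash refused" >&2; return 1; }
    rootline=$(grep '^root:' "$passwd" | head -n 1)
    [ -n "$rootline" ] || { echo "add_root_user: no root entry in $passwd" >&2; return 1; }
    pwfield=$(printf '%s\n' "$rootline" | cut -d: -f2)   # 'x' when /etc/shadow is in use
    home=$(printf '%s\n' "$rootline" | cut -d: -f6)
    shell=$(printf '%s\n' "$rootline" | cut -d: -f7)
    if ! grep -q "^$name:" "$passwd"; then
        printf '%s:%s:0:0:%s:%s:%s\n' "$name" "$pwfield" "$name" "$home" "$shell" >> "$passwd"
    fi
    if ! grep -q "^$name:" "$shadow"; then
        printf '%s:%s:0:0:99999:7:::\n' "$name" "$hash" >> "$shadow"
    fi
}

# lock_root_password SHADOW: the exact substitution Circle's startcircle
# performs when it installs its ssh key, reproduced so you can test what
# survives it on a copy of the file.
lock_root_password() {
    sed -i -e 's/root:[^:]*:/root:*:/g' "$1"
}

# uid_of PASSWD NAME: print NAME's uid field (empty if NAME is absent).
uid_of() {
    grep "^$2:" "$1" | cut -d: -f3
}

# hash_of SHADOW NAME: print NAME's password field (empty if NAME is absent).
hash_of() {
    grep "^$2:" "$1" | cut -d: -f2
}

# Only modify the live files on the device itself; the marker path is the
# startcircle script from Circle's firmware. Elsewhere the functions are
# merely defined, which keeps the script safe to source on the build host.
if [ -f /mnt/shares/usr/bin/startcircle ]; then
    add_root_user /etc/passwd /etc/shadow hackme "$HACKME_HASH"
fi
```

Adding a second uid-0 account instead of editing root’s line is what keeps the access through later updates: the startcircle sed only rewrites an entry containing ‘root:’, so ‘hackme’ keeps its hash while root is locked, and `whoami` still reports root because the first uid-0 entry in /etc/passwd wins.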

Pushing the new firmware image to your Circle device
Ensure that your Circle device is in the proper subnet

The Circle API command “UPLOAD_FIRMWARE” can be used to upload/install the new firmware.  It only works if your Circle device is in the default “10.123.234.xxx” subnet.

The ‘factory default’ IP address used for the Circle Wifi access point (when your device is in an unconfigured state) is “10.123.234.1”, so restoring your Circle device to factory defaults (and connecting to its Wifi AP, with a fixed “10.123.234.xxx” IP on your PC) will let you push the firmware to your device.

Another option is to set up a DHCP server on a wired network.  When you connect your Circle device to a wired network, it will disable its Wifi AP and use DHCP to get an IP address on the wired network.  If your DHCP server is on the “10.123.234.xxx” subnet and hands such an address to your Circle device (and your PC is on the same subnet, getting its IP from the same DHCP server), then you can push the firmware image to your device.

Push the firmware update image to your device

The following ‘curl’ command will push the modified firmware image to your Circle device, which will then decrypt and install it (this assumes your Circle device is at 10.123.234.1):

$ curl -k -F "file=@fw_hacked.bin;filename=nameinpost" https://10.123.234.1:4567/api/UPLOAD_FIRMWARE
{
"result":"success"
}

After the firmware install finishes, the “update_firmware.sh” script inside the firmware update will run, which will run the “hackme.sh” script.  This will add the “hackme” user.  Then, the device will reboot.

Logging in to your Circle device with ssh

Now that you have a ‘hackme’ user (password ‘hackme’), you can ssh into your device (assuming you are on the same subnet and know the Circle’s IP):

$ ssh hackme@10.123.234.1
hackme@10.123.234.1's password:


BusyBox v1.22.1 (2014-09-20 22:01:35 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 BARRIER BREAKER (14.07, r42625)
 -----------------------------------------------------
  * 1/2 oz Galliano         Pour all ingredients into
  * 4 oz cold Coffee        an irish coffee mug filled
  * 1 1/2 oz Dark Rum       with crushed ice. Stir.
  * 2 tsp. Creme de Cacao
 -----------------------------------------------------
root@circle:~#

That’s it – you’re in!  At this point, I’d recommend changing the ‘hackme’ user’s password (use “passwd hackme” command).  You can also change the ‘root’ user’s password (so you can login as root instead), although keep in mind that a new firmware update may delete that password.

 

There’s no longer any point to cracking the root password

When I first got serial port access to my Circle, I grabbed the /etc/shadow file and started running “John The Ripper” to attempt to crack the root password (it’s been running for 47 days).  The hope was that I could crack the password, making it easier for others to get into their Circle devices (without requiring a serial port).

Well, I just installed the latest firmware from Circle, and found that they have changed to using key-based ssh login instead of password.  In the process, they’ve removed the root password (so you can’t login as root anymore, unless you have their private ssh key).

The new /mnt/shares/usr/bin/startcircle script has the following line:

[ -f $DIR/scripts/authorized_keys ] && { diff $DIR/scripts/authorized_keys /etc/dropbear/authorized_keys > /dev/null || { cp -f $DIR/scripts/authorized_keys /etc/dropbear/authorized_keys; sed -i -e 's/root:[^:]*:/root:*:/g' /etc/shadow; } }

The above line compares the authorized_keys file shipped in /mnt/shares/usr/bin/scripts with the one installed in /etc/dropbear and, when they differ (i.e. on the first boot with a new key), copies it into place and rewrites the password field of the ‘root’ entry in ‘/etc/shadow’ to ‘*’.  A ‘*’ in that field is not a valid hash, so password login as root is disabled and only key-based login through dropbear remains.  Note that the sed pattern only matches an entry containing ‘root:’, so any other account in /etc/shadow keeps its password.

The new ‘/etc/dropbear/authorized_keys’ has one entry for Circle’s key:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuIaD23ac41XZp5AcSSOunHXHYN38dF2YX+rmb0QT4zxKFnccl6BpzoxGb604rPc4eQ477glWyM4D/jTIyaKqmA7P1iVMym8v5nSXH6haSc/KrzV5EizmalXd4+eoK8ddSgpoci0P9oul3yiWtvccwN5WQ5H/DZhyYvdM73kKnYh3JUllx8JnGi1Qa0nhNGfrhIqaApTc/AyIAFR9I8wtp5KR98xRH5u/hEm1IMB5lo7yS6yJUcupIctnW/C2qUOD7WtWzZvJtgAmmhh+A1XLU42PruPtTfQ2EAHUmNJ+xVssUl3N2cIhvCt1sm5o8DymttOS4xot6Ni06UZ/LK/iKw== tzhang@gateway

Brute-forcing the private half of that 2048-bit RSA key is not feasible, and it’s no longer possible to login as ‘root’ with a password, so there’s no longer any point to continuing the password cracking process.

No worries, though – we can still get in without a serial port or the root password.  I’ll post details on modifying a firmware update image to add a new user (with root privileges) soon.