diff options
Diffstat (limited to 'README_Detailed.md')
-rw-r--r-- | README_Detailed.md | 128 |
1 files changed, 19 insertions, 109 deletions
diff --git a/README_Detailed.md b/README_Detailed.md index bb08fb3..4a64f86 100644 --- a/README_Detailed.md +++ b/README_Detailed.md @@ -17,20 +17,20 @@ Unforunately it seems we got of on the wrong foot, for context I (Thomas) got ba ## Table of contents -- [Summary](https://github.com/VanIseghemThomas/OpenCortex#summary) +Want a more simpler file? Go [here](README.md) -- [Opening a shell and gaining root access](https://github.com/VanIseghemThomas/OpenCortex#opening-a-shell-and-gaining-root-access) - -- [File access](https://github.com/VanIseghemThomas/OpenCortex#file-access) - -- [Editing the default model names](https://github.com/VanIseghemThomas/OpenCortex#editing-the-default-model-names) - -- [External editor (VNC)](https://github.com/VanIseghemThomas/OpenCortex#external-editor-vnc) +- [Summary](#summary) +- [Opening a shell and gaining root access](#opening-a-shell-and-gaining-root-access) +- [File access](#file-access) +- [Editing the default model names](docs/consumer/Model_Renamer.md) +- [External editor (VNC)](docs/consumer/VNC.md) ## Summary ### What is already possible (or in better terms discovered) +**For detailed research go to the [Dev Docs](docs/dev/README.md)** + Before I start of listing everything that is discovered, I want to make clear that this project has a small team and we're doing our best to do as much as possible in the time we've got available. A lot of things are still in progress but every day new things get discovered. There is a lot to look at and not everything can be done at the same time. we'll try to prioritise but roadblocks will be hit. **Everything you see here is tested as working in practice.** @@ -80,8 +80,6 @@ Before I start of listing everything that is discovered, I want to make clear th ## Opening a shell and gaining root access -When searching for updates, the Quad Cortex uses a Python script to query NDSP's API for new updates. This can be used as an entry point for running custom code. We will swap out this file out for a custom Python script that allows us to open a reverse shell. We can use that reverse shell to give us persistent access. - ### Step 1: take out the SD-card Have you ever noticed that a Raspberry-Pi uses an SD-card to boot from, well the QC does pretty much the same in a bit more sophisticated way. I could go into detail how this works but that's for another section. @@ -110,7 +108,7 @@ Partition 3 does not end on cylinder boundary /dev/mmcblk0p4 67617 973968 29003264 83 Linux ``` -these are used for various things. The ones we are interested in, are the first 2. Upon closer investigation you will realize 2 things. They are Linux installs and they seem to be identical. +These are used for various things. The ones we are interested in, are the first 2. Upon closer investigation you will realize 2 things. They are Linux installs and they seem to be identical. The partition we are interrested in, is the first one. This is the partition the QC will use to run it's software. The second one is for redundancy when something goes wrong in the update process from what I understand. @@ -123,51 +121,17 @@ The partition we are interrested in, is the first one. This is the partition the ### Step 3: installing the exploit **Warning! Do not install this file from any shady places and verify the code matches the repository's code. This can be used to leak some very personal information present on the QC.** +Swap out the `/etc/shadow` file in with the one in this repository. This file is and encrypted linux password, and will change the root password to: -Once inside the first partition, you want to go to the following path: `/opt/neuraldsp`. In here you will see a file called `cloud_updater.py`. **Make sure to back this up!** You will need to temporarily change this out for the `cloud_updater_custom.py` file inside this repo. Before you change this out, you will have to edit the file. - -The `cloud_updater_custom.py` script, opens a simple reverse shell. In order for this to work, we have to listen for a reverse shell to be spawned on our PC. The script needs to now where to connect to. This is where we edit the 2 lines. At the top of the file you should see 2 variables, edit these accordingly. - -```python -YOUR_IP = "192.168.1.2" # <--- Edit this to match your PC's ip. Make sure it's on the same subnet. -YOUR_PORT = 4444 # Can stay the same or something else, rember what this is +```bash +OpenCortex ``` -Once that's done, we can put the `cloud_updater_custom.py` file and take out the `cloud_updater.py` file. Again make sure you keep this file! I suggest you save this copy as `cloud_updater_backup.py` and keep it on the QC and also on your own PC. Now rename the `cloud_updater_custom.py` to `cloud_updater.py`. Next time you go to check for updates on the QC, your custom code will be ran. +You will be able to log in with this password when using SSH. You can put the SD-card back in the QC and screw the lid back on. -### Step 4: running the exploit - -Note: this might not work if an actual update is available. - -[Looking into creating a custom message, if this works update the documentation] - -Before doing that, we'll need to listen for the reverse shell. This can be done using a tool called netcat. Open up a terminal and type `nc -lvnp 4444` (or your custom set port). - -Now on the QC, go to `Settings -> Device Options -> Device Updates`. When you press the button to start looking for updates, your PC should open a reverse shell. - -It should look something like this: - -```console -thomas@pop-os:~/Repos/OpenCortex$ nc -lvp 4444 -Listening on 0.0.0.0 4444 -Connection received on 192.168.1.236 52824 -/bin/sh: can't access tty; job control turned off -/opt/neuraldsp # -``` - -#### Congratulations, you are now inside your Quad Cortex - -Make sure to be responsible now. - -### Step 5: persistent access - -[This might be automated in the future using the exploit script] - -When running the `whoami` commmand, you can see that the Python script was being ran as root. This means you now have root access! With this you can do pretty much anything you want, including changing the password to something else. - -Run the command `passwd`. This will prompt you to change the root user's password, without confirming the current password. +### Step 4: persistent access You are now able to connect to your QC using SSH as root! Isn't that wonderfull! But you may find it won't work for you. No worries this is normal. SSH defaults to port 22. At some point, the QC actually had SSH running on the default port 22 (alongside FTP), but they got rid of those services. So I thought. After a little digging inside the SSH files, I figured out that they didn't get rid of SSH, but they just moved it to port `57284`. @@ -195,20 +159,11 @@ Welcome to #### BOOM WE'RE IN -Now time for some cleanup. +Now time for some cleanup. Make sure to be responsible now. -### Step 6: restoring the update script +### Step 5 (optional) -Now that you have persistent access, there is no need to have the exploit anymore. You can keep it, but it poses a security risk and disables the update functionality. - -To restore this, just remove the custom Python script, and replace it back with the original one. This can be done with the following commands: - -```console -rm cloud_updater.py -mv cloud_updater_backup.py cloud_updater.py -``` - -Now reboot the QC and test if the updater works like it's supposed to. +It is good practice to run the `passwd` command to change your password. Having default passwords is never a good idea. ## File access @@ -230,56 +185,11 @@ scp <PC-ip-address>:<file-path> ## Editing the default model names -One thing bothering me (and I think a lot of other people) is the fact that companies like NDSP aren't allowed to ship their models under the real name it is based on. Luckly they keep track of it in the actual model list, but it isn't displayed to the user. - -The models and their respective categories, names and parameters, are stored inside `/opt/neuraldsp/ModelRepo.xml`. In order to rename these files to the real deal, you've got a couple of options. - -- Rename them manually inside the XML file - -- Use the `model_renamer.py` script in this repo to generate the XML file - - - Usage: - - ```console - python model_renamer.py <original-modelrepo> <output-file-path> - ``` - -- Use the pre-generated XML file inside `Model Repositories` (make sure to match it to your CorOS verion) - -Now replace the `ModelRepo.xml` file inside `/opt/neuraldsp` with the new file. Make sure this is called `ModelRepo.xml`. - -Finally reboot your QC, now you should have all models (except captures) renamed to their real names. - -![IMG20221218151130](https://user-images.githubusercontent.com/55881698/208303182-8554e62c-96a9-41f2-be0d-1f1f4f564506.jpg) +The Model Renaming instructions have moved to a [dedicated docs file](docs/consumer/Model_Renamer.md) ## External editor (VNC) -![image](https://user-images.githubusercontent.com/55881698/214691276-bbd161bf-eb72-4f96-87ec-aa4255c75e7e.png) - -Since we've figured out how to cross-compile our own binaries, we were able to compile a VNC solution for the Quad Cortex. - -The VNC server we compiled is based on [this project](https://github.com/ponty/framebuffer-vncserver). We had to modify the source code a bit to make it work with the touchscreen. But besides that, it is identical. This patch was necesarry because the touchscreen doesn't report it's width and height in a propper way. - -**Note:** when connected to the QC over VNC, you might notice a dip in framerate on the device itself. This is normal. It is the device trying to encode the video feed and struggling. - -_[Installer and auto-run on boot will be added later]_ -_For now you can use it the manual way_ - -### Installation - -In the `External VNC` folder you will find the files `qc_vnc` and `libvncserver.so.1`. Move these to the following locations on the QC: - -- **qc_vnc:** `/bin` - -- **libvncserver.so.1**: `/lib` - -That's it. You can now start the server! - -### Usage - -```console -qc_vnc -f /dev/fb0 -t /dev/input/event0 -``` +The VNC instructions have moved to a [dedicated docs file](docs/consumer/VNC.md) ## Accessing your backup |