path: root/docs/dev/Updates.md
Diffstat (limited to 'docs/dev/Updates.md')
-rw-r--r-- docs/dev/Updates.md 13
1 files changed, 6 insertions, 7 deletions
diff --git a/docs/dev/Updates.md b/docs/dev/Updates.md
index 8a733b8..96430d9 100644
--- a/docs/dev/Updates.md
+++ b/docs/dev/Updates.md
@@ -8,14 +8,13 @@ Infomation about the QCs update process, and how we can use it should be placed
the update process first talks to an API to see if there's anything available and then downloads the update archive right
-## Man In The Middle updates
+## Patching the update file for persistent access
-SSL checks are disabled everywhere (in ZenUI too, not just the updater) ... this means that with some work we would have command execution on the unit without even opening it.
-In the middle, we can literally patch (from any laptop on the same wifi) the update archive as it arrives, using t a transparent http proxy that gives you a scripting engine to modify buffers on the fly.
+(Coming soon)
-we could do something simple ... download the original update file, apply our changes to it, [bindiff](https://www.daemonology.net/bsdiff/) the two archives and just apply the binpatch on the https buffers
+## Man In The Middle updates
-## Root Password
+SSL checks are disabled for the updater (see `cloud_updater.py`)... this means that on paper, we could have command execution on the unit without even opening it.
+In the middle, we can literally patch (from any device on the same network) the update archive as it arrives, using a transparent http proxy that gives you a scripting engine to modify buffers on the fly.
-Root password hash: root:$1$ExCeUIRg$umMdl8bKzRutUtKGFhUg10:10933:0:99999:7:::
-It is salted, and has not been cracked yet.
+we could do something simple ... download the original update file, apply our changes to it, [bindiff](https://www.daemonology.net/bsdiff/) the two archives and just apply the binpatch on the https buffers
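Review bot: the new "## Patching the update file for persistent access" section is added with only a "(Coming soon)" placeholder; either write the content now or leave the heading out until it exists, so the doc does not carry an empty section. Two further points in this hunk: the "## Root Password" section and its `root:$1$...` hash line are removed from the file, which is the right call for a doc, but the line still exists in repository history, so the removal alone does not reduce exposure of that hash; and the scope change from "SSL checks are disabled everywhere (in ZenUI too, not just the updater)" to "SSL checks are disabled for the updater (see `cloud_updater.py`)" reads as a retraction of the ZenUI claim and should be confirmed as intentional rather than dropped silently. Minor: the retained "we could do something simple ..." line still starts lowercase and keeps the unexplained "https buffers" wording.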