From 07221766874e8a48273d409e2446de48af860319 Mon Sep 17 00:00:00 2001 From: Judah Fuller Date: Wed, 26 Apr 2023 11:19:30 +0100 Subject: Formatting --- README.md | 94 ++++++++++++++++++++++++++++++++++----------------------------- 1 file changed, 51 insertions(+), 43 deletions(-) diff --git a/README.md b/README.md index b60c182..09766eb 100644 --- a/README.md +++ b/README.md 
@@ -1,18 +1,22 @@ # OpenCortex + [![Discord Banner 1](https://discordapp.com/api/guilds/1064519311567360031/widget.png?style=banner2)](https://discord.gg/ef2gBDDSkm) -## A project that opens your Quad Cortex for homebrew software. +## A project that opens your Quad Cortex for homebrew software + Developing good software is hard, waiting for it might sometimes be equally as hard. With this project waiting might come to an end. Ever wondered: "A desktop file manager or editor might be useful"? You probably have at this point. The goal of OpenCortex is to open up the Quad Cortex and write the software as a community. This way we can get a taste of what is comming and maybe inspire new innovative features. Also if for some reason software support would be dropped , the maintenance could be continued by the community. It also drops the dependecy on the Cortex Cloud for preset sharing. For me personally, it's an awesome way to learn about embedded Linux and many more things. -## Disclaimer: +### Disclaimer + I am not responsible for any damage that might be done to your unit, software. Doing this might have the potential to void your warranty. This is a project for enthousiasts who like to tinker like myself. I do not intend to cause any difficulties for NDSP / myself and will approach this from an ethical standpoint. I do not condone any misuse of this project. This is purely for educational and quality of life purposes only. ### To NDSP -Unforunately it seems we got of on the wrong foot, for context I (Thomas) got banned on the Discord server for showing a 9 second clip of the RDP solution working and receiving a very positive reaction from the rest of the community. We respect the stance on the matter but not how it was handled. After all, no rules were breached. 
+ +Unforunately it seems we got of on the wrong foot, for context I (Thomas) got banned on the Discord server for showing a 9 second clip of the RDP solution working and receiving a very positive reaction from the rest of the community. We respect the stance on the matter but not how it was handled. After all, no rules were breached. **Here I want to make clear we are willing to go into open dialog and plan to be 100% transparent about everything as we strongly believe we can provide some very valuable knowledge and advise. This only benefits all of us, including the community, which is the #1 priority** -# Table of contents +## Table of contents - [Summary](https://github.com/VanIseghemThomas/OpenCortex#summary) @@ -24,9 +28,9 @@ Unforunately it seems we got of on the wrong foot, for context I (Thomas) got ba - [External editor (VNC)](https://github.com/VanIseghemThomas/OpenCortex#external-editor-vnc) -# Summary +## Summary -## What is already possible (or in better terms discovered) +### What is already possible (or in better terms discovered) Before I start of listing everything that is discovered, I want to make clear that this is currently a 2 man project and we're doing our best to do as much as possible in the time we've got available. A lot of things are still in progress but every day new things get discovered. There is a lot to look at and not everything can be done at the same time. we'll try to prioritise but roadblocks will be hit. 
@@ -51,29 +55,28 @@ Before I start of listing everything that is discovered, I want to make clear th ## Currently being worked on - Building a Discord server - - Free from any censorship about the QC + + - Free from any censorship about the QC - Managing your files. - - - Manual backup management (Is it possible to load a backup saved externally? From what I've already seen, yes!) - - Captures are currently unsolved. They seem to be encrypted (for good reasons) and I don't know (yet) how they are referenced inside presets. But since the contents aren't really relevant, I just need to find a way to reference the files correctly. + - Manual backup management (Is it possible to load a backup saved externally? From what I've already seen, yes!) + - Captures are currently unsolved. They seem to be encrypted (for good reasons) and I don't know (yet) how they are referenced inside presets. But since the contents aren't really relevant, I just need to find a way to reference the files correctly. - Creating an external file manager - - It is now possible to view the available presets given the XML file. In the future this will be fetched from an API running on the QC - + - It is now possible to view the available presets given the XML file. In the future this will be fetched from an API running on the QC - Creating an external editor - - - Preset file stucture is fully reverse-engineered. - - - Building the UI - - - Testing external editing of presets and it's limitations. + - Preset file stucture is fully reverse-engineered. + + - Building the UI + + - Testing external editing of presets and it's limitations. ## Things that might work in the future + - Creating an external controller: it is possible to detect preset changes and which preset is currently loaded. This can be used together with MIDI commands to create a controller that could display the current preset (like the Kemper controller). 
- Bluetooth: I've stumbled upon some references to bluetooth but haven't looked into it. As far as I know it doesn't have the hardware for it, but maybe it secretly does? @@ -84,18 +87,17 @@ Before I start of listing everything that is discovered, I want to make clear th - SD-card upgrade: on paper, when partitioning the SD-card correctly and flashing those with the corresponding .img files (you can clone from the original), you should be able to -- Creating a OpenCortex update URL that can be accessed by the native update menu. +- Creating a OpenCortex update URL that can be accessed by the native update menu. - Expanding preset slots - - Got a pretty good idea how this can be done, still have to confirm it working. - + - Got a pretty good idea how this can be done, still have to confirm it working. # Opening a shell and gaining root access ## Summary -When searching for updates, the Quad Cortex uses a Python script to query NDSP's API for new updates. This can be used as an entry point for running custom code. We will swap out this file out for a custom Python script that allows us to open a reverse shell. We can use that reverse shell to give us persistent access. +When searching for updates, the Quad Cortex uses a Python script to query NDSP's API for new updates. This can be used as an entry point for running custom code. We will swap out this file out for a custom Python script that allows us to open a reverse shell. We can use that reverse shell to give us persistent access. ## Step 1: take out the SD-card 
@@ -103,9 +105,10 @@ Have you ever noticed that a Raspberry-Pi uses an SD-card to boot from, well the ### Before continuing make sure the QC is off and unplugged! -To get access to the SD-card, you'll have to take of the back of the QC. This is easily done by unscrewing the 4 screws in the corners. Once open, you should see the SD-card in it's slot with a retainer around it. Unscrew the retainer to get access to the SD-card. Now you can push on the SD-card to get it out. +To get access to the SD-card, you'll have to take of the back of the QC. This is easily done by unscrewing the 4 screws in the corners. Once open, you should see the SD-card in it's slot with a retainer around it. Unscrew the retainer to get access to the SD-card. Now you can push on the SD-card to get it out. ## Step 2: mounting the SD-card + **For this step it is useful to have a Linux system to work from.** When plugging the SD-card into your PC running Windows, it will prompt you that the SD-card is broken and you should format it. **Do not do this!** The reason it does this, is because you're trying to read Linux filesystems that are not supported on Windows. There might be ways to get around that but I'd still recommend just using a Linux system (or a VM) to do this. The guide will continue with this assumption. 
@@ -124,7 +127,7 @@ Partition 3 does not end on cylinder boundary /dev/mmcblk0p4 67617 973968 29003264 83 Linux ``` -these are used for various things. The ones we are interested in, are the first 2. Upon closer investigation you will realize 2 things. They are Linux installs and they seem to be identical. +these are used for various things. The ones we are interested in, are the first 2. Upon closer investigation you will realize 2 things. They are Linux installs and they seem to be identical. The partition we are interrested in, is the first one. This is the partition the QC will use to run it's software. The second one is for redundancy when something goes wrong in the update process from what I understand. @@ -132,8 +135,7 @@ The partition we are interrested in, is the first one. This is the partition the **Recommended:** Clone the drive partitions as .img files in case something goes wrong. -**Not Recommended:** If you want to open up the QC and take out the SD-card everytime you want to change something, you can skip the next steps and go to *Editing the default model names* - +**Not Recommended:** If you want to open up the QC and take out the SD-card everytime you want to change something, you can skip the next steps and go to _Editing the default model names_ ## Step 3: installing the exploit @@ -153,6 +155,7 @@ Once that's done, we can put the `cloud_updater_custom.py` file and take out the You can put the SD-card back in the QC and screw the lid back on. ## Step 4: running the exploit + Note: this might not work if an actual update is available. [Looking into creating a custom message, if this works update the documentation] 
@@ -168,10 +171,11 @@ thomas@pop-os:~/Repos/OpenCortex$ nc -lvp 4444 Listening on 0.0.0.0 4444 Connection received on 192.168.1.236 52824 /bin/sh: can't access tty; job control turned off -/opt/neuraldsp # +/opt/neuraldsp # ``` -### Congratulations, you are now inside your Quad Cortex! +### Congratulations, you are now inside your Quad Cortex! + Make sure to be responsible now. ## Step 5: persistent access @@ -186,7 +190,7 @@ You are now able to connect to your QC using SSH as root! Isn't that wonderfull! So to connect to your QC you can do the following -*Ip address can be found under `settings -> Wi-Fi`* +_Ip address can be found under `settings -> Wi-Fi`_ ```console ssh root@ -p 57284 @@ -195,21 +199,23 @@ ssh root@ -p 57284 It will prompt you for your password and after that for a fingerprint, just type "yes", enter and: ```console -Welcome to - _ _ _ ______ ___________ +Welcome to + _ _ _ ______ ___________ | \ | | | | | _ \/ ___| ___ \ | \| | ___ _ _ _ __ __ _| | | | | |\ `--.| |_/ / -| . ` |/ _ \ | | | '__/ _` | | | | | | `--. \ __/ -| |\ | __/ |_| | | | (_| | | | |/ / /\__/ / | -\_| \_/\___|\__,_|_| \__,_|_| |___/ \____/\_| - Quad Cortex -# +| . ` |/ _ \ | | | '__/ _` | | | | | | `--. \ __/ +| |\ | __/ |_| | | | (_| | | | |/ / /\__/ / | +\_| \_/\___|\__,_|_| \__,_|_| |___/ \____/\_| + Quad Cortex +# ``` ### BOOM WE'RE IN! + Now time for some cleanup. ## Step 6: restoring the update script + Now that you have persistent access, there is no need to have the exploit anymore. You can keep it, but it poses a security risk and disables the update functionality. To restore this, just remove the custom Python script, and replace it back with the original one. This can be done with the following commands: @@ -228,11 +234,13 @@ Still looking for the best way to do this, currenly using the `scp` command to s Example usage: #### from PC to QC: + ```console scp -P 57284 : ``` #### from QC to PC + ```console scp : ``` 
@@ -247,13 +255,13 @@ The models and their respective categories, names and parameters, are stored ins - Use the `model_renamer.py` script in this repo to generate the XML file - - Usage: - ```console - python model_renamer.py - ``` + - Usage: -- Use the pre-generated XML file inside `Model Repositories` (make sure to match it to your CorOS verion) + ```console + python model_renamer.py + ``` +- Use the pre-generated XML file inside `Model Repositories` (make sure to match it to your CorOS verion) Now replace the `ModelRepo.xml` file inside `/opt/neuraldsp` with the new file. Make sure this is called `ModelRepo.xml`. @@ -271,9 +279,9 @@ The VNC server we compiled is based on [this project](https://github.com/ponty/f **Note:** when connected to the QC over VNC, you might notice a dip in framerate on the device itself. This is normal. It is the device trying to encode the video feed and struggling. -*[Installer and auto-run on boot will be added later]* +_[Installer and auto-run on boot will be added later]_ -*For now you can use it the manual way* +_For now you can use it the manual way_ ## Installation -- cgit v1.2.3 From 87a132814425050e2e9c8079bd187fd23a22c2f1 Mon Sep 17 00:00:00 2001 From: Judah Fuller Date: Wed, 26 Apr 2023 11:32:01 +0100 Subject: Create Base Files --- docs/Control.md | 0 docs/Crypto.md | 0 docs/README.md | 5 +++++ docs/Updates.md | 0 docs/dsp.md | 0 5 files changed, 5 insertions(+) create mode 100644 docs/Control.md create mode 100644 docs/Crypto.md create mode 100644 docs/README.md create mode 100644 docs/Updates.md create mode 100644 docs/dsp.md diff --git a/docs/Control.md b/docs/Control.md new file mode 100644 index 0000000..e69de29 diff --git a/docs/Crypto.md b/docs/Crypto.md new file mode 100644 index 0000000..e69de29 diff --git a/docs/README.md b/docs/README.md new file mode 100644 index 0000000..83ab4e4 --- /dev/null +++ b/docs/README.md 
@@ -0,0 +1,5 @@ +# Documentation of all the discoveries about Quad Cortex + +## General Info + +## Misc Info diff --git a/docs/Updates.md b/docs/Updates.md new file mode 100644 index 0000000..e69de29 diff --git a/docs/dsp.md b/docs/dsp.md new file mode 100644 index 0000000..e69de29 -- cgit v1.2.3 From 7d15103bfbd00a096e460972a214f0f3b5a8cdff Mon Sep 17 00:00:00 2001 From: Judah Fuller Date: Wed, 26 Apr 2023 14:05:35 +0100 Subject: Create a Duplicate readme keeping the detailed info --- README Detailed.md | 302 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 302 insertions(+) create mode 100644 README Detailed.md diff --git a/README Detailed.md b/README Detailed.md new file mode 100644 index 0000000..292c507 --- /dev/null +++ b/README Detailed.md 
@@ -0,0 +1,302 @@ +# OpenCortex + +[![Discord Banner 1](https://discordapp.com/api/guilds/1064519311567360031/widget.png?style=banner2)](https://discord.gg/ef2gBDDSkm) + +## A project that opens your Quad Cortex for homebrew software + +Developing good software is hard, waiting for it might sometimes be equally as hard. With this project waiting might come to an end. Ever wondered: "A desktop file manager or editor might be useful"? You probably have at this point. The goal of OpenCortex is to open up the Quad Cortex and write the software as a community. This way we can get a taste of what is comming and maybe inspire new innovative features. Also if for some reason software support would be dropped , the maintenance could be continued by the community. It also drops the dependecy on the Cortex Cloud for preset sharing. For me personally, it's an awesome way to learn about embedded Linux and many more things. + +### Disclaimer + +I am not responsible for any damage that might be done to your unit, software. Doing this might have the potential to void your warranty. This is a project for enthousiasts who like to tinker like myself. I do not intend to cause any difficulties for NDSP / myself and will approach this from an ethical standpoint. I do not condone any misuse of this project. This is purely for educational and quality of life purposes only. + +### To NDSP + +Unforunately it seems we got of on the wrong foot, for context I (Thomas) got banned on the Discord server for showing a 9 second clip of the RDP solution working and receiving a very positive reaction from the rest of the community. We respect the stance on the matter but not how it was handled. After all, no rules were breached. +**Here I want to make clear we are willing to go into open dialog and plan to be 100% transparent about everything as we strongly believe we can provide some very valuable knowledge and advise. 
This only benefits all of us, including the community, which is the #1 priority** + +## Table of contents + +- [Summary](https://github.com/VanIseghemThomas/OpenCortex#summary) + +- [Opening a shell and gaining root access](https://github.com/VanIseghemThomas/OpenCortex#opening-a-shell-and-gaining-root-access) + +- [File access](https://github.com/VanIseghemThomas/OpenCortex#file-access) + +- [Editing the default model names](https://github.com/VanIseghemThomas/OpenCortex#editing-the-default-model-names) + +- [External editor (VNC)](https://github.com/VanIseghemThomas/OpenCortex#external-editor-vnc) + +## Summary + +### What is already possible (or in better terms discovered) + +Before I start of listing everything that is discovered, I want to make clear that this is currently a 2 man project and we're doing our best to do as much as possible in the time we've got available. A lot of things are still in progress but every day new things get discovered. There is a lot to look at and not everything can be done at the same time. we'll try to prioritise but roadblocks will be hit. + +**Everything you see here is tested as working in practice.** + +- Gaining persistent access over a network connection. + +- Building an RDP solution to use the native CorOS UI live on your pc. + +- Renaming the built in amps, pedals, etc. to whatever you like. (reboot required for changes to take effect) + +- Getting access to your backup to keep it yourself. + +- Deleting / adding presets from another device without reboot. + +- Detecting preset switches and which one is loaded. + +- Calibrating / testing the touchscreen + +- Running a webserver + +### Currently being worked on + +- Building a Discord server + + - Free from any censorship about the QC + +- Managing your files. + + - Manual backup management (Is it possible to load a backup saved externally? From what I've already seen, yes!) + + - Captures are currently unsolved. 
They seem to be encrypted (for good reasons) and I don't know (yet) how they are referenced inside presets. But since the contents aren't really relevant, I just need to find a way to reference the files correctly. + +- Creating an external file manager + + - It is now possible to view the available presets given the XML file. In the future this will be fetched from an API running on the QC + +- Creating an external editor + + - Preset file stucture is fully reverse-engineered. + + - Building the UI + + - Testing external editing of presets and it's limitations. + +### Things that might work in the future + +- Creating an external controller: it is possible to detect preset changes and which preset is currently loaded. This can be used together with MIDI commands to create a controller that could display the current preset (like the Kemper controller). + +- Bluetooth: I've stumbled upon some references to bluetooth but haven't looked into it. As far as I know it doesn't have the hardware for it, but maybe it secretly does? + +- USB connectivity: Haven't looked into this at all but this may end up in having some interesting things uncovered. + +- Remote brightness control: saw some interesting references but haven't looked into it yet. + +- SD-card upgrade: on paper, when partitioning the SD-card correctly and flashing those with the corresponding .img files (you can clone from the original), you should be able to + +- Creating a OpenCortex update URL that can be accessed by the native update menu. + +- Expanding preset slots + + - Got a pretty good idea how this can be done, still have to confirm it working. + +## Opening a shell and gaining root access + +When searching for updates, the Quad Cortex uses a Python script to query NDSP's API for new updates. This can be used as an entry point for running custom code. We will swap out this file out for a custom Python script that allows us to open a reverse shell. 
We can use that reverse shell to give us persistent access. + +### Step 1: take out the SD-card + +Have you ever noticed that a Raspberry-Pi uses an SD-card to boot from, well the QC does pretty much the same in a bit more sophisticated way. I could go into detail how this works but that's for another section. + +#### Before continuing make sure the QC is off and unplugged + +To get access to the SD-card, you'll have to take of the back of the QC. This is easily done by unscrewing the 4 screws in the corners. Once open, you should see the SD-card in it's slot with a retainer around it. Unscrew the retainer to get access to the SD-card. Now you can push on the SD-card to get it out. + +### Step 2: mounting the SD-card + +**For this step it is useful to have a Linux system to work from.** +When plugging the SD-card into your PC running Windows, it will prompt you that the SD-card is broken and you should format it. **Do not do this!** The reason it does this, is because you're trying to read Linux filesystems that are not supported on Windows. There might be ways to get around that but I'd still recommend just using a Linux system (or a VM) to do this. The guide will continue with this assumption. + +When plugging it into your PC running Linux, you should see 3 partitions being mounted in your file manager. With a bit of luck there might be 4. + +The SD-card does in fact contain 4 partitions: + +```bash + Device Boot Start End Blocks Id System +/dev/mmcblk0p1 33 32800 1048576 83 Linux +Partition 1 does not end on cylinder boundary +/dev/mmcblk0p2 32801 65568 1048576 83 Linux +Partition 2 does not end on cylinder boundary +/dev/mmcblk0p3 65569 67616 65536 c Win95 FAT32 (LBA) +Partition 3 does not end on cylinder boundary +/dev/mmcblk0p4 67617 973968 29003264 83 Linux +``` + +these are used for various things. The ones we are interested in, are the first 2. Upon closer investigation you will realize 2 things. They are Linux installs and they seem to be identical. 
+ +The partition we are interrested in, is the first one. This is the partition the QC will use to run it's software. The second one is for redundancy when something goes wrong in the update process from what I understand. + +### Step 2.5: optional + +**Recommended:** Clone the drive partitions as .img files in case something goes wrong. + +**Not Recommended:** If you want to open up the QC and take out the SD-card everytime you want to change something, you can skip the next steps and go to _Editing the default model names_ + +### Step 3: installing the exploit + +**Warning! Do not install this file from any shady places and verify the code matches the repository's code. This can be used to leak some very personal information present on the QC.** + +Once inside the first partition, you want to go to the following path: `/opt/neuraldsp`. In here you will see a file called `cloud_updater.py`. **Make sure to back this up!** You will need to temporarily change this out for the `cloud_updater_custom.py` file inside this repo. Before you change this out, you will have to edit the file. + +The `cloud_updater_custom.py` script, opens a simple reverse shell. In order for this to work, we have to listen for a reverse shell to be spawned on our PC. The script needs to now where to connect to. This is where we edit the 2 lines. At the top of the file you should see 2 variables, edit these accordingly. + +```python +YOUR_IP = "192.168.1.2" # <--- Edit this to match your PC's ip. Make sure it's on the same subnet. +YOUR_PORT = 4444 # Can stay the same or something else, rember what this is +``` + +Once that's done, we can put the `cloud_updater_custom.py` file and take out the `cloud_updater.py` file. Again make sure you keep this file! I suggest you save this copy as `cloud_updater_backup.py` and keep it on the QC and also on your own PC. Now rename the `cloud_updater_custom.py` to `cloud_updater.py`. 
Next time you go to check for updates on the QC, your custom code will be ran. + +You can put the SD-card back in the QC and screw the lid back on. + +### Step 4: running the exploit + +Note: this might not work if an actual update is available. + +[Looking into creating a custom message, if this works update the documentation] + +Before doing that, we'll need to listen for the reverse shell. This can be done using a tool called netcat. Open up a terminal and type `nc -lvnp 4444` (or your custom set port). + +Now on the QC, go to `Settings -> Device Options -> Device Updates`. When you press the button to start looking for updates, your PC should open a reverse shell. + +It should look something like this: + +```console +thomas@pop-os:~/Repos/OpenCortex$ nc -lvp 4444 +Listening on 0.0.0.0 4444 +Connection received on 192.168.1.236 52824 +/bin/sh: can't access tty; job control turned off +/opt/neuraldsp # +``` + +#### Congratulations, you are now inside your Quad Cortex + +Make sure to be responsible now. + +### Step 5: persistent access + +[This might be automated in the future using the exploit script] + +When running the `whoami` commmand, you can see that the Python script was being ran as root. This means you now have root access! With this you can do pretty much anything you want, including changing the password to something else. + +Run the command `passwd`. This will prompt you to change the root user's password, without confirming the current password. + +You are now able to connect to your QC using SSH as root! Isn't that wonderfull! But you may find it won't work for you. No worries this is normal. SSH defaults to port 22. At some point, the QC actually had SSH running on the default port 22 (alongside FTP), but they got rid of those services. So I thought. After a little digging inside the SSH files, I figured out that they didn't get rid of SSH, but they just moved it to port `57284`. 
+ +So to connect to your QC you can do the following + +_Ip address can be found under `settings -> Wi-Fi`_ + +```console +ssh root@ -p 57284 +``` + +It will prompt you for your password and after that for a fingerprint, just type "yes", enter and: + +```console +Welcome to + _ _ _ ______ ___________ +| \ | | | | | _ \/ ___| ___ \ +| \| | ___ _ _ _ __ __ _| | | | | |\ `--.| |_/ / +| . ` |/ _ \ | | | '__/ _` | | | | | | `--. \ __/ +| |\ | __/ |_| | | | (_| | | | |/ / /\__/ / | +\_| \_/\___|\__,_|_| \__,_|_| |___/ \____/\_| + Quad Cortex +# +``` + +#### BOOM WE'RE IN + +Now time for some cleanup. + +### Step 6: restoring the update script + +Now that you have persistent access, there is no need to have the exploit anymore. You can keep it, but it poses a security risk and disables the update functionality. + +To restore this, just remove the custom Python script, and replace it back with the original one. This can be done with the following commands: + +```console +rm cloud_updater.py +mv cloud_updater_backup.py cloud_updater.py +``` + +Now reboot the QC and test if the updater works like it's supposed to. + +## File access + +Still looking for the best way to do this, currenly using the `scp` command to send and receive files from the QC. + +Example usage: + +### from PC to QC + +```console +scp -P 57284 : +``` + +### from QC to PC + +```console +scp : +``` + +## Editing the default model names + +One thing bothering me (and I think a lot of other people) is the fact that companies like NDSP aren't allowed to ship their models under the real name it is based on. Luckly they keep track of it in the actual model list, but it isn't displayed to the user. + +The models and their respective categories, names and parameters, are stored inside `/opt/neuraldsp/ModelRepo.xml`. In order to rename these files to the real deal, you've got a couple of options. 
+ +- Rename them manually inside the XML file + +- Use the `model_renamer.py` script in this repo to generate the XML file + + - Usage: + + ```console + python model_renamer.py + ``` + +- Use the pre-generated XML file inside `Model Repositories` (make sure to match it to your CorOS verion) + +Now replace the `ModelRepo.xml` file inside `/opt/neuraldsp` with the new file. Make sure this is called `ModelRepo.xml`. + +Finally reboot your QC, now you should have all models (except captures) renamed to their real names. + +![IMG20221218151130](https://user-images.githubusercontent.com/55881698/208303182-8554e62c-96a9-41f2-be0d-1f1f4f564506.jpg) + +## External editor (VNC) + +![image](https://user-images.githubusercontent.com/55881698/214691276-bbd161bf-eb72-4f96-87ec-aa4255c75e7e.png) + +Since we've figured out how to cross-compile our own binaries, we were able to compile a VNC solution for the Quad Cortex. + +The VNC server we compiled is based on [this project](https://github.com/ponty/framebuffer-vncserver). We had to modify the source code a bit to make it work with the touchscreen. But besides that, it is identical. This patch was necesarry because the touchscreen doesn't report it's width and height in a propper way. + +**Note:** when connected to the QC over VNC, you might notice a dip in framerate on the device itself. This is normal. It is the device trying to encode the video feed and struggling. + +_[Installer and auto-run on boot will be added later]_ +_For now you can use it the manual way_ + +### Installation + +In the `External VNC` folder you will find the files `qc_vnc` and `libvncserver.so.1`. Move these to the following locations on the QC: + +- **qc_vnc:** `/bin` + +- **libvncserver.so.1**: `/lib` + +That's it. You can now start the server! 
+ +### Usage + +```console +qc_vnc -f /dev/fb0 -t /dev/input/event0 +``` + +## Accessing your backup + +Your backup is available as a compressed archive under `/media/p4/downloaded_backup.tar.gz` +It only contains your personal files such as captures, presets, ... It does not contain any system files, so it can't be modify -- cgit v1.2.3 From a448b26dcf1bb189d9eb3d873da519036b07273b Mon Sep 17 00:00:00 2001 From: Judah Fuller Date: Wed, 26 Apr 2023 14:06:54 +0100 Subject: Make the Readme MarkDown Lint compliant --- README.md | 49 +++++++++++++++++++++++-------------------------- 1 file changed, 23 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index 09766eb..292c507 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,6 @@ I am not responsible for any damage that might be done to your unit, software. D ### To NDSP Unforunately it seems we got of on the wrong foot, for context I (Thomas) got banned on the Discord server for showing a 9 second clip of the RDP solution working and receiving a very positive reaction from the rest of the community. We respect the stance on the matter but not how it was handled. After all, no rules were breached. - **Here I want to make clear we are willing to go into open dialog and plan to be 100% transparent about everything as we strongly believe we can provide some very valuable knowledge and advise. This only benefits all of us, including the community, which is the #1 priority** ## Table of contents @@ -52,7 +51,7 @@ Before I start of listing everything that is discovered, I want to make clear th - Running a webserver -## Currently being worked on +### Currently being worked on - Building a Discord server 
@@ -69,13 +68,14 @@ Before I start of listing everything that is discovered, I want to make clear th - It is now possible to view the available presets given the XML file. In the future this will be fetched from an API running on the QC - Creating an external editor + - Preset file stucture is fully reverse-engineered. - Building the UI - Testing external editing of presets and it's limitations. -## Things that might work in the future +### Things that might work in the future - Creating an external controller: it is possible to detect preset changes and which preset is currently loaded. This can be used together with MIDI commands to create a controller that could display the current preset (like the Kemper controller). 
@@ -93,21 +93,19 @@ Before I start of listing everything that is discovered, I want to make clear th - Got a pretty good idea how this can be done, still have to confirm it working. -# Opening a shell and gaining root access - -## Summary +## Opening a shell and gaining root access When searching for updates, the Quad Cortex uses a Python script to query NDSP's API for new updates. This can be used as an entry point for running custom code. We will swap out this file out for a custom Python script that allows us to open a reverse shell. We can use that reverse shell to give us persistent access. -## Step 1: take out the SD-card +### Step 1: take out the SD-card Have you ever noticed that a Raspberry-Pi uses an SD-card to boot from, well the QC does pretty much the same in a bit more sophisticated way. I could go into detail how this works but that's for another section. -### Before continuing make sure the QC is off and unplugged! +#### Before continuing make sure the QC is off and unplugged To get access to the SD-card, you'll have to take of the back of the QC. This is easily done by unscrewing the 4 screws in the corners. Once open, you should see the SD-card in it's slot with a retainer around it. Unscrew the retainer to get access to the SD-card. Now you can push on the SD-card to get it out. -## Step 2: mounting the SD-card +### Step 2: mounting the SD-card **For this step it is useful to have a Linux system to work from.** When plugging the SD-card into your PC running Windows, it will prompt you that the SD-card is broken and you should format it. **Do not do this!** The reason it does this, is because you're trying to read Linux filesystems that are not supported on Windows. There might be ways to get around that but I'd still recommend just using a Linux system (or a VM) to do this. The guide will continue with this assumption. 
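Review bot: In the `@@ -93,21 +93,19 @@` hunk, the power-off warning stays a heading and is only demoted to `#### Before continuing make sure the QC is off and unplugged`, so a safety instruction is still styled as a section title and shows up in the document outline, now without its `!`. Make it body text under `### Step 1: take out the SD-card`, for example `**Before continuing, make sure the QC is off and unplugged.**`, which keeps the emphasis and removes the need to strip the punctuation.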
@@ -116,7 +114,7 @@ When plugging it into your PC running Linux, you should see 3 partitions being m The SD-card does in fact contain 4 partitions: -``` +```bash Device Boot Start End Blocks Id System /dev/mmcblk0p1 33 32800 1048576 83 Linux Partition 1 does not end on cylinder boundary @@ -131,13 +129,13 @@ these are used for various things. The ones we are interested in, are the first The partition we are interrested in, is the first one. This is the partition the QC will use to run it's software. The second one is for redundancy when something goes wrong in the update process from what I understand. -## Step 2.5: optional +### Step 2.5: optional **Recommended:** Clone the drive partitions as .img files in case something goes wrong. **Not Recommended:** If you want to open up the QC and take out the SD-card everytime you want to change something, you can skip the next steps and go to _Editing the default model names_ -## Step 3: installing the exploit +### Step 3: installing the exploit **Warning! Do not install this file from any shady places and verify the code matches the repository's code. This can be used to leak some very personal information present on the QC.** @@ -154,7 +152,7 @@ Once that's done, we can put the `cloud_updater_custom.py` file and take out the You can put the SD-card back in the QC and screw the lid back on. -## Step 4: running the exploit +### Step 4: running the exploit Note: this might not work if an actual update is available. @@ -174,11 +172,11 @@ Connection received on 192.168.1.236 52824 /opt/neuraldsp # ``` -### Congratulations, you are now inside your Quad Cortex! +#### Congratulations, you are now inside your Quad Cortex Make sure to be responsible now. -## Step 5: persistent access +### Step 5: persistent access [This might be automated in the future using the exploit script] 
@@ -210,11 +208,11 @@ Welcome to # ``` -### BOOM WE'RE IN! +#### BOOM WE'RE IN Now time for some cleanup. -## Step 6: restoring the update script +### Step 6: restoring the update script Now that you have persistent access, there is no need to have the exploit anymore. You can keep it, but it poses a security risk and disables the update functionality. @@ -227,25 +225,25 @@ mv cloud_updater_backup.py cloud_updater.py Now reboot the QC and test if the updater works like it's supposed to. -# File access +## File access Still looking for the best way to do this, currenly using the `scp` command to send and receive files from the QC. Example usage: -#### from PC to QC: +### from PC to QC ```console scp -P 57284 : ``` -#### from QC to PC +### from QC to PC ```console scp : ``` -# Editing the default model names +## Editing the default model names One thing bothering me (and I think a lot of other people) is the fact that companies like NDSP aren't allowed to ship their models under the real name it is based on. Luckly they keep track of it in the actual model list, but it isn't displayed to the user. @@ -269,7 +267,7 @@ Finally reboot your QC, now you should have all models (except captures) renamed ![IMG20221218151130](https://user-images.githubusercontent.com/55881698/208303182-8554e62c-96a9-41f2-be0d-1f1f4f564506.jpg) -# External editor (VNC) +## External editor (VNC) ![image](https://user-images.githubusercontent.com/55881698/214691276-bbd161bf-eb72-4f96-87ec-aa4255c75e7e.png) 
@@ -280,10 +278,9 @@ The VNC server we compiled is based on [this project](https://github.com/ponty/f **Note:** when connected to the QC over VNC, you might notice a dip in framerate on the device itself. This is normal. It is the device trying to encode the video feed and struggling. _[Installer and auto-run on boot will be added later]_ - _For now you can use it the manual way_ -## Installation +### Installation In the `External VNC` folder you will find the files `qc_vnc` and `libvncserver.so.1`. Move these to the following locations on the QC: @@ -293,13 +290,13 @@ In the `External VNC` folder you will find the files `qc_vnc` and `libvncserver. That's it. You can now start the server! -## Usage +### Usage ```console qc_vnc -f /dev/fb0 -t /dev/input/event0 ``` -# Accessing your backup +## Accessing your backup Your backup is available as a compressed archive under `/media/p4/downloaded_backup.tar.gz` It only contains your personal files such as captures, presets, ... It does not contain any system files, so it can't be modify -- cgit v1.2.3 From 006ed3ec28e3211a02fdb9baee1aba77581592d7 Mon Sep 17 00:00:00 2001 
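Review bot: In the `@@ -116,7 +114,7 @@` hunk of the "Make the Readme MarkDown Lint compliant" patch, the new fence tag `bash` does not match the block: the content is the partition listing (`Device Boot Start End Blocks Id System`, `/dev/mmcblk0p1 ...`), which is program output, not a script, and will be highlighted as if it were commands. Use `text`, or `console` as the other terminal transcripts in this README already do.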
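Review bot: In the `@@ -280,10 +278,9 @@` hunk, deleting the blank line between `_[Installer and auto-run on boot will be added later]_` and `_For now you can use it the manual way_` joins the two into a single paragraph, so they render as one run-on line; the `@@ -13,7 +13,6 @@` hunk does the same to the bold statement under `### To NDSP`, which now continues the sentence ending "no rules were breached." Keep one blank line between them in both places, or end the first line with an explicit line break if they are meant to stay together.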
From: Judah Fuller Date: Wed, 26 Apr 2023 17:34:37 +0100 Subject: Auto stash before merge of "Docs" and "upstream/main" --- README Detailed.md | 302 ----------------------------------------- README.md | 104 ++------------ README_Detailed.md | 287 +++++++++++++++++++++++++++++++++++++++ docs/README.md | 5 - docs/consumer/Model_Renamer.md | 22 +++ docs/consumer/VNC.md | 23 ++++ docs/dev/Control.md | 0 docs/dev/Crypto.md | 0 docs/dev/README.md | 5 + docs/dev/Updates.md | 0 docs/dev/dsp.md | 0 11 files changed, 346 insertions(+), 402 deletions(-) delete mode 100644 README Detailed.md create mode 100644 README_Detailed.md delete mode 100644 docs/README.md create mode 100644 docs/consumer/Model_Renamer.md create mode 100644 docs/consumer/VNC.md create mode 100644 docs/dev/Control.md create mode 100644 docs/dev/Crypto.md create mode 100644 docs/dev/README.md create mode 100644 docs/dev/Updates.md create mode 100644 docs/dev/dsp.md diff --git a/README Detailed.md b/README Detailed.md deleted file mode 100644 index 292c507..0000000 --- a/README Detailed.md +++ /dev/null 
@@ -1,302 +0,0 @@ -# OpenCortex - -[![Discord Banner 1](https://discordapp.com/api/guilds/1064519311567360031/widget.png?style=banner2)](https://discord.gg/ef2gBDDSkm) - -## A project that opens your Quad Cortex for homebrew software - -Developing good software is hard, waiting for it might sometimes be equally as hard. With this project waiting might come to an end. Ever wondered: "A desktop file manager or editor might be useful"? You probably have at this point. The goal of OpenCortex is to open up the Quad Cortex and write the software as a community. This way we can get a taste of what is comming and maybe inspire new innovative features. Also if for some reason software support would be dropped , the maintenance could be continued by the community. It also drops the dependecy on the Cortex Cloud for preset sharing. For me personally, it's an awesome way to learn about embedded Linux and many more things. - -### Disclaimer - -I am not responsible for any damage that might be done to your unit, software. Doing this might have the potential to void your warranty. This is a project for enthousiasts who like to tinker like myself. I do not intend to cause any difficulties for NDSP / myself and will approach this from an ethical standpoint. I do not condone any misuse of this project. This is purely for educational and quality of life purposes only. - -### To NDSP - -Unforunately it seems we got of on the wrong foot, for context I (Thomas) got banned on the Discord server for showing a 9 second clip of the RDP solution working and receiving a very positive reaction from the rest of the community. We respect the stance on the matter but not how it was handled. After all, no rules were breached. -**Here I want to make clear we are willing to go into open dialog and plan to be 100% transparent about everything as we strongly believe we can provide some very valuable knowledge and advise. 
This only benefits all of us, including the community, which is the #1 priority** - -## Table of contents - -- [Summary](https://github.com/VanIseghemThomas/OpenCortex#summary) - -- [Opening a shell and gaining root access](https://github.com/VanIseghemThomas/OpenCortex#opening-a-shell-and-gaining-root-access) - -- [File access](https://github.com/VanIseghemThomas/OpenCortex#file-access) - -- [Editing the default model names](https://github.com/VanIseghemThomas/OpenCortex#editing-the-default-model-names) - -- [External editor (VNC)](https://github.com/VanIseghemThomas/OpenCortex#external-editor-vnc) - -## Summary - -### What is already possible (or in better terms discovered) - -Before I start of listing everything that is discovered, I want to make clear that this is currently a 2 man project and we're doing our best to do as much as possible in the time we've got available. A lot of things are still in progress but every day new things get discovered. There is a lot to look at and not everything can be done at the same time. we'll try to prioritise but roadblocks will be hit. - -**Everything you see here is tested as working in practice.** - -- Gaining persistent access over a network connection. - -- Building an RDP solution to use the native CorOS UI live on your pc. - -- Renaming the built in amps, pedals, etc. to whatever you like. (reboot required for changes to take effect) - -- Getting access to your backup to keep it yourself. - -- Deleting / adding presets from another device without reboot. - -- Detecting preset switches and which one is loaded. - -- Calibrating / testing the touchscreen - -- Running a webserver - -### Currently being worked on - -- Building a Discord server - - - Free from any censorship about the QC - -- Managing your files. - - - Manual backup management (Is it possible to load a backup saved externally? From what I've already seen, yes!) - - - Captures are currently unsolved. 
They seem to be encrypted (for good reasons) and I don't know (yet) how they are referenced inside presets. But since the contents aren't really relevant, I just need to find a way to reference the files correctly. - -- Creating an external file manager - - - It is now possible to view the available presets given the XML file. In the future this will be fetched from an API running on the QC - -- Creating an external editor - - - Preset file stucture is fully reverse-engineered. - - - Building the UI - - - Testing external editing of presets and it's limitations. - -### Things that might work in the future - -- Creating an external controller: it is possible to detect preset changes and which preset is currently loaded. This can be used together with MIDI commands to create a controller that could display the current preset (like the Kemper controller). - -- Bluetooth: I've stumbled upon some references to bluetooth but haven't looked into it. As far as I know it doesn't have the hardware for it, but maybe it secretly does? - -- USB connectivity: Haven't looked into this at all but this may end up in having some interesting things uncovered. - -- Remote brightness control: saw some interesting references but haven't looked into it yet. - -- SD-card upgrade: on paper, when partitioning the SD-card correctly and flashing those with the corresponding .img files (you can clone from the original), you should be able to - -- Creating a OpenCortex update URL that can be accessed by the native update menu. - -- Expanding preset slots - - - Got a pretty good idea how this can be done, still have to confirm it working. - -## Opening a shell and gaining root access - -When searching for updates, the Quad Cortex uses a Python script to query NDSP's API for new updates. This can be used as an entry point for running custom code. We will swap out this file out for a custom Python script that allows us to open a reverse shell. 
We can use that reverse shell to give us persistent access. - -### Step 1: take out the SD-card - -Have you ever noticed that a Raspberry-Pi uses an SD-card to boot from, well the QC does pretty much the same in a bit more sophisticated way. I could go into detail how this works but that's for another section. - -#### Before continuing make sure the QC is off and unplugged - -To get access to the SD-card, you'll have to take of the back of the QC. This is easily done by unscrewing the 4 screws in the corners. Once open, you should see the SD-card in it's slot with a retainer around it. Unscrew the retainer to get access to the SD-card. Now you can push on the SD-card to get it out. - -### Step 2: mounting the SD-card - -**For this step it is useful to have a Linux system to work from.** -When plugging the SD-card into your PC running Windows, it will prompt you that the SD-card is broken and you should format it. **Do not do this!** The reason it does this, is because you're trying to read Linux filesystems that are not supported on Windows. There might be ways to get around that but I'd still recommend just using a Linux system (or a VM) to do this. The guide will continue with this assumption. - -When plugging it into your PC running Linux, you should see 3 partitions being mounted in your file manager. With a bit of luck there might be 4. - -The SD-card does in fact contain 4 partitions: - -```bash - Device Boot Start End Blocks Id System -/dev/mmcblk0p1 33 32800 1048576 83 Linux -Partition 1 does not end on cylinder boundary -/dev/mmcblk0p2 32801 65568 1048576 83 Linux -Partition 2 does not end on cylinder boundary -/dev/mmcblk0p3 65569 67616 65536 c Win95 FAT32 (LBA) -Partition 3 does not end on cylinder boundary -/dev/mmcblk0p4 67617 973968 29003264 83 Linux -``` - -these are used for various things. The ones we are interested in, are the first 2. Upon closer investigation you will realize 2 things. They are Linux installs and they seem to be identical. 
- -The partition we are interrested in, is the first one. This is the partition the QC will use to run it's software. The second one is for redundancy when something goes wrong in the update process from what I understand. - -### Step 2.5: optional - -**Recommended:** Clone the drive partitions as .img files in case something goes wrong. - -**Not Recommended:** If you want to open up the QC and take out the SD-card everytime you want to change something, you can skip the next steps and go to _Editing the default model names_ - -### Step 3: installing the exploit - -**Warning! Do not install this file from any shady places and verify the code matches the repository's code. This can be used to leak some very personal information present on the QC.** - -Once inside the first partition, you want to go to the following path: `/opt/neuraldsp`. In here you will see a file called `cloud_updater.py`. **Make sure to back this up!** You will need to temporarily change this out for the `cloud_updater_custom.py` file inside this repo. Before you change this out, you will have to edit the file. - -The `cloud_updater_custom.py` script, opens a simple reverse shell. In order for this to work, we have to listen for a reverse shell to be spawned on our PC. The script needs to now where to connect to. This is where we edit the 2 lines. At the top of the file you should see 2 variables, edit these accordingly. - -```python -YOUR_IP = "192.168.1.2" # <--- Edit this to match your PC's ip. Make sure it's on the same subnet. -YOUR_PORT = 4444 # Can stay the same or something else, rember what this is -``` - -Once that's done, we can put the `cloud_updater_custom.py` file and take out the `cloud_updater.py` file. Again make sure you keep this file! I suggest you save this copy as `cloud_updater_backup.py` and keep it on the QC and also on your own PC. Now rename the `cloud_updater_custom.py` to `cloud_updater.py`. 
Next time you go to check for updates on the QC, your custom code will be ran. - -You can put the SD-card back in the QC and screw the lid back on. - -### Step 4: running the exploit - -Note: this might not work if an actual update is available. - -[Looking into creating a custom message, if this works update the documentation] - -Before doing that, we'll need to listen for the reverse shell. This can be done using a tool called netcat. Open up a terminal and type `nc -lvnp 4444` (or your custom set port). - -Now on the QC, go to `Settings -> Device Options -> Device Updates`. When you press the button to start looking for updates, your PC should open a reverse shell. - -It should look something like this: - -```console -thomas@pop-os:~/Repos/OpenCortex$ nc -lvp 4444 -Listening on 0.0.0.0 4444 -Connection received on 192.168.1.236 52824 -/bin/sh: can't access tty; job control turned off -/opt/neuraldsp # -``` - -#### Congratulations, you are now inside your Quad Cortex - -Make sure to be responsible now. - -### Step 5: persistent access - -[This might be automated in the future using the exploit script] - -When running the `whoami` commmand, you can see that the Python script was being ran as root. This means you now have root access! With this you can do pretty much anything you want, including changing the password to something else. - -Run the command `passwd`. This will prompt you to change the root user's password, without confirming the current password. - -You are now able to connect to your QC using SSH as root! Isn't that wonderfull! But you may find it won't work for you. No worries this is normal. SSH defaults to port 22. At some point, the QC actually had SSH running on the default port 22 (alongside FTP), but they got rid of those services. So I thought. After a little digging inside the SSH files, I figured out that they didn't get rid of SSH, but they just moved it to port `57284`. 
- -So to connect to your QC you can do the following - -_Ip address can be found under `settings -> Wi-Fi`_ - -```console -ssh root@ -p 57284 -``` - -It will prompt you for your password and after that for a fingerprint, just type "yes", enter and: - -```console -Welcome to - _ _ _ ______ ___________ -| \ | | | | | _ \/ ___| ___ \ -| \| | ___ _ _ _ __ __ _| | | | | |\ `--.| |_/ / -| . ` |/ _ \ | | | '__/ _` | | | | | | `--. \ __/ -| |\ | __/ |_| | | | (_| | | | |/ / /\__/ / | -\_| \_/\___|\__,_|_| \__,_|_| |___/ \____/\_| - Quad Cortex -# -``` - -#### BOOM WE'RE IN - -Now time for some cleanup. - -### Step 6: restoring the update script - -Now that you have persistent access, there is no need to have the exploit anymore. You can keep it, but it poses a security risk and disables the update functionality. - -To restore this, just remove the custom Python script, and replace it back with the original one. This can be done with the following commands: - -```console -rm cloud_updater.py -mv cloud_updater_backup.py cloud_updater.py -``` - -Now reboot the QC and test if the updater works like it's supposed to. - -## File access - -Still looking for the best way to do this, currenly using the `scp` command to send and receive files from the QC. - -Example usage: - -### from PC to QC - -```console -scp -P 57284 : -``` - -### from QC to PC - -```console -scp : -``` - -## Editing the default model names - -One thing bothering me (and I think a lot of other people) is the fact that companies like NDSP aren't allowed to ship their models under the real name it is based on. Luckly they keep track of it in the actual model list, but it isn't displayed to the user. - -The models and their respective categories, names and parameters, are stored inside `/opt/neuraldsp/ModelRepo.xml`. In order to rename these files to the real deal, you've got a couple of options. 
- -- Rename them manually inside the XML file - -- Use the `model_renamer.py` script in this repo to generate the XML file - - - Usage: - - ```console - python model_renamer.py - ``` - -- Use the pre-generated XML file inside `Model Repositories` (make sure to match it to your CorOS verion) - -Now replace the `ModelRepo.xml` file inside `/opt/neuraldsp` with the new file. Make sure this is called `ModelRepo.xml`. - -Finally reboot your QC, now you should have all models (except captures) renamed to their real names. - -![IMG20221218151130](https://user-images.githubusercontent.com/55881698/208303182-8554e62c-96a9-41f2-be0d-1f1f4f564506.jpg) - -## External editor (VNC) - -![image](https://user-images.githubusercontent.com/55881698/214691276-bbd161bf-eb72-4f96-87ec-aa4255c75e7e.png) - -Since we've figured out how to cross-compile our own binaries, we were able to compile a VNC solution for the Quad Cortex. - -The VNC server we compiled is based on [this project](https://github.com/ponty/framebuffer-vncserver). We had to modify the source code a bit to make it work with the touchscreen. But besides that, it is identical. This patch was necesarry because the touchscreen doesn't report it's width and height in a propper way. - -**Note:** when connected to the QC over VNC, you might notice a dip in framerate on the device itself. This is normal. It is the device trying to encode the video feed and struggling. - -_[Installer and auto-run on boot will be added later]_ -_For now you can use it the manual way_ - -### Installation - -In the `External VNC` folder you will find the files `qc_vnc` and `libvncserver.so.1`. Move these to the following locations on the QC: - -- **qc_vnc:** `/bin` - -- **libvncserver.so.1**: `/lib` - -That's it. You can now start the server! 
- -### Usage - -```console -qc_vnc -f /dev/fb0 -t /dev/input/event0 -``` - -## Accessing your backup - -Your backup is available as a compressed archive under `/media/p4/downloaded_backup.tar.gz` -It only contains your personal files such as captures, presets, ... It does not contain any system files, so it can't be modify diff --git a/README.md b/README.md index 8b8be13..d53b998 100644 --- a/README.md +++ b/README.md 
@@ -31,74 +31,48 @@ Unforunately it seems we got of on the wrong foot, for context I (Thomas) got ba ### What is already possible (or in better terms discovered) -Before I start of listing everything that is discovered, I want to make clear that this is currently a 2 man project and we're doing our best to do as much as possible in the time we've got available. A lot of things are still in progress but every day new things get discovered. There is a lot to look at and not everything can be done at the same time. we'll try to prioritise but roadblocks will be hit. +Before I start of listing everything that is discovered, I want to make clear that this project has a small team and we're doing our best to do as much as possible in the time we've got available. A lot of things are still in progress but every day new things get discovered. There is a lot to look at and not everything can be done at the same time. we'll try to prioritise but roadblocks will be hit. **Everything you see here is tested as working in practice.** - Gaining persistent access over a network connection. - - Building an RDP solution to use the native CorOS UI live on your pc. - - Renaming the built in amps, pedals, etc. to whatever you like. (reboot required for changes to take effect) - - Getting access to your backup to keep it yourself. - - Deleting / adding presets from another device without reboot. - - Detecting preset switches and which one is loaded. - - Calibrating / testing the touchscreen - - Running a webserver +- Building a Discord server (lots of dev work is now done here) +- Captures are currently unsolved now solved. They can be decrypted using the [OpenCortex decryptor](https://vaniseghemthomas.github.io/OpenCortex/File-decryption/webapp/). ### Currently being worked on -- Building a Discord server - - - Free from any censorship about the QC - -- Managing your files. - - - Manual backup management (Is it possible to load a backup saved externally? 
From what I've already seen, yes!) - - - Captures are currently unsolved. They seem to be encrypted (for good reasons) and I don't know (yet) how they are referenced inside presets. But since the contents aren't really relevant, I just need to find a way to reference the files correctly. - +- Manual backup management (Is it possible to load a backup saved externally? From what I've already seen, yes!) - Creating an external file manager - It is now possible to view the available presets given the XML file. In the future this will be fetched from an API running on the QC - Creating an external editor - - Preset file stucture is fully reverse-engineered. - - Building the UI - - Testing external editing of presets and it's limitations. ### Things that might work in the future - Creating an external controller: it is possible to detect preset changes and which preset is currently loaded. This can be used together with MIDI commands to create a controller that could display the current preset (like the Kemper controller). - -- Bluetooth: I've stumbled upon some references to bluetooth but haven't looked into it. As far as I know it doesn't have the hardware for it, but maybe it secretly does? - -- USB connectivity: Haven't looked into this at all but this may end up in having some interesting things uncovered. - -- Remote brightness control: saw some interesting references but haven't looked into it yet. - -- SD-card upgrade: on paper, when partitioning the SD-card correctly and flashing those with the corresponding .img files (you can clone from the original), you should be able to - +- Bluetooth +- Custom USB connectivity +- Remote brightness control +- SD-card upgrade - Creating a OpenCortex update URL that can be accessed by the native update menu. - - Expanding preset slots - - Got a pretty good idea how this can be done, still have to confirm it working. 
## Opening a shell and gaining root access ### Step 1: take out the SD-card -Have you ever noticed that a Raspberry-Pi uses an SD-card to boot from, well the QC does pretty much the same in a bit more sophisticated way. I could go into detail how this works but that's for another section. - #### Before continuing make sure the QC is off and unplugged To get access to the SD-card, you'll have to take of the back of the QC. This is easily done by unscrewing the 4 screws in the corners. Once open, you should see the SD-card in it's slot with a retainer around it. Unscrew the retainer to get access to the SD-card. Now you can push on the SD-card to get it out. @@ -110,8 +84,6 @@ When plugging the SD-card into your PC running Windows, it will prompt you that When plugging it into your PC running Linux, you should see 3 partitions being mounted in your file manager. With a bit of luck there might be 4. -The SD-card does in fact contain 4 partitions: - ```bash Device Boot Start End Blocks Id System /dev/mmcblk0p1 33 32800 1048576 83 Linux @@ -123,14 +95,11 @@ Partition 3 does not end on cylinder boundary /dev/mmcblk0p4 67617 973968 29003264 83 Linux ``` -these are used for various things. The ones we are interested in, are the first 2. Upon closer investigation you will realize 2 things. They are Linux installs and they seem to be identical. - The partition we are interrested in, is the first one. This is the partition the QC will use to run it's software. The second one is for redundancy when something goes wrong in the update process from what I understand. ### Step 2.5: optional **Recommended:** Clone the drive partitions as .img files in case something goes wrong. - **Not Recommended:** If you want to open up the QC and take out the SD-card everytime you want to change something, you can skip the next steps and go to _Editing the default model names_ ## Step 3: swapping out the shadow file 
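Review bot: In the `README.md` hunk `@@ -31,74 +31,48 @@`, the added bullet `- Captures are currently unsolved now solved.` carries the old wording alongside the new and contradicts itself; it should read along the lines of `- Captures are now solved.` followed by the decryptor sentence. The same hunk places `- Building a Discord server` under `**Everything you see here is tested as working in practice.**`, a list that otherwise describes what can be done on the device, so it would sit better outside that list.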
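Review bot: In the `@@ -123,14 +95,11 @@` hunk, removing the blank line between the `**Recommended:**` and `**Not Recommended:**` lines makes Markdown render them as one paragraph, so the advice to clone the partitions runs straight into the instruction to skip ahead. Keep the blank line or turn the two into list items. The context line `## Step 3: swapping out the shadow file` is also one level above `### Step 2.5: optional` and `### Step 4: persistent access` and should be `###`.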
@@ -145,9 +114,7 @@ You will be able to log in with this password when using SSH. ### Step 4: persistent access -You are now able to connect to your QC using SSH as root! Isn't that wonderfull! But you may find it won't work for you. No worries this is normal. SSH defaults to port 22. At some point, the QC actually had SSH running on the default port 22 (alongside FTP), but they got rid of those services. So I thought. After a little digging inside the SSH files, I figured out that they didn't get rid of SSH, but they just moved it to port `57284`. - -So to connect to your QC you can do the following +You are now able to connect to your QC using SSH as root! But you may find it won't work for you. SSH defaults to port 22, but the QC uses port `57284` for SSH. So to connect to your QC you can do the following: _Ip address can be found under `settings -> Wi-Fi`_ 
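Review bot: In the `@@ -145,9 +114,7 @@` hunk, the rewritten Step 4 keeps "But you may find it won't work for you" after deleting the explanation that followed it, so the paragraph announces a failure without saying that it is the attempt on the default port that fails. Something like "SSH on the QC listens on port `57284`, not the default 22, so pass the port explicitly:" says the same in one sentence. Since this step leaves root reachable over SSH with the password from Step 3 (`You will be able to log in with this password when using SSH.`), it is also the place to tell readers to run `passwd` after the first login if that password is not one they chose themselves.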
@@ -195,59 +162,6 @@ scp -P 57284 : scp : ``` -## Editing the default model names - -One thing bothering me (and I think a lot of other people) is the fact that companies like NDSP aren't allowed to ship their models under the real name it is based on. Luckly they keep track of it in the actual model list, but it isn't displayed to the user. - -The models and their respective categories, names and parameters, are stored inside `/opt/neuraldsp/ModelRepo.xml`. In order to rename these files to the real deal, you've got a couple of options. - -- Rename them manually inside the XML file - -- Use the `model_renamer.py` script in this repo to generate the XML file - - - Usage: - - ```console - python model_renamer.py - ``` - -- Use the pre-generated XML file inside `Model Repositories` (make sure to match it to your CorOS verion) - -Now replace the `ModelRepo.xml` file inside `/opt/neuraldsp` with the new file. Make sure this is called `ModelRepo.xml`. - -Finally reboot your QC, now you should have all models (except captures) renamed to their real names. - -![IMG20221218151130](https://user-images.githubusercontent.com/55881698/208303182-8554e62c-96a9-41f2-be0d-1f1f4f564506.jpg) - -## External editor (VNC) - -![image](https://user-images.githubusercontent.com/55881698/214691276-bbd161bf-eb72-4f96-87ec-aa4255c75e7e.png) - -Since we've figured out how to cross-compile our own binaries, we were able to compile a VNC solution for the Quad Cortex. - -The VNC server we compiled is based on [this project](https://github.com/ponty/framebuffer-vncserver). We had to modify the source code a bit to make it work with the touchscreen. But besides that, it is identical. This patch was necesarry because the touchscreen doesn't report it's width and height in a propper way. - -**Note:** when connected to the QC over VNC, you might notice a dip in framerate on the device itself. This is normal. It is the device trying to encode the video feed and struggling. 
- -_[Installer and auto-run on boot will be added later]_ -_For now you can use it the manual way_ - -### Installation - -In the `External VNC` folder you will find the files `qc_vnc` and `libvncserver.so.1`. Move these to the following locations on the QC: - -- **qc_vnc:** `/bin` - -- **libvncserver.so.1**: `/lib` - -That's it. You can now start the server! - -### Usage - -```console -qc_vnc -f /dev/fb0 -t /dev/input/event0 -``` - ## Accessing your backup Your backup is available as a compressed archive under `/media/p4/downloaded_backup.tar.gz` diff --git a/README_Detailed.md b/README_Detailed.md new file mode 100644 index 0000000..bb08fb3 --- /dev/null +++ b/README_Detailed.md 
@@ -0,0 +1,287 @@ +# OpenCortex + +[![Discord Banner 1](https://discordapp.com/api/guilds/1064519311567360031/widget.png?style=banner2)](https://discord.gg/ef2gBDDSkm) + +## A project that opens your Quad Cortex for homebrew software + +Developing good software is hard, waiting for it might sometimes be equally as hard. With this project waiting might come to an end. Ever wondered: "A desktop file manager or editor might be useful"? You probably have at this point. The goal of OpenCortex is to open up the Quad Cortex and write the software as a community. This way we can get a taste of what is comming and maybe inspire new innovative features. Also if for some reason software support would be dropped , the maintenance could be continued by the community. It also drops the dependecy on the Cortex Cloud for preset sharing. For me personally, it's an awesome way to learn about embedded Linux and many more things. + +### Disclaimer + +I am not responsible for any damage that might be done to your unit, software. Doing this might have the potential to void your warranty. This is a project for enthousiasts who like to tinker like myself. I do not intend to cause any difficulties for NDSP / myself and will approach this from an ethical standpoint. I do not condone any misuse of this project. This is purely for educational and quality of life purposes only. + +### To NDSP + +Unforunately it seems we got of on the wrong foot, for context I (Thomas) got banned on the Discord server for showing a 9 second clip of the RDP solution working and receiving a very positive reaction from the rest of the community. We respect the stance on the matter but not how it was handled. After all, no rules were breached. +**Here I want to make clear we are willing to go into open dialog and plan to be 100% transparent about everything as we strongly believe we can provide some very valuable knowledge and advise. 
This only benefits all of us, including the community, which is the #1 priority** + +## Table of contents + +- [Summary](https://github.com/VanIseghemThomas/OpenCortex#summary) + +- [Opening a shell and gaining root access](https://github.com/VanIseghemThomas/OpenCortex#opening-a-shell-and-gaining-root-access) + +- [File access](https://github.com/VanIseghemThomas/OpenCortex#file-access) + +- [Editing the default model names](https://github.com/VanIseghemThomas/OpenCortex#editing-the-default-model-names) + +- [External editor (VNC)](https://github.com/VanIseghemThomas/OpenCortex#external-editor-vnc) + +## Summary + +### What is already possible (or in better terms discovered) + +Before I start of listing everything that is discovered, I want to make clear that this project has a small team and we're doing our best to do as much as possible in the time we've got available. A lot of things are still in progress but every day new things get discovered. There is a lot to look at and not everything can be done at the same time. we'll try to prioritise but roadblocks will be hit. + +**Everything you see here is tested as working in practice.** + +- Gaining persistent access over a network connection. +- Building an RDP solution to use the native CorOS UI live on your pc. +- Renaming the built in amps, pedals, etc. to whatever you like. (reboot required for changes to take effect) +- Getting access to your backup to keep it yourself. +- Deleting / adding presets from another device without reboot. +- Detecting preset switches and which one is loaded. +- Calibrating / testing the touchscreen +- Running a webserver +- Building a Discord server (lots of dev work is now done here) +- Captures are currently unsolved now solved. They can be decrypted using the [OpenCortex decryptor](https://vaniseghemthomas.github.io/OpenCortex/File-decryption/webapp/). + +### Currently being worked on + +- Managing your files. 
+ + - Manual backup management (Is it possible to load a backup saved externally? From what I've already seen, yes!) + +- Creating an external file manager + + - It is now possible to view the available presets given the XML file. In the future this will be fetched from an API running on the QC + +- Creating an external editor + - Preset file stucture is fully reverse-engineered. + - Building the UI + - Testing external editing of presets and it's limitations. + +### Things that might work in the future + +- Creating an external controller: it is possible to detect preset changes and which preset is currently loaded. This can be used together with MIDI commands to create a controller that could display the current preset (like the Kemper controller). + +- Bluetooth: I've stumbled upon some references to bluetooth but haven't looked into it. As far as I know it doesn't have the hardware for it, but maybe it secretly does? + +- USB connectivity: Haven't looked into this at all but this may end up in having some interesting things uncovered. + +- Remote brightness control: saw some interesting references but haven't looked into it yet. + +- SD-card upgrade: on paper, when partitioning the SD-card correctly and flashing those with the corresponding .img files (you can clone from the original), you should be able to + +- Creating a OpenCortex update URL that can be accessed by the native update menu. + +- Expanding preset slots + - Got a pretty good idea how this can be done, still have to confirm it working. + +## Opening a shell and gaining root access + +When searching for updates, the Quad Cortex uses a Python script to query NDSP's API for new updates. This can be used as an entry point for running custom code. We will swap out this file out for a custom Python script that allows us to open a reverse shell. We can use that reverse shell to give us persistent access. 
+ +### Step 1: take out the SD-card + +Have you ever noticed that a Raspberry-Pi uses an SD-card to boot from, well the QC does pretty much the same in a bit more sophisticated way. I could go into detail how this works but that's for another section. + +#### Before continuing make sure the QC is off and unplugged + +To get access to the SD-card, you'll have to take of the back of the QC. This is easily done by unscrewing the 4 screws in the corners. Once open, you should see the SD-card in it's slot with a retainer around it. Unscrew the retainer to get access to the SD-card. Now you can push on the SD-card to get it out. + +### Step 2: mounting the SD-card + +**For this step it is useful to have a Linux system to work from.** +When plugging the SD-card into your PC running Windows, it will prompt you that the SD-card is broken and you should format it. **Do not do this!** The reason it does this, is because you're trying to read Linux filesystems that are not supported on Windows. There might be ways to get around that but I'd still recommend just using a Linux system (or a VM) to do this. The guide will continue with this assumption. + +When plugging it into your PC running Linux, you should see 3 partitions being mounted in your file manager. With a bit of luck there might be 4. + +The SD-card does in fact contain 4 partitions: + +```bash + Device Boot Start End Blocks Id System +/dev/mmcblk0p1 33 32800 1048576 83 Linux +Partition 1 does not end on cylinder boundary +/dev/mmcblk0p2 32801 65568 1048576 83 Linux +Partition 2 does not end on cylinder boundary +/dev/mmcblk0p3 65569 67616 65536 c Win95 FAT32 (LBA) +Partition 3 does not end on cylinder boundary +/dev/mmcblk0p4 67617 973968 29003264 83 Linux +``` + +these are used for various things. The ones we are interested in, are the first 2. Upon closer investigation you will realize 2 things. They are Linux installs and they seem to be identical. + +The partition we are interrested in, is the first one. 
This is the partition the QC will use to run it's software. The second one is for redundancy when something goes wrong in the update process from what I understand. + +### Step 2.5: optional + +**Recommended:** Clone the drive partitions as .img files in case something goes wrong. + +**Not Recommended:** If you want to open up the QC and take out the SD-card everytime you want to change something, you can skip the next steps and go to _Editing the default model names_ + +### Step 3: installing the exploit + +**Warning! Do not install this file from any shady places and verify the code matches the repository's code. This can be used to leak some very personal information present on the QC.** + +Once inside the first partition, you want to go to the following path: `/opt/neuraldsp`. In here you will see a file called `cloud_updater.py`. **Make sure to back this up!** You will need to temporarily change this out for the `cloud_updater_custom.py` file inside this repo. Before you change this out, you will have to edit the file. + +The `cloud_updater_custom.py` script, opens a simple reverse shell. In order for this to work, we have to listen for a reverse shell to be spawned on our PC. The script needs to now where to connect to. This is where we edit the 2 lines. At the top of the file you should see 2 variables, edit these accordingly. + +```python +YOUR_IP = "192.168.1.2" # <--- Edit this to match your PC's ip. Make sure it's on the same subnet. +YOUR_PORT = 4444 # Can stay the same or something else, rember what this is +``` + +Once that's done, we can put the `cloud_updater_custom.py` file and take out the `cloud_updater.py` file. Again make sure you keep this file! I suggest you save this copy as `cloud_updater_backup.py` and keep it on the QC and also on your own PC. Now rename the `cloud_updater_custom.py` to `cloud_updater.py`. Next time you go to check for updates on the QC, your custom code will be ran. 
+ +You can put the SD-card back in the QC and screw the lid back on. + +### Step 4: running the exploit + +Note: this might not work if an actual update is available. + +[Looking into creating a custom message, if this works update the documentation] + +Before doing that, we'll need to listen for the reverse shell. This can be done using a tool called netcat. Open up a terminal and type `nc -lvnp 4444` (or your custom set port). + +Now on the QC, go to `Settings -> Device Options -> Device Updates`. When you press the button to start looking for updates, your PC should open a reverse shell. + +It should look something like this: + +```console +thomas@pop-os:~/Repos/OpenCortex$ nc -lvp 4444 +Listening on 0.0.0.0 4444 +Connection received on 192.168.1.236 52824 +/bin/sh: can't access tty; job control turned off +/opt/neuraldsp # +``` + +#### Congratulations, you are now inside your Quad Cortex + +Make sure to be responsible now. + +### Step 5: persistent access + +[This might be automated in the future using the exploit script] + +When running the `whoami` commmand, you can see that the Python script was being ran as root. This means you now have root access! With this you can do pretty much anything you want, including changing the password to something else. + +Run the command `passwd`. This will prompt you to change the root user's password, without confirming the current password. + +You are now able to connect to your QC using SSH as root! Isn't that wonderfull! But you may find it won't work for you. No worries this is normal. SSH defaults to port 22. At some point, the QC actually had SSH running on the default port 22 (alongside FTP), but they got rid of those services. So I thought. After a little digging inside the SSH files, I figured out that they didn't get rid of SSH, but they just moved it to port `57284`. 
+ +So to connect to your QC you can do the following + +_Ip address can be found under `settings -> Wi-Fi`_ + +```console +ssh root@ -p 57284 +``` + +It will prompt you for your password and after that for a fingerprint, just type "yes", enter and: + +```console +Welcome to + _ _ _ ______ ___________ +| \ | | | | | _ \/ ___| ___ \ +| \| | ___ _ _ _ __ __ _| | | | | |\ `--.| |_/ / +| . ` |/ _ \ | | | '__/ _` | | | | | | `--. \ __/ +| |\ | __/ |_| | | | (_| | | | |/ / /\__/ / | +\_| \_/\___|\__,_|_| \__,_|_| |___/ \____/\_| + Quad Cortex +# +``` + +#### BOOM WE'RE IN + +Now time for some cleanup. + +### Step 6: restoring the update script + +Now that you have persistent access, there is no need to have the exploit anymore. You can keep it, but it poses a security risk and disables the update functionality. + +To restore this, just remove the custom Python script, and replace it back with the original one. This can be done with the following commands: + +```console +rm cloud_updater.py +mv cloud_updater_backup.py cloud_updater.py +``` + +Now reboot the QC and test if the updater works like it's supposed to. + +## File access + +Still looking for the best way to do this, currenly using the `scp` command to send and receive files from the QC. + +Example usage: + +### from PC to QC + +```console +scp -P 57284 : +``` + +### from QC to PC + +```console +scp : +``` + +## Editing the default model names + +One thing bothering me (and I think a lot of other people) is the fact that companies like NDSP aren't allowed to ship their models under the real name it is based on. Luckly they keep track of it in the actual model list, but it isn't displayed to the user. + +The models and their respective categories, names and parameters, are stored inside `/opt/neuraldsp/ModelRepo.xml`. In order to rename these files to the real deal, you've got a couple of options. 
+ +- Rename them manually inside the XML file + +- Use the `model_renamer.py` script in this repo to generate the XML file + + - Usage: + + ```console + python model_renamer.py + ``` + +- Use the pre-generated XML file inside `Model Repositories` (make sure to match it to your CorOS verion) + +Now replace the `ModelRepo.xml` file inside `/opt/neuraldsp` with the new file. Make sure this is called `ModelRepo.xml`. + +Finally reboot your QC, now you should have all models (except captures) renamed to their real names. + +![IMG20221218151130](https://user-images.githubusercontent.com/55881698/208303182-8554e62c-96a9-41f2-be0d-1f1f4f564506.jpg) + +## External editor (VNC) + +![image](https://user-images.githubusercontent.com/55881698/214691276-bbd161bf-eb72-4f96-87ec-aa4255c75e7e.png) + +Since we've figured out how to cross-compile our own binaries, we were able to compile a VNC solution for the Quad Cortex. + +The VNC server we compiled is based on [this project](https://github.com/ponty/framebuffer-vncserver). We had to modify the source code a bit to make it work with the touchscreen. But besides that, it is identical. This patch was necesarry because the touchscreen doesn't report it's width and height in a propper way. + +**Note:** when connected to the QC over VNC, you might notice a dip in framerate on the device itself. This is normal. It is the device trying to encode the video feed and struggling. + +_[Installer and auto-run on boot will be added later]_ +_For now you can use it the manual way_ + +### Installation + +In the `External VNC` folder you will find the files `qc_vnc` and `libvncserver.so.1`. Move these to the following locations on the QC: + +- **qc_vnc:** `/bin` + +- **libvncserver.so.1**: `/lib` + +That's it. You can now start the server! 
+ +### Usage + +```console +qc_vnc -f /dev/fb0 -t /dev/input/event0 +``` + +## Accessing your backup + +Your backup is available as a compressed archive under `/media/p4/downloaded_backup.tar.gz` +It only contains your personal files such as captures, presets, ... It does not contain any system files, so it can't be modify diff --git a/docs/README.md b/docs/README.md deleted file mode 100644 index 83ab4e4..0000000 --- a/docs/README.md +++ /dev/null @@ -1,5 +0,0 @@ -# Documentation of all the discoveries about Quad Cortex - -## General Info - -## Misc Info diff --git a/docs/consumer/Model_Renamer.md b/docs/consumer/Model_Renamer.md new file mode 100644 index 0000000..43ab007 --- /dev/null +++ b/docs/consumer/Model_Renamer.md @@ -0,0 +1,22 @@ +# Editing the default model names + +Companies like NDSP aren't allowed to ship their models under the real name it is based on. Luckly they keep track of it in the actual model list. + +The models and their respective categories, names and parameters, are stored inside `/opt/neuraldsp/ModelRepo.xml`. In order to rename these files to the real deal, you need to edit the file. + +If you don't want to rename the files manually you can: + +- Use the `model_renamer.py` script in this repo to generate the XML file + + - Usage: + + ```console + python model_renamer.py + ``` + +- Use the pre-generated XML file inside `Model Repositories` (make sure to match it to your CorOS verion) + +Now replace the `ModelRepo.xml` file inside `/opt/neuraldsp` with the new file. Make sure this is called `ModelRepo.xml`. +Finally reboot your QC, now you should have all models (except captures) renamed to their real names. + +![IMG20221218151130](https://user-images.githubusercontent.com/55881698/208303182-8554e62c-96a9-41f2-be0d-1f1f4f564506.jpg) diff --git a/docs/consumer/VNC.md b/docs/consumer/VNC.md new file mode 100644 index 0000000..05b9b3a --- /dev/null +++ b/docs/consumer/VNC.md 
@@ -0,0 +1,23 @@ +# External editor (VNC) + +![image](https://user-images.githubusercontent.com/55881698/214691276-bbd161bf-eb72-4f96-87ec-aa4255c75e7e.png) + +Since we've figured out how to cross-compile our own binaries, we were able to compile a VNC solution for the Quad Cortex. The VNC server we compiled is based on [this project](https://github.com/ponty/framebuffer-vncserver). We had to modify the source code a bit to make it work with the touchscreen, But besides that, it is identical. + +**Note:** when connected to the QC over VNC, you might notice a dip in framerate on the device itself. This is normal. It is the device trying to encode the video feed and struggling. +**Note:** _Installer and auto-run on boot will be added later, For now you can use it the manual way_ + +## Installation + +In the `External VNC` folder you will find the files `qc_vnc` and `libvncserver.so.1`. Move these to the following locations on the QC: + +- **qc_vnc:** `/bin` +- **libvncserver.so.1**: `/lib` + +That's it. You can now start the server! + +## Usage + +```console +qc_vnc -f /dev/fb0 -t /dev/input/event0 +``` diff --git a/docs/dev/Control.md b/docs/dev/Control.md new file mode 100644 index 0000000..e69de29 diff --git a/docs/dev/Crypto.md b/docs/dev/Crypto.md new file mode 100644 index 0000000..e69de29 diff --git a/docs/dev/README.md b/docs/dev/README.md new file mode 100644 index 0000000..83ab4e4 --- /dev/null +++ b/docs/dev/README.md @@ -0,0 +1,5 @@ +# Documentation of all the discoveries about Quad Cortex + +## General Info + +## Misc Info diff --git a/docs/dev/Updates.md b/docs/dev/Updates.md new file mode 100644 index 0000000..e69de29 diff --git a/docs/dev/dsp.md b/docs/dev/dsp.md new file mode 100644 index 0000000..e69de29 -- cgit v1.2.3 From b367ab0dfa6f08c53940d2ae9abc655b46fc8172 Mon Sep 17 00:00:00 2001 
From: Judah Fuller Date: Wed, 26 Apr 2023 18:08:41 +0100 Subject: Cleanup after pulling from upstream --- README.md | 40 ++++++++++----------------------------- docs/Control.md | 0 docs/Crypto.md | 0 docs/Updates.md | 0 docs/dev/README.md | 12 ++++++++++++ docs/dsp.md | 0 docs/resources/RenamedModels.png | Bin 0 -> 27896 bytes docs/resources/VNC.png | Bin 0 -> 30165 bytes 8 files changed, 22 insertions(+), 30 deletions(-) delete mode 100644 docs/Control.md delete mode 100644 docs/Crypto.md delete mode 100644 docs/Updates.md delete mode 100644 docs/dsp.md create mode 100644 docs/resources/RenamedModels.png create mode 100644 docs/resources/VNC.png diff --git a/README.md b/README.md index d53b998..fef7537 100644 --- a/README.md +++ b/README.md 
@@ -17,23 +17,27 @@ Unforunately it seems we got of on the wrong foot, for context I (Thomas) got ba ## Table of contents -- [Summary](https://github.com/VanIseghemThomas/OpenCortex#summary) +Want a more detailed file? Go [here](README_Detailed.md) -- [Opening a shell and gaining root access](https://github.com/VanIseghemThomas/OpenCortex#opening-a-shell-and-gaining-root-access) +- [Summary](#summary) -- [File access](https://github.com/VanIseghemThomas/OpenCortex#file-access) +- [Opening a shell and gaining root access](#opening-a-shell-and-gaining-root-access) -- [Editing the default model names](https://github.com/VanIseghemThomas/OpenCortex#editing-the-default-model-names) +- [File access](#file-access) -- [External editor (VNC)](https://github.com/VanIseghemThomas/OpenCortex#external-editor-vnc) +- [Editing the default model names](docs/consumer/Model_Renamer.md) + +- [External editor (VNC)](docs/consumer/VNC.md) ## Summary ### What is already possible (or in better terms discovered) +**For detailed research go to the [Dev Docs](docs/dev/README.md)** + Before I start of listing everything that is discovered, I want to make clear that this project has a small team and we're doing our best to do as much as possible in the time we've got available. A lot of things are still in progress but every day new things get discovered. There is a lot to look at and not everything can be done at the same time. we'll try to prioritise but roadblocks will be hit. -**Everything you see here is tested as working in practice.** +#### Currently Working Features - Gaining persistent access over a network connection. - Building an RDP solution to use the native CorOS UI live on your pc. 
@@ -42,33 +46,9 @@ Before I start of listing everything that is discovered, I want to make clear th - Deleting / adding presets from another device without reboot. - Detecting preset switches and which one is loaded. - Calibrating / testing the touchscreen -- Running a webserver - Building a Discord server (lots of dev work is now done here) - Captures are currently unsolved now solved. They can be decrypted using the [OpenCortex decryptor](https://vaniseghemthomas.github.io/OpenCortex/File-decryption/webapp/). -### Currently being worked on - -- Manual backup management (Is it possible to load a backup saved externally? From what I've already seen, yes!) -- Creating an external file manager - - - It is now possible to view the available presets given the XML file. In the future this will be fetched from an API running on the QC - -- Creating an external editor - - Preset file stucture is fully reverse-engineered. - - Building the UI - - Testing external editing of presets and it's limitations. - -### Things that might work in the future - -- Creating an external controller: it is possible to detect preset changes and which preset is currently loaded. This can be used together with MIDI commands to create a controller that could display the current preset (like the Kemper controller). -- Bluetooth -- Custom USB connectivity -- Remote brightness control -- SD-card upgrade -- Creating a OpenCortex update URL that can be accessed by the native update menu. -- Expanding preset slots - - Got a pretty good idea how this can be done, still have to confirm it working. - ## Opening a shell and gaining root access ### Step 1: take out the SD-card diff --git a/docs/Control.md b/docs/Control.md deleted file mode 100644 index e69de29..0000000 diff --git a/docs/Crypto.md b/docs/Crypto.md deleted file mode 100644 index e69de29..0000000 diff --git a/docs/Updates.md b/docs/Updates.md deleted file mode 100644 index e69de29..0000000 
diff --git a/docs/dev/README.md b/docs/dev/README.md index 83ab4e4..42edede 100644 --- a/docs/dev/README.md +++ b/docs/dev/README.md @@ -1,5 +1,17 @@ # Documentation of all the discoveries about Quad Cortex +## Known Topics + +- [Decrypt Captures](Crypto.md#Captures) + +## Research In Progress + +- [Custom DSP](DSP.md) + +## Planned Research + +- [Live Update Patchers](Updates.md) + ## General Info ## Misc Info diff --git a/docs/dsp.md b/docs/dsp.md deleted file mode 100644 index e69de29..0000000 diff --git a/docs/resources/RenamedModels.png b/docs/resources/RenamedModels.png new file mode 100644 index 0000000..220cda2 Binary files /dev/null and b/docs/resources/RenamedModels.png differ diff --git a/docs/resources/VNC.png b/docs/resources/VNC.png new file mode 100644 index 0000000..da44bd3 Binary files /dev/null and b/docs/resources/VNC.png differ -- cgit v1.2.3 From a4a6fd4e08adf2458979eb25bbaac9d19732b784 Mon Sep 17 00:00:00 2001 From: Judah Fuller Date: Wed, 26 Apr 2023 18:13:41 +0100 Subject: Add images to MD files --- docs/consumer/Model_Renamer.md | 2 +- docs/consumer/RenamedModels.png | Bin 0 -> 27896 bytes docs/consumer/VNC.md | 2 +- docs/consumer/VNC.png | Bin 0 -> 30165 bytes docs/resources/RenamedModels.png | Bin 27896 -> 0 bytes docs/resources/VNC.png | Bin 30165 -> 0 bytes 6 files changed, 2 insertions(+), 2 deletions(-) create mode 100644 docs/consumer/RenamedModels.png create mode 100644 docs/consumer/VNC.png delete mode 100644 docs/resources/RenamedModels.png delete mode 100644 docs/resources/VNC.png diff --git a/docs/consumer/Model_Renamer.md b/docs/consumer/Model_Renamer.md index 43ab007..293daac 100644 --- a/docs/consumer/Model_Renamer.md +++ b/docs/consumer/Model_Renamer.md 
@@ -19,4 +19,4 @@ If you don't want to rename the files manually you can: Now replace the `ModelRepo.xml` file inside `/opt/neuraldsp` with the new file. Make sure this is called `ModelRepo.xml`. Finally reboot your QC, now you should have all models (except captures) renamed to their real names. -![IMG20221218151130](https://user-images.githubusercontent.com/55881698/208303182-8554e62c-96a9-41f2-be0d-1f1f4f564506.jpg) +![IMG20221218151130](RenamedModels.png) diff --git a/docs/consumer/RenamedModels.png b/docs/consumer/RenamedModels.png new file mode 100644 index 0000000..220cda2 Binary files /dev/null and b/docs/consumer/RenamedModels.png differ diff --git a/docs/consumer/VNC.md b/docs/consumer/VNC.md index 05b9b3a..2a94488 100644 --- a/docs/consumer/VNC.md +++ b/docs/consumer/VNC.md @@ -1,6 +1,6 @@ # External editor (VNC) -![image](https://user-images.githubusercontent.com/55881698/214691276-bbd161bf-eb72-4f96-87ec-aa4255c75e7e.png) +![image](VNC.png) Since we've figured out how to cross-compile our own binaries, we were able to compile a VNC solution for the Quad Cortex. The VNC server we compiled is based on [this project](https://github.com/ponty/framebuffer-vncserver). We had to modify the source code a bit to make it work with the touchscreen, But besides that, it is identical. diff --git a/docs/consumer/VNC.png b/docs/consumer/VNC.png new file mode 100644 index 0000000..da44bd3 Binary files /dev/null and b/docs/consumer/VNC.png differ diff --git a/docs/resources/RenamedModels.png b/docs/resources/RenamedModels.png deleted file mode 100644 index 220cda2..0000000 Binary files a/docs/resources/RenamedModels.png and /dev/null differ diff --git a/docs/resources/VNC.png b/docs/resources/VNC.png deleted file mode 100644 index da44bd3..0000000 Binary files a/docs/resources/VNC.png and /dev/null differ -- cgit v1.2.3 From 249f54810acc42723a5997f135f2a4d53a02df1c Mon Sep 17 00:00:00 2001 
From: Judah Fuller Date: Wed, 26 Apr 2023 18:30:12 +0100 Subject: Bring detailed readme up to scratch --- README_Detailed.md | 128 ++++++++--------------------------------------------- 1 file changed, 19 insertions(+), 109 deletions(-) diff --git a/README_Detailed.md b/README_Detailed.md index bb08fb3..4a64f86 100644 --- a/README_Detailed.md +++ b/README_Detailed.md @@ -17,20 +17,20 @@ Unforunately it seems we got of on the wrong foot, for context I (Thomas) got ba ## Table of contents -- [Summary](https://github.com/VanIseghemThomas/OpenCortex#summary) +Want a more simpler file? Go [here](README.md) -- [Opening a shell and gaining root access](https://github.com/VanIseghemThomas/OpenCortex#opening-a-shell-and-gaining-root-access) - -- [File access](https://github.com/VanIseghemThomas/OpenCortex#file-access) - -- [Editing the default model names](https://github.com/VanIseghemThomas/OpenCortex#editing-the-default-model-names) - -- [External editor (VNC)](https://github.com/VanIseghemThomas/OpenCortex#external-editor-vnc) +- [Summary](#summary) +- [Opening a shell and gaining root access](#opening-a-shell-and-gaining-root-access) +- [File access](#file-access) +- [Editing the default model names](docs/consumer/Model_Renamer.md) +- [External editor (VNC)](docs/consumer/VNC.md) ## Summary ### What is already possible (or in better terms discovered) +**For detailed research go to the [Dev Docs](docs/dev/README.md)** + Before I start of listing everything that is discovered, I want to make clear that this project has a small team and we're doing our best to do as much as possible in the time we've got available. A lot of things are still in progress but every day new things get discovered. There is a lot to look at and not everything can be done at the same time. we'll try to prioritise but roadblocks will be hit. **Everything you see here is tested as working in practice.** 
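Review bot: the added line "Want a more simpler file? Go [here](README.md)" has a double comparative and link text that says nothing about its target; suggest "For the short version, see [README.md](README.md)." It also sits directly under "## Table of contents" ahead of the list, so it reads as the first TOC entry. Moving it above the heading keeps the TOC a plain list of sections.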
@@ -80,8 +80,6 @@ Before I start of listing everything that is discovered, I want to make clear th ## Opening a shell and gaining root access -When searching for updates, the Quad Cortex uses a Python script to query NDSP's API for new updates. This can be used as an entry point for running custom code. We will swap out this file out for a custom Python script that allows us to open a reverse shell. We can use that reverse shell to give us persistent access. - ### Step 1: take out the SD-card Have you ever noticed that a Raspberry-Pi uses an SD-card to boot from, well the QC does pretty much the same in a bit more sophisticated way. I could go into detail how this works but that's for another section. @@ -110,7 +108,7 @@ Partition 3 does not end on cylinder boundary /dev/mmcblk0p4 67617 973968 29003264 83 Linux ``` -these are used for various things. The ones we are interested in, are the first 2. Upon closer investigation you will realize 2 things. They are Linux installs and they seem to be identical. +These are used for various things. The ones we are interested in, are the first 2. Upon closer investigation you will realize 2 things. They are Linux installs and they seem to be identical. The partition we are interrested in, is the first one. This is the partition the QC will use to run it's software. The second one is for redundancy when something goes wrong in the update process from what I understand. 
@@ -123,51 +121,17 @@ The partition we are interrested in, is the first one. This is the partition the ### Step 3: installing the exploit **Warning! Do not install this file from any shady places and verify the code matches the repository's code. This can be used to leak some very personal information present on the QC.** +Swap out the `/etc/shadow` file in with the one in this repository. This file is and encrypted linux password, and will change the root password to: -Once inside the first partition, you want to go to the following path: `/opt/neuraldsp`. In here you will see a file called `cloud_updater.py`. **Make sure to back this up!** You will need to temporarily change this out for the `cloud_updater_custom.py` file inside this repo. Before you change this out, you will have to edit the file. - -The `cloud_updater_custom.py` script, opens a simple reverse shell. In order for this to work, we have to listen for a reverse shell to be spawned on our PC. The script needs to now where to connect to. This is where we edit the 2 lines. At the top of the file you should see 2 variables, edit these accordingly. - -```python -YOUR_IP = "192.168.1.2" # <--- Edit this to match your PC's ip. Make sure it's on the same subnet. -YOUR_PORT = 4444 # Can stay the same or something else, rember what this is +```bash +OpenCortex ``` -Once that's done, we can put the `cloud_updater_custom.py` file and take out the `cloud_updater.py` file. Again make sure you keep this file! I suggest you save this copy as `cloud_updater_backup.py` and keep it on the QC and also on your own PC. Now rename the `cloud_updater_custom.py` to `cloud_updater.py`. Next time you go to check for updates on the QC, your custom code will be ran. +You will be able to log in with this password when using SSH. You can put the SD-card back in the QC and screw the lid back on. -### Step 4: running the exploit - -Note: this might not work if an actual update is available. 
- -[Looking into creating a custom message, if this works update the documentation] - -Before doing that, we'll need to listen for the reverse shell. This can be done using a tool called netcat. Open up a terminal and type `nc -lvnp 4444` (or your custom set port). - -Now on the QC, go to `Settings -> Device Options -> Device Updates`. When you press the button to start looking for updates, your PC should open a reverse shell. - -It should look something like this: - -```console -thomas@pop-os:~/Repos/OpenCortex$ nc -lvp 4444 -Listening on 0.0.0.0 4444 -Connection received on 192.168.1.236 52824 -/bin/sh: can't access tty; job control turned off -/opt/neuraldsp # -``` - -#### Congratulations, you are now inside your Quad Cortex - -Make sure to be responsible now. - -### Step 5: persistent access - -[This might be automated in the future using the exploit script] - -When running the `whoami` commmand, you can see that the Python script was being ran as root. This means you now have root access! With this you can do pretty much anything you want, including changing the password to something else. - -Run the command `passwd`. This will prompt you to change the root user's password, without confirming the current password. +### Step 4: persistent access You are now able to connect to your QC using SSH as root! Isn't that wonderfull! But you may find it won't work for you. No worries this is normal. SSH defaults to port 22. At some point, the QC actually had SSH running on the default port 22 (alongside FTP), but they got rid of those services. So I thought. After a little digging inside the SSH files, I figured out that they didn't get rid of SSH, but they just moved it to port `57284`. 
@@ -195,20 +159,11 @@ Welcome to #### BOOM WE'RE IN -Now time for some cleanup. +Now time for some cleanup. Make sure to be responsible now. -### Step 6: restoring the update script +### Step 5 (optional) -Now that you have persistent access, there is no need to have the exploit anymore. You can keep it, but it poses a security risk and disables the update functionality. - -To restore this, just remove the custom Python script, and replace it back with the original one. This can be done with the following commands: - -```console -rm cloud_updater.py -mv cloud_updater_backup.py cloud_updater.py -``` - -Now reboot the QC and test if the updater works like it's supposed to. +It is good practice to run the `passwd` command to change your password. Having default passwords is never a good idea. ## File access 
@@ -230,56 +185,11 @@ scp : ## Editing the default model names -One thing bothering me (and I think a lot of other people) is the fact that companies like NDSP aren't allowed to ship their models under the real name it is based on. Luckly they keep track of it in the actual model list, but it isn't displayed to the user. - -The models and their respective categories, names and parameters, are stored inside `/opt/neuraldsp/ModelRepo.xml`. In order to rename these files to the real deal, you've got a couple of options. - -- Rename them manually inside the XML file - -- Use the `model_renamer.py` script in this repo to generate the XML file - - - Usage: - - ```console - python model_renamer.py - ``` - -- Use the pre-generated XML file inside `Model Repositories` (make sure to match it to your CorOS verion) - -Now replace the `ModelRepo.xml` file inside `/opt/neuraldsp` with the new file. Make sure this is called `ModelRepo.xml`. - -Finally reboot your QC, now you should have all models (except captures) renamed to their real names. - -![IMG20221218151130](https://user-images.githubusercontent.com/55881698/208303182-8554e62c-96a9-41f2-be0d-1f1f4f564506.jpg) +The Model Renaming instructions have moved to a [dedicated docs file](docs/consumer/Model_Renamer.md) ## External editor (VNC) -![image](https://user-images.githubusercontent.com/55881698/214691276-bbd161bf-eb72-4f96-87ec-aa4255c75e7e.png) - -Since we've figured out how to cross-compile our own binaries, we were able to compile a VNC solution for the Quad Cortex. - -The VNC server we compiled is based on [this project](https://github.com/ponty/framebuffer-vncserver). We had to modify the source code a bit to make it work with the touchscreen. But besides that, it is identical. This patch was necesarry because the touchscreen doesn't report it's width and height in a propper way. - -**Note:** when connected to the QC over VNC, you might notice a dip in framerate on the device itself. This is normal. 
It is the device trying to encode the video feed and struggling. - -_[Installer and auto-run on boot will be added later]_ -_For now you can use it the manual way_ - -### Installation - -In the `External VNC` folder you will find the files `qc_vnc` and `libvncserver.so.1`. Move these to the following locations on the QC: - -- **qc_vnc:** `/bin` - -- **libvncserver.so.1**: `/lib` - -That's it. You can now start the server! - -### Usage - -```console -qc_vnc -f /dev/fb0 -t /dev/input/event0 -``` +The VNC instructions have moved to a [dedicated docs file](docs/consumer/VNC.md) ## Accessing your backup -- cgit v1.2.3 From 01726169fbb07f32aa6cc26dfb144d454f724d22 Mon Sep 17 00:00:00 2001 From: Judah Fuller Date: Wed, 26 Apr 2023 18:41:47 +0100 Subject: Update Table of Contents --- README.md | 5 +---- README_Detailed.md | 1 + 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index fef7537..8c862cf 100644 --- a/README.md +++ b/README.md @@ -20,14 +20,11 @@ Unforunately it seems we got of on the wrong foot, for context I (Thomas) got ba Want a more detailed file? Go [here](README_Detailed.md) - [Summary](#summary) - - [Opening a shell and gaining root access](#opening-a-shell-and-gaining-root-access) - - [File access](#file-access) - - [Editing the default model names](docs/consumer/Model_Renamer.md) - - [External editor (VNC)](docs/consumer/VNC.md) +- [Developer Docs](docs/dev/README.md) ## Summary diff --git a/README_Detailed.md b/README_Detailed.md index 4a64f86..22e1c88 100644 --- a/README_Detailed.md +++ b/README_Detailed.md @@ -24,6 +24,7 @@ Want a more simpler file? Go [here](README.md) - [File access](#file-access) - [Editing the default model names](docs/consumer/Model_Renamer.md) - [External editor (VNC)](docs/consumer/VNC.md) +- [Developer Docs](docs/dev/README.md) ## Summary -- cgit v1.2.3 From ecd10d80bf47c48c7706baf085005f9a135a83c7 Mon Sep 17 00:00:00 2001 
From: Judah Fuller Date: Wed, 26 Apr 2023 19:59:00 +0100 Subject: Made Requested Changes Removed images from repo, removed duplicate readme, --- README.md | 4 - README_Detailed.md | 198 ---------------------------------------- docs/consumer/Model_Renamer.md | 2 +- docs/consumer/RenamedModels.png | Bin 27896 -> 0 bytes docs/consumer/VNC.md | 2 +- docs/consumer/VNC.png | Bin 30165 -> 0 bytes 6 files changed, 2 insertions(+), 204 deletions(-) delete mode 100644 README_Detailed.md delete mode 100644 docs/consumer/RenamedModels.png delete mode 100644 docs/consumer/VNC.png diff --git a/README.md b/README.md index 8c862cf..319f45f 100644 --- a/README.md +++ b/README.md @@ -17,8 +17,6 @@ Unforunately it seems we got of on the wrong foot, for context I (Thomas) got ba ## Table of contents -Want a more detailed file? Go [here](README_Detailed.md) - - [Summary](#summary) - [Opening a shell and gaining root access](#opening-a-shell-and-gaining-root-access) - [File access](#file-access) @@ -115,8 +113,6 @@ Welcome to #### BOOM WE'RE IN -Now time for some cleanup. Make sure to be responsible now. - ### Step 5 (optional) It is good practice to run the `passwd` command to change your password. Having default passwords is never a good idea. diff --git a/README_Detailed.md b/README_Detailed.md deleted file mode 100644 index 22e1c88..0000000 --- a/README_Detailed.md +++ /dev/null 
@@ -1,198 +0,0 @@ -# OpenCortex - -[![Discord Banner 1](https://discordapp.com/api/guilds/1064519311567360031/widget.png?style=banner2)](https://discord.gg/ef2gBDDSkm) - -## A project that opens your Quad Cortex for homebrew software - -Developing good software is hard, waiting for it might sometimes be equally as hard. With this project waiting might come to an end. Ever wondered: "A desktop file manager or editor might be useful"? You probably have at this point. The goal of OpenCortex is to open up the Quad Cortex and write the software as a community. This way we can get a taste of what is comming and maybe inspire new innovative features. Also if for some reason software support would be dropped , the maintenance could be continued by the community. It also drops the dependecy on the Cortex Cloud for preset sharing. For me personally, it's an awesome way to learn about embedded Linux and many more things. - -### Disclaimer - -I am not responsible for any damage that might be done to your unit, software. Doing this might have the potential to void your warranty. This is a project for enthousiasts who like to tinker like myself. I do not intend to cause any difficulties for NDSP / myself and will approach this from an ethical standpoint. I do not condone any misuse of this project. This is purely for educational and quality of life purposes only. - -### To NDSP - -Unforunately it seems we got of on the wrong foot, for context I (Thomas) got banned on the Discord server for showing a 9 second clip of the RDP solution working and receiving a very positive reaction from the rest of the community. We respect the stance on the matter but not how it was handled. After all, no rules were breached. -**Here I want to make clear we are willing to go into open dialog and plan to be 100% transparent about everything as we strongly believe we can provide some very valuable knowledge and advise. 
This only benefits all of us, including the community, which is the #1 priority** - -## Table of contents - -Want a more simpler file? Go [here](README.md) - -- [Summary](#summary) -- [Opening a shell and gaining root access](#opening-a-shell-and-gaining-root-access) -- [File access](#file-access) -- [Editing the default model names](docs/consumer/Model_Renamer.md) -- [External editor (VNC)](docs/consumer/VNC.md) -- [Developer Docs](docs/dev/README.md) - -## Summary - -### What is already possible (or in better terms discovered) - -**For detailed research go to the [Dev Docs](docs/dev/README.md)** - -Before I start of listing everything that is discovered, I want to make clear that this project has a small team and we're doing our best to do as much as possible in the time we've got available. A lot of things are still in progress but every day new things get discovered. There is a lot to look at and not everything can be done at the same time. we'll try to prioritise but roadblocks will be hit. - -**Everything you see here is tested as working in practice.** - -- Gaining persistent access over a network connection. -- Building an RDP solution to use the native CorOS UI live on your pc. -- Renaming the built in amps, pedals, etc. to whatever you like. (reboot required for changes to take effect) -- Getting access to your backup to keep it yourself. -- Deleting / adding presets from another device without reboot. -- Detecting preset switches and which one is loaded. -- Calibrating / testing the touchscreen -- Running a webserver -- Building a Discord server (lots of dev work is now done here) -- Captures are currently unsolved now solved. They can be decrypted using the [OpenCortex decryptor](https://vaniseghemthomas.github.io/OpenCortex/File-decryption/webapp/). - -### Currently being worked on - -- Managing your files. - - - Manual backup management (Is it possible to load a backup saved externally? From what I've already seen, yes!) 
- -- Creating an external file manager - - - It is now possible to view the available presets given the XML file. In the future this will be fetched from an API running on the QC - -- Creating an external editor - - Preset file stucture is fully reverse-engineered. - - Building the UI - - Testing external editing of presets and it's limitations. - -### Things that might work in the future - -- Creating an external controller: it is possible to detect preset changes and which preset is currently loaded. This can be used together with MIDI commands to create a controller that could display the current preset (like the Kemper controller). - -- Bluetooth: I've stumbled upon some references to bluetooth but haven't looked into it. As far as I know it doesn't have the hardware for it, but maybe it secretly does? - -- USB connectivity: Haven't looked into this at all but this may end up in having some interesting things uncovered. - -- Remote brightness control: saw some interesting references but haven't looked into it yet. - -- SD-card upgrade: on paper, when partitioning the SD-card correctly and flashing those with the corresponding .img files (you can clone from the original), you should be able to - -- Creating a OpenCortex update URL that can be accessed by the native update menu. - -- Expanding preset slots - - Got a pretty good idea how this can be done, still have to confirm it working. - -## Opening a shell and gaining root access - -### Step 1: take out the SD-card - -Have you ever noticed that a Raspberry-Pi uses an SD-card to boot from, well the QC does pretty much the same in a bit more sophisticated way. I could go into detail how this works but that's for another section. - -#### Before continuing make sure the QC is off and unplugged - -To get access to the SD-card, you'll have to take of the back of the QC. This is easily done by unscrewing the 4 screws in the corners. Once open, you should see the SD-card in it's slot with a retainer around it. 
Unscrew the retainer to get access to the SD-card. Now you can push on the SD-card to get it out. - -### Step 2: mounting the SD-card - -**For this step it is useful to have a Linux system to work from.** -When plugging the SD-card into your PC running Windows, it will prompt you that the SD-card is broken and you should format it. **Do not do this!** The reason it does this, is because you're trying to read Linux filesystems that are not supported on Windows. There might be ways to get around that but I'd still recommend just using a Linux system (or a VM) to do this. The guide will continue with this assumption. - -When plugging it into your PC running Linux, you should see 3 partitions being mounted in your file manager. With a bit of luck there might be 4. - -The SD-card does in fact contain 4 partitions: - -```bash - Device Boot Start End Blocks Id System -/dev/mmcblk0p1 33 32800 1048576 83 Linux -Partition 1 does not end on cylinder boundary -/dev/mmcblk0p2 32801 65568 1048576 83 Linux -Partition 2 does not end on cylinder boundary -/dev/mmcblk0p3 65569 67616 65536 c Win95 FAT32 (LBA) -Partition 3 does not end on cylinder boundary -/dev/mmcblk0p4 67617 973968 29003264 83 Linux -``` - -These are used for various things. The ones we are interested in, are the first 2. Upon closer investigation you will realize 2 things. They are Linux installs and they seem to be identical. - -The partition we are interrested in, is the first one. This is the partition the QC will use to run it's software. The second one is for redundancy when something goes wrong in the update process from what I understand. - -### Step 2.5: optional - -**Recommended:** Clone the drive partitions as .img files in case something goes wrong. - -**Not Recommended:** If you want to open up the QC and take out the SD-card everytime you want to change something, you can skip the next steps and go to _Editing the default model names_ - -### Step 3: installing the exploit - -**Warning! 
Do not install this file from any shady places and verify the code matches the repository's code. This can be used to leak some very personal information present on the QC.** -Swap out the `/etc/shadow` file in with the one in this repository. This file is and encrypted linux password, and will change the root password to: - -```bash -OpenCortex -``` - -You will be able to log in with this password when using SSH. - -You can put the SD-card back in the QC and screw the lid back on. - -### Step 4: persistent access - -You are now able to connect to your QC using SSH as root! Isn't that wonderfull! But you may find it won't work for you. No worries this is normal. SSH defaults to port 22. At some point, the QC actually had SSH running on the default port 22 (alongside FTP), but they got rid of those services. So I thought. After a little digging inside the SSH files, I figured out that they didn't get rid of SSH, but they just moved it to port `57284`. - -So to connect to your QC you can do the following - -_Ip address can be found under `settings -> Wi-Fi`_ - -```console -ssh root@ -p 57284 -``` - -It will prompt you for your password and after that for a fingerprint, just type "yes", enter and: - -```console -Welcome to - _ _ _ ______ ___________ -| \ | | | | | _ \/ ___| ___ \ -| \| | ___ _ _ _ __ __ _| | | | | |\ `--.| |_/ / -| . ` |/ _ \ | | | '__/ _` | | | | | | `--. \ __/ -| |\ | __/ |_| | | | (_| | | | |/ / /\__/ / | -\_| \_/\___|\__,_|_| \__,_|_| |___/ \____/\_| - Quad Cortex -# -``` - -#### BOOM WE'RE IN - -Now time for some cleanup. Make sure to be responsible now. - -### Step 5 (optional) - -It is good practice to run the `passwd` command to change your password. Having default passwords is never a good idea. - -## File access - -Still looking for the best way to do this, currenly using the `scp` command to send and receive files from the QC. 
- -Example usage: - -### from PC to QC - -```console -scp -P 57284 : -``` - -### from QC to PC - -```console -scp : -``` - -## Editing the default model names - -The Model Renaming instructions have moved to a [dedicated docs file](docs/consumer/Model_Renamer.md) - -## External editor (VNC) - -The VNC instructions have moved to a [dedicated docs file](docs/consumer/VNC.md) - -## Accessing your backup - -Your backup is available as a compressed archive under `/media/p4/downloaded_backup.tar.gz` -It only contains your personal files such as captures, presets, ... It does not contain any system files, so it can't be modify diff --git a/docs/consumer/Model_Renamer.md b/docs/consumer/Model_Renamer.md index 293daac..e91e431 100644 --- a/docs/consumer/Model_Renamer.md +++ b/docs/consumer/Model_Renamer.md @@ -19,4 +19,4 @@ If you don't want to rename the files manually you can: Now replace the `ModelRepo.xml` file inside `/opt/neuraldsp` with the new file. Make sure this is called `ModelRepo.xml`. Finally reboot your QC, now you should have all models (except captures) renamed to their real names. -![IMG20221218151130](RenamedModels.png) +![IMG20221218151130](https://cdn.discordapp.com/attachments/1064519312242638973/1100813500546285739/image.png) diff --git a/docs/consumer/RenamedModels.png b/docs/consumer/RenamedModels.png deleted file mode 100644 index 220cda2..0000000 Binary files a/docs/consumer/RenamedModels.png and /dev/null differ diff --git a/docs/consumer/VNC.md b/docs/consumer/VNC.md index 2a94488..05b9b3a 100644 --- a/docs/consumer/VNC.md +++ b/docs/consumer/VNC.md 
@@ -1,6 +1,6 @@ # External editor (VNC) -![image](VNC.png) +![image](https://user-images.githubusercontent.com/55881698/214691276-bbd161bf-eb72-4f96-87ec-aa4255c75e7e.png) Since we've figured out how to cross-compile our own binaries, we were able to compile a VNC solution for the Quad Cortex. The VNC server we compiled is based on [this project](https://github.com/ponty/framebuffer-vncserver). We had to modify the source code a bit to make it work with the touchscreen, But besides that, it is identical. diff --git a/docs/consumer/VNC.png b/docs/consumer/VNC.png deleted file mode 100644 index da44bd3..0000000 Binary files a/docs/consumer/VNC.png and /dev/null differ -- cgit v1.2.3 From 169dcd734c13db096b2b848e3f8ac34ba876e074 Mon Sep 17 00:00:00 2001 From: Judah Fuller Date: Thu, 27 Apr 2023 18:20:44 +0100 Subject: Add Content to Developer Docs --- docs/dev/Captures.md | 19 +++++++++++++++++++ docs/dev/Control.md | 0 docs/dev/Crypto.md | 0 docs/dev/README.md | 47 ++++++++++++++++++++++++++++++++++++++++------- docs/dev/Updates.md | 21 +++++++++++++++++++++ docs/dev/dsp.md | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 128 insertions(+), 7 deletions(-) create mode 100644 docs/dev/Captures.md delete mode 100644 docs/dev/Control.md delete mode 100644 docs/dev/Crypto.md diff --git a/docs/dev/Captures.md b/docs/dev/Captures.md new file mode 100644 index 0000000..095ba74 --- /dev/null +++ b/docs/dev/Captures.md 
@@ -0,0 +1,19 @@ +# Captures + +[Back to developer documentaion main page](README.md) + +[Captures can now be decryped here](https://vaniseghemthomas.github.io/OpenCortex/File-decryption/webapp/) + +Infomation about how Captures on the QCs works. + +## How it works (Needs updating) + +Captures are encrypted protobufs, with local encryption use the serial number, global does not. + +After cracking the encryption to the Neural Captures, and writing some code to decode the captures to JSON format. I was shocked to see that there is very little "Neural" about it. Recently it was discovered that the training process involves some kind of genetic algorithm and until now we haven't found a conrete reference to any neural network training. Looking at one of the captures you can see that the network consists of a 13 parameter network. + +## Links + +- [Capture Demo](http://research.spa.aalto.fi/publications/papers/smc19-black-box/) +- [Patent](https://patentimages.storage.googleapis.com/0e/b9/35/293f5bf8c3340a/EP3828878A1.pdf) +- [Capture Article](https://www.smc2019.uma.es/articles/S5/S5_02_SMC2019_paper.pdf) diff --git a/docs/dev/Control.md b/docs/dev/Control.md deleted file mode 100644 index e69de29..0000000 diff --git a/docs/dev/Crypto.md b/docs/dev/Crypto.md deleted file mode 100644 index e69de29..0000000 diff --git a/docs/dev/README.md b/docs/dev/README.md index 42edede..8c1c6f6 100644 --- a/docs/dev/README.md +++ b/docs/dev/README.md 
@@ -1,17 +1,50 @@ # Documentation of all the discoveries about Quad Cortex -## Known Topics +## Table of Contents -- [Decrypt Captures](Crypto.md#Captures) - -## Research In Progress +[Back to Main README](../../README.md) +- [Decrypt Captures](Captures.md) - [Custom DSP](DSP.md) - -## Planned Research - - [Live Update Patchers](Updates.md) ## General Info +### UI + +Lots of stuff is a png and there are no vectors being used, its built on swapping pictures, And the setup is just a slideshow. +/usr/lib/libzenhal.so seems to be their library for interacting with things like footswitches/expression inputs/midi/encoder/touch screen/leds/etc. + ## Misc Info + +## Tools + +Languages for the Project: + +- Python - for simple Scripting +- Golang - for compiled binaries (like dsp) + - Idealy Rust would be used, but it has a steep learning curve + +Ghidra - a very powerful piece of kit brought to us by the NSA of all places. +use the string window to look for interesting stuff, click it, brings you to a function + +[webSSH](https://github.com/billchurch/webssh2) our webpage could connect to ssh and just fetch the files by itself + +## Hardware + +The QC uses the Cortex-A5 + +That the QC uses [this for it's usb audio](https://www.thesycon.de/eng/u-hear-st.shtml) + +## Files + +Presents are unencrypted protobufs. +There are 16 different protobuf message types that we have the protobuf spec files for + +Thomy - In the end it would be fun as a PoC if we were to make our own amp for the QC. "The OpenCortex Beast" +evilsocket - if we manage to understand how the dsp works, we can just rewrite ZenUI from scratch +Thomy — Lol you're crazy +evilsocket — yes +evilsocket — most of the logic is just to handle graphics and settings, the "core" logic is not that complex, and it's all in those LDR files +Thomy — Instead of "ZenUI" we call it "RelaxUI" +evilsocket — RaphaelUI diff --git a/docs/dev/Updates.md b/docs/dev/Updates.md index e69de29..8a733b8 100644 --- a/docs/dev/Updates.md 
+++ b/docs/dev/Updates.md @@ -0,0 +1,21 @@ +# Updates + +[Back to developer documentaion main page](README.md) + +Infomation about the QCs update process, and how we can use it should be placed here. + +## How it works + +the update process first talks to an API to see if there's anything available and then downloads the update archive right + +## Man In The Middle updates + +SSL checks are disabled everywhere (in ZenUI too, not just the updater) ... this means that with some work we would have command execution on the unit without even opening it. +In the middle, we can literally patch (from any laptop on the same wifi) the update archive as it arrives, using t a transparent http proxy that gives you a scripting engine to modify buffers on the fly. + +we could do something simple ... download the original update file, apply our changes to it, [bindiff](https://www.daemonology.net/bsdiff/) the two archives and just apply the binpatch on the https buffers + +## Root Password + +Root password hash: root:$1$ExCeUIRg$umMdl8bKzRutUtKGFhUg10:10933:0:99999:7::: +It is salted, and has not been cracked yet. diff --git a/docs/dev/dsp.md b/docs/dev/dsp.md index e69de29..ef0d230 100644 --- a/docs/dev/dsp.md +++ b/docs/dev/dsp.md 
@@ -0,0 +1,48 @@ +# DSP + +[Back to developer documentaion main page](README.md) + +Infomation about how the dsp on the QCs works, and how we can develop code for it. + +## How it works + +### LDR Files & DSP Loading + +A LDR is basically a sequence of 4 unsigned longs blocks where each is: + +```c +printf("block code: 0x%08x\n", bh[block_code_idx]); +printf("target address: 0x%08x\n", bh[target_address_idx]); +printf("byte count: 0x%08x\n", bh[byte_count_idx]); +printf("argument: 0x%08x\n", bh[argument_idx]); +``` + +It's not an executable format, but it tells the DSP to literally "load this code at this address" +The original code should be recoverable from these files + +the dsp loading process works via /dev/mem + +[Sharc Runtime Loader](https://github.com/analogdevicesinc/runtime-sharc-loaderGitHubGitHub) +[U-Boot LDR Files](https://www.analog.com/media/en/technical-documentation/application-notes/EE407v01.pdf) + +### Architecture + +A single binary is splitted into different chunks and each is executed by a specific core +core0 gets the actual arm code and the models are handled (maybe passed from the code in core0 to core1) by core1 and core2 + +#### MEMORY LAYOUT + +```c +0x001609a8 DATA | <0 bytes> +0x001609a8 CODE | 0xab9c8000 +0x001609a8 CODE | 0xab9c8000 +0x00161320 CODE | 0xab9c8000 +``` + +all the opcodes are the same (addeq sb, r0, fp, lsr #25) +they just increment the pointer to the data, meaning, the actual logic is in the data section +All the data sections are sized as a multiple of 4, this would suggest these are arm instructions as well + +## Links + +- [SDK Examples](https://github.com/analogdevicesinc/runtime-sharc-loader/blob/master/SharcLoader/loader.c#L228GitHubruntime-sharc-loader/loader.c) -- cgit v1.2.3 From 5a473415c283c5b068119875705c68aa3f52404e Mon Sep 17 00:00:00 2001 
From: Thomas Van Iseghem <55881698+VanIseghemThomas@users.noreply.github.com> Date: Fri, 28 Apr 2023 13:50:26 +0200 Subject: Fixed small typo in Capture docs --- docs/dev/Captures.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/dev/Captures.md b/docs/dev/Captures.md index 095ba74..757660c 100644 --- a/docs/dev/Captures.md +++ b/docs/dev/Captures.md @@ -1,6 +1,6 @@ # Captures -[Back to developer documentaion main page](README.md) +[Back to developer documentation main page](README.md) [Captures can now be decryped here](https://vaniseghemthomas.github.io/OpenCortex/File-decryption/webapp/) -- cgit v1.2.3 From 8683ad8305dd7cf775fad6f11146e5ad1d2f3afd Mon Sep 17 00:00:00 2001 From: Thomas Van Iseghem <55881698+VanIseghemThomas@users.noreply.github.com> Date: Fri, 28 Apr 2023 13:57:25 +0200 Subject: Going to rewrite this in a little more detail later. --- docs/dev/README.md | 41 ----------------------------------------- 1 file changed, 41 deletions(-) diff --git a/docs/dev/README.md b/docs/dev/README.md index 8c1c6f6..40190c1 100644 --- a/docs/dev/README.md +++ b/docs/dev/README.md 
@@ -7,44 +7,3 @@ - [Decrypt Captures](Captures.md) - [Custom DSP](DSP.md) - [Live Update Patchers](Updates.md) - -## General Info - -### UI - -Lots of stuff is a png and there are no vectors being used, its built on swapping pictures, And the setup is just a slideshow. -/usr/lib/libzenhal.so seems to be their library for interacting with things like footswitches/expression inputs/midi/encoder/touch screen/leds/etc. - -## Misc Info - -## Tools - -Languages for the Project: - -- Python - for simple Scripting -- Golang - for compiled binaries (like dsp) - - Idealy Rust would be used, but it has a steep learning curve - -Ghidra - a very powerful piece of kit brought to us by the NSA of all places. -use the string window to look for interesting stuff, click it, brings you to a function - -[webSSH](https://github.com/billchurch/webssh2) our webpage could connect to ssh and just fetch the files by itself - -## Hardware - -The QC uses the Cortex-A5 - -That the QC uses [this for it's usb audio](https://www.thesycon.de/eng/u-hear-st.shtml) - -## Files - -Presents are unencrypted protobufs. -There are 16 different protobuf message types that we have the protobuf spec files for - -Thomy - In the end it would be fun as a PoC if we were to make our own amp for the QC. "The OpenCortex Beast" -evilsocket - if we manage to understand how the dsp works, we can just rewrite ZenUI from scratch -Thomy — Lol you're crazy -evilsocket — yes -evilsocket — most of the logic is just to handle graphics and settings, the "core" logic is not that complex, and it's all in those LDR files -Thomy — Instead of "ZenUI" we call it "RelaxUI" -evilsocket — RaphaelUI -- cgit v1.2.3 From f5108a66230817d88564c523a6b30000bb5126b5 Mon Sep 17 00:00:00 2001 
From: Thomas Van Iseghem <55881698+VanIseghemThomas@users.noreply.github.com> Date: Fri, 28 Apr 2023 14:04:39 +0200 Subject: Some small changes and typo fixes Left out the hash since I'm not sure if that violates NDSP's IP. Because I'm in doubt, I'm leaving it out just to be sure. --- docs/dev/Updates.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/docs/dev/Updates.md b/docs/dev/Updates.md index 8a733b8..96430d9 100644 --- a/docs/dev/Updates.md +++ b/docs/dev/Updates.md
@@ -8,14 +8,13 @@ Infomation about the QCs update process, and how we can use it should be placed the update process first talks to an API to see if there's anything available and then downloads the update archive right -## Man In The Middle updates +## Patching the update file for persistent access -SSL checks are disabled everywhere (in ZenUI too, not just the updater) ... this means that with some work we would have command execution on the unit without even opening it. -In the middle, we can literally patch (from any laptop on the same wifi) the update archive as it arrives, using t a transparent http proxy that gives you a scripting engine to modify buffers on the fly. +(Coming soon) -we could do something simple ... download the original update file, apply our changes to it, [bindiff](https://www.daemonology.net/bsdiff/) the two archives and just apply the binpatch on the https buffers +## Man In The Middle updates -## Root Password +SSL checks are disabled for the updater (see `cloud_updater.py`)... this means that on paper, we could have command execution on the unit without even opening it. +In the middle, we can literally patch (from any device on the same network) the update archive as it arrives, using a transparent http proxy that gives you a scripting engine to modify buffers on the fly. -Root password hash: root:$1$ExCeUIRg$umMdl8bKzRutUtKGFhUg10:10933:0:99999:7::: -It is salted, and has not been cracked yet. +we could do something simple ... download the original update file, apply our changes to it, [bindiff](https://www.daemonology.net/bsdiff/) the two archives and just apply the binpatch on the https buffers -- cgit v1.2.3
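Review bot: In the README.md "Step 3: installing the exploit" hunk, the new instruction replaces the whole `/etc/shadow` with a file whose root password is printed in the README, while changing that password only appears later as "Step 5 (optional)". The same README says SSH listens on port `57284`, so every unit set up from this guide accepts a publicly known root password over the network until the owner acts. Make the `passwd` step mandatory and put it directly after the first login, or have users generate their own hash instead of shipping one. Smaller points in the same hunk: "This file is and encrypted linux password" should read "an" and describe a hashed password, `OpenCortex` is fenced as `bash` although it is not a command, and the warning above still says "verify the code" when the artifact is now a shadow file.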
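Review bot: In the README.md hunk that removes "Step 6: restoring the update script", the kept line "Now time for some cleanup." no longer points at anything, because the cleanup it introduced is deleted. Drop the sentence here rather than in a follow-up commit. Readers who followed the earlier revision and still have `cloud_updater_custom.py` installed as `cloud_updater.py` also lose the only restore instructions, so keep a short note on putting `cloud_updater_backup.py` back, since the removed text itself said the swapped script "poses a security risk and disables the update functionality".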
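Review bot: In the docs/consumer/Model_Renamer.md hunk, the image reference moves from the in-repo `RenamedModels.png` to a `cdn.discordapp.com/attachments/...` URL, which makes the docs depend on a chat attachment outside the repository's control; the picture disappears if that attachment is deleted or its link stops resolving. If the goal is to keep binaries out of the tree, host the image somewhere the project controls (the VNC.md hunk has the same pattern with `user-images.githubusercontent.com`). The alt text `IMG20221218151130` could also be replaced with a description of what the screenshot shows.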
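Review bot: In the new docs/dev/Captures.md, the sentence "Captures are encrypted protobufs, with local encryption use the serial number, global does not." does not say what the serial number is used for (key material, an IV, something else) or what "local" and "global" refer to. State that explicitly, since it is the one technical claim the page makes about the format. The heading already carries "(Needs updating)", and the hunk has several typos worth fixing before merge: "documentaion", "decryped", "Infomation", "conrete".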
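Review bot: In the docs/dev/README.md "Table of Contents" hunk, the context line `[Custom DSP](DSP.md)` is kept although the file this commit fills in is `docs/dev/dsp.md`; on a case-sensitive filesystem or host the link will not resolve, so either rename the file or change the link. The "Files" section added further down pastes a chat exchange ("Thomy - ...", "evilsocket — ...") straight into reference documentation and has "Presents are unencrypted protobufs", which presumably means "Presets"; summarise the conclusion of the chat instead of quoting it.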
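Review bot: The "Root Password" section at the end of the new docs/dev/Updates.md publishes the full shadow entry for the unit's root account. Remove that line and say only that the stock root password is not known; a credential hash does not belong in public docs, and the `$1$` prefix marks it as md5crypt, so "has not been cracked yet" is not a lasting assurance for owners. In the same hunk, "downloads the update archive right" stops mid-sentence and "using t a transparent http proxy" has a stray "t".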
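Review bot: In the new docs/dev/dsp.md, both loader links are malformed: the first URL ends in `runtime-sharc-loaderGitHubGitHub` and the "SDK Examples" URL ends in `loader.c#L228GitHubruntime-sharc-loader/loader.c`, so neither resolves as written; strip the pasted link-preview text. In the C snippet, the text describes the header as "4 unsigned longs" but prints each field with `%08x`; if `bh` really is `unsigned long` the format should be `%08lx`, and on a 64-bit host that type is 8 bytes, so `uint32_t` is the safer way to describe a 16-byte block header. The "MEMORY LAYOUT" block is a dump, not C, and should not be fenced as `c`.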
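Review bot: The rewritten "Man In The Middle updates" paragraph in the last docs/dev/Updates.md hunk narrows the claim to the updater ("see `cloud_updater.py`") but still presents the disabled certificate checks only as a route to command execution. Add what this means for owners (any device on the same network can alter an update in transit) and the fix you would want from the vendor, namely certificate verification plus a signed update archive. The context line "downloads the update archive right" still ends mid-sentence, "transparent http proxy" and "https buffers" disagree within the paragraph, and "Infomation" in the intro survives a commit titled as typo fixes. The "(Coming soon)" section is an empty placeholder; consider leaving the heading out until there is content.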