Reversing the e5573 – Completing the Compromise

Recently, I picked up reverse engineering of the E5573 device. The overall goal was to compromise the “authconsole” binary, and gain access to a shell on the device, without use of the “reset pin” trick outlined by forth32 (and therefore, preserving NVRAM).

We can accomplish this via the JTAG interface, using a J-Link to effect the compromise. From previous extraction of vendor firmware, we know that the binary controlling authentication is “authconsole”. We first locate this in memory: from practice, I’ve found that this is generally located within 0x200000 of 0xc3000000. Ensure that you do not dump too much memory at once, or your device’s watchdog timer will complain.

You can quickly check for the presence of this binary by searching for “Welcom to enter” or any of the binary blocks below. Once identified, we can patch two key code paths within the authconsole binary. Firstly, the password check itself (replacing 20 B9 with 05 46 is fine):

As well as a “return code” check for the application:

Here, we replace the offending instruction with 00 20 (mov r0,#0), thereby passing the next check and avoiding the “eUAP login return” path.
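To see what the two byte patches above actually do at the instruction level, here is an added Thumb-16 decoder that is not part of the original post. It covers only the CBZ/CBNZ, MOV (register) and MOVS (immediate) encodings that the patched halfwords use, reads each byte pair as a little-endian halfword as it appears in a memory dump, and reports anything else as unsupported rather than guessing.

```python
"""Decode the 16-bit Thumb instructions that appear in the authconsole patches.

Added example, not code from the original post. Only the three encodings the
patches rely on are implemented; other halfwords are reported as unsupported.
"""
import struct


def decode_thumb16(raw: bytes, addr: int = 0) -> str:
    """Decode one little-endian 16-bit Thumb halfword into assembly text.

    `addr` is the address of the instruction and is used only to resolve the
    CBZ/CBNZ branch target (Thumb PC-relative offsets are taken from addr + 4).
    """
    if len(raw) != 2:
        raise ValueError("expected exactly one 16-bit halfword")
    (hw,) = struct.unpack("<H", raw)

    # CBZ / CBNZ (T1): 1011 op 0 i 1 imm5 Rn  -> "20 B9" is cbnz r0, +8
    if (hw & 0xF500) == 0xB100:
        op = (hw >> 11) & 1
        i = (hw >> 9) & 1
        imm5 = (hw >> 3) & 0x1F
        rn = hw & 0x7
        offset = (i << 6) | (imm5 << 1)
        target = addr + 4 + offset
        return f"{'cbnz' if op else 'cbz'} r{rn}, #0x{target:x}"

    # MOV (register, T1): 010001 10 D Rm Rd  -> "05 46" is mov r5, r0,
    # a 2-byte instruction with no control-flow effect, hence a handy filler
    if (hw & 0xFF00) == 0x4600:
        d = (hw >> 7) & 1
        rm = (hw >> 3) & 0xF
        rd = (d << 3) | (hw & 0x7)
        return f"mov r{rd}, r{rm}"

    # MOVS (immediate, T1): 00100 Rd imm8  -> "00 20" is movs r0, #0
    if (hw & 0xF800) == 0x2000:
        rd = (hw >> 8) & 0x7
        imm8 = hw & 0xFF
        return f"movs r{rd}, #{imm8}"

    return f"<unsupported 0x{hw:04x}>"


if __name__ == "__main__":
    # The three halfwords quoted in the post; the address is a constructed
    # placeholder, since the post does not give the patch offsets.
    for hexpair in ("20b9", "0546", "0020"):
        print(hexpair, "->", decode_thumb16(bytes.fromhex(hexpair), addr=0x1000))
```

The output shows why the first patch works: a conditional branch on r0 becomes a harmless register move, so execution falls through to the success path regardless of the comparison result.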

Once this is done, you should get the “eUAP>” prompt, which acts as a shell. Simply use “sh” to turn this into an actual shell, on which you will be the root user.

At this point, I have derived a second method to access the e5573 device, without resetting the non-volatile RAM or overwriting the firmware completely. In hindsight, I had been extremely close to this solution before, but was unable to identify the authconsole binary in memory, due to subtle changes in code between the version running on my device, and the version running on the target.

Success!

About Norman

Sometimes, I write code. Occasionally, it even works.

8 Responses to Reversing the e5573 – Completing the Compromise

  1. Hilton says:

    Hey Norman, do you think this would be possible with a Raspberry Pi? I have 5xE5573 and am not sure what I want to do with them quite yet. Any thoughts?

    • Norman says:

      Do you mean to repeat this specific attack scenario (editing authconsole in memory via JTAG) using a RPi as an interface? In theory yes, I don’t know any tools which will let you do it though.

      • Hilton says:

        I was thinking OpenOCD. Either way I appreciate your hard work and photos, saves me a lot of work with tools I do not have at my disposal.

  2. Hilton says:

    Any idea what the 5 pins on the opposite side are? They are accessible through the case?

    • Norman says:

      I don’t have the device with me to confirm, but if you mean the 5 pins near the USB port – I don’t, and I don’t recall seeing any apparent traffic on them (it’s been a while though). Is there anything interesting you can see on them?

      • Hilton says:

        I only have the Pi and Arduino. I think I need to purchase a Logic Analyzer. Might be a way with the Pi but being lazy.

  3. b says:

    Any chance you could dump the nvram at 22 for 128 bytes?
    That appears to be the password to crack, it’s a byte string not actual hex encoded, wanted to try some of your research but don’t have the tools around and wanted to get a head start.

    • Norman says:

      Unfortunately, I don’t have any devices left in working order to test.

      That said, you may be able to abuse the nvram capability of the M3 console to do the same thing without an actual password: you can use something like this to replace the “help” command at 10000fcc with an nvram loader:

      m 0x10000fcc 0x2001b570
      m 0x10000fd0 0x110ff24d
      m 0x10000fd4 0x23144a06
      m 0x10000fd8 0x47a04c04
      m 0x10000fdc 0x4c024801
      m 0x10000fe0 0xbd7047a0
      m 0x10000fe4 0x100098a0
      m 0x10000fe8 0x10000f51
      m 0x10000fec 0x100022a5
      m 0x10000ff0 0x100098a0
      help
      d 0x100098a0 0x20

      Good luck!
