Reversing the e5573 – Completing the Compromise

Recently, I picked reverse engineering of the E5573 device back up. The overall goal was to compromise the “authconsole” binary and gain a shell on the device without using the “reset pin” trick outlined by forth32 (and therefore preserving NVRAM).

We can accomplish this via the JTAG interface, using a J-Link to effect the compromise. From the previous extraction of vendor firmware, we know that the binary controlling authentication is “authconsole”. We first locate this in memory: in practice, I have found it within 0x200000 bytes of 0xc3000000. Do not dump too much memory in one go, or the device’s watchdog timer will trip while the core is halted for the read; dump the region in smaller chunks instead.

You can quickly check for the presence of this binary by searching the dump for the literal string “Welcom to enter” (typo included, as it appears in the binary) or for the byte sequences of the two patched instructions described below. Once identified, we patch two key code paths within the authconsole binary. Firstly, the password check itself, where replacing 20 B9 with 05 46 is sufficient: 20 B9 is the little-endian encoding of the Thumb instruction 0xB920, cbnz r0, which branches when r0 is non-zero, and 05 46 is 0x4605, mov r5, r0, a same-width instruction that serves as filler so execution falls through instead of branching.

Secondly, a “return code” check within the same application.

Here, we replace the offending instruction with 00 20 (0x2000, movs r0, #0), so that r0 is zero when the next check runs, which passes it and avoids the “eUAP login return” path.

Once this is done, you should get the “eUAP>” prompt, which acts as a restricted shell. Simply type “sh” to turn this into an actual shell, on which you will be the root user.
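A host-side helper for the steps above, as an added example and not the post’s own tooling: it writes a chunked J-Link Commander dump script, finds the marker string and halfword-aligned cbnz r0 candidates in a saved dump, decodes the three Thumb-16 encodings involved (so the meaning of 20 B9, 05 46 and 00 20 is visible), and emits the w2 writes that apply the patches. The base address, search span and byte values are the post’s; the chunk size, search window and the sample image are assumptions or constructed data.

```python
"""Host-side helper for the in-memory authconsole patch described above.

Added example: this is not the post's own tooling. It assumes target memory has
been saved with J-Link Commander's savebin starting at DUMP_BASE, and it emits
J-Link Commander w2 commands for the patch sites. DUMP_BASE and SEARCH_SPAN come
from the post; CHUNK, WINDOW and the sample image are assumptions / constructed
data. Byte values come from the post (20 B9 -> 05 46, second site -> 00 20).
"""
import struct

DUMP_BASE = 0xC3000000          # the post: authconsole sits within 0x200000 of here
SEARCH_SPAN = 0x200000
CHUNK = 0x10000                 # assumed per-savebin size, small enough for the watchdog
WINDOW = 0x20000                # assumed: how far from the marker string to look
MARKER = b"Welcom to enter"     # literal string from the binary, typo included

CBNZ_R0 = bytes.fromhex("20b9")     # little-endian 0xB920: cbnz r0, <label>
MOV_R5_R0 = bytes.fromhex("0546")   # little-endian 0x4605: mov r5, r0 (filler)
MOVS_R0_0 = bytes.fromhex("0020")   # little-endian 0x2000: movs r0, #0


def dump_script(base=DUMP_BASE, span=SEARCH_SPAN, chunk=CHUNK):
    """J-Link Commander lines: halt, dump `span` bytes in `chunk` pieces, resume."""
    lines = ["h"]
    for off in range(0, span, chunk):
        n = min(chunk, span - off)
        lines.append(f"savebin dump_{base + off:08x}.bin, 0x{base + off:08X}, 0x{n:X}")
    lines.append("g")
    return lines


def decode_thumb16(hw):
    """Decode just the Thumb-16 encodings the patch touches (T1 forms)."""
    if hw & 0xF500 == 0xB100:                      # CBZ/CBNZ: 1011 op 0 i 1 imm5 Rn
        i, imm5, rn = (hw >> 9) & 1, (hw >> 3) & 0x1F, hw & 7
        mnem = "cbnz" if hw & 0x0800 else "cbz"
        return f"{mnem} r{rn}, #+{(i << 6) | (imm5 << 1)}"   # offset from PC+4
    if hw & 0xFF00 == 0x4600:                      # MOV (register): 01000110 D Rm Rd
        rd = ((hw >> 4) & 8) | (hw & 7)
        return f"mov r{rd}, r{(hw >> 3) & 0xF}"
    if hw & 0xF800 == 0x2000:                      # MOVS (immediate): 00100 Rd imm8
        return f"movs r{(hw >> 8) & 7}, #{hw & 0xFF}"
    return f".hword 0x{hw:04x}"


def find_patch_sites(dump, base=DUMP_BASE, marker=MARKER, window=WINDOW):
    """Locate authconsole by its marker string, then list cbnz r0 candidates nearby.

    Only halfword-aligned hits count. 20 B9 is a common opcode, so the
    candidates still have to be confirmed in a disassembler before patching,
    which is what the post's screenshots do.
    """
    m = dump.find(marker)
    if m < 0:
        return None
    lo, hi = max(0, m - window), min(len(dump), m + window)
    sites, off = [], dump.find(CBNZ_R0, lo)
    while 0 <= off < hi:
        if off % 2 == 0:
            hw = struct.unpack_from("<H", dump, off)[0]
            sites.append((base + off, decode_thumb16(hw)))
        off = dump.find(CBNZ_R0, off + 1)
    return {"marker": base + m, "cbnz_r0_sites": sites}


def patch_commands(password_check_addr, return_check_addr):
    """J-Link Commander lines that apply both halfword patches the post describes."""
    def w2(addr, patch):
        return f"w2 0x{addr:08X}, 0x{struct.unpack('<H', patch)[0]:04X}"
    return ["h", w2(password_check_addr, MOV_R5_R0), w2(return_check_addr, MOVS_R0_0), "g"]


def constructed_sample_dump():
    """Constructed stand-in for a real dump: marker string plus two fake patch sites."""
    img = bytearray(0x100)
    img[0x40:0x40 + len(MARKER)] = MARKER
    img[0x80:0x82] = CBNZ_R0                 # pretend the password check lives here
    img[0x90:0x92] = bytes.fromhex("0120")   # movs r0, #1: the "return code" to zero
    return bytes(img)


if __name__ == "__main__":
    print("\n".join(dump_script()[:3] + ["..."]))
    found = find_patch_sites(constructed_sample_dump())
    print(found)
    pw = found["cbnz_r0_sites"][0][0]
    print("\n".join(patch_commands(pw, DUMP_BASE + 0x90)))
```

The even-offset filter exists because Thumb instructions are halfword-aligned; an odd-offset hit of 20 B9 is straddling two real instructions. The script only narrows candidates: the real patch site is the one whose surrounding disassembly matches the password check. One general ARM consideration the post does not discuss: if a patch shows no effect after `g`, a stale instruction cache is the usual suspect.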

At this point, I have a second method of accessing the e5573 device that neither resets the non-volatile RAM nor overwrites the firmware completely. In hindsight, I had been extremely close to this solution before, but was unable to identify the authconsole binary in memory, due to subtle code differences between the version running on my device and the version running on the target.

Success!

About Norman

Sometimes, I write code. Occasionally, it even works.
This entry was posted in Bards, Computers, Jesting.

6 Responses to Reversing the e5573 – Completing the Compromise

  1. Hilton says:

    Hey Norman, do you think this would be possible with a Raspberry Pi? I have 5xE5573 and am not sure what I want to do with them quite yet. Any thoughts?

    • Norman says:

      Do you mean to repeat this specific attack scenario (editing authconsole in memory via JTAG) using a RPi as an interface? In theory yes, I don’t know any tools which will let you do it though.

      • Hilton says:

        I was thinking OpenOCD. Either way, I appreciate your hard work and photos; it saves me a lot of work with tools I do not have at my disposal.

  2. Hilton says:

    Any idea what the 5 pins on the opposite side are? They are accessible through the case?

    • Norman says:

      I don’t have the device with me to confirm, but if you mean the 5 pins near the USB port – I don’t, and I don’t recall seeing any apparent traffic on them (it’s been a while though). Is there anything interesting you can see on them?

      • Hilton says:

        I only have the Pi and Arduino. I think I need to purchase a logic analyzer. There might be a way with the Pi, but I’m being lazy.
