How would I go about gaining access to a locked-down Linux device I own.
from smiletolerantly@awful.systems to linux@lemmy.ml on 25 Nov 16:20
https://awful.systems/post/2924606

Five years ago, I bought a Supernote A5. It was (and mostly still is) a great device for reading and writing on an eInk display, and it runs plain old linux.

The deciding reason I went for this device instead of the competition is that I was “under the impression” that they were about to enable full SSH access to the device! Awesome!

“Why were you under that impression?”, I hear the skeptics ask. Well, their spokesperson has stated that they would do so. Via mail, and on reddit, publicly, multiple times. I was still torn, so sent them a DM, asking if this was ineed factual. “Yes”, they said, “the next quarterly update will enable SSH access!”.

Great!

Well, it’s been 5 years. They did not follow through. A couple updates were published, none contained the promised functionality, the spokesperson stopped answering questions about SSH. The last software update I received is from 2.5yrs ago. Mentions of the original Supernote A5 have largely been scrubbed from their website.

Let me be clear, the device still functions perfectly. But it is in danger of becoming e-waste because it is so needlessly complicated to get stuff on the device. I’m currently in need of an ebook reader with (ideally) OPDS capability, and I am pretty confident I’d be able to get something like koreader running on this, or at least just run a script to sync files over SSH. Also, I frankly feel wounded in my pride having a Linux device in my possession which refuses to do my bidding (I’m joking of course, but also I am 100% serious).

Here’s all I know:

I’m a software engineer, but I have zero knowledge of the “dark arts”, so to speak. If anyone could help me (or point me into the right direction!), I would really be grateful. I don’t want this (generally nice) product to turn into a paperweight instead of a paper replacement :(

#linux

threaded - newest

iii@mander.xyz on 25 Nov 16:33 next collapse

This repo claims to have found a way to get root on the device: github.com/TA1312/supernote-a5x/…/sideload.md

smiletolerantly@awful.systems on 25 Nov 16:38 collapse

Thanks, but that’s the A5x, a newer Android version of the tablet (hard- and software are different)

ikidd@lemmy.world on 25 Nov 16:33 next collapse

If you get an OTG dongle, you might be able to get a keyboard on it and interrupt the bootloader, and/or boot to a USB thumbdrive.

smiletolerantly@awful.systems on 25 Nov 16:40 collapse

Hmm, certainly worth a try! Thanks for the idea!!

ikidd@lemmy.world on 25 Nov 16:51 collapse

Doing a bit more searching, it seems wishful. There’s no hacker community around for it like the reMarkable so I’m not very hopeful for you. OTOH, an OTG dongle is pretty cheap.

Good luck.

smiletolerantly@awful.systems on 25 Nov 16:53 collapse

Yeah, should have gone with that one… :D

0v0@sopuli.xyz on 25 Nov 19:31 next collapse

The entries in update.zip are encrypted using the weak ZipCrypto scheme, which is known to be seriously flawed. If you feel motivated, and can guess at least 12 bytes of plaintext for an entry, it is possible to recover the internal state of the generator, which is enough to decipher the data entirely, as well as other entries which were encrypted with the same password. The bkcrack project implements this attack.

Since some of the entries are zip files themselves, it is within the realm of possibility to guess 12 bytes of plaintext. Parts of the zip local file header are pretty static, and you can use some of the values from the local file header of update.zip itself. Still, this would require a bit of luck / inspired guesswork.

smiletolerantly@awful.systems on 25 Nov 19:53 next collapse

Oh, wow. I am so giving this a try. Huge kudos for checking the zip itself, btw! Thank you :D

Just for clarification though, do I need 12 bytes of the original content or of the compressed (but unencrypted) byte-representation of the zip file?

Edit: Ah, the repo links the paper. Reading now :)

0v0@sopuli.xyz on 25 Nov 20:25 next collapse

The inner zip files are just stored, uncompressed:

Archive: update.zip
Index Encryption Compression CRC32    Uncompressed  Packed size Name
----- ---------- ----------- -------- ------------ ------------ ----------------
    0 ZipCrypto  Store       d1bca061     65761967     65761979 system_lib.zip
    1 ZipCrypto  Deflate     64a3f383         2183          741 config.json
    2 ZipCrypto  Store       3731280f     89300292     89300304 app.zip
    3 ZipCrypto  Store       a2bd64f5    135518964    135518976 app_lib.zip
    4 ZipCrypto  Store       700eb186      5996410      5996422 system.zip

So 12 bytes from the original content.

Petter1@lemm.ee on 26 Nov 18:50 collapse
0v0@sopuli.xyz on 26 Nov 17:05 collapse

The attack worked, the password is cmF0dGEK.

This was obtained by generating 32 possible plaintexts for the first 10 bytes of system.zip (based on the different values in the headers of ~300 zip files on my system), plus three null bytes for the high bytes of compressed size, file name length and extra field length.

smiletolerantly@awful.systems on 26 Nov 18:28 collapse

No way!! You’re the goat. I spent the day trying to get behind how the cracking worked by making simple examples, and you just… Solve the puzzle :D

Awesoms, thank you so much!! I’ll appreciate update this thread if this leads to something :D

MTK@lemmy.world on 26 Nov 18:40 next collapse

Check out the file update.zip > system.zip > zImage

It’s the image for the device probably, check this guide out

jamchamb.net/2022/01/02/modify-vmlinuz-arm.html

You can probably get some sort of boot script implanted in there, or even just load the image in a vm, modify it, and recreate it.

You might also need to modify the install script there since it seems to check if the update already exists and it might not run thinking you are up to date.

smiletolerantly@awful.systems on 26 Nov 18:44 collapse

Fantastic.

Since the zip also includes a bunch of shell scripts, I think it’s possible I could also just install ssh directly - but the image will certainly make experimenting in a VM the safer option until something works out… ^^

Oh man, I can’t wait to get home from work on Friday (currently stuck on the other side of the country 🫠)

Edit: also, can I somehow buy you a beer/coffee somewhere?

MTK@lemmy.world on 26 Nov 18:50 collapse

Nah, I’m good, 0v0 did the work. this was fun!

Keep us posted :)

smiletolerantly@awful.systems on 26 Nov 19:54 collapse

Oh whoops I thought you were 0v0 🤦🏼‍♀️ Thanks anyways though :D

IsoKiero@sopuli.xyz on 26 Nov 19:19 collapse

I did quickly check the files on update.zip and it looks like they’re tarballs embedded in a shell script and image files including pretty much the whole operating system on the thing.

You can extract those even without a VM and do whatever you want with the files and package them back up, so, you can override version checks and you can inject init.d scripts, binaries and pretty much everything to the device, including changing passwords to /etc/shadow and so on.

I don’t know how the thing actually operates, but if it isn’t absolutely necessary I’d leave bootloader (appears to be uboot) and kernel untouched as messing up those might end up with a bricked device and then easy options are broken and you’ll need to try to gain access via other means, like interfacing directly with the storage on the device (which most likely includes opening the thing up and wiring something like arduino or an serial cable to it).

But beyond that, once you override version checks, it should be possible to upload the same version number over and over again until you have what you need. After that you just need suitable binaries for the hardware/kernel, likely some libraries from the same package and a init-script and you should be good to go.

The other way you can approach this is to look for web server configurations from the image and see if there’s any vulnerabilities (like apache running as root and insecure script on top of that to inject system files via http), which might be the safest route at least for a start.

I’m not really experienced on a things like this, but I know a thing or two about linux, so do your homework before attempting anything, have a good luck and have fun while tinkering!

smiletolerantly@awful.systems on 26 Nov 19:58 collapse

Thanks! Yep, same thought about the version checks. I’ll spin up a VM for now and see if that allows for suitable experimentation, otherwise fingers crossed I don’t brick the device.

The web-server thing is probably safer, agreed, but packaging my own update is just so much more tempting… :D

56_@lemmy.ml on 25 Nov 21:56 collapse

I had the same idea, and I’m trying it right now… Not something I’ve ever done before though.

UnH1ng3d@lemmy.world on 25 Nov 22:39 next collapse

Are you able to see what kernel version it’s running?

[deleted] on 26 Nov 01:37 next collapse

.

Atemu@lemmy.ml on 26 Nov 08:52 next collapse

Have you checked for open ports?

There’s a non-zero chance that there’s a long out of date apache or something running on it.

smiletolerantly@awful.systems on 26 Nov 09:58 collapse

Yeah, good idea. They added a network “mirroring” functionality at some point, so SOMETHING is listening on some port.

Coreidan@lemmy.world on 26 Nov 13:50 next collapse

Format and reinstall.

Reddfugee42@lemmy.world on 26 Nov 17:04 collapse

Without SSH. Easy peasy right?

Coreidan@lemmy.world on 26 Nov 17:40 collapse

Do you have physical access to the hardware? If so SSH is irrelevant.

smiletolerantly@awful.systems on 26 Nov 18:25 next collapse

The device, if connected, reads as mtp. Can’t reformat.

Reddfugee42@lemmy.world on 27 Nov 17:49 collapse

In theory? Sure. In practice? Often not so trivial.

Coreidan@lemmy.world on 27 Nov 22:51 collapse

Then throw that shit in the trash

Melatonin@lemmy.dbzer0.com on 26 Nov 14:11 next collapse

Oh FBI…

smiletolerantly@awful.systems on 26 Nov 18:25 collapse

I own the goddamn device, I should be able to do whatever I want with it…

Adanisi@lemmy.zip on 26 Nov 15:25 next collapse

Taking this to an extreme, if you can’t gain access via software (unlikely if it hasn’t been updated in 5 years), you could disassemble it, locate the SPI interface for the NAND (assuming it uses SPI), and use something like an arduino with a loaded SPI reader sketch to read it. You can then pick it apart to find vulnerabilities, or just replace it.

smiletolerantly@awful.systems on 26 Nov 18:26 collapse

Theoretically… But this is 5 levels of knowledge above my head, I fear :D

Petter1@lemm.ee on 26 Nov 18:49 collapse

Maybe start with trying to understand this first:

github.com/TA1312/supernote-a5x

Good news: apparently, it has bad security 😇

smiletolerantly@awful.systems on 26 Nov 19:53 collapse

Hey, thanks, but that’s the A5x, a newer Android tablet. Different hard and software

Petter1@lemm.ee on 27 Nov 07:03 collapse

🤪woops

Strit@lemmy.linuxuserspace.show on 27 Nov 09:12 collapse

Sounds more like an android device that an actual Linux device. Especially since it gets detected as an MTP device via USB.

Maybe adb can see it.