Test

Contents

  1. Dismantling and getting a serial port connection
  2. Exploiting the camera using the uboot shell
  3. Analyzing the console login script
  4. Getting the firmware update
  1. asd
#!/system/bin/sh

# A simple "login" equivalent to replace the open serial console on production,
# to slow-down reverse-engineering.
# If you can read this, it didn't work.

if [ -e /system/etc/netatmo-production.txt ]; then
  PRODFLAG=`cat /system/etc/netatmo-production.txt`
  if [ "$PRODFLAG" -eq 0 ]; then
    exec /system/bin/sh
  fi
  # prod=1 or file missing : ask for password
fi

DBLIBTOOL=/system/bin/dblibtool
# md5 of the md5 of rsa
BIGSECRET="4ca9f3a5ce53a81a12af0f6c22a5775d"

while true; do
  MAC=`${DBLIBTOOL} -get 1`
  SECRET=`${DBLIBTOOL} -get 3`

  echo -n "Firmware version: "
  cat /system/etc/netatmo-version.txt

  VALIDSECRET=1
  if [ -z "$MAC" -o -z "$SECRET" ]; then
    echo "NSC[] : dblib not configured yet"
    VALIDSECRET=0
  fi

  if [ ${#SECRET} -lt 6 ]; then
    echo "NSC[$MAC] dblib secret invalid"
    VALIDSECRET=0
  fi

  # Only need to type first 6 characters of SECRET
  SHORTSECRET=`echo -n "$SECRET" | /system/bin/busybox cut -c 1-6`

  echo -n "NSC[$MAC] password: "

#!/system/bin/sh

# A simple "login" equivalent to replace the open serial console on production,
# to slow-down reverse-engineering.
# If you can read this, it didn't work.

if [ -e /system/etc/netatmo-production.txt ]; then
  PRODFLAG=`cat /system/etc/netatmo-production.txt`
  if [ "$PRODFLAG" -eq 0 ]; then
    exec /system/bin/sh
  fi
  # prod=1 or file missing : ask for password
fi

DBLIBTOOL=/system/bin/dblibtool
# md5 of the md5 of rsa
BIGSECRET="4ca9f3a5ce53a81a12af0f6c22a5775d"

while true; do
  MAC=`${DBLIBTOOL} -get 1`
  SECRET=`${DBLIBTOOL} -get 3`

  echo -n "Firmware version: "
  cat /system/etc/netatmo-version.txt

  VALIDSECRET=1
  if [ -z "$MAC" -o -z "$SECRET" ]; then
    echo "NSC[] : dblib not configured yet"
    VALIDSECRET=0
  fi

  if [ ${#SECRET} -lt 6 ]; then
    echo "NSC[$MAC] dblib secret invalid"
    VALIDSECRET=0
  fi

  # Only need to type first 6 characters of SECRET
  SHORTSECRET=`echo -n "$SECRET" | /system/bin/busybox cut -c 1-6`

  echo -n "NSC[$MAC] password: "

Germany

softScheck GmbH
Bonner Str. 108
53757 Sankt Augustin
+49 2241 255 43 0
info@softScheck.com (PGP)

+49 2241 255 43 0
+65 6632 3680
info@softscheck.com
© softScheck GmbH - All rights reserved.

Singapore

softScheck Singapore Pte Ltd
24 Raffles Place #28-00
Clifford Centre
Singapore 048621
+65 6632 3680
info@softScheck.sg