Trying to hack the DSOX1204(A/G) firmware

TK:

--- Quote from: stafil on April 06, 2020, 11:37:46 pm ---
--- Quote from: TK on April 06, 2020, 11:34:47 pm ---Which model did you buy?

--- End quote ---

1204A, and before you ask, no I don't really *need* the extra BW. It's just a matter of why not :D

--- End quote ---
Of course, pure hacker spirit.  BTW, if you only do a SW hack, you can always go back to the official firmware and you are not voiding any warranty, I guess... unless you mod to add the wavegen HW (why not spirit, right?)

stafil:

--- Quote from: TK on April 06, 2020, 11:43:51 pm ---Of course, pure hacker spirit.  BTW, if you only do a SW hack, you can always go back to the official firmware and you are not voiding any warranty, I guess... unless you mod to add the wavegen HW (why not spirit, right?)

--- End quote ---

I like to believe that my software skills are much more advanced than the hardware ones, so no wavegen mod at the moment. But you never know what the future will bring :D

TK:
The 1200X software has a bunch of php scripts for remote control... maybe you can find a hole and execute linux commands remotely without ssh

stafil:

--- Quote from: TK on April 06, 2020, 11:54:20 pm ---The 1200X software has a bunch of php scripts for remote control... maybe you can find a hole and execute linux commands remotely without ssh

--- End quote ---

I had a look at that. The attack surface doesn't look that large. I saw a possible hole at `$response = $jService->ProcessExecRequest($saveType, $args);` but couldn't find a `saveType` that would actually execute something.

In the infiniiVisionCore binary I see in the data section a string "Unable to execute shell command", so maybe they have a way to execute shell commands somehow? Haven't figured out yet which function uses this.

tv84:

--- Quote from: stafil on April 07, 2020, 12:03:52 am ---In the infiniiVisionCore binary I see in the data section a string "Unable to execute shell command", so maybe they have a way to execute shell commands somehow? Haven't figured out yet which function uses this.

--- End quote ---

Also, didn't find any connection to that string.

Nonetheless, I confirmed that sw-description.sig is the RSA-1024 (with SHA256) signature of the sw-description file. So we definitely need a way to change the Rocky-SWU-Signing-only.pem pubkey file in order to re-sign a "refreshed" sw-description.
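
The signature check tv84 describes, as an added example that is not part of the original thread: the script signs a constructed `sw-description` with a throwaway RSA-1024 key using SHA-256, then shows that the detached signature verifies for the original file and fails for a copy with one value changed. The key, the manifest contents, the file names under the temporary directory and the PKCS#1 v1.5 padding (OpenSSL's default for `dgst -sign`) are assumptions; nothing here comes from the scope's firmware.

```shell
#!/bin/sh
# Added example: constructed key and manifest, not the vendor's files.

# verify_manifest PUBKEY MANIFEST SIGNATURE
# Returns 0 only if SIGNATURE is a valid RSA / SHA-256 signature of
# MANIFEST under PUBKEY (PKCS#1 v1.5 padding, the OpenSSL default).
verify_manifest() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# demo: build a throwaway signing key and manifest, then check the
# original manifest and a modified copy against the same signature.
demo() {
    work=$(mktemp -d) || return 1

    # Constructed stand-ins for the signing key pair and sw-description.
    openssl genrsa -out "$work/key.pem" 1024 2>/dev/null || return 1
    openssl rsa -in "$work/key.pem" -pubout -out "$work/pub.pem" 2>/dev/null || return 1
    printf 'software = {\n  version = "1.0.0";\n};\n' > "$work/sw-description"
    openssl dgst -sha256 -sign "$work/key.pem" \
        -out "$work/sw-description.sig" "$work/sw-description" || return 1

    # An RSA-1024 signature is exactly 128 bytes, whatever the file size.
    sig_bytes=$(($(wc -c < "$work/sw-description.sig")))

    if verify_manifest "$work/pub.pem" "$work/sw-description" "$work/sw-description.sig"
    then original=valid; else original=invalid; fi

    # Change a single value in the manifest and verify against the old signature.
    sed 's/1\.0\.0/1.0.1/' "$work/sw-description" > "$work/sw-description.mod"
    if verify_manifest "$work/pub.pem" "$work/sw-description.mod" "$work/sw-description.sig"
    then modified=valid; else modified=invalid; fi

    rm -rf "$work"
    echo "sig_bytes=$sig_bytes original=$original modified=$modified"
}

demo
```

The same `verify_manifest` call can be pointed at a real public key, manifest and `.sig` file to confirm that an update package is untouched before it is installed.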
