Exploring my doorbell

Post Syndicated from original https://mjg59.dreamwidth.org/56345.html

I’ve talked about my doorbell before, but started looking at it again this week because sometimes it simply doesn’t send notifications to my Home Assistant setup – the push notifications appear on my phone, but the doorbell simply doesn’t trigger the HTTP callback it’s meant to[1]. This is obviously suboptimal, but it’s also tricky to debug a device when you have no access to it.

Normally I’d just head straight in with a screwdriver, but the doorbell is shared with the other units in this building and it seemed a little anti-social to interfere with a shared resource. So I bought some broken units from ebay and pulled one of them apart. There’s several boards inside, but one of them had a conveniently empty connector at the top with “TX”, “RX” and “GND” labelled. Sticking a USB-serial converter on this gave me output from U-Boot, and then kernel output. Confirmation that my doorbell runs Linux, but unfortunately it didn’t give me a shell prompt. My next approach would often me to just dump the flash and look for vulnerabilities that way, but this device uses TSOP-48 packaged NAND flash rather than the more convenient SPI NOR flash that I already have adapters to access. Dumping this sort of NAND isn’t terribly hard, but the easiest way to do it involves desoldering it from the board and plugging it into something like a Flashcat USB adapter, and my soldering’s not good enough to put it back on the board afterwards. So I wanted another approach.

Trending
Telstar 1 – The Satellite That Changed the World

U-Boot gave a short countdown to hit a key before continuing with boot, and for once hitting a key actually did something. Unfortunately it then prompted for a password, and giving the wrong one resulted in boot continuing[2]. In the past I’ve had good luck forcing U-Boot to drop to a prompt by simply connecting one of the data lines on SPI flash to ground while it’s trying to read the kernel – the failed read causes U-Boot to error out. It turns out the same works fine on raw NAND, so I just edited the kernel boot arguments to append “init=/bin/sh” and soon I had a shell.

From here on, things were made easier by virtue of the device using the YAFFS filesystem. Unlike many flash filesystems, it’s read/write, so I could make changes that would persist through to the running system. There was a convenient copy of telnetd included, but it segfaulted on startup, which reduced its usefulness. Fortunately there was also a copy of Netcat[3]. If you make a fifo somewhere on the filesystem, you can cat the fifo to a shell, pipe the shell to a netcat listener, and then pipe netcat’s output back to the fifo. The shell’s output all gets passed to whatever connects to netcat, and whatever’s sent to netcat gets passed through the fifo back to the shell. This is, obviously, horribly insecure, but it was enough to get a root shell over the network on the running device.

The doorbell runs various bits of software, one of which is Lighttpd to provide a local API and access to the device. Another component (“nxp-client”) connects to the vendor’s cloud infrastructure and passes cloud commands back to the local webserver. This is where I found something strange. Lighttpd was refusing to start because its modules wanted library symbols that simply weren’t present on the device. My best guess is that a firmware update went wrong and left the device in a partially upgraded state – and without a working local webserver, there was no way to perform any further updates. This may explain why this doorbell was sitting on ebay.

Anyway. Now that I had shell, I could simply dump the flash by copying it directly off the /dev/mtdblock devices – since I had netcat, I could just pipe stuff through that back to my actual computer. Now I had access to the filesystem I could extract that locally and start digging into it more deeply. One incredibly useful tool for this is qemu-user. qemu is a general purpose hardware emulation platform, usually used to emulate entire systems. But in qemu-user mode, it instead only emulates the CPU. When a piece of code tries to make a system call to access the kernel, qemu-user translates that to the appropriate calling convention for the host kernel and makes that call instead. Combined with binfmt_misc, you can configure a Linux system to be able to run Linux binaries from other architectures. One of the best things about this is that, because they’re still using the host convention for making syscalls, you can run the host strace on them and see what they’re doing.

What I found was that nxp-client was calling back to the cloud platform, setting up an encrypted communication channel (using ChaCha20 and a bunch of key setup stuff I couldn’t be bothered picking apart) and then waiting for commands from the cloud. It would then proxy those through to the local webserver. Since I couldn’t run the local lighttpd, I just wrote a trivial Python app using http.server and waited to see what requests I got. The first was a GET to a CGI script called editcgi.cgi, along with a path name. I mocked up the GET request to respond with what was on the actual filesystem. The cloud then proceeded to POST to editcgi.cgi, with the same pathname and with new file contents. editcgi.cgi is apparently able to read and write to files on the filesystem.

But this is on the interface that’s exposed to the cloud client, so this didn’t appear immediately useful – and, indeed, trying to hit the same CGI binary over the local network gave me a 401 unauthorized error. There’s a local API spec for these doorbells, but they all refer to scripts in the bha-api namespace, and this script was in the plain cgi-bin namespace. But then I noticed that the bha-api namespace didn’t actually exist in the filesystem – instead, lighttpd’s mod_alias was configured to rewrite requests to bha-api through to files in cgi-bin. And by using the documented API to get a session token, I could call editcgi.cgi to read and write arbitrary files on the doorbell. Which means I can drop an extra script in /etc/rc.d/rc3.d and get a shell on my doorbell.

This all requires the ability to have local authentication credentials, so it’s not a big security deal other than it allowing you to retain access to a monitoring device even after you’ve moved out and had your credentials revoked. I’m sure it’s all fine.

[1] I can ping the doorbell from the Home Assistant machine, so it’s not that the network is flaky
[2] The password appears to be hy9$gnhw0z6@ if anyone else ends up in this situation
[3] https://twitter.com/mjg59/status/654578208545751040

comment count unavailable comments