Commit f0ed7d53 authored by Chipp Jansen's avatar Chipp Jansen

writing up opening the case

parent 53182aae
......@@ -29,14 +29,14 @@
\subsection*{Motivation and Vision}
The idea of reusing and reclaiming the devices, especially those discarded, that surround us. What if we could re-purpose these devices, and pool their resources to build our own duct-taped together ``cloud''?
The idea of reusing and reclaiming the devices, especially those discarded, that surround us. What if we could re-purpose these devices, and pool their resources to build our own duct-taped together ``cloud''?
\section*{Day 1}
\section{Hardware Hacking}
\subsection{Good devices to Hack}
Early IoT devices have the worst security. Also, lesser-known or ``generic'' brand of devices might not have the incentive or motivation to instill good security. For example, for Apple or Amazon, having an insecure device makes headlines and bad press. Also, larger companies have the resources to invest in security.
Early IoT devices have the worst security. Also, lesser-known or ``generic'' brand of devices might not have the incentive or motivation to instill good security. For example, for Apple or Amazon, having an insecure device makes headlines and bad press. Also, larger companies have the resources to invest in security.
Bad security is great, because it leave routes through which to access the device and allow us to modify it's behaviour.
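Review bot: the closing sentence of this hunk has two grammar slips: `it leave routes` should read `it leaves routes` and `modify it's behaviour` should read `modify its behaviour`; `generic'' brand of devices` also wants `brands`. These are the only lines in the hunk with visible text changes, so a quick fix-up before merge is all that is needed.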
......@@ -50,7 +50,7 @@ Often, security professionals probe at new devices to discover how vulnerable th
\subsubsection{Communication Compliance Databases}
Any wireless devices that requires certification or compliance, is required to deposit screenshots of their interior guts online.
Any wireless devices that requires certification or compliance, is required to deposit screenshots of their interior guts online.
Look-up the device on FCC's web-page. A device is required to have the FCC ID on the device or in the user manual. You can look up the device at \url{https://www.fcc.gov/oet/ea/fccid}. However, a better search engine for FCC registrations is at \url{https://fccid.io/}. Searching for ``NEOS'' reveals the original equipment manufacturer, TianJin HuaLai Technologies, and looking up their listing of registered products (\url{https://fccid.io/2ANJH}) reveals the WyzeCam 2, which is what the camera is branded for the US market. On that page (\url{https://fccid.io/2ANJHWYZEC2}), you can External and Internal photos of the device, which helps verifies that you found the correct device. While the filed schematic, block diagram and operators manual are confidential, the Internal photos are useful to see what is inside the device instead of tearing it apart (\url{https://fccid.io/2ANJHWYZEC02/Internal-Photos/Internal-Photos-4793839}).
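Review bot: the two fccid.io URLs in the last paragraph use different product IDs, `2ANJHWYZEC2` for the listing page and `2ANJHWYZEC02` for the Internal Photos link; one of them is probably mistyped, so check that both resolve before merging. In the same paragraph `you can External and Internal photos` is missing its verb (`you can see ...`), `helps verifies` should be `helps verify`, and the opening sentence wants `Any wireless device that requires certification or compliance is required ...`.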
......@@ -71,7 +71,7 @@ Security audits online have found that these NEOS Cameras make a series of conne
\subsubsection{Online Communities}
Hardware hacking communities spring-up around modifying these devices. Often hacking communities spring up around devices, as the challenge and curiosity to gain access and tinker with a device is compelling.
Hardware hacking communities spring-up around modifying these devices. Often hacking communities spring up around devices, as the challenge and curiosity to gain access and tinker with a device is compelling.
% They might also publish vulnerabilities via CVE. % TODO look-up certs
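Review bot: the two sentences of this paragraph say the same thing (`Hardware hacking communities spring-up around modifying these devices` and `Often hacking communities spring up around devices ...`); keep one of them and drop the hyphen in `spring-up`. The `% TODO look-up certs` marker is still open, so the commented CVE sentence should stay out until that is resolved.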
......@@ -79,7 +79,7 @@ For example, the IoT camera we are looking at had a flurry of hacking that got i
\subsubsection{Firmware Download}
You can download the firmware. Youtube \footnote{Back-dooring a IoT Camera \url{https://www.youtube.com/watch?v=hV8W4o-Mu2o}}).
You can download the firmware. Youtube \footnote{Back-dooring a IoT Camera \url{https://www.youtube.com/watch?v=hV8W4o-Mu2o}}).
Use \verb|binwalk| to see what is in the firmware.
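Review bot: `You can download the firmware. Youtube \footnote{...}).` is a sentence fragment with a stray closing parenthesis after the footnote; something like `A walk-through is on YouTube\footnote{...}.` appears to be intended. Inside the footnote, `a IoT Camera` should be `an IoT camera`.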
......@@ -116,13 +116,13 @@ Here's a step-by-step tear down of the device. You'll need:
\label{fig:spudger}
\end{figure}
\paragraph{Opening the case}
You will see that the NEOS (Figure \ref{fig:outside-iso}) has a leg that unfolds (Figure \ref{fig:front}). Looking underneath the camera reveals some addition information (Figure \ref{fig:underneath}), notably the MAC (Media Access Control \footnote{\url{https://en.wikipedia.org/wiki/MAC_address}} address. The MAC address is handy to identify the device once it joins a network.
Unscrew the two bottom screws (Figure \ref{fig:underneath-screws})
%
% Opening the case
%
\paragraph{Opening the case}
You will see that the NEOS (Figure \ref{fig:outside-iso}) has a leg that unfolds (Figure \ref{fig:front}). Looking underneath the camera on its foot reveals some addition information (Figure \ref{fig:underneath}), notably the MAC (Media Access Control \footnote{\url{https://en.wikipedia.org/wiki/MAC_address}} address. The MAC address is handy to identify the device once it joins a network.
% - Outside
\begin{figure}[h!]
\centering
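Review bot: in the new `Opening the case` paragraph the parenthesis opened at `(Media Access Control` is never closed; the footnote sits inside it, so it should read `(Media Access Control\footnote{...})`. Also `some addition information` should be `some additional information`, and `\footnote` should follow `Control` without a preceding space so the footnote marker does not float away from the word.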
......@@ -147,6 +147,9 @@ Unscrew the two bottom screws (Figure \ref{fig:underneath-screws})
\label{fig:underneath}
\end{figure}
Extend the leg and unscrew the two bottom screws (Figure \ref{fig:underneath-screws}). You see that the bottom panel is tightly affixed to the rest of the body of the camera (Figure \ref{fig:underneath-back}). Carefully, insert the spudger (preferably metal) or a butter-knife to bend the sides to pry up the underneath panel. Work the spudger around the edge to pry up the panel (Figures \ref{fig:underneath-pried} and \ref{fig:underneath-pried2}). You can remove the entire panel to reveal the insides of the camera assembly (Figure \ref{fig:open-top}).
\begin{figure}[h!]
\centering
\includegraphics[width=0.3\textwidth]{figures/underneath-screws}
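Review bot: `to bend the sides to pry up the underneath panel. Work the spudger around the edge to pry up the panel` repeats `pry up the panel` in consecutive sentences; merging them (`insert the spudger ... and work it around the edge to pry up the bottom panel`) reads cleaner. `Carefully, insert` also does not need the comma.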
......@@ -189,6 +192,8 @@ Unscrew the two bottom screws (Figure \ref{fig:underneath-screws})
\label{fig:open-top}
\end{figure}
Using the spudger or butter-knife (Figure \ref{fig:open-pried}), start to pry the sides away from the back panel (the one with the micro USB port). You will be able to release the back panel (Figure \ref{fig:open-pried-released}). Unplug the speaker cable (Figure \ref{fig:open-pried-speaker-plug-highlighted}) before removing the back panel.
\begin{figure}[h!]
\centering
\includegraphics[width=0.3\textwidth]{figures/open-pried}
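Review bot: the step order in this paragraph is backwards for a reader following along: `You will be able to release the back panel` comes before `Unplug the speaker cable ... before removing the back panel`. Move the speaker-cable sentence ahead of the release sentence so nobody pulls the panel off with the cable still attached.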
......@@ -196,6 +201,63 @@ Unscrew the two bottom screws (Figure \ref{fig:underneath-screws})
\label{fig:open-pried}
\end{figure}
\begin{figure}[h!]
\centering
\includegraphics[width=0.3\textwidth]{figures/open-pried-released}
\caption{Open pried with both sides released}
\label{fig:open-pried-released}
\end{figure}
\begin{figure}[h!]
\centering
\includegraphics[width=0.3\textwidth]{figures/open-pried-speaker-plug-highlighted}
\caption{Open pried showing the attached speaker plug, circled in red}
\label{fig:open-pried-speaker-plug-highlighted}
\end{figure}
With a fingernail or very gently with a spudger, unplug the antenna (highlighted in red on Figure \ref{open-antenna-highlighted}) from the circuit board. Try to pry the golden plug instead of pulling on the antenna wire (Figure \ref{fig:open-antenna-unplugged}). This is the WIFI antenna, so later in the workshop when we start using the WIFI on the device, we'll have to reattach the antenna.
\begin{figure}[h!]
\centering
\includegraphics[width=0.3\textwidth]{figures/open-antenna-highlighted}
\caption{Unplug the antenna, plug is circled in red}
\label{fig:open-antenna-highlighted}
\end{figure}
\begin{figure}[h!]
\centering
\includegraphics[width=0.3\textwidth]{figures/open-antenna-unplugged}
\caption{WIFI antenna unplugged}
\label{fig:open-antenna-unplugged}
\end{figure}
In order to remove the electronics assembly from the case, unscrew the third screw which is located at the bottom of a plastic screw well (Figure \ref{fig:open-third-screw}). In the case that you screw driver does not reach the screw, you might have to cut off a bit of the plastic screw well (Figures \ref{fig:open-third-screw-cutting-off} and \ref{fig:open-third-screw-cut-off}).
\begin{figure}[h!]
\centering
\includegraphics[width=0.3\textwidth]{figures/open-third-screw}
\caption{Remove the screw to release the assembly, you will need a longer necked Philips screw-driver}
\label{fig:open-third-screw}
\end{figure}
\begin{figure}[h!]
\centering
\includegraphics[width=0.3\textwidth]{figures/oopen-third-screw-cutting-off}
\caption{You may have to cut off some plastic from the assembly to reach the screw.}
\label{fig:open-third-screw-cutting-off}
\end{figure}
\begin{figure}[h!]
\centering
\includegraphics[width=0.3\textwidth]{figures/open-third-screw-cut-off}
\caption{Here is the plasic bit cut off}
\label{fig:open-third-screw-cut-off}
\end{figure}
Now remove the assembly from the plastic casing...
% TODO - need to get assembly with plastic interior, and show step-by-step removable.
% \paragraph{Removing the Assembly}
\paragraph{Tour of the boards}
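Review bot: `\ref{open-antenna-highlighted}` in the antenna paragraph is missing the `fig:` prefix; the label defined just below is `fig:open-antenna-highlighted`, so as written this renders as `??`. The `\includegraphics` path `figures/oopen-third-screw-cutting-off` also looks mistyped (`oopen`) against the sibling `figures/open-third-screw-cut-off` and the label `fig:open-third-screw-cutting-off`, and will break the build if no file by that name exists. Smaller fixes in the same hunk: `you screw driver` -> `your screwdriver`, `Philips` -> `Phillips`, `plasic` -> `plastic`, and the trailing `Now remove the assembly from the plastic casing...` is an unfinished step that the `% TODO` line already flags.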
......@@ -250,7 +312,7 @@ Probing possible debug ports on the device.
Attaching the Raspberry-PI to a port.
% https://pinout.xyz/pinout/uart#
% https://www.raspberrypi.org/documentation/computers/configuration.html
We need to connect GND, TX, and RX.
We need to connect GND, TX, and RX.
Also, an important thing to consider here is the operating voltages of the boards. The Raspberry PI's I/O and board operates at 3.3V (which is a common voltage for modern IoT devices). This device also operates at 3.3V. However, older devices might run at 5V (like Arduino baords). Using a multi-meter first on the device to see at what voltage level the board is powered. If you have different voltages, you'll need to add level-shiftwers to the UART lines.
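Review bot: `Using a multi-meter first on the device to see at what voltage level the board is powered.` has no main verb; make it an instruction (`Use a multimeter on the device first to check what voltage the board is powered at`), since this is the check that protects the Pi's 3.3V GPIO pins. Typos in the same paragraph: `baords` -> `boards`, `level-shiftwers` -> `level-shifters`. The two commented pinout URLs are useful enough to the reader to become a footnote rather than stay as a comment.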
......@@ -266,7 +328,7 @@ In the next part we look at how people access and modify the firmware for the de
U-Boot % https://source.denx.de/u-boot/u-boot/blob/HEAD/doc/README.autoboot
Screenshots of loading.
Help menu of U-Boot. What you can access.
SPI Sub system. You can access the memory of the FLASH.
SPI Sub system. You can access the memory of the FLASH.
% http://eng.fmsh.com/nvm/FM25Q64_ds_eng.pdf
% Dumping flash memory.
Printenv.
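Review bot: this section is still an outline (`Screenshots of loading.`, `Help menu of U-Boot. What you can access.`, `Printenv.`) rather than prose; either expand these into sentences or mark them with `% TODO` as the rest of the document does, so they are not mistaken for finished text. The flash datasheet link in the comment should be cited in the text once the flash-dump step is written up.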
......@@ -274,7 +336,7 @@ Updating the bootargs to access the device.
\subsection{Rooting the Device}
Now you have access to a shell like environment on the device.
Now you have access to a shell like environment on the device.
Pretty empty and sparse, and does not have the kernel loaded.
You could load you're own system in this case.
But we don't have to, because had a way to load new firmware from the sdcard, which we will see in the next section.
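Review bot: `because had a way to load new firmware` is missing its subject (`because we have a way ...` or `because the device has a way ...`, depending on what is meant). Also `shell like environment` -> `shell-like environment` and `load you're own system` -> `load your own system`.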
......@@ -288,14 +350,14 @@ Here is how we'll install the new firmware.
Prepare the SDCARD with the new firmware.
Hold down the button and boot the device.
Now, we will prepare the SDCARD with the filesystem for the new device.
Now, we will prepare the SDCARD with the filesystem for the new device.
Now the firmware on the device will first look for a filesystem on the SDCARD to boot from. If nothing is found, it will boot the default factory firmware.
\subsection{Tour of the System}
The system runs off of the sdcard. Ignore stuff not in /system/sdcard.
First we want to set-up a unique hostname. By default it is dafang. We can modify the hostname with the hostname.conf file. We do this also because we'll access the interface through a .local domain. Since there many of us in the room, there would be mix-up of dafang.local.
First we want to set-up a unique hostname. By default it is dafang. We can modify the hostname with the hostname.conf file. We do this also because we'll access the interface through a .local domain. Since there many of us in the room, there would be mix-up of dafang.local.
The main thing here will be to set-up WI-FI. We want to do this so we can access the device both from the internet, and also to see the web interface that is running on this device.
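Review bot: the SD-card step appears twice in this hunk (`Prepare the SDCARD with the new firmware.` and then `Now, we will prepare the SDCARD with the filesystem for the new device.`) with `Hold down the button and boot the device.` in between, so the order of preparation versus booting is ambiguous; state the sequence once. Grammar: `Since there many of us in the room, there would be mix-up of dafang.local` -> `Since there are many of us in the room, there would be a mix-up of dafang.local`. Spell `SDCARD` / `sdcard` and `WI-FI` / `WIFI` consistently across the document.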
......@@ -357,7 +419,7 @@ Information and Documentation about the Ingenic-T10 and 20 chips.
% - Reading/Writing I/O - Buttons and Blinking LEDs
% - Sensor Data
% - Drawing on the Device Screen
% - Drawing on the Device Screen
% - Audio
% - Images from Camera
......@@ -365,7 +427,7 @@ Information and Documentation about the Ingenic-T10 and 20 chips.
% Adding Device to your own ``Cloud''
% \section{Connecting two Devices Together}
% Brainstorming workshop to discuss ways that hardware devices can be connected together.
% Brainstorming workshop to discuss ways that hardware devices can be connected together.
% The “Cloud” idea of Frankensteining two devices together
% \section{Running Blinka}
......@@ -379,7 +441,7 @@ Information and Documentation about the Ingenic-T10 and 20 chips.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% \href{https://www.overleaf.com/user/subscription/plans}{choose your plan}.
% \verb|.bib|
% \verb|.bib|
% \begin{figure}
% \centering
......@@ -391,4 +453,4 @@ Information and Documentation about the Ingenic-T10 and 20 chips.
% \bibliographystyle{alpha}
% \bibliography{sample}
\end{document}
\ No newline at end of file
\end{document}