Reverse Engineering A Mimomax Radio

Sometimes I like mimomax radios, and sometimes I hate mimomax radios.  They are without doubt one of the best radios around for getting the most value out of a 25kHz radio channel.  However they have bugs.  Lots of bugs, sometimes big, sometimes little.  I have spent more time working out why these radios don't work or behave like I would expect than any other radio.  So I decided to break one.  Purely for academic purposes of course.

Mimomax radios have an open ssh port on port 22, and I happened across the root password for one radio in particular.  Unfortunately I can't say how I happened upon this password, but happen upon it I did.  It would seem from observation that the root password for every radio is different: the passwords are 8 characters long and only have lower case letters and digits.

Armed with the root password, one can download the entire file system and inspect the scripts that control the radio and so on.  From this the following information is discovered:

  • A file called passfile is used as a symmetric key for encrypting and decrypting custom scripts, firmware images, and SFE licence files.  We can assume that this file is the same on all radios, because firmware images are not issued per radio like license files are.
  • SFE files are compressed and encrypted sqlite databases (the one called dbsfe.sqlite3), and as such it would be trivial to generate new licenses for a radio.
  • Custom scripts are just a collection of files tarballed and encrypted using the passfile.  Therefore it is trivial for us to create our own custom script files.

In theory then, we could write a custom script to extract the password hashes for the radio, which we could crack by brute force.  Using an Amazon EC2 16 GPU VM with hashcat, we can achieve an md5crypt hash rate of 197.5 MH/s.  To hash the entire keyspace (36^8) would take about 4 hours, so on average it should take 2 hours per hash, at a cost of roughly $50 USD.

The security of the radio could be increased greatly by encrypting custom scripts and license files using an asymmetric key instead of a symmetric key.  This way, even though we could decrypt existing scripts and license files, we would not be able to generate new ones without further tampering with the radio.  Of course, once you have the root password all bets are off, as we can change the keys to whatever we like.  To make cracking the password hashes more difficult, they could also increase the keyspace of the passwords by using upper case characters and making them at least 10 characters long.
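As an added worked example (not code from this post, and not how Mimomax firmware actually works), here is what the two mitigations above look like in practice.  The property the asymmetric-key suggestion is after is that a radio only accepts scripts and licence files the vendor issued, and the usual way to get that is a signature: the vendor keeps a private key, each radio carries only the public key, and the radio verifies the signature before unpacking anything.  Ed25519 from Go's standard library stands in for whatever scheme the vendor would pick.  The same block estimates what the longer, mixed-case password policy buys at the 197.5 MH/s md5crypt rate quoted above.  The package bytes, key handling and function names are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"math"
)

// ErrNotVendorSigned is returned when a package fails the signature check.
var ErrNotVendorSigned = errors.New("package rejected: signature does not verify under the vendor public key")

// GenerateVendorKeys runs once at the vendor. Only the public key is shipped
// on the radios; the private key never leaves the vendor. (Hypothetical
// design for this example, not the real firmware's key handling.)
func GenerateVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignPackage is the vendor-side step: a detached signature over the whole
// package (script tarball, licence database, firmware image) as it will be
// installed on the radio.
func SignPackage(priv ed25519.PrivateKey, pkg []byte) []byte {
	return ed25519.Sign(priv, pkg)
}

// VerifyPackage is the radio-side step, run before anything is unpacked or
// executed. Because only the vendor holds the private key, reading every
// file on the radio (public key included) does not let anyone produce a new
// licence or custom script that passes this check.
func VerifyPackage(pub ed25519.PublicKey, pkg, sig []byte) error {
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, pkg, sig) {
		return ErrNotVendorSigned
	}
	return nil
}

// SecondsToExhaust estimates how long a brute-force run over a whole
// keyspace takes at a given hash rate: charsetSize^length / rate.
func SecondsToExhaust(charsetSize, length int, hashesPerSecond float64) float64 {
	return math.Pow(float64(charsetSize), float64(length)) / hashesPerSecond
}

func main() {
	pub, priv, err := GenerateVendorKeys()
	if err != nil {
		panic(err)
	}

	// Constructed stand-in for a custom-script tarball.
	script := []byte("constructed-custom-script.tar")
	sig := SignPackage(priv, script)
	fmt.Println("genuine package:", VerifyPackage(pub, script, sig))

	// One flipped byte, or a package built by someone without the private
	// key, is rejected even though the public key is on every radio.
	tampered := append([]byte{}, script...)
	tampered[0] ^= 0x01
	fmt.Println("tampered package:", VerifyPackage(pub, tampered, sig))

	// Password policy comparison at the md5crypt rate quoted in the post.
	const rate = 197.5e6
	fmt.Printf("[a-z0-9]{8}:     %.1f hours\n", SecondsToExhaust(36, 8, rate)/3600)
	fmt.Printf("[a-zA-Z0-9]{10}: %.0f years\n", SecondsToExhaust(62, 10, rate)/(3600*24*365))
}
```

The signature check is what makes the passfile problem go away: a shared symmetric key recovered from one radio lets anyone both read and mint packages, whereas a public key only lets them read the check, not pass it.  The keyspace figures assume the attacker can still reach the hashes at all, which is why the signing change is the one that matters more.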



Repairing 'corrupt' ASE 1.x capture files

Recently I captured a whole bunch of data using an ASE V1 RTU test set to troubleshoot a comms issue, with the intention of analyzing the data once I got back to the office. Well, when I did get back to the office and tried to open my files, ASE just sat there, blank, looking at me as if I were stupid. I only had one capture file out of a dozen that actually opened, and it happened to be the smallest one. I figured that ASE had an issue opening large capture files, so I fired off an email to support asking for haaaaalp.

I was told that there were no issues viewing large files, but that I had likely been following the incorrect procedure for capturing files, which must be closed properly.  There was no hope of recovering my data.
