Reverse Engineering A Mimomax Radio

Sometimes I like Mimomax radios, and sometimes I hate them. They are without doubt one of the best radios around for getting the most value out of a 25 kHz radio channel. However, they have bugs. Lots of bugs, sometimes big, sometimes little. I have spent more time working out why these radios don't work or behave the way I would expect than on any other radio. So I decided to break one. Purely for academic purposes, of course.

Mimomax radios have SSH listening on port 22, and I happened across the root password for one radio in particular. Unfortunately I can't say how I happened upon this password, but happen upon it I did. From observation it would seem that the root password is different for every radio, and that the passwords are 8 characters long and consist only of lowercase letters and digits.

Armed with the root password, one can download the entire file system and inspect the scripts that control the radio. From this, the following can be established:

  • A file called passfile is used as a symmetric key for encrypting and decrypting custom scripts, firmware images and SFE licence files. We can assume this file is the same on every radio, because firmware images are not issued per radio the way licence files are.
  • SFE files are compressed and encrypted SQLite databases (the one called dbsfe.sqlite3), so with the passfile in hand it would be trivial to generate new licence files for a radio.
  • Custom scripts are just a collection of files tarballed and encrypted with the passfile, so it is equally trivial for us to create our own custom script bundles.

In theory, then, we could write a custom script to extract the password hashes from the radio and crack them by brute force. Using an Amazon EC2 VM with 16 GPUs running hashcat, we can achieve an md5crypt hash rate of 197.5 MH/s. Walking the entire keyspace (36^8, roughly 2.8 × 10^12 candidates) would take about 4 hours, so on average it should take 2 hours per hash (md5crypt hashes are salted, so each radio's hash has to be attacked on its own), at a cost of roughly $50 USD.
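As an added example (not code from the original post, and nothing taken from the radio), the following shows what the attack above amounts to in practice: a pure-Python md5crypt so the stretching cost is visible, an exhaustive search over a deliberately tiny slice of the lowercase-plus-digits keyspace, and the time/cost estimate for the full 36^8 space at the post's 197.5 MH/s. The hourly instance price and the sample salt and password are assumptions; the 36-symbol alphabet and 8-character length are the post's observations.

```python
import hashlib
import itertools
import string

# md5crypt's own base64 alphabet (not the RFC 4648 one)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# The 36 symbols the post observed in root passwords: lowercase letters and digits.
OBSERVED_ALPHABET = string.ascii_lowercase + string.digits


def _to64(value, count):
    """md5crypt's little-endian 6-bit encoding of `count` characters."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password, salt):
    """Pure-Python md5crypt (the '$1$' scheme from FreeBSD): one MD5 pass plus
    1000 stretching rounds, which is why hashcat's md5crypt rate, not its raw
    MD5 rate, is the figure that matters."""
    pw = password.encode()
    sb = salt.encode()[:8]                      # md5crypt uses at most 8 salt bytes
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for remaining in range(len(pw), 0, -16):    # mix in len(pw) bytes of the alt sum
        ctx.update(alt[:min(remaining, 16)])
    bits = len(pw)
    while bits:                                 # one byte per bit of the length
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                       # the stretching loop
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    )
    return "$1$" + sb.decode() + "$" + encoded + _to64(final[11], 2)


def crack_md5crypt(target, alphabet, length):
    """Exhaustive search of alphabet^length against one salted hash: the same
    strategy hashcat would run on the GPUs, here in Python so keep `length` tiny."""
    _, scheme, salt, _ = target.split("$")
    if scheme != "1":
        raise ValueError("not an md5crypt hash")
    for chars in itertools.product(alphabet, repeat=length):
        candidate = "".join(chars)
        if md5crypt(candidate, salt) == target:
            return candidate
    return None


def crack_estimate(alphabet_size, length, rate_hps, usd_per_hour):
    """Keyspace size plus worst-case / expected time and cost to crack ONE hash
    at `rate_hps`.  Because md5crypt is salted, every radio's hash costs this
    much on its own; there is no batch discount across radios."""
    keyspace = alphabet_size ** length
    worst_hours = keyspace / rate_hps / 3600
    return {
        "keyspace": keyspace,
        "worst_hours": worst_hours,
        "expected_hours": worst_hours / 2,
        "expected_usd": worst_hours / 2 * usd_per_hour,
    }


if __name__ == "__main__":
    # 197.5 MH/s is the post's measured rate; 14 USD/hour is an assumed price.
    for size, length in ((36, 8), (62, 10)):
        est = crack_estimate(size, length, 197.5e6, usd_per_hour=14.0)
        print(f"{size}^{length}: {est['keyspace']:.3g} candidates, "
              f"worst {est['worst_hours']:.1f} h, expected ${est['expected_usd']:.0f}")
    demo_hash = md5crypt("k9", "abcd1234")      # constructed 2-char password and salt
    print(demo_hash, "->", crack_md5crypt(demo_hash, OBSERVED_ALPHABET, 2))
```

To check the hash function against a real implementation, compare `md5crypt("k9", "abcd1234")` with `openssl passwd -1 -salt abcd1234 k9`; the two must agree byte for byte. The second estimate in `__main__` (62 symbols, 10 characters) is the policy suggested at the end of the post, and it turns the 4-hour full-keyspace figure into well over a century at the same hash rate.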

The security of the radio could be increased greatly by signing custom scripts and licence files with a private key held by the vendor and verifying them on the radio with the corresponding public key, instead of encrypting them under a symmetric key that also lives on the radio. That way, even though we could still decrypt existing scripts and licence files, we could not generate new ones without further tampering with the radio. Of course, once you have the root password all bets are off, since we can change the keys to whatever we like. To make cracking the password hashes harder, the vendor could also enlarge the password keyspace by using upper case characters and making passwords at least 10 characters long: 62^10 is roughly 8.4 × 10^17 candidates, which at 197.5 MH/s is around 135 years for the full keyspace rather than 4 hours.
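The following is an added example, not code from the original post or from the vendor, showing the two packaging schemes side by side: the passfile-style symmetric scheme described in the bullet list above (a tarball the radio accepts as long as it decrypts) and the signed scheme proposed in this paragraph (the radio holds only a public key). The radio's actual cipher and file layout are not known, so AES-256-CBC via `openssl enc`, RSA-2048 signatures via `openssl dgst`, the file names and the script contents are all assumptions; the `openssl` binary must be on PATH.

```python
import secrets
import subprocess
import tarfile
import tempfile
from pathlib import Path


def _openssl(*args):
    """Run one openssl command; callers inspect the exit status."""
    return subprocess.run(("openssl",) + args, capture_output=True)


def make_tarball(workdir, name, script):
    """Pack a single script into a tarball, the shape the post says custom scripts take."""
    src = workdir / name
    src.write_text(script)
    tb = workdir / f"{name}.tar"
    with tarfile.open(tb, "w") as t:
        t.add(str(src), arcname=name)
    return tb


# --- current scheme (as described in the post): a symmetric key shared with the radio
def sym_encrypt(tb, passfile):
    """Encrypt with the passfile as passphrase.  AES-256-CBC is an assumption;
    the radio's real cipher is not known."""
    out = tb.with_name(tb.name + ".enc")
    _openssl("enc", "-aes-256-cbc", "-pbkdf2", "-salt", "-pass", f"file:{passfile}",
             "-in", str(tb), "-out", str(out)).check_returncode()
    return out


def sym_radio_accepts(enc, passfile):
    """All the radio can check is that the bundle decrypts.  Anyone holding the
    passfile (i.e. anyone who has read one radio's file system) passes this."""
    r = _openssl("enc", "-d", "-aes-256-cbc", "-pbkdf2", "-pass", f"file:{passfile}",
                 "-in", str(enc), "-out", str(enc.with_name(enc.name + ".dec")))
    return r.returncode == 0


# --- proposed scheme: vendor signs with a private key, the radio holds only the public key
def gen_vendor_keypair(workdir):
    priv, pub = workdir / "vendor.key", workdir / "vendor.pub"
    _openssl("genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048",
             "-out", str(priv)).check_returncode()
    _openssl("pkey", "-in", str(priv), "-pubout", "-out", str(pub)).check_returncode()
    return priv, pub


def vendor_sign(tb, priv):
    sig = tb.with_name(tb.name + ".sig")
    _openssl("dgst", "-sha256", "-sign", str(priv), "-out", str(sig), str(tb)).check_returncode()
    return sig


def radio_verifies(tb, sig, pub):
    """Exit status 0 means 'Verified OK'; a forged or modified tarball fails."""
    r = _openssl("dgst", "-sha256", "-verify", str(pub), "-signature", str(sig), str(tb))
    return r.returncode == 0


def compare_schemes():
    """Run both acceptance checks on a vendor bundle and an attacker-built bundle."""
    with tempfile.TemporaryDirectory() as d:
        wd = Path(d)
        passfile = wd / "passfile"
        passfile.write_text(secrets.token_hex(16))   # constructed stand-in for the radio's passfile
        vendor_tb = make_tarball(wd, "vendor.sh", "#!/bin/sh\necho vendor-supplied script\n")
        forged_tb = make_tarball(wd, "forged.sh", "#!/bin/sh\necho attacker-supplied script\n")

        # With the passfile the attacker produces a bundle the radio cannot tell apart.
        symmetric = {
            "vendor": sym_radio_accepts(sym_encrypt(vendor_tb, passfile), passfile),
            "forged": sym_radio_accepts(sym_encrypt(forged_tb, passfile), passfile),
        }

        priv, pub = gen_vendor_keypair(wd)
        sig = vendor_sign(vendor_tb, priv)
        # The attacker can read pub from the radio but never sees priv, so the best
        # they can do is reuse the vendor's signature on their own tarball.
        signed = {
            "vendor": radio_verifies(vendor_tb, sig, pub),
            "forged": radio_verifies(forged_tb, sig, pub),
        }
        return {"symmetric": symmetric, "signed": signed}


if __name__ == "__main__":
    print(compare_schemes())
```

Running it prints `{'symmetric': {'vendor': True, 'forged': True}, 'signed': {'vendor': True, 'forged': False}}`: the symmetric scheme accepts both bundles because decrypting and forging use the same key, while the signed scheme rejects the attacker's tarball because only the vendor's private key can produce a signature over it. The caveat in the paragraph still applies: with root on the radio an attacker can swap out vendor.pub, so the public key needs to live somewhere root cannot rewrite, for instance in a read-only partition or a signed boot image.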