Hacking a Thin Client to Gain Root Access

[Roberto] recently discovered a clever way to gain root access to an HP t520 thin client computer. These computers run HP’s ThinPro operating system. The OS is based on Linux and is basically just a lightweight system designed to boot into a virtual desktop image loaded from a server. [Roberto’s] discovery works on systems that are running in “kiosk mode”.

The setup for the attack is incredibly simple. The attacker first stops the virtual desktop image from loading. Then, the connection settings are edited. The host field is filled with garbage, which will prevent the connection from actually working properly. The real trick is in the “command line arguments” field. The attacker simply needs to add the argument “&& xterm”. When the connection is launched, it will first fail and then launch the xterm program. This gives the attacker a command shell running under the context of whichever user the original software is running as.

The next step is to escalate privileges to root. [Roberto] discovered a special command that the default user can run as root using sudo. The “”hpobl” command launches the HP Easy Setup Wizard. Once the wizard is opened, the attacker clicks on the “Thank You” link, which will then load up the HP website in a version of Firefox. The final step is to edit Firefox’s default email program association to xterm. Now when the attacker visits an address like “mailto:test@test.com”, Firefox (running as root) launches xterm with full root privileges. These types of attacks are nothing new, but it’s interesting to see that they still persist even in newer software.

EddiePlus, the Edison based balancing robot

[Renee] dropped a tip to let us know about EddiePlus, her balancing robot creation. As its name might imply, EddiePlus is controlled by an Intel Edison processor. More specifically, [Renee] is using several of Sparkfun’s Edison Blocks to create Eddie’s brain. EddiePlus’ body is 3D printed, while his movement comes from two Pololu DC motors with wheels and encoders. The full build instructions are available as a PDF from [Renee’s] Google drive.

Eddie is able to balance and drive around on two wheels, much like a Segway. Sensor data for balance comes from Sparkfun’s LSM9DS0 based Inertial Measurement Unit (IMU) block. In this new “plus” version of Eddie, [Renee] has added encoders to the robot’s wheels. This makes it easier for him to adapt to changing loads – such as pumping iron (or banana plugs as the case may be). The encoders also help with varying terrain, as [Renee] demonstrates by tilting a board as Eddie drives on it. Eddie’s code is written in C, and available on Github.  Controlling Eddie is as easy as sending simple commands via UDP.

As you might imagine, the Intel Edison still has plenty of cycles left over after computing Eddie’s balance. [Renee] uses some of these with a webcam based teleoperation mode.

Click past the break to see Eddie in action!

Continue reading “EddiePlus, the Edison based balancing robot”

Unlock Your Demo Kindle Paperwhite

If you’ve been holding off on upgrading your kindle, this project might inspire you to finally bite the bullet. [WarriorRocker] recently saved quite a few dollars on his Kindle upgrade by using a demo unit. Of course, it’s not as simple as just finding a demo unit and booting it up. There’s some hacking involved.

[WarriorRocker] found his Kindle Paperwhite demo unit on an online auction site for just $20. Kindles are great for reading but also make popular displays for your own projects. This used display model was much less expensive than a new unit, which makes sense considering it had probably received its share of abuse from the consumers of some retail store. The problem with a demo unit is that the firmware that comes with it is very limited, and can’t be used to sync up with your Amazon account. That’s where the hacking comes in.

pwdu-01The first step was to crack open the case and locate the serial port. [WarriorRocker] soldered a small three pin header to the pads to make it easier to work on his device as needed. He then connected the Kindle to his PC using a small serial to USB adapter. Pulling up the command prompt was as simple as running Putty and connecting to the correct COM port. If the wires are hooked up correctly, then it just takes a press of the enter key to pull up the login prompt.

The next step requires root access. The root password for each unit is related to the unit’s serial number. [WarriorRocker] obtained the serial number by rebooting the Kindle while the Serial connection was still open. The boot sequence will spit out the number. This number can then be entered in to an online tool to generate possible root passwords. The tool is available on [WarriorRocker’s] project page linked above.

Next, the Kindle needs to be rebooted into diagnostic mode. This is because root logins are not allowed while the device is booted to the system partition. To enter diagnostic mode, [WarriorRocker] had to press enter over and over during the boot sequence in order to kill the automatic boot process. Then he checked some environment variables to locate the memory address where the diagnostic mode is stored. One more command tells the system to boot to that address and into diagnostic mode.

The last step of the process begins by mounting the Kindle as a USB storage device and copying over the stock Kindle firmware image. Next [WarriorRocker] had to exit the diagnostic menu and return to a root command prompt. Finally, he used the dd command to copy the image to the Kindle’s partition bit by bit. Fifteen minutes and one reboot later and the Kindle was working just as it should. [WarriorRocker] even notes that the 3G connection still works. Not bad for $20 and an hour or two of work.

Amazon Fire TV Update Bricks Hacked Devices

The Amazon Fire TV is Amazon’s answer to all of the other streaming media devices on the market today. Amazon is reportedly selling these devices at cost, making very little off of the hardware sales. Instead, they are relying on the fact that most users will rent or purchase digital content on these boxes, and they can make more money in the long run this way. In fact, the device does not allow users to download content directly from the Google Play store, or even play media via USB disk. This makes it more likely that you will purchase content though Amazon’s own channels.

We’re hackers. We like to make things do what they were never intended to do. We like to add functionality. We want to customize, upgrade, and break our devices. It’s fun for us. It’s no surprise that hackers have been jail breaking these devices to see what else they are capable of. A side effect of these hacks is that content can be downloaded directly from Google Play. USB playback can also be enabled. This makes the device more useful to the consumer, but obviously is not in line with Amazon’s business strategy.

Amazon’s response to these hacks was to release a firmware update that will brick the device if it discovers that it has been rooted. It also will not allow a hacker to downgrade the firmware to an older version, since this would of course remove the root detection features.

This probably doesn’t come as a surprise to most of us. We’ve seen this type of thing for years with mobile phones. The iPhone has been locked to the Apple Store since the first generation, but the first iPhone was jailbroken just days after its initial release. Then there was the PlayStation 3 “downgrade” fiasco that resulted in hacks to restore the functionality. It seems that hackers and corporations are forever destined to disagree on who actually owns the hardware and what ownership really means. We’re locked in an epic game of cat and mouse, but usually the hackers seem to triumph in the end.

How To Get 50 More Zed From Your Rigol DS1054Z

[Chris] has been spending a lot of time in the wife’s sewing room lately, and things got pretty serious late last night as he hacked his shiny new Rigol DS1054Z to unlock the 1104Z capabilities lurking within.

The rumors are true, and ungoverning the software is as simple as looking up your serial number and knowing the right URL for generating a valid license. [Chris] ran into a dud site, but that’s the price of doing business in the shadowy parking garage basements of the interwebs. Once he knocked on the right door and uttered the secret word, however, he became the proud owner of 50MHz additional bandwidth, decoders for SPI, I²C, and RS-232, twice the storage depth, and all teh triggers that ship with the 1104Z.

Stick around for [Chris]’s video walk-through. Can’t rationalize the purchase even at the ridiculously low price point? Here’s one way to make it happen. You’ll laugh, you’ll cry, you’ll learn some French.

Continue reading “How To Get 50 More Zed From Your Rigol DS1054Z”

Finding a Shell in a Bose SoundTouch

Bose, every salesperson’s favorite stereo manufacturer, has a line of WiFi connected systems available. It’s an impressively innovative product, able to connect to Internet Radio, Pandora, music libraries stored elsewhere on the network. A really great idea, and since this connects to a bunch of web services, you just know there’s a Linux shell in there somewhere. [Michael] found it.

The SoundTouch is actually rather easy to get into. The only real work to be done is connecting to port 17000, turning remote services on, and then connecting with telnet. The username is root.

The telnet service on port 17000 is actually pretty interesting, and we’re guessing this is what the SoundTouch iOS app uses for all its wizardry. [Michael] put a listing of the ‘help’ command up on pastebin, and it looks like there are commands for toggling GPIOs, futzing around with Pandora, and references to a Bluetooth module.

Interestingly, when [Michael] first suspected there could be Linux inside this box, he contacted Bose support for any information. He figured out how to get in on his own, before Bose emailed him back saying the information is proprietary in nature.

Chromecast Is Root

Image from [psouza4] on the xda-developers forum

Chromecast is as close as you’re going to get to a perfect device – plug it in the back of your TV, and instantly you have Netflix, Hulu, Pandora, and a web browser on the largest display in your house. It’s a much simpler device than a Raspi running XBMC, and we’ve already seen a few Chromecast hacks that stream videos from a phone and rickroll everyone around you.

Now the Chromecast has been rooted, allowing anyone to change the DNS settings (Netflix and Hulu users that want to watch content not available in their country rejoice), and loading custom apps for the Chromecast.

The process of rooting the Chromecast should be fairly simple for the regular readers of Hackaday. It requires a Teensy 2 or 2++ dev board, a USB OTG cable, and a USB flash drive. Plug the Teensy into the Chromecast and wait a minute. Remove the Teensy, plug in the USB flash drive, and wait several more minutes. Success is you, and your Chromecast is now rooted.

Member of Team-Eureka [riptidewave93] has put up a demo video of rooting a new in box Chromecast in just a few minutes. You can check that out below.

Continue reading “Chromecast Is Root”