
Hands-On IoT Hacking: Rapid7 at DefCon 29 IoT Village, Part 3

In our first post in this series, we covered the setup of Rapid7's hands-on exercise at Defcon 29's IoT Village. Last week, we discussed how to determine the UART status of the header we created and how to actually start hacking on the IoT device. The goal in this next phase of the IoT hacking exercise is to turn the console back on.

To accomplish this, we need to re-enter the bootargs variable without the console setting. To change the bootargs variable, the "setenv" command needs to be used. In the case of this exercise, enter the following command as shown in Figure 16. You can see that the "console=off" has been removed. This will overwrite the current bootargs environment variable setting.

Figure 16: setenv command

Once you've run this command, we recommend verifying that you've correctly made the changes to the bootargs variable by running the "printenv" command again and observing that the output shows that "console=off" has been removed. It is very common to accidentally mistype an environment variable, which will cause errors on reboot or simply create a whole new variable that has no usable value. The correct bootargs variable line should read as shown in Figure 17:

Figure 17: bootargs setting

Once you're sure the changes made to bootargs are correct, you'll need to save the environment variable settings. To do this, you'll use the "saveenv" command. Enter this command in the UART console, and hit enter. If you miss this step, then none of the changes made to the environment variables of U-Boot will be saved and all will be lost on reboot.

The saveenv command should cause the U-Boot environment variables to be written to flash and return a response indicating they are being saved. An example of this is shown in Figure 18:

Figure 18: saveenv command response
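As an added illustration of the setenv/printenv/saveenv sequence above (this is not code from the original post or the exercise materials), the following Python snippet parses a constructed printenv listing, builds the setenv command with console=off dropped, and checks a second printenv capture the way the text recommends: console=off gone, nothing else altered, and no stray variable created by a typo. The sample variables are made up; the LUMA's real bootargs appear only in Figures 16 and 17.

```python
# Added example: parse a U-Boot printenv listing, build the setenv command
# that drops console=off, and check the printenv output captured afterwards.

# Constructed printenv output (not the LUMA device's real environment).
PRINTENV_BEFORE = """\
baudrate=115200
bootargs=console=off root=/dev/mtdblock3 rootfstype=squashfs
bootcmd=bootm 0x9f050000
bootdelay=1
"""

def parse_printenv(text):
    """Map each 'name=value' line of printenv output to a dict entry."""
    env = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            env[name.strip()] = value.strip()
    return env

def strip_console_off(bootargs):
    """Remove every console=off token and keep all other arguments in order."""
    return " ".join(t for t in bootargs.split() if t != "console=off")

def setenv_command(env):
    """The exact line to type at the U-Boot prompt (compare Figure 16)."""
    return "setenv bootargs " + strip_console_off(env["bootargs"])

def verify_change(before_text, after_text):
    """Check the second printenv capture as the post recommends: console=off
    gone, bootargs otherwise unchanged, no stray variable created by a typo,
    and no other variable touched. Returns a list of problems (empty = OK)."""
    before = parse_printenv(before_text)
    after = parse_printenv(after_text)
    problems = []
    if "console=off" in after.get("bootargs", "").split():
        problems.append("bootargs still contains console=off")
    elif after.get("bootargs") != strip_console_off(before["bootargs"]):
        problems.append("bootargs does not match the intended value")
    for name in sorted(after.keys() - before.keys()):
        problems.append(f"unexpected new variable '{name}' (mistyped setenv?)")
    for name in sorted(before.keys() - {"bootargs"}):
        if after.get(name) != before[name]:
            problems.append(f"variable '{name}' changed unexpectedly")
    return problems
```

Paste the real printenv output from the console into the two strings; an empty problem list is the cue that it is safe to run saveenv.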

Reboot and capture logs for review

Once you've made all the needed changes to the U-Boot environment variables and saved them, you can reboot the device, observe the console logs from the boot process, and save the console log data to a file for further review. The boot log data from the console will play a critical role in the next steps as you work toward gaining full root access to the device.

Next, reboot the system. You can do this in a couple of different ways. You can either type the "reset" command within the U-Boot console and hit enter, which tells the MCU to reset and causes the system to restart, or simply cycle the power on the device. After entering the reset command or power cycling the device, the device should reboot. The console should now be unlocked, and you should see the kernel boot up. If you still do not have a functioning console, you either entered the wrong data for bootargs or failed to save the settings with the "saveenv" command. I must admit I'm personally guilty of both, many times.

During the Defcon IoT Village exercise, we had the attendees capture console logs to a file for review using the following process in GtkTerm. If you're using a different serial console application, the process for capturing and saving logs will be different.

In GtkTerm, to capture logs for review, select "Log" on the task bar pulldown menu in GtkTerm as shown below in Figure 19:

Figure 19: Enable logging

Once "Log" is selected, a window will pop up. From here, you need to select the file to write the logs out to. In this case, we had the attendees select the defcon_log.txt file on the laptop's desktop as shown below in Figure 20:

Figure 20: Select defcon_log.txt file

Once you've selected a log file, capture to that file begins. From here, the device can be powered back on or restarted to start capturing logs for review. Let the system boot up completely. Once it appears to be up and running, you can turn off logging by selecting "Log" and then selecting "Stop" in the dropdown, as shown in Figure 21:

Figure 21: Stop log capture

Once logging is stopped, you can open the captured log file and review the contents. During the Defcon IoT Village exercise, we had the participants search for the keyword "failsafe" in the captured logs. Searching for failsafe should take you to the log entry containing the line:

  • “Press the [f] key and hit [enter] to enter failsafe mode”

This is a prompt that allows you to hit the "f" key followed by return to boot the system into single-user mode. You won't find this mode on all IoT devices, but you will see it on some, as in this case with the LUMA device. Single-user mode starts the system up with limited functionality and is often used for conducting maintenance on an operating system – and, yes, this is root-level access to the device, but with none of the critical system functions running that would provide network service, USB access, and the applications that run as part of the device's normal operating features. Our goal later is to use this access and the following data to eventually gain full operating system root access.

There's also another critical piece of data in the log file shortly after the failsafe mode prompt, which we need to note. Roughly 8 lines below the failsafe prompt, there is a reference to "rootfs_data" as shown in Figure 22:

Figure 22: Log review

The piece of data we need from this line is the Unsorted Block Image File System (UBIFS) device number and the volume number. This will allow us to properly mount the rootfs_data partition later. With the LUMA, we found this to be one of the two following values.

  • Device 0, volume 2
  • Device 0, volume 3
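As an added example (not from the original post), this Python log reviewer automates the search just described: it locates the failsafe prompt in a captured GtkTerm log and pulls the UBI device and volume numbers from the rootfs_data mount line that follows it. The log excerpt is constructed and modelled on OpenWrt/Linux UBIFS boot messages; the LUMA's real log appears only in Figure 22.

```python
# Added example: review a captured serial boot log for the failsafe prompt
# and the UBI device/volume numbers of the rootfs_data mount that follows it.
import re

# Constructed log excerpt modelled on OpenWrt/Linux UBIFS messages
# (not the LUMA's real defcon_log.txt).
SAMPLE_LOG = """\
[    2.103] procd: - preinit -
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[    4.521] mount_root: loading kmods from internal overlay
[    4.602] ubi0: attaching mtd6
[    4.911] ubi0: attached mtd6 (name "ubi", size 48 MiB)
[    5.027] UBIFS (ubi0:2): UBIFS: mounted UBI device 0, volume 2, name "rootfs_data"
[    5.101] mount_root: switching to ubifs overlay
"""

FAILSAFE_RE = re.compile(r"\benter failsafe mode\b")
ROOTFS_RE = re.compile(
    r"mounted UBI device (\d+), volume (\d+), name \"rootfs_data\"")

def find_failsafe_prompt(lines):
    """Index of the first failsafe prompt line, or None if the device has none."""
    for i, line in enumerate(lines):
        if FAILSAFE_RE.search(line):
            return i
    return None

def find_rootfs_data(lines, start=0, window=12):
    """(device, volume) from the rootfs_data mount line within `window` lines
    after `start`; the post found it roughly 8 lines below the prompt."""
    for line in lines[start:start + window]:
        m = ROOTFS_RE.search(line)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None

def review_log(text):
    """Summarise what the later mount step needs from a captured log."""
    lines = text.splitlines()
    idx = find_failsafe_prompt(lines)
    if idx is None:
        return {"failsafe": False, "ubi": None}
    return {"failsafe": True, "prompt_line": idx + 1,
            "ubi": find_rootfs_data(lines, idx)}
```

Run review_log on the contents of your own capture file; a result with "failsafe": False means the device does not expose the prompt this exercise relies on.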

Boot into single-user mode

Now that the captured logs have been reviewed, allowing us to identify the failsafe mode and the UBIFS mount data, the next step is to reboot the system into single-user mode so we can work on getting full root access to the device. To do this, you'll need to watch the system booting up in the UART console, waiting for the failsafe mode prompt as shown below in Figure 23:

Figure 23: Failsafe mode prompt

When this prompt shows up, you'll only have a couple of seconds to press the "f" key followed by the return key to get the system to launch into single-user root access mode. If you miss it, you'll have to reboot and start over. If you're successful, the UART console should show the following prompt (Figure 24):

Figure 24: Single-user mode

In single-user mode, you'll have root access, although most of the partitions, applications, networks, and associated functions will not be loaded or running. Our goal will be to make changes so you can boot the device up into full operating system mode and still have root access.

In our fourth and final installment of this series, we'll go over how to configure user accounts and, finally, how to reboot the device and log in. Check back with us next week!





Rapid7 Inc. published this content on 04 November 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 04 November 2021 18:15:14 UTC.
