Interesting finds #2
Comments
|
As I can see from the |
|
Indeed, it looks like the SDK they use is a bit older, though. The file structure/path shown for the However, that was in a period when you needed an NDA with Realtek to have access to it. They've since noticed interest in the RTL87[XX] and released the SDK openly in that GitHub repo. I'm not sure if things might've also changed during this release, so what we have now may not be 1:1 with what was used to develop it. Nevertheless, useful info |
|
By offset |
|
Got really interesting fw for some fw_code, it's an android boot img 250M in size, gonna upload it today. |
|
File is too large, I'll try to figure out how to upload it, the firmwareCode is |
|
Have you looked into Git LFS? It's a Large File Storage extension which is designed for this situation specifically |
|
Yep, but I just never used it, so I decided to play around with fw first :) |
|
I'll handle the git then - Do you happen to know if this fw also doesn't respond to bing queries? It looks like you'll have to do this, since apparently GitHub doesn't support LFS on public forks according this this link. I get an error saying that
|
Looks like it's for something like Smart Voice Control for AC. Can you give some strings from the packets are used in bind requests/responses? Like json keys, etc. |
|
I documented some strings and protocols here: This is just the scan, to which my device responds, but is then unable to bind. I disconnected my ACs from WiFi, in the hope that they don't update (and ruin our research). When binding, you have the EDIT: Looks like my attempt was a bind attempt, so it looks about like that. The generic key is |
|
Here is the firmware I talked about |
|
Tadaaa! The file is in the squashfs, at Looks like the binary is not stripped, what a nice find! |
|
|
|
Looks like it may be vulnerable to an SQL injection?
EDIT: Do you happen to know if this particular firmware works locally with available local control tools? Is this a jackpot? |
|
Looks like 👍 I'm a little confused for what kind of device this fw for... |
|
From if (LOCAL_AESKEY_FLG == 0) {
puVar4 = aes_device_key;
}
else {
puVar4 = ecb_unify_key;
}
uVar7 = aes_ecb_encryption_t(puVar4,auStack_818);
memset(auStack_418,0,0x400);
base64_encode(auStack_418,0x400,auStack_818,uVar7);
uVar2 = cJSON_CreateObject();
uVar5 = cJSON_CreateString("pack");
cJSON_AddItemToObject(uVar2,"t",uVar5);
uVar5 = cJSON_CreateNumber(SUB84((double)(ulonglong)LOCAL_AESKEY_FLG,0));
cJSON_AddItemToObject(uVar2,"i",uVar5);
uVar5 = cJSON_CreateNumber(SUB84((double)(longlong)loginUid,0));
cJSON_AddItemToObject(uVar2,"uid",uVar5);
uVar5 = cJSON_CreateString(LOCAL_MAC);
cJSON_AddItemToObject(uVar2,"cid",uVar5);
uVar5 = cJSON_CreateString("");
cJSON_AddItemToObject(uVar2,"tcid",uVar5);
uVar5 = cJSON_CreateString(auStack_418);
cJSON_AddItemToObject(uVar2,"pack",uVar5);
local_reqJSON_out = (char *)cJSON_PrintUnformatted(uVar2); |
|
I wonder, did you upload the wrong MD file for this new firmware? It seems that the version it gives me is 1.38, whereas the one you uploaded is 1.55 |
|
Check the domains
{"CreateDate":"2022-12-06 01:00:21","commProtVer":"","desc":"","forcedUpgrade":0,"r":200,"url":"http://test.grih.gree.com/wifiModule/image/16988/254130648","ver":"1.55"}
{"CreateDate":"2022-05-31 08:23:21","commProtVer":"","desc":"优化已知功能","forcedUpgrade":0,"r":200,"url":"http://grih.gree.com/wifiModule/image/10463/193714648","ver":"1.38"} |
|
Well, well, looks like I need glasses after all. I was looking at V1.38, and some things weren't lining up with your findings. Haha, they had it with debugging symbols since 1.38! |
|
Hey! Got ESP32 firmware |
|
Really nice! Didn't get to looking into it just yet, but it's on the TODO list, as soon as possible. Did you find anything interesting in that one yet? |
|
Still investigating |
|
I convinced the automatic LLM friend to generate a python script for us which checks the links you suggested. I've tested and debugged this, seems to work nicely: import os
import sys
import json
import requests
def fetch_and_save_data(firmware_code, server):
# Define the URL
url = f'http://{server}/wifiModule/Lastversion?firmwareCode={firmware_code}'
try:
# Fetch JSON data using requests
response = requests.get(url,verify=False)
response.raise_for_status() # Raise an exception for 4xx and 5xx status codes
data = response.json()
# Check if the response status is 405
if data.get('r') == 405:
print(f"Ignore firmware code {firmware_code} from {server} due to response status 405")
return
# Prepare filename
version = data.get('ver')
filename = f"downloaded/{firmware_code}_v{version}_{server}.md"
# Write data to MD file
with open(filename, 'w') as file:
file.write(f"`{url}`\n\n")
file.write(f"```json\n")
json.dump(data, file, indent=2)
file.write(f"```")
print(f"Data saved for firmware code {firmware_code} from {server}")
except requests.RequestException as e:
print(f"Error fetching data for firmware code {firmware_code} from {server}: {str(e)}")
except json.JSONDecodeError as e:
print(f"Error decoding JSON response for firmware code {firmware_code} from {server}: {str(e)}")
if __name__ == "__main__":
if len(sys.argv) < 2:
print("Usage: python script.py <firmware_code>")
sys.exit(1)
firmware_code = sys.argv[1]
servers = [
"grih.gree.com",
"test.grih.gree.com",
"ru.grih.gree.com",
"na.grih.gree.com",
"hk.grih.gree.com",
"eu.grih.gree.com",
"in.grih.gree.com",
"sa.grih.gree.com"
]
# Create the "downloaded" directory if it doesn't exist
os.makedirs("downloaded", exist_ok=True)
for server in servers:
fetch_and_save_data(firmware_code, server)If you find this useful, would you mind adding it? Also, we have a new firmware code contribution for Would you mind adding that as well? I'm currently away from my broadband connection, and cloning the repo for a PR would eat my data. Still, that one seems to be yet again, 750 KB with the codename |
|
Managed to query the DNS requetss of my app. Seems it contacts: eu12.as.gree.com, eugrih.gree.com |
|
Looks like V1.53 does indeed fix fetching. It's only available on test.grih.gree.com, but it fixes these issues. |
|
Just to clarify |
|
Maybe someone can try to downgrade the firmware with DNS spoofing? I don't have any ACs with WiFi modules :) |
Hey, I could try it (have a unit), but not sure where to begin. |
|
@wangeris do you know your |
sadly I do not, tried to find out by intercepting dns queries, but no luck with that due to SSL i believe |
|
@wangeris is there any labels/stickers on your wifi module? |
|
I'll have to open up my AC unit to look when I'm home |
|
Here's a picture of mine if it helps. I attempted to upgrade my AC using DNS spoofing. You have to have the EWPE Smart / GREE+ app launched with a debugger attached, and then all regions map to the test server, and you can perform the upgrade (thanks to Urusus2 for this discovery) . I'm now running 1.53, which works with Home Assistant and existing tools. If you simply change the default domain it's looking for to the IP of the testing server, you get the popup for a firmware upgrade but it never completes. There's no "upgrade firmware" button, it just shows it's available. The app may have trouble with SSL for actually downloading the image (who knows?). Still, there is a way to make it ignore SSL certificates, and perform a MITM attack on it. If you run Windows, there's this web debugger called "Telerik Fiddler". It can decrypt HTTPs, but it requires that you install a CA certificate which simply trusts everything (which is also generates). Using this certificate, install it on the mobile device, and then connect the phone to a hotspot you control, where you can then play with routing (such as, with iptables) and with DNS queries as well. It seems that the installation of this all-trusting certificate spreads it's effects even in apps. I haven't done this in a long while, but theory says it should still work. If anything, you can set a proxy on your device's wifi connection to point to Fiddler, and then you'll see all HTTPs traffic intercepted in there, including GREE traffic. The device itself seems to have an SSL certificate embedded, for the "gree.com" domain, which expires in about 10 years. It was visible in the firmware I uploaded. If firmware update is done through the cloud, then I doubt downgrade would work with manually provided firmware, but it could work if the AC's DNS queries are poisoned to report a custom (locally-hosted) "image meta server", while still downloading the files from China cloud. The prompts for firmware data seem to go over HTTP (since the app worked with poisoned DNS). |
it doesn't work, it doesn't downgrade... |
|
As I saw from different firmware files, looks like the app provides an fw link to the module, and module proceeds with the update by itself. May be try to change the link on that stage? |
|
I change link, if version is greater it update successfully, but if version is smaller it not downgrade... |
I ran a
stringson theU-WB05RT13V1.21-4307516678339185323.binfile, and I came across this:../../../component/common/drivers/wlan/realtek/src/osdep/lwip_intf.cWhich is actually this file:
https://github.com/ambiot/ambd_sdk/blob/dev/component/common/drivers/wlan/realtek/src/osdep/lwip_intf.h
Might help with reverse engineering some of the code.
Found this as well:
../../../component/os/freertos/freertos_v10.0.1/Source/portable/GCC/ARM_RTL8710C/port.cAs well as
[I]: create_DeviceKey :%s- Which may indicate where the encryption key is generated (and how).It looks like the device was (is) based on an
AmebaZ2 RTL8710C, although the FCC pictures show anRTL8720CF: https://device.report/m/68a82c07c0a456cd60cb23c4e70f1e84d20fe8af49c3f36a73e89fd74cd5af95That device has a
Cortex M4MCU, namedKM4 MCUwhich is 32 bit, and likely little endian.From here, Ghidra can help with ARM Aggresive Instruction finding, according to: https://blog.feabhas.com/2022/12/disassembling-a-cortex-m-raw-binary-file-with-ghidra/
The text was updated successfully, but these errors were encountered: