Linux - QNX Systems and Hacking

A place For General Chit Chat Etc
Tazzi
Posts: 3422
Joined: Thu May 17, 2012 8:53 pm
cars: VE SS Ute
Location: WA

Linux - QNX Systems and Hacking

Post by Tazzi »

I have a GM module on the bench which is running the open-source QNX system (with GM's tweaks of course), which I'm trying to modify/edit the files on.

Usually speaking, an easy way to attack it is to mount a plugged-in USB, then simply move the files to the Linux system.

But.. on this bad boy... there are NO USB connections! In fact, when doing an update, the files are transferred over the MOST network where it does its RSA certificate check and blocks any edits that way.

So... in saying that, can files be manually edited when having root shell (terminal) access? As in, can the file be read byte by byte through the serial terminal and saved to the PC, modified and finally sent back through the terminal? I have had zero luck googling and trying to find some sort of answer to that. Almost everything I see says to do an image copy of the flash to an external memory device (like USB etc).

The commands we have available on the system are listed below. For those that look at it, you'll see it mentions USB, but I can say now, it's not pinned out to the board and unavailable, it's just a default option available for QNX systems:

Code:

.script                   io-blk.so                 libm.so
cam-disk.so               io-display                libm.so.2
cat                       io-gpumgr                 libsocket.so
chmod                     io-pkt-v4                 libsocket.so.3
cp                        io-usb                    libusbdi.so
dd                        ksh                       libusbdi.so.2
deva-ctrl-mlb.so          ldd                       ln
devb-umass                libEGL.so.1               ls
devc-pty                  libEGL_iMX5X.so           lshwi
devc-sermx1-mx53          libGLES_CM.so.1           mkdir
devf-generic              libGLESv1_CM.so.1         mount
devg-imx51.so             libGLESv1_CM_iMX5X.so     mqueue
devg-soft3d.so            libGLESv2.so.1            mv
devh-usb.so               libGLESv2_iMX5X.so        nanospin_measure
devn-asix.so              libOpenVG.so.1            nanospin_verify
devnp-shim.so             libOpenVGU.so.1           nicinfo
devu-ehci-mx31.so         libOpenVG_iMX5X.so        on
devu-ohci.so              libWFD.so.1               pdebug
dhcp.client               libWFDdevg.so             pidin
dumper                    libasound.so              ping
flashctl                  libasound.so.2            pipe
fs-cifs                   libc.so                   procnto-instr
fs-dos.so                 libc.so.3                 ps
fs-etfs-mx53-draco        libc2d_iMX5X.so.1         pwd
fs-ext2.so                libcam.so.2               qconn
fs-nfs2                   libcpp-ne.so.4            rm
fs-qnx4.so                libcpp.so.4               rmdir
ftp                       libcrypto.so.1            shutdown
gpu_iMX5X.so              libdma-sdma-imx53.so      slay
gzip                      libdma-sdma-imx53.so.1    sleep
hogs                      libffb.so                 slogger
if_up                     libffb.so.2               sloginfo
ifconfig                  libfont.so.1              telnetd
img_codec_bmp.so          libgf.a                   tftp
img_codec_gif.so          libgf.so                  top
img_codec_jpg.so          libgf.so.1                tracelogger
img_codec_pcx.so          libgfS.a                  umount
img_codec_png.so          libgsl_iMX5X.so.1         uname
img_codec_sgi.so          libhiddi.so               usb
img_codec_tga.so          libimg.so                 use
inetd                     libimg.so.1
io-audio                  libiow.so.1
Your Local Aussie Reverse Engineer
Contact for Software/Hardware development and Reverse Engineering
Site:https://www.envyouscustoms.com
Mob:+61406 140 726
Holden202T
Posts: 10311
Joined: Sat Feb 28, 2009 9:05 pm
Location: Tenambit, NSW

Re: Linux - QNX Systems and Hacking

Post by Holden202T »

don't let Antus see this thread, he won't be able to resist trying!! :lol:

Re: Linux - QNX Systems and Hacking

Post by Tazzi »

Antus is a wizard when it comes to Linux. Probably helps he thinks outside the box too.

Every single place I have spoken to and asked has said the same.. damn.. thing.. every time.. which isn't helping!
antus
Site Admin
Posts: 8237
Joined: Sat Feb 28, 2009 8:34 pm
cars: TX Gemini 2L Twincam
TX Gemini SR20 18psi
Datsun 1200 Ute
Subaru Blitzen '06 EZ30 4th gen, 3.0R Spec B

Re: Linux - QNX Systems and Hacking

Post by antus »

You can use shell redirection to stream a file in or out. It might take a bit of messing around to chop off the start of the file, but you should be able to set your terminal to log to disc, then do something like "cat filename" (no quotes), and your display will interpret the binary codes as control characters and flash and beep and the cursor will jump all over the place, but the binary should end up intact in your terminal logs; then you need to chop the start and end off of it.

For the other direction run "cat < filename" and then in the terminal send the file, then hit ctrl+d to end it. The problem here is any ctrl+d in your stream will close the file, so you might need to send a script or a small binary that is a bit more capable, then send the real payload.

There should be options available in off-the-shelf toolkits like Metasploit if you find the right keywords to search for. That's full of stubs designed to achieve an end under very particular circumstances like this.

You might also be able to use that ksh (kshell) binary to convert ASCII hex to binary to generate a new executable on disk, if you can make something built for purpose that the device will run. I'm not a kshell guru, but shells usually can manipulate and redirect data streams.
Have you read the FAQ? For lots of information and links to significant threads see here: http://pcmhacking.net/forums/viewtopic.php?f=7&t=1396

Re: Linux - QNX Systems and Hacking

Post by Tazzi »

Ooohhhhh I didn't know it could do that, thank you Ant!!
I'm pretty sure it didn't support the CAT command, I'll double check, but I'm sure CAT wasn't a command that worked or was supported.

The above commands are the only ones allowed to run on the QNX system. I will double check that CAT definitely did not work, but the entire file structure has no mention of CAT at all.

Re: Linux - QNX Systems and Hacking

Post by Tazzi »

Oh it is there! I take it back!

Right... time to work out how to make a script...
Last edited by Tazzi on Fri Jul 26, 2019 1:37 pm, edited 1 time in total.

Re: Linux - QNX Systems and Hacking

Post by antus »

I missed an even easier option.. dd will do exactly what you want.. if you run something like dd of=filename bs=1 count=<size> and then send a file, it'll default to STDIN for input and stop when the right number of bytes have been received.

Re: Linux - QNX Systems and Hacking

Post by Tazzi »

antus wrote: dd of=filename bs=1 count=<size>
so an example would be:

dd of=MyFileSavedToGMModule.bin bs1 count= 1000
cat < C:\Users\Jason\Desktop\MyFileSavedToGMModule.bin

Or have I completely misinterpreted what you said?

Re: Linux - QNX Systems and Hacking

Post by antus »

Yeah that should work... Some terminal apps have a menu item to load and send a file too. You can do 3 bytes and just hit 3 keys to check the file was created on the device first, then try and find a working way to feed in the payload on the PC side with the tools available.

Edit: I just tested and noticed you dropped the = from bs (block size). bs=1 will mean it processes 1 byte at a time; you can use bs=1k then count=5 for 5k of data, and block size speeds things up when you're talking block storage device copies, but bs=1 keeps count exact, which is probably easier for this, and the size is small enough that the overhead of writing 1 byte at a time on the device won't hurt.

I did notice that dd echoed the text I typed back to me, and I had to hit enter at the end. So I might just RTFM and see if it thought it did something smart because it was stdin; maybe it needs another switch.

Re: Linux - QNX Systems and Hacking

Post by antus »

Actually it seems to work fine, with an echo back to the screen and needing an enter afterwards. eg...

Code:

$ dd of=testfile bs=1 count=5 


1
1
5+0 records in
5+0 records out
5 bytes (5 B) copied, 1.88701 s, 0.0 kB/s

$ hexdump testfile 
0A 0A 31 0A 31
So I'm on Linux where enter (carriage return) is 0A, so I typed: enter enter 1 enter 1 enter (6 keys with dd looking for 5 bytes) and it took exactly the first 5 bytes as I sent them, then stopped on the enter that was the 6th byte.
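The two directions antus describes above (chopping the file out of a terminal log captured around "cat filename", and feeding a payload into dd with an exact byte count), as an added PC-side helper that is not from this thread. It assumes a raw serial console with no newline translation, a "# " prompt on the device, and the usual stty special characters; the sample log is constructed, not a real capture.

```python
# Bytes a canonical-mode (cooked) tty typically intercepts or rewrites instead
# of passing through to dd's stdin; values assumed from common stty defaults.
TTY_SPECIALS = {
    0x03: "ctrl+c (intr)",
    0x04: "ctrl+d (eof; ends 'cat < filename' early)",
    0x0d: "CR (icrnl usually rewrites it to LF)",
    0x11: "ctrl+q (xon)",
    0x13: "ctrl+s (xoff; stalls the link)",
    0x15: "ctrl+u (kill)",
    0x1a: "ctrl+z (susp)",
    0x7f: "DEL (erase)",
}

def plan_dd_upload(device_path, payload):
    """Build the device-side receive command with the exact byte count and list
    the payload bytes the line discipline is likely to eat or change in transit."""
    cmd = f"dd of={device_path} bs=1 count={len(payload)}"
    hazards = sorted({(b, TTY_SPECIALS[b]) for b in payload if b in TTY_SPECIALS})
    return cmd, hazards

def extract_cat_capture(log, command, prompt=b"# "):
    """Chop the echoed command (plus its line ending) off the front of a terminal
    log and the returned prompt off the end, leaving exactly what cat emitted."""
    start = log.find(command)
    if start < 0:
        raise ValueError("echoed command not found in capture")
    start += len(command)
    for nl in (b"\r\n", b"\n"):
        if log.startswith(nl, start):
            start += len(nl)
            break
    if not log.endswith(prompt):
        raise ValueError("capture does not end with the prompt")
    return log[start:len(log) - len(prompt)]

# Constructed sample: every byte value 0..255, logged around "cat secret.bin".
SAMPLE_FILE = bytes(range(256))
SAMPLE_LOG = b"# cat secret.bin\r\n" + SAMPLE_FILE + b"# "

if __name__ == "__main__":
    got = extract_cat_capture(SAMPLE_LOG, b"cat secret.bin")
    print("capture matches original:", got == SAMPLE_FILE)
    cmd, hazards = plan_dd_upload("/tmp/secret.bin", SAMPLE_FILE)
    print("device side:", cmd)
    for value, why in hazards:
        print(f"  payload byte 0x{value:02x} -> {why}")
```

Stop the terminal log as soon as the prompt comes back so the capture ends with it; any listed hazard byte means the plain "cat <" route needs the tty put in raw mode or the payload sent as hex text and decoded on the device, as antus suggests.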