Today I was going to make a Python course about using Python with Raspberry Pi at our hackerspace. However, it's a national holiday and nobody came, so I'll work on ICeeData. I'll make a capture routine, integrated with pyLCI, and capture the data using independent capture units...

Instead, I went on hacking the base station. That looked more interesting.

Bootlog:

Post device verification...
Serial2In string: ATi0
Serial2In string:
56000
Modem Post : Passed with retries = 0

Time taken by POST : [1.197000] seconds
nand_init: manuf=0x000000EC  device=0x000000F1
scanning for bad blocks...
nand_check_blocks: nand_read_page() failed, addr=0x04A20000
nand_check_blocks: nand_read_page() failed, addr=0x05F80000

Consider yourself BLOBed!

blob version 2.0.5-pre2 for Tanto Basic Device
Copyright (C) 1999 2000 2001 Jan-Derk Bakker and Erik Mouw
blob comes with ABSOLUTELY NO WARRANTY; read the GNU GPL for details.
This is free software, and you are welcome to redistribute it
under certain conditions; read the GNU GPL for details.
blob release: d20081014_platform_4_16
Memory map:
  0x02000000 @ 0xc0000000 (32 MB)

ram_post executing...
Data Bus Test
Address Bus Test
Data Qualifer Test
Device Test
c0200000status_next, board type = RF board revision =  (3)
c1e00000r14_svc = 0x0000034d
Autoboot in progress, press any key to stop ...
Loading kernel from flash ........ done
.
Starting kernel ...


Total blob time : [23.862000] seconds
Uncompressing Linux........................................................... done, booting the kernel.
Linux version 2.4.20_mvl31-tantobasic (iyera01@ussy-tanto01) (gcc version 3.3.1 (MontaVista 3.3.1-3.0.10.0300532 2003-12-24)) #d20081014_platform_4_16 Fri Sep 4 22:19:17 PDT 2009
CPU: ARM926EJ-Sid(wb) [41069264] revision 4 (ARMv?(8))
CPU: D undefined 14 cache
CPU: I cache: 16384 bytes, associativity 4, 32 byte lines, 128 sets
CPU: D cache: 16384 bytes, associativity 4, 32 byte lines, 128 sets
Machine: Motorola MX2ADS
On node 0 totalpages: 8192
zone(0): 8192 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: console=ttyMX0,115200n8 root=/dev/mtdblock6 ip=dhcp BOARD_REVISION=
boot_leds.c: RF boardRevision =  (3)
Calibrating delay loop... 119.60 BogoMIPS
Memory: 32MB = 32MB total
Memory: 30332KB available (1592K code, 391K data, 64K init)
Dentry cache hash table entries: 4096 (order: 3, 32768 bytes)
Inode cache hash table entries: 2048 (order: 2, 16384 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 8192 (order: 3, 32768 bytes)
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
LSP Revision 97
ikconfig 0.5 with /proc/ikconfig
Starting kswapd
Disabling the Out Of Memory Killer
Journalled Block Device driver loaded
devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x1
JFFS2 version 2.2. (NAND) (C) 2001-2003 Red Hat, Inc.
i2c-core.o: i2c core module version 2.6.2 (20011118)
i2c-dev.o: i2c /dev entries driver module version 2.6.2 (20011118)
i2c-proc.o version 2.6.2 (20011118)
pty: 256 Unix98 ptys configured
Real Time Clock Driver
cs89x0:cs89x0_probe(0x0)
eth0: incorrect signature 0x65b4
cs89x0: no cs8900 or cs8920 detected.  Be sure to disable PnP with SETUP
loop: loaded (max 8 devices)
ttyMX%d0 at MEM 0xe400a000 (irq = 20) is a mx2ads
ttyMX%d1 at MEM 0xe400b000 (irq = 19) is a mx2ads
ttyMX%d2 at MEM 0xe400c000 (irq = 18) is a mx2ads
SCSI subsystem driver Revision: 1.00
kmod: failed to exec /sbin/modprobe -s -k scsi_hostadapter, errno = 2
kmod: failed to exec /sbin/modprobe -s -k scsi_hostadapter, errno = 2
NAND device: Manufacturer ID: 0xec, Chip ID: 0xf1 (Samsung NAND 128MiB 3,3V 8-bit)
Scanning device for bad blocks
Registering NAND 128MiB 3,3V 8-bit as parts
Creating 10 MTD partitions on "NAND 128MiB 3,3V 8-bit":
0x00000000-0x00040000 : "Blob"
0x00040000-0x00060000 : "Param"
0x00060000-0x00260000 : "Kernel"
0x00260000-0x00460000 : "Recovery"
0x00460000-0x00480000 : "Errlog"
0x00480000-0x01c80000 : "Apps"
0x01c80000-0x03c80000 : "Root"
0x03c80000-0x04140000 : "Var"
0x04140000-0x04340000 : "Vpd"
0x04340000-0x08000000 : "Data"
usb.c: registered new driver usbdevfs
usb.c: registered new driver hub
usb_suspend_proc_init: MODULE loaded.
pegasus.c: v0.4.26 (2002/03/21):Pegasus/Pegasus II USB Ethernet driver
usb.c: registered new driver pegasus
usb.c: registered new driver usbnet
Initializing USB Mass Storage driver...
usb.c: registered new driver usb-storage
USB Mass Storage support registered.
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 2048 bind 4096)
IP-Config: No network devices available.
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
usb.c: new USB bus registered, assigned bus number 1
cramfs: wrong magic
FAT: bogus logical sector size 65535
FAT: bogus logical sector size 65535
Empty flash at 0x007421dc ends at 0x00742800
Empty flash at 0x00747b5c ends at 0x00748000
jffs2_scan_eraseblock(): Node at 0x007537fc {0x1985, 0xe002, 0xe0021985) has invalid CRC 0x00000044 (calculated 0xd7cd6a7b)
hub.c: USB hub found
hub.c: 3 ports detected
VFS: Mounted root (jffs2 filesystem).
Mounted devfs on /dev
Freeing init memory: 64K
INIT: version 2.78 booting
Activating swap...
Calculating module dependencies... done.
Loading modules: mx2ads-pwm button led Warning: loading /lib/modules/2.4.20_mvl31-tantobasic/kernel/drivers/merlin_basic/led.o will taint the kernel: non-GPL license - Copyright (c) 2007, St. Jude Medical
  See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Module led loaded, with warnings
mics_radio Warning: loading /lib/modules/2.4.20_mvl31-tantobasic/kernel/drivers/merlin_basic/mics_radio.o will taint the kernel: non-GPL license - Copyright (c) 2007, St. Jude Medical
  See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Module mics_radio loaded, with warnings
spi Warning: loading /lib/modules/2.4.20_mvl31-tantobasic/kernel/drivers/merlin_basic/spi.o will taint the kernel: non-GPL license - Copyright (c) 2007, St. Jude Medical
  See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Module spi loaded, with warnings
usermode_access Warning: loading /lib/modules/2.4.20_mvl31-tantobasic/kernel/drivers/merlin_basic/usermode_access.o will taint the kernel: non-GPL license - Copyright (c) 2007, St. Jude Medical
  See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Module usermode_access loaded, with warnings
ppp_generic CSLIP: code copyright 1989 Regents of the University of California
PPP generic driver version 2.4.2
modem_reset Warning: loading /lib/modules/2.4.20_mvl31-tantobasic/kernel/drivers/merlin_basic/modem_reset.o will taint the kmernel: non-GPL license - Copyright (c) 2007, St.o Jude Medical
 d See http://www.tux.org/lkml/#export-tainted for information about tainted modulees
m_reset: MODULE loaded.
Module modem_reset loaded, with warnings

Boot time in seconds before mounting local filesystems = 5
Mounting local filesystems...
none on /proc/bus/usb type usbfs (rw)
tmpfs on /tmp type tmpfs (rw)
/dev/mtdblock/5 on /apps type jffs2 (ro)
jffs2_scan_inode_node(): CRC failed on node at 0x00000fec: Read 0xffffffff, calculated 0x643abd86
/dev/mtdblock/7 on /var type jffs2 (rw,sync)
Empty flash at 0x00001128 ends at 0x00001800
/dev/mtdblock/8 on /vpd type jffs2 (rw,noexec,sync)
Empty flash at 0x00006c44 ends at 0x00007000
Empty flash at 0x0000b03c ends at 0x0000b800
Empty flash at 0x0070191c ends at 0x00702000
Empty flash at 0x007039e0 ends at 0x00704000
Empty flash at 0x00705044 ends at 0x00705800
Empty flash at 0x00706924 ends at 0x00707000
/dev/mtdblock/9 on /data type jffs2 (rw,sync)
Boot time in seconds after mounting local filesystems  = 8
Starting devfsd: Started device management daemon for /dev
done.
Cleaning: /etc/network/ifstate.
Hostname: (none).
Setting up IP spoofing protection: rp_filter.
Disable TCP/IP Explicit Congestion Notification: done.
Configuring network interfaces: done.
** can't synthesize pci hotplug events

Setting the System Clock using the Hardware Clock as reference...
The Hardware Clock does not contain a valid time, so we cannot set the System Time from it.
Unable to set system clock.
System Clock set. Local time: Thu Jan  1 00:00:14 UTC 1970

Block size 131072, page size 2048, OOB size 64
Dumping data starting at 0x00000000 and ending at 0x00000080...
On Chip RTC Time: 00:51:03
SndBuf Size = 131070
Watchdog available
SndBuf Size = 131070
0
INIT: Entering runlevel: 3

[SJM_CONFIGURATION]
VERSION=EX2000 v4.6C PR_4.94
(none) login: CRM_PCDR1 = 0x2050704
CRM_PCCR0 = 0x5902e077
CRM_PCCR1 = 0x27000000
modprobe: Can't locate module /dev/usb/tts

[SJM_CONFIGURATION]
VERSION=EX2000 v4.6C PR_4.94

@[skaarj] had a useful hint I've forgottten about - passing parameters to the kernel so that it'd boot in the sigle-user mode and go straight to shell. BLOB bootloader was OK with that. The parameters ended up to be "boot single init=/bin/bash console=ttyMX0,115200n8 root=/dev/mtdblock6 ip=dhcp BOARD_REVISION=". Using them, I was able to clear root password, reboot and login as root. With all filesystems mounted, I could tar up the whole system and export it on a flash drive, so that I could explore it.

What did I find? The fact that inserting a prepared flash drive lets you pwn those base stations, launching your own scripts etc. There are compiled binaries (the applications interacting with the implant and presumably making the reports), and calling "strings" on them gives some insights into what we would get if we were to get a report straight from the base station.

Some facts:

• Base stations run MontaVista Linux with 2.4.20 kernel
• Software uses MQTT for something.
• Stations have a monitoring channel that streams data to somebody. Presumably, either healthcare provider or manufacturer of these devices, for monitoring etc.
• There's a script to update firmware on those stations. If a special file is found on the flash drive and some bytes at a specified offset are equal to a hard-coded sequence, it launches a script (again, with hard-coded path) from this drive.
• There's an auto-launchable script to export reports from the base station as well. This is wonderful for us, as this allows us to reach our goal.

I'm not publishing a lot of data since I'm not much of a black hat, though black hats can just buy a base station themselves (and everyone who needed it most likely bought one already). I'm not publishing the files as well.

I plan on publishing the "autopwn" script I'll make though, since it goes along the goal our project has to achieve, which is getting reports. After all, this thing doesn't need to be as secure as it could get because the only viable attack vector requires physical access to the base station. The developers of base station firmware have enough things to think about already (the amount of threads in the applications running is impressive by itself), and I'm sure they don't want any ill-informed bosses or managers telling them their software is insecure when we all understand securing those base stations this is too likely to cost more than it will give.

Expect the autopwn script soon!