Pwning SriHome: Chapter 3

Pwning SriHome: Chapter 3


Research
srihome mobile android firmware

Introduction

After diving deep into Alibaba Cloud in my previous blog posts, I figured it was time to get hands-on with testing the actual Android application manually.

I swiftly connected my Android device to HTTP Toolkit and began intercepting the requests. It didn’t take long to notice that the application was fetching the device configuration from http://upg1.srikam.com:18086/app/SriHome/version_config.xml

I quickly checked out http://upg1.srikam.com:18086 and saw that directory listing was turned on.

I began grabbing all the files using wget -r http://upg1.srikam.com:18086/

The ‘app’ directory held some Android APKs for ‘SriHome’ and ‘ifHome’, but they weren’t particularly interesting.

tree app
app
├── 1
│   ├── 18.3.14.apk
│   ├── 18.3.2.apk
│   ├── 18.3.23.apk
│   ├── 18.3.9.apk
│   ├── 18.5.7.apk
│   ├── index.html
│   ├── update_content_en.html
│   ├── update_content_zh.html
│   └── version_config.xml
├── SriHome
│   ├── 18.10.11.apk
│   ├── 18.12.26.apk
│   ├── 18.3.23.apk
│   ├── 18.5.7.apk
│   ├── 18.6.20.apk
│   ├── 18.6.25.apk
│   ├── 18.7.12.apk
│   ├── 18.8.16.apk
│   ├── 18.8.2.apk
│   ├── 18.9.7.apk
│   ├── 19.03.12.apk
│   ├── 19.08.15.apk
│   ├── 20.08.17.apk
│   ├── index.html
│   ├── update_content_en.html
│   ├── update_content_zh.html
│   └── version_config.xml
├── ifHome
│   ├── 18.12.26.apk
│   ├── 18.9.7.apk
│   ├── 19.03.12.apk
│   ├── index.html
│   ├── update_content_en.html
│   ├── update_content_zh.html
│   └── version_config.xml
└── index.html

The device directory caught my attention, especially since it contained ‘.bin’ files which I suspect are various firmware versions of the device.

/Users/deathflash/Research/SriHome/upg1.srikam.com:18086/device/23033100002
ls -l
total 80944
-rw-r--r--@ 1 deathflash  staff  8285136 Oct 21 06:26 9.37.2.bin
-rw-r--r--@ 1 deathflash  staff  8285168 Oct 31 12:39 9.37.3.bin
-rw-r--r--@ 1 deathflash  staff  8286448 Oct 31 16:13 9.37.4.bin
-rw-r--r--@ 1 deathflash  staff  8286352 Oct 31 16:13 9.37.6.bin
-rw-r--r--@ 1 deathflash  staff  8286160 Jan 19 13:02 9.37.8.bin
-rw-r--r--@ 1 deathflash  staff        0 Oct 21 06:26 SH048
-rw-r--r--@ 1 deathflash  staff      802 Feb 24 23:56 index.html

I used binwalk to extract the latest firmware.

binwalk --dd='.*' 9.37.8.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
2048          0x800           gzip compressed data, maximum compression, has 298 bytes of extra data, from Unix, last modified: 2023-11-06 07:14:15
3916067       0x3BC123        xz compressed data
4106367       0x3EA87F        xz compressed data
4164704       0x3F8C60        xz compressed data
4228061       0x4083DD        xz compressed data
4297535       0x41933F        xz compressed data
4367058       0x42A2D2        xz compressed data
4367330       0x42A3E2        xz compressed data
4423199       0x437E1F        xz compressed data
4579287       0x45DFD7        xz compressed data
4659339       0x47188B        xz compressed data
4771385       0x48CE39        xz compressed data
4796622       0x4930CE        xz compressed data
4840542       0x49DC5E        xz compressed data
4859972       0x4A2844        xz compressed data
4920169       0x4B1369        xz compressed data
5134838       0x4E59F6        xz compressed data
5176082       0x4EFB12        xz compressed data
5197119       0x4F4D3F        xz compressed data
5243563       0x5002AB        xz compressed data
5674353       0x569571        xz compressed data
5706265       0x571219        xz compressed data
5938054       0x5A9B86        xz compressed data
5970352       0x5B19B0        xz compressed data
6067557       0x5C9565        xz compressed data
6174258       0x5E3632        xz compressed data
6295276       0x600EEC        xz compressed data
6412054       0x61D716        xz compressed data
6529048       0x63A018        xz compressed data
6635146       0x653E8A        xz compressed data
6754148       0x670F64        xz compressed data
6853611       0x6893EB        xz compressed data
6919017       0x699369        xz compressed data
6931123       0x69C2B3        xz compressed data
6941295       0x69EA6F        xz compressed data
6980160       0x6A8240        gzip compressed data, maximum compression, has 154 bytes of extra data, from Unix, last modified: 2023-11-06 07:14:53
8144090       0x7C44DA        JFFS2 filesystem, little endian

When I ran the ‘file’ command on the extracted data, it unveiled a shell script.

/Users/deathflash/Research/SriHome/upg1.srikam.com:18086/device/23033100002/_9.37.8.bin.extracted
file *
...
...
69C2B3:    POSIX shell script executable (binary data)
...
...

After examining the code, I confirmed that it’s Sricam’s firmware.

...
sleep 2
debug_log
board_1800
Sricam
0x800000
fw_build_date=2023-11-06T15:13
fw_revision=8
fw_ver=20231106.1512.08
fw_ver_major=1
fw_ver_minor=0
SRA-MIOU-FH8626V200
IPCamera
1800
SRA-L73PW1800
681B1800
FH8626V200_IPC_V1.0.0_20220914
patch:FH8626V200_IPC_V1.0.0.FP5_20230517
...

While I did find the password for uboot, but I wasn’t able to crack the password hashes for ‘root’ and ‘user’ linux accounts.

root:$1$Qd5yEchg$b0BZAVmXD7ljW8/H.Xala/:19534:0:99999:7:::
user:$1$qd.POZbG$XkVRhInn5i2Vb9ZoQX1LI/:19534:0:99999:7:::
...
ubootpwd=b817359827ef9919b7a0b7326e8c23b680196490f951c57c7f268f476fc16358
...

I asked ChatGPT to whip up a quick bash script to extract all the ‘.bin’ files from every directory.

#!/bin/bash

# Loop through each directory in the current working directory
for dir in */; do
    # Check if the directory is not empty
    if [ -n "$(ls -A "$dir")" ]; then
        # Loop through each file in the directory with .bin extension
        for file in "$dir"*.bin; do
            # Check if the file exists and is a regular file
            if [ -f "$file" ]; then
                # Print the absolute path of the file
                echo "$(realpath "$file")"
                # Run binwalk on the file with --dd='.*' option
                binwalk --dd='.*' "$file"
            fi
        done
    fi
done
/Users/deathflash/Research/SriHome/upg1.srikam.com:18086/device

find . -type d -name '*.bin.extracted' -exec du -ch {} + | grep total$

9.1G	total

Wow! That’s a ton of firmware source code to go through. Let’s hope I uncover something interesting.