Pwning SriHome: Chapter 3
Introduction
After diving deep into Alibaba Cloud in my previous blog posts, I figured it was time to get hands-on with testing the actual Android application manually.
I swiftly connected my Android device to HTTP Toolkit and began intercepting the requests. It didn’t take long to notice that the application was fetching the device configuration from http://upg1.srikam.com:18086/app/SriHome/version_config.xml
I quickly checked out http://upg1.srikam.com:18086 and saw that directory listing was turned on.
I began grabbing all the files using wget -r http://upg1.srikam.com:18086/
The ‘app’ directory held some Android APKs for ‘SriHome’ and ‘ifHome’, but they weren’t particularly interesting.
tree app
app
├── 1
│ ├── 18.3.14.apk
│ ├── 18.3.2.apk
│ ├── 18.3.23.apk
│ ├── 18.3.9.apk
│ ├── 18.5.7.apk
│ ├── index.html
│ ├── update_content_en.html
│ ├── update_content_zh.html
│ └── version_config.xml
├── SriHome
│ ├── 18.10.11.apk
│ ├── 18.12.26.apk
│ ├── 18.3.23.apk
│ ├── 18.5.7.apk
│ ├── 18.6.20.apk
│ ├── 18.6.25.apk
│ ├── 18.7.12.apk
│ ├── 18.8.16.apk
│ ├── 18.8.2.apk
│ ├── 18.9.7.apk
│ ├── 19.03.12.apk
│ ├── 19.08.15.apk
│ ├── 20.08.17.apk
│ ├── index.html
│ ├── update_content_en.html
│ ├── update_content_zh.html
│ └── version_config.xml
├── ifHome
│ ├── 18.12.26.apk
│ ├── 18.9.7.apk
│ ├── 19.03.12.apk
│ ├── index.html
│ ├── update_content_en.html
│ ├── update_content_zh.html
│ └── version_config.xml
└── index.html
The device directory caught my attention, especially since it contained ‘.bin’ files which I suspect are various firmware versions of the device.
/Users/deathflash/Research/SriHome/upg1.srikam.com:18086/device/23033100002
ls -l
total 80944
-rw-r--r--@ 1 deathflash staff 8285136 Oct 21 06:26 9.37.2.bin
-rw-r--r--@ 1 deathflash staff 8285168 Oct 31 12:39 9.37.3.bin
-rw-r--r--@ 1 deathflash staff 8286448 Oct 31 16:13 9.37.4.bin
-rw-r--r--@ 1 deathflash staff 8286352 Oct 31 16:13 9.37.6.bin
-rw-r--r--@ 1 deathflash staff 8286160 Jan 19 13:02 9.37.8.bin
-rw-r--r--@ 1 deathflash staff 0 Oct 21 06:26 SH048
-rw-r--r--@ 1 deathflash staff 802 Feb 24 23:56 index.html
I used binwalk to extract the latest firmware.
binwalk --dd='.*' 9.37.8.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
2048 0x800 gzip compressed data, maximum compression, has 298 bytes of extra data, from Unix, last modified: 2023-11-06 07:14:15
3916067 0x3BC123 xz compressed data
4106367 0x3EA87F xz compressed data
4164704 0x3F8C60 xz compressed data
4228061 0x4083DD xz compressed data
4297535 0x41933F xz compressed data
4367058 0x42A2D2 xz compressed data
4367330 0x42A3E2 xz compressed data
4423199 0x437E1F xz compressed data
4579287 0x45DFD7 xz compressed data
4659339 0x47188B xz compressed data
4771385 0x48CE39 xz compressed data
4796622 0x4930CE xz compressed data
4840542 0x49DC5E xz compressed data
4859972 0x4A2844 xz compressed data
4920169 0x4B1369 xz compressed data
5134838 0x4E59F6 xz compressed data
5176082 0x4EFB12 xz compressed data
5197119 0x4F4D3F xz compressed data
5243563 0x5002AB xz compressed data
5674353 0x569571 xz compressed data
5706265 0x571219 xz compressed data
5938054 0x5A9B86 xz compressed data
5970352 0x5B19B0 xz compressed data
6067557 0x5C9565 xz compressed data
6174258 0x5E3632 xz compressed data
6295276 0x600EEC xz compressed data
6412054 0x61D716 xz compressed data
6529048 0x63A018 xz compressed data
6635146 0x653E8A xz compressed data
6754148 0x670F64 xz compressed data
6853611 0x6893EB xz compressed data
6919017 0x699369 xz compressed data
6931123 0x69C2B3 xz compressed data
6941295 0x69EA6F xz compressed data
6980160 0x6A8240 gzip compressed data, maximum compression, has 154 bytes of extra data, from Unix, last modified: 2023-11-06 07:14:53
8144090 0x7C44DA JFFS2 filesystem, little endian
When I ran the ‘file’ command on the extracted data, it unveiled a shell script.
/Users/deathflash/Research/SriHome/upg1.srikam.com:18086/device/23033100002/_9.37.8.bin.extracted
file *
...
...
69C2B3: POSIX shell script executable (binary data)
...
...
After examining the code, I confirmed that it’s Sricam’s firmware.
...
sleep 2
debug_log
board_1800
Sricam
0x800000
fw_build_date=2023-11-06T15:13
fw_revision=8
fw_ver=20231106.1512.08
fw_ver_major=1
fw_ver_minor=0
SRA-MIOU-FH8626V200
IPCamera
1800
SRA-L73PW1800
681B1800
FH8626V200_IPC_V1.0.0_20220914
patch:FH8626V200_IPC_V1.0.0.FP5_20230517
...
While I did find the password for uboot, but I wasn’t able to crack the password hashes for ‘root’ and ‘user’ linux accounts.
root:$1$Qd5yEchg$b0BZAVmXD7ljW8/H.Xala/:19534:0:99999:7:::
user:$1$qd.POZbG$XkVRhInn5i2Vb9ZoQX1LI/:19534:0:99999:7:::
...
ubootpwd=b817359827ef9919b7a0b7326e8c23b680196490f951c57c7f268f476fc16358
...
I asked ChatGPT to whip up a quick bash script to extract all the ‘.bin’ files from every directory.
#!/bin/bash
# Loop through each directory in the current working directory
for dir in */; do
# Check if the directory is not empty
if [ -n "$(ls -A "$dir")" ]; then
# Loop through each file in the directory with .bin extension
for file in "$dir"*.bin; do
# Check if the file exists and is a regular file
if [ -f "$file" ]; then
# Print the absolute path of the file
echo "$(realpath "$file")"
# Run binwalk on the file with --dd='.*' option
binwalk --dd='.*' "$file"
fi
done
fi
done
/Users/deathflash/Research/SriHome/upg1.srikam.com:18086/device
find . -type d -name '*.bin.extracted' -exec du -ch {} + | grep total$
9.1G total
Wow! That’s a ton of firmware source code to go through. Let’s hope I uncover something interesting.