Hack'n'Load

TLDR ~ I had my iPhone disabled because I did too many attempts trying to figure out what was the passcode I’ve defined on it a couple of months ago. After messing up with iTunes I’ve figured a way to reset the pass code insertion and bruteforce until I’ve figured out it. The bruteforce took me about 20 minutes, and the hole process (without counting until it has been blocked) was about 40 minutes. FBI and NSA wouldn’t beat that.

I screwed up! I’ve changed the passcode of the iPhone I use for development only a couple of months ago, and didn’t remember it because my iPhone was off for a long time because I’ve lost the charger cable.

Today I needed it, so I had bought a new one on a Chinese store and put it on charge. Once it was charged I’ve tried to get my hands on it to upload something I needed to test, and guess what, didn’t remember the passcode.

After some attempts it has shown a message warning me that I have to wait a minute to give a new try, gosh, I’ve started to remember the FBI story about the thing, the high security behind a weak passcode, the holy reset. hahaha

I had it set as on, because there was some data that I didn’t want anybody to put their dirty hands on it. After the first attempt limit, a new try lead me to another wait time, but this time for 5 minutes.

I started to worry a little bit, after more two failed attempts I got the message “connect to iTunes”. Things weren’t going well.

I little research on it (Apple support, jailbreak sites and so on) told me that or I had a backup on my computer of the data or it was completely unrecoverable. Shit got serious, a couple of months ago I had to do a heavy cleaning of my computer because I was deploying large Docker images and the VM was eating all the space it had.

Just after I’ve lost all the hopes, I’ve tried every actions that iTunes was providing, the first one was to backup it without the apps, then I’ve tried anothers. My last attempt before doing a recovery reset was to backup with the apps, until I’ve realized it gave me more chances to try out more passwords.

It wasn’t making any sense, if it has deleted the keys, how could it was displaying the keypad again?

After some attempts it got blocked again, and a backup with apps got me, once again, more attempts. Shit, I got to grab this on video. And there it is:

I was seeing here three things, or the iPhone wasn’t deleting the keys as they say it does, or the system was malfunctioning and displaying a keypad to a non-existent keys, or the iTunes managed to replace the keys on the system. Hope lead me to the third.

I’ve pointed out the passwords that I’ve tried, figured out what numbers I have used on them and what numbers I would use. Did a js loop to give me a passcode bruteforce table and to exclude the ones I have already tried.

I’ve started to enter the passcodes the software was giving me. The whole process took me about 20 minutes, they were well spent:

I had my entire content I was expecting without having to factory reset the iPhone. My guess and instinct could be possibly right, and if it is, Apple is saving the keys on the synced computers or on the iCloud.

If you have an iPhone without important data laying arround, give it a try so we can check if my theory is right. Here are the steps for reproduction:

1. Sync the iPhone on your computer, remove the cable and delete all the backups on the iTunes. 2. Install any new app on the iPhone (don’t know if this step is necessary, because iTunes won’t have the backup) 3. Place up any passcode on it that you can remember 4. Enable Apple’s passcode data wipe protection 5. Lock it, unlock it and enter bad passcodes 6. Go through the whole process until it displays “connect to iTunes”, at this point you won’t be able to input any passcodes anymore 7. Do a backup, it will ask you if you want to backup also the new Apps it doesn’t have. 8. Check if you’re able to input passcodes.

There you go.

Zephyr is: Open-Source (yeahhh) and powered by the Linux foundation, Realtime Operative System (RTOS), incredible super small footprint (less than 10KB), modular and focused for the IoT world!

Everyone who is on both IoT and [Linux][Linux] worlds, knows that one of the major bottlenecks to bring they up together is the lack of Realtime processing on the Linux kernel. There has been some projects emerging the last decade that aimed to cover that gap, RTLinux was one of them. Unfortunately they seemed to be ahead of their time, since only last year the demanding for that functionality has been really growing compared to the last decade.

Linux is known to be extremely customizable and dynamic, being able to empower not only servers and super computers but most of our low-resources eletronic devices, such as routers, smartwatches and smartphones. In fact, it is so customizable that you could strip most of the thigs you won't use and being able to run on an environment with more or less 200KB of RAM and 1MB of flash. Ubuntu Core and OpenWRT are some of the distros that are well known for those capabilities.

Zephyr is gaining popularity and is being known as the Linux little brother. On its first major release, it is already able to run on Arduino's, Intel's  and other dev boards empowered with ARC/ARM based SoCs.

Wind River Rocket already ships with Zephyr. (Wind River which is a subsidiary of Intel)

Introduction

You made a Node.js app? Nice! Now you need to deploy it right?

There are lots of ways to deploy a Node.js application into the cloud, before Docker I was working with Packer which was a life saver at the time.

Docker is becoming a trending since they launched the Docker Hub service for Open-Source projects. It has the hability to be portable and immutable at the same time, that reduced my headheaches between deploying from a Mac OS X to an Ubuntu server, since Mac OS X file system isn't case sensitive by default, my app was throwing lot of errors related with case-mismach between files relations and their file names.

I was developing btsync.docker when I did some experiments with default node docker image but I had lots of problems with it. On of the major ones was the size, IT WAS TOO BIG, oversized docker images delays development and production deployments. So, instead of using node docker image, I went into the adventure of creating one could easily resolve my future problems.

Node.docker was my first attempt to accelerate development of all my apps by bringing them up on all environments, allways on top of docker.

Preparing your app

You app should be divided into two steps: * building * running

Building

If you know what we are talking about jump to the next paragraph, if you don't, this is the preparation stage for your app before running. I've seen lot of mistakes on some app scenarious where developers were building assets inside they app servers runtime (there are a lot of tuts that teaches wrongly behaviors into newbies unfortunattely). So, if your server is building up resources for clients, or you have code that only runs once the server is being up, usually that should belong to the build process. Take a look at gulp, grunt and webpack.

Usually community modules have a build script on package.json and runs from it:

npm run build

If you don't have a build process, you will need to add one like echo Nothing to build into package.json.

{ "name": "your app", "scripts": { "build": "echo Nothing to build" } }

Running

If you're starting your app with node your-file.js, you're doing it wrong.

Usually community modules have a start script on package.json and runs from it:

npm start

Your package json should always have a start script:

{ "name": "your app", "scripts": { "build": "echo Nothing to build", "start": "node your-file.js" } }

Deploying on docker

Create a Dockerfile on your app's root directory:

FROM cusspvz/node:0.12.7-onbuild # Add this line in case your app exposes one or more ports EXPOSE 80/tcp 443/tcp 8080/udp

Now we're gonna build your app's docker image (cross your fingers):

cd /path/to/your/nodejs/app docker build -t your_username_or_company/your_app_name .

Command above explaination: * cd /path/to/your/nodejs/app - change to your app's directory * doker build - tell docker we will gonna build an image * -t your_username_or_company/your_app_name - specify how we wan't to refer later to the image thats gonna to be built * . - Tell directory to be used as Image root, since we are already on you app's directory, it will be ., /path/to/your/nodejs/app or ./ (which are all the same).

If everything went well, you could launch an instance and see how it went:

docker run --rm -ti your_username_or_company/your_app_name

Command above explaination: * docker run - tell docker to run a container from an image * --rm- tell docker to remove the container once it is stopped * -ti - those are two options that mean terminal interative, telling docker to proxy containers stdin and stdout to the docker run... process. This allows us to see whats going on and interact with it, such as sending a SIGTERM signal with: CTRL + C * your_username_or_company/your_app_name - image to be used *

Experience sharing

It was an pleasant night on Oporto, Portugal, 2 a.m. on a Tuesday. Me and my friends went to a Coffee/Pub to take a drink after a concert. Music was awful and someone tried to change TV Channel (not so hard since you can download an app for that). One of my friends challenged me to also hack the television but as I said that it was too easy, instead he said to turn router off.

In that moment I tough, why not redirect all google.com, facebook.com and some other top sites traffic to some p*rn sites? Well, seems legit.

The router was a Technicolor TG784n v3, running a thomson software. Vodafone defaulted Administrator account with an empty passoword but coffee's owner must changed it.

After 2min of research, found that no available usernames or passwords for Administrator or a more basic access worked, so I've tried another approach and searched for software upgrades account. One of them worked out, account upgrade with Th0ms0n! password. Tested over telnet and I've been warned that upgrade doesn't have telnet access.

Next step was to log on web interface. But it just offered me an interface for firmware uploading.

I’ve recalled some other experiences with Thomson’s routers and they had an FTP Server that allows access to router’s config files, so i was thinking: ”maybe upgrade does that also...” and I was right!

Config file was there and user’s password hash was there also (a little search for Administrator worked out)

Next question for my next step was: “How da fuck do i fool router’s with its hash?”. Then I remembered that Thomson routers, for a security propose, hashes the password with a given crypto before POSTing it to HTTP Server. I was like: “exploit on a security measure, cool!!”.

Based on some snippets that I had on my computer, I’ve made a javascript code that tooks an username and the hash grabbed from config file to login:

var user = "Administrator"; var hash2 = "Administrator hash grabbed from config"; var HA2 = MD5("GET" + ":" + uri); document.getElementById("user").value = user; document.getElementById("hidepw").value = MD5(hash2 + ":" + nonce +":" + "00000001" + ":" + "xyz" + ":" + qop + ":" + HA2); document.authform.submit();