#JavaScript help

56 messages · Page 1 of 1 (latest)

wispy rapids
#

Hey all. I've been trying to repurpose an old Linux based STB for a while. After taking a break, I came back to it today and investigated the upgrade script. It's an HTML file which contains some JavaScript. I was wondering if it would be possible to write my own commands in there and get the box to run them. I'll post the original script as I'm sure it'd help. Thanks in advance!

prime spadeBOT
#

@wispy rapids

Technocat Uploaded Some Code
Uploaded these files to a Gist

autorun.html

View The Gist

For safety reasons we do not allow file attachments.
wispy rapids
#

Here's everything we've tried so far

#

Just to clarify, I want to either craft a new autorun.html to run my code, or put new code into the existing autorun.html

rain wren
#

What would you want the code to do though?

#

You seem to have access to the box itself in some form or way

#

Or do you have access to the firmware binaries?

wispy rapids
wispy rapids
#

I have plenty of upgrade files for it

rain wren
#

Have those been binwalked?

wispy rapids
#

Nope, don't think so

#

They might have been

#

But I'm not too sure

#

I can upload one of those

rain wren
#

Hmm, I'm not too sure if you're able to do the whole information reading. I'm assuming the autorun is from the non-box upgrade side?

wispy rapids
#

No, it's from the box

rain wren
#

So someone has got some form of file access on the device itself?

wispy rapids
#

You plug in a USB stick with the upgrade.bin and the autorun.html and it'll upgrade

rain wren
#

Ah

wispy rapids
#

There is no file browser

prime spadeBOT
#

@wispy rapids

File Attachments Not Allowed

For safety reasons we do not allow file and video attachments.

Code Formatting

You can share your code using triple backticks like this:
```
YOUR CODE
```

Large Portions of Code

For longer scripts use Hastebin or GitHub Gists and share the link here

Ignored these files
  • upgrade.bin
rain wren
#

Ah, forgot file uploads are not allowed

#

hmm

prime spadeBOT
#

@wispy rapids

File Attachments Not Allowed

For safety reasons we do not allow file and video attachments.

Code Formatting

You can share your code using triple backticks like this:
```
YOUR CODE
```

Large Portions of Code

For longer scripts use Hastebin or GitHub Gists and share the link here

Ignored these files
  • upgrade.bin.force.zip
wispy rapids
#

There we go

rain wren
#

Gimme a sec to see if binwalk can make any sense of that

wispy rapids
#

Thank you!

rain wren
#

But, it's gonna be a bit difficult trying to access the box from outside if there's nothing open on it

wispy rapids
#

Yeah, that's why we've been trying for 13 years

rain wren
#

Best bet would be to supply a modified firmware binary with the things you need

wispy rapids
#

That's what we want to do

#

Ideally, we'd edit the upgrade file, then pass it to the box and let it flash it

#

But because of the md5 in the autorun.html, you can't really do that

#

We also haven't been able to successfully decompile the upgrade file

rain wren
#

Generate a new md5 and modify the script to be that?

wispy rapids
#

Tried that

rain wren
#

I guarantee it's just a checksum for the binary file itself

wispy rapids
#

The script won't run, because it's signed

rain wren
wispy rapids
#

Right

#

Wait

#

There's a cert in the file?

rain wren
#

And, yea, the md5 in the file is just the file signature

#

There's a PKCS + it's cert in the binary, yes

wispy rapids
#

Would you be able to extract those?

#

And would I be able to use the cert in a different binary if I modified one

rain wren
#

Hmm

#

Not much going on with the files, can't get them extracted properly

#

I can get some cleartext out, but seems like the whole thing is pretty much encrypted

#

I'll figure that out a bit more at some other time

wispy rapids
# rain wren Hmm

But theoretically, is this how I'd pass a custom firmware to the device? (By using the certs from another firmware version)

wispy rapids
#

Because I think that could work