Author Topic: Help activating options on CATV field meter  (Read 2273 times)


Offline BicuricoTopic starter

  • Super Contributor
  • ***
  • Posts: 1770
  • Country: pt
    • VMA's Satellite Blog
Help activating options on CATV field meter
« on: January 22, 2017, 05:52:41 pm »
Hi,

I have been trying for some time to hack a CATV field meter which I own - for the sake of it, to learn, as a challenge and because the options would be neat to have.
I bought it second hand, but this unit is still being used by installers.
It has 20+ options that can be activated, for instance for Browser/FTP, IPTV, VOIP, etc.
I asked the manufacturer for a quotation, but most options are not commercialized anymore and the remaining ones each cost about the same as I paid for the device itself.
I am just an amateur and I don't intend to use the unit for any real work.
Because the unit is still under production/being sold/being used, I will not mention any brand or model.

Right now I can:

a) Access the device through telnet, as the root account does not have any password set
b) Open the firmware archives and see the contained images
c) Mount those images on Linux and browse them - they do contain more or less the same as if I accessed the device through telnet

The way the options are activated is as follows:

You open the Windows application that manages the device and there is a menu to activate options. You check the option you want and enter the activation code. This then goes to the connected field meter. I tried random codes and obviously all were wrong. The check is made by the device, not the Windows application.

What I did so far:

I browsed the whole file system and found absolutely nothing containing the active options or the serial number of the device.
I copied the executable of the field meter app and opened it in Notepad++ in HEX mode. I did find the strings mentioning each option.
I looked for some weird device that could be storing this data in /dev but found nothing.

So here is finally my question:

Do you have any tips on how to proceed to eventually find where the active options and serial number are stored? How would you, for example, access an EEPROM within this device through a normal Linux app?

I dismissed the idea of trying to use Wireshark to see how activation requests are sent from Windows App to Device to then write some brute force tool, that would over night send all combinations. The reasons are:

- very complicated to do
- I don't have any activation code, so I don't know if they contain numbers, letters, other characters and I don't know how many digits an activation code has
- I don't know if there is any protection against a brute force attack

I have not opened the device, as it has warranty seals and I might resell it in case I cannot find how to activate options, as the device pretty much sucks as it is and it frustrates me to have lots of menu options which only show "this option is not activated" when I select it.

Thanks,
Vitor

Offline bobaru

  • Contributor
  • Posts: 18
  • Country: us
Re: Help activating options on CATV field meter
« Reply #1 on: January 28, 2017, 11:13:57 pm »
Sorry, but I can't offer any advice on adding the options, but wanted to point out that you should list the manufacturer and model number of the device in case there are people here familiar with that particular unit.

It may be that a completely new firmware is downloaded to the meter after the options are selected. This would explain why you didn't find the options in the software.


-bob
« Last Edit: January 28, 2017, 11:16:19 pm by bobaru »
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 836
  • Country: es
Re: Help activating options on CATV field meter
« Reply #2 on: January 29, 2017, 01:52:15 pm »
Post that executable where you see option strings.
 

Offline BicuricoTopic starter

  • Super Contributor
  • ***
  • Posts: 1770
  • Country: pt
    • VMA's Satellite Blog
Re: Help activating options on CATV field meter
« Reply #3 on: January 29, 2017, 02:24:59 pm »
Hi,

I don't feel comfortable posting parts of the FW, for obvious reasons.

The options are activated by a Code - no need to flash any activated FW. The one that is right now in the device has all functions, most of them just happen to be deactivated.

Regards,
Vitor

Offline Fraser

  • Super Contributor
  • ***
  • Posts: 13324
  • Country: gb
Re: Help activating options on CATV field meter
« Reply #4 on: January 29, 2017, 03:40:42 pm »
You are asking a lot here, methinks....

No manufacturer, model number or code to view. It might as well be the SBC out of a washing machine!

Mentioning the manufacturer and model number is not a legal issue. Neither is a firmware dump. People may then assist you directly via PM or email, i.e. not in public.

I cannot see this progressing further on this forum with the small amount of detail you have provided. Sorry..

Also, look in the test equipment area of this forum and you will see many examples of people unlocking capabilities. AFAIK Dave has not received any 'take down' requests for such.

Fraser
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

Offline BicuricoTopic starter

  • Super Contributor
  • ***
  • Posts: 1770
  • Country: pt
    • VMA's Satellite Blog
Re: Help activating options on CATV field meter
« Reply #5 on: January 29, 2017, 06:29:30 pm »
Hi,

The purpose of my initial post was not to have someone hack the field meter for me but rather getting some hints on where to look.
I wonder if under Linux it would be easy to access an EEPROM where this data could be stored.
Or would it be located in a special location in the flash? Would that be a mountable partition? Or some other device? I am pretty sure it is not stored in any file within the field meter's file system.

So I was basically asking for generic info on how manufacturers store serial number and activated options and how a hacker would search for it.
I don't want to harm any manufacturer and posting brand and model wouldn't lead anywhere, as I doubt many people on this forum own such a device. And if they do, they probably use it for professional servicing and wouldn't dare to mess with the equipment.

If this is too generic a request, I am happy that this thread gets closed.

Regards,
Vitor

Offline Fraser

  • Super Contributor
  • ***
  • Posts: 13324
  • Country: gb
Re: Help activating options on CATV field meter
« Reply #6 on: January 29, 2017, 07:03:36 pm »
Vitor,

No offence was intended by my post, but the scenario you describe is very low on fine detail. When it comes to the activation of options on an SBC based appliance, the designer has many techniques available with regard to how the options are controlled.

I have met the following:

1. A code is stored in an EEPROM starting at a specific address. The code is a host serial number specific key that cannot be used on other units.
2. A piece of code is added to the host and branched to when an option is selected. This means an option does not truly exist until the appropriate 'driver' is installed via an I/O port. The code contains a serial number locked activation so cannot be transferred between units.
3. Simple configuration file that contains nothing more complex than a code to indicate a particular option is activated. This code often works on other units and this is not secure, but you need the correct code per option.
4. Hardware option activation with SMD linking resistors. Unmarked and not easy to decipher with experimentation. Code in the firmware reads the connected pins that connect to the configuration matrix.
5. Installation of options via memory card with an encrypted key generator that has been pre-configured to enable certain options. The codes changed within the unit's firmware are well hidden or also encrypted to avoid detection.
6. HASP dongles. A very secure means of controlling the use and configuration of a system.
7. Complete new firmware with built-in support for the pre-configured options. Basically prevents unofficial enablement of options by exclusion of data, so difficult to circumvent.
8. Encrypted data area that contains option codes. Software with the appropriate host decrypter and encrypter can configure this area of memory.
9. It is common for file areas that contain configuration data to have a checksum associated with them; changing such will lead to a bad file or configuration report. Worst case scenario, the computer goes into a boot loop.

There are a great many ways to control option activation. It just comes down to how hard the OEM wishes to make it for anyone wishing to activate options without authorisation. There are many memory areas in modern equipment and any rewritable memory is a potential location of configuration data. An EEPROM is the simplest and most easily identified configuration memory. Some equipment just stores serial number and build details in the EEPROM, but it can contain a series of codes for options that are read out at boot by the computer. The codes are normally locked to the unit's serial number and the computer uses the serial number as part of the unlock key for the option data.

To find the option control method, you normally have to look for the hooks in the firmware that will lead you to any option activation subroutine. Such hooks in the code need not be obvious and coders rarely provide nice ASCII annotation indicating a subroutine's purpose. Hackers are smart people who can unravel the maze that is an equipment firmware. Once you find the option control subroutine you have to work out what it does and what is needed for it to output a valid activation statement to the computer at boot. Watching a computer system's boot messages from a debug port can assist in working out what is going on, but not always.

If a copy of the firmware and any known activation codes or software are available, they are sometimes helpful in working out what is going on.

I wish you well in your search for the option activation process.

Best Wishes

Fraser
« Last Edit: January 29, 2017, 07:24:52 pm by Fraser »
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 
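Fraser's items 1 and 9 (a serial-locked code held in EEPROM, and a checksum over the configuration record), together with the brute-force concern raised earlier in the thread, can be illustrated from the OEM's side. The following is an added example written for this thread, not code from any poster or from any real meter: it models how a vendor can derive a per-unit key from the serial number at manufacture, issue option codes as truncated HMACs over that key, and have the device verify them with a constant-time comparison, a failed-attempt lockout, and a MAC over the stored option list so a hand-edited record is detected. The serial numbers, master secret, option names, lockout constants and the `OptionStore` class are all constructed for the example.

```python
"""Constructed example: serial-locked option codes with lockout and a sealed record."""
import hashlib
import hmac

# Vendor side only (never shipped in firmware): master secret from which each
# unit's key is derived. Constructed value for this example.
OEM_MASTER_SECRET = b"example-oem-master-secret"


def derive_unit_key(serial: str, master: bytes = OEM_MASTER_SECRET) -> bytes:
    """Per-unit key, provisioned into the unit's EEPROM at manufacture.
    Extracting it from one unit yields nothing usable on another unit."""
    return hmac.new(master, serial.encode(), hashlib.sha256).digest()


def issue_option_code(serial: str, option: str, master: bytes = OEM_MASTER_SECRET) -> str:
    """Vendor issues a code for one (serial, option) pair: a truncated HMAC
    rendered as 16 hex characters (64 bits)."""
    unit_key = derive_unit_key(serial, master)
    mac = hmac.new(unit_key, option.encode(), hashlib.sha256).digest()
    return mac[:8].hex().upper()


class OptionStore:
    """Device side: verifies codes, records enabled options, and keeps an HMAC
    over that record so a modified option list fails the integrity check."""

    MAX_FAILURES = 5          # constructed policy values
    LOCKOUT_SECONDS = 600

    def __init__(self, serial: str, unit_key: bytes, clock):
        self.serial = serial
        self._unit_key = unit_key      # read from EEPROM in a real unit
        self._clock = clock            # injectable time source for testing
        self.enabled: set[str] = set()
        self.failures = 0
        self.locked_until = 0.0
        self._seal()

    def _record_bytes(self) -> bytes:
        return ",".join(sorted(self.enabled)).encode()

    def _seal(self) -> None:
        """Recompute the MAC over the option record after a legitimate change."""
        self._record_mac = hmac.new(self._unit_key, self._record_bytes(), hashlib.sha256).digest()

    def record_intact(self) -> bool:
        """Boot-time check: does the stored option list still match its MAC?"""
        expected = hmac.new(self._unit_key, self._record_bytes(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, self._record_mac)

    def activate(self, option: str, code: str) -> str:
        """Returns 'activated', 'rejected', or 'locked'."""
        now = self._clock()
        if now < self.locked_until:
            return "locked"
        expected = hmac.new(self._unit_key, option.encode(), hashlib.sha256).digest()[:8].hex().upper()
        # Constant-time comparison: response timing does not leak matching prefixes.
        if hmac.compare_digest(expected, code.upper()):
            self.failures = 0
            self.enabled.add(option)
            self._seal()
            return "activated"
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked_until = now + self.LOCKOUT_SECONDS
            self.failures = 0
        return "rejected"


def demo() -> dict:
    """Walk through the scenarios the thread discusses; returns the outcomes."""
    clock = [0.0]
    serial = "SN-00012345"                      # constructed serial
    store = OptionStore(serial, derive_unit_key(serial), lambda: clock[0])
    results = {}
    results["good_code"] = store.activate("IPTV", issue_option_code(serial, "IPTV"))
    # A valid code issued for a different unit is useless here.
    results["other_unit"] = store.activate("VOIP", issue_option_code("SN-99999999", "VOIP"))
    for _ in range(OptionStore.MAX_FAILURES - 1):
        store.activate("VOIP", "0000000000000000")
    results["locked"] = store.activate("VOIP", issue_option_code(serial, "VOIP"))
    clock[0] += OptionStore.LOCKOUT_SECONDS
    results["after_lockout"] = store.activate("VOIP", issue_option_code(serial, "VOIP"))
    store.enabled.add("BROWSER")                # simulate editing the stored record
    results["tampered_intact"] = store.record_intact()
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the device never holds the master secret, only its own derived key, so a firmware or EEPROM dump from one unit does not let anyone generate codes for other units; and the lockout counter is what makes the OP's "send all combinations overnight" approach impractical, since at five attempts per ten minutes a 64-bit code space is out of reach.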

Offline BicuricoTopic starter

  • Super Contributor
  • ***
  • Posts: 1770
  • Country: pt
    • VMA's Satellite Blog
Re: Help activating options on CATV field meter
« Reply #7 on: January 29, 2017, 07:16:00 pm »
No offence taken.

In this particular device, the options are activated by means of a code that has to be entered in a Windows application, while the device is connected through Ethernet.
The code is sent to the device and the device will reply to the Windows application if it was correct or not.
The Windows application just acts as a GUI - it does NOT do any encrypting/decrypting and traffic can be easily monitored with Wireshark.

My first idea was to do some kind of VB tool that would do a brute force attack: sending all combinations until I get options activated. This has serious issues:
a) It takes too long as there are potentially many combinations
b) I don't even know how many characters an activation code requires
c) I don't know if the device has a routine to lock itself in case too many attempts have been tried

Next I looked at the file system to see if I could find a file with the serial number and activation keys. No luck.

Then I looked for any suspect partition, mounted or not. Nothing found.

So here are my questions:

Question 1: I do suspect that the activation state of the options is stored in an EEPROM, but I wonder how you would access such an EEPROM from within Linux. Would that be a special device?

Question 2: Having the executable, how would you decompile/disassemble it? I would use the location of the option strings to search for the routine looking up the option state. A hack could consist in just changing the branch command. Unfortunately I don't even know which CPU is being used. I suspect it is an ARM processor.

Regards,
Vitor
