Hi,
I have been trying for some time to hack a CATV field meter which I own, for the sake of it, to learn, as a challenge and because the options would be neat to have.
I bought it second hand, but this unit is still being used by installers.
It has 20+ options that can be activated, for instance for Browser/FTP, IPTV, VOIP, etc.
I asked the manufacturer for a quotation, but most options are not commercialized anymore and the remaining ones each cost about the same as I paid for the device itself.
I am just an amateur and I don't intend to use the unit for any real work.
Because the unit is still under production/being sold/being used, I will not mention any brand or model.
Right now I can:
a) Access the device through telnet, as the root account does not have any password set
b) Open the firmware archives and see the contained images
c) Mount those images on Linux and browse them - they do contain more or less the same as if I accessed the device through telnet
The way the options are activated is as follows:
You open the Windows application that manages the device and there is a menu to activate options. You check the option you want and enter the activation code. This then goes to the connected field meter. I tried random codes and obviously all were wrong. The check is made by the device, not the Windows application.
What I did so far:
I browsed the whole file system and found absolutely nothing containing the active options or the serial number of the device.
I copied the executable of the field meter app and opened it in Notepad++ in HEX mode. I did find the strings mentioning each option.
I looked for some weird device that could be storing this data in /dev but found nothing.
So here is finally my question:
Do you have any tips on how to proceed to eventually find where the active options and serial number are stored? How would you, for example, access an EEPROM within this device through a normal Linux app?
I dismissed the idea of trying to use Wireshark to see how activation requests are sent from the Windows app to the device, and then writing some brute-force tool that would send all combinations overnight. The reasons are:
- very complicated to do
- I don't have any activation code, so I don't know if they contain numbers, letters or other characters, and I don't know how many digits an activation code has
- I don't know if there is any protection against a brute-force attack
I have not opened the device, as it has warranty seals and I might resell it in case I cannot find out how to activate the options. The device pretty much sucks as it is, and it frustrates me to have lots of menu options which only show "this option is not activated" when I select them.
Thanks,
Vitor