I-Appliance BBS The Official Source for Internet Appliance Upgrades and Mods Click Here! BBS Main List | Sign In | Sign Up | Search | Help | Linux-Hacker.net Reply to Thread | Printer |

Home / MISC Areas / Mattel JuiceBox Possible control exploit using JBP file?

Possible control exploit using JBP file? (modified 0 times) EmbedSysDev Profile Can we use an exploit to load and execute code in the JuiceBox to gain control ?. 1. Loading executable code : When a JBP file is loaded from the SD card, it always appears at $C1F40C0. The JBP file is not checked for content or checksum when loaded. If you create an arm executable binary and place it in a JBP file on the SD card it will load without error. 2: Executing the code: Now we need a way to execute this code , some sort of exploit. You can always use JTAG to execute the code but is there another method which would work for those without JTAG?. 3: External control: The tx and rx for the second serial port are available on the expansion slot. You can wired up a tx/rx serial port to the SD interface card. If you don't use the SD and the serial at the same instant they both will work. I am using a DIY Jtag and both serial port connections to experiment with the Juicebox. I use WinArm to compile test code. 10-13-2006 14:16:25

RE:Possible control exploit using JBP file? (modified 1 times) jasonharper Profile There's no realistic chance of an exploit involving only .JBP files, since they're just read into memory without interpretation. An .MP3 exploit is much more likely, and there are documented cases of arbitrary code being executed on a PC by playing a malformed .MP3 in a specific player, but would be difficult without the source to the JB's player. However, your idea of loading code in a .JBP would work well with my idea of hooking a microcontroller to the JTAG port. The micro would no longer need to load any boot code into the ARM; it would just set up a data-dependent watchpoint on the last word of the screen memory, wait for the watchpoint to be triggered (by the loading of an .JBP with the right value in its last word), then jump to 0xC1F40C0. The necessary JTAG code shouldn't take more than a K or two, so a much smaller/cheaper micro could be used than if it needed to contain the actual application or bootloader code. Furthermore, the code would never need to be changed once it's debugged, so users wouldn't need any in-circuit programming capability for the micro. The result: for the effort of soldering a pre-programmed 8-pin PIC (or similar microcontroller) to the JTAG pads, you'd be able to run arbitrary programs of up to 56K in size, which could either be self-contained applications or something like a uCLinux bootloader, just by storing them on a SD/MMC card and selecting them in the built-in picture viewer. Normal operation of the JuiceBox would not be affected except for the slight chance of a video or picture containing the 32-bit trigger value in its lower-right corner. 10-13-2006 16:26:33

RE:Possible control exploit using JBP file? (modified 0 times) EmbedSysDev Profile The size of code is only limited by the SD card. Once the JBP binary starts it can load additional code from the SD card. Once you have your 'foot in the door' you have unlimited control. Seems that we could leverage the fact that Linux is already loaded and running to our advantage. The JBP exploit could start a shell such as 'ash' so we would have control via a serial port. I have looked at the 'PIC/JTAG' control aspect also but would like to find a method to start the JBP code by using the connections available at the expansion port. A PIC might be used here for instance, once the JBP code is loaded do a reset. The boot will try to read from the expansion port, the pic could send the arm code bytes for a jmp to $C1F10C0. 10-13-2006 18:02:11

RE:Possible control exploit using JBP file? (modified 0 times) Dgoreth Profile ________________________________________________________________________________________ The JBP exploit could start a shell such as 'ash' so we would have control via a serial port. ________________________________________________________________________________________ the only problem I see with this idea is here in the bootup info: ttyS0 (irq = 3) is a builtin Samsung S3C44B0X UART UART Rx disabled for production release correct me if I am wrong, but doesn't that mean that it cannot accept serial input using the OS that would be running? or am I missing a way to bypass this? 10-21-2006 03:18:33

Reply to Thread | Printer | All times are PST Powered by UltraBoard v1.62

I-Appliance BBS General - NEWS, Breaking NEWS - linux-hacker.net BBS on CD Questions - User Groups in Your Town - E-Bay, Yahoo Auction LINKS ONLY (MODERATED) - Jokes & Humor - usdtv box I-Opener Areas - I-Opener General Posts - I-Opener Technical Stuff - I-Opener Technical Info Reference (MODERATED) WebSurfer Areas - WebSurfer General Posts - WebSurfer Technical Stuff - WebSurfer Technical Info Reference (MODERATED) Other I-Appliances - Virgin Webplayer - WebPal - MailStation - 3Com Audrey - ThinkNIC / Oracle NIC - Gateway/AOL Connected Touch Pad - Philips/AOL-TV - ACER NT-150 STB - MSN Companion - Compaq IA - Emachines IA - IBM NetVista IA - Intel dot.station - MSNTV2 Network Computers - Fujitsu-Siemens Scovery Linux Net Computers - GallantWeb Server Consoles - Dreamcast - xbox hacking Web Pads - Epods One General Post - Panasonic CF-01 - Fujitsu Stylistic 1200 - Cybiko Thin Clients - Thin Clients DigitalVideoRecorders - DTV Recorders, Replay, TiVo, Etc... - Tivo Hacks Linux - Midori Linux General Board - ITX MotherBoards Single Board Computers - Earth Computers mARMalade Elite Member Area MISC Areas - The Swap Meet WE TAKE NO RESPONSIBILITY FOR ANY TRANSACTION HERE AND NO COMMERCIAL POST PERIOD !!! - Wireless Net - Cameras - Robotics - Routers/Gateways - Mattel JuiceBox