Seestar S50/ASIAIR Jailbreak + SSH

Software
182 replies to this topic

#1 joshumax

joshumax

    Vostok 1

  • -----
  • topic starter
  • Posts: 104
  • Joined: 13 Mar 2013
  • Loc: Seattle

Posted 22 November 2023 - 11:41 PM

FIRST OF ALL, THIS IS ALL ESSENTIALLY ONE GIANT HACK. IT HAS WORKED FOR ME BUT IT COULD BRICK YOUR DEVICE, OR WORSE. THIS IS FOR DEVELOPERS ONLY. IF YOU AREN'T FAMILIAR WITH SSH OR LINUX, DON'T USE THIS!

Hi everyone,

With the release of ZWO's new Seestar S50, I'm finally releasing a tool I've been using internally to gain root SSH access to both my Seestar and ASIAIR devices. I was originally hoping that ZWO would reduce their rampant open source software license violations and vendor lock-in, but it's only gotten worse. This has made me decide to create a completely FOSS integrated astrophotography solution that will totally replace their software while still leveraging the ASI hardware. I intend to release this project free of charge to the astronomical community shortly.

In the meantime, I am providing this jailbreak so that others can explore their ASIAIR device without the need of physically opening it and soldering on UART headers. To run it, all you need is a machine running a reasonably new Python 3 as well as the archive attached to this post.

[Current jailbreak release]

Run jailbreak:

    python run_jailbreak.py [IP_ADDRESS_OF_DEVICE]

Connect to Seestar/ASIAIR:

    ssh pi@[IP_ADDRESS_OF_DEVICE]

The password for SSH will be "raspberry" (no quotes) if the jailbreak ran successfully. You can access the root account via "sudo".

Edited by joshumax, 22 November 2023 - 11:47 PM.

  • Skywatchr, Lamia, lambermo and 22 others like this

#2 synfinatic

synfinatic

    Viking 1

  • *****
  • Posts: 850
  • Joined: 22 Dec 2013
  • Loc: San Jose, CA

Posted 23 November 2023 - 06:14 PM

Unfortunate that so many vendors in so many spaces (not just astronomy) continue to violate the GPL.

Also, LOL I just looked at what you did and it's so simple it's kinda stupid.


  • Skywatchr, tjay, Bob Denny and 4 others like this

#3 Bob Denny

Bob Denny

    ASCOM Initiative

  • -----
  • Organization
  • Posts: 1,145
  • Joined: 17 Mar 2009
  • Loc: Mesa AZ USA

Posted 23 November 2023 - 08:39 PM

Unfortunate that so many vendors in so many spaces (not just astronomy) continue to violate the GPL.

But it's CHEAP!!!



#4 Patrick Chevalley

Patrick Chevalley

    Mariner 2

  • -----
  • Vendors
  • Posts: 242
  • Joined: 04 Jul 2017

Posted 24 November 2023 - 09:58 AM

So you can make these devices execute anything as root by simply sending a command to a remote socket, without any kind of protection!

Fortunately they are not powered all day, making them not the best choice for a botnet.


  • lambermo and Bob Denny like this

#5 gmiller123456

gmiller123456

    Viking 1

  • -----
  • Posts: 863
  • Joined: 25 Dec 2020

Posted 25 November 2023 - 10:12 AM

Now that it's public, I wouldn't expect it to last for long. Since it's a remote root exploit, it should be taken pretty seriously.
  • kwelz likes this

#6 tjay

tjay

    Gemini

  • *****
  • Posts: 3,323
  • Joined: 03 Feb 2007
  • Loc: just outside of Toronto

Posted 25 November 2023 - 01:21 PM

It really is laughable that there is so little attention to security.

I hope the FOSS solution comes along quickly!



#7 synfinatic

synfinatic

    Viking 1

  • *****
  • Posts: 850
  • Joined: 22 Dec 2013
  • Loc: San Jose, CA

Posted 01 December 2023 - 08:22 PM

Now that it's public, I wouldn't expect it to last for long. Since it's a remote root exploit, it should be taken pretty seriously.

I've been doing computer security since about 1997.  This made me laugh.  Thank you.


  • Taylor, Phil Cowell, Bob Denny and 7 others like this

#8 Artimon

Artimon

    Sputnik

  • -----
  • Posts: 33
  • Joined: 07 Dec 2023

Posted 07 December 2023 - 10:38 AM

Hello,

Thanks for these efforts, but since firmware update 1.91 this "hack" does not work anymore.

I found ports TCP 139 and UDP 137 / 138 / 1900 / 5353 / 57668 that seem open, but I do not know how to use them.

Would it be possible to update the crack and, if possible, to re-activate the "hidden functions" that were made unavailable since this firmware update, as ZWO refuses to open it again for now...

It would be very much appreciated and helpful, as I tried some settings with 30 sec. shots and a Comet C2 Swan filter when this firmware was installed. Now I cannot continue my testing!

Thanks in advance for any help!!

Stephane.



#9 Artimon

Artimon

    Sputnik

  • -----
  • Posts: 33
  • Joined: 07 Dec 2023

Posted 07 December 2023 - 10:40 AM

... by the way, any idea how to downgrade the firmware, and where to find a copy of the former one that worked?

Thanks a lot.

Stephane.



#10 billndotnet

billndotnet

    Explorer 1

  • -----
  • Posts: 61
  • Joined: 31 May 2022

Posted 08 December 2023 - 02:50 AM

Unfortunate that so many vendors in so many spaces (not just astronomy) continue to violate the GPL.

Also, LOL I just looked at what you did and it's so simple it's kinda stupid.

There is very little security baked into the AAP. I'm glad someone else found it, I was starting to get tired of being the only one poking around in there.



#11 billndotnet

billndotnet

    Explorer 1

  • -----
  • Posts: 61
  • Joined: 31 May 2022

Posted 08 December 2023 - 02:52 AM

Now that it's public, I wouldn't expect it to last for long. Since it's a remote root exploit, it should be taken pretty seriously.

If ZWO 'strictly followed open source standards' like they claim to, it wouldn't matter, the whole platform should be open source. 


  • edjuh likes this

#12 billndotnet

billndotnet

    Explorer 1

  • -----
  • Posts: 61
  • Joined: 31 May 2022

Posted 08 December 2023 - 02:53 AM

So you can make these devices execute anything as root by simply sending a command to a remote socket, without any kind of protection!

Fortunately they are not powered all day, making them not the best choice for a botnet.

Additionally, they're intended/designed to run as an isolated device, so it's relatively low risk unless it's connected to your home network 24/7.



#13 billndotnet

billndotnet

    Explorer 1

  • -----
  • Posts: 61
  • Joined: 31 May 2022

Posted 08 December 2023 - 02:54 AM

... by the way, any idea how to downgrade the firmware, and where to find a copy of the former one that worked?

Thanks a lot.

Stephane.

The Plus and Mini have a built-in reset image stored on an internal MMC, there's a physical button you can hold to reset it. The Pro, you can pop out the SD card and re-image it, instructions are here: https://astronomy-im...e_ASIAIR_OS.pdf



#14 billndotnet

billndotnet

    Explorer 1

  • -----
  • Posts: 61
  • Joined: 31 May 2022

Posted 08 December 2023 - 02:56 AM

Hello,

Thanks for these efforts, but since firmware update 1.91 this "hack" does not work anymore.

I found ports TCP 139 and UDP 137 / 138 / 1900 / 5353 / 57668 that seem open, but I do not know how to use them.

Would it be possible to update the crack and, if possible, to re-activate the "hidden functions" that were made unavailable since this firmware update, as ZWO refuses to open it again for now...

It would be very much appreciated and helpful, as I tried some settings with 30 sec. shots and a Comet C2 Swan filter when this firmware was installed. Now I cannot continue my testing!

Thanks in advance for any help!!

Stephane.

Firmware updates make very limited changes to the existing OS. You can run this hack on an earlier version, add a new user/password, add it to sudoers, and upgrade to newer firmwares without losing that user. My Pro has been rooted for a couple of years now with no issues.



#15 billndotnet

billndotnet

    Explorer 1

  • -----
  • Posts: 61
  • Joined: 31 May 2022

Posted 08 December 2023 - 03:03 AM

FIRST OF ALL, THIS IS ALL ESSENTIALLY ONE GIANT HACK. IT HAS WORKED FOR ME BUT IT COULD BRICK YOUR DEVICE, OR WORSE. THIS IS FOR DEVELOPERS ONLY. IF YOU AREN'T FAMILIAR WITH SSH OR LINUX, DON'T USE THIS!

Hi everyone,

With the release of ZWO's new Seestar S50, I'm finally releasing a tool I've been using internally to gain root SSH access to both my Seestar and ASIAIR devices. I was originally hoping that ZWO would reduce their rampant open source software license violations and vendor lock-in, but it's only gotten worse. This has made me decide to create a completely FOSS integrated astrophotography solution that will totally replace their software while still leveraging the ASI hardware. I intend to release this project free of charge to the astronomical community shortly.

In the meantime, I am providing this jailbreak so that others can explore their ASIAIR device without the need of physically opening it and soldering on UART headers. To run it, all you need is a machine running a reasonably new Python 3 as well as the archive attached to this post.

[Current jailbreak release]

Run jailbreak:

    python run_jailbreak.py [IP_ADDRESS_OF_DEVICE]

Connect to Seestar/ASIAIR:

    ssh pi@[IP_ADDRESS_OF_DEVICE]

The password for SSH will be "raspberry" (no quotes) if the jailbreak ran successfully. You can access the root account via "sudo".

Nicely done. I laughed pretty hard when I saw this hole while tcpflow-dumping the dialogues between the app and the gadget, especially after ZWO tried to make it seem like I cracked their ssh password to root mine. (I rooted the Pro with notepad.exe, your solution is far more elegant)

What are your thoughts on a proxy layer that sits on the imager's port and just does translation to a proper INDI server?


Edited by billndotnet, 08 December 2023 - 03:10 AM.


#16 Artimon

Artimon

    Sputnik

  • -----
  • Posts: 33
  • Joined: 07 Dec 2023

Posted 08 December 2023 - 04:53 AM

Hello Billndotnet,

If I understand you correctly, you are talking about the ZWO ASIAir, not the Seestar S50? Am I wrong? My request was for the Seestar S50. I did try the jailbreak, but it did not work on mine, unfortunately, maybe because firmware 1.91 was installed before I tested the jailbreak.

If it still works, a more detailed "how to use" may help more people than just me on this topic. So, thanks a lot in advance for this!!

Clear skies to all.

Stephane.



#17 billndotnet

billndotnet

    Explorer 1

  • -----
  • Posts: 61
  • Joined: 31 May 2022

Posted 08 December 2023 - 01:43 PM

Hello Billndotnet,

If I understand you correctly, you are talking about the ZWO ASIAir, not the Seestar S50? Am I wrong? My request was for the Seestar S50. I did try the jailbreak, but it did not work on mine, unfortunately, maybe because firmware 1.91 was installed before I tested the jailbreak.

If it still works, a more detailed "how to use" may help more people than just me on this topic. So, thanks a lot in advance for this!!

Clear skies to all.

Stephane.

You're correct, I was speaking of the ASIair. Looking at the Seestar manual, I don't see any instructions on how to revert the firmware. I believe it uses the same base board as the ASIair Plus, so there's likely a process for reverting to the OS version stored on the internal MMC, but it looks like they've overlooked adding instructions to the manual for it. You'll have to ask support.


Edited by billndotnet, 08 December 2023 - 01:44 PM.


#18 joshumax

joshumax

    Vostok 1

  • -----
  • topic starter
  • Posts: 104
  • Joined: 13 Mar 2013
  • Loc: Seattle

Posted 09 December 2023 - 02:08 PM

Hello,
Thanks for these efforts, but since firmware update 1.91 this "hack" does not work anymore.
I found ports TCP 139 and UDP 137 / 138 / 1900 / 5353 / 57668 that seem open, but I do not know how to use them.
Would it be possible to update the crack and, if possible, to re-activate the "hidden functions" that were made unavailable since this firmware update, as ZWO refuses to open it again for now...
It would be very much appreciated and helpful, as I tried some settings with 30 sec. shots and a Comet C2 Swan filter when this firmware was installed. Now I cannot continue my testing!
Thanks in advance for any help!!
Stephane.


I'll take a look at what happened later this week when I have a moment of free time. Even if they added a signature mechanism to their updates, there are a hundred or so other critical, exploitable vulnerabilities I ran into when reverse engineering both the AIR's imager and updater binaries. I actually lost count of them, there were so many.

I've also been busy writing INDI drivers for the S50 "filter wheel" and dew heater (controlled over the GPIO pins), as well as a FOSS libusb library to control their cameras without having to use ZWO's buggy SDK. I'll be upstreaming those to indilib as soon as they're stable.

Edited by joshumax, 09 December 2023 - 02:09 PM.

  • Skywatchr, joeytroy and billndotnet like this

#19 Artimon

Artimon

    Sputnik

  • -----
  • Posts: 33
  • Joined: 07 Dec 2023

Posted 09 December 2023 - 03:32 PM

Wow!! Nice job already, Joshumax!! I am deeply interested in all of these attempts you've made! Once you post them, they will be welcomed by the whole community, I guess.

So, take your time... I am happy to read that someone with this kind of competence shares it. Thank you so much. INDI should be interesting, as well as FossUSB.

On my side, I try to use the Seestar for comet capturing, and so 30 sec is more than useful with a C2 Swan band filter (10 sec. is too short for m9.5 and above, particularly in my Bortle 5 light-polluted sky!)

Clear skies to you,

Stephane, from Belgium.


  • Skywatchr likes this

#20 Artimon

Artimon

    Sputnik

  • -----
  • Posts: 33
  • Joined: 07 Dec 2023

Posted 20 December 2023 - 03:54 PM

Hello Joshumax,

Any news about any breach you could exploit on the Seestar S50? If any, please post it in this topic, it will help more than just me ;)

Thanks for your job on it.

Stephane.



#21 billndotnet

billndotnet

    Explorer 1

  • -----
  • Posts: 61
  • Joined: 31 May 2022

Posted 27 December 2023 - 07:14 PM

Hello Joshumax,

Any news about any breach you could exploit on the Seestar S50? If any, please post it in this topic, it will help more than just me ;)

Thanks for your job on it.

Stephane.

Have you hit up support for backrev/reset instructions?



#22 Artimon

Artimon

    Sputnik

  • -----
  • Posts: 33
  • Joined: 07 Dec 2023

Posted 28 December 2023 - 06:10 AM

Have you hit up support for backrev/reset instructions?

Not yet...



#23 joeytroy

joeytroy

    Viking 1

  • *****
  • Posts: 745
  • Joined: 14 Aug 2020
  • Loc: Belen, NM, USA

Posted 06 January 2024 - 05:33 PM

Just tested the script on the ASIAIR Pro. It did not work, as the port number on line 36 needed to be changed to 4360 because 4361 is not an open port. After making the following change and running the script, it worked!

Edited code, line 36:

    s_ota.connect((address, 4360))

Command run:

    python run_jailbreak.py x.x.x.x
    Got: {"Event":"Version","Timestamp":"608.911992117","name":"ASI AIR updater","svr_ver_string":"1.6","svr_ver_int":6}

    Sending RPC: {"id":1,"method":"begin_recv","params":[{"file_len":222,"file_name":"air","run_update":true,"md5":"aa97db2d4de1c335f810ed44254447dc"}]}

    Got back: {"jsonrpc":"2.0","result":0,"code":0,"id":1}

So easy to root a device now! Very well done! Can we look at adding this code to GitHub?


Edited by joeytroy, 06 January 2024 - 05:35 PM.

  • DBullard and anewton81 like this
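From a defender's side, the exchange quoted in post #23 is also a usable detection signature: the updater answers with a Version banner and then accepts a begin_recv without any authentication. The following is an added example, not code from this thread or from ZWO: a small Python parser that runs over a constructed capture of the app-to-device dialogue (the "src:port -> dst:port payload" line format and the addresses are assumptions; the JSON lines are the ones post #23 shows) and flags every begin_recv pushed to the updater port, noting whether the device accepted it.

```python
import json
import re

# Constructed sample of a captured app <-> device dialogue, modelled on the
# updater exchange quoted in post #23. The "src:port -> dst:port payload" line
# format and the addresses are assumptions for this example, not any tool's output.
SAMPLE_FLOW = """\
192.168.4.1:4360 -> 192.168.4.2:51234 {"Event":"Version","Timestamp":"608.911992117","name":"ASI AIR updater","svr_ver_string":"1.6","svr_ver_int":6}
192.168.4.2:51234 -> 192.168.4.1:4360 {"id":1,"method":"begin_recv","params":[{"file_len":222,"file_name":"air","run_update":true,"md5":"aa97db2d4de1c335f810ed44254447dc"}]}
192.168.4.1:4360 -> 192.168.4.2:51234 {"jsonrpc":"2.0","result":0,"code":0,"id":1}
192.168.4.2:51240 -> 192.168.4.1:4400 {"id":7,"method":"get_state","params":[]}
"""

# 4361 is what the posted script dials; the Pro answers on 4360 (post #23).
UPDATER_PORTS = {4360, 4361}
LINE_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (\{.*\})$")


def parse_flow(text):
    """Yield (src, sport, dst, dport, payload) for each line that carries valid JSON."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            payload = json.loads(m.group(5))
        except json.JSONDecodeError:
            continue  # partial or non-JSON segment: skip rather than crash
        yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), payload


def find_update_pushes(text):
    """Return one alert per begin_recv sent to an updater port.

    Any begin_recv is an unauthenticated firmware write; run_update=true means it
    executes immediately. The device's reply with the same id is matched up:
    result 0 / code 0 = accepted.
    """
    alerts, replies = [], {}
    for src, sport, dst, dport, payload in parse_flow(text):
        if sport in UPDATER_PORTS and "id" in payload and "result" in payload:
            replies[(src, payload["id"])] = payload  # keyed by device address + rpc id
        if dport not in UPDATER_PORTS or payload.get("method") != "begin_recv":
            continue
        params = payload.get("params") or [{}]
        p = params[0] if isinstance(params[0], dict) else {}
        alerts.append({
            "client": src, "device": dst, "port": dport, "rpc_id": payload.get("id"),
            "file_name": p.get("file_name"), "file_len": p.get("file_len"),
            "md5": p.get("md5"), "run_update": bool(p.get("run_update")),
        })
    for a in alerts:  # attach the device's answer, if it was captured
        r = replies.get((a["device"], a["rpc_id"]), {})
        a["accepted"] = r.get("result") == 0 and r.get("code") == 0
    return alerts
```

On a LAN where the ASIAIR is reachable, any alert with a client address other than the phone or tablet running the ZWO app is worth investigating, since the updater cannot tell the two apart.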

#24 DBullard

DBullard

    Vostok 1

  • -----
  • Posts: 157
  • Joined: 04 Aug 2020
  • Loc: Los Angeles

Posted 07 January 2024 - 01:39 AM

Thank you!

I have been itching to try the beta with AA+ because it finally allows guiding speed changes for the AM3/5, but the minMove change to 0.2 was a deal breaker as it seemed to cause issues with guiding...

In case anyone is interested, the guide config is /home/pi/.ZWO/ASIAIR_guider.xml and the minMove section for each axis isn't hard to find...

Aaand I jumped the gun on this, the zwoair_guider immediately overwrites the config on run...


Edited by DBullard, 07 January 2024 - 02:02 AM.


#25 joeytroy

joeytroy

    Viking 1

  • *****
  • Posts: 745
  • Joined: 14 Aug 2020
  • Loc: Belen, NM, USA

Posted 07 January 2024 - 01:22 PM

Hello,

Thanks for these efforts, but since firmware update 1.91 this "hack" does not work anymore.

I found ports TCP 139 and UDP 137 / 138 / 1900 / 5353 / 57668 that seem open, but I do not know how to use them.

Would it be possible to update the crack and, if possible, to re-activate the "hidden functions" that were made unavailable since this firmware update, as ZWO refuses to open it again for now...

It would be very much appreciated and helpful, as I tried some settings with 30 sec. shots and a Comet C2 Swan filter when this firmware was installed. Now I cannot continue my testing!

Thanks in advance for any help!!

Stephane.

Stephane,

Assuming those are all the open ports, you may want to simply change the port in the script as I have listed in post #23. I don't know what you used to scan it; I am using MobaXterm on Windows and scanning the ASIAIR Pro with the stock ASIAIR_PRO_OS_V1.4.zip from their site, and see the following open ports:

FIRMWARE 4.35

- Port #22 (ssh):  listening
- Port #139 (netbios-ssn):  listening
- Port #445 (microsoft-ds):  listening
- Port #4030:  listening
- Port #4040:  listening
- Port #4350:  listening
- Port #4360:  listening
- Port #4400:  listening
- Port #4500:  listening
- Port #4700:  listening
- Port #4800:  listening
- Port #8888:  listening

What is interesting is that with the newer update they have the following ports open:

FIRMWARE 10.74

- Port #22 (ssh):  listening
- Port #139 (netbios-ssn):  listening
- Port #445 (microsoft-ds):  listening
- Port #4030:  listening
- Port #4040:  listening
- Port #4350:  listening
- Port #4360:  listening
- Port #4400:  listening
- Port #4500:  listening
- Port #4700:  listening
- Port #4800:  listening
- Port #4801:  listening
- Port #8888:  listening

What I wanted to share in this post was the history command from the stock ASIAIR_PRO_OS_V1.4.zip image.

https://pastebin.com/31189rxq


Edited by joeytroy, 07 January 2024 - 02:02 PM.


