
Chuango AW1

Chuango AW1 Wifi Alarm System

Software

The AW1 alarm system can only be controlled via the smartphone app „AW1 Alarm“. There is no web interface. Cloud connection?

Hardware AW1 v1.1

  • STM32 32-bit ARM Cortex-M0 MCUs - STM32F030C8T6 - LQFP48 Package
  • Mediatek MT7620A Wifi
  • DS1302Z Realtime Clock
  • 3.7V 600 mAh Li-ion Battery (UPS)
  • OS: OpenWRT Linux
  • FIXME

Firmware Version

  • v1.36 (06.12.2016)
    • Open Ports
      • 53 TCP (no text response via Telnet)
      • 18924 TCP or UDP? (on Telnet connect, an immediate error response and then the connection is closed)
    • Firmware Update Filename chuango_1_ramips_24kec.ipk (MD5: 9a414772d9d3d9a57557c18d2ce74494)

Firmware Analysis

Firmware v1.36

Update Process

Capturing some network traffic from the AW1 and the app revealed some interesting details about the firmware update check that the smartphone app triggers.

The AW1 connects to the FTP server www.cgftpserver.com without encryption, logs in and downloads the file /W1/version. The firmware then checks the content of the version file and downloads the firmware update file chuango_1_ramips_24kec.ipk if necessary.

So let's have a look at the FTP content, shall we?

$ ncftp
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
ncftp> open -u chuangoftp -p 654321 www.cgftpserver.com
Connecting to www.cgftpserver.com...                                            
Microsoft FTP Service
Logging in...                                                                   
User logged in.
Logged in to www.cgftpserver.com.                                               
ncftp / > ls
225WifiCam/                            sl_X3_release.bin
aspnet_client/                         sl_X3_release_C.bin
B11Apk/                                sl_X3_release_CER_E.bin
B11_M66/                               sl_X5_release_6_DM.bin
g3_800h/                               sl_X5_release_6_E.bin
g5_800h/                               sl_X5_release_6_finnish.bin
G5_M66/                                sl_X5_release_6_Greek.bin
go2/                                   sl_X5_release_6_norsk.bin
h4_800h/                               sl_X5_release_6_svenska.bin
H4APK/                                 sl_X5_release_All_C.bin
IPCAMTEST/                             sl_X5_release_All_D.bin
KOne/                                  sl_X5_release_All_DM.bin
L020Apk/                               sl_X5_release_All_E.bin
o3/                                    sl_X5_release_All_ESP.bin
PIRWifiCam/                            sl_X5_release_All_F.bin
q300_800h/                             sl_X5_release_All_I.bin
sl_X3_release_All_Dansk.bin            sl_X5_release_All_N.bin
sl_X3_release_All_D.bin                sl_X5_release_All_P.bin
sl_X3_release_All_E.bin                sl_X5_release_All_R.bin
sl_X3_release_All_ESP.bin              sl_X5_release.bin
sl_X3_release_All_F.bin                sl_X5_release_C.bin
sl_X3_release_All_Finnish.bin          taiwan/
sl_X3_release_All_Greek.bin            W020Apk/
sl_X3_release_All_I.bin                W020_ESP8266/
sl_X3_release_All_N.bin                W1/
sl_X3_release_All_Norsk.bin            W100Apk/
sl_X3_release_All_P.bin                WifiCam/
sl_X3_release_All_R.bin                x300_800h/
sl_X3_release_All_Svenska.bin          x500_800h/
sl_X3_release_All_T.bin                x500_800h_1065N/
ncftp / > cd W1
ncftp /W1 > ls
chuango_1_ramips_24kec.ipk             version
ncftp /W1 > get chuango_1_ramips_24kec.ipk
ncftp /W1 > get version

Content of version:

version:36;
md5:9a414772d9d3d9a57557c18d2ce74494

The version file gives the version and MD5 of the firmware update file chuango_1_ramips_24kec.ipk, which sits in the same directory as version.

chuango_1_ramips_24kec.ipk:

$ file chuango_1_ramips_24kec.ipk
chuango_1_ramips_24kec.ipk: gzip compressed data, last modified: Tue Dec  6 06:20:42 2016, from Unix

If we extract chuango_1_ramips_24kec.ipk, we get chuango_1_ramips_24kec (Debian 2.0 package):

$ file chuango_1_ramips_24kec
chuango_1_ramips_24kec: POSIX tar archive (GNU)

Content of chuango_1_ramips_24kec:

debian-binary
data.tar.gz
control.tar.gz

data.tar.gz finally contains the firmware binary ELF file bin\chuango and bin\libpthread.so.0:

$ file chuango
chuango: ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked, interpreter /lib/ld-uClibc.so.0, corrupted section header size

IDA has no problem disassembling the Firmware Binary ELF File chuango ;-)
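The version file and the nested package layout described above can be checked offline. The Python below is an added example (not code from this wiki page or from the vendor): it parses the version file format, compares the MD5 and lists the files inside data.tar.gz of a constructed sample package. All function names and sample contents are assumptions, and a matching MD5 only shows the download is intact, because the hash arrives over the same unencrypted FTP session as the package.

```python
import hashlib
import io
import re
import tarfile

def parse_version(text):
    """Parse the update server's 'version' file ('version:36;' + 'md5:<hex>')."""
    ver = re.search(r"version:(\d+);", text)
    md5 = re.search(r"md5:([0-9a-fA-F]{32})", text)
    if not ver or not md5:
        raise ValueError("unexpected version file layout")
    return int(ver.group(1)), md5.group(1).lower()

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def list_payload(ipk_bytes):
    """Walk .ipk -> gzip'd tar -> data.tar.gz and return (name, is_elf) pairs.

    Members are read in memory only, so paths inside an untrusted archive
    are never written to disk."""
    outer = tarfile.open(fileobj=io.BytesIO(ipk_bytes), mode="r:gz")
    member = next(m for m in outer if m.name.lstrip("./") == "data.tar.gz")
    data = outer.extractfile(member).read()
    inner = tarfile.open(fileobj=io.BytesIO(data), mode="r:gz")
    return [(m.name, inner.extractfile(m).read(4) == b"\x7fELF")
            for m in inner if m.isfile()]

def make_tar(files):
    """Build a gzip-compressed tar in memory (helper for the constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def build_sample_ipk():
    """Constructed stand-in with the layout shown on this page, not the real firmware."""
    data = make_tar({"bin/chuango": b"\x7fELF-constructed",
                     "bin/libpthread.so.0": b"\x7fELF-constructed"})
    ctrl = make_tar({"control": b"Package: constructed-sample\n"})
    return make_tar({"debian-binary": b"2.0\n", "data.tar.gz": data,
                     "control.tar.gz": ctrl})

if __name__ == "__main__":
    version, expected = parse_version("version:36;\nmd5:9a414772d9d3d9a57557c18d2ce74494\n")
    ipk = build_sample_ipk()
    print("version", version, "md5 match:", md5_hex(ipk) == expected)
    for name, is_elf in list_payload(ipk):
        print(name, "ELF" if is_elf else "other")
```

To check a real download, read the .ipk file as bytes and pass it to md5_hex and list_payload in place of the constructed sample.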

hardware/chuangoaw1.txt · Last modified: 2016/12/29 02:26 by pixeldoc