Gow IPTV, I broke

I do not like to do what most do. Perhaps that is why the pioneers accepted me as one of the last in the class, together with notorious losers, despite my good academic performance. And what is now occupied by the majority, what they do and for what devices? Yes, of course, these are the same “custom” for an innumerable army of devices on the android platform, further in the list can be followed by firmware for routers and modems, and you can close the list with firmware for end-of-life TV players. Such a hierarchy of devices with firmware is conditional here, but whether it will be an absolute fact, whether the presented material has any benefit for anyone, you can only answer by reading it.

The material is by no means a guide to action or inaction, moreover, its use for unlawful purposes can be pursued by law. In the case of not well thought out enough manipulations, there is a risk to damage the equipment.

It all started around noon. The rest of the day was to be free, and it was decided to do something. Glance fell on the IPTV set-top box by the name of Promsvyaz, nee ZTE, and with the name ZXV10 B600 V4C on the sticker.

I will not deny that interest in this box has arisen before, but something didn’t grow together: it was slightly googled, the boy scanned the ports, intercepted some traffic - nothing sensible. Even at that time, I saw references to successful unlocking of telnet on Chinese websites, but for this it was necessary to disassemble the device. This option has disappeared, because everywhere warranty stickers and, tearing them, would have to reimburse the cost of iron provider.
')
So this time, the bailiff for Google with the queries of “zxv10 b600” did not reveal anything except a couple of stupid questions and numerous Chinese websites for the sale of hardware. However, having noticed the page iknow.baidu.com , which turned out to be an analogue of otvety.google.com , I went there. No, something is not right again - not suitable, everyone can imagine what kind of information is there. It was decided to seriously and globally have them “banned” there. Some might think that I know Chinese, no, I only used ctrl + c / ctrl + v and translate.google.com to translate individual lines from Chinese into English, sometimes giving Google the opportunity to translate the entire page. After killing a couple of hours, I came across a service program for working with IPTV consoles, downloaded, looked - she wants to be activated with a license. Nah, we don’t need such hockey! Go ahead and look for the older version, find, and oddly enough, but without any registrations and other machinations of greedy people, download, run. Bah, yes she is in Chinese! Let it go. Everything is clear. Only two buttons.



We need the second button, and, running ahead, I will say that further, in the second menu item, we need the second position.
In the newly opened window, enter the IP address of the console and, after making sure that the console and the computer are on the same subnet, press the only available button. Voila, we are in contact, though not in the same. Therefore, we will rejoice, and we think what it gives us. It's time to go over the tabs and look around. "So why the second point and the second position?" - they will ask me. Indeed, little informative was seen among the tabs with a poorly understood set of characters. Then came the turn of the menu. We press in the menu the second pair of hieroglyphs, then again the second pair.



Very well, now, finally, you can see the descriptions of the settings in a human language that some people understand from childhood. Here we also see the possibility to read the settings from the device, write them to the device, load from a file or save to the file the settings available for the device.



Finish with the settings, this is not as interesting as the “Start INETD” button on the first tab.



Excellent! I thought that now a pair of idt: idt would be suitable, well, or root with an empty password. Hmm, well, in the extreme case of ldt: ldt or root: root plus a couple of other options on Chinese websites. Oh, not so simple. Is it really brutal? Let there be three letters in the login and password, and if there are more than six, and not just letters? Damn it, because otherwise a dead end, I will not knock on the keys myself. I turned on the software and decided to look in the direction of the update server, the address of which was found on the settings tab.

The prefix is ​​updated from the server of the provider, and as it became clear from the settings, it does this automatically after turning on and receiving the IP address if there is a new firmware on the server. By the way, the auto-update feature can be disabled, as well as no one forbids specifying any address of the update server. So where is the firmware? What is she like?
We follow the update directory on the server. We see a bunch of jpg files and some cfg. Looking at zteSTBVer.cfg and zteSTBVer2.cfg the picture becomes clearer. Below is visible part of the contents of these files related to the model ZXV10 B600 V4C.

zteSTBVer.cfg

[Model=ZXB600V4C(STBSG-BCM7466-00000)] AppName=Safe Version=403035 Location="safe_40332817.jpg" Destination="/dev/mtd1" Rules={Y(!403035)} AppName=StbCfgInfo Version=32810 Location="stb_32808.cfg" Destination="/etc/stb.cfg" Rules={Y(!32810)} AppName=logo Version=403003 Location="logo_B600v4c_403003.jpg" Destination="/dev/mtd4" Rules={Y(!403003)} AppName=allmtd Version=40332822 Location="allmtd_40332822.jpg" Rules={Y(<40332822)} 

zteSTBVer2.cfg

 [Model=ZXB600V4C(STBSG-BCM7466-00000)] AppName=allmtd Version=40332822 Location="allmtd_40332822.jpg" Destination="/dev/mtd6" Rules={Y(=999999)} 

I am taking files for my model of the console, according to the above configs. I remember that I saw some information on the composition of the firmware of the Chinese, looking again at them, I come across the mention of some utility SplitFile.exe cleaning 16 bytes ECC after every 512 bytes in the file and breaking the composite firmware into parts. The search for the utility yielded absolutely nothing. “Clamped!” I thought in my hearts, and with the help of a Swiss knife, TextPipe cleared the firmware. We are inciting binwalk.

 DECIMAL HEX DESCRIPTION ------------------------------------------------------------------------------------------------------- 96 0x60 gzip compressed data, was "vmlinux", from Unix, last modified: Tue Oct 11 15:16:16 2011 2621440 0x280000 JFFS2 filesystem, little endian 6815744 0x680000 CramFS filesystem, little endian size 18268160 version #2 sorted_dirs CRC 0x5a011db9, edition 0, 9846 blocks, 584 files 

With the addressing that was mentioned on the Internet coincides, however. I continue with WinHex, which helps to scatter the whole thing into three files in accordance with the necessary addresses, called them trivially: kernel.bin, jffs2.bin and cramfs.bin. Where now? That's right, in the jffs2.bin image in the / etc / passwd file. The New TuxBox Flash Tool program for the Windows platform that came to my hand successfully coped with connecting and viewing the contents of two images of the jffs2 and cramfs file systems. So what about passwd?

 root:x:0:0:root:/root:/bin/sh bin:*:1:1:bin:/bin:/dev/null daemon:*:2:2:daemon:/sbin:/dev/null adm:*:3:4:adm:/var/tmp:/dev/null ftp:*:14:50:FTP User:/var/tmp:/dev/null nobody:*:99:99:Nobody:/:/dev/null rpcuser:x:29:29:RPC Service User:/var/tmp:/dev/null nfsnobody:x:65534:65534:Anonymous NFS User:/var/tmp:/dev/null 

Or maybe / etc / shadow? There is no it ... I don’t want to change and rebuild the firmware. Again a dead end.

Switching activities from one to another sometimes gives excellent results. I open the browser and seemingly aimlessly spend about an hour looking for any useful information on the subject of my interest. Link by reference, transition by transition. I am looking for the Linux version, the processor model and its manufacturer. It's getting late, I want to sleep, the content being viewed is somewhat removed even from the processor model, and now, stop, and how is that? "Control-C and login with root and now password." I'm running pytty, trying to connect. Of course, it will not work, there is a selection of passwords to the login root. I stop brute forceing passwords, save brute force session to continue in the morning Run the putty again, I go:

 login:root password:ctrl+c 

What?! I could not believe my own eyes:

 encrypted:null, unencrypted:_ 

Yes, I did not follow the clearly described method, pressed the ctrl + c combination not at that moment, but firstly, the pieces of iron are different, like the connection method, and secondly, I, in my time, are not particularly in the pioneers in a hurry.

My interest in the console faded literally the next morning after receiving the password, leaving behind me the process of changing the firmware, the possibility of adding functionality, as well as testing and installing the firmware in the console. I do not like to do what most do.