Byte Capsule


Dawnell Sechler

Aug 4, 2024, 11:11:50 PM8/4/24
to dipotoca
Security conferences always seem to have at least one interesting presentation that tells a fascinating story, albeit with a serious underlying security message. Here are three from the last few years (and this post is another one).

The key thing about this hotel, and many others, is that you can control many features of the room using an iPod Touch: you can change the shape of the adjustable bed, control the room light, turn ventilation on and off, and so on. Of course, as a security researcher, he immediately started to wonder about security. But he was on vacation in a foreign country and didn't have all his equipment with him, so while he liked the idea of investigating, he hesitated to get engrossed in it. Then he met Bob. Bob was in the next room making very loud phone calls at 2:00am. He asked him the next morning to be quieter, but he was not. So he decided to see if he could make the world a better place by giving Bob an unpleasant experience.


He started to investigate the equipment in the room. First he found a Nasnos CS8020-B, which was some sort of controller for the electric curtains, light dimmer, and so on. The bed contained a Deltadrive DS2 motor used to make the bed adjustable, perhaps wirelessly connected to the Nasnos. There turned out to be a Nasnos CS8700 router in each room that presumably communicated with the other controller over Wi-Fi, and allowed the room to be controlled from iOS or Android. It was actually hidden in the walls, but he found it with a Wi-Fi scan. He had a photo of the router "taken from the internet, I didn't tear down the wall!"


He took a look at the iPod Touch that allowed you to control the room. It was running an application, but you could not exit the application. If you triple-tapped the home button it asked you for a passcode to exit, which of course he didn't know. This is called "guided access": you can only run a single application and cannot get out to a home screen. But it is configured at run-time, so it is not present if you turn off the device. And, of course, you can't reboot the device without leaving the app. But what if you drain the battery, and then reboot after connecting it back to a power supply?


He did a Wi-Fi scan and found a total of 119 Nasnos access points. The SSID is based on the last bytes of the BSSID. The authentication mode is open. He didn't have a lot of equipment with him, just two Wi-Fi cards that do not support injection. He needed to find a way to generate a lot of data.


Now that he had a key, he could investigate what data was sent to do what. So he created an access point for his iPod Touch, configured the iPod to use the laptop as its gateway, and configured the laptop as a router. Every packet sent by the iPod Touch passed through his laptop, so he could do a traffic analysis of the ports and packet contents. There was no authentication and no encryption. He could now control his bedroom from his laptop by crafting packets with the data required to, say, turn off the light.


That didn't, however, allow him to control other bedrooms. Poking around on the internet, he still could not find how the key was generated, so he could not reverse engineer that. But he did find another vulnerability. Packets are sent to the Nasnos router on UDP port 988 for remote configuration, giving him read/write access to the router configuration.


At this point, he went to another city to continue his vacation. Later, he returned to the same capsule hotel and, of course, was assigned a new room. It turned out that the key varied only in the last four characters between the two rooms, so there were just 65,536 possibilities. He could simply search them all by leaving his laptop running all night. That gave him access to all the bedrooms.


Here are a few screenshots from his video. In the first picture, on the left, he has turned the light off in the room on the right. In the middle, he has turned the middle room's bed from a sofa into a lie-flat bed (you can see the pillows are up in the other two photos), and finally, on the right, he could turn the light on and off in the leftmost room. In the top right is his laptop screen controlling everything.


It turned out that Bob was still at the hotel when Kya returned. Everyone staying in the hotel was out during the day, so he could experiment to identify which room was Bob's. Then every two hours during the night he would turn the lights on or off, turn the bed into a sofa, and so on. Bob would have thought there was a ghost in his room. Of course, this was done with a script, so Kya did not need to wake up every two hours.


He told both the hotel and Nasnos. The hotel took it seriously, and the problems have been fixed with a new architecture. He received no answer from Nasnos. Oh, and he changed some important details for this BlackHat presentation; it didn't work precisely like this.


In the live-stream footage of the round-trip flight, Blue Origin staffers at the 50-minute mark are seen trying to stamp down some stubborn shrubbery around the capsule while the space tourists inside peer from the windows. Two staffers brought along a blue metal two-step ladder for the crew members to use to disembark, but it took several long minutes for the team to kick back the shrubs surrounding the vessel and position the ladder on the uneven ground.


Some in the online peanut gallery took the opportunity to gently poke fun at the shrub incident. In r/SpaceXMasterrace, one Redditor posted a meme with two pictures: a Blue Origin rocket launching into space and an image capture of the capsule on Sunday surrounded by shrubbery. The meme is titled "Who would win? Giant Dick Ship [versus] A Few Planty Bois." The Redditor labeled the post: "Unexpected Foliage Contingency."


Besides the foliage issue, this flight made history because one of its crew members, Ed Dwight, became the oldest astronaut in human history at 90 years old. He was also at one time the first Black astronaut candidate for America's space program back in the 1960s, but was passed over, making Sunday his chance for a spectacular redo.


The Sunday flight was also a triumph for Blue Origin after a hiatus of two years. The company had temporarily grounded operations in 2022 after its reusable rocket, New Shepard, suffered a booster malfunction mid-flight and was forced to eject its capsule of NASA experiments. Thankfully, the flight had no passengers.


After gathering the required firmware binaries, the capsule image can be generated using the capsule generation tool. Please refer to Generating Component Binaries for Capsule for details about generating component binaries for the capsule.


The following command generates a capsule image (FwuImage.bin) containing a container component, the TSN MAC address inside the container IPFW (tsnmacaddr.bin), signed by the key FirmwareUpdateTestKey_Priv_RSA2048.pem:


If the updatable component is part of the flash map, the 4-byte string identifying the component should be the component ID from the flash map. At runtime, the firmware update payload looks for this 4-byte string in the flash map and, if it is found, updates the component.


Please refer to the Slimbootloader binary for capsule image section of the desired board page in Supported Hardware to understand how to generate the Slimbootloader binary for the capsule.


The Configuration Data region inside SBL is padded, so to generate a capsule image that updates the configuration data region, use the CFGDATA.pad file produced by building Slim Bootloader. After the build, the file is available at Build/BootloaderCorePkg/DEBUG_VS2015x86/FV/CFGDATA.pad.


Slim Bootloader can update component regions inside a container component in the BIOS region. The GenContainer.py tool can help sign and create a component binary that can be used for updating a specific component region inside the container.


EFI_FIRMWARE_MANAGEMENT_CAPSULE_HEADER is followed by one or more update images, each preceded by an EFI_FIRMWARE_MANAGEMENT_CAPSULE_IMAGE_HEADER header, and is defined in the UEFI specification as follows:


SBL provides a platform-independent, abstracted way of triggering a firmware update from the operating system. SBL provides two ACPI methods, DWMI.WQ00 for read and DWMI.WS00 for write, to a platform-specific chipset register that can survive a reset to signal a firmware update. Please refer to the Triggering Firmware Update section of the desired board page in Supported Hardware to find a sample implementation.


This means that there was no network connectivity to the remote storage provider. (In the example above, it is saying that after 25000 milliseconds, i.e. 25 seconds, 0 bytes of data, i.e. absolutely none, had been transferred.)


Note that WP Time Capsule is engineered to retry if there is a network problem. Network problems happen often enough. You should wait at least half an hour before reporting the problem to anyone, to make sure that it is not just a one-off glitch.


If this does resolve the issue, then you should definitely report this to your web hosting provider, so that they can fix the misconfiguration on their server, which is better than just working around it in WP Time Capsule.


I also tried replacing the XML with my custom one (the one I passed to flash.sh) in both BASE_BSP and TARGET_BSP prior to generating the capsule, so that it gets used, but still no luck; the firmware refuses to apply the capsule.


The use case for having a replaced uefi_jetson.bin is to include symlink support, which has been merged in a newer edk2 revision, and I want to use the capsule update to update the UEFI firmware OTA, i.e. jumping from L4T 35.2.1 to 35.3.1, etc.


Yes, so simply booting into the Ubuntu rootfs once, without any other action, and then booting my OS and triggering the UEFI update does the job. Must be something in the rootfs then, some marking of a successful boot or slot perhaps.


Looks like the script /opt/nvidia/l4t-bootloader-config/nv-l4t-bootloader-config.sh -v is run on startup in Ubuntu, and is the one that allows updates to be triggered. It creates and updates some platform and platform compat spec UEFI variables in /sys/efi/efivars/. Not having those set was causing the update failure.
