Mitsubishi Stuff (MAC-577IF2-E)

1. Device: Ameba1
2. Processor: ARM Little Endian
3. Arch: Arm Cortex-M-Family (Armv7-M) ---> ARMv7-M: Cortex-M3 (@166MHz)
4. Newest firmware: 2021/06/07-22:36:47
5.  
6. section 1: RAM
7. start: 0x10
8. length: 306 940 (0x4AEFC)
9. mapped to: 0x10006000
10. SRAM (code/data)
11.  
12. section 2: ROM
13. start: 0x4AF1C
14. length: 1 101 476 (0x10CEA4)
15. mapped to: 0x30000000
16. SDRAM (code/data)
17.  
18. ESV:
19. 1. Base 64 decode it
20. 2. AES decrypt it
21. 3. Resulting data should start with a CSV tag
22.  
23. AES:
24. 128 bit (16 bytes, 32 bytes as a string) key. 10 rounds. Likely static IV
25. code reads 0x21 = 33 bytes (32 bytes + 00 terminator?) from flash memory at position 0xE7
26.  
27. R4 = R1 from input
28. R8 = 0x100533AC
29.  
30. key from: 10056C10
31.  
32. Flash Memory:
33. -BA = Device WPA Key
34. -C4 = melcloud domain name (form addr: 0x10057BCC)
35. -E7 = AES key (16 bytes, 128 bit)
36. -EB = active unique cert (only applies when use unique is true) (form addr: 0x10057C40)
37. -FD = use unique client cert (form addr: 0x100649F2) (might be exactly the reverse with the above)
38.  
39. -Key is send to server (described as HTTPC frameDataGet_fd() decsec_getdata_fi DECSEC_KEYCODE NG)
40. -Key is likely updated or can be updated by the server (see readAndWriteKeyFromFlash)
41. -It seems the key is updated only when it already was set to something else
42. -Seems viable that the key can be sniffed, but then MelCloud connection might need to be blocked forever to avoid key updates (if melcloud even currently does update it since it has no support for it, with extreme luck the key could be factory flashed to 0)
43. -Key could be leaked by posing as the server with a trusted CA cert (Amazon or Verisign)
44.  
45. Useful links:
46. https://blog.dest-unreach.be/2022/06/04/mitsubishi-wifi-adapter/
47. https://github.com/zacharyrs/ha-melview/issues/2
48.  
49. Contains CA certs for Amazon IoT Core (VeriSign and Amazon Root CA 1)
50.  
51. Routes:
52. Device allows config changes via web forms:
53. -Debug settings (publishes to /analyze with post)
54. -Function settings (publishes to /config with post)
55. -Factory reset (publishes to /default with post)
56. -Network settings (publishes to /network with post)
57. -Server settings (publishes to /server with post)
58. -Service settings (publishes to /service with post)
59. -Unit Information (gets from /unitinfo)
60. -Firmware/Application Update (publishes to /update with post)
61.  
62. Debug settings:
63. -Analyze (debugStatus to off or on, probably enables the logger)
64.  
65. Function settings:
66. -Connect internet (serverStatus to yes or no)
67.  
68. Factory reset:
69. -Factory default configuration (Factory Reset or normal Reset)
70.  
71. Server settings is probably secured, but allows interesting changes:
72. -Server URL (API Url?)
73. -Polling cycle (1 to 59 seconds secs/mins/hours/days)
74. -SPMODE timeout (5, 10, 15 or 20 minutes)
75. -Default client certificate
76. -Client certificate (unique or default)
77.  
78. Service settings allows to enable echonet!:
79. -Enable ecomode (Echonet) (Enable, Disable)
80.  
81. Unit Informations:
82. -Adapter info (name, version, mac, thermal image timestamp etc.)
83. -Unit info (unit type, IT version, last error)
84. -Reload button
85.  
86. Firmware Update:
87. -chkFirmFile(). Allows user to drop a firmware bin file which is uploaded via multipart/form-data
88.  
89. free routes:
90. /smart
91. /adapter_image2.gif
92. /javaScript.js
93. /common.css
94. /license
95.  
96. partially free:
97. /network apparently on first ever use (root also directs to /network probably)
98. auth, but accessible as user:
99. /config because the user password is known (username: user and the KEY password printed on the device sticker, 12 chars, only uppercase and numbers)
100. auth, locked behind root:
101. /network
102. /unitinfo
103. /service (highly desirable)
104. /apinfo
105. / (root maybe)
106.  
107. auth, locked behind super user:
108. /server (desirable)
109. /update
110. /updateFinish
111. /updateFail
112. /default
113.  
114. auth, locked behind admin:
115. /analyze
116.  
117. Server page settings:
118. url: Server URL
119. cycle: Polling Cycle
120. unit: min/sec/hour/day
121. spmode: SPMODE timeout (5 to 20 min)
122. DefCliCert: Default client certificate (dynamically populated list of options)
123. CliCert: Client certificate (unique/default)
124.  
125. If DefCliCert is set, it seemingly always forces CliCert to unique and sets it as the new default cert. CliCert to unique without actually setting a cert does nothing. If DefCliCert is not set, nothing will happen unless CliCert was set to default and differs from the current value on storage, if so it will switch back to default cert
126.  
127.  
128. Cipher Suites supported:
129. Weak:
130. TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA (weak, TLS 1.0 to 1.3)
131. TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA (weak, TLS 1.0 to 1.3)
132. TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 (weak, TLS 1.2 to 1.3)
133.  
134. Secure:
135. TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 (secure, TLS 1.2 to 1.3)
136.  
137. Weak:
138. TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA (weak, TLS 1.0 to 1.3) (probably weakest total?)
139. TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA (weak, TLS 1.0 to 1.3)
140. TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256 (weak, TLS 1.2 to 1.3)
141.  
142. Secure:
143. TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 (secure, TLS 1.2 to 1.3)
144.  
145. Secure:
146. TLS-RSA-WITH-AES-128-GCM-SHA256 (secure, TLS 1.2 to 1.3)
147.  
148. Weak:
149. TLS-RSA-WITH-AES-128-CBC-SHA256 (weak, TLS 1.2 to 1.3)
150. TLS-RSA-WITH-AES-256-CBC-SHA256 (weak, TLS 1.2 to 1.3)
151. TLS-RSA-WITH-AES-128-CBC-SHA (TLS 1.0 to TLS 1.3) (probably weakest total?)
152. TLS-RSA-WITH-AES-256-CBC-SHA (TLS 1.0 to TLS 1.3)
153.  
154. Curves supported:
155. secp256r1
156.  
157. Signature algorithms supported:
158. RSA_MD5 (weakest)
159. RSA_SHA1
160. RSA_SHA224
161. RSA_SHA256
162. ECDSA_SHA1
163. ECDSA_SHA224
164. ECDSA_SHA256
165.  
166. Symmetric block cipher algorithms:
167. AES-256-CBC
168.  
169. Message digest algos:
170. md5 (weakest)
171. sha1
172. sha224
173. sha256
174.  
175.  
176.  
177. Possible avenues into the device:
178. 1. Crack the user:admin password, then can enable echonet on the service page for local control. For complete control can also manipulate server page settings. Can possibly switch CA between VeriSign and Amazon with the default/unique option. Amazon might be enabled by default on top of the custom CA. Get a valid signed Amazon cert by hosting on their servers. However can not switch the URL without access to the server page, since dynamic manipulation would break TLS
179.  
180. 2. Read out flash memory from NVRAM to read the AES key, then block MelCloud to avoid updates of the key and can use the /smart API with encrypt/decrypt
181.  
182. 3. Abuse some vulnerability in the TLS ciphers to decrypt the traffic and obtain the AES key. Since the server still supports http fallback, maybe it also supports some very old insecure ciphers, so you could try something like Logjam: https://github.com/concise/logjam-attack-poc
183. Also see: https://security.stackexchange.com/questions/197028/how-to-eavesdrop-and-decrypt-the-https-communication-of-an-iot-device
184.  
185.  
186. 1 in more detail with ideal attack vector:
187. Crack the user: admin password by ensuring wifi controller is set to factory settings, then connect laptop directly to it. Position laptop as close as possible, eliminate all background processing. Run berkeley sockets in small C visual studio app or maybe a linux system to further reduce timing inconsistencies. Test it out by authing to the /config page with user:KEY scheme and see if you get a 200 success response for a GET. Measure time from upon finishing sending the last block of data before server starts to work to the incoming of the result as precise as possible with the highest accuracy available clock. Do a few tests to the /config page by only getting one base64 character right vs getting all but one right and also test difference between 1 and 2 right. With enough background data begin targeting the /analyze page which will only have one match for the user admin. Try unknown 2 base64 characters (starting from past colon since admin is perfect) at a time (64 * 64 possibilities = 4096 tries) and record each timing for the first character [0-63]. Note which FIRST character to be tested out of the 64 possibilities got the longest avg timing by checking each list all entries. If difference is apparent right away, can try to reduce further loops by detecting early if a character's avg is higher upon finishing the 64 loops than the prior checked character by a significant enough margin. Eventually will get a full match and a 200 success response
188.  
189. With user: admin and the admin password, can access the /service page (that root also can access) and enable echonet (easy API for everyone with existing libraries)
190. With the admin credentials, can access the /server page (that super user also can access), backup existing server url and cert settings and then set the server url to a AWS IoT Core or API Gateway domain (with matching cert setting), which allows dumping the client-server communication and the device AES key for the /smart route
191.  
192. Mitsubishi uses AWS IoT Core with MQTT for debug/dev. That's why they added the following 2 CAs to their trust store:
193. VeriSign (legacy so probably no longer the default) (might be 'unique' now) for iot:Data. VeriSign Class 3 Public Primary G5 root CA certificate
194.  
195. Amazon CA (hopefully the default) for iot:Data-ATS. Amazon Trust Services
196.  
197. Device uses RSA-based certificate validation and not ECC because it omits the other Amazon CA certs outside 1:
198. "If you cannot store all of these certificates on your device and if your devices do not use ECC-based validation, you can omit the Amazon Root CA 3 and Amazon Root CA 4 ECC certificates. If your devices do not implement RSA-based certificate validation omit Amazon Root CA 1"
199.  
200. Could also use the AWS API Gateway: https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started.html
201.  
202.  
203. Cracking the admin password info:
204. -Max password plain text length: 65 characters
205. -User password comes from flash memory: 0xBA (Wifi Key) (64 chars max, in practice only 12), the other 3 passwords come from a secret store:
206. secret 0 = decsec_keycode: offset 0, 32 byte length
207. secret 1-2: 65 byte length max
208. secret 3 = root pw: offset 0xA2, 65 byte length max
209. secret 4 = super user pw: offset 0xE3, 65 byte length max
210. secret 5 = admin pw: offset 0x124, 65 byte length max
211. secret 6 = offset 0x400, 9216 byte length max (maybe root cert?)
212. secret 7-8: 3072 byte length max (likely certs?)
213. This data might get populated from some other non reprogrammable memory set
214.  
215. secretBase = 0x30087AD4
216.  
217. Only reasonable way of attack would be via a timed side channel attack since the password comparison is done using strcmp on base64 hashes.
218. Use Linux. Use hardware timestamps at the nanosecond level. Directly capture network traffic at the adapter level to get the most accurate timings free from application noise
219.  
220. @166MHz
221. 166 000 000 cycles per second
222. 8-18 instruction difference between matching 0-2 characters
223. 166 000 instructions per ms
224. 0,166 instructions per ns
225. 108 ns difference at max