Unlock SSH Access on Bobcat Miner 300 (2023)

Introduction

I have always been a cryptocurrency enthusiast, one day I discovered this cryptocurrency called Helium (HNT), which is a very particular cryptocurrency and different from the usual ones, it is a cryptocurrency developed for IoT applications via the LoRaWAN network. The token is not generated through PoW like BTC but through PoC with this device called "Hotspots" which are basically the mining part of the Network.

Hotspots provide miles of wireless network coverage to millions of devices around you using Helium LongFi, and you get rewarded in HNT for that. And because of an innovative proof-of-work model (we call it the "Coverage Test"), your Hotspot uses only 5W of power.

https://www.helio.com/mine

Obviously the function is quite complex and articulate, I'm not the best person to explain it, but I invite you towe informbecause it's very interesting and could be a very good technology for the future of IoT.

all very cool right? But one of the first things that disappointed me is that to do this mining currently you cannot use your computer connected to a simple LoRa card or create your own miner like with a Rasperry pi, but you must necessarily use a dedicated miner made by a company . authorized by the project management company.

Why?..

But despite that, moved by the hype, I decided to try this "revolution" of cryptocurrencies, not wanting to wait 6 months for delivery ordering on official websites, I went on Ebay and bought one with 24h shipping, spending practically twice as much. original price. I bought a Bobcat 300 miner, which has to be one of the best miners on the market.

I also bought a nice powerful antenna, installed everything on the roof of my house, created a VPN system on my network to publicly expose a specific port needed for mining.

At first everything worked very well and the first mining profits arrived, not too high and lower than I expected, but acceptable.

But after a few months mining profits were well below zero, it seems that everyone in my area decided to mine HNT as well. Anyway, among so many problems and ridiculous profits I realized that I will never recover my investment, so at least let's see what I get...

Device and security concerns

The HNT miner usually needs to publicly open TCP port 44158 to communicate with the HNT blockchain, so port forwarding is required for it to work properly, and this will expose our private IP, which is not good, but you can use a VPN with a VPS, this should be best practice

But do we really manufacture this device?

After some research, I found this photo of an old model, where "EasyLinkin" is written as the manufacturer on the back:https://fccid.io/2AZCK-MINER300/External-Photos/External-Photos-5413181

So the real factory is this Chinese company: http://www.easylinkin.net/, we can see from the homepage that there is a device identical to our Bobcat 300. This product is used in industrial level for different applications and modes. For this reason, on the motherboard we find several slots for things not related to HNT or empty, such as GPS, etc.

On the internet there are scary stories of people who also opened port 22 and found themselves in their own compromised network.

Clearly, Bobcat support can access our device remotely if port 22 is exposed...
Then unknown people from an unknown country (probably China) can access our personal device and do any operation... other devices on the network, try to hack into them, steal private data or compromise our network in general. Or whoever has that SSH key can use these devices to create a botnet and carry out malicious attacks from our ISP.

This raises several questions: Who has access to SSH keys? Are these keys unique to each device or is it just one for all? How are these keys stored? Who has access to it?

So, with all these security concerns, it's time to take full control of this miner and stop anyone from accessing it without permission. But before continuing with this reading, make sure your Bobcat is not currently showing port 22 on the Internet.

blow

Warning: The following procedure may void the device's warranty and potentially break the device or compromise its behavior.

Proceed at your own risk, I am not responsible for any damage you may cause.

Before starting:

• This guide tries to be as simple and clear as possible for everyone, but some IT knowledge assumptions are accepted, especially about using a Unix shell.
• Not sure if the technique below works on all Bobcat 300s as there are multiple hardware versions and revisions so it may not work on your device or the exploit has been fixed with a firmware update.
• This was made on board: TU-GM1002Z, RockChip RK3566 CPU, firmware version: V.1.0.2.91
• Pro Tips: If there is no recovery button on your device's motherboard but there are 'holes' where it should be or somewhere similar, if you have the skills, try soldering a button :)

The device offers some open TCP ports, we have port 22 for SSH, port 80 for the web interface and port 44158 which is the main port for the HNT protocol.

The web server doesn't expose many specific functions or pages that could be vulnerable to an exploit, and the other ports don't offer anything interesting.

So, it's time to see what's under the hood. The interesting parts are the "recovery" button and the 2 micro USB ports "USB_OTG" and "DEBUG". Initially I thought that debugging was the most important thing, but actually it's the "USB_OTG" we are interested in. The "DEBUG" port can probably be used to upload and download firmware, but the manufacturer's drivers and applications are required.

Disconnect all cables from the device, including the power supply, press and hold the "recovery" button while inserting the power cable and wait a few seconds with the button pressed before releasing it.

If after that the light on the LoRa antenna board turns on and the main LED remains off, it means that we have successfully entered recovery mode.

Now, just insert a micro USB cable into the "USB_OTG" port (the one exposed on the panel, not the internal "debug" port) and connect it to your computer. In the computer's device manager, we will find a device "Android ADB interface" connected.

If no device is found or the computer cannot identify the device type, it may be helpful to install theRockChip controlleror other useful drivers for the ADB interface.

LosAndroid Debug Bridge (ADB)is a versatile command line tool that allows you to communicate with a device, basically it is a tool that creates a UNIX-like shell on an Android/ARM based device. We just need to download the Android SDK tool fromhereand open cmd in the directory containing adb.exe.

First, use the command "adb devices" to get the list of devices, if everything worked, we should have a device in the results. And now just run the "shell adb" and as a result we will have a UNIX like shell directly in the miner as we can see in "admin@bobcatminer"

This shell has the Unix user called 'admin' and we have root permissions, but it's an incomplete operating system, this is a recovery, it's a fake operating system. used for debugging purposes. We can have fun exploring the file system, but there isn't much, the only interesting thing is inside the /userdata directory, where the scripts and test results performed at the factory to verify the device's operation are present, as well as the keys/certificates (generated based on the MAC address of the device) which at first glance seem to be used for OpenVPN (maybe for OTA update(?), very interesting... but that's not what we're interested in unlocking that device, maybe it'll come back on another time to take a look at this folder...

After exploring a bit, I found that the disk is partitioned and divided into multiple sectors to check this, just use the commandfdisk - lto see the partitions inside the disk.

By far the most interesting partition is the one called "rootfs", which should contain the entire filesystem and none of them implement any security checks or encryption, so... why not try just mounting them?

Use the command "montar /dev/block/by-name/rootfs /mnt/sdcard" to mount the "rootfs" sector in the /mnt/sdcard folder (you can use any empty folder).

Now in this folder we mount the actual device file system which will be used in its normal operation and we have full read and write permissions so we can modify it to our liking. There are several interesting files and folders, but our goal is to take control of the device and we can explore the file system later once we've established solid access.

So I'll get straight to the point.

As we said before, there is an SSH port, let's check who has access to this port with the command "cat /mnt/sdcard/home/admin/.ssh/authorized_keys"

This file contains a public key basically anyone who has the corresponding private key can login directly from SSH and have full control of the device, this must just be the manufacturing company for support reasons right?

Also, it would be interesting to know if the keys are uniquely generated for each device or if it is the same for each device, so whoever finds this key will possibly compromise all the miners and create a botnet.

If we replace this key with another one under our control, we will have access to the SSH service with the user administrator. To do this, we can use PuttyGen to create our keyring and use the echo command to replace it on the authorized host. You can also add it after what's already in use if you want to keep it for support (or if you like the idea of ​​a stranger being able to connect to your device :D ) or just make a backup and change it if needed. 🇧🇷

After generating the keys, use the "echo "ssh-rsa AAAAB3Nza…….." > /mnt/sdcard/home/admin/.ssh/authorized_keys" by inserting in it the output of putty gen which is the public key but already structured for this file, and save the corresponding private key with the "Save Private Key" button.

To enter the device it is established that in addition to the private key, the user password is also required, so in this case the administrator user password, we can try to force the user password present in the file shadow. or we can simply modify the file/mnt/sdcard/home/admin/.ssh/autorizadas_claveschange the last string from "Public key, password authentication methods" one "Public key authentication methods"

For this, we modified the SSH service configuration file, establishing only the exchange of certificates without the password as an authentication method.

And now restart the device and reconnect as usual, it will start its normal work no difference... But now you can use Putty, or your favorite remote connection tool, to SSH to your normal IP and set the authentication method. the private key generated by us and as an admin user.

By doing this we have full control of the device as root user, we can see everything and fully control it; so in case HNT mining becomes useless one day, we can at least use this device as a personal one. miniserver :)

conclusion

Unfortunately due to lack of time and experience on this type of device I didn't delve into exploring the file system in depth, it will be interesting to see if someone finds something interesting inside or finds ways to improve the device. It will certainly be interesting to see what the community comes up with.

And please, before putting any strange device on your home network, check well what it is and if it can be a cyber attack vector and, above all, never expose ports (such as 22) freely on the Internet if you don't have full control access. from that

If you have any problems or you are unable to follow this guide, please contact me directly, I will try to respond as soon as possible.

Thanks for reading.