p*******m posts: 20761 | 1 Some users on DSLReports believe they've been able to patch the OBi1xx
firmware to work with Google's new certificates. There's also speculation
that using a similar technique, it will be possible to configure OBi1xx
devices to work with Google Voice without using the OBiTALK portal.
I realize Google has either rolled out old certificates or made them
available due to load balancing, however the user in question removed the
Equifax certificate and was not able to log in to the old servers. So, I
believe things are working as he intends.
This is still in the early stages of development, so making this upgrade
requires a fair amount of technical knowledge - for the moment. I'm
optimistic things will improve over the coming days.
https://www.dslreports.com/forum/r31741105-ObiHAI-Obi100-Obi110-Firmware-Mod-Discussion
b***t posts: 1248 |
f****l posts: 8042 |
t*****e posts: 15794 | 4 Can someone briefly explain what these two passages mean? I can't make sense of them.
talkbot
join:2017-12-11
ObiHAI Obi100/Obi110 Firmware Mod Discussion
So many of us have the Obi1xx series devices that recently stopped
connecting to google servers due to a certificate update. This thread is
intended to discuss the possibility of modifying the firmware to update the
certificate and let these devices work with Google Voice again.
These devices are based on a MIPS-X processor similar to the Sipura ATAs and
there is not a lot of tools/docs out there about them except for a Yahoo
Group mostly related to DVD player chipsets. The venerable DogFace05 who
was an expert with these types of devices once posted that he was able to
extract this firmware successfully. Not sure if he is still around. Anyone
else familiar with this architecture?
It seems that the place to start looking is the end of the firmware update
file which contains some kind of table. Then there seems to be a loader
section which presumably decompresses one or more other sections and loads
them to RAM before executing the firmware.
So the questions are:
Can we extract, modify, and repack the firmware and create proper checksums/
signatures?
Where is the certificate stored and in what format?
Can we drop in a new certificate without messing up other things (e.g. if
the length of the certificate has changed) or do we need to move the
certificate and patch the code pointing to it?
Is updating the certificate enough or is the codebase missing support that
is necessary (e.g. if key length has changed)?
Anyone who wants to participate please post your thoughts.
Thanks
2017-Dec-11 11:59 pm
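The post above asks where the certificate lives in the image and in what format, and guesses that the tail of the update file holds a table and that a loader decompresses other sections. Before any MIPS-X disassembly, a first pass over the raw bytes can answer part of that. The following is an added example, not code from the DSLReports thread or from ObiHAI: it scans a blob for PEM certificate markers, for DER-encoded X.509 certificates (found by parsing ASN.1 tag/length headers and checking the Certificate ::= SEQUENCE { tbs, sigAlg, BIT STRING } shape, with no signature verification), and reports per-block byte entropy so that compressed or encrypted regions stand out from code and padding. The 16 KiB sample image, its offsets and the dummy certificate inside it are constructed here and say nothing about the real OBi firmware layout.

```python
import base64
import hashlib
import math
import re
from typing import Dict, List, Optional, Tuple

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def der_header(data: bytes, off: int) -> Optional[Tuple[int, int, int]]:
    """Parse one DER tag + length at `off`; return (tag, header_len, content_len)."""
    if off + 2 > len(data):
        return None
    tag, first = data[off], data[off + 1]
    if first < 0x80:                      # short-form length
        return tag, 2, first
    nbytes = first & 0x7F                 # long form: the next nbytes hold the length
    if nbytes == 0 or nbytes > 4 or off + 2 + nbytes > len(data):
        return None
    return tag, 2 + nbytes, int.from_bytes(data[off + 2:off + 2 + nbytes], "big")


def x509_length_at(data: bytes, off: int) -> Optional[int]:
    """Total length of an X.509 certificate starting at `off`, or None.

    Structural check only:
      Certificate ::= SEQUENCE { tbsCertificate SEQUENCE,
                                 signatureAlgorithm SEQUENCE { OID, ... },
                                 signatureValue BIT STRING }
    """
    outer = der_header(data, off)
    if outer is None or outer[0] != 0x30 or outer[2] < 64:
        return None
    end = off + outer[1] + outer[2]
    if end > len(data):
        return None
    pos, children = off + outer[1], []
    while pos < end and len(children) < 3:
        h = der_header(data, pos)
        if h is None:
            return None
        children.append((h[0], pos + h[1]))   # (tag, offset of content)
        pos += h[1] + h[2]
    if pos != end or len(children) != 3:      # exactly three children filling the SEQUENCE
        return None
    (t0, _), (t1, alg_body), (t2, _) = children
    if (t0, t1, t2) != (0x30, 0x30, 0x03):
        return None
    oid = der_header(data, alg_body)
    if oid is None or oid[0] != 0x06:         # AlgorithmIdentifier starts with an OID
        return None
    return end - off


def find_der_certs(data: bytes) -> List[Tuple[int, int]]:
    """(offset, length) of every DER certificate found by scanning for SEQUENCE tags."""
    found, i = [], 0
    while i < len(data) - 1:
        if data[i] == 0x30:
            n = x509_length_at(data, i)
            if n:
                found.append((i, n))
                i += n                        # skip the certificate's own inner SEQUENCEs
                continue
        i += 1
    return found


def block_entropy(data: bytes, block: int = 4096) -> List[Tuple[int, float]]:
    """Shannon entropy (bits per byte) of each block; ~8.0 means compressed/encrypted."""
    out = []
    for start in range(0, len(data), block):
        chunk = data[start:start + block]
        counts = [0] * 256
        for b in chunk:
            counts[b] += 1
        n = len(chunk)
        out.append((start, round(-sum(c / n * math.log2(c / n) for c in counts if c), 2)))
    return out


def triage(data: bytes, entropy_threshold: float = 7.5) -> Dict[str, list]:
    return {
        "der_certs": find_der_certs(data),
        "pem_certs": [m.start() for m in PEM_CERT.finditer(data)],
        "high_entropy_blocks": [s for s, e in block_entropy(data) if e >= entropy_threshold],
    }


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # OID 1.2.840.113549.1.1.11
RSA_ENC = bytes.fromhex("2a864886f70d010101")      # OID 1.2.840.113549.1.1.1


def build_sample_blob() -> Tuple[bytes, int, int]:
    """Constructed 16 KiB image (not an OBi image): zero padding, a dummy unsigned
    certificate in DER, the same certificate as PEM, and a pseudo-random region
    standing in for a compressed payload. Returns (blob, der_offset, der_length)."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01\x23")
              + der(0x30, der(0x06, SHA256_RSA) + der(0x05, b""))
              + der(0x30, der(0x06, RSA_ENC) + der(0x03, b"\x00" + b"\x01" * 128)))
    sig_alg = der(0x30, der(0x06, SHA256_RSA) + der(0x05, b""))
    sig = der(0x03, b"\x00" + bytes(range(256)))
    cert = der(0x30, tbs + sig_alg + sig)
    pem = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"
    noise, seed = b"", b"constructed-seed"
    while len(noise) < 4096:                  # deterministic high-entropy filler
        seed = hashlib.sha256(seed).digest()
        noise += seed
    blob = bytes(4096) + cert.ljust(4096, b"\x00") + pem.ljust(4096, b"\x00") + noise[:4096]
    return blob, 4096, len(cert)
```

On a real dump, run `triage(open("fw.bin", "rb").read())`: a hit in `der_certs` or `pem_certs` answers the format question directly and gives the offset and length a patch would have to respect, while a region with entropy near 8.0 that contains no hits is the place to suspect compression, so the certificate would only be visible after the loader's decompression step is reproduced.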
Stewart
join:2005-07-13
AT&T U-verse Voice
Interesting project, though not for me personally, because:
1. IMO an ATA is a crude compromise solution. If I were to add an
enhancement to a VoIP device, it would most likely be an IP phone. I do own
an OBi110, but only the Line port is in use.
2. IMO GV is a mediocre service that happens to be priced at zero, only a
little less expensive than some good ones.
3. My 70+ year old brain can no longer simultaneously hold many details
about assembly code for an unfamiliar architecture. Reverse engineering
(for me) requires detailed documentation of each step, which I find very
tedious.
Some concerns:
The SPA firmware has two integrity checks, MD5 and a proprietary one that
preprocesses each byte with a 'secret' algorithm and takes MD5 of the
result. If the OBi does something similar, one would have to find the relevant
code and decompile it well enough to understand the algorithm. Worse, I am
guessing that they instead use a real (cryptographic) signature. Since it's
probably not possible to (legally) obtain the private key, one would need
to find a vulnerability that permits loading unsigned code.
I'm guessing that several devices will be bricked in the course of
development. It's of course possible to unbrick a device by saving the
flash before the experiment and restoring it afterwards. However, I don't
know whether that's possible by JTAG or other simple method, or whether
removal of the flash chip is needed.
Some rays of hope:
On a wired broadband connection, an MITM attack is unlikely, so merely
disabling the failing certificate check may be an adequate fix. There is
likely a place in the code where toggling a single bit will suffice,
certainly by changing one byte. This may be much easier than the proper mod.
One may be able to find a 'remote code execution' vulnerability that can be
used to make the patch (either one byte, or the proper one). This would
eliminate the need to satisfy the integrity checks.
I assume that ITSPs have a way to present config files by HTTPS, using a
cert that the OBi can verify. With that private key, one could write a
simple MITM script that would sit between Google and the device, accepting
or ignoring the Google cert and presenting the OBi with an acceptable one.
Many years ago, I did a crude MIPS-X disassembler in perl. If you get past
decryption / decompression and can't find anything better online, I'll try
to find it on an old backup.
[Quoting p*******m's post above]
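Stewart's post describes the SPA firmware's plain MD5 integrity check and a one-byte patch to disable the failing certificate check, and the earlier post asks whether a repacked image can be given proper checksums. A practical first step is to find out whether the image stores a plain digest of itself at all, and where. The following is an added example in Python, not code from the thread or from ObiHAI: it locates a digest of a file prefix that appears verbatim in the file's tail (trying MD5, SHA-1, SHA-256 and CRC32 in both byte orders over every candidate split point, with incremental hashing so the scan is one pass per algorithm), then applies a byte patch and rewrites every located digest. The trailer layout of the sample image is constructed here; the real OBi/SPA trailer, any proprietary preprocessing of the kind Stewart mentions, and any cryptographic signature are not modelled, and a signed image would not be fixable this way.

```python
import hashlib
import struct
import zlib
from typing import List, Tuple

Scheme = Tuple[str, int, int]   # (algorithm, body_len, digest_offset)

HASHES = ("md5", "sha1", "sha256")


def _digests_by_split(data: bytes, lo: int, hi: int):
    """Yield (algo, split, digest of data[:split]) for every split in [lo, hi),
    hashing incrementally so the run costs one pass per algorithm, not one per split."""
    for algo in HASHES:
        h = hashlib.new(algo)
        h.update(data[:lo])
        for split in range(lo, hi):
            yield algo, split, h.copy().digest()
            h.update(data[split:split + 1])
    crc = zlib.crc32(data[:lo])
    for split in range(lo, hi):
        yield "crc32-le", split, struct.pack("<I", crc)
        yield "crc32-be", split, struct.pack(">I", crc)
        crc = zlib.crc32(data[split:split + 1], crc)


def locate_checksums(data: bytes, max_trailer: int = 512) -> List[Scheme]:
    """Find digests of a file prefix that are stored verbatim somewhere after it,
    assuming the trailer is at most max_trailer bytes (an assumed bound)."""
    lo, hi = max(0, len(data) - max_trailer), len(data) - 4
    found = []
    for algo, split, digest in _digests_by_split(data, lo, hi):
        at = data.find(digest, split)
        if at != -1:
            found.append((algo, split, at))
    return found


def apply_patch(data: bytes, offset: int, new_bytes: bytes, schemes: List[Scheme]) -> bytes:
    """Write new_bytes at offset, then recompute every located digest so the image
    still satisfies the plain-digest checks that locate_checksums() identified."""
    buf = bytearray(data)
    buf[offset:offset + len(new_bytes)] = new_bytes
    for algo, body_len, at in schemes:
        if offset + len(new_bytes) > body_len:
            raise ValueError("patch overlaps the trailer; digest layout would change")
        body = bytes(buf[:body_len])
        if algo.startswith("crc32"):
            digest = struct.pack("<I" if algo.endswith("le") else ">I", zlib.crc32(body))
        else:
            digest = hashlib.new(algo, body).digest()
        buf[at:at + len(digest)] = digest
    return bytes(buf)


def build_sample_image() -> bytes:
    """Constructed image (not an OBi image): 8 KiB of pseudo-random 'code' followed
    by a trailer holding the body length, MD5 of the body and a little-endian CRC32."""
    body, seed = b"", b"firmware-seed"
    while len(body) < 8192:
        seed = hashlib.sha256(seed).digest()
        body += seed
    body = body[:8192]
    trailer = (struct.pack("<I", len(body)) + hashlib.md5(body).digest()
               + struct.pack("<I", zlib.crc32(body)))
    return body + trailer


if __name__ == "__main__":
    img = build_sample_image()
    schemes = locate_checksums(img)
    print(schemes)                       # md5 and crc32-le over the 8192-byte body
    patched = apply_patch(img, 0x100, b"\x00", schemes)
    print(locate_checksums(patched))     # same schemes still hold after the patch
```

If `locate_checksums` returns nothing on a real image, either the digest covers a different span (a header-skipped body, or each section separately), the bytes are preprocessed before hashing as Stewart describes for the SPA, or the check is a signature; in the first case widening the split range and hashing from candidate section starts is the next step, and in the last case no amount of checksum repair helps.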