|
| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: Spotify Car Thing - Root and Custom OS toolkit |
| 4 | +--- |
| 5 | + |
| 6 | +## "NotABug" - [superbird-bulkcmd](https://github.com/oddsolutions/superbird-bulkcmd) |
| 7 | + |
| 8 | +[Spotify Car Thing](https://carthing.spotify.com/) (superbird) resources to access U-Boot, and subsequently a root shell over USB. But according to Spotify this is not a bug. Therefore that means it must be a ["feature"](https://miro.medium.com/max/1200/1*KDfUqn6c66axcbsTPPWSpQ.jpeg). |
| 9 | + |
| 10 | + |
| 11 | + |
| 12 | +*Note: this method has been tested on the factory firmware (device never used/updated : App Version 0.24.107 - OS Version 6.3.29), but should work on all firmware versions released as of this article's writing.* |
| 13 | + |
| 14 | +# Standard Disclaimer |
| 15 | +You are solely responsible for any potential damage(s) caused to your device by this exploit. |
| 16 | + |
| 17 | +# Exploit Resources |
| 18 | +* [superbird-bulkcmd](https://github.com/oddsolutions/superbird-bulkcmd) |
| 19 | + |
| 20 | +# Whitepaper |
| 21 | + |
| 22 | +## Background |
| 23 | + |
| 24 | +When the Car Thing launched, it largely flew under most people's radar, and comically it wasn't until Spotify _deeply_ discounted it in late 2022, to $29.99 that it caught our eyes. |
| 25 | + |
| 26 | +This device was designed to be a simple music selection device that mounts to your car dashboard or air-vents. It is unfortunately very underpowered, with a lower-end Amlogic chip, the S905D2, paired with 500 _MB_ of RAM - ouch. |
| 27 | + |
| 28 | +Sadly, it has no documented method to run custom-code, let alone custom operating systems. |
| 29 | + |
| 30 | +When the device was discounted, I picked up a few units for security research, and messaged Fred shortly after starting to ask about collaborating on it - and comically he had independently already started. |
| 31 | + |
| 32 | +To start, U-boot and Linux kernel source code for this device is [public](https://github.com/spsgsb/) but advertised nowhere by Spotify. |
| 33 | + |
| 34 | +## Getting initial access |
| 35 | +Shortly into research, we discovered that holding buttons `1` & `4` (counting from the left) while connecting power would put the deivce into Amlogic's BootROM mode, where you can upload signed BL2 images over USB! Sweet. |
| 36 | + |
| 37 | +We were able to upload a signed BL2, and then from there, upload a signed BL33, which kicked us into Amlogic's Burn Mode. |
| 38 | + |
| 39 | +From here we were able to execute U-Boot shell commands via Amlogic's `update` command, and the `bulkcmd` feature it houses. |
| 40 | + |
| 41 | +## Getting UART access |
| 42 | +At this point, it became clear UART would aid our efforts, and with some simple voltage sniffing and an educated guess, we discerned the UART has the following pin-out: |
| 43 | + |
| 44 | + |
| 45 | +For our development case, we wanted more persistent access to the UART pins, so we removed the sticker on the rear of the device, dissasembled, removed the rear heat-shield, and then filed out part of the case, as shown below |
| 46 | + |
| 47 | + |
| 48 | +Once we had UART console, we crafted a method to enable a root shell over UART: |
| 49 | +``` |
| 50 | +sudo update bulkcmd 'amlmmc env' |
| 51 | +sudo update bulkcmd 'setenv initargs init=/sbin/pre-init' |
| 52 | +sudo update bulkcmd 'setenv initargs ${initargs} ramoops.pstore_en=1' |
| 53 | +sudo update bulkcmd 'setenv initargs ${initargs} ramoops.record_size=0x8000' |
| 54 | +sudo update bulkcmd 'setenv initargs ${initargs} ramoops.console_size=0x4000' |
| 55 | +sudo update bulkcmd 'setenv initargs ${initargs} rootfstype=ext4' |
| 56 | +sudo update bulkcmd 'setenv initargs ${initargs} console=ttyS0,115200n8' |
| 57 | +sudo update bulkcmd 'setenv initargs ${initargs} no_console_suspend' |
| 58 | +sudo update bulkcmd 'setenv initargs ${initargs} earlycon=aml-uart,0xff803000' |
| 59 | +sudo update bulkcmd 'setenv storeargs ${storeargs} setenv avb2 0\;' |
| 60 | +sudo update bulkcmd 'setenv initargs ${initargs} ro root=/dev/mmcblk0p15' |
| 61 | +sudo update bulkcmd 'env save' |
| 62 | +``` |
| 63 | + |
| 64 | +This gave us a local root shell, but still required UART access which is inconvienient for end-users. |
| 65 | + |
| 66 | +## Getting an ADB root shell |
| 67 | +We took note that the device happened to have `adbd` locally installed, but not running. |
| 68 | + |
| 69 | +We realized it wasn't as simple as _just_ starting the daemon, we had to [disable](https://github.com/oddsolutions/superbird-bulkcmd/blob/main/scripts/disable-avb2.sh) [Android Verified Boot](https://source.android.com/docs/security/features/verifiedboot), and configure the device's USB connection in an `init.d` script, as shown in [scripts/enable-adb.sh.client](https://github.com/oddsolutions/superbird-bulkcmd/blob/main/scripts/enable-adb.sh.client). |
| 70 | + |
| 71 | +At this point we had full u-boot access, as well as persistent ADB (root) access, we initially wanted to try to bring-up Android Automotive on the device, but 500 MB of RAM made Android near-impossible to port. |
| 72 | + |
| 73 | +We also tried to get other GUI applications _cough_ maybe doom _cough_ running, but this device utilizes a QT feature called [EGLFS](https://doc.qt.io/qt-6/embedded-linux.html), which doesn't have a window management system like X11 or Wayland, so it is hard to get additional applications running on the device, but hey, maybe someone in the community can get it working using the access we're providing! |
| 74 | + |
| 75 | +We ended up settling on using a modified init-ramdisk loaded via USB to simplify attaining root-access for the end-user. Hope you enjoy! |
| 76 | + |
| 77 | +## Warning |
| 78 | +- Many developers may (as we did) think that the easiest path to running custom code on this device would be to use the provided burn-mode access to run `update bulkcmd fastboot` and then `fastboot flashing unlock` the device. *BE WARNED*, this bricked every device we tried it on. You will end up with a blank, black screen on boot, and we have yet to discern how to recover from this. This will be updated if this type of bricked device is recoverable. |
| 79 | + |
| 80 | +# Disclosure Timeline |
| 81 | +- October 20, 2022 - Intitial notice sent to Spotify |
| 82 | +- October 21, 2022 - Spotify responded on HackerOne stating that the product is unsupported, and end-of-life, and therefore no bugs would be accepted pertaining to the product |
| 83 | + |
| 84 | +*Note: This "exploit" didn't technically warrant disclosure, as it doesn't leverage any specific vulnerabillities, utilizes existing functionallity to get root access over USB.* |
| 85 | + |
| 86 | +# Credits |
| 87 | +- Frederic Bassé (frederic): The "exploit", writeup, debugging/developing/theorizing the methodologies used. |
| 88 | +- Nolen Johnson (npjohnson): The "exploit", writeup, debugging/developing/theorizing the methodologies used. |
| 89 | + |
| 90 | +# Special Thanks |
| 91 | +- Sean Hoyt (deadman): The awesome hacked-logo image. |
| 92 | + |
| 93 | +# Contribute to FOSS development on this device |
| 94 | +- U-Boot: [superbird-uboot](https://github.com/spsgsb/uboot/tree/buildroot-openlinux-201904-g12a) |
| 95 | +- GNU/Linux: [superbird-linux](https://github.com/spsgsb/kernel-common) |
0 commit comments