💾 Archived View for alaskalinuxuser.ddns.net › 2022-12-30.gmi captured on 2024-09-29 at 00:21:08. Gemini links have been rewritten to link to archived content


Hacking a power cord?

Okay, I’m not really much of a ‘hacker’ in the sense that most people think of. I don’t break into things, crack passwords, etc. However, I do like to tinker. Recently, my co-workers and I decided to purchase and try out these handy new “smart” power cords: the IPLC M4 CORD (M4-15-2S) [1].


Note: While plugging in your vehicle may sound odd to some of my readers, here in Alaska it is so cold that your vehicle will not start when you need to drive it somewhere. So, when it is -40 F/C (both coincide at that temperature), you need to heat the vehicle engine up first, and we typically do this with electric heaters hooked to the engine block. The problem is, if you want to go to work at 5:30 AM, then you need to plug in the vehicle 3-4 hours prior to that to get it warm enough. Since nobody wants to get up at 1 AM to plug in their vehicle, most plug it in at night before bed, but this wastes electricity and costs you more money on your electric bill. Most of us use a timer circuit that turns on the power at a certain time. This works great, except every power outage either resets your timer, or at least gets it off of the correct time.


What a cord like this M4 does is it first has a delay, in this case of either 3 or 6 hours, depending on your setting. Then, once the delay is over, it starts turning the power on and off, in accordance with how cold it is. So, if it is too warm, it will not turn on the power to the heater, to save you money. If it is cold enough, but not -30 F, then it will cycle the power on and off in increments to keep your engine warm, but not leave it on all the time and waste electricity. Very handy, and they work rather well. No need for a timer, and if the power goes out, it is smart enough to assume that the delay time is over and just start power cycling based on temperature.

For every action there must be a reason to pursue that course of action, and this case is no exception. My co-worker wanted to change the default delay times from 6 or 3 hours to 12 and 6 hours. So, we began to look deeper at the controller to see what we could gain. The power cord has its own WIFI connection so you can connect to it with your phone or home computer, and the passwords were all provided in the documentation. We didn’t have to “break in” to talk to it, since it was designed for us to connect to it.

Running nmap to check for any open ports.

First up, I wanted to see what ports were open. Sometimes manufacturers leave ports like FTP, telnet, or SSH open, which gives you an avenue in. So, I check all possible ports, rather than just the standard ones, in case they used a non-traditional port number for something.

```
alaskalinuxuser@alaskalinuxuser-OptiPlex-790:~$ nmap 10.10.10.1 -p1-65535
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-30 06:41 AKST
Nmap scan report for 10.10.10.1
Host is up (0.035s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 40.49 seconds
```

So, one port was open, port 80, and that’s it. So, kudos to the manufacturer, either for security or otherwise, it didn’t have any of the usual open ports allowing entry.

Connecting to the web gui.

Overall the web gui seemed pretty simple and straightforward. Just a few buttons to change between the gas or diesel profile, and to hook to your home WIFI network. I inspected it with Firefox, but didn’t see anything unusual about it. All of the buttons ran scripts or were links to other local web pages. I thought I would check for robots.txt and sitemap.xml files, but didn’t find any, so no hidden pathways or avenues there. Although later I did find a way to reboot the device and get to a special admin web page, but more on that later. Here is a picture of the web gui:

[Image: https://alaskalinuxuser3.ddns.net/wp-content/uploads/2022/12/m4_index.png]

Using curl to download all the web pages.

Having seen all I could in the browser, I used curl to download the main html file. From there, I saw the buttons linked to other pages, so I downloaded them as well using curl and their href location. Below is an example.

```
alaskalinuxuser@alaskalinuxuser-OptiPlex-790:~$ curl 10.10.10.1 > index.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12233  100 12233    0     0   197k      0 --:--:-- --:--:-- --:--:--  202k

<body onload='aRP(3000, "/dd.stat");'>
<header>
 <a id="m4Profile1" onClick="location.href= '/DoGAS';" class="schedule">Gas</a>
 <a id="m4Profile2" onClick="location.href= '/DoDIESEL';" class="schedule">Diesel</a>
 <a onClick="location.href= '/doset';" class="schedule">></a>
</header>
<div class="body">
<div class="measure">
 <div class="grid">
 <div class="equal">
 <a id="m4Boost1" onClick="location.href='/BOOST';" class="boost">
 Boost
 </a>
 </div>
 <div class="equal">
 <a onClick="location.href='/TOGT';" class="temp">
 <span id="m4Temp">?</span><sup>&deg;<span id="m4TempUnits">?</span></sup>
 </a>
 </div>
 </div>
</div>
<div class="clock">
 <span id="timeData">?:?</span>
 <div class="bottom"><span id="timeAmPm">?</span></div>
</div>
```

What I did find was that there was a ‘reset’ page that is not reachable normally, because the button was commented out, but that you could call it directly and it would reboot the device. However, it didn’t bring you to any special new pages, nor seem to do anything, so it was just an interesting tidbit. All told, I found seven web pages and one icon, called favicon.ico, which is used by the web browser to display the icon for the web pages. Nothing too noteworthy.

Using netcat to check port 80.

Feeling a bit froggy, I then decided to use netcat (nc) to check port 80. Turns out, this was very fortuitous!

```
alaskalinuxuser@alaskalinuxuser-OptiPlex-790:~$ nc 10.10.10.1 80

CFGdbAddr: 00003D00

ready

OK

OK

OK

OK

OK

0,CONNECT Time OUT
M210dbAddr: 00007300

test
Date: 00006228 Time: 00152047

%%

help
?

%% ?
v - Serial Number, JohnDra, and Code Ver.
A - Get Ambient Light
P - Get Proximity
F - Set R,G,B
G - Get Gravimetric data (accelerometer)
R - RESET to BOOT
S - Show Status
V - VIEW MEM 1KB
L - Load ON/OFF
w - Send WIFI directly
o - Get Proxy Value
i - invalidate caches
j - get CRC 0-Iflash 1-SRAM, 2/3 QSPI
N - Get VS,VL,IL,PL,QL
W - SET Offsets
H - Write Cal Flash page0
I - Erase Cal Flash sector0
C - Cal VL = VS
O - adjust Proximity values
K - PROXY CONFIGURATION
U - match Vs to VAC sent
E - ERASE FLASH MEMORY
Y - XIP ON/OFF
copyright 1995-2021 Vantera Incorporated. ALL RIGHTS RESERVED.

%%
```
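The exchange above is the thing to check for when auditing devices on your own network: nmap labelled the port "http", yet a lone "?" sent to it came back with a serial-style console menu instead of an HTTP response. Below is an added example (not code from the original post) that tells the two apart from the reply bytes and parses any "X - description" menu lines it finds, treating the single-letter command keys as case sensitive, as the post observes on the M4; the host address and the `%%` prompt format are assumptions taken from the captured output.

```python
import socket
import sys

# Constructed samples modelled on the post: a normal web server answers stray
# input with an HTTP status line, the M4 answered with its console banner/menu.
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
SAMPLE_CONSOLE = (b"CFGdbAddr: 00003D00\n\nready\n\n%% ?\n"
                  b"v - Serial Number, JohnDra, and Code Ver.\n"
                  b"A - Get Ambient Light\n")


def parse_menu(data: bytes) -> dict:
    """Collect lines shaped like 'A - Get Ambient Light' into {'A': 'Get Ambient Light'}.
    Keys keep their case: on the M4 'v' and 'V' are different commands."""
    menu = {}
    for line in data.decode("ascii", "replace").splitlines():
        key, sep, desc = line.partition(" - ")
        if sep and len(key) == 1 and key.isalpha():
            menu[key] = desc.strip()
    return menu


def classify_banner(data: bytes) -> str:
    """Decide what really answered on a port nmap called 'http'."""
    if not data:
        return "silent"            # strict servers drop junk without a word
    if data.startswith(b"HTTP/"):
        return "http"              # a proper status line: web server as advertised
    if parse_menu(data):
        return "console-with-menu" # non-HTTP reply that even lists its commands
    return "non-http"              # something else is multiplexed on the port


def probe(host: str, port: int = 80, timeout: float = 3.0) -> bytes:
    """Connect, send the same single '?' the post used, and gather the reply
    until the device goes quiet (hypothetical helper; host is an assumption)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"?\n")
        try:
            while chunk := sock.recv(4096):
                chunks.append(chunk)
        except socket.timeout:
            pass                   # no more data within the timeout: done reading
    return b"".join(chunks)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.1"
    reply = probe(target)
    print(target, "->", classify_banner(reply), sorted(parse_menu(reply)))
```

Run against an inventory of hosts, any result other than "http" or "silent" on a web port is worth a closer look, since a management console reachable from the WIFI segment is exactly what this device turned out to have.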

And just like that, we were in. I found that this was actually a telnet-like function, and I tested it with telnet, which “worked better”, as it was the expected format and escape character, etc. But nc worked very well also. The menu was gained by pressing the “?” question mark character, and that proved very helpful. However, I found that there were other, unlisted commands as well. Also, the commands are case sensitive, and using the wrong case may be a different command entirely. Here are other commands I found:

```
%% f
Whole DBase Erased, awaiting reset.

%% g
dbase started..
VdbAddr: 00010000
Wave dbase started..
WdbAddr: 00080000

%% g
dbase stopped at: 00010000
VdbAddr: 00010000
Wave dbase stopped at: 00080000
WdbAddr: 00080000

%% M
 IL: 07E6
Isense offset done

%% p
KTAU : 0.0170
Rtheta : 10.0000
Tcomp : 0.0000
tP : 0.0000

%% Q
(Did not return ? character, so it did something, just not sure what.)

%% t
Date: 00006228 Time: 00230430

%% u
(Did not return ?, and did not return you to the prompt, so it did something, but also seemed to lock it up. The green flashing color led started flashing yellow then green over and over again. Had to power cycle unit to use telnet/nc again.)
```

No function = a,b,B,c,d,D,e,h,J,k,l,m,n,q,r,s,T,x,X,y,z,Z,1,2,3,4,5,6,7,8,9,0

Also, no punctuation mark or special character, other than ?, seemed to have any function.

So, the completed menu should look like this:

```
A - Get Ambient Light
C - Cal VL = VS
E - ERASE FLASH MEMORY
f - Format the database
F - Set R,G,B
g - Start/stop database writing
G - Get Gravimetric data (accelerometer)
H - Write Cal Flash page0
i - invalidate caches
I - Erase Cal Flash sector0
j - get CRC 0-Iflash 1-SRAM, 2/3 QSPI
K - PROXY CONFIGURATION
L - Load ON/OFF
M - Isense offset
N - Get VS,VL,IL,PL,QL
o - Get Proxy Value
O - adjust Proximity values
p - Some sort of sensor information
P - Get Proximity
Q - Unknown command that runs instantly but seems to have no effect.
R - RESET to BOOT
S - Show Status
t - Time and date
u - Unknown command that locks up the unit and flashes lights.
U - match Vs to VAC sent
v - Serial Number, JohnDra, and Code Ver.
V - VIEW MEM 1KB
w - Send WIFI directly
W - SET Offsets
Y - XIP ON/OFF
```

Now that we have the completed list of commands, we will have to delve deeper into their meanings and uses. Feel free to check out the next posts for where I went from here!

Linux – keep it simple.

[1] https://www.buyiplc.com/view-product/m4