Archived View for alaskalinuxuser.ddns.net › 2022-12-30.gmi captured on 2024-09-29 at 00:21:08. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
Okay, I'm not really much of a "hacker" in the sense that most people think of.
I don't break into things, crack passwords, etc. However, I do like to tinker.
Recently, my co-workers and I decided to purchase and try out these handy new
"smart" power cords: the IPLC M4 CORD (M4-15-2S) [1].
Note:
While plugging in your vehicle may sound odd to some of my readers,
here in Alaska it is so cold, that your vehicle will not start when
you need to drive it somewhere. So, when it is -40 F/C (both coincide
at that temperature), you need to heat the vehicle engine up first,
and we typically do this with electric heaters hooked to the engine
block. The problem is, if you want to go to work at 5:30 AM, then you
need to plug in the vehicle 3-4 hours prior to that to get it warm
enough. Since nobody wants to get up at 1 AM to plug in their
vehicle, most plug it in at night before bed, but this wastes
electricity and costs you more money on your electric bill. Most of
us use a timer circuit that turns on the power at a certain time.
This works great, except every power outage either resets your timer,
or at least gets it off of the correct time.
What a cord like this M4 does, is it first has a delay, in this case of either
3 or 6 hours, depending on your setting. Then, once the delay is over, it
starts turning the power on and off, in accordance with how cold it is. So, if
it is too warm, it will not turn on the power to the heater, to save you money.
If it is cold enough, but not -30 F, then it will cycle the power on and off in
increments to keep your engine warm, but not leave it on all the time and waste
electricity. Very handy, and they work rather well. No need for a timer, and if
the power goes out, it is smart enough to assume that the delay time is over
and just start power cycling based on temperature.
For every action there must be a reason to pursue that course of action, and
this case is no exception. My co-worker wanted to change the default delay
times from 6 or 3 hours to 12 and 6 hours. So, we began to look deeper at the
controller to see what we could gain. The power cord has its own WIFI
connection so you can connect to it with your phone or home computer, and the
passwords were all provided in the documentation. We didn't have to "break in"
to talk to it, since it was designed for us to connect to it.
Running nmap to check for any open ports.
First up, I wanted to see what ports were open. Sometimes manufacturers leave
open ports like FTP, telnet, SSH, or others that give you an avenue to get
in. So, I checked all possible ports, rather than just the standard ones, just
in case they used a non-traditional port number for something.
```
alaskalinuxuser@alaskalinuxuser-OptiPlex-790:~$ nmap 10.10.10.1 -p1-65535
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-30 06:41 AKST
Nmap scan report for 10.10.10.1
Host is up (0.035s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 40.49 seconds
```
So, one port was open, port 80, and that's it. So, kudos to the manufacturer:
whether for security or otherwise, it didn't have any of the usual open ports
allowing entry.
Connecting to the web gui.
Overall the web gui seemed pretty simple and straightforward. Just a few
buttons to change between the gas or diesel profile, and to hook to your home
WIFI network. I inspected it with Firefox, but didn't see anything unusual
about it. All of the buttons ran scripts or were links to other local web
pages. I thought I would check for robots.txt and sitemap.xml files, but
didn't find any, so no hidden pathways or avenues there. Although later I did
find a way to reboot the device and get to a special admin web page, but more
on that later. Here is a picture of the web gui:
[Image: m4_index.png, the M4 web gui (https://alaskalinuxuser3.ddns.net/wp-content/uploads/2022/12/m4_index.png)]
Using curl to download all the web pages.
Having seen all I could in the browser, I used curl to download the main html
file. From there, I saw the buttons linked to other pages, so I downloaded them
as well using curl and their href location. Below is an example.
```
alaskalinuxuser@alaskalinuxuser-OptiPlex-790:~$ curl 10.10.10.1 > index.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12233  100 12233    0     0   197k      0 --:--:-- --:--:-- --:--:--  202k

<body onload='aRP(3000, "/dd.stat");'>
<header>
  <a id="m4Profile1" onClick="location.href= '/DoGAS';" class="schedule">Gas</a>
  <a id="m4Profile2" onClick="location.href= '/DoDIESEL';" class="schedule">Diesel</a>
  <a onClick="location.href= '/doset';" class="schedule">></a>
</header>
<div class="body">
<div class="measure">
  <div class="grid">
    <div class="equal">
      <a id="m4Boost1" onClick="location.href='/BOOST';" class="boost">
        Boost
      </a>
    </div>
    <div class="equal">
      <a onClick="location.href='/TOGT';" class="temp">
        <span id="m4Temp">?</span><sup>°<span id="m4TempUnits">?</span></sup>
      </a>
    </div>
  </div>
</div>
<div class="clock">
  <span id="timeData">?:?</span>
  <div class="bottom"><span id="timeAmPm">?</span></div>
</div>
```
What I did find was that there was a "reset" page that is not reachable
normally, because the button was commented out, but that you could call it
directly and it would reboot the device. However, it didn't bring you to any
special new pages, nor seem to do anything else, so it was just an interesting
tidbit. All told, I found seven web pages and one icon, called favicon.ico,
which is used by the web browser to display the icon for the web pages. Nothing
too noteworthy.
Using netcat to check port 80.
Feeling a bit froggy, I then decided to use netcat (nc) to check port 80. Turns
out, this was very fortuitous!
```
alaskalinuxuser@alaskalinuxuser-OptiPlex-790:~$ nc 10.10.10.1 80

CFGdbAddr: 00003D00

ready 

OK 

OK 

OK 

OK 

OK 

0,CONNECT Time OUT
M210dbAddr: 00007300

test
Date: 00006228 Time: 00152047

%% 

help
?

%% ?
v - Serial Number, JohnDra, and Code Ver.
A - Get Ambient Light
P - Get Proximity
F - Set R,G,B
G - Get Gravimetric data (accelerometer)
R - RESET to BOOT
S - Show Status
V - VIEW MEM 1KB
L - Load ON/OFF
w - Send WIFI directly
o - Get Proxy Value
i - invalidate caches
j - get CRC 0-Iflash 1-SRAM, 2/3 QSPI
N - Get VS,VL,IL,PL,QL
W - SET Offsets
H - Write Cal Flash page0
I - Erase Cal Flash sector0
C - Cal VL = VS
O - adjust Proximity values
K - PROXY CONFIGURATION
U - match Vs to VAC sent
E - ERASE FLASH MEMORY
Y - XIP ON/OFF
copyright 1995-2021 Vantera Incorporated. ALL RIGHTS RESERVED.

%% 
```
And just like that, we were in. I found that this was actually a telnet-like
function, and I tested it with telnet, which "worked better", as it was the
expected format and escape character, etc. But nc worked very well also. The
menu was gained by pressing the "?" question mark character, and that proved
very helpful. However, I found that there were other, unlisted commands as
well. Also, the commands are case sensitive, and using the wrong case may be a
different command entirely. Here are the other commands I found:
```
%% f
Whole DBase Erased, awaiting reset.

%% g
dbase started..
VdbAddr: 00010000
Wave dbase started..
WdbAddr: 00080000

%% g
dbase stopped at: 00010000
VdbAddr: 00010000
Wave dbase stopped at: 00080000
WdbAddr: 00080000

%% M
 IL: 07E6
Isense offset done

%% p
KTAU : 0.0170
Rtheta : 10.0000
Tcomp : 0.0000
tP : 0.0000

%% Q
(Did not return ? character, so it did something, just not sure what.)

%% t
Date: 00006228 Time: 00230430

%% u
(Did not return ?, and did not return you to the prompt, so it did something, but also seemed to lock it up. The green flashing color led started flashing yellow then green over and over again. Had to power cycle unit to use telnet/nc again.)
```
No function = a,b,B,c,d,D,e,h,J,k,l,m,n,q,r,s,T,x,X,y,z,Z,1,2,3,4,5,6,7,8,9,0
Also, no punctuation mark or special character, other than ? seemed to have any
function.
So, the completed menu should look like this:
```
A - Get Ambient Light
C - Cal VL = VS
E - ERASE FLASH MEMORY
f - Format the database
F - Set R,G,B
g - Start/stop database writing
G - Get Gravimetric data (accelerometer)
H - Write Cal Flash page0
i - invalidate caches
I - Erase Cal Flash sector0
j - get CRC 0-Iflash 1-SRAM, 2/3 QSPI
K - PROXY CONFIGURATION
L - Load ON/OFF
M - Isense offset
N - Get VS,VL,IL,PL,QL
o - Get Proxy Value
O - adjust Proximity values
p - Some sort of sensor information
P - Get Proximity
Q - Unknown command that runs instantly but seems to have no effect.
R - RESET to BOOT
S - Show Status
t - Time and date
u - Unknown command that locks up the unit and flashes lights.
U - match Vs to VAC sent
v - Serial Number, JohnDra, and Code Ver.
V - VIEW MEM 1KB
w - Send WIFI directly
W - SET Offsets
Y - XIP ON/OFF
```
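The security-relevant finding here is that the same TCP port 80 that serves the web gui also answers as a raw command console, and that console offers destructive commands (erase flash, format the database, reset) to anyone on the cord's WIFI. The following Python is an added example, not code from the post or from IPLC: it works offline on a constructed, abridged copy of the transcripts above, separates a console greeting from an HTTP reply, parses the "?" listing into a table, merges in the probed commands using the post's ordering (by letter, lowercase first), and flags the commands an auditor would want to see behind authentication.

```python
import re

# Constructed sample, abridged from the post's "%% ?" help output (not the full listing).
BANNER = b"CFGdbAddr: 00003D00\n\nready \n\nOK \n"
HELP = """%% ?
v - Serial Number, JohnDra, and Code Ver.
A - Get Ambient Light
R - RESET to BOOT
S - Show Status
E - ERASE FLASH MEMORY
Y - XIP ON/OFF
copyright 1995-2021 Vantera Incorporated. ALL RIGHTS RESERVED.

%% """

# A few of the unlisted commands the post found by probing, with the author's descriptions.
DISCOVERED = {
    "f": "Format the database",
    "g": "Start/stop database writing",
    "M": "Isense offset",
    "Q": "Unknown command that runs instantly but seems to have no effect.",
}

MENU_LINE = re.compile(r"^([A-Za-z]) - (.+)$")

def port80_reply_is_console(first_bytes: bytes) -> bool:
    """Anything port 80 sends that is not an HTTP status line is a console, not a web server."""
    text = first_bytes.decode("ascii", errors="replace").lstrip()
    return bool(text) and not text.startswith("HTTP/")

def parse_help_menu(transcript: str) -> dict:
    """Map each single-letter command in the '?' listing to its description."""
    menu = {}
    for line in transcript.splitlines():
        m = MENU_LINE.match(line.strip())
        if m:
            menu[m.group(1)] = m.group(2).strip()
    return menu

def completed_menu(help_menu: dict, discovered: dict) -> list:
    """Merge listed and probed commands, by letter with lowercase first, as the post orders them."""
    merged = {**help_menu, **discovered}
    return sorted(merged.items(), key=lambda kv: (kv[0].lower(), kv[0].isupper()))

def destructive_commands(menu: dict) -> list:
    """Commands whose description mentions erase, format or reset: flag these on an open console."""
    return sorted(c for c, d in menu.items() if re.search(r"erase|format|reset", d, re.I))
```

Run against the full transcripts the same functions give the 30-entry table above, with E, f, I and R among the flagged entries.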
Now that we have the completed list of commands, we will have to delve deeper
into their meanings and uses. Feel free to check out the next posts for where I
went from here!
Linux - keep it simple.
[1] https://www.buyiplc.com/view-product/m4