How to break in / enable telnet on an OpenPeak 2 / Telio Touch with disabled USB boot and telnet
Posted: Wed Oct 20, 2021 9:54 am
I've finally been able to break in to my Telio Touch. After trying blind typing on all the USB sticks I could dig up, I realized that USB boot must have been disabled.
After reading through old posts I realized that it's sending a heartbeat HTTP request to https://services.openpeak.net/dms/devic ... MACADDRESS
The heartbeat rate seems to vary between a few seconds and a few minutes; it seems to slow down if it fails and run fast if it works.
@roobarb! posted the default response in another thread:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<command><postDeviceDetails url="https://services.openpeak.net/dms/postDeviceDetails/12344844" method="post" /></command>
I disassembled the responsible file, libopdms.so, and found out that the command tag can contain one or more of the following commands:
Returns a long list of settings and data on the device, partitions, versions etc.
Code:
<postDeviceDetails url="https://example.com/deviceDetails" />
Update firmware. Don't know what kind of file it expects, probably a .tgz file similar to what was used by the automatic updates.
Code:
<downloadFirmware mode="" reboot="">
  <downloadURL>http://example.com/firmware_file.ext</downloadURL>
  <successURL>http://example.com/success</successURL>
  <failureURL>http://example.com/failure</failureURL>
  <notesURL>http://example.com/notes</notesURL>
</downloadFirmware>
Can probably be used to start playback of media from a URL.
Code:
<mediaDisplay contentType="application/x-shockwave-flash">
  <mediaURL>http://example.com/media.swf</mediaURL>
</mediaDisplay>
Message of the day? Don't know what it does.
Code:
<motd />
Execute a shell command. The callback always tells me that the command timed out even if it was successful.
Code:
<remoteExec commandId="1" timeout="5">
  <callbackURL>http://example.com/callback</callbackURL>
  <shText>cp /mnt/sda1/passwd /etc/</shText>
</remoteExec>
Don't know what this does.
Code:
<publishMessage channel="" />
Change one of the settings in opservices.ini, can be used to enable telnet.
Code:
<configuration>
  <device>
    <telnetEnabled>true</telnetEnabled>
  </device>
</configuration>
I've only tested postDeviceDetails, configuration and remoteExec.
To enable telnet, I first set up a web server and a DNS server to forward requests to services.openpeak.net to my web server.
I created a file on the server called /dms/device/heartbeat
Then, to enable telnet I put this in the file:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<command>
  <configuration>
    <device>
      <telnetEnabled>true</telnetEnabled>
    </device>
  </configuration>
</command>
I also had to create a new user. Because this is executed every few seconds, I didn't want to directly write to /etc/passwd because then many lines might be added and I don't know how Linux handles that.
I copied the file to a USB stick, edited the file on another computer and copied it back, using a combination of these commands in remoteExec:
Had to remount it as it's mounted as read only by the OS.
Code:
umount /dev/sda1
mount -t vfat /dev/sda1 /mnt
Copy the file to the USB stick
Code:
cp /etc/passwd /mnt/
Added the following line to the end of the file:
Code:
letmein::0:0:root:/:/bin/sh
Copy the file back
Code:
cp /mnt/passwd /etc/
After this I could log in using telnet with username letmein and no password.
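Added example, not part of the original post: a Python check that someone monitoring these devices could run over captured heartbeat response bodies to flag the commands described above. The function name `audit_heartbeat`, the severity ratings, and the treatment of services.openpeak.net as the only expected host are assumptions of this example; the sample bodies are constructed from the blocks quoted in the post.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

EXPECTED_HOST = "services.openpeak.net"  # vendor host named in the post
LOW_RISK = {"mediaDisplay", "motd", "publishMessage"}  # rating is an assumption

def audit_heartbeat(body):
    """Return (severity, tag, detail) findings for one heartbeat response body."""
    root = ET.fromstring(body.strip())
    if root.tag != "command":
        return [("MEDIUM", root.tag, "unexpected root element")]
    findings = []
    for cmd in root:
        if cmd.tag == "remoteExec":  # shell command run on the device
            findings.append(("HIGH", cmd.tag, (cmd.findtext("shText") or "").strip()))
        elif cmd.tag == "configuration":  # each leaf element is one setting change
            for leaf in (e for e in cmd.findall(".//*") if len(e) == 0):
                value = (leaf.text or "").strip()
                telnet_on = leaf.tag == "telnetEnabled" and value.lower() == "true"
                sev = "HIGH" if telnet_on else "MEDIUM"
                findings.append((sev, cmd.tag, f"{leaf.tag}={value}"))
        elif cmd.tag == "downloadFirmware":  # firmware fetched without TLS is worse
            url = (cmd.findtext("downloadURL") or "").strip()
            plain = urlparse(url).scheme != "https"
            findings.append(("HIGH" if plain else "MEDIUM", cmd.tag, url))
        elif cmd.tag == "postDeviceDetails":  # device inventory sent to this URL
            url = cmd.get("url", "")
            known = urlparse(url).hostname == EXPECTED_HOST
            findings.append(("LOW" if known else "MEDIUM", cmd.tag, url))
        elif cmd.tag in LOW_RISK:
            findings.append(("LOW", cmd.tag, ""))
        else:
            findings.append(("MEDIUM", cmd.tag, "command not listed in the post"))
    return findings

# Constructed samples assembled from the blocks quoted in the post.
DEFAULT = """<?xml version="1.0" encoding="UTF-8"?>
<command><postDeviceDetails url="https://services.openpeak.net/dms/postDeviceDetails/12344844" method="post" /></command>"""

TAMPERED = """<?xml version="1.0" encoding="UTF-8"?>
<command>
  <configuration><device><telnetEnabled>true</telnetEnabled></device></configuration>
  <remoteExec commandId="1" timeout="5">
    <shText>cp /mnt/sda1/passwd /etc/</shText>
  </remoteExec>
</command>"""

if __name__ == "__main__":
    print(audit_heartbeat(DEFAULT), audit_heartbeat(TAMPERED), sep="\n")
```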