[IOT安全][原创]钉钉智能指纹考勤机M1智能硬件漏洞挖掘（一）

mailto:wangkai0351@gmail.com

【未经同意禁止转载】

钉钉智能指纹考勤机M1s，支持指纹、WIFI、蓝牙、GPS四种考勤方式，并且可实时查看考勤数据，自动生成考勤报表，告别人工核算，数据云端存储不易丢失。

1. 固件脆弱性分析

1.1 固件文件提取

1.1.1 固件文件提取方法

a. 直接读取spi flash芯片中的数据

b. 串口访问设备（使用boot命令upload）

c. 固件在线升级

1.2 固件文件升级

1 binwalk 2018_5_20.bin2
3 DECIMALHEXADECIMAL     DESCRIPTION4 --------------------------------------------------------------------------------
5 135388        0x210DC         Unix path: /usr/local/lib6 136444        0x214FC         Unix path: /dev/uart/0
7 136784        0x21650         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/esp32/./heap_alloc_caps.c8 137592        0x21978         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/esp32/./ipc.c9 138316        0x21C4C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/esp32/./intr_alloc.c10 151420        0x24F7C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/newlib/./locks.c11 153984        0x25980         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/nvs_flash/src/nvs_pagemanager.cpp12 154936        0x25D38         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/tcpip_adapter/./tcpip_adapter_lwip.c13 158188        0x269EC         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/main/./bravo.c14 158608        0x26B90         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/main/../embedded/dingtalk/base/dt_log.c15 160212        0x271D4         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/driver/./rtc_module.c16 162508        0x27ACC         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/esp32/./crosscore_int.c17 163212        0x27D8C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/esp32/./phy_init.c18 164840        0x283E8         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/fingerprint/./fingerprint.c19 168032        0x29060         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/fingerprint/./fingerprint_helper.c20 170560        0x29A40         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/fingerprint/./userIdpool.c21 172452        0x2A1A4         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/hardware/./alc5660.c22 173328        0x2A510         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/hardware/./fd650b.c23 173548        0x2A5EC         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/hardware/./gpio_helper..c24 173720        0x2A698         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/hardware/./pcf8563.c25 174092        0x2A80C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/logcache/./dt_log_fireeye.c26 174372        0x2A924         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/logcache/./dt_log_flash.c27 177628        0x2B5DC         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/root/./dt_device.c28 178748        0x2BA3C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/root/./dt_fingerprint.c29 180436        0x2C0D4         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/root/./dt_root.c30 184596        0x2D114         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/root/./dt_coredump_upload.c31 185312        0x2D3E0         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/wifi/./wifi.c32 192984        0x2F1D8         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/main/../embedded/dingtalk/lwp/dt_lwp_response.c33 199756        0x30C4C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/main/../embedded/dingtalk/lwp/dt_lwp_mid.c34 429436        0x68D7C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/app_update/./esp_ota_ops.c35 430192        0x69070         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/ble/./dt_ble.c36 432240        0x69870         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/ble/./dt_npc.c37 433612        0x69DCC         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/device/controller.c38 434636        0x6A1CC         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/hci/hci_layer.c39 435060        0x6A374         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/hci/hci_packet_factory.c40 435564        0x6A56C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/hci/packet_fragmenter.c41 436272        0x6A830         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/osi/fixed_queue.c42 436516        0x6A924         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/osi/future.c43 468964        0x727E4         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/stack/btu/btu_task.c44 491312        0x77F30         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/stack/l2cap/l2c_api.c45 502756        0x7ABE4         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/stack/l2cap/l2c_fcr.c46 534680        0x82898         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/bta/dm/bta_dm_pm.c47 540096        0x83DC0         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/bta/sys/bta_sys_main.c48 540940        0x8410C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/btcore/bdaddr.c49 541200        0x84210         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/gki/gki_buffer.c50 555132        0x8787C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/stack/btm/btm_ble_bgconn.c51 590680        0x90358         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/device/interop.c52 592260        0x90984         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/driver/./i2c.c53 593324        0x90DAC         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/driver/./i2s.c54 596092        0x9187C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/driver/./uart.c55 5980040x91FF4         SHA256 hash constants, little endian56 6002120x92894         PEM RSA private key57 6002760x928D4         PEM EC private key58 6037080x9363C         PEM certificate59 6445560x9D5CC         PEM RSA private key60 6462640x9DC78         PEM certificate61 6474760x9E134         PEM RSA private key62 6491840x9E7E0         PEM certificate63 6504000x9ECA0         PEM RSA private key64 6521840x9F398         PEM certificate65 6534920x9F8B4         PEM certificate66 662104        0xA1A58         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/freertos/./heap_regions.c67 662296        0xA1B18         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/freertos/./queue.c68 663168        0xA1E80         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/freertos/./timers.c69 663532        0xA1FEC         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/freertos/./ringbuf.c70 6426992       0x621170        Unix path: /dev/uart/0

直接拖入IDA Pro V6.8

strings工具得到该固件编译过程中include 的一些c语言代码文件的路径和文件名如下

ESP32 有 3 个 UART 接口，即 UART0、UART1 和 UART2。

查阅《ESP32 技术规格书》版本2.1可知

U0RXD 40 号引脚

U0TXD 41 号引脚

U1RXD 28 号引脚

U1TXD 29 号引脚

U2RXD 25 号引脚

U2TXD 27 号引脚

到PCB上看看，这三对引脚有没有露出来，如果有任意一对引脚引到了PCB的焊盘上，那么很可能就是这个PCB的串口调试端口。

转载于:https://www.cnblogs.com/bianmu-dadan/p/9060636.html

[IOT安全][原创]钉钉智能指纹考勤机M1智能硬件漏洞挖掘（一）相关推荐

撬动百亿智能办公市场　钉钉发布智能考勤机标准
智能家居.智慧医疗.智慧城市近几年被频繁提及,互联网时代智慧.智能化概念大大渗透到了生活方方面面."WIFI打卡.智能报表.视频会议--"在现在大中型企业早已不是新鲜事.智能办公也 ...
【钉钉-场景化能力包】IoT物联网设备协同
需求场景环境预警监控:企业与监控数据实时同步,当设备监测到环境异常时,需要通过机器人发送预警信息到个人或场景群,并呈现预警具体信息. 考勤机数据推送:员工通过考勤机完成一键考勤,考勤成功后通过机器人 ...
JAVA 对接钉钉API（人员、部门、官方智能工作流）20210527
前言应公司要求,公司人事HR系统需要对接钉钉考勤数据,所以需要获取钉钉的打卡记录.出差.外出.请假.调岗的数据,然后转换成HR系统数据. 对接前准备创建应用 1.首先需要管理员登录钉钉开放平台,创 ...
共享移动智能办公入口钉钉10亿加速企业数字化和智能化
打造智慧之都,用智能化落实高质量发展.上周,在重庆举办的首届智博会,一方面云集了智能化企业.技术与解决方案,另一方面也展示了重庆这座城市发展的目标与实践经验. 那么在移动智能办公时代,如何快速实现智能 ...
手把手教你阿里云钉钉智能前台如何实现0元购
2017年5月开始阿里巴巴旗下阿里云公司推出唯一一款针对用户的幸运券,这款幸运券就是大家俗称的优惠券了.目前钉钉智能前台m1已经上升为钉钉智能前台m2了,它们属于钉钉考勤机系列. 这款优惠券支持阿里 ...
与惠普合作智能打印云盒，钉钉会成为智能办公的小米么？
今天,阿里钉钉与惠普联合发布了一款智能硬件产品:钉钉智能打印云盒P1.P1具有"简单.安全和省钱"三大属性,具体来说,可以兼容惠普旗下的主流打印机,连接后企业员工可以在钉钉上简单操 ...
“2021ISIG中国产业智能大会低代码峰会”即将开幕，钉钉宜搭叶周全受邀出席
简介:2021年12月8-9日,"2021ISIG中国产业智能大会" 将在上海举行.阿里巴巴资深技术专家,钉钉宜搭创始人叶周全将作为特邀嘉宾出席大会. 2021年12月8-9日,由 ...
钉钉产品介绍_钉钉正式推出智能OA：免费开放、一站解决“人财物事”管理难题...
9月2日消息,阿里钉钉今日正式上线智能OA产品"OA审批",通过开放工作流.审批流引擎,向中小企业提供场景全面.定制简易.操作门槛低的OA协同服务,实现企业管理流程.业务流程的全链 ...
钉钉机器人智能回复_青岛市市南区税务局：“税博士”智能服务机器人亮相办税服务厅...
爆料请加小编微信:chenchenxiao798 商务合作添加微信:brandlongvp 近日,走进市南区税务局办税服务厅,不少纳税人.缴费人都被一个新来的"小家伙"吸引了注意力 ...

[IOT安全][原创]钉钉智能指纹考勤机M1智能硬件漏洞挖掘（一）

[IOT安全][原创]钉钉智能指纹考勤机M1智能硬件漏洞挖掘（一）相关推荐

最新文章

热门文章