[IoT Security][Original] Vulnerability Hunting in the DingTalk Smart Fingerprint Attendance Machine M1 (Part 1)
mailto:wangkai0351@gmail.com
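[Do not repost without permission]
The DingTalk smart fingerprint attendance machine M1s supports four check-in methods: fingerprint, Wi-Fi, Bluetooth and GPS. Attendance data can be viewed in real time, attendance reports are generated automatically so no manual tallying is needed, and the data is stored in the cloud so it is not easily lost.
1. Firmware vulnerability analysis
1.1 Firmware file extraction
1.1.1 Firmware extraction methods
a. Read the data directly from the SPI flash chip
b. Access the device over the serial port (using the boot command upload)
c. Online firmware upgrade
1.2 Firmware file upgrade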
a.
binwalk 2018_5_20.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
135388        0x210DC         Unix path: /usr/local/lib
136444        0x214FC         Unix path: /dev/uart/0
136784        0x21650         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/esp32/./heap_alloc_caps.c
137592        0x21978         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/esp32/./ipc.c
138316        0x21C4C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/esp32/./intr_alloc.c
151420        0x24F7C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/newlib/./locks.c
153984        0x25980         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/nvs_flash/src/nvs_pagemanager.cpp
154936        0x25D38         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/tcpip_adapter/./tcpip_adapter_lwip.c
158188        0x269EC         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/main/./bravo.c
158608        0x26B90         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/main/../embedded/dingtalk/base/dt_log.c
160212        0x271D4         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/driver/./rtc_module.c
162508        0x27ACC         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/esp32/./crosscore_int.c
163212        0x27D8C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/esp32/./phy_init.c
164840        0x283E8         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/fingerprint/./fingerprint.c
168032        0x29060         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/fingerprint/./fingerprint_helper.c
170560        0x29A40         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/fingerprint/./userIdpool.c
172452        0x2A1A4         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/hardware/./alc5660.c
173328        0x2A510         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/hardware/./fd650b.c
173548        0x2A5EC         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/hardware/./gpio_helper..c
173720        0x2A698         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/hardware/./pcf8563.c
174092        0x2A80C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/logcache/./dt_log_fireeye.c
174372        0x2A924         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/logcache/./dt_log_flash.c
177628        0x2B5DC         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/root/./dt_device.c
178748        0x2BA3C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/root/./dt_fingerprint.c
180436        0x2C0D4         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/root/./dt_root.c
184596        0x2D114         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/root/./dt_coredump_upload.c
185312        0x2D3E0         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/wifi/./wifi.c
192984        0x2F1D8         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/main/../embedded/dingtalk/lwp/dt_lwp_response.c
199756        0x30C4C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/main/../embedded/dingtalk/lwp/dt_lwp_mid.c
429436        0x68D7C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/app_update/./esp_ota_ops.c
430192        0x69070         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/ble/./dt_ble.c
432240        0x69870         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/ble/./dt_npc.c
433612        0x69DCC         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/device/controller.c
434636        0x6A1CC         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/hci/hci_layer.c
435060        0x6A374         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/hci/hci_packet_factory.c
435564        0x6A56C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/hci/packet_fragmenter.c
436272        0x6A830         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/osi/fixed_queue.c
436516        0x6A924         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/osi/future.c
468964        0x727E4         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/stack/btu/btu_task.c
491312        0x77F30         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/stack/l2cap/l2c_api.c
502756        0x7ABE4         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/stack/l2cap/l2c_fcr.c
534680        0x82898         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/bta/dm/bta_dm_pm.c
540096        0x83DC0         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/bta/sys/bta_sys_main.c
540940        0x8410C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/btcore/bdaddr.c
541200        0x84210         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/gki/gki_buffer.c
555132        0x8787C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/stack/btm/btm_ble_bgconn.c
590680        0x90358         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/bt/bluedroid/device/interop.c
592260        0x90984         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/driver/./i2c.c
593324        0x90DAC         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/driver/./i2s.c
596092        0x9187C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/driver/./uart.c
598004        0x91FF4         SHA256 hash constants, little endian
600212        0x92894         PEM RSA private key
600276        0x928D4         PEM EC private key
603708        0x9363C         PEM certificate
644556        0x9D5CC         PEM RSA private key
646264        0x9DC78         PEM certificate
647476        0x9E134         PEM RSA private key
649184        0x9E7E0         PEM certificate
650400        0x9ECA0         PEM RSA private key
652184        0x9F398         PEM certificate
653492        0x9F8B4         PEM certificate
662104        0xA1A58         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/freertos/./heap_regions.c
662296        0xA1B18         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/freertos/./queue.c
663168        0xA1E80         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/freertos/./timers.c
663532        0xA1FEC         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/freertos/./ringbuf.c
6426992       0x621170        Unix path: /dev/uart/0
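For a firmware release review, the scan above has two kinds of rows worth acting on: the PEM private key signatures binwalk reports inside the image, and the Jenkins build paths that reveal the build account, job name and source layout. The following is an added example, not code from the original post: it parses binwalk-style rows and groups those findings. The sample rows are an excerpt copied from the output above, and the function and key names are illustrative.

```python
import re

# Excerpt of the scan output on this page (offsets and descriptions copied from it).
SAMPLE = """\
DECIMAL       HEXADECIMAL     DESCRIPTION
135388        0x210DC         Unix path: /usr/local/lib
158188        0x269EC         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/main/./bravo.c
164840        0x283E8         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/components/fingerprint/./fingerprint.c
429436        0x68D7C         Unix path: /home/admin/.jenkins/jobs/MUPP_2440311/workspace/esp-idf/components/app_update/./esp_ota_ops.c
600212        0x92894         PEM RSA private key
600276        0x928D4         PEM EC private key
603708        0x9363C         PEM certificate
"""

ROW = re.compile(r"^(\d+)\s+(0x[0-9A-Fa-f]+)\s+(.+)$")
BUILD_PATH = re.compile(r"^Unix path: /home/([^/]+)/\.jenkins/jobs/([^/]+)/workspace/(.+)$")

def parse_scan(text):
    """Return (offset, description) rows; skip headers and any row whose
    decimal and hex columns disagree (a sign of damaged output)."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m and int(m.group(1)) == int(m.group(2), 16):
            rows.append((int(m.group(1)), m.group(3).strip()))
    return rows

def triage(rows):
    """Group the findings a release review should act on."""
    report = {"private_keys": [], "certificates": [], "build_jobs": set(),
              "sdk_files": [], "product_files": []}
    for offset, desc in rows:
        if "private key" in desc:
            report["private_keys"].append((offset, desc))
        elif desc == "PEM certificate":
            report["certificates"].append(offset)
        else:
            m = BUILD_PATH.match(desc)
            if m:
                # (build account, Jenkins job) leaked through compiled-in file paths
                report["build_jobs"].add((m.group(1), m.group(2)))
                rel = m.group(3)
                kind = "sdk_files" if rel.startswith("esp-idf/") else "product_files"
                report[kind].append(rel)
    return report

if __name__ == "__main__":
    for key, value in triage(parse_scan(SAMPLE)).items():
        print(f"{key}: {value}")
```

A non-empty `private_keys` list means the key material ships in every copy of the image and should be treated as exposed; the `product_files` list shows which vendor modules leak their source layout through compiled-in file paths.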
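Load the file directly into IDA Pro V6.8.
Running the strings tool on the firmware yields the paths and file names of some of the C source files that were included when the firmware was compiled, as follows:
The ESP32 has three UART interfaces: UART0, UART1 and UART2.
According to the ESP32 Datasheet, version 2.1:
U0RXD: pin 40
U0TXD: pin 41
U1RXD: pin 28
U1TXD: pin 29
U2RXD: pin 25
U2TXD: pin 27
Inspect the PCB to see whether any of these three pin pairs is exposed. If any pair is routed to pads on the PCB, those pads are very likely the board's serial debug port.
Reposted from: https://www.cnblogs.com/bianmu-dadan/p/9060636.html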