exploring and reversring (?) go2 unitree in midair
posted on : 7/3/2024
im decomping as registers, might switch that later, not super set in stone with that... anyways here's a series of registers and variables i found at the top of the file.
00000400 90 97 05 ext4_sup
00 c5 1b
16 00 a6
00000400 90 97 05 00 ddw 90970500h s_inodes_count
00000404 c5 1b 16 00 ddw C51B1600h s_blocks_cou
00000408 a6 38 00 00 ddw A6380000h s_r_blocks_c
0000040c 33 f0 01 00 ddw 33F00100h s_free_block
00000410 6c db 03 00 ddw 6CDB0300h s_free_inode
00000414 00 00 00 00 ddw 0h s_first_data
00000418 02 00 00 00 ddw 2000000h s_log_block_
0000041c 02 00 00 00 ddw 2000000h s_log_cluste
00000420 00 80 00 00 ddw 800000h s_blocks_per
00000424 00 80 00 00 ddw 800000h s_clusters_p
00000428 d0 1f 00 00 ddw D01F0000h s_inodes_per
0000042c db bc 47 66 ddw DBBC4766h s_mtime
00000430 00 c0 47 66 ddw C04766h s_wtime
00000434 01 00 dw 100h s_mnt_count
00000436 ff ff dw FFFFh s_max_mnt_co
00000438 53 ef dw 53EFh s_magic
0000043a 01 00 dw 100h s_state
0000043c 01 00 dw 100h s_errors
0000043e 00 00 dw 0h s_minor_rev_
00000440 1c bc 47 66 ddw 1CBC4766h s_lastcheck
00000444 00 00 00 00 ddw 0h s_checkinter
00000448 00 00 00 00 ddw 0h s_creator_os
0000044c 01 00 00 00 ddw 1000000h s_rev_level
00000450 00 00 dw 0h s_def_resuid
00000452 00 00 dw 0h s_def_resgid
00000454 0b 00 00 00 ddw B000000h s_first_ino
00000458 00 01 dw 1h s_inode_size
0000045a 00 00 dw 0h s_block_grou
0000045c 3c 00 00 00 ddw 3C000000h s_feature_co
00000460 c2 02 00 00 ddw C2020000h s_feature_in
00000464 6b 04 00 00 ddw 6B040000h s_feature_ro
00000468 c4 68 74 64 db db[16] s_uuid
09 46 e1 85 d1
0f 90 57 0b 7c
not fully sure about what all of these mean, but s_uuid makes me wonder if there's a way to abuse that for some sort of uac escalation. i need to test more, but i will search in the dump to see if it's called or reapeated anywhere else. its an array of bytes 16 lengthwise. s_magic looks a little silly teehee....
at memory location of 09efc543 and extending to 09efcca4 seems to be series of symbols related to math/distance and some form of calulcation. next, going deeper, this seemed interesting, but i think it's jsut part of the setup of how the firm ware works, and it seeems to set up utf and some error catching.
0ee5731f 41 42 43 ds "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrs
44 45 46
47 48 49
0ee5737e 42 61 64 ds "BadUnit~"
55 6e 69
74 7e 00
0ee57387 6f 70 65 ds "operator~"
72 61 74
6f 72 7e 00
okay werk next i was snooping around and found this ...
18000076 7c 4a 6c ds "|Jlinuxroot"
69 6e 75
78 72 6f
18000084 00 ?? 00h
18000085 00 ?? 00h
18000086 00 ?? 00h
18000087 00 ?? 00h
18000088 2f 68 6f ds "/home/legion/rootfs_mount"
6d 65 2f
6c 65 67
this seems glaringly interesting to be something related to a nfs root share?? not sure if this is how rooting is achived, but i wanted to highlight this because if it's possible to abuse this without needing to reflash the entire robot :whoag: if there is a user named legion, and they have some sorta root share, we should attempt to acccess legion. there are large portions of the dump filled with 00h btyes which i belive are nullbytes and not something i need to foucs on too much. im doign this decomp again in the air, no google. i found this string in the dump too '"RAybRAy!"', no clue what that means but maybe a password or smth dot dot dot
qucik break to put on a movie on the seatback tv (i chose twilight)
i then found a section that seems to describe debugging :woahg: :wolf_o_face:
1dffea01 2e 73 79 ds ".symtab"
6d 74 61
62 00
1dffea09 2e 73 74 ds ".strtab"
72 74 61
62 00
1dffea11 2e 73 68 ds ".shstrtab"
73 74 72
74 61 62 00
1dffea1b 2e 72 65 ds ".rela.text"
6c 61 2e
74 65 78
1dffea26 2e 72 65 ds ".rela.init.text"
6c 61 2e
69 6e 69
1dffea36 2e 72 65 ds ".rela.exit.text"
6c 61 2e
65 78 69
1dffea46 2e 6d 6f ds ".modinfo"
64 69 6e
66 6f 00
1dffea4f 2e 6e 6f ds ".note.gnu.property"
74 65 2e
67 6e 75
1dffea62 2e 6e 6f ds ".note.gnu.build-id"
74 65 2e
67 6e 75
1dffea75 2e 6e 6f ds ".note.Linux"
74 65 2e
4c 69 6e
1dffea81 5f 5f 76 ds "__versions"
65 72 73
69 6f 6e
1dffea8c 2e 69 6e ds ".init.plt"
69 74 2e
70 6c 74 00
1dffea96 2e 74 65 ds ".text.ftrace_trampoline"
78 74 2e
66 74 72
1dffeaae 2e 72 65 ds ".rela.data"
6c 61 2e
64 61 74
1dffeab9 2e 72 65 ds ".rela.gnu.linkonce.this_module"
6c 61 2e
67 6e 75
1dffead8 2e ?? 2Eh .
1dffead9 62 ?? 62h b
1dffeada 73 ?? 73h s
1dffeadb 73 ?? 73h s
1dffeadc 00 ?? 00h
1dffeadd 2e 6e 6f ds ".note.GNU-stack"
74 65 2e
47 4e 55
1dffeaed 2e 63 6f ds ".comment"
6d 6d 65
6e 74 00
1dffeaf6 2e 72 65 ds ".rela.debug_info"
6c 61 2e
64 65 62
1dffeb07 2e 64 65 ds ".debug_abbrev"
62 75 67
5f 61 62
1dffeb15 2e 72 65 ds ".rela.debug_loc"
6c 61 2e
64 65
1dffeb25 2e 72 65 ds ".rela.debug_aranges"
6c 61 2e
64 65 62
1dffeb39 2e 72 65 ds ".rela.debug_ranges"
6c 61 2e
64 65 62
1dffeb4c 2e 72 65 ds ".rela.debug_line"
6c 61 2e
64 65 62
1dffeb5d 2e 64 65 ds ".debug_str"
62 75 67
5f 73 74
1dffeb68 2e 72 65 ds ".rela.debug_frame"
6c 61 2e
64 65 62
this is addmitedly very large and also kinda consfuing to read, i cannot fully tell if they are actual lke functions, but i don't think so. they seem more than anything like some sort of classes and otherwise. immedtialy following' its a bucnh of nullbytes...until you hit this
1f3b12b0 61 76 67 ds "avg_pixels8_l2_8"
5f 70 69
78 65 6c
this seems like something that bot can use to generate it's video or intake lidar/video. the pixels makes me think of that because it could be converting them into an array to process and pool. the avergaing could be for the pooling functions...hmmmmuhc to think about ..... immedtaialy following i want to feel like i am confirmed with averaging and image generation or processing
1f3b12d2 70 75 74 ds "put_pixels8_l4_8"
5f 70 69
78 65 6c
1f3b12e3 70 75 74 ds "put_no_rnd_pixels8_l4_8"
5f 6e 6f
5f 72 6e
1f3b12fb 70 75 74 ds "put_mpeg4_qpel8_h_lowpass"
5f 6d 70
65 67 34
1f3b1315 70 75 74 ds "put_mpeg4_qpel8_v_lowpass"
5f 6d 70
65 67 34
1f3b132f 70 75 74 ds "put_mpeg4_qpel16_h_lowpass"
5f 6d 70
65 67 34
1f3b134a 70 75 74 ds "put_mpeg4_qpel16_v_lowpass"
5f 6d 70
65 67 34
after this section, it seems to keep averaging out some pixels, which again, makes me think that this part could have to do with the picture or LiDAR, but i want to find some more evidence of the LiDAR being called or used or processed. im investigatng this in order to figured out more of it's fucntionality and see how it processes certain things.
poking around in some other places, there seems to be refs to a CRON job running in the background.
anyways i found a regex string, i;ll have to search later when i have net to figure out whats itds deounggg
314f3ae0 2d 44 20 ds "-D dcn=%d -D bidx=%d -D uidx=%d%s"
64 63 6e
3d 25 64
next, i found this piece of the dump
29a6e440 74 79 70 ds "typename boost::detail::sp_member_access::
65 6e 61
6d 65 20
29a6e530 2f 75 73 ds "/usr/include/boost/smart_ptr/shared_ptr.hpp"
72 2f 69
6e 63 6c
which actually looks like our first possible reference to cyclone dds....whoa... (bella's actress is so funny in twilight omg cloes your mouth divaaa)
alarm noise alarm noise alarm noise i found a reference to the websocket......
29a6e440 74 79 70 ds "typename boost::detail::sp_member_access::
65 6e 61
6d 65 20
29a6e530 2f 75 73 ds "/usr/include/boost/smart_ptr/shared_ptr.hpp"
72 2f 69
6e 63 6c
this goes til 2c61ab59, contained with all sorts of connection information, ping timeouts, which i can assume is helpful for the network connectivity as well as the wireless-controller.cpp file that i was looking at way eariler yesterday.... this could be where it is sending outbound informaitonnn this also keeps going til, which i am not sure but the directory seems to be referening some tws (which i am not sure whaht i means but i have included my theories..)
- twilight woke switch
- tcp wireless sent
- total wireless sendings
- telnet wireless stats
2c61ad4f 09 77 73 ds "\tws_serverr6"
5f 73 65
72 76 65
after this there's some system operations, with stderr and the like, but these looked interesting. (girl someone just ugly coughed in the plane oh my godddd)
330047b9 5f 5f 67 ds "__gmon_start__"
6d 6f 6e
5f 73 74
330047c8 5f 49 54 ds "_ITM_deregisterTMCloneTable"
4d 5f 64
65 72 65
330047e4 5f 49 54 ds "_ITM_registerTMCloneTable"
4d 5f 72
65 67 69
now a little further after all these fun types of functions (perhaps?) (api calls???), there's this interesting bit
33004cdf 78 73 68 ds "xshmfence_unmap_shm"
6d 66 65
6e 63 65
33004cf3 78 63 62 ds "xcb_get_geometry"
5f 67 65
74 5f 67
33004d04 78 63 62 ds "xcb_get_geometry_reply"
5f 67 65
74 5f 67
33004d1b 78 63 62 ds "xcb_unregister_for_special_event"
5f 75 6e
72 65 67
xcb_get_geometry...why are you fetching geo...because....because..bueacse LiDAR !!!! :gasp: after that its supposed to be a series of commands and bins and whoaaa as well as things to define how to interact with the GPU and LLVM.
thats what i have so far, some functions on how it processes data n stuff. im stopping at an arch call :3, specially the memory addr of `3432b9d0`
