NetLiteII: Difference between revisions

From Noisebridge
Jump to navigation Jump to search
No edit summary
m (nburl)
(11 intermediate revisions by 6 users not shown)
Line 1: Line 1:
*Symon NetLite II [http://symondacon.com/content/view/122/267/]
*Symon NetLite II [http://symondacon.com/content/view/122/267/]
* [http://www.flickr.com/photos/edrabbit/sets/72157617917163530/ Photos]
 
*Has DHCP client and grabs an IP address with no problem
*Has DHCP client and grabs an IP address with no problem


<pre>
<pre>
Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-05-09 20:40 PDT
Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-05-09 20:40 PDT
Interesting ports on 172.30.0.107:
Interesting ports on 192.168.3.157 (old: 172.30.0.107):
Not shown: 997 closed ports
Not shown: 997 closed ports
PORT    STATE SERVICE
PORT    STATE SERVICE
Line 11: Line 11:
80/tcp  open  http
80/tcp  open  http
700/tcp open  unknown
700/tcp open  unknown
</pre>
<pre>
Starting Nmap 4.20 ( http://insecure.org ) at 2009-09-25 19:18 PDT
Interesting ports on 192.168.3.157:
Not shown: 1485 closed ports
PORT    STATE        SERVICE
69/udp  open|filtered tftp
137/udp open|filtered netbios-ns
161/udp open|filtered snmp
MAC Address: 00:00:E0:BC:2C:9B (Quadram)
</pre>
</pre>


Line 48: Line 59:
*Appears to require proprietary [http://symon.com/index.asp?bid=146 Symon Enterprise Server software] in order to display messages.
*Appears to require proprietary [http://symon.com/index.asp?bid=146 Symon Enterprise Server software] in order to display messages.
*It is running a TFTP server
*It is running a TFTP server
*It's running a web server for configuring things. Running Micro-Web


*Outdated setup manual for an old model: [http://209.85.173.132/search?q=cache:C969mUrZIagJ:foorum.hinnavaatlus.ee/download.php%3Fid%3D1984%26sid%3Da8c3da9e2b2d42e480e01fcb23ce502a+Symon+NetLIte+II+sign+hack&cd=2&hl=en&ct=clnk&gl=us]
*Outdated setup manual for an old model: [http://209.85.173.132/search?q=cache:C969mUrZIagJ:foorum.hinnavaatlus.ee/download.php%3Fid%3D1984%26sid%3Da8c3da9e2b2d42e480e01fcb23ce502a+Symon+NetLIte+II+sign+hack&cd=2&hl=en&ct=clnk&gl=us]


*Other Mentions: [http://www.avayausers.com/showthread.php?t=16300] [http://groups.google.com/group/symon-digital-signage/msg/6b7f54362da8125e?pli=1] (already emailed user)
*Other Mentions: [http://www.avayausers.com/showthread.php?t=16300] [http://groups.google.com/group/symon-digital-signage/msg/6b7f54362da8125e?pli=1] (already emailed user)
== Hardware ==
* Running on an ARM-based Sharp SOC (Sharp LH7A400-N0B)
* Marked "Symon Communications / 201-1700-A01 / Rev D / 12/03/03"
* 20-pin header marked "JTAG" -- presumably regular 20-pin ARM JTAG.
* Some photos of the board [http://www.flickr.com/photos/thejof/tags/symon/ here] from [[User:Jof|jof]]
* [http://www.flickr.com/photos/edrabbit/sets/72157617917163530/ Photos from edrabbit]
* On-board flash -- 2x Sharp LH28F320BFE. Datasheet: [[Image:SharpLH28F320BFE.pdf]]
* On-board SDRAM -- 2x Samsung K4S281632F. Datasheet: [[Image:SamsungK4S281632F.pdf]]
== Observations ==
* The sign appears to reboot if you write a null byte '\x00' to port 700
* The read only snmp community is "public".
== Location ==
It's on the shop wall next to the mooninite. It has a network address and a usb cable hanging down next to the SIP phone. You can see the IP address on the display. Pwn it.
[[Category:Pages with a Noisebridge Tiny URL]]

Revision as of 04:04, 7 August 2012

  • Symon NetLite II [1]
  • Has DHCP client and grabs an IP address with no problem
Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-05-09 20:40 PDT
Interesting ports on 192.168.3.157 (old: 172.30.0.107):
Not shown: 997 closed ports
PORT    STATE SERVICE
23/tcp  open  telnet
80/tcp  open  http
700/tcp open  unknown
Starting Nmap 4.20 ( http://insecure.org ) at 2009-09-25 19:18 PDT
Interesting ports on 192.168.3.157:
Not shown: 1485 closed ports
PORT    STATE         SERVICE
69/udp  open|filtered tftp
137/udp open|filtered netbios-ns
161/udp open|filtered snmp
MAC Address: 00:00:E0:BC:2C:9B (Quadram)
  • Telnet port is open and connects without password. Once connected, typing "Logon=" gives you access to more settings.
SYMON NetLite II, Ver 2.60(181.21) 16x128 (Boot:175.01-S3d.BFE.fd13)
  System up time = 01:55:23
     Waiting On Connection
Statistics:                         Memory:   31195120 
   recvd packets =         0          used =   1324544(  4.2%) 
     bad packets =         0          free =  29870576( 95.7%) 
  queued packets =         0          blks = 4/264
  bytes received =         4          Msgs = 8 


                                   Refresh =   63Hz 
Serial Number   = 00.00.E0.BC.2C.9B   Name = Llama
     IP Address = 172.30.0.107        DHCP = 172.30.0.1
    Subnet Mask = 255.255.255.0        DNS = 172.30.0.1
Default Gateway = 172.30.0.1

CMD: 
  • "help" (after "logon=") outputs:
CMD's = Set Ip=n.n.n.n, Set SubNetMask=n.n.n.n, Set DHCP
        Set Gateway=n.n.n.n, Set WINS=n.n.n.n[, n.n.n.n], Set DNS=n.n.n.n,
        Set Name=name, Set Password=password, 
        Help Wireless, Help SNTP, LogOff, Exit, Reset, Help
        Show BOOT|FONT|APPL|ANIMATION|SNTP|WIRELESS
        Ping n.n.n.n, Arp, Clear
        CTRL-R = refresh display, CTRL-S = switch statistics, CTRL-D = exit
  • Communication with the sign is over port 700, but protocol is unknown and probably proprietary
  • Appears to require proprietary Symon Enterprise Server software in order to display messages.
  • It is running a TFTP server
  • It's running a web server for configuring things. Running Micro-Web
  • Outdated setup manual for an old model: [2]
  • Other Mentions: [3] [4] (already emailed user)

Hardware

  • Running on an ARM-based Sharp SOC (Sharp LH7A400-N0B)
  • Marked "Symon Communications / 201-1700-A01 / Rev D / 12/03/03"
  • 20-pin header marked "JTAG" -- presumably regular 20-pin ARM JTAG.
  • Some photos of the board here from jof
  • Photos from edrabbit
  • On-board flash -- 2x Sharp LH28F320BFE. Datasheet: File:SharpLH28F320BFE.pdf
  • On-board SDRAM -- 2x Samsung K4S281632F. Datasheet: File:SamsungK4S281632F.pdf

Observations

  • The sign appears to reboot if you write a null byte '\x00' to port 700
  • The read only snmp community is "public".

Location

It's on the shop wall next to the mooninite. It has a network address and a usb cable hanging down next to the SIP phone. You can see the IP address on the display. Pwn it.