Hacking Livongo Blood Glucose meter

Hello, newbie to this forum. Please let me know if this is not appropriate or if there’s a better place for it.

I just received a Livongo Connected Blood Glucose meter, and decided to try to dump its data. I’m uncomfortable with it reporting all its data to a cloud, so I immediately turn on ‘Airplane mode.’

Plugging it into my Linux Ubuntu system and running ‘dmesg’ gave:

[1291961.740887] usb 3-4: new full-speed USB device number 11 using xhci_hcd
[1291961.868438] usb 3-4: New USB device found, idVendor=0483, idProduct=5740
[1291961.868443] usb 3-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[1291961.868447] usb 3-4: Product: InTouch Virtual ComPort in FS Mode
[1291961.868449] usb 3-4: Manufacturer: LivongoHealth
[1291961.868452] usb 3-4: SerialNumber: 3439394D3039
[1291961.917341] cdc_acm 3-4:1.0: ttyACM0: USB ACM device
[1291961.917678] usbcore: registered new interface driver cdc_acm
[1291961.917680] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
[1291962.810982] usb 3-4: USB disconnect, device number 11
[1291963.091923] usb 3-4: new full-speed USB device number 12 using xhci_hcd
[1291963.219324] usb 3-4: New USB device found, idVendor=0483, idProduct=5740
[1291963.219329] usb 3-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[1291963.219333] usb 3-4: Product: InTouch Virtual ComPort in FS Mode
[1291963.219336] usb 3-4: Manufacturer: LivongoHealth
[1291963.219338] usb 3-4: SerialNumber: 3439394D3039
[1291963.220267] cdc_acm 3-4:1.0: ttyACM0: USB ACM device

I ran the terminal emulation program ‘miniterm’ with --device=/dev/ttyACM0 and the serial protocol ‘4800 8N2’ and got a ‘>’ prompt. Typing ‘help’ got me:

>help                                                                            
Command         Description                                                      
------------------------------------------                                       
factory         Set factory defaults                                             
about           Show information                                                 
date            Show current RTC date and time                                                                                                          
>date                                                                            
Mon May 10 11:48:34 2021                                                         
>about                                                                           
Version: 2.4.1                                                                   
CCID: 8901260882274736393                                                        
IMEI: 354596110757035                                                            
>

Can anyone suggest other commands to try? Does this look familiar to anything you’ve seen before?

Thanks for your help and suggestions.

-Kevin

CCID is related to Smartcard readers

IMEI is related to mobile phone routing

That’s all I got for ya though. Welcome to the forums! We have a few diabetics around here who I’m sure will be interested in your projects.

Yeah I mean on first glance it looks like a shell with the prompt set to >.
Could be protected, like sandboxed or it could be some text based menu.

My first step would be to answer “is this a real shell?”. Maybe those are real binaries you are executing.
Try ls or dir. Try echo test. Try to press tab. Try whatever really.
If you can’t determine it’s a shell, or if it’s sandboxed well or just not a real shell, you could try to inject commands (as command and as arguments to the other commands).
You could try buffer overflows, you could activate the cloud stuff and intercept the responses and inject stuff, you could try to find commands that are not shown in help…
There’s just so much to try.

Idk, it’s kinda like “how to hack stuff” at this point, maybe you’ll find something here: OTGv4. That’s kinda the nearest thing to a “how to hack stuff step by step guide”.

The ID of the phone I think. IMSI is the SIM’s ID, IMEI the phone’s ID.

@yeka, WhooHoo! ‘ls’ works:

>ls                                                                              
   Size     Date     Time     Name                                               
   665157   00/01/01 00:23:48 FW000121.PKG                                       
   380      01/05/01 01:21:20 LHBOOT.LOG                                         
D  0        00/01/01 00:25:16 L           
D  0        00/01/01 00:24:06 A           
files: 4, bytes: 665537
>dir
>cat lhboot.log
>cd L
>pwd
>ls
   Size     Date     Time     Name
   665157   00/01/01 00:23:48 FW000121.PKG
   380      01/05/01 01:21:20 LHBOOT.LOG  
D  0        00/01/01 00:25:16 L           
D  0        00/01/01 00:24:06 A           
files: 4, bytes: 665537
>cat LHBOOT.LOG
>[A
>type LHBOOT.LOG
>

I executed this after I chose the factory reset option, so it could have erased the data I entered when I tested my blood sugar this morning. I’ll test my BS again now, and see if anything changes.

Thanks so much!

-Kevin

ar ar ar windows phone BGR, I have some of these in the cupboard, lmk if you need any extra dump help

Nice! Now try to get root :slight_smile:
Wait, is this even unix like?
Whatever, looks interesting. Keep us updated.

Well, some changes:
>ls
Size Date Time Name
665157 00/01/01 00:23:48 FW000121.PKG
380 01/05/01 01:21:20 LHBOOT.LOG
D 0 00/01/01 00:25:16 L
D 0 00/01/01 00:24:06 A
D 0 21/05/10 17:23:34 M
D 0 21/05/10 17:23:34 BANNER
files: 6, bytes: 665537
>

This gave me an idea:
>ls -la
error (4): cannot f_stat file ‘-la’
>ls L
Size Date Time Name
7842 21/05/10 17:30:36 SYSLOG.LOG
files: 1, bytes: 7842
>ls A
Size Date Time Name
113 00/01/01 00:24:06 ES219.TXT
17 00/01/01 00:24:06 ES225.TXT
26 00/01/01 00:24:06 ES231.TXT
12 00/01/01 00:24:06 EN412.TXT

2 00/01/01 00:24:44 EN392.TXT
15 00/01/01 00:24:44 ES228.TXT
16 00/01/01 00:24:44 ES214.TXT
7 00/01/01 00:24:44 ES200.TXT
files: 652, bytes: 1480759
>

These seem to be configuration and screen prompt files.

This has today’s date, but still can’t dump the contents:
>ls M
Size Date Time Name
D 0 21/05/10 17:23:34 000
files: 1, bytes: 0
>[A[B
>ls M/000
Size Date Time Name
43 21/05/10 17:23:34 TEXT.MSG
files: 1, bytes: 43
>[A[B[B[
>ls M/000/TEXT.MSG
Size Date Time Name
43 21/05/10 17:23:34 TEXT.MSG
>cat M/000/TEXT.MSG
>type M/000/TEXT.MSG
>

Still trying other commands.

@yeka I do think this is Unix-like. Wasn’t there a project like ‘something-box’ that was a lightweight shell? I tried ‘su’ without success to gain root.

Thanks for the help and suggestions. Keep 'em coming.

-Kevin

Find some other commands, like try ls .. ../.. etc and then folders it shows.
I mean there has to be something that can read files… there just has to :slight_smile:

U mean busybox, no? Idk.

I’d kinda want to hop in a call with you, are you on the DT discord?

Hi, @yeka, no joy with these trials:
>ls /
error (6): cannot f_stat file ‘/’
>ls /etc
error (4): cannot f_stat file ‘/etc’
>ls …
error (6): cannot f_stat file ‘…’
>
(Those are two periods above, not three.)

Yeah, I was thinking of busybox. That’s the only lightweight shell that’s sometimes used for embedded systems that I know of.

Sorry, I’m not on discord, and I’m in the middle of getting my homework done for another class today, so no time for a call. Thanks for your offer, though.

-Kevin

When you are ready

You could try ‘env’ to show you any environment variables. Just because they are using an embedded shell doesn’t mean that they have the file systems, or any of the standard utilities of a full OS. Given that ‘ls -la’ complains about ‘-la’ not being a file, I suspect that this is a very limited implementation.

@Zwack, ‘env’ doesn’t return anything. Thanks for the idea, though.

I’m still hoping that somebody recognizes this as some sort of standard shell or OS, that’ll have some documentation that I can use to explore it.

-Kevin

Thanks, that tells me it is probably not a common standard Unix/Linux shell. (Env is usually a built in)

That doesn’t rule out a standard kernel, but there are a couple of hundred rtos options to wade through.
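
An added example, not part of any post in this thread: a small Python parser for the captured meter output that checks each listing against its `files: N, bytes: N` footer (a mismatch means the capture was cut short) and labels the numeric error codes. The code table assumes the `f_stat` named in the error text is the FatFs library call of that name, which the thread does not confirm; under that assumption error 4 reads as FR_NO_FILE and error 6 as FR_INVALID_NAME. The function and variable names are made up for this example.

```python
import re

# FRESULT codes as defined in FatFs's ff.h. Assumption: the firmware's
# "f_stat" is the FatFs call of that name; the thread does not confirm this.
FRESULT = {0: "FR_OK", 1: "FR_DISK_ERR", 2: "FR_INT_ERR", 3: "FR_NOT_READY",
           4: "FR_NO_FILE", 5: "FR_NO_PATH", 6: "FR_INVALID_NAME",
           7: "FR_DENIED", 8: "FR_EXIST", 9: "FR_INVALID_OBJECT"}

# Optional "D" flag, size, YY/MM/DD date, HH:MM:SS time, 8.3 name.
ENTRY = re.compile(r"^\s*(D)?\s*(\d+)\s+(\d\d/\d\d/\d\d)\s+(\d\d:\d\d:\d\d)\s+(\S+)\s*$")
TOTAL = re.compile(r"^files:\s*(\d+),\s*bytes:\s*(\d+)")
ERROR = re.compile(r"^error \((\d+)\): cannot f_stat file\s+(.+)$")

def parse_capture(text):
    """Parse one captured block of meter output.

    Returns (entries, totals_ok, errors); totals_ok is None without a footer.
    """
    entries, errors, totals_ok = [], [], None
    for line in text.splitlines():
        if m := ENTRY.match(line):
            entries.append({"dir": m[1] == "D", "size": int(m[2]),
                            "date": m[3], "time": m[4], "name": m[5]})
        elif m := TOTAL.match(line):
            # Directories are listed with size 0 and are counted in "files".
            totals_ok = (int(m[1]) == len(entries) and
                         int(m[2]) == sum(e["size"] for e in entries))
        elif m := ERROR.match(line):
            code = int(m[1])
            # Strip the straight or curly quotes the shell puts around the name.
            errors.append((m[2].strip(" '\u2018\u2019"), code,
                           FRESULT.get(code, "unknown")))
    return entries, totals_ok, errors

# Lines copied from the session output posted in the thread.
ROOT_LISTING = """\
   Size     Date     Time     Name
   665157   00/01/01 00:23:48 FW000121.PKG
   380      01/05/01 01:21:20 LHBOOT.LOG
D  0        00/01/01 00:25:16 L
D  0        00/01/01 00:24:06 A
files: 4, bytes: 665537
"""
ERRORS = ">ls -la\nerror (4): cannot f_stat file \u2018-la\u2019\n" \
         ">ls /\nerror (6): cannot f_stat file \u2018/\u2019\n"

if __name__ == "__main__":
    entries, ok, _ = parse_capture(ROOT_LISTING)
    print(len(entries), "entries, totals consistent:", ok)
    for arg, code, name in parse_capture(ERRORS)[2]:
        print(f"{arg!r}: error {code} -> {name}")
```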