This repository contains scripts, notes, and dumps of the Petlibro Pet Feeder model PLAF203.
By utilizing the SD card slot, one can place a bash script named tmp_test.sh at the root of the SD card. This script will run with root privileges, allowing us to extract information about the system using this debug feature.
There are two methods to gain root access to the device without physically opening it. The simpler approach involves checking if the telnet port (21) is open and attempting to connect using the username root and password AK2040jk.
For those interested in a more detailed explanation of my access method, it involved leveraging the device's boot sequence flow and introducing a custom bash script via the SD card. By placing a bash script named tmp_test.sh at the root of the SD card and powering on the device from a powered-off state, the script is executed during boot.
Since we intercept the boot sequence flow, certain considerations are necessary. Initially, when using a bash script from the SD card, the device lacks network connectivity until later in the boot process. We can leverage existing scripts on the device to manually establish network connections. Using the built-in BusyBox command nc (netcat), we can create a reverse tunnel. By running netcat on another computer on the network and listening for incoming tunnel requests, modifying tmp_test.sh enables us to connect the device to Wi-Fi and establish a temporary reverse tunnel. This grants root access on the computer listening for tunnel requests. However, note that this tunnel is transient; it needs to be re-established if netcat is exited or the device is rebooted.
Through the reverse tunnel, we gain access to the /etc/shadow file, which contains hashed passwords for users, including root. Tools like hashcat can then be used to crack these hashed passwords.
-
rcS - file_system/etc/init.d/rcS
- inittab - file_system/etc/inittab - Controls the init process.
-
app_init.sh - file_system/system/init/app_init.sh
-
upgrade_on_sdcard.sh - file_system/usr/sbin/upgrade_on_sdcard.sh
tmp_test.shwill be called if the file exists in/mnt/config/record
-
start_tuya_ipc.sh - file_system/usr/sbin/start_tuya_ipc.sh
Early on in the PLAF203 release, there were reported issues with WiFi on some customers' networks. Due to these issues, Petlibro released instructions on how to manually update the firmware. This gives us insight into the update process and potential access points to the device.
Please refer to the README.md for detailed instructions.
Within the root of this repository, you will encounter several folders containing valuable insights into the Petlibro Pet Feeder (PLAF203) device.
-
file_system: This directory houses a dump of the device's file system. It includes numerous intriguing bash scripts and binaries that I explored extensively to unravel the device's operations. Please explore it yourself to delve into the inner workings of the device. Certain files such as tuya_config.txt and wpa_conf have been censored to protect sensitive information such as usernames and passwords.
-
findings: This folder contains dumps of various information about the device, including details about running processes, available executables, NAND partitions, firmware dumps, and more.
-
test_scripts: Here you will find bash scripts I developed to extract diverse information from the device. While functional, these scripts may require adjustments for specific use cases. They represent initial efforts and are open to contributions via pull requests (PRs) aimed at improving their structure and efficiency.
My primary objectives include exposing a local camera feed using protocols like RTSP and enhancing the local API to better control the capabilities of the pet feeder. It appears that some features of the pet feeder may already be accessible via Home Assistant through the Tuya integration.
Regardless, my ultimate goals revolve around making the camera feed accessible and developing an API that seamlessly integrates with Home Assistant.
While there is a wealth of information available online about similar devices, specific details on this particular device, the Petlibro Pet Feeder (PLAF203), are relatively scarce. When I initially started exploring this device, there were no dedicated articles available. However, I recently came across a blog post discussing interesting findings about this device.
One notable discovery from the blog post is the ability to trigger the device's motor to dispense food using a command like:
echo -en "\x55\xaa\x03\x01\x00\x01\x01\x05" > /dev/ttySAK1You can read more about this discovery from the author's blog post: SNHack Attack: How Hackers Could Turn Your Smart Pet Feeder into an All-You-Can-Eat Buffet
-
cttyhack - Provides a program with a controlling tty if possible.
-
login - Initiates a new session on the system.
-
netstat - Displays networking information.
-
init - Provides insights into how BusyBox starts up a system.
-
switch_root - Frees initramfs and switches to another root filesystem.
-
syslogd - System logging daemon.
-
cryptpw - Prints crypt hashed password.
-
ftpget - Retrieves a remote file via FTP.
-
ftpput - Stores a local file on a remote machine via FTP.
-
hexdump - Displays file contents in hexadecimal, decimal, octal, or ASCII.
-
mkpasswd - Prints crypt(3) hashed password.
-
nc - Allows arbitrary TCP and UDP connections and listens.
-
passwd - Changes the owner or a user's password.
-
pscan - Scans a host and prints all open ports.
-
tcpsvd - Creates a TCP socket, binds it to an IP and port, and listens.
-
telnet - Connects to a telnet server.
-
tftp - Transfers a file from/to a TFTP server.
-
udpsvd - Creates a UDP socket, binds it to an IP and port, and waits.
-
wget - Retrieves files via HTTP or FTP.
-
inetd - Listens for network connections and launches programs.
-
telnetd - Telnet server. Handles incoming Telnet connections.
-
tftpd - Transfers a file on a TFTP client's request.
-
uname - Print system information.
-
df - Report file system disk space usage.
-
mpstat - Report processors related statistics.
-
stat - Display file or file system status.
-
iostat - Report Central Processing Unit (CPU) and Input/Output statistics.
-
blkid - Locate/print block device attributes.
-
du - Estimate file space usage.
-
free - Display amount of free and used memory in the system.
-
groups - Print group memberships for each user.
-
hostid - Print the numeric identifier for the current host.
-
id - Print real and effective user and group IDs.
-
lsof - List open files.
-
lsusb - List USB devices.
-
top - Display Linux tasks.
-
whoami - Print effective username.