Pwnd Blaster: Hacking your PC using your speaker without ever touching it

In my last post, I talked about reverse engineering my new Creative Sound Blaster Katana V2X’s firmware. What initially started as simply wanting to write a Linux tool for communicating with my speaker ended up with me discovering vulnerabilities which allow any attacker within a ~15 m range of any Katana V2X to turn it into a covert spying tool and a Rubber Ducky - all without ever having to pair with or physically touch the device.

CT protocol background

As I explained in my previous post, the Katana V2X is a USB-connected PC sound bar. Being USB-connected, Creative has an app which allows you to change the settings of the speaker - the DSP, the LED configuration, the output source, and so on. To do this, they use a custom protocol called CTP (short for Creative Transport Protocol would be my guess). Basically, it seems to be a fairly simple proprietary protocol for sending various commands and reading their responses. I won’t go into much detail here, but if you’re interested, I described how it works in my last post.

What’s important to note, however, is that in order to do anything with CTP over USB, you first have to do challenge-response authentication with the device. The key is static and can be derived from the binaries that ship with the Creative App, and I’m unsure why this is even the case, but the speaker won’t accept any commands until you’ve performed authentication. Fine.

Another thing that’ll become important later is that firmware updates are also performed over CTP. That’s how I initially got my hands on a firmware image - I sniffed the USB traffic using Wireshark and extracted the data from the captures.

Firmware analysis

The firmware container, which is also proprietary but is essentially a primitive Zip file, contains three parts that are of significant value. First, there’s FBOOT, which I previously presumed to be a bootloader (hence the name), but also contains a sort of recovery mode for the speaker. This recovery mode can be entered by holding down the SOURCE button while powering the device on, and allows you to recover from a bad state. This saved my device from being bricked many times, which I’m pretty grateful for.

The second part is FMAIN, which is the main firmware of the device. This runs when you boot the device “normally”. While FBOOT implements a lot of the same functionality as FMAIN (they both handle CTP commands, for example), FMAIN is about 6.5x larger than FBOOT. Both FBOOT and FMAIN are based on a (fairly heavily-modified) version of FreeRTOS, as hinted by a string present in the binaries: /home/jieyi/mcuos2.5/kernel/freertos-8.2.3/.

The last part of note is CHK2, a SHA-256 checksum over the entire firmware container, appended at the very end. While not exactly shocking, I was still a bit surprised, considering the amount of effort that went into CTP authentication, to find that besides this CHK2 checksum, which is trivial to update after patching, there is no other protection in place for flashing firmware.

I would’ve expected to find signature checks here or at the very least a hashsum(secret_value + container_contents) type of protection, but after reimplementing the firmware upgrade functionality in my own tool v2x-ctl, I found that the device happily accepts patched firmwares as long as CHK2 is correct.
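
To make the difference concrete, here is an added example (my own model, not code from the post or from Creative) that walks the WELCOME-to-PATCHED experiment through a plain trailing SHA-256 like CHK2 and through a keyed tag of the kind the post expected; the container layout (body followed by a 32-byte tag), the sample image bytes and the key are assumptions.

```python
import hashlib
import hmac

DIGEST_LEN = 32  # SHA-256 output length; CHK2 is a SHA-256 according to the post

def split_trailer(container: bytes) -> tuple[bytes, bytes]:
    """Assumed layout: <container body> || <32-byte tag at the very end>."""
    if len(container) <= DIGEST_LEN:
        raise ValueError("container too short to carry a trailing tag")
    return container[:-DIGEST_LEN], container[-DIGEST_LEN:]

def verify_chk2(container: bytes) -> bool:
    """Integrity-only check modelled on CHK2: tag == SHA-256(body).
    Catches transfer corruption, but the tag depends only on public data."""
    body, tag = split_trailer(container)
    return hmac.compare_digest(hashlib.sha256(body).digest(), tag)

def seal_chk2(body: bytes) -> bytes:
    return body + hashlib.sha256(body).digest()

def verify_keyed(container: bytes, key: bytes) -> bool:
    """Keyed variant of the hashsum(secret_value + container_contents) idea, using
    HMAC-SHA256 rather than a bare hash over key||data (no length extension).
    Caveat: a key stored in device firmware can be pulled out the same way the CTP
    key was; a public-key signature with only the verify key on-device is stronger."""
    body, tag = split_trailer(container)
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag)

def seal_keyed(body: bytes, key: bytes) -> bytes:
    return body + hmac.new(key, body, hashlib.sha256).digest()

def tamper_outcome(vendor_key: bytes) -> dict:
    """Run the post's WELCOME -> PATCHED experiment through both schemes."""
    body = b"FBOOT\x00<boot stub>\x00FMAIN\x00WELCOME\x00"  # constructed stand-in, not a real image
    patched = body.replace(b"WELCOME", b"PATCHED")
    # Plain CHK2: the tag is recomputable from the image itself, so a patched image still verifies.
    chk2_ok = verify_chk2(seal_chk2(body))
    chk2_patched_ok = verify_chk2(seal_chk2(patched))
    # Keyed tag: without the key, the patched body can only be paired with the old tag, which fails.
    sealed = seal_keyed(body, vendor_key)
    keyed_ok = verify_keyed(sealed, vendor_key)
    keyed_patched_ok = verify_keyed(patched + sealed[-DIGEST_LEN:], vendor_key)
    return {
        "chk2_original_ok": chk2_ok,           # True
        "chk2_patched_ok": chk2_patched_ok,    # True: modification goes undetected
        "keyed_original_ok": keyed_ok,         # True
        "keyed_patched_ok": keyed_patched_ok,  # False: tampering detected
    }
```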

To test this, I made a pretty simple modification - I replaced the string WELCOME, which is shown on the segment display on the device when booting up, with PATCHED. After flashing the firmware and rebooting the device, I was happy to see my string being shown to me.

The hacker part of me thinks this is great - people should be able to do what they want with the devices they’ve bought and own. The security professional part of me thinks that having absolutely no protection in place (like having to unlock a bootloader for mobile devices) is pretty bad practice. But it’s not exactly the end of the world if you need physical access to update the device over USB. If.

Everybody loves Bluetooth

Like all “self-respecting” speakers these days, of course the Katana V2X also needs to have Bluetooth, even though it’s most likely going to spend most of its life wired up to a PC or gaming console. And of course Creative needs to have an app which lets you control the speaker’s settings and fancy LED lights from your phone over Bluetooth.

The way BLE (Bluetooth Low Energy) works is that each device has various registers (called GATT characteristics) that, if you’re connected to the device, you can write to, read, subscribe to notifications for, and so on. What’s important to note is that to connect to a device, you don’t need to (necessarily) pair with it. You can often just connect with a device and immediately start reading and writing data to characteristics. Pairing establishes encryption, but a connection can be made without it.

While digging through the Katana’s firmware, I discovered that the internal CTP handler is bridged to both USB and apparently Bluetooth. Intrigued by this, I downloaded the Creative mobile app and tried connecting to my speaker. “Please press the POWER button to pair.”

I wondered how this pairing process worked, exactly. Maybe it used the same authentication scheme as for USB and maybe I could just use the shared secret to authenticate with any speaker over Bluetooth, as was the case with my e-scooter. I set up a Bluetooth sniffing environment and observed that in order to initiate the pairing process, the phone wrote a payload like 5a 0b… to a characteristic 9e9daaec-3a10-4fe8-b69f-7397aff77886, and read a response from characteristic 9e9daaeb-3a10-4fe8-b69f-7397aff77886.

5a had me very, very suspicious, as it’s the same byte that all CTP commands start with. Out of a hunch, I connected to the device over Bluetooth from my laptop and wrote the payload 5a 09 01 02, which is the CTP command for reading the firmware version, and requires authentication to send over USB. To my surprise, upon reading the characteristic 9e9daaeb-3a10-4fe8-b69f-7397aff77886…
