Editing NetLiteII

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 5: Line 5:
<pre>
<pre>
Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-05-09 20:40 PDT
Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-05-09 20:40 PDT
Interesting ports on 192.168.3.157 (old: 172.30.0.107):
Interesting ports on 172.30.0.107:
Not shown: 997 closed ports
Not shown: 997 closed ports
PORT    STATE SERVICE
PORT    STATE SERVICE
Line 11: Line 11:
80/tcp  open  http
80/tcp  open  http
700/tcp open  unknown
700/tcp open  unknown
</pre>
<pre>
Starting Nmap 4.20 ( http://insecure.org ) at 2009-09-25 19:18 PDT
Interesting ports on 192.168.3.157:
Not shown: 1485 closed ports
PORT    STATE        SERVICE
69/udp  open|filtered tftp
137/udp open|filtered netbios-ns
161/udp open|filtered snmp
MAC Address: 00:00:E0:BC:2C:9B (Quadram)
</pre>
</pre>


*Telnet port is open and connects without password.  Once connected, typing "Logon=" gives you access to more settings.
*Telnet port is open and connects without password.  Once connected, typing "Logon=" gives you access to more settings.
<pre>
SYMON NetLite II, Ver 2.60(181.21) 16x128 (Boot:175.01-S3d.BFE.fd13)
  System up time = 01:55:23
    Waiting On Connection
Statistics:                        Memory:  31195120
  recvd packets =        0          used =  1324544(  4.2%)
    bad packets =        0          free =  29870576( 95.7%)
  queued packets =        0          blks = 4/264
  bytes received =        4          Msgs = 8


                                  Refresh =  63Hz
Serial Number  = 00.00.E0.BC.2C.9B  Name = Llama
    IP Address = 172.30.0.107        DHCP = 172.30.0.1
    Subnet Mask = 255.255.255.0        DNS = 172.30.0.1
Default Gateway = 172.30.0.1
CMD:
</pre>
*"help" (after "logon=") outputs:
<pre>
CMD's = Set Ip=n.n.n.n, Set SubNetMask=n.n.n.n, Set DHCP
        Set Gateway=n.n.n.n, Set WINS=n.n.n.n[, n.n.n.n], Set DNS=n.n.n.n,
        Set Name=name, Set Password=password,
        Help Wireless, Help SNTP, LogOff, Exit, Reset, Help
        Show BOOT|FONT|APPL|ANIMATION|SNTP|WIRELESS
        Ping n.n.n.n, Arp, Clear
        CTRL-R = refresh display, CTRL-S = switch statistics, CTRL-D = exit
</pre>
*Communication with the sign is over port 700, but protocol is unknown and probably proprietary
*Appears to require proprietary [http://symon.com/index.asp?bid=146 Symon Enterprise Server software] in order to display messages.
*Appears to require proprietary [http://symon.com/index.asp?bid=146 Symon Enterprise Server software] in order to display messages.
*It is running a TFTP server
*It's running a web server for configuring things. Running Micro-Web


*Outdated setup manual for an old model: [http://209.85.173.132/search?q=cache:C969mUrZIagJ:foorum.hinnavaatlus.ee/download.php%3Fid%3D1984%26sid%3Da8c3da9e2b2d42e480e01fcb23ce502a+Symon+NetLIte+II+sign+hack&cd=2&hl=en&ct=clnk&gl=us]
*Outdated setup manual for an old model: [http://209.85.173.132/search?q=cache:C969mUrZIagJ:foorum.hinnavaatlus.ee/download.php%3Fid%3D1984%26sid%3Da8c3da9e2b2d42e480e01fcb23ce502a+Symon+NetLIte+II+sign+hack&cd=2&hl=en&ct=clnk&gl=us]


*Other Mentions: [http://www.avayausers.com/showthread.php?t=16300] [http://groups.google.com/group/symon-digital-signage/msg/6b7f54362da8125e?pli=1] (already emailed user)
*Other Mentions: [http://www.avayausers.com/showthread.php?t=16300] [http://groups.google.com/group/symon-digital-signage/msg/6b7f54362da8125e?pli=1] (already emailed user)
== Hardware ==
* Running on an ARM-based Sharp SOC (Sharp LH7A400-N0B)
* Marked "Symon Communications / 201-1700-A01 / Rev D / 12/03/03"
* 20-pin header marked "JTAG" -- presumably regular 20-pin ARM JTAG.
* Some photos of the board [http://www.flickr.com/photos/thejof/tags/symon/ here] from [[User:Jof|jof]]
* [http://www.flickr.com/photos/edrabbit/sets/72157617917163530/ Photos from edrabbit]
* On-board flash -- 2x Sharp LH28F320BFE. Datasheet: [[Image:SharpLH28F320BFE.pdf]]
* On-board SDRAM -- 2x Samsung K4S281632F. Datasheet: [[Image:SamsungK4S281632F.pdf]]
== Observations ==
* The sign appears to reboot if you write a null byte '\x00' to port 700
* The read only snmp community is "public".
== Location ==
It's on the shop wall next to the mooninite. It has a network address and a usb cable hanging down next to the SIP phone. You can see the IP address on the display. Pwn it.
[[Category:Pages with a Noisebridge Tiny URL]]
Please note that all contributions to Noisebridge are considered to be released under the Creative Commons Attribution-NonCommercial-ShareAlike (see Noisebridge:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following CAPTCHA:

Cancel Editing help (opens in new window)