HackerTrans
TopNewTrendsCommentsPastAskShowJobs

DesktopECHO

no profile record

Submissions

Sometimes the best SBC is the one already gathering dust in your desk drawer

old.reddit.com
15 points·by DesktopECHO·3 yıl önce·2 comments

XRDP with H.264 codec brings immense performance boost

old.reddit.com
84 points·by DesktopECHO·3 yıl önce·19 comments

The situation with malware on Android TV ROMs is ridiculous

old.reddit.com
27 points·by DesktopECHO·3 yıl önce·6 comments

WSL1 Is Dying from Neglect

4 points·by DesktopECHO·3 yıl önce·2 comments

T95 Allwinner T616 Malware Analysis

github.com
221 points·by DesktopECHO·4 yıl önce·72 comments

Owner of an Android TV box? May want to check if it's an active botnet member...

forum.xda-developers.com
6 points·by DesktopECHO·4 yıl önce·1 comments

comments

DesktopECHO
·3 yıl önce·discuss
If anyone on Windows would like to see what performance is like, I updated my WSL installer scripts to use this version of XRDP.

Ubuntu XFCE: https://github.com/DesktopECHO/xWSL

KDE Neon: https://github.com/DesktopECHO/kWSL

Kali: https://github.com/DesktopECHO/Kali-xRDP

These scripts will build a complete RDP-accessible Linux desktop environment in WSL. A GPU isn't needed to see a significant performance gain over 'stock' XRDP.
DesktopECHO
·3 yıl önce·discuss
I don't see anything with regards to inclusion of the Clear Codec (RDP8.1 + H.264) in Fedora builds.

If there is evidence indicating this is actually the case, please let me know.
DesktopECHO
·3 yıl önce·discuss
That's client side. FreeRDP needs H.264 libraries to work with this branch of XRDP. Apparently, Ubuntu and variants do not include this in their FreeRDP builds, good to know it's in Debian though.

(MSTSC.EXE and the official macOS RDP client already have H.264 support built-in)
DesktopECHO
·3 yıl önce·discuss
I believe your writeup is about enabling Glamor; it does not do anything to enable the H.264 "Clear Codec" branch of XRDP.

Apologies in advance if I'm wrong here, please correct me if I'm mistaken :)
DesktopECHO
·3 yıl önce·discuss
https://github.com/DesktopECHO/T95-H616-Malware#25-apr-2023-...

> Thanks to Tanner at LTT for letting me review his findings - It appears the scope of this issue is much bigger than expected; many Android TV Boxes with the AllWinner H616, H618 and RockChip RK3328 feature the "Corejava" C2 Bootstrap.
DesktopECHO
·4 yıl önce·discuss
Not this one.

> Nope. While basic Linux support is slowly materializing, two major blockers are still at the same spot - HDMI audio (no useful driver) and bug in display driver (big code change may be required to fix it).

https://forum.libreelec.tv/thread/24275-allwinner-h616-suppo...
DesktopECHO
·4 yıl önce·discuss
Clearly you never saw the original title before it was changed by the mods, but believe whatever you like.
DesktopECHO
·4 yıl önce·discuss
Wow sorry to hear that. If you can, check if the device is still available over ADB. If it is, try re-running the script.

Not sure what happened in your case, I flashed many ROMs and ran the script against them to see if anything bad would happen. No issues.

In any case it won't be a Hard Brick. Power off, hold [volume-up] insert power jack and tap the [power] button 10 times. (I think. I lost my remote ages ago and can't check.)
DesktopECHO
·4 yıl önce·discuss
I'm with you on that. There are efforts underway to get plain-old Linux running, but it's some time away as this chip only went into mainline as of kernel 6.0
DesktopECHO
·4 yıl önce·discuss
I'm not going to try and change your mind, just sayin' that seems like a really bad idea.
DesktopECHO
·4 yıl önce·discuss
Thanks for this fascinating insight. The jankyness you describe lines-up exactly with what I'm seeing here.

If H616 was the mainstream/volume chip box to have in 2021, then I'm super-interested to see what their 2023 H618 boxes look like. They are all over Amazon with loads of reviews on YouTube, just like its predecessor.

Considering the interest this write-up has generated I'm inclined get one and 'take the bullet' to see if this behaviour is continues. Given your insight about how these chips get sold, chances seem quite high.
DesktopECHO
·4 yıl önce·discuss
These boxes identify themselves as a Google Pixel 2 (walleye) because, reasons!
DesktopECHO
·4 yıl önce·discuss
I'm not too surprised, as the malware goes out of its way to use ycxrl.com -- Going to extents like using 8.8.8.8 instead of the default DNS server, and trying a DNS server on port 5353.

Using those techniques, nobody would get a chance to see this second fall-back.

EDIT to clarify: Thanks for listing this, it's definately good to list these addresses as 'bad' for others to be aware, but DNS blocking won't slow down this malware, not even a bit.

Here's what it took for me to see cbpheback.com -- Install Pi-hole on the Android device and add these rules to iptables:

  adb shell iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to 127.0.0.1:53
  adb shell iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to 127.0.0.1:53
  adb shell iptables -t nat -A OUTPUT -p tcp --dport 5353 -j DNAT --to 127.0.0.1:53
  adb shell iptables -t nat -A OUTPUT -p udp --dport 5353 -j DNAT --to 127.0.0.1:53
DesktopECHO
·4 yıl önce·discuss
Title was changed by the mods so that's how it stays! :)
DesktopECHO
·4 yıl önce·discuss
Thanks for the guidance here. Where I'm really stuck is when tcpdump tells me about the presence of the offending traffic and correlating process. In this case, it's the Android "system_server" process and I'm not sure how to find the hook into it that downloads the malware.

In hindsight I should have made this an Ask HN post...
DesktopECHO
·4 yıl önce·discuss
Funny you mention it, as it also had ADUPS. By itself, I can deal with that.

Actually it more resembles the CopyCat malware. My challenge is finding the hook in system_server that downloads the payload from C2.

* https://www.checkpoint.com/downloads/resources/copycat-resea...
DesktopECHO
·4 yıl önce·discuss
Fair point, thanks. Added AliExpress.
DesktopECHO
·4 yıl önce·discuss
Yeah only the primary server seems to be on blocklists. The malware uses 3 DNS addresses, all on Linode.

Not that it matters, as the malware uses 8.8.8.8 if it doesn't like the DNS reply -- Then it tries a DNS server on port 5353!
DesktopECHO
·4 yıl önce·discuss
Follow-up to my earlier report about the stock firmware on these Android TV devices, with a script to de-fang Stage 0 by preventing the payload from downloading (chattr +i FTW!)
DesktopECHO
·4 yıl önce·discuss
I went the Linux Deploy route and published a couple of container images that Just Work on pretty much any ARM Android device.

Once you shiv systemd, some pretty elaborate scripts can run in an Android chroot just like they would on bare-metal ARM. Just think of your old Android as an off-brand rPi with case, built-in touchscreen LCD, and way, way fewer GPIO pins. No surprise the server will need a new UPS battery.

NextCloudDroid: https://github.com/DesktopECHO/nextcloudpi Pi-hole for Android: https://github.com/DesktopECHO/Pi-hole-for-Android