Pseudonymous security researcher Marcel, of MGD Productions, has shown how an off-the-shelf locked-down terminal used for online restaurant ordering could be jailbroken — with a simple Near-Field Communication (NFC) card.
“I found this one on a local market for $25, so I instantly snagged it up,” Marcel explains of the T-Connect, a desktop tablet used by Takeaway.com and Just Eat for restaurants to handle online orders. “After it booted up, it showed an activation screen. Looks like the previous owner has logged out. We can't do much from this screen, either call the number to activate it, or go to the Wi-Fi settings. Since I don't own a restaurant (shocker, I know) I'm sure that they will refuse to activate this, so Wi-Fi settings it is!”
From locked-down restaurant terminal to a desktop Android tablet — in a single swipe of an NFC card. (📷: MGD Productions)
Accessing the Wi-Fi configuration menu brings up a screen that will be familiar to anyone who has used embedded devices built on Google's Android, which gave Marcel a few ideas for how to bypass the login screen. Unfortunately, while the Wi-Fi menu provides access to a file picker for the installation of a certificate file, it proved a dead end — as did attempts to connect the device to a captive portal.
Investigating the hardware revealed two USB ports, an Ethernet port, an antenna connection, and a power input. Connecting a keyboard and using Alt-Tab brought up Android's app switcher, which in turn allowed Marcel to discover the version of Android on the device: the somewhat outdated Android 6. Internal investigation unveiled debug pins that could prove useful, but Marcel noticed something else of interest: an NFC reader.
“I tried to Android Beam some things over and it actually did pick it up and beamed the file over,” Marcel says, “however I still couldn't use them because I didn't have access to a full file picker. Then, 130km.ro on XDA [Developers forum] found out that NFC tags work to open an app? I never heard of this before but apparently, yes, it is possible to make an NFC card open any app you want!”
Once unlocked, Marcel was able to find another method to jailbreak the device: a hard-coded PIN. (📷: MGD Productions)
Writing a card to access the full Android Settings app, Marcel was able to disable kiosk mode and restore the Android status bar and navigation bar. Initial attempts to install custom software failed with an error, which required additional investigation — revealing the hidden presence of the file manager from the CyanogenMod third-party Android ROM project, which proved able to install any app directly from an APK.
Marcel's final discovery: a hard-coded PIN that can be entered by tapping the screen on the bottom-left four times, which provides an administration menu to unlock the tablet — no NFC card required.
The full write-up is available on the MGD Productions blog.