  1. I am curious if anyone has gotten the Inject Raw Frames feature at the bottom of the PineAP page to work. I have tried several different frame types and attempted to receive the transmission from several different boxes (Mint Linux running on a VM and Pentoo running on my laptop). I have PineAP running with no other options on and a fresh firmware load.

    I am attempting to send an RTS frame. I copied the hex from Wireshark as it appears below.


    The Inject Raw Frame module then said to take out the radio header information, which I did.


    The frame breaks out as follows:

    b4 = Type/Subtype
    a200 = Duration
    84fcacffffff = Recv MAC address
    3c3786ffffff = Transmitting MAC Address

    Every time I click Inject Frame, I see nothing on either receiving unit. I see plenty of traffic, just not these frames. I have these receiving hosts set to the same channel and they are both in promiscuous mode.

    If anyone can pick out what I'm doing wrong, I'd love to know, or if you have an example that has worked for you, I'd love to see that as well. Thanks for your help.
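The field layout listed in the post above, as an added example (not part of the original post and not Hak5 code): a parser that validates a bare RTS frame after the radio header has been removed. The Frame Control flags byte `00` and the 8-byte radiotap header are constructed assumptions, since the post's hex dump is not on the page; the function names are illustrative.

```python
import struct
import zlib

RTS_HEADER_LEN = 16   # Frame Control (2) + Duration (2) + RA (6) + TA (6)
FCS_LEN = 4           # CRC-32 trailer, present in some captures
TYPE_CONTROL = 1
SUBTYPE_RTS = 0xB


def mac(raw):
    """Format 6 raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)


def strip_radiotap(capture):
    """Drop a leading radiotap header, using its little-endian length field."""
    if len(capture) < 8:
        raise ValueError("too short to hold a radiotap header")
    version, _pad, length = struct.unpack_from("<BBH", capture, 0)
    if version != 0 or length < 8 or length > len(capture):
        raise ValueError("bytes do not start with a radiotap header")
    return capture[length:]


def parse_rts(frame):
    """Parse a bare 802.11 RTS frame, with or without a trailing FCS."""
    if len(frame) == RTS_HEADER_LEN + FCS_LEN:
        body, fcs = frame[:RTS_HEADER_LEN], frame[RTS_HEADER_LEN:]
        if struct.unpack("<I", fcs)[0] != zlib.crc32(body):
            raise ValueError("trailing 4 bytes are not a valid FCS")
        fcs_present = True
    elif len(frame) == RTS_HEADER_LEN:
        body, fcs_present = frame, False
    else:
        raise ValueError(
            f"RTS is 16 bytes (20 with FCS), got {len(frame)}")

    # Frame Control is two bytes: type/subtype byte, then a flags byte.
    fc0, flags, duration = struct.unpack_from("<BBH", body, 0)
    version, ftype, subtype = fc0 & 0x3, (fc0 >> 2) & 0x3, fc0 >> 4
    if version != 0 or ftype != TYPE_CONTROL or subtype != SUBTYPE_RTS:
        raise ValueError(f"frame control byte 0x{fc0:02x} is not RTS")

    return {
        "subtype": "RTS",
        "flags": flags,
        "duration_us": duration,          # a2 00 on the wire -> 0x00a2
        "ra": mac(body[4:10]),            # receiver address
        "ta": mac(body[10:16]),           # transmitter address
        "fcs_present": fcs_present,
    }


# The four fields exactly as listed in the post: 15 bytes in total.
FIELDS_AS_LISTED = bytes.fromhex("b4" "a200" "84fcacffffff" "3c3786ffffff")
# Same fields with the Frame Control flags byte (assumed 00): 16 bytes.
RTS_WITH_FLAGS = bytes.fromhex("b400" "a200" "84fcacffffff" "3c3786ffffff")
# Constructed minimal radiotap header: version 0, pad 0, length 8, no fields.
RADIOTAP_MIN = bytes.fromhex("0000080000000000")

if __name__ == "__main__":
    print(parse_rts(strip_radiotap(RADIOTAP_MIN + RTS_WITH_FLAGS)))
    try:
        parse_rts(FIELDS_AS_LISTED)
    except ValueError as err:
        print("rejected:", err)
```
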

  2. I've finally got it working! But it's an unusable solution for the field. I opened it up and used the serial connection header to connect to check the wireless interface. I fully connected the device with the microSD card inserted and plugged through an HDMI connection.

    The results of looking at the network interfaces were as follows after a full boot:

    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN qlen 1000
        link/ether 00:10:20:30:40:50 brd ff:ff:ff:ff:ff:ff
    3: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN
        link/gre brd
    4: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN qlen 1000
        link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    5: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
        link/ether 74:ee:2a:a9:16:9e brd ff:ff:ff:ff:ff:ff
    6: p2p0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
        link/ether 76:ee:2a:a9:16:9e brd ff:ff:ff:ff:ff:ff

    wlan0 wasn't coming up. Right now the microSD card in the crab has a config file that is only programmed to set up the wireless capability. The device.config file is present as well.

    The strange thing is that if you run 'ip link set wlan0 up,' nothing happens, but if you run 'ip link set wlan0 down', the interface springs to life and connects to the AP. Unfortunately, whatever script that was supposed to trigger the c2 functionality had already passed.

    So I rebooted the device and waited until this spot where the booting process slows down:

    [   20.840703] audit: auditd disappeared
    [   21.304272] init: avc:  denied  { set } for property=tmp.exec_ubus scontext=u:r:system_app:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
    [   21.424438] init: avc:  denied  { set } for property=tmp.exec_ubus scontext=u:r:realtek:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service

    At this point I typed in 'ip link set wlan0 down' quite quickly. A couple seconds later, cloudc2 picked up the callback and all was well.  So it works, but only on my lab bench top as it is impractical to have the device open in the field for installation.

    I don't know much about OpenWRT right now, but I suspect some kind of boot file needs to be re-written. The unfortunate thing is I can't seem to get vi, vim, or nano to run in order to edit anything yet and I'm about to run out of time to work on this for a while. Hopefully someone can look into this oddity and beat me to fixing it.

  3. The battle continues. I now have 3 screen crabs that all have the same issue. After running them for the 1st time, they never seem to connect consistently again. I have tried many different avenues to get consistent behavior, but the fact remains that the screen crab does not connect to the AP. I've tried 2 separate APs with similar results. Here is what is happening over the air.


    The screen crab will send out a Wildcard probe request, the AP will respond, and that's about all that happens. After that, the crab just starts sending out probe requests again. This sequence repeats all throughout the packet capture.

  4. Meanwhile, I'm still having trouble with the WiFi radio. I now have 3 screen crabs in my possession. I grabbed a brand new one and placed an SD card inside of it with a config file, containing just the WIFI SSID and password, and the device.config file from c2. The screen crab worked great. It connected to the AP and called back to C2 perfectly. After letting it grab a few screenshots over the course of several minutes, I pressed the button and let the light go green. I removed the microSD letting the light go red. I disconnected power from the crab.

    Next, I placed the microSD back into the screen crab and connected power. The crab came on, the light went blue, but it never connected to the AP and therefore never connected to c2. I cycled power again, but still no connection.

    I then repeated everything above with another mint condition screen crab. It did the exact same thing. Now I have 3 screen crabs that are in the same situation. Just by cycling power after the first run, it will not reconnect to the AP. 

    Unfortunately, I can't find a reliable setup or course of action to get consistent behavior. 

  5. On 5/18/2020 at 7:00 PM, Th4ntis said:

    I'm having some issues getting mine to connect to my WiFi it seems. I put a blank MicroSD card in so it generates the config.txt, edited it to add my WiFi SSID and Password with quotes as @Skinny suggested.

    Instead of editing it, erase everything in the file except for the WiFi SSID and Password. The only reason I say this is because of the line under #3 on the screen crab instructional page: https://docs.hak5.org/hc/en-us/articles/360033503594-Configuring-Screen-Crab-for-Cloud-C2

    See if it makes a difference.

    Also, after you change it, let it fully reboot, press the button, let the LED turn green, unplug power, and then boot it again. I've found that sometimes it takes 2 boots before things start working. I'm not sure why. 

  6. @zenn1999 Mine also gets very warm. It started out working two days ago when I set it up for another infrastructure, and then stopped working yesterday. I went into the office and grabbed two more. I'll test them Monday to see if they are having the same problem and get back to you.

  7. Here's what I did: 


    The problem is that it doesn't work all the time, but it's worth a try. I'm beginning to think it might be a hardware issue, but I'm not sure. I'm about to get my hands on another unit to see if it behaves differently.

  8. 22 hours ago, Foxtrot said:

    You can try with --force-depends for kernel modules. We do the same thing on the Pineapple automatically.

    Thanks for the response. I gave it a shot and it looked promising but still failed out at the end.

    Configuring kmod-libphy.
    Configuring kmod-mii.
    Configuring kmod-usb-net.
    Configuring kmod-usb-net-asix-ax88179.
    Collected errors:
     * satisfy_dependencies_for: Cannot satisfy the following dependencies for kmod-usb-net-asix-ax88179:
     *      kernel (= 4.14.176-1-342af9e4f67b3447c53216ab8e3b12a1)

    I was trying to install a driver for an Ethernet adapter I was working with. Looks like it was going well for the dependencies but then failed to actually load what I wanted.


    Strangely, I rebooted the Owl and went back in to try the process again. This time it says there was a successful installation:

    opkg install kmod-usb-net-asix-ax88179 --force-depends
    Package kmod-usb-net-asix-ax88179 (4.14.176-1) installed in root is up to date.

    Now I just need to figure out how to bring up an Ethernet interface as it appears that does not happen automatically. Looks like it's not as simple as ifconfig eth0 up.

  9. 19 hours ago, MGideon said:

    I have it set to WPA2.  I reset everything and tried again. Now I can deauth, but my device (phone) sits in the associated clients area. If I turn off wifi and back on (on my phone) it goes back to my AP in the recon list.  

    It looks like I can only insert an image from a URL.  I took the screen shots, but need to figure out how to post them.


    Your devices aren't going to auto connect to the Pineapple if you are spoofing an access point that requires WPA2 encryption. WPA2 encryption is a mutual authentication. Your devices are looking to exchange encryption information with the Pineapple (the spoofed SSID), but the Pineapple cannot provide that information. So your devices believe that it cannot be the SSID they are accustomed to connect to. The SSID you want to spoof is a public one that someone's phone may have used before.

    To get this to work for your devices, delete out your current AP/SSID from the programming of both devices. Reset your AP to use no authentication. Connect your devices to your AP. Now use the pineapple to spoof the SSID. Try your deauth attack now. Also remember that it helps if the Pineapple is closer to your devices than the AP is. If this doesn't work, just shut off your AP and see if they will connect to the pineapple automatically.

  10. One more added bit of strangeness, if your password has a $ symbol in it, change it to something without the symbol. Once you get it to connect once, you can then use the $ once again.

    I got everything working by setting up my APs guest network and then connected that network to the regular one. I set an easy password on it. The config.txt file was changed so that the easy password was surrounded in "quotes" as specified above. I restarted the Screen Crab twice and on the second time, it connected. 

    After it connected, I changed the config.txt to my normal SSID where I have a $ symbol in the password. The device was restarted with the changes. The Screen Crab successfully connected to my normal network SSID, but only after successfully connecting it to the first.

    Incidentally, my C2 server changed IP addresses this morning because I was using DHCP. I had to go through all this all over again this morning. That included changing out the device.config file as expected.

  11. Looks like the kernel is too old to do any of this now:

    Collected errors:
     * satisfy_dependencies_for: Cannot satisfy the following dependencies for kmod-usb-core:
     *      kernel (= 4.14.176-1-342af9e4f67b3447c53216ab8e3b12a1)
     * opkg_install_cmd: Cannot install package kmod-usb-core.

    I was trying to load a USB Ethernet adapter and got the same response. Doesn't seem to be a way in OpenWrt to pull backwards compatible drivers from old repos.

  12. New day, new attempts at connection. Tried the following:

    • Confirmed through Wireshark that the only Wireless activity coming from the screen crab are probe requests asking for local APs to respond.
    • Forced my wireless AP to use a well known channel (6) just to ensure the screen crab didn't have a problem with my AP being on channel 3.
    • Also varied the power of the AP and whether or not the SSID was being broadcast.
    • Introduced another AP that functioned as an open access point.
    • Tried to vary the config file in every conceivable way to get it to work.

    None of the above efforts worked. Think I'm about to throw in the towel.

  13. Can confirm the WiFi/Bluetooth chip inside is getting power (3.3V). For those of you that are interested, it is a WiFi/Bluetooth combo module carrying a RTL8723BS chip. Cool that it has bluetooth as well. Datasheet can be found here: http://files.pine64.org/doc/datasheet/pine64/RTL8723BS.pdf


    Also, right by the USB C header looks to be a Tx/Rx serial connector. If you are interested in gaining root access, connect up through putty and a serial cable adapter. The baud rate is 115200.


    I was able to get the MAC address for the wifi adapter. The MAC OUI is 74:EE:2A. It resolves to SHENZHEN BILIAN ELECTRONIC CO.,LTD. With this information I was able to watch as the WiFi module attempted to connect. The only thing that seems to be happening is that the wifi adapter is sending out a probe request for Wildcard. I believe this means it is asking for APs in the area to respond with their SSIDs. I don't know why it's not asking for my SSID as specified in the config file.

    I tried to connect the wlan0 interface manually. The operating system is OpenWrt 4.1.17. There is not a text editor (vi, vim, or nano the greatest text editor ever made). iwconfig does not exist. With the absence of any of these tools, I failed at trying it manually. 

    One last large piece of information. If you have the serial port plugged up during a power on event, you can catch the bootup. I've looked through it and found nothing glaring, but if anyone sees something amiss, let me know. 

    C3hswitch frequency to 0x00000046
    frequency divider is 0x00000080
    switch frequency to 0x00000046
    frequency divider is 0x00000004
    switch to SDR 8 bit
    switch bus width to 0x00000008 bits success
    hwsetting size: 00000718
    Goto FSBL: 0x10100000
    fsbl_main: sys_secure_type = 0x0000BEEE
    fsbl_main: sys_boot_type = 0x00000002
    fsbl_main: sys_boot_enc = 0x00000000
    fsbl_main: sys_bisr_done = 0x00000000
    TEE OS:
    RSA Key Fw:
    RSA Key TEE:
    ********** FW_TYPE_GOLD_TEE **********
    fwInfo->fwType: 00000023
    fwInfo->isGolden: 00000001
    fwInfo->ddrReadAddr: 00520000
    fwInfo->ddrDestAddr: 10200000
    fwInfo->flashType: 00000002
    fwInfo->flashUnitSize: 00000200
    fwInfo->flashOffset: 000F2600
    fwInfo->dataSize: 000727E0
    sha256 Fw
    ********** FW_TYPE_GOLD_BL31 **********
    fwInfo->fwType: 00000028
    fwInfo->isGolden: 00000001
    fwInfo->ddrReadAddr: 00520000
    fwInfo->ddrDestAddr: 10120000
    fwInfo->flashType: 00000002
    fwInfo->flashUnitSize: 00000200
    fwInfo->flashOffset: 00164E00
    fwInfo->dataSize: 00005060
    sha256 Fw
    ********** FW_TYPE_BOOTCODE **********
    fwInfo->fwType: 00000001
    fwInfo->isGolden: 00000001
    fwInfo->ddrReadAddr: 00520000
    fwInfo->ddrDestAddr: 00020000
    fwInfo->flashType: 00000002
    fwInfo->flashUnitSize: 00000200
    fwInfo->flashOffset: 00020800
    fwInfo->dataSize: 000C11E0
    sha256 Fw
    j bootcode jump address:00020000
    U-Boot 2012.07 svn.161586    (Jan 04 2018 - 13:45:55)
    CPU  : Cortex-A53 quad core - AARCH32
    Board: Realtek QA Board
    DRAM:  0 Bytes
    Watchdog: Disabled
    Cache: Enabled
    Non-Cache Region: 1 MB@0x07900000
    MMC:   RTD1295 eMMC: 0
    [LY] cardtype=57, mmc->card_caps=0f
    [LY] freq = 00464388, clk diver = 00000080
    [LY] speed up emmc at HS-200
    [LY] HS-200 bus width=2
    [LY] mmc->boot_caps = 20b
    TEMP TX_WINDOW=0x7ffffffe, TX_best=0xf
    RX_WINDOW=0xffffff03, RX_best=0x14
    TX1_WINDOW=0x3fffffc0, TX_best=0x11
    [LY] hs200 : 0
    [HC] WPG_SIZE = 8388608
    Device: RTD1295 eMMC
    Manufacturer ID: 15
    OEM: 100
    Name: 8GTF4
    Tran Speed: 5f5e100
    Rd Block Len: 512
    MMC version 4.0
    High Capacity: No
    Capacity: 7.3 GiB
    Bus Width: 8-bit
    Speed: HS200
    Factory: MMC
    Factory: pp:0, seq#:0x20, size:0x21a00
    ------------tmp/factory/000BootParam.h found
    [logo]src w/h=1920/1080 dst w/h=3840/2160
    ------------can't find tmp/factory/video_rpc.bin
    tv_system=25 mode=1
    In:    serial
    Out:   serial
    Err:   serial
    Net:   Realtek PCIe GBE Family Controller mcfg = 0024
    Hit Esc or Tab key to enter console mode or rescue linux:  0
    ------------can't find tmp/factory/recovery
    ======== Checking into android recovery ====
    Start Boot Setup ...
    ---------------LOAD  NORMAL FW  TABLE ---------------
    [INFO] fw desc table base: 0x00620000, count: 20
    Normal boot fw follow...
             FW Image to 0x03000000, size=0x00f34600 (0x03f34600)
             FW Image fr 0x02c42400
             FW Image to 0x02100000, size=0x00010162 (0x02110162)
             FW Image fr 0x028b0200
    Audio FW:
             FW Image to 0x01b00000, size=0x00352088 (0x01e52088)
             FW Image fr 0x028f0200
             FW Image to 0x1e800000, size=0x007e9000 (0x1efe9000)
             FW Image fr 0x199002000
    Start A/V Firmware ...
    [FW]kylin_bring up hwsetting
    Finish kylin_bring_temp hwsetting
    SYS_CLOCK_ENABLE1 [ 0x9800000c]: 0x13fec561
    SYS_CLOCK_ENABLE2 [ 0x98000010]: 0x58ffe416
    SYS_SOFT_RESET1 [ 0x98000000]: 0xbfda1001
    SYS_SOFT_RESET4 [ 0x98000050]: 0x0000801f
    TVE_VDAC_CTR1 [ 0x980183a0]: 0xa86c0280
    AIO_O_ACANA_GCTL1 [ 0x98006604]: 0x24951504
    AIO_I_ACANA_ADC_GCTL2 [ 0x98006610]: 0x880a3a00
    AIO_I_ADC_TCON [ 0x980066fc]: 0x221f0000
    AIO_I_ADC_TCON [ 0x980066fc]: 0x221fff00
    TAudio]SetTickRate  0x0000E0X0PcO8R
    , [EANCVP UA]T  S0ext1 0p0r0o0t0e0c0t
    f rsttka_rptr:e l0oxa0d0_0b0o0o0t0i0m aegneds:_ e0mxm0c0 0:0 1l0o0a0d  mUo-dBuoloeti d6:46
     rHoDmM I0 xR0a0w0 2E8n1a2b5l et:o  M0PxG0 1A5C030 0D0T0S  wMiPtEhG 2s iAzAeC  0DxD0P0 1W0M0A0P0R0O
    Force 2ch Format: DTS DTSHD AC3 DDP MLP AAC WMAPRO
    [AO][InitHDMIVideoType]HDMI Frequecny 148, resolution 25
    @@@@@@@One Step TV System magic number = 0xc0de0bee, addr = 0xa001f800@@@@@@@
    @@@@@@@@@ boot_info->tv_sys.interfaceType 0
    [@@VIDEO_RPC_VOUT_ToAgent_ConfigTVSystem_0_svc]type 0!
    HDMIOff = 0
    [VO_SetVideoStandard]st 25 p 1 1 0
    [VO_SetVideoStandard]ped 1 data0  0x00000004 data1  0x00000000
    [VO_SetVideoStandard]HDMIoff 0 is_tve_on 1 user_cvbs_off 0
    lvds.format 0 port_setting  0x00000381 lvds_wb 0
    [VO setTVStandard 25 3D 0 0]
    (TVE) TVE_DAC_mode 0,cmd->enProg 1!!
    ~~comp 0, ch2 1, mode_3D 0!!
    :c~ocpoym_p2 n0d,_ bcoho2t l1o,a dmeord_ea_n3dD_ r0u!n!
      ~s~rTcV:E0 xs0t1a5n0d0a0r0d0#,
     dst:0x00021000, size:0x000c0000
    Jumping to 2nd bootloader...
    SetVideoStandard return!
    (VO_ConfigHDMI_InfoFrame) L:236, is_hdmi_plugin 1, hdmiMode 1!!Mode 1 dataByte1  0x00000000  0x00000000  0x00000000
    dataByte4  0x00000000  0x00000000 int0  0x00000001
    (HDMI_3D) mode 1, HDMI_gen 1, En_3D 0, Format_3D 0 scramble:0!!clearDynamicRangeMasteringPkt()
     go back SET_HDMI!!boot_info  0xa001f600 magic  0x2452544b en 1
    boot_info.w 1920 h 1080
    boot_addr  0x1e800000
    w 1920, h 1080, img0  0x1e800000, pitch0 7680
    disp.x 0 y 0 w 1920 h 1080
    [AO][_AO_if_video_HDMI_mode]HDMI not enabled
    [AO][_AO_hdmi_disable]do nothing, HDMI not enable  0x00000000  0x00000001
    Audio_Channel_Count 1 :2CH, audio_layout:0
    HDMI_Frequency 148 :1080p50,1080p60
    Sampling_Frequency 3 :48K
    CTS = 148500, N = 6144
    CA:2CH: L,R
    SYS_PLL_PSAUDA1 [ 0x98000130]: 0x0050022d
    [AO][_AO_hdmi_enable]do nothing, HDMI not enable  0x00000000  0x00000001
    U-Boot 2015.07-g428cfe7-dirty (Jul 28 2017 - 10:10:26 +0800)
    CPU  : Cortex-A53 Quad Core
    Board: Realtek QA Board
    DRAM:  1 GiB
    mapping memory 0x20000000-0x40000000 non-cached
    In:    serial
    Out:   serial
    Err:   serial
    Hit any key to stop autoboot:  0
    rtk_plat_set_fw not port yet, use default configs
    ## Flattened Device Tree blob at 02100000
       Booting using the fdt blob at 0x2100000
       reserving fdt memory region: addr=0 size=30000
       reserving fdt memory region: addr=1f000 size=1000
       reserving fdt memory region: addr=30000 size=d0000
       reserving fdt memory region: addr=3200000 size=b800000
       reserving fdt memory region: addr=1b00000 size=400000
       reserving fdt memory region: addr=2600000 size=c00000
       reserving fdt memory region: addr=1ffe000 size=4000
       reserving fdt memory region: addr=11000000 size=9200000
       reserving fdt memory region: addr=10000000 size=14000
       reserving fdt memory region: addr=2200000 size=400000
       reserving fdt memory region: addr=1b00000 size=500000
       Using Device Tree in place at 0000000002100000, end 0000000002113161
    Bring UP slave CPUs
    Jump to BL31 entrypoint
    VERBOSE: bl31_setup
    NOTICE:  BL31: v1.2(debug):1522ab7
    NOTICE:  BL31: Built : 16:33:46, Oct 13 2016
    INFO:    BL31: Initializing runtime services
    INFO:    Start to init service std_svc
    INFO:    Finish to init service std_svc
    INFO:    Start to init service opteed_fast
    INFO:    Finish to init service opteed_fast
    INFO:    BL31: Initializing BL32
    INFO:    TEE-CORE: TEE OS v2.1
    INFO:    TEE-CORE: tee os version : 1
    INFO:    TEE-CORE: OTP tee os version : 0
    INFO:    TEE-CORE: chip_rev_id : 10000
    INFO:    TEE-CORE: check golden fw : f6cf6f46
    INFO:    TEE-CORE: Do not supoort check tee os version in this chip.
    INFO:    TEE-CORE: Initializing (828cd34-dev #1 Thu Dec  8 16:13:14 CST 2016 aarch64)
    MESSAGE: [0x0] TEE-CORE:tee_otp_get_hw_unique_key:46: ************************     tee_otp_get_hw_unique_key chip id: 10000
    INFO:    TEE-CORE: teecore inits done
    INFO:    Core_0 got optee_vectors (0x1020093c)
    INFO:    BL31: Initialized BL32
    INFO:    EXIT BL31
    INFO:    bl31_to_kernel: kernel_resume_entry = 0x1e000
    INFO:    bl31 jumps to EL2: kerenl entry
    [    0.000000] Booting Linux on physical CPU 0x0
    [    0.000000] Initializing cgroup subsys cpuset
    [    0.000000] Initializing cgroup subsys cpu
    [    0.000000] Initializing cgroup subsys cpuacct
    [    0.000000] Linux version 4.1.17-g9100299-dirty (root@635f7edd71a8) (gcc version 4.9.4 (OpenWrt/Linaro GCC 4.9-2015.06 r47591) ) #44 SMP PREEMPT Sat Aug 24 23:16:20 UTC 2019
    [    0.000000] Detected VIPT I-cache on CPU0
    [    0.000000] alternatives: enabling workaround for ARM erratum 845719
    [    0.000000] DT: cma-improve=0
    [    0.000000] earlycon: Early serial console at MMIO32 0x98007800 (options '')
    [    0.000000] bootconsole [uart0] enabled
    WARNING: NO PSCI SERVICE: 0x84000000
    WARNING: NO PSCI SERVICE: 0x84000006
    WARNING: NO PSCI SERVICE: 0x8400000a
    WARNING: NO PSCI SERVICE: 0x8400000a
    VVVEEERRRBBBOOOSSSEEE:::   bbblll333111___ssseeetttuuuppp
    NNNOOOTTTIIICCCEEE:::      BBBLLL333111:::   vvv111...222(((dddeeebbbuuuggg))):::111555222222aaabbb777
    NNNOOOTTTIIICCCEEE:::      BBBLLL333111:::   BBBuuuiiilllttt   :::   111666:::333333:::444666,,,   OOOcccttt   111333   222000111666
    ssINNNFFFOO::O:           BB LBL3L3131:1:  : IInnIniittitiiialaalliziizziniignng g  rrurununtntitiimmme ees  sseeervrrviviiccceese
     IINFNNOFFO:O::            SSStttaaarrrttt   tttooo   iiinnniiittt  s sseeerrvvrivicicece e  ssstttdd_d_ss_svvvcc  c
      NFFINOOF::O    :       FFi inFniiisnihsh s hto toto   iiininniittt  s seserervrvivicicecee  s tssttddd___sssvvvccc
    IIINNNFFFOOO:::            SSStttaaarrrttt   tttooo   iiinnniiittt   ssseeerrrvvviiiccceee   ooopppttteeeeedde__dff_faasasstt  t
    t NINNFFOOFO: ::           FiFFiininniisshsh h t totoo i  niiinniti tt s sereservvricvicie ec eo optopetpeetedee_ddf_af_sfasat st
    2IFNINFOF:O: O:        B  B L3BL3L11:3 :1:  IInIninitititiaiallailizizizinninggg  BB BLL3L3322
    2ININFNFOFO::O :           BBLLBL33113:1: : I InIniniitittiialaalliizizzedeedd B  BBLL3L3232
    1  NFIFNOFO: :O :         EX EXEIXITTI BT LB BLL33113
    00NNINFFOOFO:::           b bllb33l131__1_ttoot__ok_kkeererrnnenelel:l: : k keekerrnrnneeell__lr_reresesuusmmeeum__eeenn_tetrnryty r =y=   =00x x101eex000100e0
     t FOOI:N: F O    :    bb ll33 b1 1l3 jj1um umpjspu ms pttos  o EtEoLL2 :2E L:k 2ek:er ereknlenlr ee nenlntrt ryen y
    [    0.266999] bl31_set_tee_protect !!!
    INFO:    Non-Secure Boot or IC_REV >= B00 : no action !!
    [    0.276213] bl31_set_tee_protect ret = 0
    [    0.706215] ****** rtk_lockapi_init 597, chip: id=0x00000000, revision=0x00010000
    TVE_setDAC 2485,  0xd48bd400
    [    2.820198] rtk-usb-power-manager 98000000.rtk_usb_power_manager: rtk_dwc3_u2host status is okay
    [    2.830127] rtk-usb-power-manager 98000000.rtk_usb_power_manager: ehci status is okay
    [    2.838953] rtk-usb-power-manager 98000000.rtk_usb_power_manager: ohci status is okay
    [    2.854247] rtk-usb-power-manager 98000000.rtk_usb_power_manager: create_debug_files
    [    3.371288] [RTD129x PCIE Slot2] 9803b000.pcie2: PCIE device has link down in slot 2
    [    3.380031] [RTD129x PCIE Slot2] 9803b000.pcie2: rtk_pcie2_hw_initial fail
    [    3.601652] [RTD129x PCIE Slot1] 9804e000.pcie: PCIE device has link down in slot 1
    [    3.610296] [RTD129x PCIE Slot1] 9804e000.pcie: rtk_pcie_hw_initial fail
    [    3.622636] rtk119x-ir 98007000.irda: [rtk119x_ir_probe]: can't get multiple support from dtb, set to default->not support
    [ROS: openRPC() intr_scpu_dev_r buf  0x00e2ffa1 s  0x00e2ffa1 e  0x00e4ffa1 i  0x00e2ffa1
    [ROS: openStubRPC() intr_w buf  0x00e6ffa1 s  0x00e6ffa1 e  0x00e8ffa1 i  0x00e6ffa1[AVCPU] Set Debug level flag  0x81e03f74 *flag  0x01df53c0 ucache  0xa1df53c0
    [AVCPU] Set Debug level *ptrDebugFlag  0x00000001
    Audio Version = 164590 (Kylin)
    Common Version = 0
    Binary src compiled at Sep  7 2017 17:37:57
    Note =
    [A] gloabl malloc size  0x003ffeb8
    [    3.725967] AudioIntrRead:143 can't find process for handling AudioIntrRead programID:98
    [    3.735196] AudioIntrRead: program:98 version:0 procedure:1 taskID:0 sysTID:4294967295 sysPID:4294967295 size:4 context:81e03745 atomic
    [    3.907021] cec_core_init, register cec_bus ffffffc00113b050
    [    3.913047] register cec driver 'cec' (ffffffc00113b1d0)
    [    3.918542] register cec device 'cec0' (ffffffc00113b2c8) to cec0
    [    3.924895] [cec_bus_match name = cec0,len=4,drv_name=cec]
    [    3.930902] probe : cec_dev 'cec0' (ffffffc00113b2c8), cec_drv 'cec' (ffffffc00113b1d0)
    [    3.939866] register cec device 'cec1' (ffffffc00113b578) to cec0
    [    3.946196] [cec_bus_match name = cec1,len=4,drv_name=cec]
    [    3.951888] probe : cec_dev 'cec1' (ffffffc00113b578), cec_drv 'cec' (ffffffc00113b1d0)
    [    4.048802] [SDIO] rtk_sdhci_set_clock end real_div=1f4, div=fa, c3c=0, PLL=ae4388, CLK=fa07
    [    4.068957] EMMC : emmc of_node found
    [    4.072756] [rtkemmc_probe] get driving s0 : 0x1
    [    4.075606] SDIO 2.0 A01 version
    [    4.080795] [rtkemmc_probe] get driving s0 : 0x77
    [    4.082712] [SDIO] rtk_sdhci_set_clock end real_div=4, div=2, c3c=80000, PLL=ae4388, CLK=207
    [    4.094255] [rtkemmc_probe] get driving s0 : 0x77
    [    4.099075] [rtkemmc_probe] get driving s0 : 0x77
    [    4.103891] [rtkemmc_probe] get driving s0 : 0x33
    [    4.108713] [rtkemmc_probe] get driving s2 : 0x1
    [    4.113446] [rtkemmc_probe] get driving s2 : 0xbb
    [    4.118262] [rtkemmc_probe] get driving s2 : 0xbb
    [    4.123084] [rtkemmc_probe] get driving s2 : 0xbb
    [    4.127900] [rtkemmc_probe] get driving s2 : 0x33
    [    4.132722] [rtkemmc_probe] get tx tuning switch : 0
    [    4.137805] [rtkemmc_probe] get rx tuning switch : 0
    [    4.197305] -->rfkill_bluetooth_init
    [    4.201076] -->rfkill_bluetooth_probe
    [    4.204971] bluetooth_set_power: block=1
    [    4.208997] <--rfkill_bluetooth_probe
    [    4.212871] card->mmc_avail_type = 0x00000013
    [    4.407269] rtk-dwc3-type_c 98013200.rtk_dwc3_drd_type_c: create_debug_files
    [    4.694839] CL_DEV::ST 0 -> 0
    [    4.798863] [HDMI RX] switch hdmi rx state to 1
    Thu Jan  1 00:00:04 UTC 1970 Starting OpenWRT init
    [    4.945728] hub 2-0:1.0: config failed, hub doesn't have any ports! (err -19)
    [    4.980390] rtk-ohci 98013400.ohci: _ohci_readl [USB Workaround] fixed force to enable ohci clock
    Press the [f] key and hit [enter] to enter failsafe mode
    Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
    [    5.677997] rtk-dwc3-type_c 98013200.rtk_dwc3_drd_type_c: Connection change OK: IN device mode to connect host at cc2 (cc_status=0x18)
    [    7.459948] block: unable to load configuration (fstab: Entry not found)
    [    7.466890] block: no usable configuration
    fsck from util-linux 2.28
    e2fsck 1.42.12 (29-Aug-2014)
    nasetc: recovering journal
    nasetc: clean, 52/8200 files, 3611/40952 blocks
    resize2fs 1.42.12 (29-Aug-2014)
    The filesystem is already 40952 (1k) blocks long.  Nothing to do!
    ext4 etc mounted!
    mount: /dev: filesystem mounted, but mount(8) failed: No such file or directory
    Thu Jan  1 00:00:08 UTC 1970 Waiting 28 x 0.1 seconds for OpenWRT coldplug
    Thu Jan  1 00:00:08 UTC 1970 Starting Android init
    [    8.806140] init: FIXME: selinux is forced to permissive mode!!
    [    8.873451] init: /init.rc: 244: invalid command '/sbin/swapon'
    [    8.881737] init: could not import file '/init.lighttpd.rc' from '/init.kylin.rc'
    [    8.890295] init: SELinux: Could not get canonical path /adb_keys restorecon: No such file or directory.
    [    9.089103] rtk_sdmmc_get_cd: SD card exists, regCARD_EXIST = 4
    [    9.318723] init: Failed to read from /dev/hw_random: No such device
    [    9.325333] init: could not open /dev/keychord: No such file or directory
    [    9.361084] init: Failed to read from /dev/hw_random: No such device
    [    9.595812] init: /recovery not specified in fstab
    [    9.768201] bluetooth_set_power: block=1
    [    9.775260] init: property 'ro.serialno' doesn't exist while expanding '${ro.serialno}'
    i    9.807788] init: cannot expand '${ro.serialno[}A'V CwPhUi] lSeet  Dwerbuigt lienvegl  ftloag  ' 0/xs81ydsff/24cc la*fslsag/ a 0ndxr01o2i0d728_u8 subca/chae nd 0roxaid1200/72iS88e r
    U] Set Debug level *ptrDebugFlag  0x00000000
    [    9.833483] init: cannot find '/system/bin/debuggerd64', disabling 'debuggerd64'
    [    9.841575] init: cannot find '/system/bin/rild', disabling 'ril-daemon'
    [    9.849445] devfreq 98050000.gpu: Couldn't update frequency transition information.
    [    9.861292] init: cannot find '/system/bin/install-recovery.sh', disabling 'flash_recovery'
    [    9.873491] init: cannot find '/system/bin/jpuinit', disabling 'jpuinit'
    root@kylin32:/ # [    9.964435] adding 'Function FS Gadget'/ffffffc07a383738 to config 'b'/ffffffc07d68e900 --> Fail (ret=-19)
    [    9.975345] configfs-gadget 98020000.dwc3_drd: failed to start g1: -19
    [    9.983541] adding 'Function FS Gadget'/ffffffc07a383738 to config 'b'/ffffffc07d68e900 --> Ok (ret=0)
    [   10.769996] healthd: No charger supplies found
    [   12.108840] SD card is being inserted now...!!!
    [   12.118891] rtk_sdmmc_get_cd: SD card exists, regCARD_EXIST = 4
    [   14.162655] audit: rate limit exceeded
    [   17.193462] init: no such service 'regService'
    [   17.198123] init: no such service 'regService'
    [   17.688507] [HDMITx_ERR] [ops_get_sink_cap]sink cap is not available
    [   17.991447] r8169 98016000.gmac eth0: rtl_csiar_cond == 0 (loop: 100, delay: 10).
    [   18.000481] r8169 98016000.gmac eth0: rtl_csiar_cond == 1 (loop: 100, delay: 10).
    [   18.263879] ufsd: "vold" (mmcblk1p1): force nocase=1
    [   18.269648] ufsd: "vold" (mmcblk1p1): is mounted as exFAT at 2019-10-11 09:30:30
    [   18.771641] audit: rate limit exceeded
    [   19.900593] audit: rate limit exceeded
    [   19.900894] [HDMITx_ERR] [ops_get_sink_cap]sink cap is not available
    [   19.900988] [HDMITx_ERR] [ops_get_sink_cap]sink cap is not available
    [   19.904304] [HDMITx_ERR] [ops_get_sink_cap]sink cap is not available
    [   21.419333] configfs-gadget gadget: unbind function 'Function FS Gadget'/ffffffc07a383738
    [   21.427849] Call trace:
    [   21.628695] audit: *NO* daemon at audit_pid=3761
    [   21.630514] audit: rate limit exceeded
    [   22.128207] init: avc:  denied  { set } for property=tmp.exec_ubus scontext=u:r:system_app:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
    [   22.270257] init: avc:  denied  { set } for property=tmp.exec_ubus scontext=u:r:realtek:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service


  14. No answers yet, but I have a few more questions to add.

    Is the serial number the MAC address?
    Does the screen crab change its MAC address each time it boots?
    If the Screen Crab can't find the C2 server, will it disconnect from WiFi?

    I am still unable to get a WiFi connection out of the device. I'll update as I glean more information.

  15. Hi Guys,

    I seem to be having a bit of difficulty getting the screen crab to connect to WiFi. I have my C2 server on my local network and am attempting to connect to my local wireless AP. Here's what I've done to troubleshoot so far. I've looked through the debug output, and as far as I can tell, it confirms a lack of connection to C2.

    Util:	 exec [stop adbd]|Util:	 stop adbd shell exited value: 0|Util:	 exec [stop logd]|Util:	 stop logd shell exited value: 0|Util:	 exec [source system/bin/crab && upgrade_check_on_boot]|Util:	 Service start shell exited value: 0|Util:	 exec [source /system/bin/crab && do_gpio_setup && leds_off]|Util:	 RunThread shell exited value: 0|Util:	 exec [source /system/bin/crab && upgrade_framework 1.0.6]|Mirror:	 NEW HDMI Status; Input: true|Mirror:	 HDMI INSERTED|Util:	 crabframeworkupgrade shell exited value: 0|CrabFramework:	 Crab framework up to date|Util:	 exec [source /system/bin/crab && red]|ShellThread:	 setCPU Shell Thread Starting|Util:	 exec [source /system/bin/crab, source /system/bin/crab && sleep 120 && do_cpu_setup]|Mirror:	 camera opened 1920 x 1080|Util:	 Main setLEDsNow() shell exited value: 0|Util:	 exec [source /system/bin/crab && wait_for_sd_location]|Mirror:	 SETTING UP PREVIEW|Util:	 waitforSD shell exited value: 0|
    Util:	 exec [source /system/bin/crab && led_off]|Util:	 Main setLEDsNow() shell exited value: 0|DeviceConfig:	 C2 Device.config PARSE COMPLETE|RunThread:	 C2 ENABLED|RunThread:	 CREATING C2 THREAD|RunThread:	 Loading Crab Config from SD|Util:	 exec [source /system/bin/crab && locate_sd && touch /storage/AC93-4313/version.txt && echo 1.0.6 > /storage/AC93-4313/version.txt]|Util:	 versionfile shell exited value: 0|CrabConfig:	 CONFIG OPTION WIFI_SSID|CrabConfig:	 CONFIG ARG SkinnyRD|CrabConfig:	 CONFIG OPTION WIFI_PASS|CrabConfig:	 CONFIG ARG |CrabConfig:	 CONFIG OPTION DEBUG_LOG|CrabConfig:	 CONFIG ARG ON|CrabConfig:	 DEBUG LOG CONFIG OPTION SET TO: ON|
    CrabConfig:	 WIFI CONFIGURED|Util:	 exec [source /system/bin/crab && diff_config_enable_wifi SkinnyRD ]|Util:	 psk wifi config shell exited value: 0|CrabConfig:	 WiFi configured successfully|SDREADER:	 NO FILE AT PATH|SDWatch:	 SD Watch Thread Starting|Util:	 exec [source /system/bin/crab, watch_sd_location]|ButtonListener:	 Button Listener Thread Starting|Util:	 exec [source /system/bin/crab, wait_for_button_press]|
    RunThread:	 STARTING C2 THREAD|LEDRunner:	 LED Runner Thread Starting|Util:	 exec [source /system/bin/crab, led_off]|C2Run:	 C2 Thread started|C2Run:	 C2 notification added to device queue: Capture Starting|Util:	 LEDRunner shell exited value: 0|C2Run:	 C2 Update crab config called|C2Device:	 C2 FLAG SEND UPDATED STATE|C2Run:	 C2 Waiting for capture thread to start|RunThread:	 STARTING NEW CAPTURE THREAD|CaptureThread:	 CAPTURE THREAD START|CaptureThread:	 Signal Check request sent|Mirror:	 REQUEST RECEIVED|Mirror:	 INTENT SIGNAL CHECK check|Mirror:	 Response sent:SIGNAL|CaptureThread:	 Response:SIGNAL|CaptureThread:	 CRAB HAS VIDEO SIGNAL|C2Run:	 C2 Update crab config called|CaptureThread:	 STARTING IMAGE CAPTURE|Util:	 exec [source /system/bin/crab && get_current_temp]|Util:	 tempcheckexit value: 0|
    Util:	 tempcheckshell output : 65228|CaptureThread:	 CURRENT TEMP: 65228|CaptureThread:	 21908 captures avail|Util:	 exec [source /system/bin/crab && get_next_capture]|Util:	 GetNextCapexit value: 0|Util:	 GetNextCapshell output : /storage/AC93-4313/LOOT/2|CaptureThread:	 Capture Request Sent/storage/AC93-4313/LOOT/2.jpg|Mirror:	 REQUEST RECEIVED|Mirror:	 WAITING FOR CAPTURE TO COMPLETE|Util:	 exec [source /system/bin/crab, blue]|Util:	 LEDRunner shell exited value: 0|
    Mirror:	 WRITING CAPTURE TO SD|Mirror:	 CAPTURE COMPLETE597ms|Mirror:	 Response sent:/storage/AC93-4313/LOOT/2.jpg|CaptureThread:	 Response:/storage/AC93-4313/LOOT/2.jpg|Util:	 exec [source /system/bin/crab && has_signal_log]|Util:	 NoSignalLog shell exited value: 0|CaptureThread:	 capture interval 5000ms|CaptureThread:	 Time spent capturing 749ms|CaptureThread:	 Capture sleep 4251ms|CaptureThread:	 21907 captures avail|Util:	 exec [source /system/bin/crab && get_next_capture]|Util:	 GetNextCapexit value: 0|Util:	 GetNextCapshell output : /storage/AC93-4313/LOOT/3|
    CaptureThread:	 Capture Request Sent/storage/AC93-4313/LOOT/3.jpg|Mirror:	 REQUEST RECEIVED|Mirror:	 WAITING FOR CAPTURE TO COMPLETE|Mirror:	 WRITING CAPTURE TO SD|Mirror:	 CAPTURE COMPLETE599ms|Mirror:	 Response sent:/storage/AC93-4313/LOOT/3.jpg|CaptureThread:	 Response:/storage/AC93-4313/LOOT/3.jpg|
    Util:	 exec [source /system/bin/crab && has_signal_log]|Util:	 NoSignalLog shell exited value: 0|CaptureThread:	 capture interval 5000ms|CaptureThread:	 Time spent capturing 749ms|CaptureThread:	 Capture sleep 4251ms|C2Run:	 C2 Thread starting|C2Device:	 C2 STARTUP SYNC|Util:	 exec [cat /proc/uptime | busybox awk {print ;} 2>/dev/null]|Util:	 C2DeviceUpdateexit value: 0|Util:	 C2DeviceUpdateshell output : 44.07|Util:	 exec [cat /sys/class/net/wlan0/statistics/rx_bytes]|Util:	 C2DeviceUpdateexit value: 0|Util:	 C2DeviceUpdateshell output : 0|Util:	 exec [cat /sys/class/net/wlan0/statistics/tx_bytes]|CaptureThread:	 21906 captures avail|Util:	 exec [source /system/bin/crab && get_next_capture]|Util:	 C2DeviceUpdateexit value: 0|Util:	 C2DeviceUpdateshell output : 0|Util:	 exec [ifconfig wlan0 | grep inet addr | cut -d: -f2 | busybox awk {print ;}]|
    Util:	 C2DeviceUpdateexit value: 0|Util:	 C2DeviceUpdateshell output : |C2Run:	 C2 error error getting updated ip|C2Device:	 SEND C2 UPTIME|C2Device:	 SEND C2 MINIMAL|C2Device:	 SEND C2 NOTIFICATIONS|Util:	 GetNextCapexit value: 0|Util:	 GetNextCapshell output : /storage/AC93-4313/LOOT/4|CaptureThread:	 Capture Request Sent/storage/AC93-4313/LOOT/4.jpg|Mirror:	 REQUEST RECEIVED|Mirror:	 WAITING FOR CAPTURE TO COMPLETE|POST:	 C2 POST ERROR: java.net.ConnectException: failed to connect to / (port 8080): connect failed: ENETUNREACH (Network is unreachable)|C2Run:	 C2 error startup sync post failed|C2Run:	 C2 RETRYING STARTUP SYNC|Mirror:	 WRITING CAPTURE TO SD|Mirror:	 CAPTURE COMPLETE604ms|Mirror:	 Response sent:/storage/AC93-4313/LOOT/4.jpg|CaptureThread:	 Response:/storage/AC93-4313/LOOT/4.jpg|Util:	 exec [source /system/bin/crab && has_signal_log]|Util:	 NoSignalLog shell exited value: 0|CaptureThread:	 capture interval 5000ms|

    I've made a wireless capture, but without knowing what the MAC address OUI for the screen crab is, it does me no good as there is a ton of wireless traffic in the area. 

    I've checked and double checked to make sure the config file is correct. The only thing in the config file is

    WIFI_SSID XxxxxxXxxX

    I have confirmed I can reach the C2 server over 8080 from both the wired and wireless side of my network.

    I've also deleted the device from Cloud C2, made another device, and re-downloaded the device.config file. 

    Any suggestions? Thanks for any help you can provide!
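A triage sketch for debug output in the format quoted in the post above, added here as an example and not part of the original post or of the device's own tooling. The sample lines are constructed in the same shape (the SSID is a placeholder), and pairing each `C2DeviceUpdateshell output` line with the oldest unanswered wlan0 command is an assumption about how the log interleaves.

```python
import re

# Constructed sample in the shape of the debug output above: "Tag:<tab> message|".
SAMPLE = (
    "CrabConfig:\t CONFIG OPTION WIFI_SSID|CrabConfig:\t CONFIG ARG ExampleSSID|"
    "CrabConfig:\t CONFIG OPTION WIFI_PASS|CrabConfig:\t CONFIG ARG |"
    "Util:\t exec [cat /sys/class/net/wlan0/statistics/rx_bytes]|"
    "Util:\t C2DeviceUpdateexit value: 0|Util:\t C2DeviceUpdateshell output : 0|"
    "Util:\t exec [ifconfig wlan0 | grep inet addr | cut -d: -f2 | busybox awk {print ;}]|\n"
    "    Util:\t C2DeviceUpdateexit value: 0|Util:\t C2DeviceUpdateshell output : |"
    "C2Run:\t C2 error error getting updated ip|"
    "POST:\t C2 POST ERROR: java.net.ConnectException: failed to connect to / (port 8080): "
    "connect failed: ENETUNREACH (Network is unreachable)|"
)

# Split only on a '|' that is followed by "Tag:<tab>"; pipes inside exec [...] are kept.
ENTRY_SPLIT = re.compile(r"\|\s*(?=\w+:\t)")


def parse_entries(raw):
    """Return (tag, message) pairs without breaking shell pipelines apart."""
    entries = []
    for chunk in ENTRY_SPLIT.split(raw.strip()):
        tag, sep, msg = chunk.strip().rstrip("|").partition(":\t")
        if sep:
            entries.append((tag.strip(), msg.strip()))
    return entries


def triage(entries):
    """Collect parsed config values, wlan0 readings and C2 errors."""
    report = {"config": {}, "wlan0": {}, "errors": []}
    option, pending = None, []  # pending: wlan0 commands still waiting for output
    for tag, msg in entries:
        if msg.startswith("CONFIG OPTION "):
            option = msg.split()[-1]
        elif msg.startswith("CONFIG ARG") and option:
            report["config"][option] = msg[len("CONFIG ARG"):].strip()
            option = None
        elif msg.startswith("exec [") and "wlan0" in msg:
            name = "ip" if "ifconfig" in msg else msg.rstrip("]").rsplit("/", 1)[-1]
            pending.append(name)
        elif msg.startswith("C2DeviceUpdateshell output") and pending:
            # Assumption: outputs arrive in the order the commands were issued.
            report["wlan0"][pending.pop(0)] = msg.split(":", 1)[1].strip()
        elif tag in ("C2Run", "POST") and "error" in msg.lower():
            errno = re.search(r"connect failed: (\w+)", msg)
            report["errors"].append(errno.group(1) if errno else msg)
    return report
```

Zero `rx_bytes`, an empty address on wlan0 and `ENETUNREACH` together place the failure at Wi-Fi association or addressing on the device, before any request could reach the C2 server.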

  16. Just thought I would update this thread a bit. When I was attempting to have the screen grab capture several months ago, the setup was using a hotel room TV as the second monitor. Only select resolutions were being recorded by the Screen Crab even though the monitor would display the output. Specifically 800x600 would not work nor would 1360x768.

    I've finally had a chance to test out the Screen Crab with a secondary computer monitor with capability up to 1080p. My test setup was that I placed the Screen Crab in line with the secondary monitor. I then changed the resolution every 20 seconds while noting on the secondary screen with notepad what resolution I was using. All of the following resolutions worked. All resolutions tested worked.


    As an added test, I used my small TV here in my lab to see if 800x600 or 1360x768 would cause a problem for the Screen Crab. It had no problem grabbing screen shots. 

    I do not know why several months ago I had the problem outlined in this thread. I believe more testing should be conducted beyond a sample size of two TVs and a monitor. I'll continue to use the Screen Crab and update if I start to see more strange results.

  17. Well it looks like 6 lines of resolution makes a huge difference and that I am very unlucky. I switched everything to 1080p and things started working. I must just have a knack for screwing up resolutions and picking. I also checked 1366x768 and it worked fine where 1360x768 does not. I think I'll just go through the full spectrum to see what works and what doesn't. This does make things a little tricky on engagements, but we'll see what our success rate is as it's deployed.

    @Darren Kitchen, thanks for all your help and have a great day!

  18. Thanks for the response @Darren Kitchen,

    I plugged it inline with a secondary monitor and outputted from my laptop at 1360 x 768 and at 800x600. Neither worked. I have also tried changing the microSD card, switching out the laptop to a laptop that is operating at a lower resolution natively (1360 x 768), and tried my other 2 screen crabs. In every scenario I am getting the same results. I'm not sure what is going on.

    In every case, the secondary monitor displays perfectly. I'm not sure what is left.

    Thanks again for your help.

