
Difficulty Connecting to WiFi with Screen Crab


Skinny

Hi Guys,

I seem to be having a bit of difficulty getting the screen crab to connect to WiFi. I have my C2 server on my local network and am attempting to connect to my local wireless AP. Here's what I've done to troubleshoot so far. I've looked through the debug output, and as far as I can tell, it confirms a lack of connection to C2.

Util:	 exec [stop adbd]
Util:	 stop adbd shell exited value: 0
Util:	 exec [stop logd]
Util:	 stop logd shell exited value: 0
Util:	 exec [source system/bin/crab && upgrade_check_on_boot]
Util:	 Service start shell exited value: 0
Util:	 exec [source /system/bin/crab && do_gpio_setup && leds_off]
Util:	 RunThread shell exited value: 0
Util:	 exec [source /system/bin/crab && upgrade_framework 1.0.6]
Mirror:	 NEW HDMI Status; Input: true
Mirror:	 HDMI INSERTED
Util:	 crabframeworkupgrade shell exited value: 0
CrabFramework:	 Crab framework up to date
Util:	 exec [source /system/bin/crab && red]
ShellThread:	 setCPU Shell Thread Starting
Util:	 exec [source /system/bin/crab, source /system/bin/crab && sleep 120 && do_cpu_setup]
Mirror:	 camera opened 1920 x 1080
Util:	 Main setLEDsNow() shell exited value: 0
Util:	 exec [source /system/bin/crab && wait_for_sd_location]
Mirror:	 SETTING UP PREVIEW
Util:	 waitforSD shell exited value: 0
Util:	 exec [source /system/bin/crab && led_off]
Util:	 Main setLEDsNow() shell exited value: 0
DeviceConfig:	 C2 Device.config PARSE COMPLETE
RunThread:	 C2 ENABLED
RunThread:	 CREATING C2 THREAD
RunThread:	 Loading Crab Config from SD
Util:	 exec [source /system/bin/crab && locate_sd && touch /storage/AC93-4313/version.txt && echo 1.0.6 > /storage/AC93-4313/version.txt]
Util:	 versionfile shell exited value: 0
CrabConfig:	 CONFIG OPTION WIFI_SSID
CrabConfig:	 CONFIG ARG SkinnyRD
CrabConfig:	 CONFIG OPTION WIFI_PASS
CrabConfig:	 CONFIG ARG 
CrabConfig:	 CONFIG OPTION DEBUG_LOG
CrabConfig:	 CONFIG ARG ON
CrabConfig:	 DEBUG LOG CONFIG OPTION SET TO: ON
CrabConfig:	 WIFI CONFIGURED
Util:	 exec [source /system/bin/crab && diff_config_enable_wifi SkinnyRD ]
Util:	 psk wifi config shell exited value: 0
CrabConfig:	 WiFi configured successfully
SDREADER:	 NO FILE AT PATH
SDWatch:	 SD Watch Thread Starting
Util:	 exec [source /system/bin/crab, watch_sd_location]
ButtonListener:	 Button Listener Thread Starting
Util:	 exec [source /system/bin/crab, wait_for_button_press]
RunThread:	 STARTING C2 THREAD
LEDRunner:	 LED Runner Thread Starting
Util:	 exec [source /system/bin/crab, led_off]
C2Run:	 C2 Thread started
C2Run:	 C2 notification added to device queue: Capture Starting
Util:	 LEDRunner shell exited value: 0
C2Run:	 C2 Update crab config called
C2Device:	 C2 FLAG SEND UPDATED STATE
C2Run:	 C2 Waiting for capture thread to start
RunThread:	 STARTING NEW CAPTURE THREAD
CaptureThread:	 CAPTURE THREAD START
CaptureThread:	 Signal Check request sent
Mirror:	 REQUEST RECEIVED
Mirror:	 INTENT SIGNAL CHECK check
Mirror:	 Response sent:SIGNAL
CaptureThread:	 Response:SIGNAL
CaptureThread:	 CRAB HAS VIDEO SIGNAL
C2Run:	 C2 Update crab config called
CaptureThread:	 STARTING IMAGE CAPTURE
Util:	 exec [source /system/bin/crab && get_current_temp]
Util:	 tempcheckexit value: 0
Util:	 tempcheckshell output : 65228
CaptureThread:	 CURRENT TEMP: 65228
CaptureThread:	 21908 captures avail
Util:	 exec [source /system/bin/crab && get_next_capture]
Util:	 GetNextCapexit value: 0
Util:	 GetNextCapshell output : /storage/AC93-4313/LOOT/2
CaptureThread:	 Capture Request Sent/storage/AC93-4313/LOOT/2.jpg
Mirror:	 REQUEST RECEIVED
Mirror:	 WAITING FOR CAPTURE TO COMPLETE
Util:	 exec [source /system/bin/crab, blue]
Util:	 LEDRunner shell exited value: 0
Mirror:	 WRITING CAPTURE TO SD
Mirror:	 CAPTURE COMPLETE597ms
Mirror:	 Response sent:/storage/AC93-4313/LOOT/2.jpg
CaptureThread:	 Response:/storage/AC93-4313/LOOT/2.jpg
Util:	 exec [source /system/bin/crab && has_signal_log]
Util:	 NoSignalLog shell exited value: 0
CaptureThread:	 capture interval 5000ms
CaptureThread:	 Time spent capturing 749ms
CaptureThread:	 Capture sleep 4251ms
CaptureThread:	 21907 captures avail
Util:	 exec [source /system/bin/crab && get_next_capture]
Util:	 GetNextCapexit value: 0
Util:	 GetNextCapshell output : /storage/AC93-4313/LOOT/3
CaptureThread:	 Capture Request Sent/storage/AC93-4313/LOOT/3.jpg
Mirror:	 REQUEST RECEIVED
Mirror:	 WAITING FOR CAPTURE TO COMPLETE
Mirror:	 WRITING CAPTURE TO SD
Mirror:	 CAPTURE COMPLETE599ms
Mirror:	 Response sent:/storage/AC93-4313/LOOT/3.jpg
CaptureThread:	 Response:/storage/AC93-4313/LOOT/3.jpg
Util:	 exec [source /system/bin/crab && has_signal_log]
Util:	 NoSignalLog shell exited value: 0
CaptureThread:	 capture interval 5000ms
CaptureThread:	 Time spent capturing 749ms
CaptureThread:	 Capture sleep 4251ms
C2Run:	 C2 Thread starting
C2Device:	 C2 STARTUP SYNC
Util:	 exec [cat /proc/uptime | busybox awk {print ;} 2>/dev/null]
Util:	 C2DeviceUpdateexit value: 0
Util:	 C2DeviceUpdateshell output : 44.07
Util:	 exec [cat /sys/class/net/wlan0/statistics/rx_bytes]
Util:	 C2DeviceUpdateexit value: 0
Util:	 C2DeviceUpdateshell output : 0
Util:	 exec [cat /sys/class/net/wlan0/statistics/tx_bytes]
CaptureThread:	 21906 captures avail
Util:	 exec [source /system/bin/crab && get_next_capture]
Util:	 C2DeviceUpdateexit value: 0
Util:	 C2DeviceUpdateshell output : 0
Util:	 exec [ifconfig wlan0 | grep inet addr | cut -d: -f2 | busybox awk {print ;}]
Util:	 C2DeviceUpdateexit value: 0
Util:	 C2DeviceUpdateshell output : 
C2Run:	 C2 error error getting updated ip
C2Device:	 SEND C2 UPTIME
C2Device:	 SEND C2 MINIMAL
C2Device:	 SEND C2 NOTIFICATIONS
Util:	 GetNextCapexit value: 0
Util:	 GetNextCapshell output : /storage/AC93-4313/LOOT/4
CaptureThread:	 Capture Request Sent/storage/AC93-4313/LOOT/4.jpg
Mirror:	 REQUEST RECEIVED
Mirror:	 WAITING FOR CAPTURE TO COMPLETE
POST:	 C2 POST ERROR: java.net.ConnectException: failed to connect to /172.16.0.18 (port 8080): connect failed: ENETUNREACH (Network is unreachable)
C2Run:	 C2 error startup sync post failed
C2Run:	 C2 RETRYING STARTUP SYNC
Mirror:	 WRITING CAPTURE TO SD
Mirror:	 CAPTURE COMPLETE604ms
Mirror:	 Response sent:/storage/AC93-4313/LOOT/4.jpg
CaptureThread:	 Response:/storage/AC93-4313/LOOT/4.jpg
Util:	 exec [source /system/bin/crab && has_signal_log]
Util:	 NoSignalLog shell exited value: 0
CaptureThread:	 capture interval 5000ms

I've made a wireless capture, but without knowing what the MAC address OUI for the screen crab is, it does me no good as there is a ton of wireless traffic in the area. 

I've checked and double checked to make sure the config file is correct. The only thing in the config file is

WIFI_SSID XxxxxxXxxX
WIFI_PASS XxxxXXxXXxx
DEBUG_LOG ON

I have confirmed I can reach the C2 server over 8080 from both the wired and wireless side of my network.

I've also deleted the device from Cloud C2, made another device, and re-downloaded the device.config file. 

Any suggestions? Thanks for any help you can provide!


No answers yet, but I have a few more questions to add.

Is the serial number the MAC address?
Does the screen crab change its MAC address each time it boots?
If the Screen Crab can't find the C2 server, will it disconnect from WiFi?

I am still unable to get a WiFi connection out of the device. I'll update as I glean more information.


Can confirm the WiFi/Bluetooth chip inside is getting power (3.3V). For those of you that are interested, it is a WiFi/Bluetooth combo module carrying a RTL8723BS chip. Cool that it has bluetooth as well. Datasheet can be found here: http://files.pine64.org/doc/datasheet/pine64/RTL8723BS.pdf

[photo of the WiFi/Bluetooth module on the board]

Also, right by the USB-C header there looks to be a Tx/Rx serial connector. If you are interested in gaining root access, connect through PuTTY and a serial cable adapter. The baud rate is 115200.

[photo of the serial header next to the USB-C connector]

I was able to get the MAC address for the WiFi adapter. The MAC OUI is 74:EE:2A. It resolves to SHENZHEN BILIAN ELECTRONIC CO.,LTD. With this information I was able to watch as the WiFi module attempted to connect. The only thing that seems to be happening is that the WiFi adapter is sending out a probe request for Wildcard. I believe this means it is asking for APs in the area to respond with their SSIDs. I don't know why it's not asking for my SSID as specified in the config file.

I tried to connect the wlan0 interface manually. The operating system is OpenWrt 4.1.17. There is no text editor (vi, vim, or nano, the greatest text editor ever made). iwconfig does not exist. With the absence of any of these tools, I failed at trying it manually.

One last large piece of information. If you have the serial port plugged up during a power on event, you can catch the bootup. I've looked through it and found nothing glaring, but if anyone sees something amiss, let me know. 

C1:80000000
C2
?
C3hswitch frequency to 0x00000046
frequency divider is 0x00000080
switch frequency to 0x00000046
frequency divider is 0x00000004
switch to SDR 8 bit
switch bus width to 0x00000008 bits success

hwsetting size: 00000718
C4
f
5-5
Goto FSBL: 0x10100000
<=============================================>
fsbl_main: sys_secure_type = 0x0000BEEE
fsbl_main: sys_boot_type = 0x00000002
fsbl_main: sys_boot_enc = 0x00000000
fsbl_main: sys_bisr_done = 0x00000000
sys_hwsetting_size:00000740
sys_bootcode_size:000C11C0
sys_secure_fsbl_size:00010B80
sys_secure_os_size:000727C0
sys_bl31_size:00005040
sys_rsa_key_fw_size:00000000
sys_rsa_key_tee_size:00000000
sys_rescue_size:00026448

HwSetting:
hwsetting_blk_no:00000100
hwsetting_total_size:000007C0
hwsetting_blk_count:00000004

Bootcode:
bootcode_blk_no:00000104
bootcode_total_size:000C11E0
bootcode_blk_count:00000609

FSBL:
secure_fsbl_blk_no:0000070D
secure_fsbl_total_size:00010BA0
secure_fsbl_blk_count:00000086

TEE OS:
secure_os_blk_no:00000793
secure_os_total_size:000727E0
secure_os_blk_count:00000394

BL31:
bl31_blk_no:00000B27
bl31_total_size:00005060
bl31_blk_count:00000029

RSA Key Fw:
rsa_key_fw_blk_no:00000B50
rsa_key_fw_total_size:00000000
rsa_key_fw_blk_count:00000000

RSA Key TEE:
rsa_key_tee_blk_no:00000B50
rsa_key_tee_total_size:00000000
rsa_key_tee_blk_count:00000000

Rescue:
rescue_blk_no:00000B50
rescue_total_size:00026468
rescue_blk_count:00000133
********** FW_TYPE_GOLD_TEE **********
fwInfo->fwType: 00000023
fwInfo->isGolden: 00000001
fwInfo->ddrReadAddr: 00520000
fwInfo->ddrDestAddr: 10200000
fwInfo->flashType: 00000002
fwInfo->flashUnitSize: 00000200
fwInfo->flashOffset: 000F2600
fwInfo->dataSize: 000727E0
body_size:000727C0
flash_unit_no:00000793
flash_unit_count:00000394
real_size:0007278C
sha256 Fw
********** FW_TYPE_GOLD_BL31 **********
fwInfo->fwType: 00000028
fwInfo->isGolden: 00000001
fwInfo->ddrReadAddr: 00520000
fwInfo->ddrDestAddr: 10120000
fwInfo->flashType: 00000002
fwInfo->flashUnitSize: 00000200
fwInfo->flashOffset: 00164E00
fwInfo->dataSize: 00005060
body_size:00005040
flash_unit_no:00000B27
flash_unit_count:00000029
real_size:00005018
sha256 Fw
********** FW_TYPE_BOOTCODE **********
fwInfo->fwType: 00000001
fwInfo->isGolden: 00000001
fwInfo->ddrReadAddr: 00520000
fwInfo->ddrDestAddr: 00020000
fwInfo->flashType: 00000002
fwInfo->flashUnitSize: 00000200
fwInfo->flashOffset: 00020800
fwInfo->dataSize: 000C11E0
body_size:000C11C0
flash_unit_no:00000104
flash_unit_count:00000609
real_size:000C1180
sha256 Fw
j bootcode jump address:00020000
64b


U-Boot 2012.07 svn.161586    (Jan 04 2018 - 13:45:55)

CPU  : Cortex-A53 quad core - AARCH32
Board: Realtek QA Board
DRAM:  0 Bytes
Watchdog: Disabled
Cache: Enabled
Non-Cache Region: 1 MB@0x07900000
MMC:   RTD1295 eMMC: 0
rsp[0]=0x15010038,
                       rsp[1]=0x47544634,
                       rsp[2]=0x520622bd,
                       rsp[3]=0x5a23763f
rsp[0]=0xd0270132,
                       rsp[1]=0x0f5903ff,
                       rsp[2]=0xf6dbffef,
                       rsp[3]=0x8e40400d
mmc->version=0x00010000
version=0x00000004
[LY] cardtype=57, mmc->card_caps=0f
[LY] freq = 00464388, clk diver = 00000080
[LY] speed up emmc at HS-200
[LY] HS-200 bus width=2
[LY] mmc->boot_caps = 20b
TEMP TX_WINDOW=0x7ffffffe, TX_best=0xf
RX_WINDOW=0xffffff03, RX_best=0x14
TX1_WINDOW=0x3fffffc0, TX_best=0x11
[LY] hs200 : 0
[HC] WPG_SIZE = 8388608
Device: RTD1295 eMMC
Manufacturer ID: 15
OEM: 100
Name: 8GTF4
Tran Speed: 5f5e100
Rd Block Len: 512
MMC version 4.0
High Capacity: No
Capacity: 7.3 GiB
Bus Width: 8-bit
Speed: HS200
Factory: MMC
Factory: pp:0, seq#:0x20, size:0x21a00
------------tmp/factory/000BootParam.h found
[logo]src w/h=1920/1080 dst w/h=3840/2160
HDMITx_HPD=False
------------can't find tmp/factory/video_rpc.bin
tv_system=25 mode=1
In:    serial
Out:   serial
Err:   serial
Net:   Realtek PCIe GBE Family Controller mcfg = 0024
dev->name=r8168#0
Hit Esc or Tab key to enter console mode or rescue linux:  0
------------can't find tmp/factory/recovery
======== Checking into android recovery ====

Start Boot Setup ...
---------------LOAD  NORMAL FW  TABLE ---------------
[INFO] fw desc table base: 0x00620000, count: 20
Normal boot fw follow...
Kernel:
         FW Image to 0x03000000, size=0x00f34600 (0x03f34600)
         FW Image fr 0x02c42400
DT:
         FW Image to 0x02100000, size=0x00010162 (0x02110162)
         FW Image fr 0x028b0200
Audio FW:
         FW Image to 0x01b00000, size=0x00352088 (0x01e52088)
         FW Image fr 0x028f0200
IMAGE FILE:
         FW Image to 0x1e800000, size=0x007e9000 (0x1efe9000)
         FW Image fr 0x199002000
Start A/V Firmware ...
[FW]kylin_bring up hwsetting
Finish kylin_bring_temp hwsetting
[+][AO][aio_HWEnable]
[AO]aio_CRTOn:
SYS_CLOCK_ENABLE1 [ 0x9800000c]: 0x13fec561
SYS_CLOCK_ENABLE2 [ 0x98000010]: 0x58ffe416
SYS_SOFT_RESET1 [ 0x98000000]: 0xbfda1001
SYS_SOFT_RESET4 [ 0x98000050]: 0x0000801f
[AO]ao_SetDACAnalogOn:
TVE_VDAC_CTR1 [ 0x980183a0]: 0xa86c0280
AIO_O_ACANA_GCTL1 [ 0x98006604]: 0x24951504
AIO_I_ACANA_ADC_GCTL2 [ 0x98006610]: 0x880a3a00
AIO_I_ADC_TCON [ 0x980066fc]: 0x221f0000
AIO_I_ADC_TCON [ 0x980066fc]: 0x221fff00
[-][AO][aio_HWEnable]
(garbled on the UART: the audio firmware's "[Audio]SetTickRate" / "[AVCPU] Set protect" lines and the bootloader's "rtk_load_bootimages: emmc: load U-Boot" line were printed at the same time and interleaved character by character)
HDMI Raw Enable: MPG AC3 DTS MPEG2 AAC DDP WMAPRO MLP

SPDIF Raw Enable: MPG AC3 DTS MPEG2 AAC DDP WMAPRO MLP

Force 2ch Format: DTS DTSHD AC3 DDP MLP AAC WMAPRO



[AO][InitHDMIVideoType]HDMI Frequecny 148, resolution 25


@@@@@@@One Step TV System magic number = 0xc0de0bee, addr = 0xa001f800@@@@@@@

@@@@@@@@@ boot_info->tv_sys.interfaceType 0
[@@VIDEO_RPC_VOUT_ToAgent_ConfigTVSystem_0_svc]type 0!
HDMIOff = 0
[VO]vo->is_hdmi_off_clock_on:0
[@@VIDEO_RPC_VOUT_ToAgent_ConfigVideoStandard_0_svc]
[VO_SetVideoStandard]st 25 p 1 1 0
[VO_SetVideoStandard]ped 1 data0  0x00000004 data1  0x00000000
[VO_SetVideoStandard]HDMIoff 0 is_tve_on 1 user_cvbs_off 0
lvds.format 0 port_setting  0x00000381 lvds_wb 0
[VO setTVStandard 25 3D 0 0]

(TVE) TVE_DAC_mode 0,cmd->enProg 1!!
TV_NTSC_J
~~comp 0, ch2 1, mode_3D 0!!
~~comp 0, ch2 1, mode_3D 0!!
copy_2nd_bootloader_and_run
~~TVE standard#
src:0x01500000, dst:0x00021000, size:0x000c0000
Jumping to 2nd bootloader...
SetVideoStandard return!
[@@VIDEO_RPC_VOUT_ToAgent_ConfigHdmiInfoFrame_0_svc]

(VO_ConfigHDMI_InfoFrame) L:236, is_hdmi_plugin 1, hdmiMode 1!!Mode 1 dataByte1  0x00000000  0x00000000  0x00000000
dataByte4  0x00000000  0x00000000 int0  0x00000001

(HDMI_3D) mode 1, HDMI_gen 1, En_3D 0, Format_3D 0 scramble:0!!clearDynamicRangeMasteringPkt()

 go back SET_HDMI!!boot_info  0xa001f600 magic  0x2452544b en 1
boot_info.w 1920 h 1080
boot_addr  0x1e800000
w 1920, h 1080, img0  0x1e800000, pitch0 7680
disp.x 0 y 0 w 1920 h 1080
PowerOnOSD~~
[AO][_AO_if_video_HDMI_mode]HDMI not enabled
[AO][+]_AO_setup_default_audio_infoframe
[AO][--]_AO_hdmi_disable(0)
[AUDIO WARNING]
[AO][_AO_hdmi_disable]do nothing, HDMI not enable  0x00000000  0x00000001
Audio_Channel_Count 1 :2CH, audio_layout:0
HDMI_Frequency 148 :1080p50,1080p60
Sampling_Frequency 3 :48K
CTS = 148500, N = 6144
[+][HDMI_gen_audio_infoframe]
CA:2CH: L,R
[-][HDMI_gen_audio_infoframe]
SYS_PLL_PSAUDA1 [ 0x98000130]: 0x0050022d
[AO][++]_AO_hdmi_enable(0)
[AUDIO WARNING]
[AO][_AO_hdmi_enable]do nothing, HDMI not enable  0x00000000  0x00000001
[AO][-]_AO_setup_default_audio_infoframe


U-Boot 2015.07-g428cfe7-dirty (Jul 28 2017 - 10:10:26 +0800)

CPU  : Cortex-A53 Quad Core
Board: Realtek QA Board
DRAM:  1 GiB
mapping memory 0x20000000-0x40000000 non-cached
In:    serial
Out:   serial
Err:   serial
Hit any key to stop autoboot:  0
rtk_plat_set_fw not port yet, use default configs
## Flattened Device Tree blob at 02100000
   Booting using the fdt blob at 0x2100000
   reserving fdt memory region: addr=0 size=30000
   reserving fdt memory region: addr=1f000 size=1000
   reserving fdt memory region: addr=30000 size=d0000
   reserving fdt memory region: addr=3200000 size=b800000
   reserving fdt memory region: addr=1b00000 size=400000
   reserving fdt memory region: addr=2600000 size=c00000
   reserving fdt memory region: addr=1ffe000 size=4000
   reserving fdt memory region: addr=11000000 size=9200000
   reserving fdt memory region: addr=10000000 size=14000
   reserving fdt memory region: addr=2200000 size=400000
   reserving fdt memory region: addr=1b00000 size=500000
   Using Device Tree in place at 0000000002100000, end 0000000002113161
Bring UP slave CPUs
Jump to BL31 entrypoint
VERBOSE: bl31_setup
NOTICE:  BL31: v1.2(debug):1522ab7
NOTICE:  BL31: Built : 16:33:46, Oct 13 2016
INFO:    BL31: Initializing runtime services
INFO:    Start to init service std_svc
INFO:    Finish to init service std_svc
INFO:    Start to init service opteed_fast
INFO:    Finish to init service opteed_fast
INFO:    BL31: Initializing BL32
INFO:    TEE-CORE: TEE OS v2.1
INFO:    TEE-CORE: tee os version : 1
INFO:    TEE-CORE: OTP tee os version : 0
INFO:    TEE-CORE: chip_rev_id : 10000
INFO:    TEE-CORE: check golden fw : f6cf6f46
INFO:    TEE-CORE: Do not supoort check tee os version in this chip.
INFO:    TEE-CORE: Initializing (828cd34-dev #1 Thu Dec  8 16:13:14 CST 2016 aarch64)
MESSAGE: [0x0] TEE-CORE:tee_otp_get_hw_unique_key:46: ************************     tee_otp_get_hw_unique_key chip id: 10000
INFO:    TEE-CORE: teecore inits done
INFO:    Core_0 TEESMC_OPTEED_RETURN_ENTRY_DONE
INFO:    Core_0 got optee_vectors (0x1020093c)
INFO:    BL31: Initialized BL32
INFO:    EXIT BL31
INFO:    bl31_to_kernel: kernel_resume_entry = 0x1e000
INFO:    bl31 jumps to EL2: kerenl entry
[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Initializing cgroup subsys cpuacct
[    0.000000] Linux version 4.1.17-g9100299-dirty (root@635f7edd71a8) (gcc version 4.9.4 (OpenWrt/Linaro GCC 4.9-2015.06 r47591) ) #44 SMP PREEMPT Sat Aug 24 23:16:20 UTC 2019
[    0.000000] Detected VIPT I-cache on CPU0
[    0.000000] alternatives: enabling workaround for ARM erratum 845719
[    0.000000] DT: cma-improve=0
[    0.000000] earlycon: Early serial console at MMIO32 0x98007800 (options '')
[    0.000000] bootconsole [uart0] enabled
WARNING: NO PSCI SERVICE: 0x84000000
WARNING: NO PSCI SERVICE: 0x84000006
WARNING: NO PSCI SERVICE: 0x8400000a
WARNING: NO PSCI SERVICE: 0x8400000a
(the three secondary CPU cores print the same BL31 start-up messages at the same time; on the serial console their characters were interleaved, and the messages are de-interleaved here)
VERBOSE: bl31_setup
NOTICE:  BL31: v1.2(debug):1522ab7
NOTICE:  BL31: Built : 16:33:46, Oct 13 2016
INFO:    BL31: Initializing runtime services
INFO:    Start to init service std_svc
INFO:    Finish to init service std_svc
INFO:    Start to init service opteed_fast
INFO:    Finish to init service opteed_fast
INFO:    BL31: Initializing BL32
INFO:    Core_1 TEESMC_OPTEED_RETURN_ENTRY_DONE
INFO:    Core_2 TEESMC_OPTEED_RETURN_ENTRY_DONE
INFO:    Core_3 TEESMC_OPTEED_RETURN_ENTRY_DONE
INFO:    BL31: Initialized BL32
INFO:    EXIT BL31
INFO:    bl31_to_kernel: kernel_resume_entry = 0x1e000
INFO:    bl31 jumps to EL2: kerenl entry
[    0.266999] bl31_set_tee_protect !!!
INFO:    Non-Secure Boot or IC_REV >= B00 : no action !!
[    0.276213] bl31_set_tee_protect ret = 0
[    0.706215] ****** rtk_lockapi_init 597, chip: id=0x00000000, revision=0x00010000
TVE_setDAC 2485,  0xd48bd400
[    2.820198] rtk-usb-power-manager 98000000.rtk_usb_power_manager: rtk_dwc3_u2host status is okay
[    2.830127] rtk-usb-power-manager 98000000.rtk_usb_power_manager: ehci status is okay
[    2.838953] rtk-usb-power-manager 98000000.rtk_usb_power_manager: ohci status is okay
[    2.854247] rtk-usb-power-manager 98000000.rtk_usb_power_manager: create_debug_files
[    3.371288] [RTD129x PCIE Slot2] 9803b000.pcie2: PCIE device has link down in slot 2
[    3.380031] [RTD129x PCIE Slot2] 9803b000.pcie2: rtk_pcie2_hw_initial fail
[    3.601652] [RTD129x PCIE Slot1] 9804e000.pcie: PCIE device has link down in slot 1
[    3.610296] [RTD129x PCIE Slot1] 9804e000.pcie: rtk_pcie_hw_initial fail
[    3.622636] rtk119x-ir 98007000.irda: [rtk119x_ir_probe]: can't get multiple support from dtb, set to default->not support

[ROS: openRPC() intr_scpu_dev_r buf  0x00e2ffa1 s  0x00e2ffa1 e  0x00e4ffa1 i  0x00e2ffa1
[ROS: openStubRPC() intr_w buf  0x00e6ffa1 s  0x00e6ffa1 e  0x00e8ffa1 i  0x00e6ffa1[AVCPU] Set Debug level flag  0x81e03f74 *flag  0x01df53c0 ucache  0xa1df53c0
[AVCPU] Set Debug level *ptrDebugFlag  0x00000001
-------------------
Audio Version = 164590 (Kylin)
Common Version = 0
Binary src compiled at Sep  7 2017 17:37:57
Note =
-------------------




[A] gloabl malloc size  0x003ffeb8
[    3.725967] AudioIntrRead:143 can't find process for handling AudioIntrRead programID:98
[    3.735196] AudioIntrRead: program:98 version:0 procedure:1 taskID:0 sysTID:4294967295 sysPID:4294967295 size:4 context:81e03745 atomic
[    3.907021] cec_core_init, register cec_bus ffffffc00113b050
[    3.913047] register cec driver 'cec' (ffffffc00113b1d0)
[    3.918542] register cec device 'cec0' (ffffffc00113b2c8) to cec0
[    3.924895] [cec_bus_match name = cec0,len=4,drv_name=cec]
[    3.930902] probe : cec_dev 'cec0' (ffffffc00113b2c8), cec_drv 'cec' (ffffffc00113b1d0)
[    3.939866] register cec device 'cec1' (ffffffc00113b578) to cec0
[    3.946196] [cec_bus_match name = cec1,len=4,drv_name=cec]
[    3.951888] probe : cec_dev 'cec1' (ffffffc00113b578), cec_drv 'cec' (ffffffc00113b1d0)
[    4.048802] [SDIO] rtk_sdhci_set_clock end real_div=1f4, div=fa, c3c=0, PLL=ae4388, CLK=fa07
[    4.068957] EMMC : emmc of_node found
[    4.072756] [rtkemmc_probe] get driving s0 : 0x1
[    4.075606] SDIO 2.0 A01 version
[    4.080795] [rtkemmc_probe] get driving s0 : 0x77
[    4.082712] [SDIO] rtk_sdhci_set_clock end real_div=4, div=2, c3c=80000, PLL=ae4388, CLK=207
[    4.094255] [rtkemmc_probe] get driving s0 : 0x77
[    4.099075] [rtkemmc_probe] get driving s0 : 0x77
[    4.103891] [rtkemmc_probe] get driving s0 : 0x33
[    4.108713] [rtkemmc_probe] get driving s2 : 0x1
[    4.113446] [rtkemmc_probe] get driving s2 : 0xbb
[    4.118262] [rtkemmc_probe] get driving s2 : 0xbb
[    4.123084] [rtkemmc_probe] get driving s2 : 0xbb
[    4.127900] [rtkemmc_probe] get driving s2 : 0x33
[    4.132722] [rtkemmc_probe] get tx tuning switch : 0
[    4.137805] [rtkemmc_probe] get rx tuning switch : 0
[    4.197305] -->rfkill_bluetooth_init
[    4.201076] -->rfkill_bluetooth_probe
[    4.204971] bluetooth_set_power: block=1
[    4.208997] <--rfkill_bluetooth_probe
[    4.212871] card->mmc_avail_type = 0x00000013
[    4.407269] rtk-dwc3-type_c 98013200.rtk_dwc3_drd_type_c: create_debug_files
[    4.694839] CL_DEV::ST 0 -> 0
[    4.798863] [HDMI RX] switch hdmi rx state to 1
Thu Jan  1 00:00:04 UTC 1970 Starting OpenWRT init
[    4.945728] hub 2-0:1.0: config failed, hub doesn't have any ports! (err -19)
[    4.980390] rtk-ohci 98013400.ohci: _ohci_readl [USB Workaround] fixed force to enable ohci clock
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[    5.677997] rtk-dwc3-type_c 98013200.rtk_dwc3_drd_type_c: Connection change OK: IN device mode to connect host at cc2 (cc_status=0x18)
[    7.459948] block: unable to load configuration (fstab: Entry not found)
[    7.466890] block: no usable configuration
fsck from util-linux 2.28
e2fsck 1.42.12 (29-Aug-2014)
nasetc: recovering journal
nasetc: clean, 52/8200 files, 3611/40952 blocks
resize2fs 1.42.12 (29-Aug-2014)
The filesystem is already 40952 (1k) blocks long.  Nothing to do!

ext4 etc mounted!
mount: /dev: filesystem mounted, but mount(8) failed: No such file or directory
Thu Jan  1 00:00:08 UTC 1970 Waiting 28 x 0.1 seconds for OpenWRT coldplug
Thu Jan  1 00:00:08 UTC 1970 Starting Android init
[    8.806140] init: FIXME: selinux is forced to permissive mode!!
[    8.873451] init: /init.rc: 244: invalid command '/sbin/swapon'
[    8.881737] init: could not import file '/init.lighttpd.rc' from '/init.kylin.rc'
[    8.890295] init: SELinux: Could not get canonical path /adb_keys restorecon: No such file or directory.
[    9.089103] rtk_sdmmc_get_cd: SD card exists, regCARD_EXIST = 4
[    9.318723] init: Failed to read from /dev/hw_random: No such device
[    9.325333] init: could not open /dev/keychord: No such file or directory
[    9.361084] init: Failed to read from /dev/hw_random: No such device
[    9.595812] init: /recovery not specified in fstab
[    9.768201] bluetooth_set_power: block=1
[    9.775260] init: property 'ro.serialno' doesn't exist while expanding '${ro.serialno}'
[    9.807788] init: cannot expand '${ro.serialno}' while writing to '/sys/class/android_usb/android0/iSerial'
[AVCPU] Set Debug level flag  0x81dff24c *flag  0x01207288 ucache  0xa1207288
[AVCPU] Set Debug level *ptrDebugFlag  0x00000000
[    9.833483] init: cannot find '/system/bin/debuggerd64', disabling 'debuggerd64'
[    9.841575] init: cannot find '/system/bin/rild', disabling 'ril-daemon'
[    9.849445] devfreq 98050000.gpu: Couldn't update frequency transition information.
[    9.861292] init: cannot find '/system/bin/install-recovery.sh', disabling 'flash_recovery'
[    9.873491] init: cannot find '/system/bin/jpuinit', disabling 'jpuinit'
root@kylin32:/ # [    9.964435] adding 'Function FS Gadget'/ffffffc07a383738 to config 'b'/ffffffc07d68e900 --> Fail (ret=-19)
[    9.975345] configfs-gadget 98020000.dwc3_drd: failed to start g1: -19
[    9.983541] adding 'Function FS Gadget'/ffffffc07a383738 to config 'b'/ffffffc07d68e900 --> Ok (ret=0)
[   10.769996] healthd: No charger supplies found
[   12.108840] SD card is being inserted now...!!!
[   12.118891] rtk_sdmmc_get_cd: SD card exists, regCARD_EXIST = 4
[   14.162655] audit: rate limit exceeded
[   17.193462] init: no such service 'regService'
[   17.198123] init: no such service 'regService'
[   17.688507] [HDMITx_ERR] [ops_get_sink_cap]sink cap is not available
[   17.991447] r8169 98016000.gmac eth0: rtl_csiar_cond == 0 (loop: 100, delay: 10).
[   18.000481] r8169 98016000.gmac eth0: rtl_csiar_cond == 1 (loop: 100, delay: 10).
[   18.263879] ufsd: "vold" (mmcblk1p1): force nocase=1
[   18.269648] ufsd: "vold" (mmcblk1p1): is mounted as exFAT at 2019-10-11 09:30:30
[   18.771641] audit: rate limit exceeded
[   19.900593] audit: rate limit exceeded
[   19.900894] [HDMITx_ERR] [ops_get_sink_cap]sink cap is not available
[   19.900988] [HDMITx_ERR] [ops_get_sink_cap]sink cap is not available
[   19.904304] [HDMITx_ERR] [ops_get_sink_cap]sink cap is not available
[   21.419333] configfs-gadget gadget: unbind function 'Function FS Gadget'/ffffffc07a383738
[   21.427849] Call trace:
[   21.628695] audit: *NO* daemon at audit_pid=3761
[   21.630514] audit: rate limit exceeded
[   22.128207] init: avc:  denied  { set } for property=tmp.exec_ubus scontext=u:r:system_app:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
[   22.270257] init: avc:  denied  { set } for property=tmp.exec_ubus scontext=u:r:realtek:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service

 

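The boot log above asks whether anything in it looks amiss. As an added example (not code from the thread or from Hak5), here is a small triage script of the kind I run over a serial capture like this one: it matches an indicator table against each line and reports the ones a reviewer should look at first, such as the FSBL secure-boot and RSA key-size fields, the bootloader and failsafe prompts, the root prompt on the console, and the SELinux mode. The sample lines are copied from the log posted above; the note attached to each finding only states what the line says, since what the SoC actually does with, say, `sys_secure_type` would need Realtek's documentation to confirm.

```python
"""Triage a serial boot log for security-relevant indicators.

Added example; not from the thread or from Hak5. It runs a small indicator
table over console output and reports the lines a reviewer would look at
first: the FSBL's secure-boot and key-size fields, the bootloader and
failsafe prompts, the root shell on the console, SELinux mode, RNG and
adb-key messages. The sample lines are copied from the boot log posted
above; each note states what the line says, not what the firmware does
with it, which would need the SoC documentation to confirm.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Indicator:
    name: str
    pattern: str
    note: str


INDICATORS = [
    Indicator("fsbl_secure_type", r"sys_secure_type = (0x[0-9A-Fa-f]+)",
              "FSBL secure-type field value"),
    Indicator("fsbl_boot_enc_zero", r"sys_boot_enc = 0x0+$",
              "FSBL reports boot encryption flag 0"),
    Indicator("rsa_key_fw_empty", r"rsa_key_fw_size:0+$",
              "RSA firmware-key region has size 0"),
    Indicator("rsa_key_tee_empty", r"rsa_key_tee_size:0+$",
              "RSA TEE-key region has size 0"),
    Indicator("bl31_tee_protect_noop", r"Non-Secure Boot or IC_REV >= B00 : no action",
              "BL31 TEE-protect hook reports taking no action"),
    Indicator("uboot_console_prompt", r"Hit (?:Esc or Tab|any) key to",
              "bootloader offers an interactive console on serial"),
    Indicator("openwrt_failsafe_prompt", r"Press the \[f\] key",
              "OpenWrt failsafe prompt on serial"),
    Indicator("root_shell_on_console", r"^root@\S+:\S* #",
              "root shell prompt on the serial console, no login"),
    Indicator("selinux_permissive", r"selinux is forced to permissive mode",
              "init reports SELinux forced permissive"),
    Indicator("no_hw_random", r"Failed to read from /dev/hw_random",
              "init could not read the hardware RNG"),
    Indicator("adb_keys_missing", r"/adb_keys restorecon: No such file",
              "/adb_keys absent at boot"),
]


@dataclass
class Finding:
    name: str
    line_no: int
    line: str
    note: str
    value: Optional[str] = None


def strip_timestamp(line: str) -> str:
    """Remove a leading printk timestamp such as `[    8.806140] `."""
    return re.sub(r"^\[\s*\d+\.\d+\]\s*", "", line)


def triage(lines: Iterable[str]) -> List[Finding]:
    """Match every indicator against every line; one Finding per hit."""
    findings: List[Finding] = []
    for n, raw in enumerate(lines, 1):
        line = strip_timestamp(raw.rstrip("\n"))
        for ind in INDICATORS:
            m = re.search(ind.pattern, line)
            if m:
                findings.append(Finding(ind.name, n, line, ind.note,
                                        m.group(1) if m.groups() else None))
    return findings


def summarise(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings by indicator name."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.name] = counts.get(f.name, 0) + 1
    return counts


# Lines copied from the posted boot log (a subset, in original order).
SAMPLE_LOG = """fsbl_main: sys_secure_type = 0x0000BEEE
fsbl_main: sys_boot_type = 0x00000002
fsbl_main: sys_boot_enc = 0x00000000
sys_rsa_key_fw_size:00000000
sys_rsa_key_tee_size:00000000
rsa_key_tee_total_size:00000000
Hit Esc or Tab key to enter console mode or rescue linux:  0
Hit any key to stop autoboot:  0
INFO:    Non-Secure Boot or IC_REV >= B00 : no action !!
Press the [f] key and hit [enter] to enter failsafe mode
[    8.806140] init: FIXME: selinux is forced to permissive mode!!
[    8.890295] init: SELinux: Could not get canonical path /adb_keys restorecon: No such file or directory.
[    9.318723] init: Failed to read from /dev/hw_random: No such device
root@kylin32:/ # [    9.964435] adding 'Function FS Gadget'/ffffffc07a383738 to config 'b'
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.line_no:>3} {f.name:<24} {f.note}")
```

Run it against a full capture with `triage(open("boot.log").readlines())`; the indicator table is the part to extend as you learn what each SoC-specific field means.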

New day, new attempts at connection. Tried the following:

  • Confirmed through Wireshark that the only Wireless activity coming from the screen crab are probe requests asking for local APs to respond.
  • Forced my wireless AP to use a well known channel (6) just to ensure the screen crab didn't have a problem with my AP being on channel 3.
  • Also varied the power of the AP and whether or not the SSID was being broadcast.
  • Introduced another AP that functioned as a open access point. 
  • Tried to vary the config file in every conceivable way to get it to work.

None of the above efforts worked. Think I'm about to throw in the towel.


It's solved! (It is not solved. See below.)

WIFI_SSID "XxxxXxxX"
WIFI_PASS "XxxxxXxxX"

Once I did this, everything started working. Well, that was an insane amount of effort for such an easy fix. Hope this helps someone down the road.


One more added bit of strangeness, if your password has a $ symbol in it, change it to something without the symbol. Once you get it to connect once, you can then use the $ once again.

I got everything working by setting up my AP's guest network and then connecting that network to the regular one. I set an easy password on it. The config.txt file was changed so that the easy password was surrounded in "quotes" as specified above. I restarted the Screen Crab twice and on the second time, it connected.

After it connected, I changed the config.txt to my normal SSID where I have a $ symbol in the password. The device was restarted with the changes. The Screen Crab successfully connected to my normal network SSID, but only after successfully connecting it to the first.

Incidentally, my C2 server changed IP addresses this morning because I was using DHCP. I had to go through all this all over again this morning. That included changing out the device.config file as expected.

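As an added example (not Hak5's parser, which is not public in this thread), here is a linter for config.txt built from what the thread establishes: the file is `KEY value` lines, wrapping the WiFi values in double quotes is what made the device join, and a password containing `$` failed until after a first successful join. The `simulate_unquoted_shell()` function rests on an assumption, labelled in the code: that the values are handed to a POSIX shell (the debug log in the first post shows them passed as arguments to `diff_config_enable_wifi`, with WIFI_PASS arriving as an empty CONFIG ARG), so an unquoted `$word` would be expanded away. The sample config is constructed.

```python
"""Lint a Screen Crab config.txt and emit a normalised copy with the WiFi
values double-quoted.

Added example; not Hak5's parser. ASSUMPTION used by simulate_unquoted_shell():
the values reach a POSIX shell unquoted, so `$NAME` expands to nothing.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

KNOWN_KEYS = {"WIFI_SSID", "WIFI_PASS", "DEBUG_LOG"}   # keys that appear in the thread
WIFI_KEYS = ("WIFI_SSID", "WIFI_PASS")
SHELL_SPECIAL = set('$`"\'\\ ;&|<>()*?#')
LINE_RE = re.compile(r"^\s*([A-Z_]+)\s*(.*?)\s*$")


@dataclass
class ConfigLine:
    key: str
    value: str     # surrounding double quotes removed
    quoted: bool


@dataclass
class LintResult:
    lines: List[ConfigLine] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def _unquote(raw: str) -> Tuple[str, bool]:
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1], True
    return raw, False


def simulate_unquoted_shell(value: str) -> str:
    """ASSUMPTION: model POSIX word expansion of an unquoted value. `$NAME` and
    `${NAME}` become '' (no such variable on the device); special parameters
    such as `$$`, `$?` or `$1` become something unpredictable, shown as '?'."""
    value = re.sub(r"\$\{[A-Za-z_][A-Za-z0-9_]*\}", "", value)
    value = re.sub(r"\$[A-Za-z_][A-Za-z0-9_]*", "", value)
    value = re.sub(r"\$[^A-Za-z_]", "?", value)
    return value


def lint_config(text: str) -> LintResult:
    """Parse `KEY value` lines and collect warnings about quoting and content."""
    res = LintResult()
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            res.warnings.append(f"line {lineno}: not a `KEY value` line: {raw!r}")
            continue
        key, rest = m.group(1), m.group(2)
        value, quoted = _unquote(rest)
        res.lines.append(ConfigLine(key, value, quoted))
        if key not in KNOWN_KEYS:
            res.warnings.append(f"line {lineno}: {key} is not a key seen in the thread")
            continue
        if key not in WIFI_KEYS:
            continue
        if not value:
            res.warnings.append(f"line {lineno}: {key} is empty")
            continue
        if '"' in value or "\\" in value:
            res.warnings.append(f"line {lineno}: {key} contains a quote or backslash; "
                                "the thread gives no escape syntax, choose another value")
        special = sorted(set(value) & SHELL_SPECIAL)
        if not quoted and special:
            res.warnings.append(f"line {lineno}: {key} is unquoted and contains {special}; "
                                f"a shell would see {simulate_unquoted_shell(value)!r}")
        elif not quoted:
            res.warnings.append(f"line {lineno}: {key} is unquoted (quoting is what fixed it in the thread)")
    present = {line.key for line in res.lines}
    for key in WIFI_KEYS:
        if key not in present:
            res.warnings.append(f"missing {key}")
    return res


def normalise(res: LintResult) -> str:
    """Rewrite the config with both WiFi values double-quoted; other keys untouched."""
    out = []
    for line in res.lines:
        if line.key in WIFI_KEYS:
            out.append(f'{line.key} "{line.value}"')
        else:
            out.append(f"{line.key} {line.value}".rstrip())
    return "\n".join(out) + "\n"


# Constructed sample; not anyone's real credentials.
SAMPLE_CONFIG = """WIFI_SSID SkinnyRD
WIFI_PASS Crab$hell
DEBUG_LOG ON
"""

if __name__ == "__main__":
    result = lint_config(SAMPLE_CONFIG)
    for w in result.warnings:
        print("warning:", w)
    print(normalise(result), end="")
```

Pipe the output over the file on the SD card once the warnings are gone; if the device's real parser turns out not to be shell-based, the quoting it emits still matches what worked in the thread.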

3 weeks later...

I'm having some issues getting mine to connect to my WiFi it seems. I put a blank MicroSD card in so it generates the config.txt, edited it to add my WiFi SSID and password with quotes as @Skinny suggested. I tried changing my WiFi to something simple and that still didn't seem to want to connect. I have the "device.config" on the root of the MicroSD card. I even tried using my phone's hotspot. My config.txt contains this and nothing more:

WIFI_SSID "MY_SSID"
WIFI_PASS "MY_PASS"

I'm kind of at a loss on what to try/do next.

 

EDIT: Also tried using my phone's hotspot with no WiFi password and it still did not connect.


On 5/18/2020 at 7:00 PM, Th4ntis said:

I'm having some issues getting mine to connect to my WiFi it seems. I put a blank MicroSD card in so it generates the config.txt, edited it to add my WiFi SSID and password with quotes as @Skinny suggested.

Instead of editing it, erase everything in the file except for the WiFi SSID and Password. The only reason I say this is because of the line under #3 on the screen crab instructional page: https://docs.hak5.org/hc/en-us/articles/360033503594-Configuring-Screen-Crab-for-Cloud-C2

See if it makes a difference.

Also, after you change it, let it fully reboot, press the button, let the LED turn green, unplug power, and then boot it again. I've found that sometimes it takes 2 boots before things start working. I'm not sure why.


The battle continues. I now have 3 screen crabs that all have the same issue. After running them for the 1st time, they never seem to connect consistently again. I have tried many different avenues to get consistent behavior, but the fact remains that the screen crab does not connect to the AP. I've tried 2 separate APs with similar results. Here is what is happening over the air.

[image: screencrab2-scaled.jpg]

The screen crab will send out a Wildcard probe request, the AP will respond, and that's about all that happens. After that, the crab just starts sending out probe requests again. This sequence repeats all throughout the packet capture.


I've finally got it working! But it's an unusable solution for the field. I opened it up and used the serial connection header to connect to check the wireless interface. I fully connected the device with the microSD card inserted and plugged through an HDMI connection.

The results of looking at the network interfaces were as follows after a full boot:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN qlen 1000
    link/ether 00:10:20:30:40:50 brd ff:ff:ff:ff:ff:ff
3: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN
    link/gre 0.0.0.0 brd 0.0.0.0
4: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
5: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether 74:ee:2a:a9:16:9e brd ff:ff:ff:ff:ff:ff
6: p2p0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether 76:ee:2a:a9:16:9e brd ff:ff:ff:ff:ff:ff

wlan0 wasn't coming up. Right now the microSD card in the crab has a config file that is only programmed to set up the wireless capability. The device.config file is present as well.

The strange thing is that if you run 'ip link set wlan0 up', nothing happens, but if you run 'ip link set wlan0 down', the interface springs to life and connects to the AP. Unfortunately, whatever script that was supposed to trigger the c2 functionality had already passed.

So I rebooted the device and waited until this spot where the booting process slows down:

[   20.840703] audit: auditd disappeared
[   21.304272] init: avc:  denied  { set } for property=tmp.exec_ubus scontext=u:r:system_app:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
[   21.424438] init: avc:  denied  { set } for property=tmp.exec_ubus scontext=u:r:realtek:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service

At this point I typed in 'ip link set wlan0 down' quite quickly. A couple seconds later, cloudc2 picked up the callback and all was well. So it works, but only on my lab bench top as it is impractical to have the device open in the field for installation.

I don't know much about OpenWRT right now, but I suspect some kind of boot file needs to be re-written. The unfortunate thing is I can't seem to get vi, vim, or nano to run in order to edit anything yet and I'm about to run out of time to work on this for a while. Hopefully someone can look into this oddity and beat me to fixing it.


I don't know if this is going to be helpful, but I had started down the same road when I found your post. Thank you for this, great info!!! In my case, I had the same symptoms. I decided to see what the WiFi was even doing.

I started with a signal analyzer I had and realized I was not putting out anywhere near the right amount of power. So I switched my power supply; it turns out my favorite Dell USB-C power pack is toast. It was at one point 40W, now it's putting out enough power to fire that LED on the crab nice and bright and no more. I don't know if this will help you, but I hope it helps someone.

Take care.


@Skinny thanks for sharing your adventure with the screen crab.

I have just one question regarding gaining root access to the screen crab. When I connect via the TX/RX pins with a USB serial adapter (I'm using `screen /dev/tty.usbserial-XXX 115200`) then I'm only able to see the output at boot up and the characters I'm sending to the device. I don't get a shell prompt. How did you manage to explore the file system and see the ifconfig output?


@trunner It doesn't seem to make a difference whether it's plugged into battery or into a wall outlet through a transformer, the result is the same.

@phrogg After it booted, I just pressed Enter and the prompt popped up. I'm using Windows with Putty. The prompt I get is pasted below after the last few lines of the boot sequence.

[   22.793488] init: avc:  denied  { set } for property=tmp.exec_ubus scontext=u:r:system_app:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
[   22.930341] init: avc:  denied  { set } for property=tmp.exec_ubus scontext=u:r:realtek:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service

root@kylin32:/ #
root@kylin32:/ #


For anyone interested, once connected to the serial port, there is a bash file in /system/bin called crab. It has loads of functions in there you can play around with like changing LED colors, wifi functions, and other helpful things. To run the functions, type:

source crab

After that just type the name of the function you want to run. To find out the functions just cat out the file.

cat /system/bin/crab

Looking through logs a little more today, I see the problem that is occurring:

C2Run:	 C2 Thread starting|
C2Device:	 C2 STARTUP SYNC|
Util:	 exec [cat /proc/uptime | busybox awk {print ;} 2>/dev/null]|
Util:	 C2DeviceUpdateexit value: 0|
Util:	 C2DeviceUpdateshell output : 40.80|
Util:	 exec [cat /sys/class/net/wlan0/statistics/rx_bytes]|
Util:	 C2DeviceUpdateexit value: 0|
Util:	 C2DeviceUpdateshell output : 0|
Util:	 exec [cat /sys/class/net/wlan0/statistics/tx_bytes]|
Util:	 C2DeviceUpdateexit value: 0|
Util:	 C2DeviceUpdateshell output : 0|
Util:	 exec [ifconfig wlan0 | grep inet addr | cut -d: -f2 | busybox awk {print ;}]|
Util:	 C2DeviceUpdateexit value: 0|
Util:	 C2DeviceUpdateshell output : |
C2Run:	 C2 error error getting updated ip|
C2Device:	 SEND C2 UPTIME|
C2Device:	 SEND C2 MINIMAL|
C2Device:	 SEND C2 NOTIFICATIONS|
POST:	 C2 POST ERROR: java.net.UnknownHostException: Unable to resolve host Chippunk: No address associated with hostname|
C2Run:	 C2 error startup sync post failed|
C2Run:	 C2 RETRYING STARTUP SYNC|

The "error getting updated ip" towards the bottom is a result of the Screen Crab not connecting to the AP that is available. Once the C2 instance is invoked, it doesn't seem to try again. After the boot sequence, I can force a connection to the AP by typing "ip link set wlan0 down" but by then, the C2 steps have already passed. I know it's legitimately connected to the AP because I can ping the c2 server from the crab. At the moment I'm looking for a way to invoke the c2 instance after I manually get the crab to connect to the AP.


I changed some things today and it seemed to be working for a while. Jumping back into this project a few days ago, I screwed up the c2 setup. When I started c2, for hostname I put the hostname of the computer and not the IP address of the computer. If you look at the last post:

POST:	 C2 POST ERROR: java.net.UnknownHostException: Unable to resolve host Chippunk: No address associated with hostname|

This got me thinking as to why it would give me that error. After correcting the mistake, it worked great on two different networks.

After putting the case back together and restarting the crab, I was back to square one. It is once again refusing to connect even with the correct c2 setup. 

I did learn a few additional things today. There is a way to edit files. You cannot natively just type vi, vim, or nano and edit things, but you can invoke busybox. If you type the following, you'll get an editor.

busybox vi

Also, at boot, there are some lines that are killing Bluetooth. I suspect it's part of the radio chip because many wifi chips come with Bluetooth already embedded.

Lastly, the crab is booting using an Android system. There is an init program that loads a ton of init files in the main directory. With the ability to edit, you could probably play with the boot sequence and move over your own scripts on the SD card.


IT'S FIXED!!! This took a stupid amount of time to figure out for such a simple workaround. Before heading down the path outlined below, be absolutely certain there is not some other issue keeping the Crab from connecting to C2.

Problem:

After initially connecting to C2 and running perfectly over WiFi, subsequent attempts to connect to the same AP using the same Screen Crab prove fruitless and do not work. This is due to wlan0 on the Screencrab not being up when C2 is invoked at boot.

Solution:

  1. Take the case off of the screen crab.
  2. Connect to the screen crab's headers (see above) using a TTL-232R-3V3 USB to TTL serial cable. You will need two male to female extension wires to make this possible with the cable specified.
  3. (I'm using Windows) Use Putty to connect to the crab. Baud rate is 115200.
  4. With a microSD card fully configured and inserted into the Crab, power on the crab. If you setup everything correctly, you will see the boot sequence scrolling past in the putty window.
  5. After about 22 seconds, the boot sequence will cease. Press Enter to get a prompt: 
    root@kylin32:/ #
  6. Remount the system folder to allow editing of the crab framework file. 
    mount -o remount,rw '/system'
  7. Edit the crab file using vi. 
    busybox vi /system/bin/crab
  8. If you are unfamiliar with vi, like I was, press "i" to edit the file.
  9. Cursor down to the enable_wifi function and edit it to appear as follows:
    enable_wifi () {
      blink 2 1 cyan led_off
      sync
      wpa_supplicant -iwlan0 -Dnl80211 -c/data/misc/wifi/wpa_supplicant.conf
      svc wifi enable
      sleep 2
      if ifconfig wlan0 | grep inet; then
        echo WiFi connected
      else
        ifconfig wlan0 down
        sleep 4
      fi
    }

    The "ifconfig wlan0 down" part will, strangely enough, turn on the wlan0 interface if it hasn't come on yet. This is the primary problem with my screen crabs not connecting.

  10. After you are finished editing, press Escape, then type :w and press Enter. This will save the file.

  11. Type :q! and press Enter. This will exit you out of vi.

  12. Press the button on the side of the Crab to disengage the microSD card and then shut the Crab.

  13. Restart the Crab. 

If your network setup isn't too complicated, you can expect the Crab to reconnect about 10 to 15 seconds after the crab LED lights Blue.

--------------------

Remaining Problems:

The crab seems to have an issue when changing from one wireless AP to another. The first time you connect to a new AP (and have taken care to put new settings in the config.txt file and have downloaded a new device.config), the crab will remain connected to the old AP if it is still within range. After rolling power once or twice, it will finally connect to its intended AP. I think this could be fixed by playing around with the crab framework a little more.

--------------------

Upgrade Thoughts:

Once I find the C2 mechanism, I would like for the screen crab to reinvoke C2 if it ever loses connection. Right now if the crab loses connection to the AP (for instance the AP gets powered down for a minute or two), it will not reacquire the AP and re-invoke C2.

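The enable_wifi edit above checks once and applies the "down" kick once. As an added example (not Hak5's crab script or the poster's code), here is a bounded retry version of that same check, written for a POSIX/busybox shell. It assumes busybox-style ifconfig output ("inet addr:..."), the same text the Crab's own C2 log line greps for, and uses a constructed, simulated wlan0 so it runs offline.

```shell
#!/bin/sh
# Added example, not Hak5's crab script: a bounded version of the enable_wifi
# check from the post above. Assumes busybox-style ifconfig output
# ("inet addr:..."), the same text the Crab's own C2 log greps for.
# Print the first IPv4 address found in ifconfig-style text read from stdin.
ifconfig_ipv4() {
  sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

# wait_for_wifi TRIES DELAY STATUS_CMD DOWN_CMD
#   STATUS_CMD prints the interface state; DOWN_CMD is the post's workaround
#   ("ifconfig wlan0 down" oddly brings wlan0 up). The kick is applied after
#   each failed check and the loop gives up after TRIES attempts, so a boot
#   script never blocks forever. Prints the address and returns 0 on success.
wait_for_wifi() {
  tries=$1; delay=$2; status_cmd=$3; down_cmd=$4
  i=0
  while [ "$i" -lt "$tries" ]; do
    addr=$("$status_cmd" | ifconfig_ipv4)
    if [ -n "$addr" ]; then
      echo "$addr"
      return 0
    fi
    "$down_cmd"
    sleep "$delay"
    i=$((i + 1))
  done
  return 1
}
# On the Crab itself, the two commands from the post would be wrapped like this:
crab_status() { ifconfig wlan0; }
crab_down() { ifconfig wlan0 down; }

# Constructed simulation (hypothetical MAC and address) so this runs offline:
# the fake wlan0 only gets an address after two "down" kicks. The kick count
# lives in a temp file because $(...) runs the functions in a subshell.
SAMPLE_DOWN='wlan0     Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          UP BROADCAST MULTICAST  MTU:1500  Metric:1'
SAMPLE_UP='wlan0     Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.23  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'
SIM_FILE=$(mktemp)
echo 0 > "$SIM_FILE"
sim_ifconfig() {
  if [ "$(cat "$SIM_FILE")" -ge 2 ]; then printf '%s\n' "$SAMPLE_UP"
  else printf '%s\n' "$SAMPLE_DOWN"; fi
}
sim_down() { echo $(( $(cat "$SIM_FILE") + 1 )) > "$SIM_FILE"; }

if addr=$(wait_for_wifi 5 0 sim_ifconfig sim_down); then
  echo "wlan0 up with $addr after $(cat "$SIM_FILE") down-kick(s)"
else
  echo "wlan0 never came up"
fi
```

On the device, call `wait_for_wifi 5 2 crab_status crab_down` in place of the simulated pair; the return code tells the caller whether to go on and start C2.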


I just got my Screen Crab this week and am having the same issue connecting to my wifi. This should be the easy part! As stated above I tried wrapping the SSID and Password in quotes but that didn't work. SSID and Password have no special characters. I even tried "wifi" for my SSID and "pass" for the password. I even tried 2 other networks away from home. Still nothing. The device captures images just fine so it seems to be working I just can't get it to connect. I even turned off my entire network with the exception of my router, one switch and one WAP. I could never get a device in my DHCP leases. And I don't see anything with Wireshark. Any suggestions? Does the Hak5 team monitor these forums? This thread is almost a year old with no solution!


Hey Hak5 Team, can we get at least something from you guys on this? I also have a Screen Crab that simply won't connect to WiFi; trying with both C2 and stand-alone configs. It does see the proper SSID/Password in the Config but just never connects.

It'd be really nice to get a firmware update that addresses this with Skinny's Fix from above. I lost my FTDI cable in a move, so now I'm stuck waiting for a new one to be delivered to use the device.


Have you tried to let the Crab boot without the SD card inserted and when the LED turns red, insert the SD card? It works for me every time, at least when it comes to connecting to new networks. The Crab holds the latest AP in local storage/config, so you won't need the SD card plugged in to get a WiFi connection if you already have been connected to it once before (the latest network/AP, not "historic" ones). The Crab stores the previous AP (SSID/PSK) in /data/misc/wifi/wpa_supplicant.conf. I did some "research" recently (not had time before) to deep dive into the crab since it's kind of "odd" compared to other Hak5 devices that are OpenWrt or Debian based. It took a little while but I have come to the conclusion that it runs Android 6.0.1 along with OpenWrt (but not in the "ordinary" way). The kylin prompt was kind of confusing at first since it made me think it was running the "state sponsored" Kylin OS. But that was just curtains of smoke after I realized that Realtek has a board named kylin as well. Running Cloud C2 on the Crab at the moment just to try if it works (not with the Crab as a client but the actual C2 server instance, but... just a test though to see if ARMv8 binaries run as they should on the device).


Hi,

I have followed the guides and basic troubleshooting:

1. placing the WIFI SSID and PASSWORD in the section with the other actionable text up top in the config file

2. correctly escaping out the SSID and password

3. creating the wifi autoexe file to test connectivity

4. checking the network for added devices

5. checking the C2 server

6. deleting all data off the config file minus the SSID and PASSWORD section

7. re-booting, and

8. inserting the micro SD card when the device is powered on with the red LED on.

I feel like an absolute idiot with not being able to make use of the Wifi features. Please, dear god, send help.


References:
https://docs.hak5.org/hc/en-us/articles/360033503594-Configuring-Screen-Crab-for-Cloud-C2

https://jbcsec.com/screen-crab-the-favorite-tool-of-bothan-spies/

https://docs.hak5.org/hc/en-us/articles/360014295634-Adding-Devices-to-Cloud-C2

https://www.youtube.com/watch?v=TIpx_ENurLY

https://www.youtube.com/watch?v=cvFMf9BQLAI
