Shadow Boxing

A project log for Shark Robot Vacuum Reverse Engineering

Reverse engineering the Shark RV1001AED series Robot Vacuum

Jon Steel, 05/30/2022 at 05:57

So I got in 2 more samples for a total of 3.

I have all 3 with the eMMC dump up to the 32Mb mark due to the loader limitation.

I can also mount the oem and rootfs partitions to play around.

I copied the shadow file from /etc, and two of them have the same password.

Removed due to SharkNinja lawyers

The ImageType 2 is where I have the shared password hash. Comparing the two, they are identical until the root file system. Since I can't dump the rootfs easily yet, I had to manually compare. It was quickly evident that the rootfs saw some differences.

Trying to crack the hashes has not worked out... I am guessing that the password is derived from a hash of the kernel, in the area of the dump past the 32Mb limit, or some other method.
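The shadow-file comparison described in this log can be scripted when auditing several firmware dumps for shared credentials. The following is an added example, not code from the original log or the project: it parses shadow(5) text from each image, names the hash scheme, and reports password fields that match verbatim across devices (a verbatim match means the salt is shared as well as the digest). The device labels and hash strings are constructed placeholders.

```python
from collections import defaultdict

# crypt(3) scheme prefixes as they appear in the shadow(5) password field
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}

def parse_shadow(text):
    """Return {user: password_field} for accounts that carry a real hash."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        # "", "*", "x" or anything starting with "!" means empty, locked or no login
        if pw in ("", "*", "x") or pw.startswith("!"):
            continue
        entries[user] = pw
    return entries

def scheme_of(pw):
    """Name the scheme from its $id$ prefix; no prefix means legacy DES crypt."""
    if pw.startswith("$"):
        ident = pw.split("$")[1]
        return SCHEMES.get(ident, "unknown($%s$)" % ident)
    return "descrypt"

def shared_hashes(dumps):
    """dumps: {device_label: shadow_text}. Return [(user, scheme, [devices])] for
    every password field that appears verbatim on more than one device."""
    seen = defaultdict(list)
    for device, text in sorted(dumps.items()):
        for user, pw in parse_shadow(text).items():
            seen[(user, pw)].append(device)
    return [(user, scheme_of(pw), devs)
            for (user, pw), devs in sorted(seen.items()) if len(devs) > 1]

# Constructed sample data: placeholder strings, not values from any real device.
SAMPLE = {
    "unit-a": "root:$6$SALTAAAA$HASHPLACEHOLDER1:19000:0:99999:7:::\ndaemon:*:19000::::::\n",
    "unit-b": "root:$6$SALTAAAA$HASHPLACEHOLDER1:19000:0:99999:7:::\ndaemon:*:19000::::::\n",
    "unit-c": "root:$6$SALTCCCC$HASHPLACEHOLDER3:19000:0:99999:7:::\ndaemon:*:19000::::::\n",
}

if __name__ == "__main__":
    for user, scheme, devices in shared_hashes(SAMPLE):
        print(f"{user}: identical {scheme} field on {', '.join(devices)}")
```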