pinktabsquare

Blog: Android

Argos MyTablet FUBAR

consultant-placeholder10 Ken Munro 09 Sep 2016

pinktab

Some time ago, we noticed that Argos was selling a cheap tablet – the Bush MyTablet. It didn’t get great reviews, but our attention was drawn to it because

1. It was clearly running Android
2. It used the RK3188 CPU
3. It was Pink

 

 

A quick poke around the Android settings showed it was running KitKat 4.4.4. This was a long time ago, but even then Lollipop was current. Fail.

bushsettings

It supported encryption, unlike the Tesco Hudl 1, but we found we could crack a 4 digit PIN in under an hour… on a laptop, let alone a cracking rig!

Extracting the data

Key was getting in to the vulnerable Rockchip flash mode. Not as easy as the Hudl.

First, we took the back off, removed the EM shield from the CPU which acted as a heatsink. It quickly overheated and hard rebooted giving us the bootloader and flash mode.

We could also cheat and enable ADB locally, but that of course required the PIN first.

Finally, after about an hour of fiddling, we discovered that one simply holds vol up and vol down and power on. Flash mode fun!

bush1

Crack the PIN

Extract key and the salt from the metadata partition and the userdata partition header, then brute it:

bush3

Pwned!

We disclosed this to Home Retail Group in December 2014. At their request we waited some considerable time in order to avoid jeopardising a key sales period for them.

We didn’t get that much joy during the disclosure process, then frankly got bored of cheap Android tablets and moved on to IoT.

Rummaging through a box of old tablets today, we found the shiny pink Bush, so thought we may as well publish.

The Bush isn’t sold any more, though you can likely find them on eBay for giggles.