I know this post is a little outside the typical theme, but I wanted to write about CuriosityStream and Nebula since I was unable to find many reviews of the services.
I like “edutainment” content in moderation when I’m not able to dedicate attention to reading the corresponding Wikipedia article(s). On YouTube, these are channels like Mustard, Paper Skies, and Wendover.
Some of these creators pitch Nebula as an alternative streaming service with exclusive content not available on YouTube. Since the annual subscription is quite cheap, I thought I would take a subscription and see what it has to offer.
Unfortunately for the channels I am interested in, there are few to no exclusive videos present on Nebula:
Mustard’s channel has only 3 videos on Nebula that have not been posted to YouTube. Some of the “Nebula Original” videos have since been posted to YouTube (and since they’re historical topics, the fact that they’re reposted to YouTube later is of little consequence).
Wendover’s Nebula channel has a small number of Nebula exclusive videos. Of the 100 Wendover videos available on Nebula, 12 are not present on YouTube.
But the point of writing a blog post is not only to comment on the lack of original content available on Nebula. Let us talk about Nebula’s content security. There is none.
As far as I can tell, the only thing preventing you from downloading any Nebula exclusive video is guessing the video title:
To obtain the video title, just replace whitespace and punctuation with the hyphen character. For the Mustard channel video “This Plane Tried To Do The Impossible: The Caproni Transaero” you would end up with the video title “this-plane-tried-to-do-the-impossible-the-caproni-transaero”
There are some videos which don’t conform to this scheme exactly, such as the Nebula exclusive movie “Alaska’s Silent Summer” by Wendover. In this case, the manifest URL simply uses the first word of the video title.
If anyone wanted to determine the manifest URL for the Nebula exclusive Mustard video “The Ugliest Plane Ever Built” it wouldn’t require more than a few guesses, given the above information.
The manifest is served by a CDN, and works without authentication so it’s trivial to guess the manifest URL to use with youtube-dl. Enjoy 👍
CuriosityStream is a slightly different matter. The content I looked at appeared to be content produced for television which was relicensed for distribution by CuriosityStream. An example of this would be the ARTE series Happiness is on the Plate, or the BBC series Mumbai Railway which I could not find available on any open content distribution platform (like YouTube).
If you enjoy television productions which have a limited distribution, then a subscription to CuriosityStream might be for you.
CuriosityStream at least varies the hash of their content manifest files, so you cannot simply guess the URL to obtain the content. However, CuriosityStream are not using any form of DRM, so with an account you can obtain an offline copy of the content using youtube-dl.
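An added example, not taken from either service: a common way to stop manifest URLs from being guessed or passed around is for the CDN edge to require an expiring HMAC token bound to the path and the account. The key, the query parameter names and the path below are constructed for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: key shared by the origin and the CDN edge

def _tag(path, account_id, expires, key):
    """HMAC-SHA256 over everything the token is meant to bind."""
    msg = f"{path}|{account_id}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def sign_manifest_path(path, account_id, expires, key=SECRET):
    """Origin side: issue a URL valid for one account until `expires` (epoch seconds)."""
    sig = _tag(path, account_id, expires, key)
    return f"{path}?acct={account_id}&exp={expires}&sig={sig}"

def verify_manifest_request(url, now=None, key=SECRET):
    """Edge side: reject requests with a missing, expired or forged token."""
    now = int(time.time()) if now is None else now
    path, _, query = url.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    try:
        account_id, expires, sig = params["acct"], int(params["exp"]), params["sig"]
    except (KeyError, ValueError):
        return False  # a bare, title-derived path carries no token at all
    expected = _tag(path, account_id, expires, key)
    return hmac.compare_digest(expected.encode(), sig.encode()) and now < expires

if __name__ == "__main__":
    path = "/manifests/example-title-slug.m3u8"  # constructed path
    url = sign_manifest_path(path, "acct42", expires=2000)
    print(verify_manifest_request(url, now=1000))   # valid token
    print(verify_manifest_request(path, now=1000))  # guessed path, no token
    print(verify_manifest_request(url, now=3000))   # expired token
```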
Fujitsu servers come with a remote management solution called iRMC S4 (newer models have iRMC S5). iRMC S4 and S5 are like other lights-out remote management solutions from HP (iLO) or Dell (iDRAC): each comprises baseboard management controller firmware along with other software utilities to remotely configure and manage servers. Importantly though, iRMC S4 runs Linux.
Before we get into the hardware of iRMC S4, let us examine the firmware update process. iRMC S4 follows a pretty typical BMC firmware update process: Fujitsu’s support website offers firmware downloads, and the iRMC web management interface allows you to upload the update which is then written to the inactive firmware slot.
As is common for enterprise hardware, there is no rollback protection, so you can downgrade the installed firmware to previous versions. I did not extensively test this functionality though, so there may be limits to how far you can downgrade as the firmware modifies the persistent conf partition (which is not redundant).
Running binwalk against the update file for the TX140 S2, we can immediately see that it is not encrypted:
These correspond to the lower and higher firmware slots in iRMC S4, and ensure that the firmware you are updating is not the currently running firmware.
So, could our way into iRMC S4 be as easy as modifying the cramfs from the firmware update?
Unfortunately, no. The update is signed and the signature is checked by /usr/local/bin/flasher against an RSA-1024 public key located on the conf partition prior to overwriting:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
Attempting to modify and repack cramfs results in the following output to the UART:
[1533 : 1533 INFO]VerifyImage
Signature Verification Failure
[1533 : 1533 CRITICAL][utils.c:1241]Signature verification failed
[1533 : 1533 CRITICAL][utils.c:1522]Encrypted hash of Image and the actual contents of rom.ima does not match
With our software-only modification route looking grim, it is time to move on into the realm of the evil maid.
On the TX140 S2 the BMC UART has been routed to pads, located just below PCIe slot 2, which are easily soldered to:
To stop the default boot sequence, press Escape within 2 seconds:
U-Boot 1.1.6 (Jun 20 2013 - 09:09:05)
DRAM: 247 MB
Fast clk is set
Found SPI Chip Macronix MX66L51235F
Flash: 64 MB
Net: pilot_eth0, pilot_eth1
Hit Esc key to stop autoboot: 0
------ Boot Options-------
0. Normal Boot
2. Remote Recovery
3. Management Console
4. Raw Console
Select Boot Option:
Despite requesting the GPL source code for iRMC S4 in December 2020, Fujitsu still has not provided the source code. Without the source code for U-Boot, it is difficult to determine if there are any routes that could lead to easy exploitation.
Getting a root console is relatively straightforward with soldering or a chip jig. If you use a jig, you will need very steady hands as flashrom requires 20-30 minutes to write and verify the 27MB cramfs region.
Lucky me, Fujitsu engineers considered physical modification of the iRMC S4 firmware out of scope, and there is no secure boot or signature verification of the cramfs on flash.
Since we can manipulate cramfs, we can bypass the stock Fujitsu shell and replace /usr/local/bin/remman with a symlink to /bin/sh and SSH as the admin user. This is not particularly useful though, as the admin user is not sysadmin, and the busybox that Fujitsu ship is lacking the su applet, so there’s no way to easily escalate your privileges from admin to sysadmin once logged in.
~ $ id
uid=1002(admin) gid=501(ipmi) groups=501(ipmi),504(lanoem),510(serialoem),528(iRMCsettings),529(RemoteStorage),530(UserAccounts),531(VideoRedirection),532(CfgConnectionBlade),535(RemoteManager)
The uid 0 account is not called root, but rather sysadmin with the password superuser:
The sysadmin account is not visible in the iRMC web interface and, as far as I can tell, the password cannot be changed (unless you physically modify the contents of cramfs). I believe the account is leftover from the SDK that iRMC S4 appears to be based on.
All my attempts to log in as sysadmin via SSH or UART with the default remman shell were unsuccessful, so it doesn’t appear to be a security risk out of the box.
However, once you have replaced /usr/local/bin/remman with a symlink to /bin/sh it is possible to log in as the sysadmin user and enjoy root access to your iRMC S4.
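An added example, not code from Fujitsu or from this post: because nothing on the BMC verifies the cramfs held in flash, a modified image can only be detected out of band, by comparing a flash dump against the image from the signed update. The sketch below locates cramfs images by their superblock and checks them against known-good SHA-256 digests; it also shows that the CRC32 inside cramfs still passes after a repack, so it is not a tamper check. The sample blobs are constructed, and the comparison assumes the flashed image is byte-identical to the one in the update file.

```python
import hashlib
import struct
import zlib

CRAMFS_MAGIC = 0x28CD3D45         # cramfs superblock magic (little-endian on disk)
CRAMFS_SIG = b"Compressed ROMFS"  # 16-byte signature at superblock offset 16
SUPER_LEN = 76                    # superblock length including the root inode

def make_image(payload):
    """Build a minimal cramfs-shaped blob (constructed sample, not real firmware)."""
    hdr = struct.pack("<IIII16sIIII16s12s", CRAMFS_MAGIC, SUPER_LEN + len(payload),
                      0, 0, CRAMFS_SIG, 0, 0, 0, 0, b"demo", b"")
    img = hdr + payload
    crc = zlib.crc32(img) & 0xFFFFFFFF  # CRC is taken with its own field zeroed
    return img[:32] + struct.pack("<I", crc) + img[36:]

def find_cramfs_images(blob):
    """Yield (offset, image_bytes) for every cramfs superblock found in blob."""
    magic = struct.pack("<I", CRAMFS_MAGIC)
    pos = blob.find(magic)
    while pos != -1:
        if blob[pos + 16:pos + 32] == CRAMFS_SIG:
            size = struct.unpack_from("<I", blob, pos + 4)[0]
            if SUPER_LEN <= size <= len(blob) - pos:
                yield pos, blob[pos:pos + size]
        pos = blob.find(magic, pos + 4)

def crc_ok(image):
    """Recompute the image CRC32 the way cramfsck does (CRC field zeroed)."""
    stored = struct.unpack_from("<I", image, 32)[0]
    zeroed = image[:32] + b"\0\0\0\0" + image[36:]
    return zlib.crc32(zeroed) & 0xFFFFFFFF == stored

def audit_dump(dump, known_good):
    """Return (offset, crc_valid, matches_reference) per cramfs image in dump."""
    return [(off, crc_ok(img), hashlib.sha256(img).hexdigest() in known_good)
            for off, img in find_cramfs_images(dump)]

if __name__ == "__main__":
    stock = make_image(b"stock rootfs")        # stands in for the vendor image
    repacked = make_image(b"modified rootfs")  # repacked image, CRC recomputed
    known_good = {hashlib.sha256(stock).hexdigest()}
    for name, img in (("stock", stock), ("repacked", repacked)):
        dump = b"\xff" * 64 + img + b"\xff" * 32  # image surrounded by erased flash
        print(name, audit_dump(dump, known_good))
```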
When I was building the Fujitsu TX140 S2, I wanted to purchase a SATA controller to expand the capacity from 6 SATA devices to 12. The ASMedia ASM1166 seemed most interesting as it is a modern design offering six SATA3 6Gbps ports without use of a port multiplier.
Despite what the silk screen on the PCB states, it is not “PCIe 3.0 x4” except in PCIe slot dimensions (since there is no standard for a physical PCIe x2 connector). The ASM1166 has a PCIe 3.0 x2 interface:
So the ASM1166 cannot provide full bandwidth to six SATA3 devices, but it is not as bandwidth limited as other SATA controllers which have only a PCIe x1 host connection. Be aware that the bandwidth will be halved if you install it in a PCIe 2.0 slot, due to the less efficient encoding of PCIe 2.0 (8b/10b) versus PCIe 3.0 (128b/130b).
The board designer did properly route the PCIe x2 connection to the host, as confirmed by lspci:
Power consumption is very good, the card only draws 2.8W idle.
PCIe SATA controllers based on the ASM1166 are priced comparably to other 5-6 port SATA controllers, but offer more bandwidth than cards using the JMicron JMB585 or Marvell 88SE9125. ASM1166 controllers can be found for around 20€ on AliExpress. There are seemingly some sellers shipping cards with PCIe x1 connectors, so I would advise you to check the reviews of other customers to see which variant the seller sends.
I was unable to find detailed information about the card such as power consumption and lspci output online, which I find very useful when making purchasing decisions, so I thought I should write a short summary. This is not a review or endorsement of any online marketplace or brand.