Lunii.RE
Lunii.RE copied to clipboard
Published
20 hours ago •
o-daneel
o-daneel
Understanding the inner mechanics of Lunii StoryTeller. Using Ghidra to reverse engineer the STM32 firmwares and cryptography
Lunii is a French company that made an interactive box for kids to customize stories. Lunii made our children loving stories, a real helper for them to fall asleep.
If you like it, BUY IT !!!
Even if you don't, children will 😁
Lunii has released a new version of their storyteller. I hope they learned from their mistakes.
Maybe, we will know 🫣 soon...
Sections
- Hardware
- Firmware analysis
- Ciphering reverse
TL;DR
Too long, didn't read ?
Many people doesn't care about about software security. There Lunii's company failed in many ways:
- JTAG is still enabled on the PCB (allows internal flash dump)
- External Flash is not ciphered (allows dump)
- UART is enabled, then provides a lot of debug
- Firmware embeds too many debug strings helping decompiling
- Firmwares are verified/validated through a dumb CRC (Hash would have been better)
Work in Progress
TODO
- Describe test mode / Try it
- Deep dive in file section to understand format
- .nm : Night mode (to be tested)
- Decompile
- Main FW : in progress > Main Firmware
- Firmware management
- Try loading firmware update
- Create custom firmware (simple internal picture update)
- Restore original FW
- Insert dummy patch (just back and forth) + try it (using custom picture)
- Make less dummy patch with printf call (can't be read without UART acces)
DONE
- Deep dive in file section to understand format
- .cfg : DONE
- .pi : DONE
- /rf/ & .ri : DONE
- /sf/ & .si : DONE
- .ni : DONE
- .li : DONE
- .bt DONE
- Undelete on storyteller ? DONE > only 50 mp3 files, none french stories removed.
- sample code to process TEA cipher/decipher
- in C or python ? : DONE
- Try it on Key_A ciphered files : DONE
- How to extract Key_B ? DONE
- Decompile
- Boot FW : DONE > Bootloader Firmware
- Backup FW : partial but CLOSED, no worth > Backup Firmware
FAILED / ABORTED
- NFC chip
- write NDEF using a dummy card (to test) with Android NXP Write
- update storyteller to switch to "test"
- back to production
- investigate test mode
- Firmware management
- Make patch to write to SD :
- A dummy file
- File with SNU + DATA
- File with KeyA & KeyB in plain
- Make patch to write to SD :
Links / Similar repos
- Lunii - Pack Manager CLI
- TBD Lunii 1/2 - TBD Lunii 2/2
- linux-cli (Did the same reverse analysis 😥 in July 2022, i'm late)
- Lunii_v3.RE
- (Hackday) Tsukuyomi Hacking Lunii
- (GitHub) Tsukuyomi
- STUdio - Story Teller Unleashed
- (GitHub) STUdio, Story Teller Unleashed
- (GitHub) STUdio
o-daneel