JetKVM - SSH password-auth w/insecure default root password
In the 4th quarter of 2024, I backed the Kickstarter JetKVM, and just received my units in the mail yesterday. There are several unboxings and how-tos out there, so let's skip straight to poking around the Linux backend and see if we can find anything interesting.
JetKVM Version info:
App: 0.3.8-dev202502191413
System: 0.2.2
During my first login to the JetKVM WUI, I had the option of whether or not to set a password, so I set "Cyclone_123" for our test. I found the JetKVM to work well, and having remote access to my headless server with a device that cost $69 was great.
After enabling developer mode, I logged into the Web Terminal and poked around looking for configs that may contain something of interest like hashed passwords. Note, I did not set up any SSH keys for this test and left them at default (blank).
I quickly found "kvm_config.json", which contains the WUI password we just created under the "hashed_password" field. This hash is bcrypt cost 10.
/ # cat /userdata/kvm_config.json
{
  "cloud_url": "https://api.jetkvm.com",
  "cloud_token": "",
  "google_identity": "",
  "jiggler_enabled": false,
  "auto_update_enabled": true,
  "include_pre_release": true,
  "hashed_password": "$2y$10$W1Ln8lsAchCnw2gVX/Q8y.bu/8bRFT97E3N9th70YdQnM7cm0Xw7y",
  "local_auth_token": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "localAuthMode": "password",
  "wake_on_lan_devices": null,
  "hdmi_edid_string": "00ffffffffffff0052620188008888881c150103800000780a0dc9a05747982712484c00000001010101010101010101010101010101023a801871382d40582c4500c48e2100001e011d007251d01e206e285500c48e2100001e000000fc00543734392d6648443732300a20000000fd00147801ff1d000a202020202020017b",
  "active_extension": "",
  "display_max_brightness": 64,
  "display_dim_after_sec": 3600,
  "display_off_after_sec": 0
}
Here's the decoded "hdmi_edid_string" in case you're curious:
edid-decode (hex):
00 ff ff ff ff ff ff 00 52 62 01 88 00 88 88 88
1c 15 01 03 80 00 00 78 0a 0d c9 a0 57 47 98 27
12 48 4c 00 00 00 01 01 01 01 01 01 01 01 01 01
01 01 01 01 01 01 02 3a 80 18 71 38 2d 40 58 2c
45 00 c4 8e 21 00 00 1e 01 1d 00 72 51 d0 1e 20
6e 28 55 00 c4 8e 21 00 00 1e 00 00 00 fc 00 54
37 34 39 2d 66 48 44 37 32 30 0a 20 00 00 00 fd
00 14 78 01 ff 1d 00 0a 20 20 20 20 20 20 01 7b
Block 0, Base EDID:
EDID Structure Version & Revision: 1.3
Vendor & Product Identification:
Manufacturer: TSB
Model: 34817
Serial Number: 2290649088
Made in: week 28 of 2011
Basic Display Parameters & Features:
Digital display
Image size is variable
Gamma: 2.20
RGB color display
First detailed timing is the preferred timing
Color Characteristics:
Red : 0.6250, 0.3398
Green: 0.2802, 0.5947
Blue : 0.1552, 0.0703
White: 0.2832, 0.2978
Established Timings I & II: none
Standard Timings: none
Detailed Timing Descriptors:
DTD 1: 1920x1080 60.000000 Hz 16:9 67.500 kHz 148.500000 MHz (708 mm x 398 mm)
Hfront 88 Hsync 44 Hback 148 Hpol P
Vfront 4 Vsync 5 Vback 36 Vpol P
DTD 2: 1280x720 60.000000 Hz 16:9 45.000 kHz 74.250000 MHz (708 mm x 398 mm)
Hfront 110 Hsync 40 Hback 220 Hpol P
Vfront 5 Vsync 5 Vback 20 Vpol P
Display Product Name: 'T749-fHD720'
Display Range Limits:
Monitor ranges (GTF): 20-120 Hz V, 1-255 kHz H, max dotclock 290 MHz
Extension blocks: 1
Checksum: 0x7b
Preferred Video Timing if only Block 0 is parsed:
DTD 1: 1920x1080 60.000000 Hz 16:9 67.500 kHz 148.500000 MHz (708 mm x 398 mm)
Hfront 88 Hsync 44 Hback 148 Hpol P
Vfront 4 Vsync 5 Vback 36 Vpol P
Native Video Resolution:
1920x1080
edid-decode SHA: 84ddf9155376 2021-10-03 10:37:45
Failures:
Block 0, Base EDID:
Base EDID: EDID specified 1 extension block(s), but found 0 extension block(s).
EDID:
Base EDID: The DTD image sizes all fit inside 255x255cm, but no display size was set.
EDID conformity: FAIL
Running the bcrypt hash through hashcat cracked it instantly with our known WUI password.
Now, onto the linux user accounts.
We find the root account using a deprecated md5crypt hashed password. I gave it a run with hashcat which proved to not be our previously cracked WUI password, so I ran it through my main wordlist which cracked it within 2 seconds. The default root password is "rockchip". This is a bit concerning!
Next, we'll run an nmap scan to check for open ports.
cyclone@pve-cyclone:~# nmap -p 1-10000 -sV -O -A 192.168.1.75
Starting Nmap 7.93 ( https://nmap.org ) at 2025-02-22 21:34 CST
...
Nmap scan report for 192.168.1.75
Host is up (0.00080s latency).
Not shown: 9998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     Dropbear sshd 2024.85 (protocol 2.0)
80/tcp open  http
|_http-title: JetKVM
...
MAC Address: 44:B7:D0:xx:xx:xx (Microchip Technology)
...
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT     ADDRESS
1   0.80 ms 192.168.1.75
We see SSH port 22 and HTTP port 80 are open. Port 80 is for the WUI, and hopefully HTTPS port 443 gets enabled in a future update.
The documentation states that SSH requires setting up SSH keys, and that password SSH auth is not allowed. (https://jetkvm.com/docs/advanced-usage/developing)
Let's test this:
To further verify if Dropbear is configured for password-auth, we can run this command from the KVM Terminal: "ps | grep dropbear"
The output "dropbear -R -E" means dropbear is running with "-R" ("re-exec") and "-E" ("log to stderr"). To disable password auth and require key auth, the command should be "dropbear -R -E -s -g".
Contrary to the JetKVM docs, password SSH auth is indeed enabled, and with an insecure root password, "rockchip".
I've submitted an issue on JetKVM's GitHub concerning this. https://github.com/jetkvm/kvm/issues/187
Note, SSH is only enabled with Developer Mode enabled.
Update 2025/02/24:
A simple fix for both of these issues:
After enabling Developer Mode, open the KVM Web Terminal and run these commands:
- Fix Dropbear password-auth:
sed -i 's|dropbear -R -E|dropbear -R -E -s -g|' /oem/usr/bin/dropbear.sh
- Change root password
passwd
- Test SSH after cycling Developer Mode off / on to apply new dropbear settings:
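The check and the fix above, written so they can be re-run safely, as an added example that is not code from the original post or from the JetKVM project. The function names, the ".bak" rollback copy and the sample "ps" line are assumptions made for illustration; the launcher path in the final comment is the one from the steps above.

```shell
#!/bin/sh
# Added example, not JetKVM project code. Flag meanings per dropbear(8):
# -s disables password logins, -g disables password logins for root.

# has_flag "<command line>" <letter>: succeeds if the letter occurs in a
# short-option cluster (-s, -sg, -REsg). The body is a subshell so that
# turning off globbing for the word split does not leak to the caller.
has_flag() (
    set -f
    for word in $1; do
        case "$word" in
            -*[!A-Za-z]*) ;;             # --long option or attached value
            -*"$2"*) exit 0 ;;
        esac
    done
    exit 1
)

# password_auth_state "<command line>"
# prints: disabled | root-only-disabled | enabled
password_auth_state() {
    if has_flag "$1" s; then echo disabled
    elif has_flag "$1" g; then echo root-only-disabled
    else echo enabled
    fi
}

# harden_launcher <file>: add "-s -g" after "dropbear -R -E" on lines that
# do not already carry it, keep one rollback copy, then verify the result.
# The address guard stops a second run from stacking "-s -g -s -g".
harden_launcher() {
    [ -f "$1" ] || { echo "not found: $1" >&2; return 2; }
    [ -e "$1.bak" ] || cp -p "$1" "$1.bak" || return 1
    sed -i '/dropbear -R -E -s -g/!s|dropbear -R -E|dropbear -R -E -s -g|' "$1"
    line=$(grep -m1 'dropbear -R -E' "$1") || return 1
    [ "$(password_auth_state "$line")" = disabled ]
}

# Constructed sample of a `ps` line in the shape shown earlier on this page.
sample='  312 root      0:00 dropbear -R -E'
echo "sample launcher: password auth $(password_auth_state "$sample")"

# On the device: harden_launcher /oem/usr/bin/dropbear.sh
# then cycle Developer Mode off / on so dropbear restarts with the new flags.
```

When auditing a live device, feed it `ps | grep '[d]ropbear'` so the grep process itself is not reported as a launcher line.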
That's all for now, and looking forward to seeing the JetKVM project grow!
GitHub Repo Updates:
- 2025/02/22 - Issue: jetkvm/kvm https://github.com/jetkvm/kvm/issues/187
- 2025/02/24 - Issue: jetkvm/rv1106-system https://github.com/jetkvm/rv1106-system/issues/6
- 2025/02/24 - PR: jetkvm/rv1106-system https://github.com/jetkvm/rv1106-system/pull/7
- 2025/02/24 - PR: chemhack removed default root password "rockchip" https://github.com/jetkvm/rv1106-system/pull/8