Is there any bug bounty or any way to access raw firmware files

[mohzen]

Hey there!
im mohzen, a cybersecurity researcher, and im wondering if there is any wiim bug bounty, or if there is any way to get access to Wiim firmware files to find bugs, and if there is any way to report any found bugs.

Thanks,
Mohzen

 

[F1 Fan]

Hey there!
im mohzen, a cybersecurity researcher, and im wondering if there is any wiim bug bounty, or if there is any way to get access to Wiim firmware files to find bugs, and if there is any way to report any found bugs.

Thanks,
Mohzen

What a strange first post ..

 

[mohzen]

What a strange first post ..

Ive been thinking about it, since my father got the Wiim ultra, it is an interesting device, and i wanna poke it without breaking it.. sorry if this sounds weird!

 

[Wiimer]

Hey there!
im mohzen, a cybersecurity researcher, and im wondering if there is any wiim bug bounty, or if there is any way to get access to Wiim firmware files to find bugs, and if there is any way to report any found bugs.

Thanks,
Mohzen

Hi
Please use the WiiM device and report any issues you encounter through the feedback section of the WiiM app. Alternatively, you can join the beta test. For now, I believe these are all the actions available to us as users.

 

[mohzen]

Hi
Please use the WiiM device and report any issues you encounter through the feedback section of the WiiM app. Alternatively, you can join the beta test. For now, I believe these are all the actions available to us as users.

The thing is, none of them allow access to raw firmware files to statically analyze.

 

[hgo58]

The thing is, none of them allow access to raw firmware files to statically analyze.

Of course not. The firmware is the property of LinkPlay and is not open software.

 

[Burnside]

The thing is, none of them allow access to raw firmware files to statically analyze.

I suspect that’s deliberate as there might well be proprietary code or IPR issues if their firmware was openly available to allow the kind of studies you describe.

As @Wiimer said, bugs are discovered thru use of the devices and reporting those back to WiiM via the more/feedback section in their app.

 

[Wiimer]

Also, you could join Linkplay as an engineer. But you'll probably be dishwasher for the first year.

 

[mohzen]

Also, you could join Linkplay as an engineer. But you'll probably be dishwasher for the first year.

I am ... wont specify my age, so that will certainly be a task under my jurisdiction...

 

[Burnside]

15 I believe you said before editing it out?

I feel you’re chasing a unicorn here and should maybe just abandon your quest and stick to the suggested incident reporting route

 

[QuarryHunslet]

15 I believe you said before editing it out?

Yes, you are correct, well spotted.

 

[hgo58]

The thing is, none of them allow access to raw firmware files to statically analyze.

Anyway, the firmware is not just an app. It's a specially adapted Linux system running a number of standard and sound processes. Unless you got the source code for all of it, there is nothing of interest for normal users.

Trying to decode the system will also be illegal, as I see it.

 

[mohzen]

Anyway, the firmware is not just an app. It's a specially adapted Linux system running a number of standard and sound processes. Unless you got the source code for all of it, there is nothing of interest for normal users.

Trying to decode the system will also be illegal, as I see it.

Reverse engineering isn't illegal? Where did you get that?

15 I believe you said before editing it out?

I feel you’re chasing a unicorn here and should maybe just abandon your quest and stick to the suggested incident reporting route

I feel the same, this doesn’t exactly feel like the right approach, and trying to dig deeper could cause more trouble than it’s worth.

Thanks to the community!

 

[Burnside]

Section 7 here states: "You may not copy, modify, create a derivative work of, reverse engineer, decompile, or otherwise attempt to extract the source code of the Services or any part thereof, unless this is expressly permitted or required by law. All rights not expressly granted herein are reserved by us."

 

[slartibartfast]

Reverse engineering isn't illegal? Where did you get that?

WiiM terms and conditions include this
"You may not copy, modify, create a derivative work of, reverse engineer, decompile, or otherwise attempt to extract the source code of the Services or any part thereof, unless this is expressly permitted or required by law."

@Burnside beat me to it

 

[mohzen]

Section 7 here states: "You may not copy, modify, create a derivative work of, reverse engineer, decompile, or otherwise attempt to extract the source code of the Services or any part thereof, unless this is expressly permitted or required by law. All rights not expressly granted herein are reserved by us."

"unless this is expressly permitted or required by law." Assuming US Law (since Linkplay is registered in the US) Under 17 U.S. Code § 1201, "The Librarian shall publish any class of copyrighted works for which the Librarian has determined, pursuant to the rulemaking conducted under subparagraph (C), that noninfringing uses by persons who are users of a copyrighted work are, or are likely to be, adversely affected, and the prohibition contained in subcparagraph (A) shall not apply to such users with respect to such class of works for the ensuing 3-year period." And according to "37 CFR § 201.40 - Exemptions to prohibition against circumvention" , under (b)(18): "Computer programs, where the circumvention is undertaken on a lawfully acquired device... solely for the purpose of good-faith security research."

 

[mohzen]

Also, i'm not new to cybersecurity, if any of you would like, read my blog here [hxxps://blog.l3afs.space].

Have a good one,
mohzen