Saturday, September 5, 2015

Modern 4G Modem Router With Oversimplified Security Protection


by cawan (cawan[at]ieee.org or chuiyewleong[at]hotmail.com)

http://cawanblog.blogspot.my/2015/09/modern-4g-modem-router-with.html

on 05/09/2015


Somebody showed me a 4G modem router and was looking for some challenge against its security
protection. After dismantling the unit, the UART port could be identified within a
minute and was ready to print the boot log, as shown below.

+Ethernet eth0: MAC address
IP: 192.168.0.8/255.255.255.0, Gateway: 192.168.0.1
Default server: 192.168.0.1

RedBoot(tm) bootstrap and debug environment [ROMRAM]
Non-certified release, version UNKNOWN - built 22:35:45, Mar  9 2010

Platform: system (ARM9)
Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.
Copyright (C) 2003, 2004, 2005, 2006

RAM: 0x00000000-0x02ffc000, [0x00036e40-0x02ff0000] available
FLASH: 0x60000000 - 0x60e40000, 57 blocks of 0x00040000 bytes each.
RedBoot> cache on
RedBoot> fis read -b 0x80000 -f 0x60030000 -l 0x10000
RedBoot> eval 0x80000
[mfill -b 0x800701C8 -l 4 -4 -p 0x1]
RedBoot> fs mount -d /dev/flash1 -t jffs2 /flash
jffs2 cleanmark size=800
<4>Empty flash at 0x000641a4 ends at 0x00064800
<4>Empty flash at 0x005071a4 ends at 0x00507800
RedBoot> fs cd /flash
RedBoot> load -m file -b 0x600000 -r zImage
<5>JFFS2 notice:  read_dnode: data CRC failed on node at %#08x: read %#08x, calculated %#08x
Raw file loaded 0x00600000-0x006d8ec7, assumed entry at 0x00600000
RedBoot> load -m file -b 0x1000000 -r initrd
<5>JFFS2 notice:  read_dnode: data CRC failed on node at %#08x: read %#08x, calculated %#08x
Raw file loaded 0x01000000-0x014a3fff, assumed entry at 0x01000000
RedBoot> exec -z -b 0x600000
Decompressing Linux... done, booting the kernel.
Linux version 2.6.26.8-rt16 () (gcc version 3.4.4) #1 PREEMPT Wed May 25 14:32:18 CST 2011
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
...
...


Well, it uses RedBoot. Let's try to stop the boot process with Ctrl+C.

...
...
RAM: 0x00000000-0x02ffc000, [0x00036e40-0x02ff0000] available
FLASH: 0x60000000 - 0x60e40000, 57 blocks of 0x00040000 bytes each.
^C
RedBoot> 


Nice, the prompt is ready now. Let's check what commands are available.

RedBoot> help
Manage machine caches
   cache [ON | OFF]
Display/switch console channel
   channel [-1|]
Compute a 32bit checksum [POSIX algorithm] for a range of memory
   cksum -b -l
Display (hex dump) a range of memory
   dump -b [-l ] [-s|-r|-d] [-1|2|4]
execute command on memory
   eval -b
Execute an image - with MMU off
   exec [-w timeout] [-b [-l ]]
        [-r [-s ]]
        [-c "kernel command line"] [-t ] []
Manage FLASH images
   fis {cmds}
Manage Filesystem files
   fs {cmds}
Write flash indirectly via in-memory buffer
   fwrite -b -f -l
Execute code at a location
   go [-w ] [-c] [-n] [entry]
Uncompress GZIP compressed data
   gunzip -s -d
execute dynamic load command
   gym ...|eval
Help about help?
   help []
Display command history
   history
Set/change IP addresses
   ip_address [-b] [-l [/]] [-h ]
Load a file
   load [-r] [-v] [-d] [-h ] [-p ][-m ] [-c ]
        [-b ]
Compare two blocks of memory
   mcmp -s -d -l [-1|-2|-4]
Copy memory from one address to another
   mcopy -s -d -l [-1|-2|-4]
Fill a block of memory with a pattern
   mfill -b [-l -p | -s ] [-1|-2|-4]
Network connectivity test
   ping [-v] [-n ] [-l ] [-t ] [-r ]
        [-i ] -h
Reset the system
   reset

   reset_md
Display RedBoot version information
   version
Display (hex dump) a range of memory
   x -b [-l ] [-s|-r|-d] [-1|2|4]
RedBoot>


As usual, the command "fs" is there. Let's check further what can be done with it.

RedBoot> help fs
Manage Filesystem files
   fs {cmds}
change directory
  fs cd []
delete file
  fs del
delete directory
  fs deldir
filesystem info
  fs info
list directory contents
  fs list []
create directory
  fs mkdir
Mount file system
  fs mount [-d ] -t []
move file
  fs move
Unmount file system
  fs umount
write data to file
  fs write -b -l
RedBoot>

Well, it can mount a filesystem, but there is no command to read a file. Let's mount it first.


RedBoot> fs info
Filesystems available:
jffs2

Devices available:
/dev/flash1
RedBoot> fs mount -d /dev/flash1 -t jffs2
jffs2 cleanmark size=800
<4>Empty flash at 0x000641a4 ends at 0x00064800
<4>Empty flash at 0x0019753c ends at 0x00197800
<4>Empty flash at 0x001b8484 ends at 0x001b8800
<4>Empty flash at 0x005071a4 ends at 0x00507800
RedBoot>


The filesystem is mounted now, let's list the files.

RedBoot> fs list
   1 drwxr-xr-x  1 size      0 .
   1 drwxr-xr-x  1 size      0 ..
118280 -rw-r--r--  1 size     12 TZ
   7 drwxr-xr-x  1 size      0 db
20072 drwxr-xr-x  1 size      0 sf
  27 drwxr-xr-x  1 size      0 tmp
  21 -rwxr-xr-x  1 size    292 rcS
 158 drwxr-xr-x  1 size      0 ppp
   4 drwxr-xr-x  1 size      0 cron
   3 drwxr-xr-x  1 size      0 conf
20075 drwxr-xr-x  1 size      0 voip
  20 drwxr-xr-x  1 size      0 rc.d
  11 -rwxr-xr-x  1 size     10 group
  10 -rwxr-xr-x  1 size     29 fstab
39706 -rw-r--r--  1 size     33 md_ok
  26 drwxr-xr-x  1 size      0 sncfg
65556 -rw-r--r--  1 size 4866048 initrd
  12 drwxr-xr-x  1 size      0 init.d
  25 -rwxr-xr-x  1 size     59 shadow
  17 -rwxr-xr-x  1 size     29 passwd
65555 -rw-r--r--  1 size 888520 zImage
  22 -rwxr-xr-x  1 size    621 rcS-common
39707 -rw-r--r--  1 size     33 rescue_ok
20036 -rw-rw-rw-  1 size    436 hostnds_if0
   9 drwxr-xr-x  1 size      0 dropbear
  16 -rwxr-xr-x  1 size   1815 mini_httpd.pem
   5 -rwxr-xr-x  1 size   1289 cwmp_cacert.pem
  24 -rw-r--r--  1 size    542 services
 449 -rw-r--r--  1 size    224 default.cfg
  14 -rwxr-xr-x  1 size    125 inittab
 347 -rwxr-xr-x  1 size   7712 termcap
65577 -rwxr-xr-x  1 size     12 tlv.emc
  18 -rwxr-xr-x  1 size    117 priority
  19 -rwxr-xr-x  1 size      0 profile
 657 drwx------  1 size      0 net-snmp
   6 -rwxr-xr-x  1 size   3363 cwmp_client.pem
 597 -rw-r--r--  1 size     69 resolv.conf
  23 -rwxr-xr-x  1 size   1126 rcS-common-post
  15 drwxr-xr-x  1 size      0 iproute2
RedBoot>


Terrible, yes, it is. How to read a file? Simple. Let's read passwd.

RedBoot> load -m file -b 600000 -r passwd
Raw file loaded 0x000927c0-0x000927dc, assumed entry at 0x000927c0
RedBoot> x -b 600000 -l 29 -r
726F6F743A783A303A303A2C2C2C3A2F726F6F743A2F62696E2F73680A
RedBoot>

cawan$ cat data.hex
726F6F743A783A303A303A2C2C2C3A2F726F6F743A2F62696E2F73680A
cawan$
cawan$ cat hex2raw.py
import binascii

fin=open("data.hex","rb")
fout=open("data.raw","wb")
d_hex=fin.read(2)
while d_hex != "":
    d_bin=binascii.unhexlify(d_hex)
    fout.write(d_bin)
    d_hex=fin.read(2)
cawan$
cawan$ python hex2raw.py
Traceback (most recent call last):
  File "hex2raw.py", line 7, in
    d_bin=binascii.unhexlify(d_hex)
TypeError: Odd-length string
cawan$
cawan$ cat data.raw
root:x:0:0:,,,:/root:/bin/sh
cawan$
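A corrected version of the hex-to-raw step, added here and not part of the original post: the script above reads data.hex two characters at a time, so the trailing newline arrives as a one-character chunk and triggers the "Odd-length string" traceback (after all 29 real bytes were already written). This version strips whitespace first, then parses the recovered passwd into its seven fields and flags accounts that need no password or keep a hash in world-readable passwd instead of shadow; the sample hex is the dump shown above, and the flagging rule is my own heuristic, not something the post does.

```python
import binascii
import re

# Constructed sample: the hex the post dumped with `x -b 600000 -l 29 -r`,
# followed by the trailing newline a saved data.hex carries (the cause of the
# "Odd-length string" traceback when the file is read two characters at a time).
SAMPLE_HEX = "726F6F743A783A303A303A2C2C2C3A2F726F6F743A2F62696E2F73680A\n"


def hex2raw(text):
    """Decode a RedBoot `x ... -r` hex dump to bytes.

    All whitespace is dropped first, so trailing newlines and dumps wrapped
    across several lines no longer produce an odd-length chunk.
    """
    digits = re.sub(r"\s+", "", text)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits (%d)" % len(digits))
    return binascii.unhexlify(digits)


def parse_passwd(raw):
    """Split passwd(5) contents into one dict per account."""
    fields = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
    entries = []
    for line in raw.decode("ascii", "replace").splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(fields):
            raise ValueError("malformed passwd line: %r" % line)
        entries.append(dict(zip(fields, parts)))
    return entries


def weak_accounts(entries):
    """Heuristic (my assumption): an account is weak when its password field
    is empty (no authentication) or holds anything other than the shadow
    marker 'x' or a lock marker, i.e. a real hash sits in readable passwd."""
    return [e["name"] for e in entries if e["passwd"] not in ("x", "*", "!")]


if __name__ == "__main__":
    entries = parse_passwd(hex2raw(SAMPLE_HEX))
    for entry in entries:
        print(entry)
    print("weak accounts:", weak_accounts(entries))
```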


Hell, no fun at all, just a shame. I start to appreciate Aruba's RAP.


PDF version:
https://www.scribd.com/doc/278686074/Modern-4G-Modem-Router-With-Oversimplified-Security-Protection