by cawan (cawan[at]ieee.org or chuiyewleong[at]hotmail.com)
http://cawanblog.blogspot.my/2015/09/modern-4g-modem-router-with.html
on 05/09/2015
Somebody showed me a 4G modem router and was looking for some challenges against its security
protection. After dismantling the unit, the UART port could be identified within a
minute and was ready to print the boot log, as shown below.
+Ethernet eth0: MAC address
IP: 192.168.0.8/255.255.255.0, Gateway: 192.168.0.1
Default server: 192.168.0.1
RedBoot(tm) bootstrap and debug environment [ROMRAM]
Non-certified release, version UNKNOWN - built 22:35:45, Mar 9 2010
Platform:
Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.
Copyright (C) 2003, 2004, 2005, 2006
RAM: 0x00000000-0x02ffc000, [0x00036e40-0x02ff0000] available
FLASH: 0x60000000 - 0x60e40000, 57 blocks of 0x00040000 bytes each.
RedBoot> cache on
RedBoot> fis read -b 0x80000 -f 0x60030000 -l 0x10000
RedBoot> eval 0x80000
[mfill -b 0x800701C8 -l 4 -4 -p 0x1]
RedBoot> fs mount -d /dev/flash1 -t jffs2 /flash
jffs2 cleanmark size=800
<4>Empty flash at 0x000641a4 ends at 0x00064800
<4>Empty flash at 0x005071a4 ends at 0x00507800
RedBoot> fs cd /flash
RedBoot> load -m file -b 0x600000 -r zImage
<5>JFFS2 notice: read_dnode: data CRC failed on node at %#08x: read %#08x, calculated %#08x
Raw file loaded 0x00600000-0x006d8ec7, assumed entry at 0x00600000
RedBoot> load -m file -b 0x1000000 -r initrd
<5>JFFS2 notice: read_dnode: data CRC failed on node at %#08x: read %#08x, calculated %#08x
Raw file loaded 0x01000000-0x014a3fff, assumed entry at 0x01000000
RedBoot> exec -z -b 0x600000
Decompressing Linux... done, booting the kernel.
Linux version 2.6.26.8-rt16 (
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
...
...
Well, it uses RedBoot. Let's try to stop the boot process with Ctrl+C.
...
...
RAM: 0x00000000-0x02ffc000, [0x00036e40-0x02ff0000] available
FLASH: 0x60000000 - 0x60e40000, 57 blocks of 0x00040000 bytes each.
^C
RedBoot>
Nice, the prompt is ready now. Let's check what commands are available.
RedBoot> help
Manage machine caches
cache [ON | OFF]
Display/switch console channel
channel [-1|
Compute a 32bit checksum [POSIX algorithm] for a range of memory
cksum -b
Display (hex dump) a range of memory
dump -b
execute command on memory
eval -b
Execute an image - with MMU off
exec [-w timeout] [-b
[-r
[-c "kernel command line"] [-t
Manage FLASH images
fis {cmds}
Manage Filesystem files
fs {cmds}
Write flash indirectly via in-memory buffer
fwrite -b
Execute code at a location
go [-w
Uncompress GZIP compressed data
gunzip -s
execute dynamic load command
gym ...|eval
Help about help?
help [
Display command history
history
Set/change IP addresses
ip_address [-b] [-l
Load a file
load [-r] [-v] [-d] [-h
[-b
Compare two blocks of memory
mcmp -s
Copy memory from one address to another
mcopy -s
Fill a block of memory with a pattern
mfill -b
Network connectivity test
ping [-v] [-n
[-i
Reset the system
reset
reset_md
Display RedBoot version information
version
Display (hex dump) a range of memory
x -b
RedBoot>
As usual, the command "fs" is there. Let's check further what can be done with it.
RedBoot> help fs
Manage Filesystem files
fs {cmds}
change directory
fs cd [
delete file
fs del
delete directory
fs deldir
filesystem info
fs info
list directory contents
fs list [
create directory
fs mkdir
Mount file system
fs mount [-d
move file
fs move
Unmount file system
fs umount
write data to file
fs write -b
RedBoot>
Well, it can mount a filesystem but cannot read a file. Let's mount it first.
RedBoot> fs info
Filesystems available:
jffs2
Devices available:
/dev/flash1
RedBoot> fs mount -d /dev/flash1 -t jffs2
jffs2 cleanmark size=800
<4>Empty flash at 0x000641a4 ends at 0x00064800
<4>Empty flash at 0x0019753c ends at 0x00197800
<4>Empty flash at 0x001b8484 ends at 0x001b8800
<4>Empty flash at 0x005071a4 ends at 0x00507800
RedBoot>
The filesystem is mounted now, let's list the files.
RedBoot> fs list
1 drwxr-xr-x 1 size 0 .
1 drwxr-xr-x 1 size 0 ..
118280 -rw-r--r-- 1 size 12 TZ
7 drwxr-xr-x 1 size 0 db
20072 drwxr-xr-x 1 size 0 sf
27 drwxr-xr-x 1 size 0 tmp
21 -rwxr-xr-x 1 size 292 rcS
158 drwxr-xr-x 1 size 0 ppp
4 drwxr-xr-x 1 size 0 cron
3 drwxr-xr-x 1 size 0 conf
20075 drwxr-xr-x 1 size 0 voip
20 drwxr-xr-x 1 size 0 rc.d
11 -rwxr-xr-x 1 size 10 group
10 -rwxr-xr-x 1 size 29 fstab
39706 -rw-r--r-- 1 size 33 md_ok
26 drwxr-xr-x 1 size 0 sncfg
65556 -rw-r--r-- 1 size 4866048 initrd
12 drwxr-xr-x 1 size 0 init.d
25 -rwxr-xr-x 1 size 59 shadow
17 -rwxr-xr-x 1 size 29 passwd
65555 -rw-r--r-- 1 size 888520 zImage
22 -rwxr-xr-x 1 size 621 rcS-common
39707 -rw-r--r-- 1 size 33 rescue_ok
20036 -rw-rw-rw- 1 size 436 hostnds_if0
9 drwxr-xr-x 1 size 0 dropbear
16 -rwxr-xr-x 1 size 1815 mini_httpd.pem
5 -rwxr-xr-x 1 size 1289 cwmp_cacert.pem
24 -rw-r--r-- 1 size 542 services
449 -rw-r--r-- 1 size 224 default.cfg
14 -rwxr-xr-x 1 size 125 inittab
347 -rwxr-xr-x 1 size 7712 termcap
65577 -rwxr-xr-x 1 size 12 tlv.emc
18 -rwxr-xr-x 1 size 117 priority
19 -rwxr-xr-x 1 size 0 profile
657 drwx------ 1 size 0 net-snmp
6 -rwxr-xr-x 1 size 3363 cwmp_client.pem
597 -rw-r--r-- 1 size 69 resolv.conf
23 -rwxr-xr-x 1 size 1126 rcS-common-post
15 drwxr-xr-x 1 size 0 iproute2
RedBoot>
Terrible, yes, it is. How to read a file? Simple, let's read passwd.
RedBoot> load -m file -b 600000 -r passwd
Raw file loaded 0x000927c0-0x000927dc, assumed entry at 0x000927c0
RedBoot> x -b 600000 -l 29 -r
726F6F743A783A303A303A2C2C2C3A2F726F6F743A2F62696E2F73680A
RedBoot>
cawan$ cat data.hex
726F6F743A783A303A303A2C2C2C3A2F726F6F743A2F62696E2F73680A
cawan$
cawan$ cat hex2raw.py
import binascii
fin=open("data.hex","rb")
fout=open("data.raw","wb")
d_hex=fin.read(2)
while d_hex != "":
    d_bin=binascii.unhexlify(d_hex)
    fout.write(d_bin)
    d_hex=fin.read(2)
cawan$
cawan$ python hex2raw.py
Traceback (most recent call last):
File "hex2raw.py", line 7, in
d_bin=binascii.unhexlify(d_hex)
TypeError: Odd-length string
cawan$
cawan$ cat data.raw
root:x:0:0:,,,:/root:/bin/sh
cawan$
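The load-then-hex-dump read above, carried through as an added example (not part of the original post): it derives the expected byte count from RedBoot's inclusive address range, strips the trailing newline that made the original hex2raw.py hit the odd-length error, and parses the recovered passwd entry so a reviewer can spot uid 0 or passwordless accounts. The console lines are constructed from the session above; the function names are mine.

```python
import binascii
import re

# Constructed from the UART session above: RedBoot's answer to
# "load -m file -b 600000 -r passwd" (600000 decimal == 0x927c0) and the
# "x -b 600000 -l 29 -r" dump, with the trailing newline that broke hex2raw.py.
LOAD_LINE = "Raw file loaded 0x000927c0-0x000927dc, assumed entry at 0x000927c0"
HEX_DUMP = "726F6F743A783A303A303A2C2C2C3A2F726F6F743A2F62696E2F73680A\n"

def loaded_length(load_line):
    """Byte count implied by RedBoot's inclusive start-end address range."""
    m = re.match(r"Raw file loaded 0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)", load_line)
    if not m:
        raise ValueError("not a RedBoot load confirmation line")
    start, end = int(m.group(1), 16), int(m.group(2), 16)
    return end - start + 1

def hex_dump_to_bytes(dump, expected_len=None):
    """Console hex dump -> bytes; whitespace dropped, size checked against the load line."""
    digits = "".join(dump.split())
    if len(digits) % 2:
        raise ValueError("odd number of hex digits: %d" % len(digits))
    raw = binascii.unhexlify(digits)
    if expected_len is not None and len(raw) != expected_len:
        raise ValueError("dumped %d bytes, load line says %d" % (len(raw), expected_len))
    return raw

def parse_passwd(raw):
    """One dict per account from the 7 colon-separated passwd fields."""
    entries = []
    for line in raw.decode("ascii").splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        entries.append({"name": f[0], "pw": f[1], "uid": int(f[2]), "gid": int(f[3]),
                        "gecos": f[4], "home": f[5], "shell": f[6]})
    return entries

def audit_passwd(entries):
    """What a defender checks first: passwordless accounts and every uid 0 account."""
    findings = []
    for e in entries:
        if e["pw"] == "":
            findings.append("%s: empty password field, no password needed" % e["name"])
        if e["uid"] == 0:
            findings.append("%s: uid 0 (password field %r)" % (e["name"], e["pw"]))
    return findings
```

For the passwd shown above the only finding is root as uid 0 with its hash deferred to /shadow, which is why the shadow file listed earlier matters just as much.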
Hell, no fun at all, just a shame. I start to appreciate Aruba's RAP.
PDF version:
https://www.scribd.com/doc/278686074/Modern-4G-Modem-Router-With-Oversimplified-Security-Protection