Talk:IX2412
xopr's course log of events / my badly maintained diary
After extracting the image using minipro on a TL866II+ with an 8-pin SOIC clamp while keeping the board in reset (connecting X2 pin 2 and 7), followed by binwalk --extract ixrouter.bin, it was time to search for the password hash.
Here is how it looks:
 root:*:0:0:root:/root:/bin/ash
 daemon:*:1:1:daemon:/var:/bin/false
 ftp:*:55:55:ftp:/home/ftp:/bin/false
 network:*:101:101:network:/var:/bin/false
 nobody:*:65534:65534:nobody:/var:/bin/false
And the shadow file:
 root::0:0:99999:7:::
 daemon:*:0:0:99999:7:::
 ftp:*:0:0:99999:7:::
 network:*:0:0:99999:7:::
 nobody:*:0:0:99999:7:::
Ok, root has a shell, but its password seems disabled and/or empty, wut??
Searching for "passwd" in all of the files, I found a first lead: _ixrouter.bin.extracted/squashfs-root/bin/login.sh
The script contains code such that if $FAILSAFE is set, login should be possible.
Well, that looks good for the root account. Squirrel! Next, searching for "root", along came _ixrouter.bin.extracted/squashfs-root/etc/board.d/03_system, where )|passwd root caught my eye!
 #!/bin/sh
 
 . /lib/functions.sh
 . /lib/ramips.sh
 . /lib/functions/uci-defaults-new.sh
 . /lib/functions/system.sh
 
 ramips_setup_system() {
 	echo $(mtd_get_serial_ascii factory 10) > /etc/serial
 	pass=$(mtd_get_passwd factory 20)
 	(
 		echo $pass
 		sleep 1
 		echo $pass
 	)|passwd root
 }
 
 ramips_setup_system
 
 exit 0
I've seen the /etc/serial file, so it was promising that this file was actually executed.
Opening the lib helper functions next to it (from the top of the file) to start searching for mtd_get_passwd, which was in _ixrouter.bin.extracted/squashfs-root/lib/functions/system.sh
 mtd_get_passwd() {
 	local mtdname="$1"
 	local offset="$2"
 	local part
 
 	part=$(find_mtd_part "$mtdname")
 	if [ -z "$part" ]; then
 		echo "mtd_get_passwd: partition $mtdname not found!" >&2
 		return
 	fi
 
 	dd bs=1 skip=$offset count=10 if=$part 2>/dev/null | tr -d '\000'
 }
and uses find_mtd_part to do some dd magic:
 dd bs=1 skip=$offset count=10 if=$part 2>/dev/null | tr -d '\000'
The find_mtd_part is in _ixrouter.bin.extracted/squashfs-root/lib/functions.sh, together with find_mtd_index: something something /dev/mtdblock
ok I'm on a roll!
Next, grabbing the stored boot log to see if mtd and/or factory is coming by:
 [    2.240000] 4 ofpart partitions found on MTD device spi32766.0
 [    2.250000] Creating 4 MTD partitions on "spi32766.0":
 [    2.260000] 0x000000000000-0x000000030000 : "u-boot"
 [    2.270000] 0x000000030000-0x000000040000 : "u-boot-env"
 [    2.290000] 0x000000040000-0x000000050000 : "factory"
 [    2.300000] 0x000000050000-0x000001000000 : "firmware"
 [    2.340000] 2 uimage-fw partitions found on MTD device firmware
 [    2.350000] 0x000000050000-0x0000001785e9 : "kernel"
 [    2.370000] 0x0000001785e9-0x000001000000 : "rootfs"
 [    2.380000] mtd: device 5 (rootfs) set to be root filesystem
 [    2.390000] 1 squashfs-split partitions found on MTD device rootfs
 [    2.400000] 0x000000790000-0x000001000000 : "rootfs_data"
There it is!
Ok, the next step is to look at the extracted bin file; too lazy for an actual hex editor, I used hd ixrouter.bin|less to search for address 040000 (note: xx is where the device serial number lives).
 00040000 ff ff ff ff c0 d3 91 31 ae 45 xx xx xx xx xx xx |.......1.Exxxxxx|
 00040010 xx xx xx xx 38 4d 6d 42 52 32 35 6d 73 6d 00 00 |xxxx8MmBR25msm..|
 00040020 00 00 00 00 00 33 2e 30 ff ff ff ff ff ff ff ff |.....3.0........|
 00040030 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
Testing it via the serial terminal:
 IXrouter3 login: root
 Password:
 
 
 BusyBox v1.23.2 (2018-08-07 15:27:36 CEST) built-in shell (ash)
 
  _____  __                _
 |_ _\ \/ /_ __ ___  _   _| |_ ___ _ __
  | | \  /| '__/ _ \| | | | __/ _ \ '__|
  | | /  \| | | (_) | |_| | || __/ |
 |___/_/\_\_|  \___/ \__,_|\__\___|_|
  ----------------------------------------
  IXrouter3 0.10.4 r0
  ----------------------------------------
 root@IXrouter3:~#
GREAT SUCCESS!
Ok, now give it to me command line style (inspired by the originating script):
 $ dd bs=1 skip=$((0x40000+20)) count=10 if=ixrouter.bin 2>/dev/null | tr -d '\000'
 8MmBR25msm
Next, having seen the U-Boot menu, let's check if we can read the password there as well, eliminating the need for data extraction via SOIC clip:
 md 40000.d 10
doesn't seem to have the data.. Is the offset different?
Ok, what commands do we have as well..
 help
 ...
 spi     - spi command
 ...
 MT7621 # spi
 Usage:
 spi     - spi command
 use "help spi" for detail!
 MT7621 # help spi
 spi     spi usage:
   spi id
   spi sr read
   spi sr write <value>
   spi read <addr> <len>
   spi erase <offs> <len>
   spi write <offs> <hex_str_value>
Now, determine the offset and print some bytes
 MT7621 # spi read 40014 10
 read len: 16
 38 4d 6d 42 52 32 35 6d 73 6d 0 0 0 0 0 0
Throw it in a hex-to-ASCII converter (because I can't read native HEX and I'm lazy). And there it is (don't forget to remove the trailing null characters): 8MmBR25msm
Finally, to be able to do this fully offline, throw some JavaScript at it:
 "38 4d 6d 42 52 32 35 6d 73 6d 0 0 0 0 0 0".split(" ").filter(n=>n!=="0").map(n=>String.fromCharCode(parseInt(n,16))).join("")
 "8MmBR25msm"
Later on I'd figure out that its length is also in hex, so spi read 40014 a is sufficient.
xopr 16:33, 10 March 2022 (CET)

current wpa2 enterprise update
In short: encryption='wpa2' causes the command
 iwpriv "$ap_ifname" AP_SET_CFG "ASCII_CMD=AP_CFG,${ssid}${channel}${encryption}${key}END"
to fail:
 Interface doesn't accept private ioctl...
 AP_SET_CFG (8BFB): Bad address
It might be that the driver does not support WPA2 enterprise.
The settings used were:
 uci set wireless.ap_lan_dev.channel='1'
 uci set wireless.ap_lan_iface.ssid='spacenet2'
 uci set wireless.ap_lan_iface.key='shared_secret'
 uci set wireless.ap_lan_dev.encryption='wpa2'
 uci set wireless.ap_lan_iface.server=192.168.1.200
 uci set wireless.ap_lan_iface.port=1812
but note that for RADIUS, this might be needed instead (IP needs to be adjusted):
 uci set wireless.ap_lan_dev.server=192.168.1.200
 uci set wireless.ap_lan_dev.port=1812
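Going back to the password hunt in the first entry: the image's /etc/shadow has an empty root field because 03_system sets the password on first boot from bytes stored in clear in the "factory" partition, which is why the same value could be read off the chip with the SOIC clip and again from U-Boot (md shows the CPU's address space, not the flash; the spi command is what actually reads the SPI NOR). The script below is an added example, not xopr's code and not IXrouter firmware. It replays that derivation offline against a full SPI dump, using the factory offset 0x40000 from the boot log and the field offsets 10 and 20 from 03_system, adds a sanity check for a wrong offset or shifted dump, and decodes the byte list that U-Boot's spi read prints. The image it builds for the demo is constructed, not a dump of a real unit.

```shell
#!/bin/sh
# Added example, not from xopr's log or the IXrouter firmware. Reproduces
# offline what /etc/board.d/03_system does on first boot: read the serial
# (offset 10) and the root password (offset 20) from the "factory"
# partition, 10 bytes each, NUL padded. Assumption from the boot log above:
# factory starts at 0x40000 in the SPI dump.

FACTORY_OFFSET=$((0x40000))   # boot log: 0x000040000-0x000050000 : "factory"
SERIAL_OFFSET=10              # mtd_get_serial_ascii factory 10
PASSWD_OFFSET=20              # mtd_get_passwd factory 20
FIELD_LEN=10                  # both helpers read count=10

# Same dd | tr idiom as mtd_get_passwd, against a dump file instead of /dev/mtdblockN.
read_factory_field() {        # $1 = dump file, $2 = offset inside factory
    dd bs=1 skip=$((FACTORY_OFFSET + $2)) count="$FIELD_LEN" if="$1" 2>/dev/null | tr -d '\000'
}
factory_serial() { read_factory_field "$1" "$SERIAL_OFFSET"; }
factory_passwd() { read_factory_field "$1" "$PASSWD_OFFSET"; }

# Heuristic check for a wrong offset or a shifted dump: erased flash reads as
# 0xff and a misaligned read yields non-printable bytes, neither of which
# passwd(1) would have been fed. The observed password is alphanumeric;
# widen the character class if a unit turns out to use other characters.
passwd_looks_sane() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# Decode the byte list printed by U-Boot's "spi read <addr> <len>"
# (e.g. "38 4d 6d 42 ... 0 0"). U-Boot prints a NUL as a bare "0", so those
# tokens are dropped, matching tr -d '\000' on the device.
spi_hex_to_ascii() {
    for byte in $(cat); do
        [ "$byte" = "0" ] && continue
        printf "\\$(printf '%03o' "0x$byte")"
    done
}

# Constructed dump for the demo (not a real device image): 0xff up to the
# factory partition, then a factory block laid out like the hexdump above.
make_demo_image() {           # $1 = output file
    dd if=/dev/zero bs=1024 count=256 2>/dev/null | tr '\000' '\377' > "$1"
    printf '\377\377\377\377\300\323\221\061\256\105' >> "$1"  # bytes 0-9, as in the hexdump
    printf 'SN00012345' >> "$1"                                # serial at offset 10 (constructed)
    printf 'Pa55w0rd\000\000' >> "$1"                          # password at offset 20, NUL padded
    printf '\000\000\000\000\000\000\000\063\056\060' >> "$1"  # NULs, then "3.0" at offset 37
}

# Demo run against the constructed image
img=$(mktemp)
make_demo_image "$img"
echo "serial:   $(factory_serial "$img")"
pw=$(factory_passwd "$img")
if passwd_looks_sane "$pw"; then echo "password: $pw"; else echo "password field unreadable, check the offset"; fi
echo "u-boot:   $(printf '38 4d 6d 42 52 32 35 6d 73 6d 0 0 0 0 0 0' | spi_hex_to_ascii)"
rm -f "$img"
```

Point factory_passwd at a real dump (for instance ixrouter.bin from the SOIC read) to get the same result as the dd one-liner in the log; the spi_hex_to_ascii function does for a pasted U-Boot line what the JavaScript one-liner above does in a browser.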