Talk:IX2412

From Hackerspace ACKspace
Revision as of 14:49, 25 March 2022 by Xopr (different firmware: new section)

xopr's course log of events / my badly maintained diary

After extracting the image using minipro on a TL866II+ with an 8-pin SOIC clamp while keeping the board in reset (connecting X2 pins 2 and 7), followed by binwalk --extract ixrouter.bin, it was time to search for the password hash. Here is how it looks:

root:*:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false

And the shadow file:

root::0:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::

OK, root has a shell, but its password seems disabled and/or empty, wut??

Searching for "passwd" in all of the files, I found a first lead: _ixrouter.bin.extracted/squashfs-root/bin/login.sh. The script contains code that allows login if $FAILSAFE is set.

Well, that looks good for the root account. Squirrel! Next, searching for "root", along came _ixrouter.bin.extracted/squashfs-root/etc/board.d/03_system, where )|passwd root caught my eye!

#!/bin/sh

. /lib/functions.sh
. /lib/ramips.sh
. /lib/functions/uci-defaults-new.sh
. /lib/functions/system.sh

ramips_setup_system()
{
	echo $(mtd_get_serial_ascii factory 10) > /etc/serial
	pass=$(mtd_get_passwd factory 20)
	(
		echo $pass
		sleep 1
		echo $pass
	)|passwd root
}

ramips_setup_system

exit 0

I've seen the /etc/serial file, so it was promising that this file was actually executed. Next I opened the lib helper functions (sourced at the top of the file) to search for mtd_get_passwd, which was in _ixrouter.bin.extracted/squashfs-root/lib/functions/system.sh

mtd_get_passwd() {
	local mtdname="$1"
	local offset="$2"
	local part

	part=$(find_mtd_part "$mtdname")
	if [ -z "$part" ]; then
		echo "mtd_get_passwd: partition $mtdname not found!" >&2
		return
	fi
	dd bs=1 skip=$offset count=10 if=$part 2>/dev/null | tr -d '\000'
}

It uses find_mtd_part and then does some dd magic: dd bs=1 skip=$offset count=10 if=$part 2>/dev/null | tr -d '\000'

find_mtd_part is in _ixrouter.bin.extracted/squashfs-root/lib/functions.sh together with find_mtd_index: something something /dev/mtdblock. OK, I'm on a roll!

Next, grabbing the stored boot log to see if mtd and/or factory comes by:

[    2.240000] 4 ofpart partitions found on MTD device spi32766.0
[    2.250000] Creating 4 MTD partitions on "spi32766.0":
[    2.260000] 0x000000000000-0x000000030000 : "u-boot"
[    2.270000] 0x000000030000-0x000000040000 : "u-boot-env"
[    2.290000] 0x000000040000-0x000000050000 : "factory"
[    2.300000] 0x000000050000-0x000001000000 : "firmware"
[    2.340000] 2 uimage-fw partitions found on MTD device firmware
[    2.350000] 0x000000050000-0x0000001785e9 : "kernel"
[    2.370000] 0x0000001785e9-0x000001000000 : "rootfs"
[    2.380000] mtd: device 5 (rootfs) set to be root filesystem
[    2.390000] 1 squashfs-split partitions found on MTD device rootfs
[    2.400000] 0x000000790000-0x000001000000 : "rootfs_data"

There it is!

OK, the next step is to look at the extracted bin file; too lazy for an actual hex editor, I used hd ixrouter.bin | less to search for address 040000 (note: xx is where the device serial number lives).

00040000  ff ff ff ff c0 d3 91 31  ae 45 xx xx xx xx xx xx  |.......1.Exxxxxx|
00040010  xx xx xx xx 38 4d 6d 42  52 32 35 6d 73 6d 00 00  |xxxx8MmBR25msm..|
00040020  00 00 00 00 00 33 2e 30  ff ff ff ff ff ff ff ff  |.....3.0........|
00040030  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|

Testing it via the serial terminal:

IXrouter3 login: root
Password: 


BusyBox v1.23.2 (2018-08-07 15:27:36 CEST) built-in shell (ash)

  _____  __                _            
 |_ _\ \/ /_ __ ___  _   _| |_ ___ _ __ 
  | | \  /| '__/ _ \| | | | __/ _ \ '__|
  | | /  \| | | (_) | |_| | ||  __/ |   
 |___/_/\_\_|  \___/ \__,_|\__\___|_|   
----------------------------------------
IXrouter3 0.10.4 r0
----------------------------------------
root@IXrouter3:~# 

GREAT SUCCESS!

OK, now give it to me command-line style (inspired by the originating script):

$ dd bs=1 skip=$((0x40000+20)) count=10 if=ixrouter.bin 2>/dev/null | tr -d '\000'
8MmBR25msm

Next, having seen the U-Boot menu, let's check if we can read the password there as well, eliminating the need for data extraction via SOIC clip: md 40000.d 10 doesn't seem to have the data... Is the offset different?

OK, what other commands do we have...

help
...
spi     - spi command
...

MT7621 # spi
Usage:
spi     - spi command

 use "help spi" for detail!
MT7621 # help spi
spi spi usage:
  spi id
  spi sr read
  spi sr write <value>
  spi read <addr> <len>
  spi erase <offs> <len>
  spi write <offs> <hex_str_value>

Now, determine the offset and print some bytes:

MT7621 # spi read 40014 10
read len: 16
38 4d 6d 42 52 32 35 6d 73 6d 0 0 0 0 0 0 

Throw it in a hex-to-ASCII converter (because I can't read native hex and I'm lazy). And there it is (don't forget to remove trailing null characters): 8MmBR25msm

Finally, to be able to do this fully offline, throw some JavaScript against it:

"38 4d 6d 42 52 32 35 6d 73 6d 0 0 0 0 0 0".split(" ").filter(n=>n!=="0").map(n=>String.fromCharCode(parseInt(n,16))).join("")
"8MmBR25msm"

Later on I'd figure out that its length is also in hex, so spi read 40014 a is sufficient.
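The whole chain above (boot log gives the factory partition offset, the board.d script reads 10 bytes at partition start + 20 and strips NULs, and the U-Boot spi read output shows the same bytes as bare hex) as one added JavaScript example; this is not code from the wiki page or from the IXrouter firmware, and the firmware image, boot-log lines and spi output below are constructed sample data. It goes slightly beyond the page's one-liner in that it parses the partition table from the log instead of hardcoding 0x40000, and stops at the first NUL byte when decoding the spi output rather than dropping every "0" token.

```javascript
// Added example, not part of the original wiki page or the device firmware.
// All input data (boot log, image, spi output) is constructed for the demo.

// Parse boot-log lines such as
//   [    2.290000] 0x000000040000-0x000000050000 : "factory"
// into { name, start, end } records (offsets in bytes).
function parseMtdPartitions(bootLog) {
  const re = /0x([0-9a-f]+)-0x([0-9a-f]+)\s*:\s*"([^"]+)"/i;
  const parts = [];
  for (const line of bootLog.split("\n")) {
    const m = re.exec(line);
    if (m) {
      parts.push({ name: m[3], start: parseInt(m[1], 16), end: parseInt(m[2], 16) });
    }
  }
  return parts;
}

// JavaScript mirror of the firmware's mtd_get_passwd: read `count` bytes at
// partition start + `offset` from an in-memory image and drop NUL bytes, which
// is what `dd bs=1 skip=$offset count=10 | tr -d '\000'` does on the device.
function mtdGetPasswd(image, partitions, name, offset, count = 10) {
  const part = partitions.find((p) => p.name === name);
  if (!part) {
    throw new Error(`mtd_get_passwd: partition ${name} not found`);
  }
  const begin = part.start + offset;
  if (begin + count > part.end) {
    throw new Error(`read of ${count} bytes at ${begin} leaves partition ${name}`);
  }
  const bytes = Array.from(image.subarray(begin, begin + count)).filter((b) => b !== 0);
  return String.fromCharCode(...bytes);
}

// Decode the text U-Boot prints for `spi read <addr> <len>`, e.g.
//   38 4d 6d 42 52 32 35 6d 73 6d 0 0 0 0 0 0
// Bytes are printed as unpadded hex, so a bare "0" is a NUL byte. Decoding stops
// at the first NUL (C-string semantics) instead of filtering out every "0" token.
function decodeSpiRead(text) {
  const bytes = text.trim().split(/\s+/).map((h) => parseInt(h, 16));
  const end = bytes.indexOf(0);
  return String.fromCharCode(...(end === -1 ? bytes : bytes.slice(0, end)));
}

// Constructed sample data: the partition lines from the boot log, an image of
// 0x50000 bytes filled with 0xff, and the spi read output for address 0x40014.
const SAMPLE_BOOT_LOG = [
  '[    2.260000] 0x000000000000-0x000000030000 : "u-boot"',
  '[    2.270000] 0x000000030000-0x000000040000 : "u-boot-env"',
  '[    2.290000] 0x000000040000-0x000000050000 : "factory"',
].join("\n");

const SAMPLE_PASSWORD = "8MmBR25msm"; // value shown on the page, placed at factory+20

function buildSampleImage() {
  const image = new Uint8Array(0x50000).fill(0xff);
  image.set(new TextEncoder().encode(SAMPLE_PASSWORD), 0x40000 + 20);
  return image;
}

const SAMPLE_SPI_READ = "38 4d 6d 42 52 32 35 6d 73 6d 0 0 0 0 0 0";

// Run both paths and return the results so they can be compared.
function demo() {
  const partitions = parseMtdPartitions(SAMPLE_BOOT_LOG);
  const fromImage = mtdGetPasswd(buildSampleImage(), partitions, "factory", 20);
  const fromUboot = decodeSpiRead(SAMPLE_SPI_READ);
  return { factoryStart: partitions.find((p) => p.name === "factory").start, fromImage, fromUboot };
}

console.log(demo()); // both strings equal the sample password
```

The image path reproduces exactly what 03_system feeds into passwd at boot, which is the security-relevant point of the page: the root password is a plaintext field in the factory partition, so anyone who can dump that partition (SOIC clip or U-Boot console) obtains it.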

xopr 16:33, 10 March 2022 (CET)

current wpa2 enterprise update

In short: encryption='wpa2' causes the command iwpriv "$ap_ifname" AP_SET_CFG "ASCII_CMD=AP_CFG,${ssid}${channel}${encryption}${key}END" to fail:

Interface doesn't accept private ioctl...
AP_SET_CFG (8BFB): Bad address

It might be that the driver does not support WPA2 enterprise.

The settings used were:

uci set wireless.ap_lan_dev.channel='1'
uci set wireless.ap_lan_iface.ssid='spacenet2'
uci set wireless.ap_lan_iface.key='shared_secret'
uci set wireless.ap_lan_dev.encryption='wpa2'
uci set wireless.ap_lan_iface.server=192.168.1.200
uci set wireless.ap_lan_iface.port=1812

but note that for RADIUS, this might be needed instead (IP needs to be adjusted):

uci set wireless.ap_lan_dev.server=192.168.1.200
uci set wireless.ap_lan_dev.port=1812

different firmware

xopr 14:49, 25 March 2022 (CET) I had some fun flashing the Mediatek AP-MT7621A-V60 EVB 21.02 firmware, which came with several challenges yet to overcome:

  • swconfig changed to Distributed Switch Architecture (DSA) and the order of the wan/lan ports was reversed (port 5 became wan); this caused the switch to pass port 5 traffic to the lan. To mitigate, one has to unplug the clients before rebooting
  • the working gpio pinout was lost; this impacted the LEDs and the modem power/reset options:
/sys/class/gpio/
3g-ndisable
3g-perst (used in /etc/rc.button/reset)
3g-power-enable
digin
wifi-pd

/sys/class/leds/ (symlink to /sys/devices/gpio-leds/leds/)
ix2:blue:3g
ix2:blue:vpn
ix2:red:3g
ix2:red:status
  • with some testing, I found out that some gpio pins are "busy", which might indicate they're mapped: 18, 22-28, 30
  • the drivers for wifi and the 4G modem were either not available or had no effect on enabling the device (might well be gpio related)