From Hackerspace ACKspace

xopr's course log of events / my badly maintained diary

After extracting the image using minipro on a TL866II+ with an 8 pin SOIC clamp while keeping the board in reset (connecting X2 pin 2 and 7), followed by binwalk --extract ixrouter.bin, it was time to search for the password hash. Here is how it looks:


And the shadow file:


Ok, root has a shell, but its password seems disabled and/or empty, wut??

Searching for "passwd" in all of the files, I found a first lead: _ixrouter.bin.extracted/squashfs-root/bin/ The script contains code so that, if $FAILSAFE is set, login should be possible.

Well, that looks good for the root account. Squirrel! Next, searching for "root", along came _ixrouter.bin.extracted/squashfs-root/etc/board.d/03_system, where )|passwd root caught my eye!


. /lib/
. /lib/
. /lib/functions/
. /lib/functions/

	echo $(mtd_get_serial_ascii factory 10) > /etc/serial
	pass=$(mtd_get_passwd factory 20)
	# subshell feeds the password twice, answering both passwd prompts
	(
	         echo $pass
	         sleep 1
	         echo $pass
	)|passwd root

exit 0

I had already seen the /etc/serial file, so it was promising that this file was actually executed. Next I opened the lib helper functions next to it (from the top of the file) and started searching for mtd_get_passwd, which was in _ixrouter.bin.extracted/squashfs-root/lib/functions/

mtd_get_passwd() {
	local mtdname="$1"
	local offset="$2"
	local part

	part=$(find_mtd_part "$mtdname")
	if [ -z "$part" ]; then
		echo "mtd_get_passwd: partition $mtdname not found!" >&2
		return 1
	fi
	# read 10 raw bytes at the given offset and drop the NUL padding
	dd bs=1 skip=$offset count=10 if=$part 2>/dev/null | tr -d '\000'
}

It uses find_mtd_part to resolve the partition device and then does some dd magic: dd bs=1 skip=$offset count=10 if=$part 2>/dev/null | tr -d '\000'

find_mtd_part lives in _ixrouter.bin.extracted/squashfs-root/lib/ together with find_mtd_index: something something /dev/mtdblock. Ok, I'm on a roll!

Next, grabbing the stored boot log to see if mtd and/or factory is coming by:

[    2.240000] 4 ofpart partitions found on MTD device spi32766.0
[    2.250000] Creating 4 MTD partitions on "spi32766.0":
[    2.260000] 0x000000000000-0x000000030000 : "u-boot"
[    2.270000] 0x000000030000-0x000000040000 : "u-boot-env"
[    2.290000] 0x000000040000-0x000000050000 : "factory"
[    2.300000] 0x000000050000-0x000001000000 : "firmware"
[    2.340000] 2 uimage-fw partitions found on MTD device firmware
[    2.350000] 0x000000050000-0x0000001785e9 : "kernel"
[    2.370000] 0x0000001785e9-0x000001000000 : "rootfs"
[    2.380000] mtd: device 5 (rootfs) set to be root filesystem
[    2.390000] 1 squashfs-split partitions found on MTD device rootfs
[    2.400000] 0x000000790000-0x000001000000 : "rootfs_data"

There it is!

Ok, next step is to look at the extracted bin file; too lazy for an actual hex editor, I used hd ixrouter.bin|less to search for address 040000 (note: xx is where the device serial number lives).

00040000  ff ff ff ff c0 d3 91 31  ae 45 xx xx xx xx xx xx  |.......1.Exxxxxx|
00040010  xx xx xx xx 38 4d 6d 42  52 32 35 6d 73 6d 00 00  |xxxx8MmBR25msm..|
00040020  00 00 00 00 00 33 2e 30  ff ff ff ff ff ff ff ff  |.....3.0........|
00040030  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|

testing it via the serial terminal:

IXrouter3 login: root

BusyBox v1.23.2 (2018-08-07 15:27:36 CEST) built-in shell (ash)

  _____  __                _            
 |_ _\ \/ /_ __ ___  _   _| |_ ___ _ __ 
  | | \  /| '__/ _ \| | | | __/ _ \ '__|
  | | /  \| | | (_) | |_| | ||  __/ |   
 |___/_/\_\_|  \___/ \__,_|\__\___|_|   
IXrouter3 0.10.4 r0


ok, now give it to me command line style (inspired by the originating script):

$ dd bs=1 skip=$((0x40000+20)) count=10 if=ixrouter.bin 2>/dev/null | tr -d '\000'

Next, having seen the U-Boot menu, let's check if we can read the password there as well, eliminating the need for data extraction via a SOIC clip: md 40000.d 10 doesn't seem to have the data.. Is the offset different?

Ok, what other commands do we have..

spi     - spi command

MT7621 # spi
spi     - spi command

 use "help spi" for detail!
MT7621 # help spi
spi spi usage:
  spi id
  spi sr read
  spi sr write <value>
  spi read <addr> <len>
  spi erase <offs> <len>
  spi write <offs> <hex_str_value>

Now, determine the offset and print some bytes:

MT7621 # spi read 40014 10
read len: 16
38 4d 6d 42 52 32 35 6d 73 6d 0 0 0 0 0 0 

Throw it in a hex-to-ascii converter (because I can't read native HEX and I'm lazy). And there it is (don't forget to remove the trailing null characters): 8MmBR25msm

Finally, to be able to do this fully offline, throw some javascript against it:

"38 4d 6d 42 52 32 35 6d 73 6d 0 0 0 0 0 0".split(" ").filter(n=>n!=="0").map(n=>String.fromCharCode(parseInt(n,16))).join("")

Later on I'd figure out that its length is also in hex, so spi read 40014 a is sufficient.
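The whole recovery chain above, as an added example that is not code from the wiki page or from the IXrouter firmware: locate the "factory" partition from the kernel's MTD partition table in the boot log, read the 10-byte field at partition offset 20 (the offsets 03_system hands to mtd_get_serial_ascii and mtd_get_passwd) with the same dd|tr pipeline, and turn U-Boot "spi read" output into text without a browser. The image written by make_sample_image, its serial and its password are constructed here so the script runs offline; the only real value is the boot log, copied from the dmesg above. The point for anyone auditing such a board: the root password is a plaintext field in an unencrypted flash partition, so every flash dump, and the bootloader console, hands it over.

```shell
# Added example (not from the wiki or the firmware): offline recovery of the
# factory-partition password, in plain POSIX sh.

# Print the start (decimal) of MTD partition $1 from boot-log text on stdin,
# matching lines like: [    2.290000] 0x000000040000-0x000000050000 : "factory"
mtd_partition_start() {
    hex=$(sed -n 's/.*] 0x\([0-9a-fA-F]*\)-0x[0-9a-fA-F]* : "'"$1"'".*/\1/p' | head -n 1)
    [ -n "$hex" ] || return 1
    echo $((0x$hex))
}

# Read $4 bytes at offset $3 inside the partition that starts at byte $2 of
# image $1, dropping NUL padding: the pipeline mtd_get_passwd runs on the device.
mtd_field_ascii() {
    dd bs=1 skip=$(($2 + $3)) count="$4" if="$1" 2>/dev/null | tr -d '\000'
}

# Convert the hex byte list printed by U-Boot "spi read <addr> <len>" to text,
# skipping zero bytes (the trailing NUL padding).
spi_hex_to_ascii() {   # $1 = "38 4d 6d ... 0 0"
    for tok in $1; do
        val=$((0x$tok))
        [ "$val" -eq 0 ] && continue
        printf "\\$(printf '%03o' "$val")"
    done
}

# Constructed 0x50000-byte dump: everything zero except a made-up serial at
# factory+10 and a made-up password at factory+20, NUL-padded like the real one.
make_sample_image() {   # $1 = output path
    dd if=/dev/zero of="$1" bs=1024 count=320 2>/dev/null
    printf 'SN00000042' | dd of="$1" bs=1 seek=$((0x40000 + 10)) conv=notrunc 2>/dev/null
    printf 'Ex4mpl3Pw' | dd of="$1" bs=1 seek=$((0x40000 + 20)) conv=notrunc 2>/dev/null
}

# Recover the password from an image the way 03_system does at boot.
recover_root_password() {   # $1 = image path, $2 = boot log path
    start=$(mtd_partition_start factory < "$2") || return 1
    mtd_field_ascii "$1" "$start" 20 10
}

# Partition lines copied from the page's boot log (the only real data here).
SAMPLE_BOOTLOG='[    2.260000] 0x000000000000-0x000000030000 : "u-boot"
[    2.270000] 0x000000030000-0x000000040000 : "u-boot-env"
[    2.290000] 0x000000040000-0x000000050000 : "factory"
[    2.300000] 0x000000050000-0x000001000000 : "firmware"'

demo() {
    img=$(mktemp) && log=$(mktemp) || return 1
    make_sample_image "$img"
    printf '%s\n' "$SAMPLE_BOOTLOG" > "$log"
    printf 'factory starts at 0x%x\n' "$(mtd_partition_start factory < "$log")"
    printf 'serial:   %s\n' "$(mtd_field_ascii "$img" 262144 10 10)"
    printf 'password: %s\n' "$(recover_root_password "$img" "$log")"
    # same bytes as the constructed password, as U-Boot would print them
    printf 'spi read: %s\n' "$(spi_hex_to_ascii '45 78 34 6d 70 6c 33 50 77 0')"
    rm -f "$img" "$log"
}
demo
```

Point recover_root_password at the real ixrouter.bin and a saved boot log and it prints the same string the dd one-liner above does; mtd_partition_start is what replaces the hard-coded 0x40000 when the partition table differs between firmware builds.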

xopr 16:33, 10 March 2022 (CET) current wpa2 enterprise update

in short: encryption='wpa2' causes the command iwpriv "$ap_ifname" AP_SET_CFG "ASCII_CMD=AP_CFG,${ssid}${channel}${encryption}${key}END" to fail:

Interface doesn't accept private ioctl...
AP_SET_CFG (8BFB): Bad address

It might be that the driver does not support WPA2 enterprise.

The settings used were:

uci set'1'
uci set wireless.ap_lan_iface.ssid='spacenet2'
uci set wireless.ap_lan_iface.key='shared_secret'
uci set wireless.ap_lan_dev.encryption='wpa2'
uci set wireless.ap_lan_iface.server=
uci set wireless.ap_lan_iface.port=1812

but note that for RADIUS, this might be needed instead (IP needs to be adjusted):

uci set wireless.ap_lan_dev.server=
uci set wireless.ap_lan_dev.port=1812

different firmware

xopr 14:49, 25 March 2022 (CET) I had some fun flashing Mediatek AP-MT7621A-V60 EVB 21.02 firmware, which came with several challenges yet to overcome:

  • swconfig changed to Distributed Switch Architecture (DSA) and the order of wan/lan ports was reversed (port 5 became wan); this caused the switch to pass port 5 traffic to the lan. To mitigate, one has to unplug the clients before rebooting
  • the working gpio pinout was lost; this impacted the leds and modem power/reset options:
    • 3g-perst (used in /etc/rc.button/reset)
    • /sys/class/leds/ (symlink to /sys/devices/gpio-leds/leds/)
  • with some testing, found out that some gpio pins are "busy", which might indicate they're mapped: 18, 22-28, 30
  • the drivers for wifi and the 4g modem were either not available or had no effect on enabling the device (might well be gpio related)

xopr 16:49, 30 April 2022 (CEST) roaming

I tested a roaming session (on a location with wonky coverage): it wasn't very effective; it did not seem to want to roam and the connection was flaky.

The router lasted 26:45h on a fully charged Xiaomi Mi Powerbank 3 (20Ah), which is nice.

  1. connection problems? reboot or toggle power:

echo 0 > /sys/class/gpio/3g-perst/value;sleep 5;echo 1 > /sys/class/gpio/3g-perst/value

cat /sys/kernel/debug/usb/devices

Some reference links:


uqmi --device=/dev/cdc-wdm0 --set-device-operating-mode online
uqmi --device=/dev/cdc-wdm0 --set-network-modes all
uqmi --device=/dev/cdc-wdm0 --set-network-roaming any
uqmi --device=/dev/cdc-wdm0 --get-data-status --get-signal-info --get-serving-system
Some actions with one or more results added:
  --get-versions:                   Get service versions
	"service_0": "1,5",
	"service_1": "1,67",
	"service_2": "1,0",
	"service_3": "1,25",
	"service_4": "1,12",
	"service_5": "1,10",
	"service_7": "1,3",
	"service_8": "1,2",
	"service_9": "2,1",
	"service_10": "2,24",
	"service_11": "1,46",
	"service_12": "1,4",
	"service_15": "1,0",
	"service_16": "2,0",
	"service_17": "1,0",
	"service_23": "1,0",
	"service_24": "1,0",
	"service_26": "1,16",
	"service_29": "1,1",
	"service_34": "1,0",
	"service_36": "1,0",
	"service_41": "1,0",
	"service_42": "1,0",
	"service_48": "1,0",
	"service_54": "1,0"

  --get-data-status:                Get current data access status
  "Incompatible state" (gsm)

  --get-pin-status:                 Get PIN verification status
  "Not supported"

  --get-iccid:                      Get the ICCID
  "Not supported"

  --get-imsi:                       Get International Mobile Subscriber ID
  "Not supported"

  --get-msisdn:                     Get the MSISDN (telephone number)
  "Not supported"

  --network-scan:                   Initiate network scan
(NOTE: slow)
	"network_info": [
	"radio_access_technology": [

  --network-register:               Initiate network register

  --get-signal-info:                Get signal strength info
	"type": "gsm",
	"signal": -90
	"type": "lte",
	"rssi": -81,
	"rsrq": -14,
	"rsrp": -112,
	"snr": 4

  --get-serving-system:             Get serving system info
(NOTE: the gibberish should state something like "Mobile NL" in this case)
	"registration": "registered",
	"plmn_mcc": 204,
	"plmn_mnc": 8,
	"plmn_description": "ͷ8�.��L",
	"roaming": false

  --list-messages:                  List SMS messages
  "Not supported"

  --get-message <id>:               Get SMS message at index <id>
  "Not supported"

  --wda-get-data-format:            Get data format


Trying list of devices
SIM ready
Waiting for Registration..(120 sec max)
Registered on Home network: "Mobile NL Mobile NL",7
Signal Quality: 17,99
#comgt -d /dev/ttyUSB2 -s /etc/gcom/getcarrier.gcom 
comgt -d /dev/ttyUSB3 -s /etc/gcom/getstrength.gcom 
comgt -d /dev/ttyUSB2 -s /etc/gcom/getimsi.gcom
MODE=gsm comgt -d /dev/ttyUSB2 -s /etc/gcom/setmode.gcom
#all, lte, umts, gsm, cdma, td-scdma
cmda,td-scdma: unsupported
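The registration check that comgt does with its 120-second wait, rebuilt around the uqmi --get-serving-system output shown above, as an added example (not code from the wiki page, from uqmi or from comgt): serving_field() pulls one key out of that output, sanitize_printable() replaces non-printable bytes such as the garbled plmn_description before the operator name reaches a log or a terminal, and wait_for_registration() polls until the modem reports "registered". SAMPLE_SERVING and fake_uqmi are constructed here from the page's output, with a control character planted in the description, so the loop runs without a modem.

```shell
# Added example (not from the wiki, uqmi or comgt): wait for network
# registration and log a sanitised summary, POSIX sh.

# Constructed from the page's --get-serving-system output; the ESC byte in the
# description stands in for the garbled plmn_description seen on the real modem.
SAMPLE_SERVING=$(printf '\t"registration": "registered",\n\t"plmn_mcc": 204,\n\t"plmn_mnc": 8,\n\t"plmn_description": "Mob\033ile NL",\n\t"roaming": false\n')

# Print the bare value of key $2 from uqmi output $1 (quotes and trailing comma stripped).
serving_field() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*"'"$2"'": *"\{0,1\}\([^",]*\)"\{0,1\},\{0,1\}$/\1/p' | head -n 1
}

# Replace every byte outside printable ASCII (plus whitespace) with '?', so a
# modem-supplied string cannot smuggle terminal control sequences into a log.
sanitize_printable() {
    printf '%s' "$1" | tr -c '[:print:][:space:]' '?'
}

# Run command $1 (default: the page's uqmi call) once a second for up to $2
# seconds until it reports "registered"; print a one-line summary and return 0,
# or return 1 on timeout.
wait_for_registration() {
    cmd=${1:-"uqmi --device=/dev/cdc-wdm0 --get-serving-system"}
    max=${2:-120}
    waited=0
    while [ "$waited" -lt "$max" ]; do
        out=$($cmd 2>/dev/null || true)
        if [ "$(serving_field "$out" registration)" = "registered" ]; then
            printf 'registered: MCC %s MNC %s "%s" roaming=%s\n' \
                "$(serving_field "$out" plmn_mcc)" \
                "$(serving_field "$out" plmn_mnc)" \
                "$(sanitize_printable "$(serving_field "$out" plmn_description)")" \
                "$(serving_field "$out" roaming)"
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    echo "modem not registered after ${max}s" >&2
    return 1
}

# Stand-in for uqmi so the loop can be exercised without a modem.
fake_uqmi() { printf '%s\n' "$SAMPLE_SERVING"; }

wait_for_registration fake_uqmi 5
```

On the router itself, drop the fake_uqmi line and call wait_for_registration with no arguments after the --set-device-operating-mode online step; a non-zero return is the cue to toggle 3g-perst as described under "connection problems".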


opkg update
opkg install socat
socat - /dev/ttyUSB2,crnl
+QCFG: "gprsattach",(0,1)
+QCFG: "nwscanmode",(0-8),(0,1)
+QCFG: "nwscanseq",(00-0102030405),(0,1)
+QCFG: "servicedomain",(0,1,2),(0,1)
+QCFG: "roamservice",(1,2,255),(0,1)
+QCFG: "band",(0-200),(0-7FFFFFFFFFFFFFFF),(0-7FFFFFFFFFFFFFFF),(0,1)
+QCFG: "rrc",(0-4)
+QCFG: "msc",(0-2)
+QCFG: "sgsn",(0-2)
+QCFG: "hsdpacat",(6,8,10-24)
+QCFG: "hsupacat",(5,6)
+QCFG: "pdp/duplicatechk",(0,1)
+QCFG: "tdscsq",(0,1)
+QCFG: "airplanecontrol",(0,1)
+QCFG: "ledmode",(0,1)
+QCFG: "ehrpd",(0,7)
+QCFG: "usbid",<vid>,<pid>
+QCFG: "usbee",<enable>
+QCFG: "usbnet",<0-3>
+QCFG: "usbcfg",<vid>,<pid>,<diag>,<nmea>,<at_port>,<modem>,<rmnet>,<adb>
+QCFG: "urc/ri/ring",("off","pulse","always","auto","wave"),(1-2000),(1-10000),(1-10000),("off","on"),(1-5)
+QCFG: "urc/ri/smsincoming",("off","pulse","always"),(1-2000),(1-5)
+QCFG: "urc/ri/other",("off","pulse"),(1-2000),(1-5)
+QCFG: "risignaltype",("respective","physical")
+QCFG: "urc/delay",(0,1)
+QCFG: "agps/string",(0,1)
+QCFG: "cdmaruim",(0,1)
+QCFG: "cmux/urcport",(0-4)
+QCFG: "ModemRstLevel",(0,1)
+QCFG: "ApRstLevel",(0,1)
+QCFG: "ltectcc/smsstorage"[,(0,1)]
+QCFG: "noauthcheck",(0,1)
+QCFG: "nwscanmodeex",(1-63)
+QCFG: "oostimer",<timer1>,<timer2>,<timer3>
+QCFG: "diversity",(0-1)
+QCFG: "ppp/termframe",(0,1)
+QCFG: "bootup",<name>,(0,1)
+QCFG: "nwoptmz/acq",(0,1),(60-16777200)
+QCFG: "ims",(0-2)
+QCFG: "pcmclk",(0,1)
+QCFG: "tone/incoming",(0,1)
+QCFG: "rssi",(0-20)
+QCFG: "cdmasms/cmtformat"[,(0,1)]
+QCFG: "ltesms/format"[,(0,1)]
+QCFG: "amrcodec",(0-255)
+QCFG: "apready",(0,1),(0,1),(100-3000)
+QCFG: "urc/cache",(0,1)
+QCFG: "thermal/modem"[,<level>,<trig>,<clr>]
+QCFG: "thermal/limit_rates"[,<enable>]
+QCFG: "lte/bandprior",(1-43),(1-43),(1-43)
+QCFG: "codec/powsave",(0,1)
+QCFG: "qmisync",(0,1)
+QCFG: "disrplmn",(0,1)
+QCFG: "vts/async",(0,1)
+QCFG: "urc/ri/pin",("uart_ri","uart_dcd")
+QCFG: "stkauto/setupmenutr",(0,1)
+QCFG: "iproute_enable",(0,1)
+QCFG: "imsreg/iptype",(0,1)
+QCFG: "multi_ip_package",<enable>,<package_max_len>,<package_max_count_in_queue>,<timeout>
+QCFG: "apn/blocked",(0,1),(0,1)
+QCFG: "pktsize"
+QCFG: "sim/onchip",(0,1)
+QCFG: "redir/3gtolte",(0,1)
+QCFG: "qcautoconnect",(0,1)


+QMBNCFG: "List",0,0,0,"Reliance_India_VoLTE",0x05800202,000000000
+QMBNCFG: "List",1,0,0,"TW_Mobile_China_VoLTE",0x05800301,000000000
+QMBNCFG: "List",2,0,0,"Bouygues_France_VoLTE",0x05800101,000000000
+QMBNCFG: "List",3,0,0,"VF_Germany_VoLTE",0x05010415,000000000
+QMBNCFG: "List",4,0,0,"Smartfren_Indonesia_VoLTE",0x05800601,000000000
+QMBNCFG: "List",5,0,0,"ROW_Generic_3GPP",0x05010814,201703231


+CGCONTRDP: 1,5,,666.666.666.666,,,

+CGDCONT: 1,"IPV4V6","","",0,0,0,0


+COPS: 0,0,"Mobile NL Mobile NL",7


AT+QENG="neighbourcell" t
+QENG: "neighbourcell intra","LTE",500,268,-14,-111,-76,0,14,7,10,8,58
+QENG: "neighbourcell intra","LTE",500,369,-20,-122,-90,0,3,7,10,8,58
+QENG: "neighbourcell inter","LTE",1300,-,-,-,-,-,14,0,12,5,-,-,-,-
+QENG: "neighbourcell inter","LTE",3150,-,-,-,-,-,3,0,16,6,-,-,-,-


AT commands

Also, from this list of AT commands is available: