Modern 4G Modem Router With Oversimplified Security Protection

by cawan (cawan[at]ieee.org or chuiyewleong[at]hotmail.com)

http://cawanblog.blogspot.com/2015/04/understanding-mips16-to-mips32.html
on 05/09/2015
Somebody show a 4g modem router and looking for some challenges against its security
protection. After dismantled the unit, the uart port can be identified within a
minute and get ready to print the boot log, as shown below.
+Ethernet eth0: MAC address <hide>
IP: 192.168.0.8/255.255.255.0, Gateway: 192.168.0.1
Default server: 192.168.0.1
RedBoot(tm) bootstrap and debug environment [ROMRAM]
Non-certified release, version UNKNOWN - built 22:35:45, Mar

9 2010

Platform: <hide> system (ARM9)

Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.
Copyright (C) 2003, 2004, 2005, 2006 <hide>
RAM: 0x00000000-0x02ffc000, [0x00036e40-0x02ff0000] available
FLASH: 0x60000000 - 0x60e40000, 57 blocks of 0x00040000 bytes each.
RedBoot> cache on
RedBoot> fis read -b 0x80000 -f 0x60030000 -l 0x10000
RedBoot> eval 0x80000
[mfill -b 0x800701C8 -l 4 -4 -p 0x1]
RedBoot> fs mount -d /dev/flash1 -t jffs2 /flash
jffs2 cleanmark size=800
<4>Empty flash at 0x000641a4 ends at 0x00064800
<4>Empty flash at 0x005071a4 ends at 0x00507800
RedBoot> fs cd /flash
RedBoot> load -m file -b 0x600000 -r zImage
<5>JFFS2 notice: read_dnode: data CRC failed on node at %#08x: read %#08x, calculated %#08x
Raw file loaded 0x00600000-0x006d8ec7, assumed entry at 0x00600000
RedBoot> load -m file -b 0x1000000 -r initrd
<5>JFFS2 notice: read_dnode: data CRC failed on node at %#08x: read %#08x, calculated %#08x
Raw file loaded 0x01000000-0x014a3fff, assumed entry at 0x01000000
RedBoot> exec -z -b 0x600000
Decompressing Linux... done, booting the kernel.
Linux version 2.6.26.8-rt16 (<hide>) (gcc version 3.4.4) #1 PREEMPT Wed May 25 14:32:18 CST
2011
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
...
...
Well, it uses redboot. Let's try to stop the boot process with ctrl+c.
...
...
RAM: 0x00000000-0x02ffc000, [0x00036e40-0x02ff0000] available
FLASH: 0x60000000 - 0x60e40000, 57 blocks of 0x00040000 bytes each.
^C
RedBoot>
Nice, the prompt is ready now. Let's check what commands are available.
RedBoot> help
Manage machine caches
cache [ON | OFF]
Display/switch console channel
channel [-1|<channel number>]
Compute a 32bit checksum [POSIX algorithm] for a range of memory
cksum -b <location> -l <length>
Display (hex dump) a range of memory
dump -b <location> [-l <length>] [-s|-r|-d] [-1|2|4]
execute command on memory
eval -b <command address>
Execute an image - with MMU off
exec [-w timeout] [-b <load addr> [-l <length>]]
[-r <ramdisk addr> [-s <ramdisk length>]]
[-c "kernel command line"] [-t <target> ] [<entry_point>]
Manage FLASH images
fis {cmds}

Manage Filesystem files

fs {cmds}
Write flash indirectly via in-memory buffer
fwrite -b <memory_address> -f <flash_address> -l <length>
Execute code at a location
go [-w <timeout>] [-c] [-n] [entry]
Uncompress GZIP compressed data
gunzip -s <location> -d <location>
execute dynamic load command
gym ...|eval
Help about help?
help [<topic>]
Display command history
history
Set/change IP addresses
ip_address [-b] [-l <local_ip_address>[/<mask_len>]] [-h <server_address>]
Load a file
load [-r] [-v] [-d] [-h <host>] [-p <TCP port>][-m <varies>] [-c <channel_number>]
[-b <base_address>] <file_name>
Compare two blocks of memory
mcmp -s <location> -d <location> -l <length> [-1|-2|-4]
Copy memory from one address to another
mcopy -s <location> -d <location> -l <length> [-1|-2|-4]
Fill a block of memory with a pattern
mfill -b <location> [-l <length> -p <pattern>| -s <stream>] [-1|-2|-4]
Network connectivity test
ping [-v] [-n <count>] [-l <length>] [-t <timeout>] [-r <rate>]
[-i <IP_addr>] -h <IP_addr>
Reset the system
reset
reset_md
Display RedBoot version information
version
Display (hex dump) a range of memory
x -b <location> [-l <length>] [-s|-r|-d] [-1|2|4]
RedBoot>
As usual, the command "fs" is there. Let's check further what can be done with it.
RedBoot> help fs
Manage Filesystem files
fs {cmds}
change directory
fs cd [<directory>]
delete file
fs del <file>
delete directory
fs deldir <directory>
filesystem info
fs info
list directory contents
fs list [<directory>]
create directory
fs mkdir <directory>
Mount file system
fs mount [-d <device>] -t <fstype> [<mountpoint>]
move file
fs move <from> <to>
Unmount file system
fs umount <mountpoint>
write data to file
fs write -b <mem_base> -l <image_length> <file_name>
RedBoot>
Well, can mount a filesystem but cannot read file. Let's mount it first.
RedBoot> fs info
Filesystems available:
jffs2
Devices available:
/dev/flash1
RedBoot> fs mount -d /dev/flash1 -t jffs2
jffs2 cleanmark size=800
<4>Empty flash at 0x000641a4 ends at 0x00064800
<4>Empty flash at 0x0019753c ends at 0x00197800

<4>Empty flash at 0x001b8484 ends at 0x001b8800

<4>Empty flash at 0x005071a4 ends at 0x00507800
RedBoot>
The filesystem is mounted now, let's list the files.
RedBoot> fs list
1 drwxr-xr-x 1 size
0 .
1 drwxr-xr-x 1 size
0 ..
118280 -rw-r--r-- 1 size
12 TZ
7 drwxr-xr-x 1 size
0 db
20072 drwxr-xr-x 1 size
0 sf
27 drwxr-xr-x 1 size
0 tmp
21 -rwxr-xr-x 1 size
292 rcS
158 drwxr-xr-x 1 size
0 ppp
4 drwxr-xr-x 1 size
0 cron
3 drwxr-xr-x 1 size
0 conf
20075 drwxr-xr-x 1 size
0 voip
20 drwxr-xr-x 1 size
0 rc.d
11 -rwxr-xr-x 1 size
10 group
10 -rwxr-xr-x 1 size
29 fstab
39706 -rw-r--r-- 1 size
33 md_ok
26 drwxr-xr-x 1 size
0 sncfg
65556 -rw-r--r-- 1 size 4866048 initrd
12 drwxr-xr-x 1 size
0 init.d
25 -rwxr-xr-x 1 size
59 shadow
17 -rwxr-xr-x 1 size
29 passwd
65555 -rw-r--r-- 1 size 888520 zImage
22 -rwxr-xr-x 1 size
621 rcS-common
39707 -rw-r--r-- 1 size
33 rescue_ok
20036 -rw-rw-rw- 1 size
436 hostnds_if0
9 drwxr-xr-x 1 size
0 dropbear
16 -rwxr-xr-x 1 size
1815 mini_httpd.pem
5 -rwxr-xr-x 1 size
1289 cwmp_cacert.pem
24 -rw-r--r-- 1 size
542 services
449 -rw-r--r-- 1 size
224 default.cfg
14 -rwxr-xr-x 1 size
125 inittab
347 -rwxr-xr-x 1 size
7712 termcap
65577 -rwxr-xr-x 1 size
12 tlv.emc
18 -rwxr-xr-x 1 size
117 priority
19 -rwxr-xr-x 1 size
0 profile
657 drwx------ 1 size
0 net-snmp
6 -rwxr-xr-x 1 size
3363 cwmp_client.pem
597 -rw-r--r-- 1 size
69 resolv.conf
23 -rwxr-xr-x 1 size
1126 rcS-common-post
15 drwxr-xr-x 1 size
0 iproute2
RedBoot>
Terrible, yes, it is. How to read file ? Simple, let's read passwd.
RedBoot> load -m file -b 600000 -r passwd
Raw file loaded 0x000927c0-0x000927dc, assumed entry at 0x000927c0
RedBoot> x -b 600000 -l 29 -r
726F6F743A783A303A303A2C2C2C3A2F726F6F743A2F62696E2F73680A
RedBoot>
cawan$ cat data.hex
726F6F743A783A303A303A2C2C2C3A2F726F6F743A2F62696E2F73680A
cawan$
cawan$ cat hex2raw.py
import binascii
fin=open("data.hex","rb")
fout=open("data.raw","wb")
d_hex=fin.read(2)
while d_hex != "":
d_bin=binascii.unhexlify(d_hex)
fout.write(d_bin)
d_hex=fin.read(2)
cawan$
cawan$ python hex2raw.py
Traceback (most recent call last):
File "hex2raw.py", line 7, in <module>
d_bin=binascii.unhexlify(d_hex)
TypeError: Odd-length string
cawan$
cawan$ cat data.raw

root:x:0:0:,,,:/root:/bin/sh
cawan$
Hell, no fun at all, just a shame. I start to appreciate aruba's rap.