Modern 4G Modem Router With Oversimplified Security Protection
by cawan (cawan[at]ieee.org or chuiyewleong[at]hotmail.com)
http://cawanblog.blogspot.com/2015/04/understanding-mips16-to-mips32.html on 05/09/2015

Somebody showed me a 4G modem router and was looking for a challenge against its security protection. After dismantling the unit, the UART port could be identified within a minute, and it was ready to print the boot log, as shown below.

+Ethernet eth0: MAC address <hide>
IP: 192.168.0.8/255.255.255.0, Gateway: 192.168.0.1
Default server: 192.168.0.1

RedBoot(tm) bootstrap and debug environment [ROMRAM]
Non-certified release, version UNKNOWN - built 22:35:45, Mar  9 2010

Platform: <hide> system (ARM9)
Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.
Copyright (C) 2003, 2004, 2005, 2006 <hide>

RAM: 0x00000000-0x02ffc000, [0x00036e40-0x02ff0000] available
FLASH: 0x60000000 - 0x60e40000, 57 blocks of 0x00040000 bytes each.
RedBoot> cache on
RedBoot> fis read -b 0x80000 -f 0x60030000 -l 0x10000
RedBoot> eval 0x80000
[mfill -b 0x800701C8 -l 4 -4 -p 0x1]
RedBoot> fs mount -d /dev/flash1 -t jffs2 /flash
jffs2 cleanmark size=800
<4>Empty flash at 0x000641a4 ends at 0x00064800
<4>Empty flash at 0x005071a4 ends at 0x00507800
RedBoot> fs cd /flash
RedBoot> load -m file -b 0x600000 -r zImage
<5>JFFS2 notice: read_dnode: data CRC failed on node at %#08x: read %#08x, calculated %#08x
Raw file loaded 0x00600000-0x006d8ec7, assumed entry at 0x00600000
RedBoot> load -m file -b 0x1000000 -r initrd
<5>JFFS2 notice: read_dnode: data CRC failed on node at %#08x: read %#08x, calculated %#08x
Raw file loaded 0x01000000-0x014a3fff, assumed entry at 0x01000000
RedBoot> exec -z -b 0x600000
Decompressing Linux... done, booting the kernel.
Linux version 2.6.26.8-rt16 (<hide>) (gcc version 3.4.4) #1 PREEMPT Wed May 25 14:32:18 CST 2011
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
...
...

So it uses RedBoot, and the boot script (read from flash with "fis read" and run with "eval") loads the kernel and initrd straight out of a JFFS2 partition. Let's try to stop the boot process with Ctrl+C.

...
...
RAM: 0x00000000-0x02ffc000, [0x00036e40-0x02ff0000] available
FLASH: 0x60000000 - 0x60e40000, 57 blocks of 0x00040000 bytes each.
^C
RedBoot>

Nice, the prompt is ready now, and no password was asked for. Let's check what commands are available.
RedBoot> help
Manage machine caches
   cache [ON | OFF]
Display/switch console channel
   channel [-1|<channel number>]
Compute a 32bit checksum [POSIX algorithm] for a range of memory
   cksum -b <location> -l <length>
Display (hex dump) a range of memory
   dump -b <location> [-l <length>] [-s|-r|-d] [-1|2|4]
execute command on memory
   eval -b <command address>
Execute an image - with MMU off
   exec [-w timeout] [-b <load addr> [-l <length>]] [-r <ramdisk addr> [-s <ramdisk length>]] [-c "kernel command line"] [-t <target> ] [<entry_point>]
Manage FLASH images
   fis {cmds}
Manage Filesystem files
   fs {cmds}
Write flash indirectly via in-memory buffer
   fwrite -b <memory_address> -f <flash_address> -l <length>
Execute code at a location
   go [-w <timeout>] [-c] [-n] [entry]
Uncompress GZIP compressed data
   gunzip -s <location> -d <location>
execute dynamic load command
   gym ...|eval
Help about help?
   help [<topic>]
Display command history
   history
Set/change IP addresses
   ip_address [-b] [-l <local_ip_address>[/<mask_len>]] [-h <server_address>]
Load a file
   load [-r] [-v] [-d] [-h <host>] [-p <TCP port>][-m <varies>] [-c <channel_number>] [-b <base_address>] <file_name>
Compare two blocks of memory
   mcmp -s <location> -d <location> -l <length> [-1|-2|-4]
Copy memory from one address to another
   mcopy -s <location> -d <location> -l <length> [-1|-2|-4]
Fill a block of memory with a pattern
   mfill -b <location> [-l <length> -p <pattern>| -s <stream>] [-1|-2|-4]
Network connectivity test
   ping [-v] [-n <count>] [-l <length>] [-t <timeout>] [-r <rate>] [-i <IP_addr>] -h <IP_addr>
Reset the system
   reset
   reset_md
Display RedBoot version information
   version
Display (hex dump) a range of memory
   x -b <location> [-l <length>] [-s|-r|-d] [-1|2|4]
RedBoot>

This is the full, unrestricted RedBoot command set: "dump"/"x" read any memory, "mfill" and "load" write it, "fwrite" writes flash, and "exec"/"go" run whatever has been loaded. Anyone with a few minutes of physical access and a serial cable therefore has complete control of the device. As usual, the command "fs" is there. Let's check further what can be done with it.

RedBoot> help fs
Manage Filesystem files
   fs {cmds}
change directory
   fs cd [<directory>]
delete file
   fs del <file>
delete directory
   fs deldir <directory>
filesystem info
   fs info
list directory contents
   fs list [<directory>]
create directory
   fs mkdir <directory>
Mount file system
   fs mount [-d <device>] -t <fstype> [<mountpoint>]
move file
   fs move <from> <to>
Unmount file system
   fs umount <mountpoint>
write data to file
   fs write -b <mem_base> -l <image_length> <file_name>
RedBoot>

So a filesystem can be mounted, listed and written to, but "fs" has no subcommand to read a file back (the boot script above pulls zImage and initrd into RAM with "load -m file" instead). Let's mount it first.
RedBoot> fs info
Filesystems available: jffs2
Devices available: /dev/flash1
RedBoot> fs mount -d /dev/flash1 -t jffs2
jffs2 cleanmark size=800
<4>Empty flash at 0x000641a4 ends at 0x00064800
<4>Empty flash at 0x0019753c ends at 0x00197800
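The "Empty flash" and "read_dnode: data CRC failed" lines in the logs above come from the JFFS2 code walking the partition node by node and checking each node's checksums. The following is an added example, written for this write-up and not taken from the original post, RedBoot or the Linux kernel: it builds a small little-endian JFFS2 image (a cleanmarker, two directory entries and two uncompressed inode nodes, one with deliberately corrupted data), then walks it and verifies the header, node and data CRCs the same way the kernel does. The file names and contents are constructed, only JFFS2_COMPR_NONE data nodes are handled, and the layout assumes the little-endian node format an ARM build of JFFS2 writes.

```python
"""Walk a raw little-endian JFFS2 image, check node CRCs like the kernel, extract files.
Constructed example image; only uncompressed (JFFS2_COMPR_NONE) inode nodes are handled."""
import struct
import zlib

JFFS2_MAGIC = 0x1985
NODETYPE_DIRENT = 0xE001        # directory entry: name -> inode number
NODETYPE_INODE = 0xE002         # inode: metadata plus (a fragment of) file data
NODETYPE_CLEANMARKER = 0x2003   # marks an erase block that was wiped cleanly
COMPR_NONE = 0x00


def jffs2_crc(data: bytes) -> int:
    # JFFS2 uses the kernel's crc32(0, ...): seed 0 and no final inversion,
    # which is NOT the value zlib.crc32()/binascii.crc32() give by default.
    return (zlib.crc32(data, 0xFFFFFFFF) ^ 0xFFFFFFFF) & 0xFFFFFFFF


def _pad(node: bytes) -> bytes:
    # nodes start on 4-byte boundaries; the gap stays erased flash (0xFF)
    return node + b"\xff" * (-len(node) % 4)


def build_cleanmarker() -> bytes:
    hdr = struct.pack("<HHI", JFFS2_MAGIC, NODETYPE_CLEANMARKER, 12)
    return hdr + struct.pack("<I", jffs2_crc(hdr))          # hdr_crc covers the first 8 bytes


def build_dirent(pino: int, ino: int, version: int, name: bytes) -> bytes:
    hdr = struct.pack("<HHI", JFFS2_MAGIC, NODETYPE_DIRENT, 40 + len(name))
    hdr += struct.pack("<I", jffs2_crc(hdr))
    # pino, version, ino, mctime, nsize, type (8 = DT_REG), unused
    body = struct.pack("<IIIIBBH", pino, version, ino, 0, len(name), 8, 0)
    node_crc = jffs2_crc(hdr + body)                        # crc32(0, rd, sizeof(*rd) - 8)
    return _pad(hdr + body + struct.pack("<II", node_crc, jffs2_crc(name)) + name)


def build_inode(ino: int, version: int, data: bytes, corrupt: bool = False) -> bytes:
    hdr = struct.pack("<HHI", JFFS2_MAGIC, NODETYPE_INODE, 68 + len(data))
    hdr += struct.pack("<I", jffs2_crc(hdr))
    # ino, version, mode, uid, gid, isize, atime, mtime, ctime, offset, csize, dsize, compr, usercompr, flags
    body = struct.pack("<IIIHHIIIIIIIBBH", ino, version, 0o100644, 0, 0, len(data),
                       0, 0, 0, 0, len(data), len(data), COMPR_NONE, COMPR_NONE, 0)
    node_crc = jffs2_crc(hdr + body)                        # crc32(0, ri, sizeof(*ri) - 8), excludes data_crc
    data_crc = jffs2_crc(data)
    if corrupt:                                             # simulate a bit flip that happened after the write
        data = data[:-1] + bytes([data[-1] ^ 0x80])
    return _pad(hdr + body + struct.pack("<II", data_crc, node_crc) + data)


def walk(image: bytes):
    """Yield (offset, nodetype, node_bytes) per node; stop at the first erased (0xFF) region."""
    off = 0
    while off + 12 <= len(image):
        magic, ntype, totlen = struct.unpack_from("<HHI", image, off)
        if magic == 0xFFFF:                                 # what RedBoot reports as "Empty flash at ..."
            return
        hdr_crc, = struct.unpack_from("<I", image, off + 8)
        if magic != JFFS2_MAGIC or hdr_crc != jffs2_crc(image[off:off + 8]):
            raise ValueError("bad node header at 0x%08x" % off)
        yield off, ntype, image[off:off + totlen]
        off += (totlen + 3) & ~3


def extract(image: bytes) -> dict:
    """Return {name: (data, data_crc_ok)} for regular files; the highest node version wins."""
    names, contents = {}, {}
    for off, ntype, node in walk(image):
        if ntype == NODETYPE_DIRENT:
            _pino, _version, ino, _mctime, nsize = struct.unpack_from("<IIIIB", node, 12)
            names[ino] = node[40:40 + nsize]
        elif ntype == NODETYPE_INODE:
            ino, version = struct.unpack_from("<II", node, 12)
            csize, _dsize, compr = struct.unpack_from("<IIB", node, 48)
            data_crc, = struct.unpack_from("<I", node, 60)
            if compr != COMPR_NONE:
                raise NotImplementedError("compressed node at 0x%08x" % off)
            data = node[68:68 + csize]
            ok = jffs2_crc(data) == data_crc                # kernel prints "read_dnode: data CRC failed" if not
            if ino not in contents or version > contents[ino][0]:
                contents[ino] = (version, data, ok)
    return {names[i].decode(): (d, ok) for i, (_v, d, ok) in contents.items() if i in names}


# constructed image: root is inode 1; banner.txt is intact, config.bin has a corrupted data node
IMAGE = (build_cleanmarker()
         + build_dirent(1, 2, 1, b"banner.txt") + build_inode(2, 1, b"RedBoot(tm) bootstrap\n")
         + build_dirent(1, 3, 1, b"config.bin") + build_inode(3, 1, b"\x00\x01\x02\x03", corrupt=True)
         + b"\xff" * 64)

if __name__ == "__main__":
    for name, (data, ok) in extract(IMAGE).items():
        print("%-12s %4d bytes  data CRC %s" % (name, len(data), "ok" if ok else "FAILED"))
```

On a real dump from this device the same walk would run over the raw bytes of /dev/flash1 read out with "dump" or "x" over the serial line (or via the fis region given to "fis read"), with the zlib and rtime decompressors added for the inode nodes that are not stored flat. Note that the kernel still returns data from a node whose data CRC fails, which is why the boot above continued and loaded zImage despite the notice; a CRC is an integrity check against wear and power loss, not an authenticity check, and nothing in this boot chain verifies a signature.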