We're in :) and the first thing to do is to rename the wifi to "Bordnetz" (German for "vehicle electrical system", but Netz = network and "Bord" as in "on-board"; I just like this kind of joke):
cmd> version
mac: 000ec6003b1b
ver: 1.02.23
id : 14041601
Ok
cmd> help
Usage: quit
Usage: version
Usage: setdef
Usage: saveconfig
Usage: reboot
Usage: setssid <Maximum 31 characters>
Usage: setnt <0 = sta, 1 = adhoc, 2 = ap>
Usage: setet <Encryption Type>
       <Encryption Type> 0: No Security   4: WPA2-AES
                         1: WEP-WEP64     5: WPA1-TKIP
                         2: WEP-WEP128    6: WPA1-AES
                         3: WPA2-TKIP     7: AUTO
Usage: setwp <WPA Passphrase, 8 ~ 63 characters>
Usage: setch <channel index>
       <channel index> 0: Auto 1: 1 2: 2 3: 3 4: 4 5: 5 6: 6 7: 7 8: 8 9: 9 10: 10 11: 11
Usage: wificonfig
Usage: setwifi <status>
       <status>: 0: disable wifi 1: enable wifi
Usage: serialport <baud rate> <data bits> <parity> <stop bits> <flow ctrl>
       <baud rate>: 0: 115200   5: 4800
                    1: 57600    6: 2400
                    2: 38400    7: 1200
                    3: 19200    8: 300
                    4: 9600     9: 110
       <data bits>: 0: 5 1: 6 2: 7 3: 8
       <parity>: 0: Odd 1: Even 2: None
       <stop bits>: 0: 1 1: 1.5 2: 2
       <flow ctrl>: 0: Xon/Xoff 1: Hardware 2: None
Usage: ipconfig
Usage: setip <ip addr>
Usage: setmask <netmask>
Usage: setgateway <ip addr>
Usage: setdns <ip addr>
Usage: setmode <mode>
       <mode>: 0: SERVER 1: CLIENT
Usage: connectype <type>
       <type>: 0: TCP 1: UDP
       <type>: 10: TCP Srv + Tcp Cli
Usage: setsrvport <port>
Usage: setdstport <port>
Usage: setdsthn <Host name/IP>
Usage: connstatus
Usage: setdhcpcli <status>
       <status>: 0: disable 1: enable
Usage: setdhcpsrv <status>
       <status>: 0: disable 1: enable
Usage: dhcpsrv <start addr> <end addr> <netmask> <gateway> <lease>
Usage: show counter
Usage: transmitsize <size>
       <size>: size in byte (0~4096), default 1024
Usage: transmittime <time>
       <time>: time in ms (0~1000), default 50
Usage: smartconfig
Usage: setat <flag>
       <flag> =1, at cmd enabled, =0, at cmd disabled
Usage: setxap <flag>
       <flag> =1, XAP is enabled, =0, XAP is disabled
Usage: setio <pin> <dir> <value>
       <dir>: 0 = input, 1 = output
       setio 1 0 :set p1 dir to input
       setio 1 1 :set p1 dir to output
       setio 1 1 0 :set p1 output to low
Usage: getio <pin>
       getio 1 :get p1 status
Usage: appsrv <flag>
       <flag> =1, appsrv enabled, =0, appsrv disabled
Usage: demoplug <flag>
       <flag> =1, enable plug demo, =0, disable plug demo
Ok
cmd> getio 0
invalid pin
Error
cmd> getio 1
Error
cmd> getio 2
pin=2, value=1, tick=0
Ok
cmd> getio 3
Error
cmd> getio 4
invalid pin
Error
cmd> getio 5
invalid pin
Error
cmd> gerio 6
Unknown command gerio
cmd> getio 6
invalid pin
Error
cmd> connstatus
Wifi Status : Disconnected.
Socket Status: Disconnected.
Ok
cmd> ipconfig
Static Ip:
Current IP : 192.168.0.10
Current IP Mask: 255.255.255.0
Current Gateway: 192.168.0.10
Ok
cmd> show counter
Uart Rx = 248
Uart Tx = 6215
Socket Rx = 0
Socket Tx = 0
Ok
cmd> demoplug
plug demo is disabled.
Ok
cmd> appsrv
appsrv is disabled.
Ok
cmd> ssid
Unknown command ssid
cmd> reboot
device will reboot...
Ok
cmd>
cmd> quit
cmd>
cmd> wificonfig
SSID : WiFi_OBDII
Network Type: AP(2)
Encrypt Type: None(0)
PassPhrase : 12345678
Ap's channel: 1
Dhcp Client : enable
Ok
cmd> ipconfig
Static Ip:
Current IP : 192.168.0.10
Current IP Mask: 255.255.255.0
Current Gateway: 192.168.0.10
Ok
cmd>
cmd>
cmd> set setssid Bordnetz
Ok
cmd>
cmd> wificonfig
SSID : Bordnetz
Network Type: AP(2)
Encrypt Type: None(0)
PassPhrase : 12345678
Ap's channel: 1
Dhcp Client : enable
Ok
cmd> saveconfig
Saving Configuration to FLASH
Ok
cmd> reboot
device will reboot...
Ok
cmd>
cmd> setwifi 1
Ok
cmd> ipconfig
Static Ip:
Current IP : 192.168.0.10
Current IP Mask: 255.255.255.0
Current Gateway: 192.168.0.10
Ok
cmd>
cmd>
cmd> ipconfig
Static Ip:
Current IP : 192.168.0.10
Current IP Mask: 255.255.255.0
Current Gateway: 192.168.0.10
Ok
cmd> wlanconfig
Unknown command wlanconfig
cmd> wificonfig
SSID : Bordnetz
Network Type: AP(2)
Encrypt Type: None(0)
PassPhrase : 12345678
Ap's channel: 1
Dhcp Client : enable
Ok
cmd> quit
Let's have a look at these...
cmd> demoplug
plug demo is disabled.
Ok
cmd> appsrv
appsrv is disabled.
Ok
Rabbit hole 1:
Enabling appsrv opens UDP port 8001, and the "connstatus" command now shows "AppSrv Staus: Offline."
The device now sends UDP packets to IP 114.215.182.213 (owned by Aliyun Computing Co., LTD) at a ~500 ms interval, from and to port 8001, with the payload:
0x [11 00] [00 0e c6 00 3b 1b]
backdoor?
The last six bytes are the MAC address of the device (00 0e c6 00 3b 1b). 0x1100 (dec. 4352) must be a header meaning something like "hey there AppSrv!". This IP responds to PING requests! yay!
Btw., if you increase or decrease the IP address, you see that this IP range is used by all sorts of services (just use HTTP to check), ranging from "hello world" to strange Chinese images.
A quick port scan reveals: http://114.215.182.213:8000/ ha!
The error messages reveal that the code is from the following book: PHP for the Web: Visual QuickStart Guide (link to the PDF removed, as the ebook seems to be payware/copyrighted),
and the login data is the same as in the example! yay!
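As an added example (not from the original log): a defender-side parser for this 8-byte beacon and a check that flags the periodic phone-home in captured UDP traffic. The header, MAC and ~500 ms interval are taken from the values above; the packet tuples themselves are constructed.

```python
import struct

# Values from the log above: 2-byte header 0x1100, then the device MAC,
# sent to UDP port 8001 about every 500 ms.
APPSRV_HEADER = 0x1100
APPSRV_PORT = 8001

def parse_appsrv_beacon(payload):
    """Parse an 8-byte AppSrv announcement (header + 6-byte MAC); return the MAC
    as a colon string, or None if the datagram does not have that shape."""
    if len(payload) != 8:
        return None
    (header,) = struct.unpack(">H", payload[:2])
    if header != APPSRV_HEADER:
        return None
    return ":".join(f"{b:02x}" for b in payload[2:])

def find_beaconing(packets, min_count=4, max_jitter_ms=100):
    """packets: (ts_ms, src_ip, dst_ip, dst_port, payload) tuples in time order.
    Groups AppSrv datagrams by (src, dst, mac) and reports each flow whose
    inter-arrival times are stable, i.e. a periodic phone-home, not a one-off."""
    by_flow = {}
    for ts, src, dst, dport, payload in packets:
        if dport != APPSRV_PORT:
            continue
        mac = parse_appsrv_beacon(payload)
        if mac is not None:
            by_flow.setdefault((src, dst, mac), []).append(ts)
    findings = []
    for (src, dst, mac), times in by_flow.items():
        if len(times) < min_count:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if max(abs(g - mean) for g in gaps) <= max_jitter_ms:
            findings.append({"device_mac": mac, "src": src, "dst": dst,
                             "interval_ms": round(mean), "count": len(times)})
    return findings

# Constructed capture: five beacons roughly 500 ms apart plus one unrelated
# DNS query on another port that must be ignored.
MAC = bytes.fromhex("000ec6003b1b")
SAMPLE_PACKETS = sorted(
    [(t, "192.168.0.10", "114.215.182.213", APPSRV_PORT,
      struct.pack(">H", APPSRV_HEADER) + MAC) for t in (0, 502, 998, 1501, 2003)]
    + [(1200, "192.168.0.10", "192.168.0.1", 53, b"\x12\x34\x01\x00")]
)
```

Running find_beaconing(SAMPLE_PACKETS) yields one finding for the device MAC towards 114.215.182.213 with an interval of about 500 ms.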
if ((strtolower($_POST['email']) == 'me@example.com') && ($_POST['password'] == 'testpass')) { // Correct!
    // ...
}
The page now forwards to http://appsrv.xlwtech.com/login.php, which does not exist (anymore), but http://www.xlwtech.com/ exists, bingo!
Seang Well Company Limited.
http://www.xlwtech.com/shownew.aspx?id=103 AppServer! The wifi module is an "XLW-210D module". Detailed info on the config interface here: http://www.xlwtech.com/upload/2012/8/20120827153114994.pdf
http://www.xlwtech.com/en/showwifi.aspx?id=33
That is a deep rabbit hole!
Rabbit hole 2:
If demoplug is enabled, the device floods ARP requests for 192.168.0.10, which is set as the gateway in its config. As it does not answer this request for itself, it keeps flooding... Unfortunately, the "setgateway" command reports "OK" but does not change anything... But the setip command works: the device is now 192.168.0.9. This means we can re-configure ourselves to be 192.168.0.10 and bingo, it will throw even more data towards us.
The ability to set device parameters over UART is great! This enables "failsafe" network configuration without lock-out/bricking (hopefully...). It is awesome what can be found on such a tiny, tiny circuit board.
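An added example (not from the log): a check that parses the module's ipconfig output and explains why a gateway equal to the device's own address can never be resolved, plus a sliding-window detector for the resulting ARP storm. The ipconfig text is the one quoted above; the ARP trace is constructed.

```python
import ipaddress
import re
from collections import deque

# Constructed from the ipconfig output quoted in the log above.
IPCONFIG_OUTPUT = """Static Ip:
Current IP : 192.168.0.10
Current IP Mask: 255.255.255.0
Current Gateway: 192.168.0.10
Ok"""

_FIELD = re.compile(r"^Current (IP|IP Mask|Gateway)\s*:\s*(\S+)", re.M)

def parse_ipconfig(text):
    """Map the module's ipconfig dump to {'ip', 'mask', 'gateway'}."""
    names = {"IP": "ip", "IP Mask": "mask", "Gateway": "gateway"}
    return {names[k]: v for k, v in _FIELD.findall(text)}

def check_gateway(cfg):
    """List reasons why this gateway setting cannot work. The first case is the
    one from the log: the device ARPs for an address only it holds, forever."""
    ip = ipaddress.ip_address(cfg["ip"])
    gw = ipaddress.ip_address(cfg["gateway"])
    net = ipaddress.ip_interface(f"{cfg['ip']}/{cfg['mask']}").network
    findings = []
    if gw == ip:
        findings.append("gateway equals the device's own IP; its ARP requests can never be answered")
    if gw not in net:
        findings.append(f"gateway {gw} is outside the local subnet {net}")
    elif gw in (net.network_address, net.broadcast_address):
        findings.append("gateway is the network or broadcast address")
    return findings

def arp_storm_sources(arp_requests, window_ms=1000, threshold=20):
    """arp_requests: (ts_ms, sender_mac, target_ip) who-has frames, time-ordered per
    sender. Returns {(mac, target): peak_count} for pairs above `threshold`/window."""
    recent, peaks = {}, {}
    for ts, mac, target in arp_requests:
        q = recent.setdefault((mac, target), deque())
        q.append(ts)
        while ts - q[0] > window_ms:
            q.popleft()
        if len(q) > threshold:
            peaks[(mac, target)] = max(peaks.get((mac, target), 0), len(q))
    return peaks

# Constructed trace: the module asking for its "gateway" every 20 ms for 2 s, plus one host asking once.
SAMPLE_ARP = [(t, "00:0e:c6:00:3b:1b", "192.168.0.10") for t in range(0, 2000, 20)]
SAMPLE_ARP.append((300, "aa:bb:cc:dd:ee:ff", "192.168.0.1"))
```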