There is also an mcafee option.
config mcafee 'config'
option enable '0'
option environment_code 'PROD'
There is also an mcafee option.
config mcafee 'config'
option enable '0'
option environment_code 'PROD'
I think these hidden sqlite databases might be useful, there's much less care about input sanitization inside custom binaries than in shell scripts.
Few weeks back I was able to bypass the GUI check for ping. It still does validation on backend.
There is a screen where it creates Network Objects. Those could be saved to one of the dbs listed above
Stoked to see you guys tearing this thing apart and having fun! I can't add much here, but just know someone is cheering from a distance
Here are the tables from .db:
UI_FsamIconUpdate | UI_parentalRule |
---|---|
UI_Port | UI_parentalText |
UI_PortRule | UI_pinholeRule |
UI_accessControl | UI_qsw |
UI_accessControl_networkObj | UI_routes6 |
UI_accessControl_portRule | UI_scheduleDate |
UI_analysis | UI_scheduleRule |
UI_blockDevice | UI_scheduleTime |
UI_forwardRule | UI_staticNAT |
UI_item | UI_staticNAT_forwardRule |
UI_networkObj | UI_triggerRule |
UI_parentalMAC | UI_triggerRule_port |
@meisterlone I'm experimenting with a jailbreak and would really like your help.
Can you try running util_backup_cli restore_from_file fa6ef1063557d8da3613680e7e0f6627e94b3df2.cfg
against this file? https://file.io/OUbONfOu5bNi
It fails on my router but I don't know why - hoping it'll print something useful to the console. It should enable SSH if it succeeded, but I'm targeting the latest fw version so some UCI configs might not play well with the older fw on your router.
Better to run a full backup in case something goes wrong, and remove /data/restore_uci
immediately after running the command.
Cant download, says file deleted
Ugh how do they take them down so quickly, here's an alternative link: https://pastebin.com/10dv4jfu
It's a base64 text file, just save the contents as .cfg.
EDIT: aaaand it's gone.
Use google drive, seems to be most reliable
I'd need to use my google account for that, don't really wanna do it. Can you try this one?
Seems to be up for now: https://transfer.sh/dymQau/fa6ef1063557d8da3613680e7e0f6627e94b3df2.cfg
this is b64 encoded, should i decode before running?
no decoding necessary - this is a legacy config format I found inside libmapi_backup
, it uses base64-encoded text
hmm im trying to think how i can get this file on the router without enabling sshd first =|
wget doesnt work
normally id enabled sshd to transfer the file over, but that would jeopardize the test.
I guess I could transfer the file to mmc then reboot and pull it from mmc to run util_backup_cli or a clean boot
There's curl
inside the firmware, you can use that.
And to clarify - it doesn't enable SSH immediately, it should put a new pending UCI config to /data/restore_uci
, which should be applied on the next reboot. This is why I asked you to delete /data/restore_uci
so that no changes are made to your router that's running an older version of the firmware.
Just use USB drive?
the network settings on this does not allow curl or wget to pull directly from the internet. Its being routed to some local socket somehow. Probably vswitch or a vpn or something. Anyhows, heres the output
root@CR1000A:~# util_backup_cli restore_from_file fa6ef1063557d8da3613680e7e0f66
27e94b3df2.cfg
EVP_DecryptFinal_ex() Error
aes-256-cbc.c-aes_256_cbc_decrypt() 103: AES Decryption Failed!
EVP_DecryptFinal_ex() Error
aes-256-cbc.c-aes_256_cbc_decrypt() 103: AES Decryption Failed!
sh: base64: not found
Input file size is invalid!
root@CR1000A:~# md5sum fa6ef1063557d8da3613680e7e0f6627e94b3df2.cfg
08ef96ec88f64ce5613812f5320345a3 fa6ef1063557d8da3613680e7e0f6627e94b3df2.cfg
root@CR1000A:/# find . -iname base64
root@CR1000A:/#