Adding Support for Verizon CR1000A

For Developers
1265

@hurrian I’ve had a chance to compare the 2 firmware versions a little more now. The line
cp $DEFAULT_UCI/ $ETC_CONFIG/* isn’t actually the issue. This just copies the default_uci from /tmp/uci_default. The next line cp -rf $RESTORE_UCI/ $ETC_CONFIG/* would still overwrite any files from the default_uci uploaded with the configuration.

The real issue is restore_config.sh which isn’t in the 3.2.0.9 firmware.

#!/bin/sh

tmp_restore=/tmp/restore_config
tmp_restore_etc_config=/tmp/restore_config/etc/config
tmp_restore_default_config=/tmp/restore_config/default_config

package_list=`cat /etc/package_list`
mkdir -p $tmp_restore_etc_config
for package in $package_list
do
	if [ -f /tmp/config/uci/$package ]; then
		cp -f /tmp/config/uci/$package $tmp_restore_etc_config
	fi
done
cp -rf /tmp/uci_default $tmp_restore_default_config

if [ -d $tmp_restore_default_config -a -d $tmp_restore_etc_config ]; then
	ucihlp -u $tmp_restore_default_config restore $tmp_restore /etc/allow.list
	for package in $package_list
	do
		if [ -f $tmp_restore_default_config/$package ]; then
			cp -f $tmp_restore_default_config/$package /data/restore_uci
		fi
	done
	rm -rf $tmp_restore
else
	rm -rf $tmp_restore
	exit 1
fi

Now it checks with package_list and allow.list before copying any files. I couldn’t find package_list, but allow.list is in the extracted 3.2.0.11 firmware I posted.

I also had a chance to look at rolling back the firmware. That is controlled by authentication.sh

#/bin/sh

AUTH_DIR="/tmp/.auth”
CRSP_SIGN="$AUTH_DIR/sign”
CRSP_IMAGE="$AUTH_DIR/image”
PROD_PUB_KEY="/etc/key/whole_img_prod_pub.pem”
DEV_PUB_KEY="/etc/key/whole_img_dev_pub.pem”

img_authentication() {
    signed_image=$1
    token=$(uci get sshd.config.usb_token_path)
    interim_fw=1

    rm -fr $AUTH_DIR
    echo 3 /proc/sys/vm/drop_caches
    mkdir -p $AUTH_DIR
    echo "signed_image $signed_image”
    echo "CRSP_SIGN $CRSP_SIGN”
    echo "CRSP_IMAGE $CRSP_IMAGE”
    dd if=$signed_image of=$CRSP_SIGN bs=256 count=1
    dd if=$signed_image of=$CRSP_IMAGE bs=256 skip=1

    # Check prod signature on 1st 256 bytes
    openssl dgst -sha256 -verify $PROD_PUB_KEY -sigopt rsa_padding_mode:pss -signature $CRSP_SIGN $CRSP_IMAGE
    if [ $? == 0 ]; then
        echo "Image authentication (prod) successfully”
        mv $CRSP_IMAGE $signed_image # Flash the unsigned image, replace source file!
        rm -fr $AUTH_DIR
        echo 3 /proc/sys/vm/drop_caches
        return 1
    elif [[ "$token" != "empty" ]] && [[ "$interim_fw" != "1" ]]; then
        echo "Image authentication failed!”
        return 0
    fi

    # Check dev signature on 1st 256 bytes
    openssl dgst -sha256 -verify $DEV_PUB_KEY -sigopt rsa_padding_mode:pss -signature $CRSP_SIGN $CRSP_IMAGE
    if [ $? == 0 ]; then
        echo "Image authentication (dev) successfully on signature”
        mv $CRSP_IMAGE $signed_image # Flash the unsigned image, replace source file!
        rm -fr $AUTH_DIR
        echo 3 /proc/sys/vm/drop_caches
        return 1
    else
        echo "Image authentication failed!”
    fi

#    rm -fr $AUTH_DIR
    echo 3 /proc/sys/vm/drop_caches
    return 0
}

Here we extract the first 256 bytes of the firmware, and then take the sha256 hash of the rest of the image. The first 256 bytes is decrypted with the “whole_img” key and compared against the hash, if they’re a match the image authenticates and will be installed. I ran the commands myself, and the firmware successfully validate using the dev key. The issue is that they changed the keys in 3.2.0.11, but signed it with the keys for 3.2.0.9. So when you update to 3.2.0.11 you will get the new keys, which work to decrypt all firmware versions after that. However, trying to roll back to 3.2.0.9 no longer works since the signature is now decrypted with the wrong key.

Since we have the firmware, we could replace those first 256 bytes in the signature with the correct SHA256 digest (8ff3dcf02dadd48ea879848e14961aec59be24fc6c79581afbd8ad0f9ffb62a0) if we had the private key. Unfortunately we don’t, and likely never will. We could correctly guess the 256 byte signature, but there are 512^16 possibilities, which AI tells me is way more than the number of atoms in the known universe :laughing:

1266

Worth noting, image authentication is somehow not done when upgrading/downgrading firmware thru TR069. Seems to only run when upgrading firmware using the web UI or USB key (assuming one had somehow obtained the USB token)

That said, TR069 configuration can only be done thru their VPN since they remembered to protect the config this time around (compared to G3100)

1 Like
1267

Mine has firmware 3.2.0.8 which also does not give me a default_uci folder. Mind posting that one again? Thanks!

1268

@ahai311 congrats on having a vulnerable unit!

here is a download link for the etc/config/ folder from 3.2.0.9.

Per @spol-eff method you should make a copy of this in your extracted config file, and name it “default_uci”. (Adding Support for Verizon CR1000A - #238 by spol-eff)

Then add the script to enable SSH and include it in the cron file. Encrypt the config file, and upload it to enable SSH (Adding Support for Verizon CR1000A - #262 by spol-eff)

1269

Thanks for your reply, clicking on the link shows a download error. Unable to download.

1270

@ahai311
https://limewire.com/d/RfgNZ#82W6hTAHop

It looks like the link got broke because of the # in the link.

in case it doesn’t work:
https://limewire.com/d/RfgNZ#82W6hTAHop

1 Like
1271

Thank you for downloading. I'll give it a try.

1272

Post please openwrt itb files needed for flashning/install,plan to write emmc directly tomorrow. Previous links seems to be expired. Thanks

1273

Download Link https://limewire.com/d/md9rZ#iUNfjqy86c

1274

thanks,but gives" Error

The URL doesn't have the correct format."
Sysupgrade and initial initramfs itb to write directly to emmc.
I will publish that and factory fota patches on mega.nz folder.

1275

Can you help me? I entered here fw_setenv TestMode mfg and finished the reboot, plugged in the power supply, and I am stuck at this point, and the keyboard can't input either.
U-Boot 2016.01-v00.04 (May 06 2022 - 14:40:18 +0800)

DRAM: smem ram ptable found: ver: 1 len: 4
2 GiB
NAND: Could not find nand-flash in device tree
SF: Unsupported flash IDs: manuf ff, jedec ffff, ext_jedec ffff
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
0 MiB
MMC: : 0 (eMMC)
PCI Link Intialized
In: serial@78B3000
Out: serial@78B3000
Err: serial@78B3000
Console Enable
machid: 8010012
eth0 MAC Address from ART is not valid
eth1 MAC Address from ART is not valid
eth2 MAC Address from ART is not valid
eth3 MAC Address from ART is not valid
eth4 MAC Address from ART is not valid
eth5 MAC Address from ART is not valid
autoboot_command
Hit any key to stop autoboot: 0

MMC read: dev # 0, block # 16418, count 40960 ... 40960 blocks read: OK
Verifying... fail
This is the invalid kernel
bootipq - bootipq from flash device

Net: MAC0 addr:0:3:7f:ba:db:ad
PHY ID1: 0x31c3
PHY ID2: 0x1c13
EDMA ver 1 hw init
Num rings - TxDesc:1 (0-0) TxCmpl:1 (7-7)
RxDesc:1 (15-15) RxFill:1 (7-7)
ipq807x_edma_alloc_rings: successfull
ipq807x_edma_setup_ring_resources: successfull
ipq807x_edma_configure_rings: successfull
ipq807x_edma_hw_init: successfull
eth0
IPQ807x#

1276

That's a very good step. You are super close. Just connect Ethernet to wan and follow steps to tftp temporary image and then flash permanent one as it was described in original posts

1277

It has been fully installed according to the tutorial steps. Thank you very much for your help.

2 Likes
1278

Any progress on using the RTL930x chip as a slave switch over SPI?
I saw that the latest realtek driver commits have started to decouple the switch driver code from the SoC code.

1279

I don't think so. I could try to mess around with this. How decoupled is it now? Any commit links?