Dynalink DL-WRX36 Askey RT5010W IPQ8072A technical discussion

@robimarko

If you have some spare time, can you try this as bootcmd on the Dynalink?

"setenv bootargs console=ttyMSM0,115200n8 ubi.mtd=rootfs root=mtd:rootfs rootfstype=squashfs rootwait; ubi part fs; ubi read 43ffd000 kernel; bootm 43ffd000"

This works on a Netgear IPQ6018 secure-boot-enabled device (playing with an image build from the TIP repo, 5.4 kernel)

This avoids the bootipq image signing check etc.

BTW will get a Dynalink myself soon.

Sure, I can try tomorrow, as it's time to get it completed due to its price

The config backup does not seem to be a ZIP anymore.

Nah, that won't work without setting the NAND ID and partition table manually first.

Can you send a copy anyways? Askey likes to use their own special methods of compressing the config file

Sure, here it is:

I'll take a look at it a bit later

Ahh, mtdids and mtdparts are already set on my device.

This should work on the Dynalink:

mtdids=nand0=nand0
mtdparts=mtdparts=nand0:0x6100000@0x7a00000(fs),

It's not an issue setting it manually; I am looking now at what the secure boot verifies, because it seems like only the kernel is being verified.

The issue is that they are making an SCM call to do so; the certificate partition is a LUKS-encrypted UBI volume.

On my device they are parsing the ELF image header (parse_elf_image_phdr) and this fails with " It is not a elf image"

The same is being done here; they are just using the bog-standard QCA bootloader and bootqca/bootipq command, which does everything automagically.

Looking at the code I don't see an obvious exploit.

Here is the bootipq in debug mode:

IPQ807x# bootipq debug
call do_boot_signedimg()
Using nand device 0
setenv mtdids nand0=nand0 && setenv mtdparts mtdparts=nand0:0x6100000@0x1000000(fs),0x6100000@0x7a00000(fs_1),${msmparts} 
[Askey] check_dualimg_nand()-3
******* check firmware img *****
ubi part fs && ubi read 0x44000000 kernel 0x800 
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=0", size 97 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 776, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 3, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 2/0, WL threshold: 4096, image sequence number: 509821238
ubi0: available PEBs: 0, total reserved PEBs: 776, PEBs reserved for bad PEB handling: 40
Read 2048 bytes from volume kernel to 44000000
NOT unsigned kernel FW header


[Askey] Secure boot Rev 2.00
[Askey] signed kernel FW package
ubi read 0x44000000 kernel 0x3fd800 
Read 4184064 bytes from volume kernel to 44000000
checkImage magic img 0x27051956  IH_MAGIC 0x27051956 imgsize 0x3fac00
   Image Name:   Linux-4.4.60
   Image Type:   ARM Linux Kernel Image (lzma compressed)
   Data Size:    4172736 Bytes = 4 MiB
   Load Address: 41080000
   Entry Point:  41080000

   Verifying Checksum ...  OK 

kernel_size 0x3fd000 eb_size 0x800 rootfs_size_temp 0x2180840
ubi read 0x443fd040 ubi_rootfs 0x2181000
Read 35131392 bytes from volume ubi_rootfs to 443fd040
checkImage magic img 0x27051956  IH_MAGIC 0x27051956 imgsize 0x2180840
   Image Name:   root.squashfs
   Image Type:   ARM Linux Firmware (lzma compressed)
   Data Size:    35129344 Bytes = 33.5 MiB
   Load Address: 00000000
   Entry Point:  00000000

   Verifying Checksum ...  OK 

******* OK *****
bootargs=ubi.mtd=rootfs root=mtd:ubi_rootfs rootfstype=squashfs uboot-version=0.0.1-1-80112-CS rootwait
[Askey] do_boot_signedimg()
Booting from flash
[Askey] do_boot_signedimg() debug-01, addr: 44000000
ubi0: detaching mtd1
ubi0: mtd1 is detached
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=0", size 97 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 776, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 3, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 2/0, WL threshold: 4096, image sequence number: 509821238
ubi0: available PEBs: 0, total reserved PEBs: 776, PEBs reserved for bad PEB handling: 40
ubi read 0x44000000 kernel && Read 0 bytes from volume kernel to 44000000
No size specified -> Using max size (4190208)
[Askey] do_boot_signedimg() debug-02, size: 0
[Askey] do_boot_signedimg() debug-05, 44000000 4190208
dtb_config_name: <config@rt5010w-d350-rev0>
bootm 0x44000068#config@rt5010w-d350-rev0
## Loading kernel from FIT Image at 44000068 ...
   Using 'config@rt5010w-d350-rev0' configuration
   Trying 'kernel@1' kernel subimage
     Description:  ARM64 OpenWrt Linux-4.4.60
     Type:         Kernel Image
     Compression:  gzip compressed
     Data Start:   0x44000150
     Data Size:    3922338 Bytes = 3.7 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x41080000
     Entry Point:  0x41080000
     Hash algo:    crc32
     Hash value:   71ea479e
     Hash algo:    sha1
     Hash value:   805491e1ce0ad2c317e3a52a8b9654091160d743
   Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading fdt from FIT Image at 44000068 ...
   Using 'config@rt5010w-d350-rev0' configuration
   Trying 'fdt@rt5010w-d350-rev0' fdt subimage
     Description:  ARM64 OpenWrt rt5010w-d350 device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x443e6150
     Data Size:    82227 Bytes = 80.3 KiB
     Architecture: AArch64
     Hash algo:    crc32
     Hash value:   877a0dfe
     Hash algo:    sha1
     Hash value:   19595d50a1c0362b772db8f69b3dbd5773e444a0
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Booting using the fdt blob at 0x443e6150
   Uncompressing Kernel Image ... OK
   Loading Device Tree to 4a3e8000, end 4a3ff132 ... OK
Could not find PCI in device tree
Using machid 0x8850105 from environment

Starting kernel ...

Jumping to AARCH64 kernel via monitor
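The "checkImage magic img 0x27051956 ... Verifying Checksum ... OK" lines in the log above are U-Boot checking the 64-byte legacy uImage header (magic, header CRC32, payload CRC32) in front of the kernel and root.squashfs volumes. The script below is an added example, not code from this thread or from Askey/QCA, that builds such a header around a constructed payload and runs the same three checks. It also shows the caveat that matters for the secure-boot discussion: a CRC detects accidental corruption only, since anyone who changes the payload can recompute it, which is why the actual trust decision has to come from the signed wrapper verified through the SCM call, not from "Verifying Checksum ... OK". Field layout and enum values follow U-Boot's include/image.h; the payload and name are constructed.

```python
"""Parse and verify a U-Boot legacy image ("uImage") header.

Added example (not from the thread): the sample image below is constructed
here and is not a real Dynalink/Askey kernel. Layout follows U-Boot's
include/image.h: 7 big-endian u32 fields, 4 bytes of enums, 32-byte name.
"""
import struct
import zlib

IH_MAGIC = 0x27051956
IH_HEADER = ">IIIIIIIBBBB32s"   # magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name
IH_HEADER_LEN = struct.calcsize(IH_HEADER)   # 64 bytes

# Subset of U-Boot's enum values, enough for the two images in the log.
IH_OS = {5: "Linux"}
IH_ARCH = {2: "ARM"}
IH_TYPE = {2: "Kernel Image", 5: "Firmware"}
IH_COMP = {0: "uncompressed", 1: "gzip", 3: "lzma"}


def build_uimage(name, data, ih_type, ih_comp, load=0, entry=0, ih_os=5, ih_arch=2):
    """Wrap `data` in a legacy header, computing both CRCs the way mkimage does."""
    dcrc = zlib.crc32(data) & 0xFFFFFFFF
    # The header CRC is computed over the header with the hcrc field zeroed.
    hdr = struct.pack(IH_HEADER, IH_MAGIC, 0, 0, len(data), load, entry, dcrc,
                      ih_os, ih_arch, ih_type, ih_comp,
                      name.encode("ascii")[:32].ljust(32, b"\0"))
    hcrc = zlib.crc32(hdr) & 0xFFFFFFFF
    return hdr[:4] + struct.pack(">I", hcrc) + hdr[8:] + data


def parse_uimage(blob):
    """Decode the header and report the checks U-Boot's image code performs."""
    if len(blob) < IH_HEADER_LEN:
        raise ValueError("short image")
    (magic, hcrc, _time, size, load, entry, dcrc,
     os_, arch, typ, comp, name) = struct.unpack(IH_HEADER, blob[:IH_HEADER_LEN])
    if magic != IH_MAGIC:
        raise ValueError("bad magic 0x%08x (expected 0x%08x)" % (magic, IH_MAGIC))
    zeroed = blob[:4] + b"\0\0\0\0" + blob[8:IH_HEADER_LEN]
    data = blob[IH_HEADER_LEN:IH_HEADER_LEN + size]
    return {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "type": IH_TYPE.get(typ, "type %d" % typ),
        "comp": IH_COMP.get(comp, "comp %d" % comp),
        "os": IH_OS.get(os_, "os %d" % os_),
        "arch": IH_ARCH.get(arch, "arch %d" % arch),
        "size": size, "load": load, "entry": entry,
        "hcrc_ok": (zlib.crc32(zeroed) & 0xFFFFFFFF) == hcrc,
        "dcrc_ok": len(data) == size and (zlib.crc32(data) & 0xFFFFFFFF) == dcrc,
    }


def tamper_and_refresh_crcs(blob, offset, value):
    """Change one payload byte and recompute both CRCs in place.

    The result still passes parse_uimage(): a CRC is an integrity check, not
    an authenticity check, so it cannot stand in for signature verification.
    """
    img = bytearray(blob)
    img[IH_HEADER_LEN + offset] = value
    size = struct.unpack_from(">I", img, 12)[0]               # ih_size
    data = bytes(img[IH_HEADER_LEN:IH_HEADER_LEN + size])
    struct.pack_into(">I", img, 24, zlib.crc32(data) & 0xFFFFFFFF)   # ih_dcrc
    struct.pack_into(">I", img, 4, 0)                                # zero ih_hcrc
    struct.pack_into(">I", img, 4, zlib.crc32(bytes(img[:IH_HEADER_LEN])) & 0xFFFFFFFF)
    return bytes(img)


if __name__ == "__main__":
    # Constructed payload; metadata mirrors the kernel entry in the log.
    kernel = build_uimage("Linux-4.4.60", bytes(range(256)) * 4, ih_type=2, ih_comp=3,
                          load=0x41080000, entry=0x41080000)
    print(parse_uimage(kernel))
    flipped = bytearray(kernel)
    flipped[IH_HEADER_LEN + 10] ^= 0xFF
    print("bit flip detected:", not parse_uimage(bytes(flipped))["dcrc_ok"])
    print("refreshed CRC passes:", parse_uimage(tamper_and_refresh_crcs(kernel, 10, 0))["dcrc_ok"])
```

The FIT image that bootm loads afterwards (crc32+sha1 per subimage) has the same property: hashes stored inside the image prove it was not corrupted in flash, not who produced it.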

By any chance were you able to get any sort of firmware dump from the router? All I really need is either the rootfs or an OTA.

I can give you the rootfs that I dumped from initramfs, I was not able to capture the OTA image.
No idea if it matches the exported config file though, it was a while ago.

Here are all of the partitions dumped:
https://drive.google.com/drive/folders/1-Juhxm29UgfRqwX9doycXJK-L3gk01HK?usp=sharing

Were you able to extract any files? I'm trying with binwalk -e but the two rootfs files are basically empty

Can you send the URL of the login page for the settings? On the rac2v1k there are hidden settings for the ISP, and I'm wondering if they might be accessible on this router too. I just need the URL itself and no actual access to it.

Yeah, it's extractable: just extract the UBI volumes with ubireader and then you can use binwalk to extract the squashfs-based rootfs.
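Why binwalk -e on the raw partition dump comes up nearly empty while ubireader works: a raw NAND dump is a sequence of erase blocks (PEBs), each carrying a UBI erase-counter header (UBI#) and a volume-ID header (UBI!) before 126976 bytes of payload, and a volume's data is spread across many such blocks in whatever physical order UBI wrote them. A carver that finds the squashfs magic runs into the next block's headers a few KiB later. The script below is an added example, not from this thread and not ubireader's own code: it constructs a small UBI image with the geometry from the log above (128 KiB PEB, VID header at 2048, data at 4096), then scans it, checks the header and data CRCs, reads the volume table and reassembles a volume in logical order. Struct layouts follow the kernel's ubi-media.h; the volume names and payloads are constructed.

```python
"""Scan a raw UBI partition dump, list its volumes and reassemble one.

Added example (not from the thread, not ubireader's code). The image is
constructed here with the geometry reported by ubi0 in the log; layouts
follow drivers/mtd/ubi/ubi-media.h.
"""
import struct
import zlib

PEB, VID_OFF, DATA_OFF = 131072, 2048, 4096
LEB = PEB - DATA_OFF                      # 126976, as in the ubi0 lines
EC_HDR = ">4sB3xQIII32xI"                 # magic, ver, ec, vid_off, data_off, image_seq, crc
VID_HDR = ">4sBBBBII4xIIII4xQ12xI"        # magic, ver, type, copy, compat, vol_id, lnum,
                                          # data_size, used_ebs, data_pad, data_crc, sqnum, crc
VTBL_REC = ">IIIBBH128sB23xI"             # reserved_pebs, align, data_pad, type, upd, name_len,
                                          # name, flags, crc (172 bytes, 128 records)
LAYOUT_VOL = 0x7FFFEFFF                   # internal volume holding the volume table
DYNAMIC, STATIC = 1, 2


def ubi_crc32(buf):
    """UBI uses crc32_le with init 0xFFFFFFFF and no final inversion,
    which is zlib's CRC with the final XOR undone."""
    return (zlib.crc32(buf) & 0xFFFFFFFF) ^ 0xFFFFFFFF


def _peb(vol_id, lnum, data, vol_type, sqnum, used_ebs=1, compat=0):
    """Build one erase block: EC header, VID header, payload, 0xFF fill."""
    assert len(data) <= LEB
    ec = struct.pack(EC_HDR, b"UBI#", 1, 0, VID_OFF, DATA_OFF, 1, 0)
    ec = ec[:60] + struct.pack(">I", ubi_crc32(ec[:60]))
    dsize = len(data) if vol_type == STATIC else 0      # static LEBs carry size + CRC
    dcrc = ubi_crc32(data) if vol_type == STATIC else 0
    vid = struct.pack(VID_HDR, b"UBI!", 1, vol_type, 0, compat, vol_id, lnum,
                      dsize, used_ebs, 0, dcrc, sqnum, 0)
    vid = vid[:60] + struct.pack(">I", ubi_crc32(vid[:60]))
    peb = bytearray(b"\xff" * PEB)
    peb[0:64], peb[VID_OFF:VID_OFF + 64] = ec, vid
    peb[DATA_OFF:DATA_OFF + len(data)] = data
    return bytes(peb)


def _vtbl(volumes):
    """Volume table: 128 records, unused ones zeroed but still CRC-protected."""
    recs = []
    for i in range(128):
        if i < len(volumes):
            name, vtype, reserved = volumes[i]
            rec = struct.pack(VTBL_REC, reserved, 1, 0, vtype, 0, len(name), name.encode(), 0, 0)
        else:
            rec = struct.pack(VTBL_REC, 0, 0, 0, 0, 0, 0, b"", 0, 0)
        recs.append(rec[:168] + struct.pack(">I", ubi_crc32(rec[:168])))
    return b"".join(recs)


def build_sample_image():
    """Three user volumes like the device (kernel, ubi_rootfs, rootfs_data); PEBs
    deliberately out of logical order, as on real flash."""
    vtbl = _vtbl([("kernel", STATIC, 1), ("ubi_rootfs", STATIC, 2), ("rootfs_data", DYNAMIC, 1)])
    kernel = b"\x27\x05\x19\x56" + b"K" * 4000        # uImage magic + constructed filler
    rootfs = b"hsqs" + b"R" * (LEB + 96)              # squashfs magic, spans two LEBs
    return b"".join([
        _peb(LAYOUT_VOL, 0, vtbl, DYNAMIC, 1, compat=5),
        _peb(1, 1, rootfs[LEB:], STATIC, 5, used_ebs=2),
        _peb(0, 0, kernel, STATIC, 3),
        _peb(LAYOUT_VOL, 1, vtbl, DYNAMIC, 2, compat=5),
        _peb(1, 0, rootfs[:LEB], STATIC, 4, used_ebs=2),
        _peb(2, 0, b"\x00" * 64, DYNAMIC, 6),
    ])


def scan_ubi(image):
    """Return ({vol_id: (name, type, reserved_pebs)}, {vol_id: {lnum: (sqnum, type, data)}})."""
    lebs = {}
    for off in range(0, len(image) - PEB + 1, PEB):
        ec = image[off:off + 64]
        if ec[:4] != b"UBI#" or ubi_crc32(ec[:60]) != struct.unpack(">I", ec[60:])[0]:
            continue                                  # erased or foreign block
        vid_off, data_off = struct.unpack(EC_HDR, ec)[3:5]
        vid = image[off + vid_off:off + vid_off + 64]
        if vid[:4] != b"UBI!" or ubi_crc32(vid[:60]) != struct.unpack(">I", vid[60:])[0]:
            continue                                  # free PEB: EC header only
        _, _, vtype, _, _, vol_id, lnum, dsize, _, _, dcrc, sqnum, _ = struct.unpack(VID_HDR, vid)
        data = image[off + data_off:off + PEB]
        if vtype == STATIC:
            data = data[:dsize]
            if ubi_crc32(data) != dcrc:
                continue                              # corrupt static LEB, as UBI would drop it
        cur = lebs.setdefault(vol_id, {}).get(lnum)   # keep newest copy of each LEB
        if cur is None or sqnum > cur[0]:
            lebs[vol_id][lnum] = (sqnum, vtype, data)
    names = {}
    raw = lebs.get(LAYOUT_VOL, {}).get(0, (0, 0, b""))[2]
    for i in range(0, len(raw) // 172):
        rec = raw[i * 172:(i + 1) * 172]
        reserved, _, _, vtype, _, nlen, name, _, crc = struct.unpack(VTBL_REC, rec)
        if nlen and ubi_crc32(rec[:168]) == crc:
            names[i] = (name[:nlen].decode(), vtype, reserved)
    return names, lebs


def assemble_volume(image, name):
    """Concatenate a volume's LEBs in lnum order (what ubireader writes out)."""
    names, lebs = scan_ubi(image)
    vol_id = next(i for i, v in names.items() if v[0] == name)
    return b"".join(lebs.get(vol_id, {})[l][2] for l in sorted(lebs.get(vol_id, {})))


def headers_inside(blob, start, length):
    """Count UBI block headers in blob[start:start+length]; 0 means contiguous data."""
    return blob[start:start + length].count(b"UBI#")


if __name__ == "__main__":
    img = build_sample_image()
    names, lebs = scan_ubi(img)
    for vid, (name, vtype, reserved) in sorted(names.items()):
        print("vol %d %-12s %s reserved_pebs=%d lebs=%d" % (
            vid, name, "static" if vtype == STATIC else "dynamic", reserved, len(lebs[vid])))
    rootfs = assemble_volume(img, "ubi_rootfs")
    raw_off = img.find(b"hsqs")
    print("assembled volume: %d bytes, %d UBI headers inside" % (len(rootfs), headers_inside(rootfs, 0, len(rootfs))))
    print("raw dump: squashfs at 0x%x, %d UBI headers in the next %d bytes" % (
        raw_off, headers_inside(img, raw_off, len(rootfs)), len(rootfs)))
```

Running it prints the three volumes with their LEB counts, then shows that the reassembled ubi_rootfs is contiguous squashfs data while the same span of the raw dump is interrupted by the next block's headers, which is the situation the carver hit.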

I can provide you with the URL tomorrow; there should be a way to enable SSH, as I found references to SSH enable, port, etc. fields in the English translation JS.

Don't need the URL anymore lol. When you have the chance, try replacing login.html in the settings URL with Qs5AxZ98erDM/login.html, then try the default user/pw if the page loads.
If the page loads but doesn't let you log in, try restoring this config

Edit:
Looks like this router might have a zigbee/thread/ble 5.0 radio QPG7015M. Files/utils for it are in /usr/askey_iot and /etc/iot

Encrypt/Decrypt backup files. This is normally handled by sysupgrade

To decrypt backups
openssl enc -d -aes-256-cbc -a -in /path/to/backup.cfg -out backup.tar.gz -pass pass:AskeyRT5000wKey1357924680

To encrypt backups
openssl enc -e -aes-256-cbc -a -in /path/to/backup.tar.gz -out backup.cfg -pass pass:AskeyRT5000wKey1357924680

Encrypt/Decrypt passwords in /etc/config/wireless and possibly other places.

When you ssh into the router you can use the commands aes256 -e and aes256 -d instead. I found the password inside that command.

Encrypt:
echo "data-to-encrypt" | openssl enc -e -aes-256-cbc -a -pass pass:497BCD5B8033A672BCB22E97E40D5E7C

Decrypt:
echo 'encrypted-data' | openssl enc -d -aes-256-cbc -a -pass pass:497BCD5B8033A672BCB22E97E40D5E7C

Random/interesting looking commands

mf_tool - Looks to be for diagnostics and might also be able to permanently change MAC address among other stuff
RJ45_led_control.sh - Self explanatory. Available options are all_on, all_off, and recover


I tried replacing the version with the magic you provided and it will load the login page but refuse to even try verifying the login.

Also, restoring that config does not work.

Ok, so just enabling dropbear in /etc/config actually enables it, however RSA host key is being used and OpenSSH 9 does not like that at all.

It can, however, be enabled for the Askey by adding to ~/.ssh/config:

Host 192.168.2.31
        HostkeyAlgorithms +ssh-rsa
        PubkeyAcceptedAlgorithms +ssh-rsa

Just replace the host IP obviously, and now onto figuring out the root password.
Hm, I replaced the root user password in /etc/shadow with $1$0Zm8tfKN$3hW1vziEpFyHfBu.uJ.q61
That's askey1234 in MD5 generated by mkpasswd

Doubt it'll work but try technician or operator for the username instead

There aren't those users:

root:$1$0Zm8tfKN$3hW1vziEpFyHfBu.uJ.q61:17410:0:99999:7:::
admin:$1$k2jZYFav$iAuPT.4x8xh5Tv2MJZgJo1:17410:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
lldp:x:0:0:99999:7:::
minidlna:x:0:0:99999:7:::

I replaced the root user password in /etc/shadow with $1$0Zm8tfKN$3hW1vziEpFyHfBu.uJ.q61
That's askey1234 in MD5 generated by mkpasswd.

But it still gets refused