kirdes
May 20, 2022, 7:02pm
41
@robimarko
If you have some spare time, can you try this as bootcmd on the Dynalink?
"setenv bootargs console=ttyMSM0,115200n8 ubi.mtd=rootfs root=mtd:rootfs rootfstype=squashfs rootwait; ubi part fs; ubi read 43ffd000 kernel; bootm 43ffd000"
This works on a Netgear IPQ6018 secure-boot-enabled device (playing with an image built from the TIP repo, 5.4 kernel).
This avoids the bootipq image signing check etc.
BTW will get a Dynalink myself soon.
Sure, I can try tomorrow as it's time to get it completed due to its price.
The config backup does not seem to be a ZIP anymore.
Nah, that won't work without setting the NAND ID and partition table manually first.
Can you send a copy anyway? Askey likes to use their own special methods of compressing the config file.
I'll take a look at it a bit later
kirdes
May 22, 2022, 8:07pm
48
Ahh, mtdids and mtdparts are already set on my device.
This should work on the Dynalink:
mtdids=nand0=nand0
mtdparts=mtdparts=nand0:0x6100000@0x7a00000(fs),
It's not an issue setting it manually; I am looking now at what the secure boot verifies, because it seems like only the kernel is being verified.
The issue is that they are making an SCM call to do so; the certificate partition is a LUKS-encrypted UBI volume.
kirdes
May 22, 2022, 8:15pm
50
On my device they are parsing the ELF image header (parse_elf_image_phdr) and this fails with "It is not a elf image".
The same is being done here, they are just using the bog standard QCA bootloader and bootqca/bootipq command which does everything automagically.
Looking at the code I don't see an obvious exploit.
Here is the bootipq in debug mode:
IPQ807x# bootipq debug
call do_boot_signedimg()
Using nand device 0
setenv mtdids nand0=nand0 && setenv mtdparts mtdparts=nand0:0x6100000@0x1000000(fs),0x6100000@0x7a00000(fs_1),${msmparts}
[Askey] check_dualimg_nand()-3
******* check firmware img *****
ubi part fs && ubi read 0x44000000 kernel 0x800
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=0", size 97 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 776, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 3, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 2/0, WL threshold: 4096, image sequence number: 509821238
ubi0: available PEBs: 0, total reserved PEBs: 776, PEBs reserved for bad PEB handling: 40
Read 2048 bytes from volume kernel to 44000000
NOT unsigned kernel FW header
[Askey] Secure boot Rev 2.00
[Askey] signed kernel FW package
ubi read 0x44000000 kernel 0x3fd800
Read 4184064 bytes from volume kernel to 44000000
checkImage magic img 0x27051956 IH_MAGIC 0x27051956 imgsize 0x3fac00
Image Name: Linux-4.4.60
Image Type: ARM Linux Kernel Image (lzma compressed)
Data Size: 4172736 Bytes = 4 MiB
Load Address: 41080000
Entry Point: 41080000
Verifying Checksum ... OK
kernel_size 0x3fd000 eb_size 0x800 rootfs_size_temp 0x2180840
ubi read 0x443fd040 ubi_rootfs 0x2181000
Read 35131392 bytes from volume ubi_rootfs to 443fd040
checkImage magic img 0x27051956 IH_MAGIC 0x27051956 imgsize 0x2180840
Image Name: root.squashfs
Image Type: ARM Linux Firmware (lzma compressed)
Data Size: 35129344 Bytes = 33.5 MiB
Load Address: 00000000
Entry Point: 00000000
Verifying Checksum ... OK
******* OK *****
bootargs=ubi.mtd=rootfs root=mtd:ubi_rootfs rootfstype=squashfs uboot-version=0.0.1-1-80112-CS rootwait
[Askey] do_boot_signedimg()
Booting from flash
[Askey] do_boot_signedimg() debug-01, addr: 44000000
ubi0: detaching mtd1
ubi0: mtd1 is detached
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=0", size 97 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 776, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 3, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 2/0, WL threshold: 4096, image sequence number: 509821238
ubi0: available PEBs: 0, total reserved PEBs: 776, PEBs reserved for bad PEB handling: 40
ubi read 0x44000000 kernel && Read 0 bytes from volume kernel to 44000000
No size specified -> Using max size (4190208)
[Askey] do_boot_signedimg() debug-02, size: 0
[Askey] do_boot_signedimg() debug-05, 44000000 4190208
dtb_config_name: <config@rt5010w-d350-rev0>
bootm 0x44000068#config@rt5010w-d350-rev0
## Loading kernel from FIT Image at 44000068 ...
Using 'config@rt5010w-d350-rev0' configuration
Trying 'kernel@1' kernel subimage
Description: ARM64 OpenWrt Linux-4.4.60
Type: Kernel Image
Compression: gzip compressed
Data Start: 0x44000150
Data Size: 3922338 Bytes = 3.7 MiB
Architecture: AArch64
OS: Linux
Load Address: 0x41080000
Entry Point: 0x41080000
Hash algo: crc32
Hash value: 71ea479e
Hash algo: sha1
Hash value: 805491e1ce0ad2c317e3a52a8b9654091160d743
Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading fdt from FIT Image at 44000068 ...
Using 'config@rt5010w-d350-rev0' configuration
Trying 'fdt@rt5010w-d350-rev0' fdt subimage
Description: ARM64 OpenWrt rt5010w-d350 device tree blob
Type: Flat Device Tree
Compression: uncompressed
Data Start: 0x443e6150
Data Size: 82227 Bytes = 80.3 KiB
Architecture: AArch64
Hash algo: crc32
Hash value: 877a0dfe
Hash algo: sha1
Hash value: 19595d50a1c0362b772db8f69b3dbd5773e444a0
Verifying Hash Integrity ... crc32+ sha1+ OK
Booting using the fdt blob at 0x443e6150
Uncompressing Kernel Image ... OK
Loading Device Tree to 4a3e8000, end 4a3ff132 ... OK
Could not find PCI in device tree
Using machid 0x8850105 from environment
Starting kernel ...
Jumping to AARCH64 kernel via monitor
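The "checkImage magic img 0x27051956 IH_MAGIC 0x27051956" and "Verifying Checksum ... OK" lines in the log above are the legacy U-Boot image (uImage) header check. The following is an added example for this thread, not code from U-Boot, Askey or any of the posts: it parses the documented 64-byte big-endian uImage header, verifies the header CRC (computed with the CRC field zeroed) and the data CRC, and prints the header the way the log does. The payload and image name are constructed sample data; the IH_* constants are the standard legacy U-Boot values. The point worth noticing is that both CRCs are plain CRC-32s: they detect corruption, not tampering, which is why the authenticity of the kernel on this device rests on the separate signed-image path (the SCM call discussed above) and not on this "OK".

```python
"""Parse and verify a legacy U-Boot image ("uImage") header.

Added example; not code from U-Boot, Askey or the thread.  Layout and IH_*
values are the documented legacy uImage format; sample data is constructed.
"""
import struct
import zlib

IH_MAGIC = 0x27051956          # same value the log prints as IH_MAGIC
IH_NMLEN = 32
# magic, hcrc, time, size, load, ep, dcrc (7 x u32), os, arch, type, comp (4 x u8), name[32]
HEADER_FMT = ">7I4B32s"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 64 bytes

IH_OS = {5: "Linux"}
IH_ARCH = {2: "ARM", 22: "AArch64"}
IH_TYPE = {2: "Kernel Image", 5: "Firmware"}
IH_COMP = {0: "uncompressed", 1: "gzip", 2: "bzip2", 3: "lzma"}


def crc32(data: bytes) -> int:
    """U-Boot and mkimage use the zlib-compatible CRC-32."""
    return zlib.crc32(data) & 0xFFFFFFFF


def build_uimage(payload: bytes, name: str, load: int = 0x41080000,
                 ep: int = 0x41080000, os_: int = 5, arch: int = 2,
                 type_: int = 2, comp: int = 3, timestamp: int = 0) -> bytes:
    """Wrap a payload in a uImage header as mkimage would (used here to make test input).

    Defaults mirror the kernel image in the log (ARM Linux kernel, lzma, load/entry
    0x41080000).  The payload is stored as given; nothing is compressed here.
    """
    name_field = name.encode()[:IH_NMLEN].ljust(IH_NMLEN, b"\0")
    hdr = struct.pack(HEADER_FMT, IH_MAGIC, 0, timestamp, len(payload), load, ep,
                      crc32(payload), os_, arch, type_, comp, name_field)
    # The header CRC is computed over the header with the hcrc field itself zeroed.
    hdr = hdr[:4] + struct.pack(">I", crc32(hdr)) + hdr[8:]
    return hdr + payload


def check_image(image: bytes) -> dict:
    """Parse and verify a uImage; raise ValueError naming the failing check."""
    if len(image) < HEADER_LEN:
        raise ValueError("image shorter than a uImage header")
    (magic, hcrc, timestamp, size, load, ep, dcrc,
     os_, arch, type_, comp, name) = struct.unpack(HEADER_FMT, image[:HEADER_LEN])
    if magic != IH_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x} (expected 0x{IH_MAGIC:08x})")
    if crc32(image[:4] + b"\0" * 4 + image[8:HEADER_LEN]) != hcrc:
        raise ValueError("bad header CRC")
    data = image[HEADER_LEN:HEADER_LEN + size]
    if len(data) != size:
        raise ValueError(f"truncated: header says {size} bytes, got {len(data)}")
    if crc32(data) != dcrc:
        raise ValueError("bad data CRC")
    return {
        "name": name.rstrip(b"\0").decode(errors="replace"),
        "size": size,
        "load": load,
        "entry": ep,
        "timestamp": timestamp,
        "os": IH_OS.get(os_, f"unknown({os_})"),
        "arch": IH_ARCH.get(arch, f"unknown({arch})"),
        "type": IH_TYPE.get(type_, f"unknown({type_})"),
        "compression": IH_COMP.get(comp, f"unknown({comp})"),
    }


def image_is_valid(image: bytes) -> bool:
    """True only if magic, header CRC, length and data CRC all check out."""
    try:
        check_image(image)
        return True
    except ValueError:
        return False


def describe(image: bytes) -> str:
    """Render the header roughly like U-Boot's image_print_contents()."""
    info = check_image(image)
    return "\n".join([
        f"   Image Name:   {info['name']}",
        f"   Image Type:   {info['arch']} {info['os']} {info['type']} ({info['compression']} compressed)",
        f"   Data Size:    {info['size']} Bytes",
        f"   Load Address: {info['load']:08x}",
        f"   Entry Point:  {info['entry']:08x}",
        "   Verifying Checksum ... OK",
    ])


if __name__ == "__main__":
    sample = build_uimage(b"constructed kernel payload " * 100, "Linux-4.4.60")
    print(describe(sample))
    corrupted = bytearray(sample)
    corrupted[HEADER_LEN + 7] ^= 0x01          # flip one payload bit: data CRC now fails
    print("corrupted image valid:", image_is_valid(bytes(corrupted)))
```

Run it directly to see the header printed in the log's format; a single flipped payload bit makes the data CRC fail, while a changed name or load address fails the header CRC.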
By any chance were you able to get any sort of firmware dump from the router? All I really need is either the rootfs or an OTA.
I can give you the rootfs that I dumped from initramfs, I was not able to capture the OTA image.
No idea if it matches the exported config file though, it was a while ago.
Here are all of the partitions dumped:
https://drive.google.com/drive/folders/1-Juhxm29UgfRqwX9doycXJK-L3gk01HK?usp=sharing
Were you able to extract any files? I'm trying with binwalk -e but the two rootfs files are basically empty
Can you send the URL of the login page for the settings? On the rac2v1k there are hidden settings for the ISP and I'm wondering if they might be accessible on this router too. I just need the URL itself and no actual access to it.
Yeah, it's extractable, just extract the UBI volumes with ubireader and then you can use binwalk to extract the squashfs-based rootfs.
I can provide you with the URL tomorrow; there should be a way to enable SSH as I found references to an SSH enable, port etc. fields in the English translation JS.
Don't need the url anymore lol. When you have the chance try replacing login.html in the settings url with Qs5AxZ98erDM/login.html
then try the default user/pw if the page loads
If the page loads but doesn't let you log in, try restoring this config
Edit: Looks like this router might have a zigbee/thread/BLE 5.0 radio, QPG7015M. Files/utils for it are in /usr/askey_iot and /etc/iot.
Encrypt/Decrypt backup files. This is normally handled by sysupgrade.
To decrypt backups:
openssl enc -d -aes-256-cbc -a -in /path/to/backup.cfg -out backup.tar.gz -pass pass:AskeyRT5000wKey1357924680
To encrypt backups:
openssl enc -e -aes-256-cbc -a -in /path/to/backup.tar.gz -out backup.cfg -pass pass:AskeyRT5000wKey1357924680
Encrypt/Decrypt passwords in /etc/config/wireless and possibly other places.
When you ssh into the router you can use the commands aes256 -e and aes256 -d instead. I found the password inside that command.
Encrypt:
echo "data-to-encrypt" | openssl enc -e -aes-256-cbc -a -pass pass:497BCD5B8033A672BCB22E97E40D5E7C
Decrypt:
echo 'encrypted-data' | openssl enc -d -aes-256-cbc -a -pass pass:497BCD5B8033A672BCB22E97E40D5E7C
Random/interesting looking commands:
mf_tool - Looks to be for diagnostics and might also be able to permanently change the MAC address, among other stuff.
RJ45_led_control.sh - Self-explanatory. Available options are all_on, all_off, and recover.
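The two openssl commands in the post above do the whole job, but there is one detail that makes them fail with "bad decrypt" depending on which machine wrote the file: with "-pass pass:..." openssl enc derives the AES key and IV from the passphrase using a digest that defaulted to MD5 before OpenSSL 1.1.0 and to SHA-256 from 1.1.0 on, so a backup written under one default has to be decrypted with an explicit -md matching it. The script below is an added example for this thread, not Askey's sysupgrade code or anything from the posts: it wraps both commands with the passphrase quoted above, retries decryption with -md md5 when the local default fails, and round-trips a constructed stand-in for backup.tar.gz so you can see it work offline.

```shell
#!/bin/sh
# Added example (not code from the thread or from Askey): round-trip the
# backup encryption described above, with a digest fallback on decrypt.
# The passphrase is the one quoted in the thread; the config content is a
# constructed sample, not a real router backup.

BACKUP_PASS='AskeyRT5000wKey1357924680'

# encrypt_backup PLAIN OUT DIGEST   (DIGEST: md5 or sha256, the two KDF defaults)
encrypt_backup() {
    openssl enc -e -aes-256-cbc -a -md "$3" -in "$1" -out "$2" -pass "pass:$BACKUP_PASS"
}

# decrypt_backup CFG OUT
# First try this OpenSSL's default key-derivation digest, then -md md5, which is
# what a pre-1.1.0 OpenSSL (common on embedded firmware) would have used to write it.
decrypt_backup() {
    if openssl enc -d -aes-256-cbc -a -in "$1" -out "$2" -pass "pass:$BACKUP_PASS" 2>/dev/null; then
        echo "decrypted with this OpenSSL's default digest"
    elif openssl enc -d -aes-256-cbc -a -md md5 -in "$1" -out "$2" -pass "pass:$BACKUP_PASS" 2>/dev/null; then
        echo "decrypted with -md md5 (file was written by an MD5-default OpenSSL)"
    else
        echo "decryption failed with both digests" >&2
        return 1
    fi
}

# Round trip on a constructed stand-in for backup.tar.gz, written as an
# MD5-derived file to exercise the fallback on a modern OpenSSL.
demo() {
    work=$(mktemp -d)
    printf 'config wifi-iface\n\toption key CONSTRUCTED_SAMPLE\n' > "$work/backup.tar.gz"
    encrypt_backup "$work/backup.tar.gz" "$work/backup.cfg" md5
    decrypt_backup "$work/backup.cfg" "$work/restored.tar.gz"
    if cmp -s "$work/backup.tar.gz" "$work/restored.tar.gz"; then
        echo "round trip OK"
    else
        echo "round trip FAILED" >&2
    fi
    rm -rf "$work"
}

demo
```

Because the key and IV come from a fixed passphrase baked into the firmware and the same passphrase is on this page, the backup format offers no confidentiality for the credentials inside it; treat an exported .cfg as plaintext when storing or sharing it.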
I tried replacing the version with the magic you provided and it will load the login page but refuse to even try verifying the login.
Also, restoring that config does not work.
Ok, so just enabling dropbear in /etc/config actually enables it; however, an RSA host key is being used and OpenSSH 9 does not like that at all.
It can however be enabled for the Askey by adding in ~/.ssh/config:
Host 192.168.2.31
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
Just replace the host IP obviously, and now onto figuring out the root password.
Hm, I replaced the root user password in /etc/shadow with $1$0Zm8tfKN$3hW1vziEpFyHfBu.uJ.q61
That's askey1234 in MD5 generated by mkpasswd.
Doubt it'll work but try technician or operator for the username instead
There aren't those users:
root:$1$0Zm8tfKN$3hW1vziEpFyHfBu.uJ.q61:17410:0:99999:7:::
admin:$1$k2jZYFav$iAuPT.4x8xh5Tv2MJZgJo1:17410:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
lldp:x:0:0:99999:7:::
minidlna:x:0:0:99999:7:::
I replaced the root user password in /etc/shadow with $1$0Zm8tfKN$3hW1vziEpFyHfBu.uJ.q61
That's askey1234 in MD5 generated by mkpasswd.
But it still gets refused.