Fsecure Sense - Oh Dear! Nice box to re-flash though!

Richrt · January 21, 2023, 4:45pm

So I have a Youtube channel, Rtech Lab and was filming a teardown of this unit today. FSecure make a huge song and dance about how secure it is and its designed to go behind your normal router. Its an older unit but they are still about. On popping the plastic lid I spot a UART header, its not only soldered by they have labelled the pins.

Booted it up with a cable and expected to get UBoot and then nothing like most. Nope, I got a full boot log, then nothing. A tentative tap of the enter key, I get a Chaos Calmer banner and straight in. No password, no hint of security and that's it, the router is owned. The full toolchain is there so this can be reflashed from the console.

Its a nicely built bit of kit, not bad to look at and although I've not probed further, seems to be very highly spec'd hardware including USB 3.0. I dont see any sign of a port for these so they may be a nice target. I'll upload the video in a few days but here's some info. Need any more just ask....

root@SenseF0:27:45:03:81:20:/proc# cat cpuinfo
system type             : Sheipa Platform
machine                 : Unknown
processor               : 0
cpu model               : MIPS 1074Kc V2.4
BogoMIPS                : 498.89
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 64
extra interrupt vector  : yes
hardware watchpoint     : no
isa                     : mips1 mips2 mips32r2
ASEs implemented        : mips16
shadow register sets    : 1
kscratch registers      : 0
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

processor               : 1
cpu model               : MIPS 1074Kc V2.4
BogoMIPS                : 498.89
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 64
extra interrupt vector  : yes
hardware watchpoint     : no
isa                     : mips1 mips2 mips32r2
ASEs implemented        : mips16
shadow register sets    : 1
kscratch registers      : 0
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

root@SenseF0:27:45:03:81:20:/proc# cat meminfo
MemTotal:         511400 kB
MemFree:          421652 kB
Buffers:            8188 kB
Cached:            26420 kB
SwapCached:            0 kB
Active:            16292 kB
Inactive:          27304 kB
Active(anon):       9024 kB
Inactive(anon):       48 kB
Active(file):       7268 kB
Inactive(file):    27256 kB
Unevictable:           0 kB
Mlocked:               0 kB
HighTotal:        262144 kB
HighFree:         224704 kB
LowTotal:         249256 kB
LowFree:          196948 kB
SwapTotal:             0 kB
SwapFree:              0 kB
Dirty:                 0 kB
Writeback:             0 kB
AnonPages:          8992 kB
Mapped:             7840 kB
Shmem:                84 kB
Slab:              22200 kB
SReclaimable:      14728 kB
SUnreclaim:         7472 kB
KernelStack:         824 kB
PageTables:          500 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:      255700 kB
Committed_AS:      69864 kB
VmallocTotal:    1015800 kB
VmallocUsed:        1788 kB
VmallocChunk:    1002536 kB

root@SenseF0:27:45:03:81:20:/proc# df
Filesystem           1K-blocks      Used Available Use% Mounted on
rootfs                   59904      2828     57076   5% /
/dev/root                14592     14592         0 100% /rom
tmpfs                   255700        80    255620   0% /tmp
/dev/mtdblock5           59904      2828     57076   5% /overlay
overlayfs:/overlay       59904      2828     57076   5% /
tmpfs                      512         0       512   0% /dev
/dev/mtdblock7          707880      4660    703220   1% /data
/dev/mtdblock1            5100      3124      1976  61% /hw_setting
tmpfs                   255700         0    255700   0% /tmp/.jail/event_store
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/usr/bin/event_store
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/lib/ld-uClibc.so.0
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/lib/libblobmsg_json.so
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/lib/libc.so.0
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/usr/lib/libcares.so.2
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/usr/lib/libcrypto.so.1.0.0
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/lib/libdl.so.0
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/lib/libgcc_s.so.1
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/usr/lib/libjson-c.so.2
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/lib/libm.so.0
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/usr/lib/libmosquitto.so.1
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/lib/libpreload-seccomp.so
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/usr/lib/libprotobuf.so.9
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/lib/libpthread.so.0
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/lib/librt.so.0
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/usr/lib/libsqlite3.so.0
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/usr/lib/libssl.so.1.0.0
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/lib/libssp.so.0
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/usr/lib/libstdc++.so.6
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/lib/libubox.so
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/lib/libuci.so
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/usr/lib/libuuid.so.1
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/usr/lib/libz.so.1
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/bin/date
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/bin/dmesg
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/bin/echo
/dev/mtdblock7          707880      4660    703220   1% /tmp/.jail/event_store/data/db
df: /tmp/.jail/event_store/etc/config/seattle\040(deleted): No such file or directory
overlayfs:/overlay       59904      2828     57076   5% /tmp/.jail/event_store/etc/hosts

hecatae · January 21, 2023, 5:12pm

Where have you been, it's already on the Table of Hardware:

@plappermaul has done a lot of work on it.

takimata · January 21, 2023, 5:16pm

I really don't want to rain on your parade, but yes, this is already documented in the wiki.

This is the default behaviour with serial console on all OpenWrt devices. While login on TTY can be secured it is debatable how much of a point there is to it, at least on a device on which you need intense, almost intimate physical contact to use it in the first place. At that point any security is pretty much out the window anyway.