Grandstream GWN7000 Router

Hi all

I'm seeking some guidance on how I can identify whether a router (this router) is supported by OpenWrt?
The few things I can find about it are that it's based on OpenWrt under the hood, a LuCI fork or something?
There's some SSH login on port 22, but that just gives me some selections that are also available in the WebUI. I have to use the Admin user to get access, but there seems to be a root user also. I just can't find the password just yet. I've tried to get the firmware and thrown Binwalk at that, but nothing yet.
I have taken it apart to see if I can learn more, but I'm hitting some roadblocks.
I've taken a picture of the hardware, but I can't upload it yet.
Please note that there's no WiFi in this device.

https://fccid.io/YZZGWN7000/Internal-Photos/Internal-Photos-3068905 suggests some QCA design, ath79 or more modern (ipq40xx, ipq806x); the FCC images are way too blurry to tell anything beyond that. Next step would be identifying the pins for the serial console and retrieving a bootlog.

Perhaps you could use this vulnerability.

It says code is on their github, but I didn't find it.

Based on https://www.grandstream.com/hubfs/Grandstream_Feb_2021/Zip%20File/gwn-opensource.tgz, that would suggest ipq8064.

Is that consistent w/ the Tenable page where they got root and...
~ # uname -a
Linux Grandstream 3.14.43 #1 SMP PREEMPT Wed Aug 15 15:14:30 CDT 2018 armv7l GNU/Linux

Try https://github.com/scarvell/grandstream_exploits

Thanks for that, but as far as I can tell, the firmware has to be lower than 1.0.6.32.

The firmware is at 1.0.9.6, which also eliminates this vulnerability. It was fixed in this firmware as per the changelog.

These pictures do look like my device. The only difference is that those headers aren't present in my device. But the pins are there, and ready to be soldered on.
Would that be the best course of action going forward?

There's no way around finding the serial headers first; without them, no dice.

Okay. I will see if I have the skills for that.
I've just confirmed that the OS is reporting itself as OpenWrt Chaos Calmer 15.05.
I will try to poke it some more :)

1.0.4.23 is still up, simply change the digits in the URL.
Other releases, documented in the change log you posted, might also be there, but I didn't check.