Spectrum SAX1V1K (Askey RT5010W) OpenWrt Support

I have the filesystem extracted with binwalk. Does anyone know how I can find binaries related to U-Boot, or where to look?

Binwalk does not seem to have extracted anything related to U-Boot. How can I find the entry point for the bootloader so I can disassemble it?

You can try to use unblob: https://github.com/onekey-sec/unblob

Usually U-Boot is not part of the eMMC but of the SPI NOR. Look for a SPI NOR flash chip on the board.
You would need a SPI clamp to dump its contents.

I found a static username/password in there.

ThylacineGone and password 4p@ssThats10ng

I still have to reball my flash chip and get it back into the device before I can test that.
This is for the admin page at /warehouse and /cgi-bin/warehouse.cgi.
But maybe they set the same username/password for U-Boot? @ghoffman, maybe you can test that, since I still have to reball the flash chip and reassemble my router before I can test anything.

I confirmed access to the 192.168.1.1/warehouse page using ThylacineGone/4p@ssThats10ng.
Unfortunately, there is nothing useful on the page. There are default SSID / default password values that are different from the ones on the router case.
None of those name/password combos work for U-Boot or for the booted console available on the serial port.

Unfortunately, more: I could not get any name/password combos to work for the U-Boot password.
thanks...

@meisterlone -
For the record, I also tried your username/password for SSH and was unsuccessful.
I'm wondering if the username/password you extracted is specific to your device?
Walking through some of the userdata.bin strings, I saw a default SSID of SpectrumSetup17, which is different from mine. Is that the SSID on your router case? If so, I think you might have to try once you get your device back together. Impressive work.

@ghoffman can you try making a POST request to

/cgi-bin/warehouse_api

Do a regular GET request first; it should throw an error like 400 INVALID_REQUEST or something.
Then do a POST request with an empty body. I am expecting it should accept the request but show "Unknown command".

The username/pass from previous post may also be required here for the POST to work

Extracted UserData: https://file.io/xaOv4bAho7Sd
They are using OpenSync for updates.
I'm not sure if the uboot password is there somewhere.

@meisterlone -
warehouse_api returns unknown

warehouse.cgi returns authorization required

There is a script to check warehouse mode (/sbin/modecheck.sh):

#!/bin/sh

#SCPBLFW-665 to check firmware warehouse mode
# Waits until br-wan has an address, then picks "Warehouse" or "Cloud" based
# solely on whether one of two warehouse FQDNs resolves via the WAN-side DNS.

while [ 1 ]
do
    ip4=$(ip -o -4 addr list br-wan | awk '{print $4}' | cut -d/ -f1)
    ip6=$(ip -o -6 addr list br-wan | grep "scope global" | awk '{print $4}' | cut -d/ -f1)

    #check for both ip4 and ip6. in MAP-T mode there will be no ipv4 address on br-wan
    if  [ -z "$ip4" ] && [ -z "$ip6" ] ; then
        sleep 1s
    else
        #echo $ip4
        #echo $ip6
        break # br-wan acquired an ip, so exit the while loop
    fi
done

wmode="Cloud" #default mode set to Cloud
# nslookup prints one "Address" line for the resolver itself and one more per
# answer record, so a count of 2 or more means the name actually resolved.
resolvedIPs=$(nslookup "warehouse.ctdi.local" | grep -c "^Address")
if [ "$resolvedIPs" -ge 2 ] ; then
    echo "FQDN acquired.. "
    wmode="Warehouse";
else
    resolvedIPs=$(nslookup "warehouse.ctdi.com" | grep -c "^Address")
    echo "checking 2nd FQDN"
    if [ "$resolvedIPs" -ge 2 ] ; then
        echo "got 2nd FQDN.."
        wmode="Warehouse";
    fi
fi

echo "$wmode" > /tmp/router_mode
echo "FWS:Idle" > /tmp/update_firmware_state
echo "Current mode is $wmode"
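As an added example (not code from the thread or from the device firmware), the script below re-runs the decision logic of /sbin/modecheck.sh over constructed nslookup output, so it is visible exactly what a DNS answer has to look like for the router to write "Warehouse" to /tmp/router_mode. It assumes the device's nslookup is BusyBox's, which prints one line starting with "Address" for the resolver itself and one more per answer record; the sample outputs and the dnsmasq line at the end are assumptions, not something the thread confirms.

```shell
#!/bin/sh
# Added example, not from the thread or the firmware: mirrors the mode decision
# of /sbin/modecheck.sh over constructed nslookup output.
# Assumption: BusyBox nslookup output format (resolver "Address" line + one per answer).

# Constructed output for a name that resolves: two "Address" lines.
RESOLVED_OUTPUT="Server:    192.168.0.1
Address 1: 192.168.0.1 gateway

Name:      warehouse.ctdi.local
Address 1: 192.168.0.10 warehouse.ctdi.local"

# Constructed output for NXDOMAIN: only the resolver's own "Address" line.
NXDOMAIN_OUTPUT="Server:    192.168.0.1
Address 1: 192.168.0.1 gateway

nslookup: can't resolve 'warehouse.ctdi.local'"

# count_addresses OUTPUT: the same grep -c the device runs on nslookup output.
count_addresses() {
    printf '%s\n' "$1" | grep -c "^Address" || true   # grep -c exits 1 on zero matches
}

# decide_mode FIRST_OUTPUT SECOND_OUTPUT: the script's two-stage check
# (warehouse.ctdi.local first, warehouse.ctdi.com as fallback); prints the mode.
decide_mode() {
    mode="Cloud"
    if [ "$(count_addresses "$1")" -ge 2 ]; then
        mode="Warehouse"
    elif [ "$(count_addresses "$2")" -ge 2 ]; then
        mode="Warehouse"
    fi
    printf '%s\n' "$mode"
}

# What this implies: whoever answers DNS on the upstream side of br-wan picks the
# mode; no signature or secret is involved. On an upstream box running dnsmasq,
# a single line of this form (assumed setup, any LAN address will do):
#   address=/warehouse.ctdi.local/192.168.0.10
# yields the two-"Address" output above the next time modecheck.sh runs.
```

decide_mode "$RESOLVED_OUTPUT" "$NXDOMAIN_OUTPUT" prints Warehouse, and decide_mode "$NXDOMAIN_OUTPUT" "$NXDOMAIN_OUTPUT" prints Cloud; the fallback FQDN is only consulted when the first lookup fails.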

@lytr -
Mine is in cloud mode. I'm not sure how to get it into warehouse mode...

In your extracted data, I think U-Boot is in this file:
12862676-14959616.unknown
thx

Can you check B4EEB4 as a uboot password?

That does not work with root or admin as the username on U-Boot. Maybe you have a suggestion for the U-Boot login name?

Username should be root:

Hit space key to stop autoboot: %2d
%2d 
Username#
root
Password#
You have %d times left to enter correct password.
You have %d times left to enter correct username.

You can also check:

  • default WiFi password: domainmirror258
  • string used in WiFi drivers: J15JP

@lytr -
Username root confirmed, but no success with these on U-Boot or the post-boot serial console.
Unfortunately I think the key will be to unlock at U-Boot somehow, and I don't have anything but the serial UART.

I was able to get the router into warehouse mode.

So that actually works, and then you have access to some commands. I tried some of the commands and they worked (get_current_firmware_version, fan_rpm_set, etc.).

So next I tried some terminal command injection.

Unfortunately I can't get it to execute my injected commands.

# Warehouse-mode handler for the fan_rpm_set command. command_params and
# log_file are set by the caller (the warehouse CGI dispatcher) before this runs.
update_fan_rpm_set_handler() {
    controller=$(get_fan_controller)
    # Refuse while thermal management (TM) still owns the fan controller.
    status=`ovsh s Node_Services --where service==$controller status -o %s 2>/dev/null`
    if [ "$status" = "enabled" ]; then
        echo "TM is not deactivated. Please deactivate TM and then perform fan test"
        exit 1
    fi
    # Pull the rpm= value out of the query string and decode only %20.
    set_rpm=`echo "$command_params" | /bin/sed -n 's/^.*rpm=\([^&]*\).*$/\1/p' | /bin/sed "s/%20/ /g"`
    # "$set_rpm" is passed quoted as a single argument to fw_utils; the shell
    # never re-parses it, so shell metacharacters in rpm= are not executed.
    /usr/opensync/bin/fw_utils --set_fan_rpm "$set_rpm" > "$log_file" 2>&1

    cat "$log_file"
    /bin/rm "$log_file"
}

The above code suggests it should be possible using the set-fan-RPM handler, because it's passing $command_params, which is text I can control. Not sure what to try next. I tried a bunch of escape characters, and I tried /sbin/reboot instead of sudo reboot; I can't get those executed.

There's also an "update_firmware" warehouse command that takes a TFTP address and file name, but that is probably going to check the image and fail on verifying it. I haven't looked into that yet because I'm not sure what firmware to even try flashing. Maybe the initramfs for the Dynalink RT5010W?

For now I would just really like to get root access on the device, and I thought the command injection was my ticket.

U-Boot password is probably stored as a SHA-256 hash:
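As an added example (not the device's code and not from the thread), the script below re-runs the handler's parameter extraction over constructed query strings and substitutes a stand-in for /usr/opensync/bin/fw_utils that only reports how many arguments it received. It shows why the injection attempts above never reach a shell: the rpm= value is captured by sed, only %20 is decoded, and the result is handed to the binary as one quoted argv element. The sample query strings are constructed, and the assumption that command_params is the raw query string is taken from the sed pattern in the handler.

```shell
#!/bin/sh
# Added example, not from the firmware: reproduces update_fan_rpm_set_handler()'s
# extraction of rpm= and shows what fw_utils would receive.
# Assumption: command_params holds the raw query string (as the sed pattern expects).

# extract_rpm PARAMS: the handler's own two sed stages (value after rpm=, %20 -> space).
# The handler calls /bin/sed by absolute path; plain sed is used here for portability.
extract_rpm() {
    printf '%s\n' "$1" | sed -n 's/^.*rpm=\([^&]*\).*$/\1/p' | sed "s/%20/ /g"
}

# fake_fw_utils: stands in for `fw_utils --set_fan_rpm "$set_rpm"`. It prints the
# number of arguments after --set_fan_rpm, which is what an injection would need
# to change: a shell would have to split or re-evaluate the value first.
fake_fw_utils() {
    shift                     # drop "--set_fan_rpm"
    printf '%s\n' "$#"
}

# argv_count_for PARAMS: the handler's call path with the real binary swapped out.
argv_count_for() {
    set_rpm=$(extract_rpm "$1")
    fake_fw_utils --set_fan_rpm "$set_rpm"
}

# Constructed inputs and what the device would see:
#   extract_rpm 'rpm=1500&foo=bar'            -> 1500
#   extract_rpm 'rpm=1500;/sbin/reboot'        -> 1500;/sbin/reboot  (no '&', whole tail is kept)
#   extract_rpm 'rpm=1500%20%3B%20reboot&x=1'  -> 1500 %3B reboot    (only %20 is decoded)
#   argv_count_for 'rpm=1500;/sbin/reboot'     -> 1  (one argument; ';' never reaches a shell)
```

Whatever is placed after rpm= ends up inside fw_utils's own argument parser, so any further attack surface is in that binary's handling of a non-numeric RPM string, not in the shell wrapper.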

@meisterlone -
How did you get warehouse mode?
Is there access to fw_printenv / fw_setenv or another way to set the U-Boot environment?
I'd set up a TFTP server for the WRX36 initramfs if I could figure out how/where to get it to look.


U-Boot with an ELF header (can easily be opened with Ghidra or IDA):

EDIT: New link
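The thread opened with two questions: where U-Boot lives in the dump and where its entry point is. As an added example (not code from the thread), the script below finds ELF headers in a raw flash dump, reads e_entry from each, and also reports offsets of U-Boot banner strings as a hint for where to look. It assumes GNU grep (for -ob) and od, little-endian images, and it tests itself on a constructed sample file whose entry value is arbitrary and not this board's.

```shell
#!/bin/sh
# Added example, not from the thread: locate ELF images in a raw dump and read
# their entry point. Assumptions: GNU grep/od; little-endian ELF32/ELF64.

# elf_offsets FILE: byte offsets of every "\x7fELF" magic in FILE.
elf_offsets() {
    grep -obUaF -- "$(printf '\177ELF')" "$1" | cut -d: -f1
}

# uboot_banner_offsets FILE: offsets of "U-Boot 20xx.xx" version banners.
uboot_banner_offsets() {
    grep -obUa 'U-Boot 20[0-9][0-9]\.[0-9][0-9]' "$1" | cut -d: -f1
}

# read_le FILE OFFSET NBYTES: little-endian integer at OFFSET, printed as 0x... hex.
read_le() {
    hex=""
    for b in $(od -An -v -tx1 -j "$2" -N "$3" "$1"); do
        hex="$b$hex"          # prepend each byte: reverses little-endian order
    done
    printf '0x%x\n' "0x$hex"
}

# elf_entry FILE OFFSET: e_entry of the ELF header at OFFSET (ELF32 or ELF64).
elf_entry() {
    class=$(od -An -v -tx1 -j $(($2 + 4)) -N 1 "$1" | tr -d ' \n')
    case "$class" in
        01) read_le "$1" $(($2 + 24)) 4 ;;   # ELF32: 4-byte e_entry at +0x18
        02) read_le "$1" $(($2 + 24)) 8 ;;   # ELF64: 8-byte e_entry at +0x18
        *)  echo "not an ELF header at offset $2" >&2; return 1 ;;
    esac
}

# scan_dump FILE: report every ELF image with its entry point.
scan_dump() {
    for off in $(elf_offsets "$1"); do
        printf 'ELF at offset %s, entry point %s\n' "$off" "$(elf_entry "$1" "$off")"
    done
}

# make_sample FILE: constructed test image: 64 bytes of filler, the first 32 bytes
# of an ELF64 aarch64 header with e_entry = 0x4A100000 (arbitrary), then a banner.
make_sample() {
    {
        printf 'junkjunkjunkjunk%.0s' 1 2 3 4                                 # 64 bytes filler
        printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000'       # e_ident
        printf '\002\000\267\000\001\000\000\000'  # e_type=EXEC, e_machine=0xB7, e_version=1
        printf '\000\000\020\112\000\000\000\000'  # e_entry = 0x4A100000 (LE)
        printf 'U-Boot 2016.01 (constructed banner)'
    } > "$1"
}

# Usage, after sourcing this file: scan_dump /path/to/spi-nor-dump.bin
# Self-check on the constructed sample:
#   make_sample /tmp/sample.bin && scan_dump /tmp/sample.bin
#   -> ELF at offset 64, entry point 0x4a100000
```

On a real dump, the ELF offset and the first banner offset should be close together; the e_entry value is where to set the load address when importing the carved region into Ghidra or IDA, and a banner far from any ELF magic usually marks a raw (non-ELF) copy of the bootloader.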