WL-WN572HG3 Soft Hack?

exec: nikto -h http://192.168.0.250

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.0.250
+ Target Hostname:    192.168.0.250
+ Target Port:        80
+ Start Time:         2019-12-21 00:25:29 (GMT0)
---------------------------------------------------------------------------
+ Server: lighttpd
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST

+ 8733 requests: 1 error(s) and 4 item(s) reported on remote host
+ End Time:           2019-12-21 00:29:56 (GMT0) (267 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
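
The three header findings above are what nikto reports for any lighttpd that sends no response-header policy; on their own they are low severity (the Allowed HTTP Methods line is a normal baseline). As an added example, not the device's own configuration, this is how those headers would be emitted from a lighttpd 1.4 config. The thread does not show the device's lighttpd.conf, module list or config path, so those are assumed here:

```lighttpd
# Added example, not the device's lighttpd.conf (the thread never shows it).
# Assumes a stock lighttpd 1.4 with the default module set.

# Weak (what nikto saw): no header policy at all, i.e. no setenv block.
# The server then sends only its own Server:/Content-Type: headers.

# Hardened: load mod_setenv and attach the headers to every response.
server.modules += ( "mod_setenv" )

setenv.add-response-header = (
    # Refuse to be framed by other origins: the anti-clickjacking item.
    "X-Frame-Options"        => "SAMEORIGIN",
    # Stop the browser from sniffing a different MIME type than the one sent.
    "X-Content-Type-Options" => "nosniff",
    # Legacy header: current browsers have no XSS auditor, and "0" avoids the
    # side effects the old filter had. nikto only checks that it is defined.
    "X-XSS-Protection"       => "0",
)
```

Treat these as hygiene. The exposure that matters in this thread is further down: the telnet service on port 2323 and the webcmd.shtml page that hands out a shell, neither of which any response header changes.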

For anyone that needs the original firmware updated to 12 March 2020 (20200312):

https://mega.nz/file/9pkF3D4Z#mLDoGIJ0GNUbIjjXnXKPGtvqMA081UDnkHhdJ3ybHx0

Did you finally open it and attach it to UART? :wink:

I got in. The UART was not any of the groups of 4-pin header vias; it was a lone pair of holes about 3-4 inches from the end. I don't remember which one. Here's me puttering around in PuTTY.
the pastebin
I eventually figured this out and was able to load images across with tftp and attempt to boot. IIRC I kept running into storage issues: one couldn't find something to mount, another just went to kernel panic. That was with the official nightlies for that SoC and glue hardware.
I then made a builder machine and cooked up this:

Booting image at 82000000 ...
Image Name: MIPS OpenWrt Linux-4.14.180
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 3813618 Bytes = 3.6 MB
Load Address: 80000000
Entry Point: 80000000
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80000000) ...
## Giving linux memsize in MB, 64

Starting kernel ...

Linux version 4.14.180 (builder@buildhost) (gcc version 7.5.0 (OpenWrt GCC 7.5.0 r11063-85e04e9f46)) #0 Sat May 16 18:32:20 2020
Board has DDR2

But downtime was annoying people, so that is as far as I got.

I'll get back to it soon.

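The boot log above is U-Boot parsing a legacy uImage header: the Image Name, Image Type, Data Size, Load Address and Entry Point lines are fields of the 64-byte header, and "Verifying Checksum ... OK" is a CRC32 over the header and another over the payload. That is an integrity check against a bad tftp transfer, not an authenticity check: anyone who can reach the bootloader (over UART here) can wrap any payload so that it passes. The following is an added example, not code from the post or from OpenWrt/U-Boot. It builds a uImage the way mkimage does, parses it back, verifies both CRCs, and shows that freshly wrapped arbitrary bytes verify just as cleanly. The payload is a constructed byte string, not a real kernel, and only the enum values needed to reproduce the log's "MIPS Linux Kernel Image (lzma compressed)" line are included.

```python
import struct
import zlib

# Legacy U-Boot image header (struct image_header in U-Boot's include/image.h):
# 64 bytes, big-endian, followed directly by the payload.
IH_MAGIC = 0x27051956
IH_FMT = ">IIIIIIIBBBB32s"   # magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name
IH_LEN = struct.calcsize(IH_FMT)  # 64

# Subset of U-Boot's enums, enough for the image type shown in the post's log.
IH_OS = {5: "Linux"}
IH_ARCH = {5: "MIPS"}
IH_TYPE = {2: "Kernel Image", 3: "RAMDisk Image"}
IH_COMP = {0: "uncompressed", 1: "gzip compressed", 3: "lzma compressed"}


def build_uimage(payload, name, load=0x80000000, ep=0x80000000,
                 os_=5, arch=5, typ=2, comp=3, timestamp=0):
    """Wrap payload in a legacy uImage header the way mkimage does.

    The header CRC is computed over the header with ih_hcrc zeroed, then patched in.
    """
    dcrc = zlib.crc32(payload) & 0xFFFFFFFF
    hdr = struct.pack(IH_FMT, IH_MAGIC, 0, timestamp, len(payload), load, ep, dcrc,
                      os_, arch, typ, comp, name.encode())
    hcrc = zlib.crc32(hdr) & 0xFFFFFFFF
    return hdr[:4] + struct.pack(">I", hcrc) + hdr[8:] + payload


def parse_uimage(blob):
    """Parse a uImage and check both CRCs; returns the fields U-Boot prints."""
    if len(blob) < IH_LEN:
        raise ValueError("too short for a uImage header")
    (magic, hcrc, _time, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = struct.unpack(IH_FMT, blob[:IH_LEN])
    if magic != IH_MAGIC:
        raise ValueError("bad magic 0x%08x" % magic)
    # Header CRC is over the header with the hcrc field itself zeroed.
    header_ok = (zlib.crc32(blob[:4] + b"\0" * 4 + blob[8:IH_LEN]) & 0xFFFFFFFF) == hcrc
    data = blob[IH_LEN:IH_LEN + size]
    data_ok = len(data) == size and (zlib.crc32(data) & 0xFFFFFFFF) == dcrc
    return {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "type": "%s %s %s (%s)" % (IH_ARCH.get(arch, arch), IH_OS.get(os_, os_),
                                   IH_TYPE.get(typ, typ), IH_COMP.get(comp, comp)),
        "size": size, "load": load, "ep": ep,
        "header_ok": header_ok, "data_ok": data_ok,
        "checksum_ok": header_ok and data_ok,
    }


def uboot_lines(info):
    """Render the parsed fields in the layout of the boot log in the post."""
    if not info["header_ok"]:
        verdict = "Bad Header Checksum"
    elif not info["data_ok"]:
        verdict = "Bad Data CRC"
    else:
        verdict = "OK"
    return [
        "Image Name: %s" % info["name"],
        "Image Type: %s" % info["type"],
        "Data Size: %d Bytes" % info["size"],
        "Load Address: %08x" % info["load"],
        "Entry Point: %08x" % info["ep"],
        "Verifying Checksum ... %s" % verdict,
    ]


if __name__ == "__main__":
    # Constructed stand-in for an LZMA-compressed kernel; not a real image.
    sample = build_uimage(b"\x5d\x00\x00\x80\x00" + b"\x00" * 1019,
                          "MIPS OpenWrt Linux-4.14.180")
    print("\n".join(uboot_lines(parse_uimage(sample))))
    # Flip one payload byte: the data CRC fails while the header CRC still passes.
    damaged = bytearray(sample)
    damaged[IH_LEN + 10] ^= 0xFF
    print("\n".join(uboot_lines(parse_uimage(bytes(damaged)))))
    # Re-wrap arbitrary bytes: the check passes, because CRC32 is not a signature.
    print(parse_uimage(build_uimage(b"not a kernel", "anything"))["checksum_ok"])
```

The practical consequence for a device like this one: a bootloader that accepts tftp images and verifies only CRCs gives whoever holds the serial console full control of what runs, which is exactly what made the OpenWrt experiments in the post possible, and equally what a signed-boot chain would be needed to prevent.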

I downloaded the file from the link above and ran it through binwalk. Other than some auth server in France it seems OK. Need to go through it some more.

Telnet port 2323 opened up for me and I was able to log in as admin2860 with the password set in the initial setup wizard.

I have since created a new user. I'll be compiling ssh for it later today.

The initial login BusyBox is missing many commands, so be sure to execute /bin/busybox for a larger command set.

# /bin/busybox
BusyBox v1.12.1 (2020-02-29 14:28:25 CST) multi-call binary
Copyright (C) 1998-2008 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.

Usage: busybox [function] [arguments]...
   or: function [arguments]...

        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable.  Most people will create a
        link to busybox for each function they wish to use and BusyBox
        will act like whatever it was invoked as!

Currently defined functions:
        [, [[, addgroup, adduser, arp, arping, ash, awk, brctl, cat, chmod, chpasswd, cp, crond, crontab, cut, date, dd, delgroup, deluser, df, diff, dmesg, dumpleases, echo,
        expr, fdisk, free, getty, grep, halt, head, hexdump, hostname, id, ifconfig, init, init, insmod, kill, killall, klogd, ln, logger, login, ls, lsmod, md5sum, mdev, mkdir,
        mknod, mount, netstat, nslookup, passwd, ping, ping6, poweroff, printf, ps, pwd, reboot, rm, rmmod, route, sed, seq, sh, sleep, sulogin, sync, sysctl, syslogd, telnetd,
        test, tftp, time, top, touch, tr, udhcpc, udhcpd, umount, uptime, vconfig, vi, vlock, wc, wget

# ls -l
drwxr-xr-x    3 0        0               0 dev
drwxr-xr-x    5 0        0               0 usr
drwxr-xr-x    3 0        0               0 etc
drwxr-xr-x    4 0        0               0 lib
drwxr-xr-x    2 0        0               0 mnt
drwxr-xr-x    3 0        0               0 home
drwxr-xr-x    2 0        0               0 sbin
drwxr-xr-x    6 0        0               0 var
lrwxrwxrwx    1 0        0              11 init -> bin/busybox
drwxr-xr-x   11 0        0               0 etc_ro
drwxr-xr-x   11 0        0               0 sys
drwxr-xr-x    2 0        0               0 bin
dr-xr-xr-x   49 0        0               0 proc
drwxr-xr-x    4 0        0               0 tmp
drwxr-xr-x    2 0        0               0 media
drwxr-xr-x    3 0        0               0 vendor
# pwd
/
# cd /etc
#
#
#
# cd ..
# cd etc_ro/lighttpd/www/
# ls -l
drwxr-xr-x    2 0        0               0 cgi-bin
-rwxr-xr-x    1 0        0           17986 sch_reboot.shtml
-rwxr-xr-x    1 0        0           10047 live_test.shtml
-rwxr--r--    1 0        0              43 live_dmesg.shtml
-rwxr--r--    1 0        0            3322 live_mfg.shtml
-rwxr-xr-x    1 0        0              48 mesh_get_signal.shtml
-rwxr-xr-x    1 0        0           38951 lang2_fr.js
-rwxr-xr-x    1 0        0           27082 live_get_mesh_app.shtml
-rwxr-xr-x    1 0        0              47 live_setLedOff.shtml
drwxr-xr-x    2 0        0               0 wifi_wavlink
-rwxr-xr-x    1 0        0            1518 live_check_ddns.shtml
-rwxr-xr-x    1 0        0           16466 wifi_rep.shtml
-rwxr-xr-x    1 0        0             939 main1.shtml
-rwxr-xr-x    1 0        0           12625 update_mesh_app.shtml
-rwxr-xr-x    1 0        0            3976 webcmd.shtml
-rwxr-xr-x    1 0        0           30438 wizard_rep.shtml
-rwxr-xr-x    1 0        0              47 live_cli_signal.shtml
-rwxr-xr-x    1 0        0           15622 login.shtml
-rwxr-xr-x    1 0        0           27925 wizard_wisp_mesh.shtml
-rwxr-xr-x    1 0        0            1329 live_check_fw.shtml
-rwxr-xr-x    1 0        0           23266 reset_reboot.shtml
-rwxr-xr-x    1 0        0           29315 main.shtml
-rwxr-xr-x    1 0        0             188 live_getsettings.shtml
-rwxr-xr-x    1 0        0           27605 live_get_mesh.shtml
-rwxr-xr-x    1 0        0           25819 setting.shtml
-rwxr--r--    1 0        0           34476 lang2_en.js
-rwxr-xr-x    1 0        0           18053 wifi.shtml
-rwxr-xr-x    1 0        0           29937 wizard_wisp.shtml
-rwxr-xr-x    1 0        0           34757 wifi_base.shtml
-rwxr-xr-x    1 0        0            9218 linux.css
-rwxr-xr-x    1 0        0              48 live_ddns.shtml
-rwxr-xr-x    1 0        0            8327 live_check.shtml
-rwxr-xr-x    1 0        0           13872 ddns.shtml
-rwxr-xr-x    1 0        0              46 live_mac.shtml
-rwxr-xr-x    1 0        0             302 live_setting.shtml
-rwxr-xr-x    1 0        0           15038 check_update.shtml
-rwxr-xr-x    1 0        0           12613 update_mesh.shtml
-rwxr-xr-x    1 0        0           32242 lang2_cn.js
-rwxr-xr-x    1 0        0           14086 update_uboot.shtml
-rwxr-xr-x    1 0        0           18095 nas_disk.shtml
-rwxr-xr-x    1 0        0              42 live_language.shtml
-rwxr-xr-x    1 0        0            1224 live_internet.shtml
-rwxr-xr-x    1 0        0           10234 reset_app.shtml
-rwxr-xr-x    1 0        0             430 mesh_satellite_status.shtml
-rwxr-xr-x    1 0        0           32648 linux.js
-rwxr-xr-x    1 0        0            3470 lang_net_conf.js
-rwxr-xr-x    1 0        0           38928 lang2_es.js
-rwxr-xr-x    1 0        0            2842 live_status.shtml
-rwxr--r--    1 0        0           28817 net_tool.shtml
-rwxr-xr-x    1 0        0               6 apptimeout.shtml
-rwxr-xr-x    1 0        0             485 mesh_get_extender.shtml
-rwxr-xr-x    1 0        0           10756 ledonoff.shtml
-rwxr-xr-x    1 0        0           13893 nightlight_onoff.shtml
-rwxr-xr-x    1 0        0             309 803F5D.txt
-rwxr-xr-x    1 0        0           32752 lang2_tw.js
-rwxr-xr-x    1 0        0            1463 live_speed.shtml
-rwxr-xr-x    1 0        0            3031 live_signal.shtml
-rwxr-xr-x    1 0        0           19951 lan.shtml
-rwxr-xr-x    1 0        0              46 live_internetStatus.shtml
-rwxr-xr-x    1 0        0           20386 wifi_advance2.shtml
-rwxr-xr-x    1 0        0           44989 lang2_jp.js
-rwxr-xr-x    1 0        0            2540 live_online.shtml
drwxr-xr-x    2 0        0               0 Templates
-rwxr-xr-x    1 0        0           25381 devicestat.shtml
-rwxr-xr-x    1 0        0           32253 wizard_ap.shtml
-rwxr-xr-x    1 0        0           25527 wifi_advance5.shtml
-rwxr-xr-x    1 0        0           27986 sysinit.shtml
-rwxr-xr-x    1 0        0            9897 wifi_roaming.shtml
-rwxr-xr-x    1 0        0           17343 wifi_mesh.shtml
-rwxr-xr-x    1 0        0           35522 lang2_nl.js
-rwxr-xr-x    1 0        0              85 lan_get_strength.shtml
-rwxr-xr-x    1 0        0           30036 wizard_router.shtml
-rwxr-xr-x    1 0        0            9240 fileerror.shtml
-rwxr-xr-x    1 0        0           17378 wifi_touchlink.shtml
-rwxr-xr-x    1 0        0           19178 set_time.shtml
-rwxr-xr-x    1 0        0           16705 set_safety.shtml
-rwxr-xr-x    1 0        0            3449 lang_jet_conf.js
-rwxr-xr-x    1 0        0           25168 wizard_client.shtml
-rwxr-xr-x    1 0        0           21683 wizard.shtml
-rwxr-xr-x    1 0        0              54 live_disk.shtml
-rwxr-xr-x    1 0        0           93436 jquery-1.8.2.min.js
-rwxr-xr-x    1 0        0              45 mesh_sync.shtml
-rwxr-xr-x    1 0        0           27887 wizard_router_mesh.shtml
-rwxr-xr-x    1 0        0           22786 wifi_base_mesh.shtml
drwxr-xr-x    2 0        0               0 images
-rwxr-xr-x    1 0        0           12239 sitesurvey.shtml
-rwxr-xr-x    1 0        0           10404 man_security.shtml
-rwxr-xr-x    1 0        0           19516 update.shtml
-rwxr-xr-x    1 0        0           39227 lang2_it.js
-rwxr-xr-x    1 0        0           13145 reset.shtml
-rwxr-xr-x    1 0        0           10432 wifi.js
-rwxr-xr-x    1 0        0              44 mesh_get_mode.shtml
-rwxr--r--    1 0        0           15212 cli_control.shtml
-rwxr-xr-x    1 0        0           12381 wifi_region.shtml
-rwxr-xr-x    1 0        0            1150 favicon.ico
-rwxr-xr-x    1 0        0           38657 lang2_de.js
-rwxr-xr-x    1 0        0           19631 update_mesh_fw.shtml
-rwxr-xr-x    1 0        0            2963 live_repsignal.shtml
-rwxr-xr-x    1 0        0           18230 extender_set_ssid.shtml
-rwxr-xr-x    1 0        0            8825 md5.js
-rwxr-xr-x    1 0        0           11845 wifi_mode.shtml
-rwxr-xr-x    1 0        0           13101 wifi_guest.shtml
-rwxr-xr-x    1 0        0           30991 wan.shtml
-rwxr-xr-x    1 0        0           16120 ledonoff_mesh.shtml
-rwxr-xr-x    1 0        0              46 live_setLedOn.shtml
-rwxr-xr-x    1 0        0            3466 lang_conf.js
-rwxr-xr-x    1 0        0           11961 reset_update.shtml
lrwxrwxrwx    1 0        0              17 messages.txt -> /var/log/messages
lrwxrwxrwx    1 0        0              12 speed.tmp -> /bin/busybox

Well, I guess all of that was kinda pointless.

Random firmware from @alecuba16

Here is his FW image
http://IP/webcmd.shtml
/bin/busybox

And here is OEM firmware
http://IP/webcmd.shtml
/bin/busybox

So I guess there was built-in root access anyway.

I'll still document the board for USB host (x2?) and the UART for serial.

~frustro

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.08.22 18:21:56 =~=~=~=~=~=~=~=~=~=~=~=
WAVLINK login: admin2860
Password: 


BusyBox v1.12.1 (2019-02-28 15:06:05 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# /bin/busybox
BusyBox v1.12.1 (2019-02-28 15:06:05 CST) multi-call binary
Copyright (C) 1998-2008 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.

Usage: busybox [function] [arguments]...
   or: function [arguments]...

        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable.  Most people will create a
        link to busybox for each function they wish to use and BusyBox
        will act like whatever it was invoked as!

Currently defined functions:
        [, [[, addgroup, adduser, arp, ash, awk, brctl, cat, chmod, chpasswd,
        cp, crond, crontab, cut, date, delgroup, deluser, df, dmesg, dumpleases,
        echo, expr, fdisk, free, getty, grep, halt, head, hexdump, hostname,
        id, ifconfig, init, init, insmod, kill, killall, klogd, ln, logger,
        login, ls, lsmod, md5sum, mdev, mkdir, mknod, mount, netstat, nslookup,
        passwd, ping, ping6, poweroff, printf, ps, pwd, reboot, rm, rmmod,
        route, sed, seq, sh, sleep, sulogin, sync, syslogd, telnetd, test,
        tftp, time, top, touch, tr, udhcpc, udhcpd, umount, uptime, vconfig,
        vi, vlock, wc, wget

# adduser frustro
Changing password for frustro
New password:
Retype password:
Password for frustro changed by admin2860
# login
WAVLINK login: frustro
Password: 


BusyBox v1.12.1 (2019-02-28 15:06:05 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# exit


Nice! So we don't have any trouble flashing random firmware?

I will buy myself a device, too.

I wouldn't recommend this device at all, @PolynomialDivision.
The Ethernet ports are only 10/100, so if you have internet faster than 100 Mbps you have a bottleneck there. The only way to get around that is to have the unit in repeater mode and use 5 GHz Wi-Fi to connect to your local network. Using the Ethernet in AP or router mode will just slow everything down to the speed of that port.

It's possible that the USB ports are there but just not populated, and you might be able to add a USB gigabit Ethernet adapter and then cook that into an OpenWrt FW image.

Just a thought.

~frustro


o.O

Thanks! Okay.

@frustro

Any idea if there is some MediaTek outdoor hardware that has a 1 Gbit port?

I would like to try a MediaTek device, but maybe I have to stick to the EAP225 Outdoor.

Hello,
@frustro do you see a reasonable way to test OpenWrt this way?

I bought the device for my ship and think it would fit perfectly from the hardware side. If there were a way to start with OpenWrt it should be pretty much usable as a simple repeater even with 10/100 ports (not used in this scenario).

@alecuba16 the link is dead.
Do you still have the firmware?
Where did you find it?
Would you mind to share it with me or upload it somewhere again?

@frustro
How did you open the device without bringing any harm to the seal?
Do you have any photos or other documentation?

It would be very interesting to get some information about that too :innocent:

There really is no "seal"; it's just O-rings, washers and nuts.

Remove the antennas and the silicone rubber boots, then the SMA connector nut and washer for all four antennas.
Then gently unscrew the bottom cap; there is an O-ring between the cap and the body, don't damage it. Slide it out of the bottom with ease.

I didn't film or picture anything yet.

Advice: while you are in there, strengthen the antenna connectors with more solder and epoxy. My antennas had broken away from the board a few times in the wind and weather until I used a quick two-part epoxy.

I'll find the firmware for you.


https://www.wavlink.com/en_us/firmware/details/0d612458a7.html That's the version I used on my device. The firmware works on many models.


Wow thank you a lot.

This explanation is worth more than pictures :joy: :+1:

Oh, good to know. It will be installed on the ship with lots of wind and 'movement'.

Thank you

Thank you again. I did some research and didn't find it at all. But it was there all the time, obviously.

Was there a way to flash OpenWrt over some sort of web UI/telnet/SSH/etc.?
How did you manage to run OpenWrt on it?

You have to remove the grounding wire screw as well. I recall the ship thing; that's why I mentioned the added strength.

That's all I remember right now

Thank you a lot for all the information. I'll do some more research once I am inside :wink: :+1: