OpenWrt Forum Archive

Topic: D-link DWR-956 (LTE/4G - 802.11ac) - My OpenWRT Project

The content of this topic has been archived on 11 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi everyone. I'm new here, and this is my first post. Yey! :)
I have a little special case.
My wifi router is a D-link DWR-956, purchased from Telenor Norway (an ISP/phone company).
It's an LTE/4G router, with 802.11ac support.
http://i.imgur.com/FW7Dzho.jpg?2

I couldn't find ANY information on the web about this router. Not from Telenor, and not from D-link.
Nothing at all...
They even encrypted the firmware updates, so analyzing them was impossible.

Well, I've been tinkering with this device for a while now, and I've learnt a great deal doing so.
I managed to get a serial console on the device after locating the UART headers.
U-Boot was very limited, so I had to load the mtd partitions and UBI partitions into memory, then dump the content of the memory to the screen while logging everything.
Afterwards I had to go over all the logfiles to filter out the offsets and the ASCII, leaving only the hex.
After some days I had an exact duplicate of the NAND chip on my hard drive.
Everything was unencrypted on the device, so I found the keys to decrypt the firmware updates, and the root password to the device.

The SoC is a Lantiq GRX388

cat /proc/cpuinfo
system type: AR10
processor: 0
cpu model: MIPS 34Kc V5.6
BogoMIPS: 399.76
wait instruction: yes
microsecond timers: yes
tlb_entries: 16
extra interrupt vector: yes
hardware watchpoint: yes, count: 4, address/irw mask: [0x0000, 0x0ff8, 0x0ff8, 0x0ff8]
ASEs implemented: mips16 dsp mt
shadow register sets: 1
core: 0
VCED exceptions: not available
VCEI exceptions: not available

The firmware running is a custom build of OpenWRT with kernel 2.6.32.42 (with a few vulnerabilities).

root@telenor-ruter:~# cat /etc/openwrt_release 
DISTRIB_ID="OpenWrt"
DISTRIB_RELEASE="10.03.1"
DISTRIB_CODENAME="backfire"
DISTRIB_DESCRIPTION="OpenWrt Backfire 10.03.1"
root@telenor-ruter:~# cat /etc/openwrt_version 
10.03.1-RC6

I haven't given up my hopes of getting OpenWRT up and running on this device.
So if there's anything I can do to help out, please let me know.
At the moment I'm trying to emulate the firmware with Firmadyne, and I'm learning lots of new stuff every day.
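
The log clean-up step described in the post above (drop the offsets and the ASCII column, keep the hex), as an added example that is not the poster's own script. It assumes the dump was printed with U-Boot's `md.b` in its usual `address: hex bytes    ASCII` layout, which the post does not state; `parse_md_log` and `SAMPLE_LOG` are hypothetical names and the sample log is constructed. It also reports address gaps, because a dropped serial line would otherwise shift every later offset in the rebuilt image.

```python
import re

# Assumed "md.b" line shape (the post does not name the command used):
#   80800000: 27 05 19 56 00 01 ... 0b    '..V............
LINE_RE = re.compile(
    r"^([0-9a-fA-F]{8}):((?: [0-9a-fA-F]{2}){1,16})(?:\s{2,}.*)?$")

def parse_md_log(text):
    """Rebuild dumped bytes from a serial log.

    Returns (base_address, data, problems). Lines that are not dump rows
    (prompts, echoed commands, corrupted rows) are skipped; a corrupted or
    missing row then shows up as an address gap in `problems`.
    """
    data, problems = bytearray(), []
    base = expected = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(raw.rstrip("\r"))
        if not m:
            continue
        addr = int(m.group(1), 16)
        chunk = bytes.fromhex(m.group(2).replace(" ", ""))
        if base is None:
            base = expected = addr
        if addr < expected:
            problems.append((lineno, "repeated row at 0x%08x skipped" % addr))
            continue
        if addr > expected:
            gap = addr - expected
            problems.append(
                (lineno, "gap of %d bytes at 0x%08x" % (gap, expected)))
            # Pad with 0xff (a choice made here) so later offsets stay aligned.
            data.extend(b"\xff" * gap)
        data.extend(chunk)
        expected = addr + len(chunk)
    return base, bytes(data), problems

# Constructed sample log: one row (0x80800020) was lost on the serial line.
SAMPLE_LOG = """\
=> md.b 80800000 40
80800000: 27 05 19 56 00 01 02 03 04 05 06 07 08 09 0a 0b    '..V............
80800010: 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f    ................
80800030: 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f    0123456789:;<=>?
=>
"""

if __name__ == "__main__":
    base, image, problems = parse_md_log(SAMPLE_LOG)
    print(hex(base), len(image), problems)
```

Any entry in `problems` means that address range should be dumped again before the image is treated as a faithful copy.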

Hi Adde!

I think I can help you!
I can decrypt SNOM760 firmware, modify, repack, encrypt and sign new firmware.
I think it's the same process in D-Link firmware.
Most firmware is AES-128 encrypted, with a sign header.

Can you send me a firmware image?

Manu

If it's possible, send me the dump with the original firmware.

Manu

(Last edited by roema on 21 Sep 2016, 05:15)
