Hacking the TalkTalk HUAWEI HG523a Router Part 2

For part 1 please Click Here.

OK. So I have access to the router's BusyBox console. I found that typing the busybox command displays all the commands available on the device.

# busybox
BusyBox vv1.9.1 (2012-03-05 00:16:52 CST) multi-call binary
Copyright (C) 1998-2007 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.

Usage: busybox [function] [arguments]...
or: function [arguments]...

BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable.  Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as!

Currently defined functions:
[, [[, arp, ash, cat, chmod, chown, cp, date, echo, ftpget,
ftpput, halt, ifconfig, init, kill, killall, linuxrc,
ln, ls, mcast, mkdir, mknod, mount, netstat, nslookup,
ping, poweroff, ps, reboot, rm, route, sh, sleep, test,
top, traceroute, umount, vconfig, wget


As you can see, the number of commands available is quite small. Looking at some other BusyBox console outputs posted online, there are usually many more programs available to run. There is a great page found here which details many of the programs or 'applets' that BusyBox can have installed and describes what they are for. Many of the commands available on the HG523a aren't of much use.

My next aim is to try to extract the filesystem from the device, allowing me to analyse it more easily on another computer with more tools available.

I tried to mount a directory over NFS but found out that NFS isn't supported on the device. If you run the command cat /proc/filesystems you can check which file systems are supported. If NFS were listed in this output it might have been an option.

# cat /proc/filesystems
nodev   rootfs
nodev   bdev
nodev   proc
nodev   sockfs
nodev   pipefs
nodev   tmpfs
nodev   ramfs

My next attempt involved copying the device file which contains the file system. I first checked the file system type, as this information is important later on.

# cat /proc/mounts
rootfs / rootfs rw 0 0
/dev/root / squashfs ro 0 0
none /dev tmpfs rw 0 0
/proc /proc proc rw 0 0
none /var tmpfs rw 0 0
none /tmp tmpfs rw 0 0
none /mnt tmpfs rw 0 0

From this output you can see the root filesystem is running on squashfs.

I next went on to find where the file system is stored. /dev/root doesn't exist, which was slightly confusing.

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00010000 00001000 "boot"
mtd1: 00001000 00001000 "flag"
mtd2: 003c0000 00001000 "main"
mtd3: 0002d000 00001000 "config"

This mtd file showed that the router's flash is split into 4 partitions.

boot, which I assume is the boot loader.
flag, which I'm not sure about.
main, which I assume is the file system, especially considering it is the largest in size.
config, which again I'm not entirely sure about. The one of interest is the one called main on mtd2.

Now, looking in the dev directory you can see all the mtd devices.

# cd /dev
# ls
initctl    mtdblock6  mtd4       tty1       kmem       I2S        ram2
mem        mtdblock5  mtd3       tty2       port       boardled   ram3
ttyp2      mtdblock4  mtd2       tty3       null       wlchr      adsl0
ttyp1      mtdblock3  mtd1       tty4       ac0        ttyUSB0
ttyp0      mtdblock2  mtd0       ppp        acl0       ttyUSB1
ptyp2      mtdblock1  ptmx       printer0   urandom    ttyUSB2
ptyp1      mtdblock0  ttyS0      console    gpio       ttyUSB3
ptyp0      mtd6       tty        bhal       hwnat0     ram0
zero       mtd5       tty0       commondrv  i2cM0      ram1

If you remember, when I typed the busybox command at the beginning there was a command called ftpput. This ftpput command is how I'm going to extract the firmware from the device.

# ftpput
BusyBox vv1.9.1 (2012-03-05 00:16:52 CST) multi-call binary

Usage: ftpput [options] remote-host

Download or upload via FTP.

-g    Download
-s    Upload
-v    Verbose
-u    Username to be used
-p    Password to be used
-l    Local file path
-r    Remote file path
-P    Port to be used, optional
-B    Bind local ip, optional
-A    Remote resolved ip, optional
-b    Transfer start position
-e    Transfer length
-m    Max transfer size
-c    Compress downloaded file


So I opened up my Kali Linux virtual machine and installed an FTP server. I then attempted to upload using ftpput on the router. One of the difficulties I had with this program is that it is very unforgiving with the syntax: it wouldn't respond stating the mistake you made with the input. But in the end, after some searching, I found the correct command.

ftpput -s -v -u ftpuser -p toor -l /dev/mtdblock2 -r /ftpdir/mtdblock2

ftpuser is the username that has write access on my FTP server on the Kali virtual machine.
toor is the password.
/dev/mtdblock2 is the file I'm copying.
/ftpdir/mtdblock2 is the location on the FTP server where the file is saved. The remote-host argument is the FTP server IP address.

So now I have mtdblock2 on my virtual machine.

The next stage is to extract the firmware from mtdblock2. I did initially attempt to mount the image directly, hoping it would work, but sadly it didn't.

root@kali:~/Desktop/talktalk# mount -t squashfs mtdblock2 /mnt
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
missing codepage or helper program, or other error
In some cases useful info is found in syslog - try
dmesg | tail  or so

I then went on to run binwalk on it.

root@kali:~/Desktop/talktalk# binwalk mtdblock2

0             0x0           Squashfs filesystem, big endian, lzma signature, version 3.0, size: 2072620 bytes,  182 inodes, blocksize: 65536 bytes, created: Sun Mar  4 16:18:17 2012
2076736       0x1FB040      LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3827500 bytes

As you can see, it shows a Squashfs filesystem right at the start of the file, which confirms what I found when I ran cat /proc/mounts on the device.
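As an added example (not from the original post), a small Python parser for the 3.x superblock that binwalk identified: it reads the fields at the offsets binwalk itself uses (magic, version, inode count, block size, creation time, bytes used) and spells out why a plain mount -t squashfs fails on this image. The sample header is constructed from the values binwalk printed, not the real image bytes; the "sqlz" magic is the LZMA signature binwalk reported.

```python
import struct
from datetime import datetime, timezone

# Superblock magics at offset 0. "sqlz" is the LZMA-variant signature binwalk
# printed for this image; "sqsh"/"hsqs" are the standard big/little-endian ones.
BIG_ENDIAN_MAGICS = (b"sqsh", b"sqlz")
LITTLE_ENDIAN_MAGICS = (b"hsqs",)

# Byte offsets in the packed squashfs 3.x superblock (the same ones binwalk reads).
OFF_INODES, OFF_MAJOR, OFF_BLOCK_LOG = 4, 28, 34
OFF_MKFS_TIME, OFF_BLOCK_SIZE, OFF_BYTES_USED = 39, 51, 63
SUPERBLOCK_LEN = OFF_BYTES_USED + 8

def parse_squashfs3_superblock(data):
    """Decode the superblock at the start of `data`; raise ValueError if it is not a 3.x image."""
    if len(data) < SUPERBLOCK_LEN:
        raise ValueError("need at least %d bytes, got %d" % (SUPERBLOCK_LEN, len(data)))
    magic = bytes(data[:4])
    if magic in BIG_ENDIAN_MAGICS:
        e = ">"
    elif magic in LITTLE_ENDIAN_MAGICS:
        e = "<"
    else:
        raise ValueError("no squashfs magic at offset 0: %r" % magic)
    major, minor = struct.unpack_from(e + "HH", data, OFF_MAJOR)
    if major != 3:
        raise ValueError("version %d.%d: the offsets above only hold for 3.x" % (major, minor))
    block_log = struct.unpack_from(e + "H", data, OFF_BLOCK_LOG)[0]
    block_size = struct.unpack_from(e + "I", data, OFF_BLOCK_SIZE)[0]
    if block_size != 1 << block_log:  # cheap sanity check that we are reading real fields
        raise ValueError("block_size %d disagrees with block_log %d" % (block_size, block_log))
    mkfs_time = struct.unpack_from(e + "I", data, OFF_MKFS_TIME)[0]
    return {
        "magic": magic.decode("ascii"),
        "endian": "big" if e == ">" else "little",
        "lzma_signature": magic == b"sqlz",
        "version": "%d.%d" % (major, minor),
        "inodes": struct.unpack_from(e + "I", data, OFF_INODES)[0],
        "block_size": block_size,
        "bytes_used": struct.unpack_from(e + "q", data, OFF_BYTES_USED)[0],
        "created": datetime.fromtimestamp(mkfs_time, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
    }

def why_mount_fails(info):
    """Why `mount -t squashfs` gives 'wrong fs type': the in-kernel driver only reads the 4.0 format."""
    reasons = ["on-disk format %s, but the kernel driver needs 4.0" % info["version"]]
    if info["endian"] == "big":
        reasons.append("big-endian image")
    if info["lzma_signature"]:
        reasons.append("vendor LZMA variant, so use a patched unsquashfs (as firmware-mod-kit does)")
    return "; ".join(reasons)

def build_sample_superblock():
    """Constructed header carrying the values binwalk printed for mtdblock2 (not the real bytes)."""
    hdr = bytearray(SUPERBLOCK_LEN)
    hdr[0:4] = b"sqlz"
    struct.pack_into(">I", hdr, OFF_INODES, 182)
    struct.pack_into(">HH", hdr, OFF_MAJOR, 3, 0)
    struct.pack_into(">H", hdr, OFF_BLOCK_LOG, 16)
    struct.pack_into(">I", hdr, OFF_MKFS_TIME, 1330877897)  # Sun Mar 4 16:18:17 2012 UTC
    struct.pack_into(">I", hdr, OFF_BLOCK_SIZE, 65536)
    struct.pack_into(">q", hdr, OFF_BYTES_USED, 2072620)
    return bytes(hdr)
```

To run it against the real dump, pass open("mtdblock2", "rb").read(SUPERBLOCK_LEN) to parse_squashfs3_superblock() instead of the constructed header.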

I then downloaded firmware-mod-kit in an attempt to unsquash the filesystem. It is an insanely awesome set of scripts which goes through all the unsquashfs versions and attempts to extract the filesystem. Once downloaded and installed I ran the unsquashfs_all.sh script against mtdblock2 and waited.

Eventually, the squashfs-3.2-r2-hg612-lzma/unsquashfs version successfully extracted the filesystem. I can browse the directories and view the files as I could on the device, but now have much more freedom in what I want to do next.

root@kali:~/Desktop/talktalk/squashfs-root/bin# ls
adslcmd   busybox  cms      ddnsc     echo       ipcheck    klog  mini_upnpd  netlogger  ripd     sntp      tr111   wlancmd
adslctrl  cat      console  dhcpc     equipcmd   iptables   ln    mkdir       netstat    rm       startbsp  umount  wscd
ash       chmod    cp       dhcps     ethcmd     iwcontrol  log   mknod       ping       sh       swapdev   upg     zebra
atmcmd    chown    cwmp     dns       igmpproxy  iwpriv     ls    mount       pppc       siproxd  tc        upnp
brctl     cli      date     ebtables  ip         kill       mic   mpoad       ps         sleep    telnetd   web

I have uploaded a copy of the file system here if anyone wants to download it and take a look. Please let me know if you find anything interesting.

Make sure to check back next time as I go even deeper into the TalkTalk HUAWEI HG523a Router.

Hacking the TalkTalk HUAWEI HG523a Router

I got my hands on a TalkTalk HUAWEI HG523a. This is one of the routers distributed to TalkTalk subscribers. This is my first attempt at doing any kind of embedded device analysis, so I decided it would be beneficial to document the steps I take. As I progress I will write new posts detailing what I have done.

Before I start, one of the best resources I have found while working through this project is devttys0.com. A lot of the things I do in this post I found on that blog.

OK, so the first thing I decided to do was open the router and try to find some kind of serial interface that would allow me to get a shell on the device. The picture below shows what the top of the PCB looks like.

Looking at the board you can see a grouping of five pins that looks quite like a serial port. You would expect to find transmit, receive, power and ground pins to connect to. The next step is to identify which pin is which. I did this using a multimeter.


The first pin to identify is ground. To do this I switched the multimeter to continuity mode, which checks whether there is an electrical connection between the two probes. I attached one of the multimeter probes to the power socket casing (which is a known ground point) and the other to each of the pins in turn. You would expect the multimeter to show continuity if it is connected to two ground points. In this case it showed continuity on pin 4, so this is the ground pin.

The next step is to identify the transmit pin. You would expect that when the router is powered on it will display boot messages and other information on the serial interface. This kind of behaviour can be seen on the multimeter as an erratic voltage. So to find the transmit pin, simply connect one probe to ground as always and the other to each pin in turn. The pin that exhibits an unstable, constantly changing voltage is likely the transmit pin. In this case the transmit pin is pin 5.

With this router I couldn't clearly identify the power and receive pins. Both pin 1 and pin 3 showed 3.3 volts and pin 2 was completely dead. So all I did was take a guess. I found that pin 1 is the receive pin and pin 3 is the power pin.

The next step is to connect to this serial interface. I used a USB-UART adapter I bought off eBay for a whopping £1.19. So I connected the USB-UART adapter to the pins on the router and powered it up. I connected to the COM port using PuTTY and was greeted with the following:


From my limited understanding I believed this to be because the baud rate was incorrect. So I found a very cool Python script called baudrate which allows you to easily find the correct baud rate for the interface you're trying to connect to. You just enter the command and use the arrow keys to cycle through the baud rates until you find the correct one. (The correct one will display the boot-up text correctly.)

root@kali:~/Documents/baudrate-1.0/src# python baudrate.py /dev/ttyUSB0

Starting baudrate detection on /dev/ttyUSB0, turn on your serial device now.
Press Ctl+C to quit.
@@@@@@@@@@@@@@@@@@@@@ Baudrate: 115200 @@@@@@@@@@@@@@@@@@@@@

*******____________skb_________size 224
/proc/FastPath created
Realtek MCast FastPath
/proc/mc_FastPath created
NET: Registered protocol family 1
NET: Registered protocol family 17
Bridge LAN vlan registered
Ebtables v2.0 registered
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 108k freed
init started: BusyBox vv1.9.1 (2012-03-05 00:16:52 CST)
starting pid 69, tty '': '/etc/init.d/rcS'
starting pid 72, tty '': '/bin/sh'

BusyBox vv1.9.1 (2012-03-05 00:16:52 CST) built-in shell (ash)

From this output you can see that at a baud rate of 115200 the text displays normally, so the serial interface uses 115200 baud. As it turns out, this is quite common.

Once the boot-up had finished I hit enter on the keyboard and it displayed a login prompt. I entered the default username and password of admin and admin, which was printed on a sticker on the router. This logged me into the router's serial interface.


As you can see from the screenshot, you land in an ATP command line interface. Looking through the options of this interface, it seems quite limited in what you can do. Some things of interest include:

Typing 'debug display cwmp' lets you view the details for TR-069, the application layer protocol used for the remote updating of the router's firmware.

ATP>debug display cwmp
ACS URL: http://acs.talktalk.co.uk:7547/ACS-server/ACS
User Name:
Connection Request User Name: userid
Connection Request Password: cRP#21530316207S2C088299
Connection Request URL:
Inform Enable: 1
Inform Period: 86400

You also have the option for setting the authentication type used for cwmp.

ATP>debug set cwmp authtype ?
0: none; 1: basic; 2: digest; 3: adapt

And to set the password for TR-064 with:

ATP>debug set tr064 pwd mypassword123

Going through all the other options I couldn't find many other useful commands. I decided to do a bit of googling to see if there were any hidden commands that could be used. I found a blog post where someone said to enter the shell command to bring up a BusyBox shell. I gave this a try and it worked.

BusyBox vv1.9.1 (2012-03-05 00:16:52 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# ls
var   usr   tmp   sbin  proc  mnt   lib   init  etc   dev   bin

As it turns out, looking at the same blog post, it's possible to get the same level of access by just telnetting into the router and entering the admin/admin login details I used. But I suppose what I have done is good practice, and a lot of fun :)

Make sure you check back for what I attempt next with this TalkTalk router.

Malware Analysis Part 2: First Attempt

Please read part 1 first if you would like to know how the analysis lab is set up.

There are various sites you can use to download samples of malicious software. The one I used is called openmalware.org. I wasn't completely sure which sample to choose. I wanted one which was recent, so I decided to get a sample called "BC.Heuristic.Trojan.SusPacked.BF-6.A". I'm not going to link to it for obvious reasons, but the MD5 hash of the sample is 0148d6e7f75480b3353f1416328b5135. This can be used as a search term on the Open Malware site to find the sample I used in this analysis attempt.

Once I downloaded the file I took a snapshot of the registry and files on the machine using Regshot. I then ran the file, took another snapshot and compared the two. The results show that multiple files and folders were created when it executed.

Files added: 3
C:\Program Files\Windos\logg.dat
C:\Program Files\Windos\Windos.exe
Files [attributes?] modified: 3
C:\Documents and Settings\james\NTUSER.DAT.LOG
Folders added: 1
C:\Program Files\Windos

I also noticed that the Debian server had received a flood of DNS requests from the malware-infected machine.


So the malware is attempting to resolve the IP address of its server, and I assume it will then either download additional components or send some data to the server.

Because of this DNS request, the next step I figured was to put my DNS server to good use and respond to the request with one of my own IPs to see what it did next. So I opened the /etc/hosts file and added a new entry pointing se7aaaaa.no-##.### (redacted) to my Debian server. I then started Wireshark on the malware-infected machine and restarted the DNS daemon.


This part I'm not 100% sure on. But what I can gather from this is that it is trying to start a TCP connection with my Debian server on port 81, which is the TOR port, although it doesn't necessarily mean it's trying to connect in any way to the TOR network. Obviously, whatever it's trying to do, the server isn't responding appropriately (or not at all) and therefore the connection isn't fully made. The next step I took was to set up a netcat listener on the port and see what is being sent. To do this I entered the following command:

nc -l -p 81

-l specifies a listener and -p the port I want to listen on.

As you can see, what I received is unintelligible.

In my next post I will continue the analysis of this file, once I figure out where to go from here :)

Malware Analysis Part 1: Lab Setup

At this stage I know very little about the malware analysis process. I recently purchased a book on the subject called "Practical Malware Analysis" by Michael Sikorski and Andrew Honig. My aim is to read through the book and practise the techniques taught on real examples of malicious code, updating this blog as I progress.

The first step, which I will detail today, is the setup of my virtual lab. For the hardware I have used my old gaming computer. It's not very good at running games anymore but perfect for malware analysis. I have installed the Debian Linux distribution on it, along with VirtualBox.

There are pros and cons to using virtualisation for malware analysis. The pros include the ability to create snapshots of the working environment and the ability to create virtual networks, which I will explain later. One downside I have read about is that some malware will behave differently if it discovers it is being run in a virtualised environment, with the sole purpose of preventing it being analysed.

So in my setup I am using VirtualBox to create the virtual machines. I am using a Windows XP Professional machine loaded with any tools which I may need, along with a Debian machine used as a DNS / mail / IRC / etc. server. Some malware will attempt to communicate in some way with something on the internet, whether it be through IRC, a simple DNS request or a mail protocol. Having a virtual Debian machine with these services installed allows me to receive the requests and see in more detail what they are doing.


As you can see from the screenshot, I have created clones of both virtual machines. This allows me to easily start afresh without having to reinstall all the tools again. Both machines are in host-only mode and connected to a virtual network called vboxnet0. This prevents the malware escaping from the virtual machine and propagating throughout my network. I am also extremely paranoid and will unplug the network cable from the computer when performing the analysis.

The only software I will install on Debian to start with is a DNS server. This will allow me to redirect any DNS queries the malware may make to a computer of my choice (mine). I decided to use Dnsmasq for this purpose as it's very simple to set up.

I simply installed Dnsmasq with the command:

apt-get install dnsmasq

And edited the /etc/dnsmasq.conf file to only allow queries on a specific interface, in my case eth0:

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=eth0

and to allow for logging of DNS requests:

# For debugging purposes, log each DNS query as it passes through
# dnsmasq.
log-queries

I also added to the /etc/hosts file a test record pointing the domain james.com to the IP address


Next I'm going to set up Windows XP to use my virtual Debian machine as its DNS server. I'm not going to explain how I did this; if you're reading this you probably know already. I tested the configuration with nslookup.


As you can see, the DNS server responded with the test IP of

I can monitor the DNS requests being made to the server by using the command:

tail -f /var/log/syslog

This should turn out useful when running the malware.
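As an added example (not part of the original posts), a Python script that aggregates the dnsmasq query lines that tail -f shows once log-queries is on, so the flood of lookups from the infected machine seen in part 2, and whether each name was answered from /etc/hosts, can be read at a glance. The log lines are constructed; the 192.168.56.x addresses are assumed host-only addresses and se7aaaaa.example stands in for the hostname redacted in part 2.

```python
import re
from collections import defaultdict

# Two line shapes dnsmasq writes to syslog with log-queries on: the lookup
# itself, and the answer it served (from /etc/hosts, cache, config or upstream).
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(?P<qtype>[^\]]+)\] (?P<name>\S+) from (?P<client>\S+)")
ANSWER_RE = re.compile(r"dnsmasq\[\d+\]: (?P<source>/etc/hosts|cached|config|reply) (?P<name>\S+) is (?P<answer>\S+)")

# Constructed sample log: the james.com test record, the infected XP guest
# (192.168.56.101, an assumed host-only address) repeatedly resolving the
# malware's hostname, one stray unanswered name, then the sinkhole answer after
# the /etc/hosts entry was added. "se7aaaaa.example" replaces the redacted name.
SAMPLE_SYSLOG = [
    "Mar  4 16:20:01 debian dnsmasq[1234]: query[A] james.com from 192.168.56.101",
    "Mar  4 16:20:01 debian dnsmasq[1234]: /etc/hosts james.com is 192.168.56.1",
] + [
    "Mar  4 16:21:%02d debian dnsmasq[1234]: query[A] se7aaaaa.example from 192.168.56.101" % s
    for s in range(10, 16)
] + [
    "Mar  4 16:22:30 debian dnsmasq[1234]: query[A] update.example from 192.168.56.101",
    "Mar  4 16:25:00 debian dnsmasq[1234]: query[A] se7aaaaa.example from 192.168.56.101",
    "Mar  4 16:25:00 debian dnsmasq[1234]: /etc/hosts se7aaaaa.example is 192.168.56.1",
]


def parse_dnsmasq_log(lines):
    """Aggregate per name: how many lookups, from which clients, and what dnsmasq answered."""
    stats = defaultdict(lambda: {"queries": 0, "clients": set(), "qtypes": set(),
                                 "answer": None, "answer_source": None})
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            s = stats[m["name"].lower().rstrip(".")]
            s["queries"] += 1
            s["clients"].add(m["client"])
            s["qtypes"].add(m["qtype"])
            continue
        m = ANSWER_RE.search(line)
        if m:
            s = stats[m["name"].lower().rstrip(".")]
            s["answer"], s["answer_source"] = m["answer"], m["source"]
    return dict(stats)


def repeated_lookups(stats, threshold=5):
    """Names resolved at least `threshold` times: the repeated-resolution pattern seen in part 2."""
    return sorted(n for n, s in stats.items() if s["queries"] >= threshold)


def unanswered(stats):
    """Names queried but never answered: candidates for a sinkhole entry in /etc/hosts."""
    return sorted(n for n, s in stats.items() if s["answer"] is None)


def summarise_syslog(path="/var/log/syslog"):
    """Run the same aggregation over the real log file on the Debian VM."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return parse_dnsmasq_log(f)
```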


Now I’m going to detail some of the software I have installed on the target machine. At this stage I haven’t even attempted to look at any malware so I am likely missing some necessary tools. Once the malware is on the machine it won’t have access to the internet. Because of this I have tried to plan ahead and install everything I suspect I will need. There’s a high chance I will miss something having never done this before.

Regshot
This tool allows you to take a snapshot of your machine in two different states and then compare them. For example, you may take a snapshot before and after you have run some malware. Comparing the two snapshots will allow you to see the changes the malware has made to the system. It records new files / folders and registry changes.

Process Explorer
This is basically Task Manager on steroids. It allows you to see the processes that are running.

This allows you to monitor network traffic, in this case in particular the traffic created by the malware.

Process Monitor
Allows you to see events which happen when a program is run, for example changes, modifications and execution of files.

Allows you to monitor file and network activity.

I have never used this software before. From general reading, it allows you to run a program through it and watch how it interacts with the underlying system. It lets you see the instructions it executes in the form of assembly language and also the data it stores.

A more powerful version of Windows notepad.

Part of the Sysinternals suite. It allows you to scan a file for strings (sequences of readable characters).

Once I installed the software above I saved the virtual machine and cloned it. This lets me work on the cloned version when analysing the malware and revert to the original clean machine if I need to start again.