Hacking the TalkTalk HUAWEI HG523a Router Part 2

For part 1 please Click Here.

OK. So i have access to the routers busybox console. I found by typing the busybox command it displays all the commands available on the device.

# busybox
BusyBox vv1.9.1 (2012-03-05 00:16:52 CST) multi-call binary
Copyright (C) 1998-2007 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.

Usage: busybox [function] [arguments]...
or: function [arguments]...

BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable.  Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as!

Currently defined functions:
[, [[, arp, ash, cat, chmod, chown, cp, date, echo, ftpget,
ftpput, halt, ifconfig, init, kill, killall, linuxrc,
ln, ls, mcast, mkdir, mknod, mount, netstat, nslookup,
ping, poweroff, ps, reboot, rm, route, sh, sleep, test,
top, traceroute, umount, vconfig, wget

#

As you can see the amount of commands available is quite small. Looking at some other busybox console outputs posted online there are usually many more programs available to run. There is a great page found here which details many of the programs or ‘applets’ that busybox can have installed and describes what they are for. Many of the commands available on the HG523a aren’t of much use.

My next aim is to try and extract the filesystem from the device. Allowing me to analyse it more easily on another computer with more tools available.

I tried to mount a directory over nfs but i found out that nfs isnt supported on the device. If you run the command cat /proc/filesystems you can check what file systems are supported. If NFS is listed in this output it may have been an option.

# cat /proc/filesystems
nodev   rootfs
nodev   bdev
nodev   proc
nodev   sockfs
nodev   pipefs
nodev   tmpfs
squashfs
nodev   ramfs
#

My next attempt involved copying the device file which contains the file system. I first checked the file system type. This information is important later on.

# cat /proc/mounts
rootfs / rootfs rw 0 0
/dev/root / squashfs ro 0 0
none /dev tmpfs rw 0 0
/proc /proc proc rw 0 0
none /var tmpfs rw 0 0
none /tmp tmpfs rw 0 0
none /mnt tmpfs rw 0 0

From this output you can see the root filesystem is running on squashfs.

I next went on to find where the file system is stored. /dev/root dosnt exist which was slightly confusing.

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00010000 00001000 "boot"
mtd1: 00001000 00001000 "flag"
mtd2: 003c0000 00001000 "main"
mtd3: 0002d000 00001000 "config"
#

This mtd file showed that the router software is split into 4 parts.

Boot, which i assume is the boot loader.
Flag, which I’m note sure.
Main, which i assume is the file system. especially considering it is the largest in size.
Config. Which again, I’m not entirely sure what is it. But the one of interest is the one called main on mtd2.

Now. looking in the dev directory you can see there are all the mtd devices.

# cd /dev
# ls
initctl    mtdblock6  mtd4       tty1       kmem       I2S        ram2
mem        mtdblock5  mtd3       tty2       port       boardled   ram3
ttyp2      mtdblock4  mtd2       tty3       null       wlchr      adsl0
ttyp1      mtdblock3  mtd1       tty4       ac0        ttyUSB0
ttyp0      mtdblock2  mtd0       ppp        acl0       ttyUSB1
ptyp2      mtdblock1  ptmx       printer0   urandom    ttyUSB2
ptyp1      mtdblock0  ttyS0      console    gpio       ttyUSB3
ptyp0      mtd6       tty        bhal       hwnat0     ram0
zero       mtd5       tty0       commondrv  i2cM0      ram1
#

If you remember when i typed in the busybox command at the beginning, there was a command called ftpput. This ftpput command is the way I’m going to extract the firmware from the device.

# ftpput
BusyBox vv1.9.1 (2012-03-05 00:16:52 CST) multi-call binary

Usage: ftpput [options] remote-host

Download or upload via FTP.

Options:
-g    Download
-s    Upload
-v    Verbose
-u    Username to be used
-p    Password to be used
-l    Local file path
-r    Remote file path
-P    Port to be used, optional
-B    Bind local ip, optional
-A    Remote resolved ip, optional
-b    Transfer start position
-e    Transfer length
-m    Max transfer size
-c    Compress downloaded file

#

So i opened up my Kali linux virtual machine and installed an FTP server. I then attempted to upload using ftpput on the router. One of the difficulties i had with this program is that it was very unforgiving with the syntax. It wouldn’t respond stating the mistake you made with the input. But in the end after some searching i found the correct command.

ftpput -s -v -u ftpuser -p toor -l /dev/mtdblock2 -r /ftpdir/mtdblock2 192.168.1.3

ftpuser is the username that has write access on my ftp server on the Kali virtual machine.
toor is the password
/dev/mtdblock2 is the file I’m copying.
/ftpdir/mtdblock2 is the location on the ftp server the file is saved.
192.168.1.3 is the FTP server IP address

So now i have mtdblock2 on my virtual machine.

The next stage is to extract the firmware from mtdblock2. I did attempt initially to try and mount the device directly hoping it would work. But sadly it didn’t.

root@kali:~/Desktop/talktalk# mount -t squashfs mtdblock2 /mnt
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
missing codepage or helper program, or other error
In some cases useful info is found in syslog - try
dmesg | tail  or so

I then went on to run binwalk on it.

root@kali:~/Desktop/talktalk# binwalk mtdblock2

DECIMAL       HEX           DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0             0x0           Squashfs filesystem, big endian, lzma signature, version 3.0, size: 2072620 bytes,  182 inodes, blocksize: 65536 bytes, created: Sun Mar  4 16:18:17 2012
2076736       0x1FB040      LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3827500 bytes

As you can see, it is showing that there is a Squashfs filesystem right at the start of the file. Which confirms the findings when i ran cat /proc/mount on the device.

I then went on to download firmware-mod-kit in an attempt to unsquash the filesystem. It is an insanely awesome set of scripts which goes through all the unsquashfs versions and attempts to extract the firmware. Once downloaded and installed i ran the unsquashfs_all.sh script against mtdblock2 and waited.

Eventually, version squashfs-3.2-r2-hg612-lzma/unsquashfs successfully extracted the firmware. I can browse the directories and view the files like i could on the device. But now have much more freedom in what i want to do next.

root@kali:~/Desktop/talktalk/squashfs-root/bin# ls
adslcmd   busybox  cms      ddnsc     echo       ipcheck    klog  mini_upnpd  netlogger  ripd     sntp      tr111   wlancmd
adslctrl  cat      console  dhcpc     equipcmd   iptables   ln    mkdir       netstat    rm       startbsp  umount  wscd
ash       chmod    cp       dhcps     ethcmd     iwcontrol  log   mknod       ping       sh       swapdev   upg     zebra
atmcmd    chown    cwmp     dns       igmpproxy  iwpriv     ls    mount       pppc       siproxd  tc        upnp
brctl     cli      date     ebtables  ip         kill       mic   mpoad       ps         sleep    telnetd   web

I have made uploaded a copy of the file system here if anyone wants to download it and take a look. Please let me know if you find anything interesting.

Make sure to check back next time as i go even deeper into the TalkTalk HUAWEI HG523a Router.

One thought on “Hacking the TalkTalk HUAWEI HG523a Router Part 2

  1. hbyt

    Hi thanks for the blog I have HG533 F.1.01 I managed to figure out the telnet and got a shell so I could portforward using a script from my Linux box works good. I wanted to see if the routers dhclient lease can be reset so I get a new IP address without having to reset the router. Not got that yet. My question is can this one be flashed easily with openwrt I have several of them lying around and I wanted to use one as a wireless router. Have so far used a usb to upload to the router (wget doesnt seem to work) but I have no command to flash the unit with the openwrt image file. Also the image file from TT is of a different image file type u-boot/PPCBoot. Any ideas would be appreciated. Awsome post.

    Regards,
    Hbyte

     

Leave a Reply

Your email address will not be published. Required fields are marked *