9th July 2014 || Hacking the TalkTalk HUAWEI HG523a Router Part 2
Twitter: @Xtrato  Email: james[at]jamesdotcom.com  GitHub: Xtrato
For part 1, please click here.
OK. So I have access to the router's BusyBox console. I found that typing the busybox command displays all the commands available on the device.
# busybox
BusyBox vv1.9.1 (2012-03-05 00:16:52 CST) multi-call binary
Copyright (C) 1998-2007 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.

Usage: busybox [function] [arguments]...
   or: function [arguments]...

	BusyBox is a multi-call binary that combines many common Unix
	utilities into a single executable.  Most people will create a
	link to busybox for each function they wish to use and BusyBox
	will act like whatever it was invoked as!

Currently defined functions:
	[, [[, arp, ash, cat, chmod, chown, cp, date, echo, ftpget, ftpput,
	halt, ifconfig, init, kill, killall, linuxrc, ln, ls, mcast, mkdir,
	mknod, mount, netstat, nslookup, ping, poweroff, ps, reboot, rm,
	route, sh, sleep, test, top, traceroute, umount, vconfig, wget
As you can see, the number of commands available is quite small. Looking at some other BusyBox console outputs posted online, there are usually many more programs available to run. There is a great page found here which details many of the programs or 'applets' that BusyBox can have installed and describes what they are for. Many of the commands available on the HG523a aren't of much use.
My next aim is to try and extract the filesystem from the device, allowing me to analyse it more easily on another computer with more tools available.
I tried to mount a directory over NFS but I found out that NFS isn't supported on the device. If you run the command cat /proc/filesystems you can check which file systems are supported. If NFS had been listed in this output it might have been an option.
# cat /proc/filesystems
nodev	rootfs
nodev	bdev
nodev	proc
nodev	sockfs
nodev	pipefs
nodev	tmpfs
	squashfs
nodev	ramfs
#
My next attempt involved copying the device file which contains the file system. I first checked the file system type. This information is important later on.
# cat /proc/mounts
rootfs / rootfs rw 0 0
/dev/root / squashfs ro 0 0
none /dev tmpfs rw 0 0
/proc /proc proc rw 0 0
none /var tmpfs rw 0 0
none /tmp tmpfs rw 0 0
none /mnt tmpfs rw 0 0
#
From this output you can see the root filesystem is squashfs.
I next went on to find where the file system is stored. /dev/root doesn't exist, which was slightly confusing.
# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00010000 00001000 "boot"
mtd1: 00001000 00001000 "flag"
mtd2: 003c0000 00001000 "main"
mtd3: 0002d000 00001000 "config"
#
This output shows that the router's flash is split into 4 partitions.
Boot, which I assume is the boot loader. Flag, which I'm not sure about. Main, which I assume is the file system, especially considering it is the largest in size. Config, which again I'm not entirely sure about. But the one of interest is the one called main on mtd2.
Now, looking in the /dev directory, you can see all the mtd devices.
# cd /dev
# ls
initctl    mtdblock6  mtd4       tty1       kmem       I2S        ram2
mem        mtdblock5  mtd3       tty2       port       boardled   ram3
ttyp2      mtdblock4  mtd2       tty3       null       wlchr      adsl0
ttyp1      mtdblock3  mtd1       tty4       ac0        ttyUSB0
ttyp0      mtdblock2  mtd0       ppp        acl0       ttyUSB1
ptyp2      mtdblock1  ptmx       printer0   urandom    ttyUSB2
ptyp1      mtdblock0  ttyS0      console    gpio       ttyUSB3
ptyp0      mtd6       tty        bhal       hwnat0     ram0
zero       mtd5       tty0       commondrv  i2cM0      ram1
#
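As an added example (my own code, not from the original post), here is a small Python parser for the /proc/mtd listing above. It works out where each partition starts in flash and checks that a copied /dev/mtdblockN is the full partition size. It assumes the partitions are contiguous and listed in flash order, which /proc/mtd does not itself guarantee.

```python
import re

# Constructed sample: the /proc/mtd listing shown above for the HG523a.
PROC_MTD = """dev:    size   erasesize  name
mtd0: 00010000 00001000 "boot"
mtd1: 00001000 00001000 "flag"
mtd2: 003c0000 00001000 "main"
mtd3: 0002d000 00001000 "config"
"""

MTD_LINE = re.compile(r'^(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"')

def parse_proc_mtd(text):
    """Return one dict per partition with its flash offset. /proc/mtd gives sizes
    but no offsets, so the offset is the running total of the sizes before it
    (assumption: partitions are contiguous and listed in flash order)."""
    parts, offset = [], 0
    for line in text.splitlines():
        m = MTD_LINE.match(line)
        if not m:
            continue  # the "dev: size erasesize name" header
        dev, name = m.group(1), m.group(4)
        size, erase = int(m.group(2), 16), int(m.group(3), 16)
        if erase == 0 or size % erase:
            raise ValueError(f"{dev}: size 0x{size:x} is not a whole number of erase blocks")
        parts.append({"dev": dev, "name": name, "offset": offset, "size": size, "erasesize": erase})
        offset += size
    return parts

def filesystem_candidate(parts):
    """The post's heuristic: the largest partition is the likely root filesystem."""
    return max(parts, key=lambda p: p["size"])

def check_dump_size(parts, dev, dump_len):
    """True if a copied /dev/mtdblockN is exactly the partition's size, i.e. the
    transfer off the router was not cut short."""
    part = next(p for p in parts if p["dev"] == dev)
    return dump_len == part["size"]

if __name__ == "__main__":
    parts = parse_proc_mtd(PROC_MTD)
    for p in parts:
        print(f'{p["dev"]:5} {p["name"]:7} offset=0x{p["offset"]:06x} size=0x{p["size"]:06x}')
    print("filesystem candidate:", filesystem_candidate(parts)["dev"])
```

Note that /dev also carries nodes for mtd4 to mtd6, but only the four partitions in /proc/mtd are actually registered, so the parser ignores the extra device nodes.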
If you remember when I typed in the busybox command at the beginning, there was a command called ftpput. This ftpput command is the way I'm going to extract the firmware from the device.
# ftpput
BusyBox vv1.9.1 (2012-03-05 00:16:52 CST) multi-call binary

Usage: ftpput [options] remote-host

Download or upload via FTP.

Options:
	-g	Download
	-s	Upload
	-v	Verbose
	-u	Username to be used
	-p	Password to be used
	-l	Local file path
	-r	Remote file path
	-P	Port to be used, optional
	-B	Bind local ip, optional
	-A	Remote resolved ip, optional
	-b	Transfer start position
	-e	Transfer length
	-m	Max transfer size
	-c	Compress downloaded file
#
So I opened up my Kali Linux virtual machine and installed an FTP server. I then attempted to upload using ftpput on the router. One of the difficulties I had with this program is that it was very unforgiving with the syntax: it wouldn't respond stating the mistake you made with the input. But in the end, after some searching, I found the correct command.
ftpput -s -v -u ftpuser -p toor -l /dev/mtdblock2 -r /ftpdir/mtdblock2 192.168.1.3
ftpuser is the username that has write access on my FTP server on the Kali virtual machine.
toor is the password.
/dev/mtdblock2 is the file I'm copying.
/ftpdir/mtdblock2 is the location on the FTP server where the file is saved.
192.168.1.3 is the FTP server IP address.
So now I have mtdblock2 on my virtual machine.
The next stage is to extract the firmware from mtdblock2. I did initially attempt to mount the device directly, hoping it would work. But sadly it didn't.
root@kali:~/Desktop/talktalk# mount -t squashfs mtdblock2 /mnt
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
       missing codepage or helper program, or other error
       In some cases useful info is found in syslog - try
       dmesg | tail  or so
I then went on to run binwalk on it.
root@kali:~/Desktop/talktalk# binwalk mtdblock2

DECIMAL       HEX           DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0             0x0           Squashfs filesystem, big endian, lzma signature, version 3.0, size: 2072620 bytes, 182 inodes, blocksize: 65536 bytes, created: Sun Mar  4 16:18:17 2012
2076736       0x1FB040      LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3827500 bytes
As you can see, it is showing that there is a Squashfs filesystem right at the start of the file, which confirms the findings from when I ran cat /proc/mounts on the device.
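As an added example (my own code, not the post's or binwalk's), this Python scanner does by hand what the binwalk signature above reports: it finds squashfs magic bytes in a partition dump and decodes the version 3 superblock fields (endianness, inode count, block size, bytes used, creation time). It assumes the standard "sqsh"/"hsqs" magics; the sample dump is constructed to carry the values binwalk printed for mtdblock2.

```python
import struct
from datetime import datetime, timezone

# Standard squashfs magics; vendor LZMA builds (like the HG612-style one used here) may differ.
MAGICS = {b"sqsh": ">", b"hsqs": "<"}

def parse_squashfs3_superblock(buf, off=0):
    """Parse a squashfs 3.x superblock at buf[off:]; offsets follow the packed v3
    struct: inodes +4, major/minor +28/+30, mkfs_time +39, block_size +51, bytes_used +63."""
    sb = buf[off:off + 71]
    order = MAGICS.get(bytes(sb[:4]))
    if order is None or len(sb) < 71:
        raise ValueError("no complete squashfs superblock at offset %d" % off)
    (inodes,) = struct.unpack_from(order + "I", sb, 4)
    major, minor = struct.unpack_from(order + "HH", sb, 28)
    (mkfs_time,) = struct.unpack_from(order + "I", sb, 39)
    (block_size,) = struct.unpack_from(order + "I", sb, 51)
    (bytes_used,) = struct.unpack_from(order + "Q", sb, 63)
    # v3 only, and block size must be a power of two between 4 KiB and 1 MiB
    if major != 3 or not 4096 <= block_size <= 1 << 20 or block_size & (block_size - 1):
        raise ValueError("offset %d: magic present but not a sane v3 superblock" % off)
    return {"offset": off, "endian": "big" if order == ">" else "little",
            "version": "%d.%d" % (major, minor), "inodes": inodes,
            "block_size": block_size, "bytes_used": bytes_used,
            "created": datetime.fromtimestamp(mkfs_time, timezone.utc),
            "complete": off + bytes_used <= len(buf)}  # False: dump ends before the fs does

def find_squashfs(buf):
    """Scan a raw partition dump for v3 superblocks, as binwalk's signature scan does."""
    found = []
    for magic in MAGICS:
        pos = buf.find(magic)
        while pos != -1:
            try:
                found.append(parse_squashfs3_superblock(buf, pos))
            except ValueError:
                pass  # stray magic bytes inside file data, not a superblock
            pos = buf.find(magic, pos + 1)
    return sorted(found, key=lambda s: s["offset"])

def build_sample_dump():
    """Constructed input: junk, then a big-endian v3 superblock with this page's binwalk values, padded out."""
    sb = bytearray(71)
    sb[:4] = b"sqsh"
    struct.pack_into(">I", sb, 4, 182)                # inodes
    struct.pack_into(">HH", sb, 28, 3, 0)             # version 3.0
    struct.pack_into(">I", sb, 39, 1330877897)        # 2012-03-04 16:18:17 UTC (constructed)
    struct.pack_into(">I", sb, 51, 65536)             # block size
    struct.pack_into(">Q", sb, 63, 2072620)           # bytes used
    return b"\xff" * 64 + bytes(sb) + b"\x00" * (2072620 - 71)
```

The "complete" flag is the check worth having before spending time on unsquashfs: a dump shorter than bytes_used means the copy off the router was truncated, not that the tool is wrong.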
I then went on to download firmware-mod-kit in an attempt to unsquash the filesystem. It is an insanely awesome set of scripts which goes through all the unsquashfs versions and attempts to extract the firmware. Once downloaded and installed, I ran the unsquashfs_all.sh script against mtdblock2 and waited.
Eventually, version squashfs-3.2-r2-hg612-lzma/unsquashfs successfully extracted the firmware. I can browse the directories and view the files like I could on the device, but now have much more freedom in what I want to do next.
root@kali:~/Desktop/talktalk/squashfs-root/bin# ls
adslcmd   busybox  cms      ddnsc     echo       ipcheck    klog  mini_upnpd  netlogger  ripd     sntp      tr111   wlancmd
adslctrl  cat      console  dhcpc     equipcmd   iptables   ln    mkdir       netstat    rm       startbsp  umount  wscd
ash       chmod    cp       dhcps     ethcmd     iwcontrol  log   mknod       ping       sh       swapdev   upg     zebra
atmcmd    chown    cwmp     dns       igmpproxy  iwpriv     ls    mount       pppc       siproxd  tc        upnp
brctl     cli      date     ebtables  ip         kill       mic   mpoad       ps         sleep    telnetd   web

I have uploaded a copy of the file system here if anyone wants to download it and take a look. Please let me know if you find anything interesting.