Hacking the Vodafone Huawei R201

Tearing apart this portable wireless mobile device!

A few weeks ago I set about a challenge of hacking this wireless device, one of the main reasons is that no other guide existed and very little information was available online.

What I have found along the way is multiple vulnerabilities and some interesting techniques that if coupled with expertise of others could see this device well and truly hacked.

Please come join and help, I will provide as much information as possible!

ENABLE TELNET

It took me the best part of 3 days to crack telnet; don't ask me how I did it, I don't know myself! (Many, many hours of playing around trying different techniques.) If anything, it goes to show that with enough persistence, anything is possible.

This is only the entry point into the device, I would like to take this further and potentially re-write some firmware with the help of the community.

If you would like to do the same, the guide is below.

Attached file: config (automatically generated make config) - 30.60 kB - 06/19/2020 at 19:57

  • Running Processes

    thetechtoker, 06/19/2020 at 22:01

      PID  PPID USER     STAT   VSZ %MEM %CPU COMMAND
      953   720 root     S    17020 21.1 81.2 /dlna/twonkymediaserver -inifile /var/twonkymedia-server-default-huawei.ini
     4936  1373 root     R     2776  3.4 12.5 top -n 1
      948     1 root     S    85996107.0  0.0 call
      748     1 root     S    39444 49.1  0.0 xmlreporting
      738     1 root     S    37552 46.7  0.0 httpd
      650     1 root     S    37376 46.5  0.0 cms
      662     1 root     S    36760 45.7  0.0 atserver
      669     1 root     S    36548 45.5  0.0 ui_main
     1062     1 root     S    36524 45.4  0.0 upnp -D -L br0 -W rmnet0
      918     1 root     S    36476 45.4  0.0 /bin/wificonnect
      890   888 root     S     5364  6.6  0.0 /bin/hostapd_wps /tmp/hostapd.conf
     1508  1323 root     S N   4880  6.0  0.0 smbd -D
     1323     1 root     S N   4760  5.9  0.0 smbd -D
     1327     1 root     S     3604  4.4  0.0 nmbd -D
      621     1 root     S     2780  3.4  0.0 /usr/sbin/telnetd
     1373   621 root     S     2780  3.4  0.0 -ash
      634     1 root     S     2780  3.4  0.0 /sbin/getty ttyMSM2 115200 vt100
        1     0 root     S     2776  3.4  0.0 init
      661     1 root     S     1720  2.1  0.0 atproxy
      832     1 root     S     1716  2.1  0.0 /bin/dnsmasq -i br0 --conf-file=/var/dnsmasq.conf
      730     1 root     S     1668  2.0  0.0 atcsms
     1064     1 root     S     1636  2.0  0.0 lld2d br0
      722     1 root     S     1592  1.9  0.0 syswatch
      633     1 root     S     1588  1.9  0.0 mic
     1115     1 root     S     1584  1.9  0.0 dhcpc -i rmnet0 -I rmnet0
      720     1 root     S     1572  1.9  0.0 /dlna/twonkymedia -inifile /var/twonkymedia-server-default-huawei.ini
      825     1 root     S     1544  1.9  0.0 dhcps
      372     1 root     S <   1516  1.8  0.0 /sbin/udevd --daemon --debug
      644     1 root     S     1336  1.6  0.0 diag_switch /dev/ttyMSM0
      888     1 root     S     1332  1.6  0.0 /bin/hostapd_wps /tmp/hostapd.conf
      864     2 root    ...


  • / # df

    thetechtoker, 06/19/2020 at 21:46

    Filesystem           1k-blocks      Used Available Use% Mounted on
    rootfs                   31516     31516         0 100% /
    /dev/root                31516     31516         0 100% /
    tmpfs                    40124         4     40120   0% /dev
    /dev/mtdblock0            6144      1760      4384  29% /mnt/flash
    /dev/mtdblock1           41040     41040         0 100% /mnt/cdrom
    /dev/mtdblock3            6464      6464         0 100% /mnt/www

  • /etc/init.d/rcS script

    thetechtoker, 06/19/2020 at 20:03

    #!/bin/sh
    ################################################################################
    # ------------------------------------------------------------------------------
    # Copyright (C) 2008 QUALCOMM Incorporated.
    # All Rights Reserved. QUALCOMM Proprietary and Confidential.
    # ------------------------------------------------------------------------------
    ################################################################################

    echo "rcS:::executing /etc/init.d/rcS script"

    # re-establish ramfs file system:etc|var|mnt|
    echo "establish ramfs file system:|tmp|etc|var|mnt|"
    /bin/mount -f -t ramfs ramfs /tmp

    /bin/cp -rf /etc  /tmp/
    /bin/mount -n -t ramfs ramfs /etc
    /bin/mv  /tmp/etc/* /etc/

    /bin/cp -rf /var  /tmp/
    /bin/mount -f -t ramfs ramfs /var
    /bin/mv  /tmp/var/* /var/

    /bin/mount -f -t ramfs ramfs /mnt

    echo "rcS:::mounting filesystems"
    mount -a 2>/dev/null

    #echo "rcS:::mounting /prj/happyfeet"
    #mkdir -p /prj/happyfeet
    #mount -t nfs -n -o nolock,rsize=1024,wsize=1024 baskin:/vol/eng_asw_0032/happyfeet /prj/happyfeet

    echo "rcS:::executing /etc/rc.d scripts"
    run-parts -a start /etc/rc.d

    echo "rcS:::mounting flashfs"
    mkdir -p /mnt/flash
    mount -t yaffs2 /dev/mtdblock0 /mnt/flash

    # BB5D05399 s00163283, begin 2010/4/28
    mkdir -p /mnt/dlna
    # BB5D05399 s00163283, end 2010/4/28

    #echo "rcS:::rdate"
    #/usr/sbin/rdate -s 129.6.15.29

    # Check CD-ROM Image
    echo " Check CD-ROM"
    mkdir /mnt/cdrom
    mount -t iso9660 -o loop /dev/mtdblock1 /mnt/cdrom
    #check webres img
    mkdir /mnt/www
    mount -f -t cramfs /dev/mtdblock3 /mnt/www
    ####BB5D05622 z00125912 begin
    echo "rcS:::mounting pa_res"
    mkdir -p /mnt/pa_res
    mount -t cramfs /dev/mtdblock4 /mnt/pa_res
    ####BB5D05622 z00125912 end
    # move the following into management.c for the feature:
    #    when 583x is being charged in power off state, the user should not
    #    see the CDROM and port change
    #if [ -f /mnt/cdrom/AutoRun.exe ]
    #then
    #    echo " USB Default Dynamic Composition (0x1003)"
    #    /opt/qcom/bin/tests/usb_composition.sh 0x1003
    #    echo /dev/mtdblock1 > /sys/devices/platform/mass_storage/lun0/file
    #else
    #    echo " USB Default Dynamic Composition (0x1E03)"
    #    /opt/qcom/bin/tests/usb_composition.sh 0x1E03
    #fi

    # Run customer.rcS from /mnt/flash (persistent, writable yaffs2) if it is present and executable
    if [ -x /mnt/flash/customer.rcS ]; then
        echo "rcS:::Executing /mnt/flash/customer.rcS"
        /mnt/flash/customer.rcS
    fi

    # Starting Qcom DUN over HSUSB

    echo "Starting DUN Bridge over HSUSB..."
    #/opt/qcom/bin/./qcom_dun_hsusb.sh
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/qcom/lib

    echo "rcS:::DONE Executing /etc/init.d/rcS Script"
    # Nothing should live below this line!
    cd /dev
    mknod ttyHSUSB0 c 127 0
    #/opt/qcom/bin/./port_bridge /dev/smd0 /dev/ttyHSUSB0 &

    cd /bin
    #./ar6k_load_ap.sh
    mic &

  • All Commands Available

    thetechtoker, 06/19/2020 at 19:53

    /sbin #
    arp
    doc_loadbios
    docfdisk
    flash_erase
    flash_eraseall
    flash_info
    flash_lock
    flash_otp_dump
    flash_otp_info
    flash_unlock
    flashcp
    ftl_check
    ftl_format
    getty
    ifconfig
    ifdown
    ifup
    init
    insmod
    klogd
    logread
    lsmod
    modprobe
    mtd_debug
    nanddump
    nandtest
    nandwrite
    nftl_format
    nftldump
    pivot_root
    recv_image
    rfddump
    rfdformat
    rmmod
    route
    serve_image
    setconsole
    slattach
    start-stop-daemon
    sulogin
    sumtool
    switch_root
    sysctl
    syslogd
    udevadm
    udevd
    udhcpc
    /bin #
    addgroup
    adduser
    ar6000.ko
    ar6000_sta.ko
    ar6k-wps-oob.conf
    ash
    at
    atcsms
    athtcmd_ram.bin
    athtestcmd
    athwlan.bin.z77
    athwlan_sta.bin.z77
    atproxy
    atserver
    bbconfig
    bmiloader
    busybox
    call
    cat
    chgrp
    chmod
    chown
    cms
    cp
    cpio
    data.patch.nopa.bin
    data.patch.pa.bin
    date
    delgroup
    deluser
    device.bin
    df
    dhcpc
    dhcps
    diag_switch
    dmesg
    dnsmasq
    dumpkmap
    echo
    eeprom.AR6002
    egrep
    factory
    FALSE
    fgrep
    getopt
    grep
    gunzip
    gzip
    hostapd
    hostapd_cli
    hostapd_wps
    hostname
    httpd
    ip
    iperf
    iptables
    iwconfig
    iwlist
    iwpriv
    kill
    lld2d
    ln
    login
    ls
    mic
    mkdir
    mknod
    mktemp
    more
    mount
    mv
    netstat
    nice
    nmbd
    nopa.bin
    nopaartagent
    nvram
    nvram_linux_test
    pa.bin
    paartagent
    pidof
    ping
    ps
    pwd
    qmiserver
    reboot
    rm
    rmdir
    run-parts
    sh
    siproxd
    sleep
    smbd
    smbpasswd
    sntp
    startsntp
    stty
    su
    sync
    syswatch
    touch
    TRUE
    ui_main
    umount
    uname
    upnp
    usleep
    wificonnect
    wmiconfig
    xmlreporting
    xmltest
    zcat
    /usr/bin #
    arping
    basename
    chvt
    clear
    cut
    dc
    deallocvt
    dirname
    env
    expr
    find
    free
    ftpget
    ftpput
    head
    hexdump
    hostid
    id
    ipcrm
    ipcs
    killall
    less
    logger
    md5sum
    nslookup
    od
    passwd
    printf
    readlink
    renice
    reset
    seq
    sort
    strace
    strings
    test
    tftp
    time
    top
    tr
    traceroute
    tty
    uptime
    wc
    wget
    xargs
    /usr/sbin #
    brctl
    chroot
    figlet
    inetd
    rdate
    setlogcons

  • cat /proc/mounts

    thetechtoker, 06/19/2020 at 18:37

    rootfs / rootfs rw 0 0
    /dev/root / cramfs ro 0 0
    ramfs /tmp ramfs rw 0 0
    ramfs /etc ramfs rw 0 0
    ramfs /var ramfs rw 0 0
    ramfs /mnt ramfs rw 0 0
    none /debug debugfs rw 0 0
    proc /proc proc rw 0 0
    none /tmp ramfs rw 0 0
    none /sys sysfs rw 0 0
    none /var/log ramfs rw 0 0
    none /var/run ramfs rw 0 0
    none /var/lock ramfs rw 0 0
    tmpfs /dev tmpfs rw,mode=755 0 0
    devpts /dev/pts devpts rw,mode=600 0 0
    /dev/mtdblock0 /mnt/flash yaffs2 rw 0 0
    /dev/mtdblock1 /mnt/cdrom iso9660 ro 0 0
    /dev/mtdblock3 /mnt/www cramfs ro 0 0
    /dev/mmcblk0p2 /mnt/sd vfat rw,fmask=0022,dmask=0022,codepage=cp437,iocharset=utf8,shortname=mixed 0 0

  • cat /proc/version

    thetechtoker, 06/19/2020 at 18:36

    Linux version 2.6.25 (bcm@localhost.localdomain) (gcc version 4.1.1 (CodeSourcery ARM Sourcery G++ 2006q3-26)) #1 PREEMPT Fri Sep 17 19:09:44 CST 2010

  • cat /proc/mtd

    thetechtoker, 06/19/2020 at 18:33

    dev:    size   erasesize  name
    mtd0: 00600000 00020000 "0:EFS2APPS"
    mtd1: 081c0000 00020000 "0:MMC"
    mtd2: 02a00000 00020000 "0:APPS"
    mtd3: 00e00000 00020000 "0:WEBSERVE"
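
    The rcS script above re-creates /etc and /var in ramfs on every boot, so the only writable storage that survives a reboot is the yaffs2 partition on /dev/mtdblock0 (/mnt/flash). As an added example, not code from this project, the following Python cross-checks the posted /proc/mtd and /proc/mounts output: it converts the hex partition sizes to KiB and flags which mounts are writable and which of those are persistent. The sample input is a trimmed copy of the logs above.

```python
import re

# Constructed sample input, copied from the R201 project logs (trimmed).
PROC_MTD = """dev:    size   erasesize  name
mtd0: 00600000 00020000 "0:EFS2APPS"
mtd1: 081c0000 00020000 "0:MMC"
mtd2: 02a00000 00020000 "0:APPS"
mtd3: 00e00000 00020000 "0:WEBSERVE"
"""

PROC_MOUNTS = """rootfs / rootfs rw 0 0
/dev/root / cramfs ro 0 0
ramfs /etc ramfs rw 0 0
ramfs /var ramfs rw 0 0
/dev/mtdblock0 /mnt/flash yaffs2 rw 0 0
/dev/mtdblock1 /mnt/cdrom iso9660 ro 0 0
/dev/mtdblock3 /mnt/www cramfs ro 0 0
"""

# Filesystem types that live in RAM and are rebuilt at boot.
VOLATILE_FS = {"ramfs", "tmpfs", "proc", "sysfs", "debugfs", "devpts", "rootfs"}


def parse_mtd(text):
    """Map mtdN -> (size_kib, erasesize_kib, name); /proc/mtd sizes are hex bytes."""
    parts = {}
    for line in text.splitlines()[1:]:  # skip the header row
        m = re.match(r'(mtd\d+):\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"([^"]*)"', line)
        if m:
            parts[m.group(1)] = (int(m.group(2), 16) // 1024,
                                 int(m.group(3), 16) // 1024, m.group(4))
    return parts


def classify_mounts(mounts_text, mtd):
    """For each mount line: is it writable, and do writes survive a reboot?"""
    rows = []
    for line in mounts_text.splitlines():
        dev, mnt, fstype, opts = line.split()[:4]
        writable = opts.split(",")[0] == "rw"
        m = re.match(r"/dev/mtdblock(\d+)$", dev)
        part = mtd.get("mtd" + m.group(1)) if m else None
        # Persistent only if writable, backed by flash, and not a RAM filesystem.
        persistent = writable and fstype not in VOLATILE_FS and part is not None
        rows.append({"mount": mnt, "fstype": fstype, "writable": writable,
                     "persistent": persistent,
                     "partition_kib": part[0] if part else None})
    return rows


def persistent_writable(rows):
    """Mount points where a change would still be there after power-cycling."""
    return sorted(r["mount"] for r in rows if r["persistent"])
```

On the posted data this reports a single persistent writable mount, /mnt/flash, which is exactly where rcS looks for customer.rcS; that is the location a defender would monitor for unexpected changes.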

  • cat /proc/cpuinfo

    thetechtoker, 06/19/2020 at 18:29

    Processor       : ARMv6-compatible processor rev 2 (v6l)
    BogoMIPS        : 382.56
    Features        : swp half thumb fastmult edsp java
    CPU implementer : 0x41
    CPU architecture: 6TEJ
    CPU variant     : 0x1
    CPU part        : 0xb36
    CPU revision    : 2
    Cache type      : write-back
    Cache clean     : cp15 c7 ops
    Cache lockdown  : format C
    Cache format    : Harvard
    I size          : 32768
    I assoc         : 4
    I line length   : 32
    I sets          : 256
    D size          : 32768
    D assoc         : 4
    D line length   : 32
    D sets          : 256

    Hardware        : QCT SURF7X25
    Revision        : 0000
    Serial          : 0000000000000000


  • 1. Enable Telnet

    Follow the video to enable telnet on the device.
