Seguridad Wireless - Wifi

Equipment and materials => Access points, routers, switches and bridges => Topic started by: fernando3k on 11-08-2014, 21:24 (Monday)

Title: Shell on Huawei HG630
Posted by: fernando3k on 11-08-2014, 21:24 (Monday)
Hi, I picked up a Huawei HG630 for a few pesos. The hardware in this router is interesting for something handed out by an ISP here in Argentina: from what I could see it has 16MB of flash, 64MB of RAM, a 400MHz CPU, and apparently dual core.
Now, the firmware is the worst I have ever seen, they are a bunch of...  :-X
There is no way to connect over telnet or ssh. There is no way to run a command from the web interface.
I managed to connect over the serial port, but the shell is locked there too!!!
Worst of all, the CFE has been modified so that no command works, not even the "r" command to reboot.
All of this makes me furious, since the hardware belongs to the user, not the company, and on top of that they use 99% free software.
Does anyone know how I can get a shell on this router? I already tried injecting code by bypassing the JavaScript protections through the CGIs, like the classic ping CGI, but had no success at all; the "flaw" that other Huawei models had, which allowed running commands through the diagnostic ping, has been fixed. I could even see how they left the old code in place and adapted it to fix that "bug".
I'm leaving a serial-port boot log in case anyone is interested.
Oh! And apparently they added an extra layer of "security" to the firmware upgrade, because I can't get it to take any other firmware!
If anyone can help me that would be great!  ;D


Quote
HELO
CPUI
L1CI
HELO
CPUI
L1CI
DRAM
----
PHYS
STRF
400H
PHYE
DDR2
SIZ4
SIZ3
SIZ2
SIZ1
DINT
USYN
LSYN
MFAS
LMBE
RACE
PASS
----
ZBSS
CODE
DATA
L12F
MAIN


CFE version 1.0.38-112.70 for BCM963268 (32bit,SP,BE)
Build Date: Thu Jan 24 11:03:24 CST 2013 (zhanghuaxiang@X3755-vhg)
Copyright (C) 2000-2011 Broadcom Corporation.

HS Serial flash device: name S25FL128, id 0x0118 size 16384KB
Total Flash size: 16384K with 256 sectors
Chip ID: BCM63168D0, MIPS: 400MHz, DDR: 400MHz, Bus: 200MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 67108864 bytes (64MB)
Boot Address: 0xb8000000

Board IP address                  : 192.168.1.1:ffffff00  
Host IP address                   : 192.168.1.100  
Gateway IP address                :  
Run from flash/host (f/h)         : f  
Default host run file name        : vmlinux  
Default host flash file name      : bcm963xx_fs_kernel  
Boot delay (0-9 seconds)          : 1  
Board Id (0-0)                    : 963268_hg658b  
Number of MAC Addresses (1-32)    : 10  
Base MAC Address                  : 02:10:18:01:00:01  
PSI Size (1-64) KBytes            : 0  
Enable Backup PSI [0|1]           : 0  
System Log Size (0-256) KBytes    : 0  
Main Thread Number [0|1]          : 0  


 Boot :e=192.168.1.1:ffffff00 h=192.168.1.100 g= r=f f=vmlinux i=bcm963xx_fs_kernel d=1 p=0
*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 0
autoRun
boot from main
Booting from kernel offset (0xb85a2100) ...
Booting from image main (0xb8010000) ...
Code Address: 0x80010000, Entry Address: 0x800146c0
Decompression OK!
Entry at 0x800146c0
Closing network.
Disabling Switch ports.
Flushing Receive Buffers...
0 buffers found.
Closing DMA Channels.
Starting program at 0x800146c0
Linux version 2.6.30 (zhanghuaxiang@X3755-vhg) (gcc version 4.4.2 (Buildroot 2010.02-git) ) #31 SMP PREEMPT Fri Jan 25 18:22:19 CST 2013
HS Serial flash device: name S25FL128, id 0x0118 size 16384KB
63268hg622b prom init
CPU revision is: 0002a080 (Broadcom4350)
DSL SDRAM reserved: 0x132000
Determined physical RAM map:
 memory: 03ece000 @ 00000000 (usable)
Zone PFN ranges:
  DMA      0x00000000 -> 0x00001000
  Normal   0x00001000 -> 0x00003ece
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00003ece
On node 0 totalpages: 16078
free_area_init_node: node 0, pgdat 804991f0, node_mem_map 81000000
  DMA zone: 32 pages used for memmap
  DMA zone: 0 pages reserved
  DMA zone: 4064 pages, LIFO batch:0
  Normal zone: 94 pages used for memmap
  Normal zone: 11888 pages, LIFO batch:1
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 15952
Kernel command line: root=31:0 ro noinitrd console=ttyS0,115200
wait instruction: enabled
Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes.
Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes
NR_IRQS:128
PID hash table entries: 256 (order: 8, 1024 bytes)
console [ttyS0] enabled
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 58460k/64312k available (3666k kernel code, 5832k reserved, 995k data, 168k init, 0k highmem)
Calibrating delay loop... 398.33 BogoMIPS (lpj=199168)
Mount-cache hash table entries: 512
--Kernel Config--
  SMP=1
  PREEMPT=1
  DEBUG_SPINLOCK=0
  DEBUG_MUTEXES=0
Broadcom Logger v0.1 Jan 24 2013 10:48:12
CPU revision is: 0002a080 (Broadcom4350)
Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes.
Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes
Calibrating delay loop... 402.43 BogoMIPS (lpj=201216)
Brought up 2 CPUs
net_namespace: 1152 bytes
bhal: bhalInit entry
NET: Registered protocol family 16
Internal 1P2 VREG is forced to remain enabled
registering PCI controller with io_map_base unset
registering PCI controller with io_map_base unset
bio: create slab <bio-0> at 0
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
pci 0000:00:00.0: reg 10 32bit mmio: [0x10004000-0x10013fff]
pci 0000:00:00.0: reg 30 32bit mmio: [0x000000-0x0007ff]
pci 0000:00:00.0: supports D1 D2
pci 0000:00:00.0: PME# supported from D0 D3hot D3cold
pci 0000:00:00.0: PME# disabled
pci 0000:00:09.0: reg 10 32bit mmio: [0x10002600-0x100026ff]
pci 0000:00:0a.0: reg 10 32bit mmio: [0x10002500-0x100025ff]
pci 0000:01:00.0: PME# supported from D0 D3hot
pci 0000:01:00.0: PME# disabled
pci 0000:01:00.0: PCI bridge, secondary bus 0000:02
pci 0000:01:00.0:   IO window: disabled
pci 0000:01:00.0:   MEM window: disabled
pci 0000:01:00.0:   PREFETCH window: disabled
PCI: Setting latency timer of device 0000:01:00.0 to 64
BLOG v3.0 Initialized
BLOG Rule v1.0 Initialized
Broadcom IQoS v0.1 Jan 24 2013 10:53:32 initialized
Broadcom GBPM v0.1 Jan 24 2013 10:53:33 initialized
NET: Registered protocol family 8
NET: Registered protocol family 20
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
NET: Registered protocol family 1
squashfs: version 4.0 (2009/01/31) Phillip Lougher
squashfs: version 4.0 with LZMA457 ported by BRCM
JFFS2 version 2.2. © 2001-2006 Red Hat, Inc.
fuse init (API version 7.11)
msgmni has been set to 114
io scheduler noop registered (default)
PCI: Setting latency timer of device 0000:01:00.0 to 64
Driver 'sd' needs updating - please use bus_type methods
PPP generic driver version 2.4.2
NET: Registered protocol family 24
IMQ driver loaded successfully.
   Hooking IMQ after NAT on PREROUTING.
   Hooking IMQ before NAT on POSTROUTING.
bcm963xx_mtd driver v2.1

==boot from main kernel==

 rootfs_addr=0xb8010100 kernel_addr=0xb85a2100  BOOT_OFFSET:0xf8400000  
Registered device mtd[BCM63XX RootFS] dev[0] Flash[0xb8010100]
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
PCI: Enabling device 0000:00:0a.0 (0000 -> 0002)
PCI: Setting latency timer of device 0000:00:0a.0 to 64
ehci_hcd 0000:00:0a.0: EHCI Host Controller
ehci_hcd 0000:00:0a.0: new USB bus registered, assigned bus number 1
ehci_hcd 0000:00:0a.0: Enabling legacy PCI PM
ehci_hcd 0000:00:0a.0: irq 18, io mem 0x10002500
ehci_hcd 0000:00:0a.0: USB f.f started, EHCI 1.00
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
PCI: Enabling device 0000:00:09.0 (0000 -> 0002)
PCI: Setting latency timer of device 0000:00:09.0 to 64
ohci_hcd 0000:00:09.0: OHCI Host Controller
ohci_hcd 0000:00:09.0: new USB bus registered, assigned bus number 2
ohci_hcd 0000:00:09.0: irq 17, io mem 0x10002600
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
usbcore: registered new interface driver usblp
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
usbcore: registered new interface driver usbserial
USB Serial support registered for generic
usbcore: registered new interface driver usbserial_generic
usbserial: USB Serial Driver core
usbcore: registered new interface driver usbtest
MoniterInit entry
Serial: BCM63XX driver $Revision: 3.00 $
ttyS0 at MMIO 0xb0000180 (irq = 13) is a BCM63XX
ttyS1 at MMIO 0xb00001a0 (irq = 42) is a BCM63XX
adsl: adsl_init entry
bcmxtmcfg: bcmxtmcfg_init entry
bcmxtmrt: Broadcom BCM3168D0 ATM/PTM Network Device v0.4 Jan 25 2013 18:19:29
bcmPktDma_init: Broadcom Packet DMA Library initialized
Total # RxBds=1448
bcmPktDmaBds_init: Broadcom Packet DMA BDs initialized

GACT probability NOT on
Mirror/redirect action on
u32 classifier
    input device check on
    Actions configured
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (1004 buckets, 4016 max)
xt_time: kernel timezone is -0000
nf_nat_pt: no ports specified
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP cubic registered
Initializing XFRM netlink socket
NET: Registered protocol family 10
ip6_tables: (C) 2000-2006 Netfilter Core Team
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
NET: Registered protocol family 15
Ebtables v2.0 registered
ebt_time registered
ebt_ftos registered
ebt_wmm_mark registered
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly on device 31:0.
Freeing unused kernel memory: 168k freed

=file:drivers/usb/core/hub.c,line:3274,func:hub_events=eventCounts=1=
init started: BusyBox vv1.9.1 (2013-01-24 10:59:58 CST)
starting pid 258, tty '': '/etc/init.d/rcS'
RCS DONE
starting pid 260, tty '': '/bin/sh'


BusyBox vv1.9.1 (2013-01-24 10:59:58 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

/bin/startbsp: line 18: cannot create /dev/mtdblock2: No such device or address
mount: mounting /dev/mtdblock2 on /config failed: No such file or directory
-/bin/sh: usbdiagd: not found
Loading drivers and kernel modules...
bcm_ingqos: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
Broadcom Ingress QoS Module  Char Driver v0.1 Jan 24 2013 10:51:57 Registered<243>

Broadcom Ingress QoS ver 0.1 initialized
BPM: tot_mem_size=67108864B (64MB), buf_mem_size=6710886B (6MB), num of buffers=3201, buf size=2096
Broadcom BPM Module Char Driver v0.1 Jan 24 2013 10:51:56 Registered<244>
[NTC bpm] bpm_set_status: BPM status : enabled

NBUFF v1.0 Initialized
Initialized fcache state
Broadcom Packet Flow Cache  Char Driver v2.2 Jan 25 2013 18:19:24 Registered<242>
Created Proc FS /procfs/fcache
Broadcom Packet Flow Cache registered with netdev chain
Broadcom Packet Flow Cache learning via BLOG enabled.
Constructed Broadcom Packet Flow Cache v2.2 Jan 25 2013 18:19:24
chipId 0x631680D0
Broadcom Forwarding Assist Processor (FAP) Char Driver v0.1 Jan 24 2013 10:51:59 Registered <241>
FAP Debug values at 0x00000010 0x00000010
Enabling SMISBUS PHYS_FAP_BASE[0] is 0x10c01000
FAP Soft Reset Done
4ke Reset Done
Enabling SMISBUS PHYS_FAP_BASE[1] is 0x10c01000
FAP Soft Reset Done
4ke Reset Done
Allocated FAP0 GSO Buffers (0xA2A3D124) : 1048576 bytes @ 0xA2B00000
Allocated FAP1 GSO Buffers (0xA2A5D124) : 1048576 bytes @ 0xA2400000
[NTC fapProto] fapReset  : Reset FAP Protocol layer
[FAP0] DSPRAM : stack <0x80000000><1024>, global <0x80000400><7096>, free <72>, total<8192>
[FAP1] DSPRAM : stack <0x80000000><1024>, global <0x80000400><7096>, free <72>, total<8192>
[FAP0] PSM : addr<0x80002000>, used <24560>, free <16>, total <24576>
[FAP1] PSM : addr<0x80002000>, used <24560>, free <16>, total <24576>
[FAP0] Flows supported: 237 (dsp 60, psm 75, qsm 102)
[FAP1] Flows supported: 237 (dsp 60, psm 75, qsm 102)
[FAP0] DQM : availableMemory 14188 bytes, nextByteAddress 0xE0010894
[FAP1] DQM : availableMemory 14188 bytes, nextByteAddress 0xE0010894
[FAP0] GSO Buffer set to 0xA2B00000
[FAP1] GSO Buffer set to 0xA2400000
[FAP0] FAP BPM Initialized.
[FAP1] FAP BPM Initialized.
bcmPktDma_bind: FAP Driver binding successfull
Broadcom BCM63168D0 Ethernet Network Device v0.1 Jan 25 2013 18:19:21
fapDrv_psmAlloc: fapIdx=0, size: 4000, offset=b08206f0 bytes remaining 7008
ETH Init: Ch:0 - 200 tx BDs at 0xb08206f0
fapDrv_psmAlloc: fapIdx=1, size: 4000, offset=b0a206f0 bytes remaining 7008
ETH Init: Ch:1 - 200 tx BDs at 0xb0a206f0
fapDrv_psmAlloc: wastage 8 bytes
fapDrv_psmAlloc: fapIdx=0, size: 4808, offset=b0821690 bytes remaining 2192
ETH Init: Ch:0 - 600 rx BDs at 0xb0821690
fapDrv_psmAlloc: wastage 8 bytes
fapDrv_psmAlloc: fapIdx=1, size: 4808, offset=b0a21690 bytes remaining 2192
ETH Init: Ch:1 - 600 rx BDs at 0xb0a21690
eth0.3: MAC Address: 08:7A:4C:33:00:00
eth0.5: MAC Address: 08:7A:4C:33:00:00
eth0.4: MAC Address: 08:7A:4C:33:00:00
eth0.2: MAC Address: 08:7A:4C:33:00:00

=file:drivers/usb/core/hub.c,line:3274,func:hub_events=eventCounts=2=
--SMP support
wl: dsl_tx_pkt_flush_len=338
wl: high_wmark_tot=2080
PCI: Setting latency timer of device 0000:00:00.0 to 64
wl: passivemode=1
wl: napimode=0
wl0: allocskbmode=1 currallocskbsz=256
otp_read_pci: bad crc
Neither SPROM nor OTP has valid image
wl:srom/otp not programmed, using main memory mapped srom info(wombo board)
wl:loading /etc/wlan/bcm6362_vars.bin
Failed to open srom image from '/etc/wlan/bcm6362_vars.bin'.
wl:loading /etc/wlan/bcm6362_map.bin
wl0: Broadcom BCM435f 802.11 Wireless Controller 5.100.138.2001.cpe.L.3
p8021ag: p8021ag_init entry
IRQ 8/BCM WATCHDOG: IRQF_DISABLED is not guaranteed on shared IRQs
BCM Hardware Watchdog Timer for BCM96361
USB Serial support registered for GSM modem (1-port)
usbcore: registered new interface driver option
option: v0.7.2:USB Driver for GSM modems
Start mic now ...
magic number is 3e 00 74 20.
Read from flash ok.
@.back up config file ok !
load cfm ok.
start log proc...
ifconfig: SIOCSIFNETMASK: Cannot assign requested address
<6>br0: starting userspace STP failed, starting kernel STP
add group failed: Operation not supported
set group 0 mac learning disable in br0 failed: Operation not supported
BcmAdsl_Initialize=0x8022496C, g_pFnNotifyCallback=0x8048CCC4
lmemhdr[2]=0x100CE000, pAdslLMem[2]=0x100CE000
pSdramPHY=0xA3FFFFF8, 0x0 0x0
*** XfaceOffset: 0x5FF90 => 0x5FF90 ***
*** PhySdramSize got adjusted: 0xD9E68 => 0x110570 ***
AdslCoreSharedMemInit: shareMemAvailable=137840
AdslCoreHwReset:  pLocSbSta=82630000 bkupThreshold=3072
AdslCoreHwReset:  AdslOemDataAddr = 0xA3F9AC2C
fapDrv_psmAlloc: fapIdx=1, size: 1600, offset=b0a22960 bytes remaining 592
XTM Init: Ch:0 - 200 rx BDs at 0xb0a22960
fapDrv_psmAlloc: fapIdx=1, size: 128, offset=b0a22fa0 bytes remaining 464
XTM Init: Ch:1 - 16 rx BDs at 0xb0a22fa0
Success
ARL table flush done
Success
atp: cur kernel version:[2.6.30]
device eth0.3 entered promiscuous mode
device eth0.4 entered promiscuous mode
device eth0.5 entered promiscuous mode
device eth0.2 entered promiscuous mode
ADDRCONF(NETDEV_UP): eth0.2: link is not ready
ADDRCONF(NETDEV_UP): eth0.3: link is not ready
ADDRCONF(NETDEV_UP): eth0.4: link is not ready
ADDRCONF(NETDEV_UP): eth0.5: link is not ready
device eth0 is not a slave of br0
arp uses obsolete (PF_INET,SOCK_PACKET)
wl: Unsupported
device wl0 entered promiscuous mode
br0: topology change detected, propagating
br0: port 5(wl0) entering forwarding state

-------------------------------
-----Welcome to ATP Cli------
-------------------------------

Login: admin
The console is prohibited!
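The diagnostic-ping command injection mentioned at the top of this first post (the bug fernando3k says other Huawei models had, and that this firmware has patched), as an added example that is not code from the thread or from the HG630 firmware: a naive ping handler that splices the host into a shell command, beside a server-side allow-list and an argv-based call that needs no shell. `vulnerable_ping_command`, `is_safe_target`, `hardened_ping_argv`, `run_diagnostic_ping` and the `host` parameter are names assumed here, and the injected input is constructed for the example.

```python
"""Diagnostic "ping" CGI: the injectable pattern beside a hardened handler.
Added example; names and the `host` parameter are assumptions (see lead-in)."""
import ipaddress
import re
import subprocess
from typing import List, Optional

# One RFC 1123 hostname label: letters, digits, hyphens, no hyphen at either end.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def vulnerable_ping_command(host: str) -> str:
    """What a naive handler hands to `sh -c`: the host is spliced in verbatim.

    The page's JavaScript may validate the field, but a client that POSTs the
    parameter directly never runs that JavaScript, so `;`, `|`, backticks and
    `$(...)` reach the shell.
    """
    return "ping -c 1 " + host


def is_safe_target(host: str) -> bool:
    """Server-side allow-list: an IP literal or a well-formed hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    if not host or len(host) > 253:
        return False
    return all(_LABEL.match(label) for label in host.rstrip(".").split("."))


def hardened_ping_argv(host: str) -> Optional[List[str]]:
    """argv for ping, or None when the target is rejected.

    No shell parses this list, so metacharacters are just characters, and the
    allow-list already refuses anything starting with `-`, so the target cannot
    be read as a ping option either.
    """
    if not is_safe_target(host):
        return None
    return ["ping", "-c", "1", host]


def run_diagnostic_ping(host: str, timeout: float = 10.0) -> str:
    """Run the hardened command and return its output, or a rejection note."""
    argv = hardened_ping_argv(host)
    if argv is None:
        return "rejected: target is not a hostname or IP address"
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.stdout + proc.stderr


INJECTED = "127.0.0.1; cat /etc/passwd"   # constructed attacker input


def compare(host: str) -> dict:
    """Show what each handler would do with one target."""
    return {"naive": vulnerable_ping_command(host), "hardened": hardened_ping_argv(host)}


if __name__ == "__main__":
    print(compare("192.168.1.1"))
    print(compare(INJECTED))
```

The point the post makes about "bypassing the JavaScript protections" is exactly why only the server-side check counts: the naive handler returns a string that `sh -c` would split on the `;`, while the hardened one refuses the same input before any process is started.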
Title: Re: Shell on Huawei HG630
Posted by: danitool on 21-04-2015, 15:53 (Tuesday)
Do you by any chance have a photo of the board? I'd like to check whether it looks like this other router

http://wiki.openwrt.org/toh/huawei/hg658bc

The HG630 is interesting because it's the only BCM63168 I've seen so far that uses SPI flash. That could open a door to unbricking other BCM63168 routers that have NAND flash but where an SPI flash could be soldered on.

If you had a backup of the flash that would be interesting too, to extract the bootloader for example.
Title: Re: Shell on Huawei HG630
Posted by: fernando3k on 21-04-2015, 17:03 (Tuesday)
NO! That junk firmware didn't let me do anything!!! I couldn't get shell access, and I don't have a flash reader.
I don't have photos. I spent 3 days trying to find an exploitable bug, got frustrated and gave it away :-p
Title: Re: Shell on Huawei HG630
Posted by: danitool on 21-04-2015, 20:01 (Tuesday)
Too bad. It looks like there has been progress on enabling telnet, and presumably BusyBox. From what I read, the method consists of downloading the router's configuration file, decrypting it, modifying it with a new password and telnet access, and uploading it back to the router.

https://hg658c.wordpress.com/2015/03/17/hg658c_configtool/

Installing OpenWrt would even be feasible, and probably easier thanks to the SPI flash; as I said, it could also give clues to help unbrick other routers, like the one Noltari recently bricked, the Comtrend VR-3032u.

In any case, I don't know how useful Huawei's bootloader would be; Huawei loves to restrict access, or to make everything work in a very peculiar and irritating way.
Title: Re: Shell on Huawei HG630
Posted by: fernando3k on 21-04-2015, 21:32 (Tuesday)
I don't even remember being able to download the configuration, heh. Anyway, I don't know whether it would work on this model, and if it did, we'd still have to see whether some flaw could be exploited by uploading a modified configuration. I tried lots of things while bypassing the JavaScript protections but got nowhere; then again, I'm no expert in that field. And once you have root, we'd still have to see whether a new CFE can be written  ;D
Title: Re: Shell on Huawei HG630
Posted by: nanod88 on 05-09-2015, 08:10 (Saturday)
Hi, playing around with the HG630, and with a bit of help from Saint Google, I was able to get into this router's shell without doing anything strange..

1- Log in as admin to the router's page (http://IP_DEL_ROUTER_HG630/admin.html) User: admin   /  Pass: CalVxePV1!

2- In the left-hand menu, Advanced -> ACL

3- Create the rule that allows TELNET (click New, Service Type=TELNET; Access direction = LAN, leave the IPs blank)

4- Done, now you get into the ATP console over telnet. Log in as admin with the same password as before.

5- Run 'shell' (without quotes), and you're into the beloved busyboxxxxx    ;D ;D ;D

Some pics:

(http://i.imgur.com/8DAh4ki.png)


(http://i.imgur.com/8f3F7GM.png) (http://imgur.com/8f3F7GM)


Hope the info helps, a bit late, but oh well...
Regards
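nanod88's steps 4 and 5 as an added example (not code from the thread or from Huawei): a small telnet client that handles option negotiation, logs in to the ATP CLI as admin with the password given above, sends `shell`, and recognises the two failure modes, the "The console is prohibited!" lockout fernando3k hit on the serial port and a rejected login. The banner and the "Login:" prompt come from that serial boot log; the "Password:" prompt, the "ATP>" prompt and the BusyBox "# " prompt are assumptions, and the stand-in server is constructed here so the exchange runs offline. Step 3 (the ACL rule for TELNET from LAN) still has to be done in the web interface before any of this reaches a real unit.

```python
"""Telnet driver for the HG630 ATP CLI, plus a local stand-in server so the
exchange runs offline. Added example; see the lead-in for what is assumed."""
import socket
import threading

IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251
ATP_PROMPT, SHELL_PROMPT = b"ATP>", b"# "        # both assumed, not from the thread
PROHIBITED = b"The console is prohibited!"       # from the serial boot log
BANNER = (b"-------------------------------\r\n-----Welcome to ATP Cli------\r\n"
          b"-------------------------------\r\n\r\nLogin: ")


class TelnetSession:
    """Just enough telnet: refuse every option the peer offers or requests."""
    def __init__(self, sock):
        self.sock, self.buf = sock, b""
        sock.settimeout(5.0)

    def _strip_iac(self, data):
        # Sequences split across recv() calls are not reassembled (fine for a CLI).
        out, i = bytearray(), 0
        while i < len(data):
            cmd = data[i + 1] if data[i] == IAC and i + 1 < len(data) else None
            if cmd is None:                              # ordinary byte
                out.append(data[i]); i += 1
            elif cmd == IAC:                             # escaped 0xff data byte
                out.append(IAC); i += 2
            elif cmd in (DO, WILL) and i + 2 < len(data):
                self.sock.sendall(bytes([IAC, WONT if cmd == DO else DONT, data[i + 2]]))
                i += 3
            elif cmd in (DONT, WONT) and i + 2 < len(data):
                i += 3                                   # peer declining: nothing to answer
            else:
                i += 2                                   # other two-byte command
        return bytes(out)

    def expect(self, *patterns):
        """Read until one pattern appears; return (pattern index, text)."""
        while True:
            for idx, pat in enumerate(patterns):
                pos = self.buf.find(pat)
                if pos >= 0:
                    text, self.buf = self.buf[:pos + len(pat)], self.buf[pos + len(pat):]
                    return idx, text
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("peer closed the connection")
            self.buf += self._strip_iac(chunk)

    def send_line(self, line):
        self.sock.sendall(line.encode() + b"\r\n")


def get_busybox_shell(host, port=23, user="admin", password="CalVxePV1!"):
    """Log in to the ATP CLI and run `shell`; returns the session at the BusyBox prompt."""
    sess = TelnetSession(socket.create_connection((host, port), timeout=5.0))
    sess.expect(b"Login:")
    sess.send_line(user)
    sess.expect(b"Password:")
    sess.send_line(password)
    idx, _ = sess.expect(ATP_PROMPT, PROHIBITED, b"Login:")
    if idx:
        raise PermissionError(("console prohibited (the same lockout the serial port shows)",
                               "ATP login rejected")[idx - 1])
    sess.send_line("shell")
    if sess.expect(SHELL_PROMPT, ATP_PROMPT)[0] == 1:
        raise RuntimeError("'shell' was not accepted; still at the ATP prompt")
    return sess


def _fake_atp_cli(conn, console_allowed):
    """Constructed stand-in for the router side of the exchange (not the real CLI)."""
    srv = TelnetSession(conn)
    conn.sendall(bytes([IAC, DO, 1]) + BANNER)          # DO ECHO exercises the IAC path
    user = srv.expect(b"\n")[1].strip()
    conn.sendall(b"Password: ")
    if (user, srv.expect(b"\n")[1].strip()) != (b"admin", b"CalVxePV1!"):
        conn.sendall(b"\r\nLogin: ")
    elif not console_allowed:
        conn.sendall(b"\r\n" + PROHIBITED + b"\r\n")
    else:
        conn.sendall(b"\r\n" + ATP_PROMPT)
        if srv.expect(b"\n")[1].strip() == b"shell":
            conn.sendall(b"\r\nBusyBox v1.9.1 built-in shell (ash)\r\n\r\n" + SHELL_PROMPT)
        else:
            conn.sendall(b"\r\n" + ATP_PROMPT)


def run_local_demo(console_allowed=True):
    """Drive the stand-in on 127.0.0.1; returns 'busybox' or 'prohibited'."""
    lsock = socket.create_server(("127.0.0.1", 0))

    def serve():
        with lsock.accept()[0] as conn:
            _fake_atp_cli(conn, console_allowed)

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        get_busybox_shell("127.0.0.1", lsock.getsockname()[1]).sock.close()
        return "busybox"
    except PermissionError:
        return "prohibited"
    finally:
        worker.join(5)
        lsock.close()
```

Against a real unit, once the ACL rule from step 3 is in place, call `get_busybox_shell("192.168.1.1")` (the board address in the CFE boot log) and use `send_line()` / `expect()` on the returned session; `run_local_demo(True)` and `run_local_demo(False)` play both outcomes against the stand-in without a router.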