2023-03-31 Trying to get into a Genexis Platinum-4410 router
I have been given a Genexis Platinum-4410 router with the reasoning that I like to play with embedded systems and test the security. Well, that is what I did.
How far did I get
I have a serial console, I have extracted filesystem images, and I can't get a shell on the router.

The device
It's a router with 4+1 ethernet ports, wifi, two ports for analog telephones and a USB interface.

Looking at it from the network
In this specific instance the 4 ethernet ports which are logically the 'inside' don't give me a link after the router has booted up. The 1 port which would be the 'outside' or 'WAN' port gives a link and acts as a DHCP client. The next step was to connect to the wifi network and play with the web interface. This looks like a custom web interface. Default credentials which match what is on the sticker on the underside of the router. The router doesn't have a telnet server listening for 'easy' access.

Opening the case
Next step was to open the case and investigate the mainboard. Chips seen on the mainboard: Mindspeed J83100G System on a Chip (SoC), MXIC MX29GL256FHT2I-90Q flash memory, 2x Etrontech EM68B16CWQD-25H 512 Mbit DRAM, Si32260-FM1 dual channel FXS (voip) chip and other electronics. The mainboard has lots of test points, but no clear UART interface. There is an edge connector which looks like a PCI Express connector but it isn't.

I asked for help about this: "What is this connector, does it include UART on a Genexis Platinum-4410 ? : hardwarehacking" because r/hardwarehacking on reddit has helped me before. This edge connector turned out to be the 'place to be' and with the standard tricks for finding the UART I soon had an idea. But nothing to stick a dupont wire on and no PCI express or cardedge breakout cable/board available. So I had to solder wires to the right lanes on the connector. I had permission to damage the router, so that was ok. Soldering within half a millimeter was really hard! This was the first time I actually used my soldering iron for hardware hacking. And a magnifying glass to actually see what I was soldering.
2023-03-29 New country in my log: Rwanda
Last Sunday I spent nearly 3 hours trying to get the 9X5RU Dxpedition to Rwanda in my log in CW (Morse) but that didn't happen. This morning I got them in my log on my first try. On the 17 meter band. The technical differences weren't that big. Ok, I was using the Kenwood radio remote today and propagation seemed to work better. But the main difference was that on Sunday it was very busy with amateurs from all over Europe and today I was one of the few callers. I guess the work week has a strong influence here!
DX never sleeps
I guess this turning 'easy' because I tried on a workday and not in the weekend was one of the results of 'DX never sleeps', a different time can help get the contact. The DXpeditions want the highest number of possible contacts so finding a time they are less busy can help in getting the contact. In the first few days/hours all the 'big gun' stations with huge antennas and amplifiers want that contact, after that the simpler stations with some patience also have a good chance.

So far with 9X5RU
Later in the morning I also got the contact on 12m CW. This was harder than 17 meters, I had to give my call 8 times before it was logged completely. After the contact was complete I looked at the signal meter and saw that it barely moved so it was a weak path. Earlier I made contacts with 9X5RU on 17 and 20 meter FT8. But I want to work on my list of countries contacted in morse, so I wanted to make the contact in morse too.

Update.. no success in the afternoon
After 17 and 12 meter band CW I also tried to make the contact on the 10 meter band, where 9X5RU was active in the afternoon. But by that time the US has woken up and has good propagation to Rwanda because of the daylight. I couldn't get through and I heard a lot of US amateur radio callsigns being confirmed.
2023-03-19 I went to a Weird Al Yankovic concert!
Somewhere in November last year I saw that Weird Al Yankovic on The Unfortunate Return of The Ridiculously Self-Indulgent Ill-Advised Vanity Tour was also coming to Utrecht! So getting tickets was a good idea, especially when it turned out the tickets were going really fast. So I went on 20 February 2023 and I had a great evening. The concert was at Tivoli Vredenburg in Utrecht, which is cycling distance from my house. A friend came along and he found it a great idea to park at our house and cycle to a bicycle parking really close to the concert.

I looked up the setlist: “Weird Al” Yankovic Concert Setlist at TivoliVredenburg Grote Zaal, Utrecht on February 20, 2023 | setlist.fm and comparing that to earlier Weird Al Yankovic concerts it's clear he took a different route in this tour. Mostly own work, some of the 'in the style of' songs. He did the extended extended version of Albuquerque with lots of types of donuts and he 'restarted' the song to make the sauerkraut joke again.

The previous Weird Al Yankovic concert I saw, in Amsterdam, was more in the style with the parodies and the costumes. Setlist of that concert: “Weird Al” Yankovic Concert Setlist at Melkweg The Max, Amsterdam on September 30, 2015 | setlist.fm. This was a concert with standing room and I turned out to be in the splash zone for the end of 'smells like nirvana'. A group of fans had their own aluminium foil hats for 'Foil' so Al was really enthusiastic about their response and the whole audience had lots of fun. To give space for the costume change there was also use of video. And when there was a bit of video with Al reacting to Eminem with 'Say what??' a number of times I expected Word Crimes and indeed that happened.

Anyway I enjoy the music of Weird Al Yankovic. I started with the parodies and I sometimes remark 'this is a strange version of a Weird Al Yankovic song' when I hear for example Gangsta Paradise or Like a virgin. The polka versions are always fun to me. I didn't really like the personal songs the first time but after hearing them a few times and discovering the layers including the jokes I start to appreciate them too.

And recently Rob O'Hara did an episode of his podcast You Don't Know Flack about Weird Al. Rob is also a big fan of Weird Al Yankovic and has seen him perform in the US multiple times. And listening to this podcast episode made me write down 'my' Weird Al story. Rob also went on a pilgrimage of the sites in Tulsa, Oklahoma where the outside shots of the UHF movie were filmed: UHF - My 15 Year Pilgrimage. Now that is a Weird Al Yankovic fan! The picture in this news item is from the same tour, just a few days earlier. I tried taking some phone pictures but there was nothing good and I found this picture with a nice license which captures the tour really great.
2023-03-15 Synchronizing google contacts with Thunderbird
Ages ago I added a way to get access to my google contacts as a thunderbird address book. But on installation of thunderbird on a new laptop I couldn't find a simple answer to "how did I do that again?!?". With access to the old laptop I was able to reconstruct my steps, so I'll note them here:
- Install cardbook as add-on in Thunderbird
- Go to this add-on in the Thunderbird user interface
- From the top left 'hamburger' menu, select 'Address book', 'New address book'
- A window pops up asking 'Address book location', select 'Remote'
- The next window asks 'type of your address book' and gives google as default selection
- As username enter the standard address used for your google account. This doesn't have to end in @gmail.com.
- After entering the address, click 'Validate' and a window pops up with a minimal browser to log into your google account. Do this.
- After logging in the browser window will ask for permission for Cardbook to access your google contacts.
- After selecting a colour for this new address book you can use it.
- In the process google will probably send you alerts about this new login and permission.

And now my contacts are synchronized between android phone, google contacts web interface and thunderbird!
2023-03-12 I participated in the EA PSK63 contest
This year I participated in the EA PSK63 Contest again. This is a contest organized by the Spanish Amateur Radio Club Unión de Radioaficionados Españoles and they organize nice contests! This is a 24-hour contest between 12:00 UTC on Saturday and 11:59 UTC on Sunday. Contacts were made Saturday afternoon and evening, and Sunday morning. The last contact was logged at 11:59 UTC on Sunday! I went for the 20 and 40 meter bands and checked a few times whether there was activity on the 10 meter band. In the end I made 182 contacts, 1 on the 10 meter band. Besides the usual search and pounce approach (looking for other stations calling CQ) I also called CQ for periods. This got me a nice amount of contacts in a short period. The peak was 4 contacts within 2 minutes. With the new Yaesu FT-991A radio it's also possible to find a free frequency, center it in the passband at 1500 Hz and then turn the bandwidth of the receiver down. Big signals outside the passband have a lot less influence with this radio so I can receive signals on 'my' frequency better.
2023-03-08 Ten years as a radio amateur
Ten years ago, on 6 March 2013 I passed the test for the Dutch novice amateur license. It's been a fun 10 years! I made lots of new friends, learned new stuff and had great experiences. It's a great hobby, I really like it as a hobby that's absolutely not work. Amateur radio is a hobby with lots of subhobbies. I got into different subhobbies than I expected and started in. And the subhobbies I do get into may even change again, depending on what I get interested in or lose interest in.
2023-03-05 An unrequested web vulnerability scan from Microsoft IPv4 space
It seems it is also possible to cause something in Microsoft IPv4 space to do a scan for web vulnerabilities. It's starting to become part of a pattern here! Noticed in the logs:

126.96.36.199 - - [05/Mar/2023:15:05:57 +0100] "GET / HTTP/1.1" 200 39297 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/188.8.131.52 Safari/537.36"
184.108.40.206 - - [05/Mar/2023:15:05:59 +0100] "HEAD /api.zip HTTP/1.1" 404 694 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/220.127.116.11 Safari/537.36"
18.104.22.168 - - [05/Mar/2023:15:05:59 +0100] "HEAD /source.zip HTTP/1.1" 404 694 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/22.214.171.124 Safari/537.36"
126.96.36.199 - - [05/Mar/2023:15:05:59 +0100] "GET /server-status HTTP/1.1" 403 975 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/188.8.131.52 Safari/537.36"
184.108.40.206 - - [05/Mar/2023:15:05:59 +0100] "GET /.nginx.env HTTP/1.1" 404 972 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.2 Safari/605.1.15"
..
220.127.116.11 - - [05/Mar/2023:15:08:55 +0100] "HEAD /status HTTP/1.1" 404 694 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/18.104.22.168 Safari/537.36"
22.214.171.124 - - [05/Mar/2023:15:08:55 +0100] "HEAD /callback HTTP/1.1" 404 694 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.96.36.199 Safari/537.36"
188.8.131.52 - - [05/Mar/2023:15:08:55 +0100] "HEAD /handler HTTP/1.1" 404 694 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/184.108.40.206 Safari/537.36"
220.127.116.11 - - [05/Mar/2023:15:08:55 +0100] "HEAD /plaid HTTP/1.1" 404 694 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/18.104.22.168 Safari/537.36"
22.214.171.124 - - [05/Mar/2023:15:08:56 +0100] "HEAD /plaid/item/webhook/ HTTP/1.1" 404 694 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.96.36.199 Safari/537.36"

For a total of 751 attempts via http on one site, receiving a redirect to https and following that redirect. I wonder if I can determine which scanner was used from the pattern of URLs tried.
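
A first step toward answering that question, as an added example that is not part of the original post: group combined-format log lines per client, flag clients whose requests are almost all 403/404, and list the probed paths so they can be compared with a scanner's wordlist. The sample lines, the addresses, the shortened user agents and both thresholds are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Combined log format, as used in the log excerpt above.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def _line(ip, method, path, status, ua):
    """Build one constructed log line (timestamp and size are fixed)."""
    return (f'{ip} - - [05/Mar/2023:15:05:59 +0100] "{method} {path} HTTP/1.1" '
            f'{status} 694 "-" "{ua}"')

# Constructed sample: paths are taken from the post, the addresses are
# RFC 5737 documentation placeholders and the user agents are shortened.
CHROME, SAFARI = "Mozilla/5.0 Chrome/1.0", "Mozilla/5.0 Version/16.2 Safari/605.1.15"
SAMPLE = [
    _line("203.0.113.7", "GET", "/", 200, CHROME),
    _line("203.0.113.7", "HEAD", "/api.zip", 404, CHROME),
    _line("203.0.113.7", "HEAD", "/source.zip", 404, CHROME),
    _line("203.0.113.7", "GET", "/server-status", 403, CHROME),
    _line("203.0.113.7", "GET", "/.nginx.env", 404, SAFARI),
    _line("203.0.113.7", "HEAD", "/status", 404, CHROME),
    _line("198.51.100.20", "GET", "/", 200, SAFARI),
    _line("198.51.100.20", "GET", "/favicon.ico", 404, SAFARI),
]

def summarize(lines):
    """Group requests per client address and collect scan indicators."""
    clients = defaultdict(lambda: {"total": 0, "errors": 0, "head": 0,
                                   "agents": set(), "probes": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined format
        c = clients[m["ip"]]
        c["total"] += 1
        c["head"] += m["method"] == "HEAD"
        c["agents"].add(m["ua"])  # a scan may switch user agents mid-run
        if m["status"] in ("403", "404"):  # refused or missing: a failed probe
            c["errors"] += 1
            c["probes"].add(m["path"])
    return dict(clients)

def likely_scanners(clients, min_requests=5, min_error_ratio=0.8):
    """Return {ip: sorted probed paths}; both thresholds are assumed values."""
    return {ip: sorted(c["probes"]) for ip, c in clients.items()
            if c["total"] >= min_requests
            and c["errors"] / c["total"] >= min_error_ratio}
```

Calling `likely_scanners(summarize(open(path)))` on a real access log gives one path list per flagged address; when a scan is spread over many source addresses, grouping by network prefix instead of single address is the natural variation.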