Getting further into the Corinex CXWC-HD200-WNeH: I got root! / 2022-09-22

Corinex CXWC-HD200-WNeH side with warrantylabel. The warranty was voided.
Picture by Koos van den Hout, license CC-BY-SA
This week I was attending a course in hardware hacking: HackLab: Hardware Hacking at the Deloitte office in Den Haag.

How to find the right pins to get a command line on a router-like device was part of this course, and on the last day there was an option to Bring Your Own Device to hack it. So I brought this router, as I thought it was an ideal target to get access to, since on the earlier try I could not get into the web interface of the Corinex CXWC-HD200-WNeH device.

Corinex CXWC-HD200-WNeH opened boards visible
Picture by Koos van den Hout, license CC-BY-SA
So this time I took out the screwdriver and voided the warranty of the device by breaking the little sticker on the side and opening it. It has a board with the power supply and the cable interface parts. The power supply is shielded with some plastic.

There is a smaller board with the main chip, the RAM and the flash; the main chip contains the processor and the Wi-Fi module. The first task was to find the UART interface, which should give a serial console. That's a skill I learned in the hacklab: first find out which pins have continuity to ground with the device switched off. With a simple multimeter that has a beeping continuity mode this is easy, and the beep makes it possible to probe without looking at the meter.

After that it's a matter of switching the multimeter to DC voltage and, with the device powered on, checking the remaining pins. Usually there are 4 pins on a UART header: ground (physically connected to the device ground), transmit data from the device (TX), receive data into the device (RX) and the supply or reference voltage (VCC). VCC reads as a steady voltage at the maximum level. A UART line idles high, so TX also reads close to VCC while the device is silent, but while it prints its boot messages the reading dips and varies; probing during a reboot makes this visible. RX is an input, so it floats or reads 0 volt when nothing drives it. If it has a pull-up it reads as a steady high as well and can only be told apart from VCC by elimination, once ground, VCC and TX are known.

UART ports can be 5 volt, 3.3 volt, 2.5 volt or 1.8 volt in recent devices; 5 and 3.3 volt are the most common. USB serial interfaces that support 5 and 3.3 volt are cheap (3 euro), USB serial interfaces that support all 4 are somewhat more expensive (10 euro). Measure before connecting: a 5 volt adapter driving a 3.3 volt or 1.8 volt input can damage the serial pins of the SoC. Only three wires are needed: ground to ground, the adapter's RX to the device's TX and the adapter's TX to the device's RX. Leave the adapter's VCC pin unconnected, the device has its own power supply.

For the Corinex router the voltage is 3.3 Volt. There was a 3.3 Volt FTDI USB to serial interface available, so I was able to access the UART port. I connected to it, used a terminal program and searched for the right serial port settings, and ended up at 57600 baud, 8 bits, no parity, 1 stop bit.
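Trying serial settings by hand works, but a small sweep makes the search systematic. The script below is an added example and not code from the original post: it sets each common baud rate at 8N1 on a USB serial adapter (assumed to be /dev/ttyUSB0 on a Linux host with GNU stty and coreutils timeout), captures a few seconds of output while the target boots, and scores how much of the capture is printable text. The correct rate scores near 100 percent; a wrong rate produces framing errors and mostly garbage bytes, so it scores far lower.

```shell
#!/bin/sh
# Baud-rate sweep for an unknown UART console.
# Added example, not from the original post. Assumes a Linux host, a USB
# serial adapter at $PORT (default /dev/ttyUSB0) and a target that is
# printing boot messages while we sample (power-cycle it during the sweep).

PORT=${PORT:-/dev/ttyUSB0}
RATES="115200 57600 38400 19200 9600"

# printable_ratio <file> -> percentage (0-100) of bytes that are printable
# ASCII or CR/LF/TAB. Console text at the right baud rate scores near 100;
# a wrong rate yields framing errors and random bytes, scoring much lower.
printable_ratio() {
    total=$(wc -c < "$1" | tr -d ' ')
    if [ "$total" -eq 0 ]; then
        echo 0
        return
    fi
    good=$(tr -cd '[:print:]\r\n\t' < "$1" | wc -c | tr -d ' ')
    echo $(( good * 100 / total ))
}

# sample_port <rate> <seconds> <outfile>
# Configure 8N1, raw mode, no flow control, then capture whatever the
# device sends for the given number of seconds.
sample_port() {
    stty -F "$PORT" "$1" cs8 -parenb -cstopb -crtscts -ixon -ixoff raw -echo
    timeout "$2" cat "$PORT" > "$3" 2>/dev/null || true
}

# sweep: try every rate in $RATES and print a score line per rate.
sweep() {
    for rate in $RATES; do
        tmp=$(mktemp)
        sample_port "$rate" 3 "$tmp"
        printf '%6s baud: %3s%% printable, %s bytes\n' \
            "$rate" "$(printable_ratio "$tmp")" "$(wc -c < "$tmp" | tr -d ' ')"
        rm -f "$tmp"
    done
}

# Usage: PORT=/dev/ttyUSB0 sh baudsweep.sh sweep
if [ "${1:-}" = "sweep" ]; then
    sweep
fi
```

Once a rate stands out, open it with a terminal program (for example `picocom -b 57600 /dev/ttyUSB0`) and confirm that typing a newline gives a sane response; a score that stays low at every rate usually means a swapped RX/TX pair or a missing ground connection rather than an exotic baud rate.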

After looking at all the boot messages I was greeted with a root prompt. No more hacking, just full access. The system boots using the U-Boot bootloader and runs Linux with a 2.6.21 kernel. I looked around on the filesystem and started looking for the configuration of the web server, hoping to find the username/password. I found this in /flash/config, so I could get into that interface as well.

I also found it was running a telnet server, but not on the standard port: it listens on 32560. Without commands like netstat or ss I had to learn this from /proc/net/tcp. Browsing the iptables listing shows that port 80 is supposed to be allowed and other ports aren't, but 32560 reacts fine.
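Without netstat, /proc/net/tcp is the place to look, but its addresses are hex in host byte order and the state is a hex code (0A is LISTEN), so reading it by eye is error-prone. The script below is an added example and not from the original post: it decodes the listening sockets from text in that format and runs here against a constructed sample that mirrors what the boot log above suggests (webs on 127.0.0.1:80, the telnet listener on port 32560, plus one established connection that must be skipped). It assumes a little-endian host, as Ralink RT305x firmware normally is; on a big-endian system the four IP bytes appear in natural order and the reversal in hex_ip_to_dotted must be dropped. It only needs sh, awk, cut and printf, so it should also run in the device's BusyBox shell.

```shell
#!/bin/sh
# Decode LISTEN sockets from /proc/net/tcp on a box without netstat/ss.
# Added example, not from the original post.

# Constructed sample in /proc/net/tcp format as printed by a little-endian
# kernel: 127.0.0.1:80 listening, 0.0.0.0:32560 listening, and one
# ESTABLISHED (st 01) connection on 192.168.0.100:32560 that is skipped.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 512 1 00000000 300 0 0 2 -1
   1: 00000000:7F30 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 640 1 00000000 300 0 0 2 -1
   2: 6400A8C0:7F30 0A00A8C0:D431 01 00000000:00000000 00:00000000 00000000     0        0 700 1 00000000 20 4 30 10 -1'

# hex_ip_to_dotted <8 hex digits> -> dotted quad.
# The kernel prints the 32-bit address in host byte order, so on a
# little-endian CPU (assumed here) the last hex byte is the first octet.
hex_ip_to_dotted() {
    b1=$(printf '%s' "$1" | cut -c1-2)
    b2=$(printf '%s' "$1" | cut -c3-4)
    b3=$(printf '%s' "$1" | cut -c5-6)
    b4=$(printf '%s' "$1" | cut -c7-8)
    printf '%d.%d.%d.%d' "0x$b4" "0x$b3" "0x$b2" "0x$b1"
}

# list_listeners <text in /proc/net/tcp format> -> one "ip:port" per line
# for every socket in state 0A (LISTEN). Field 2 is local_address, field
# 4 is the state; the port is printed in network order, so no reversal.
list_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && $4 == "0A" { print $2 }' |
    while IFS=: read -r hexip hexport; do
        printf '%s:%d\n' "$(hex_ip_to_dotted "$hexip")" "0x$hexport"
    done
}

# Run against the embedded sample; on the device use the real file:
#   list_listeners "$(cat /proc/net/tcp)"
list_listeners "$SAMPLE_PROC_NET_TCP"
```

The inode column (the tenth field) identifies the socket; matching it against the targets of `ls -l /proc/*/fd` shows which daemon owns the listener, which is how you find the binary behind an unexpected port like 32560 when there is no netstat -p.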

Chip found: Ralink RT3052F, a MIPS SoC that integrates the processor, the 2.4 GHz Wi-Fi radio and an Ethernet switch for 1 gigabit port and 5 100 Mbit ports. RAM and flash are not inside the SoC: the boot log below shows a separate 32 MB SDRAM (a 256 Mbit component on a 16-bit bus) and a separate CFI NOR flash chip mapped at 0xbf000000, which the kernel splits into the Bootloader, Mac, Factory, Kernel and Config MTD partitions.

Things I'd still like to do: copy the entire filesystem to another computer so I can research it and check around the web interface for security issues.

Corinex CXWC-HD200-WNeH uart connected
Picture by Koos van den Hout, license CC-BY-SA
All the startup messages:

U-Boot 1.1.3 (Jan 31 2013 - 17:23:55)

Board: Ralink APSoC DRAM:  32 MB
relocate_code Pointer at: 81fa8000
flash_protect ON: from 0xBF000000 to 0xBF02435F
protect on 0
protect on 1
protect on 2
protect on 3
protect on 4
protect on 5
protect on 6
protect on 7
protect on 8
protect on 9
flash_protect ON: from 0xBF3E0000 to 0xBF3FFFFF
protect on 69
protect on 70
*** Warning - bad CRC, using default environment

============================================ 
Billion Bootrom Version: 1.0
-------------------------------------------- 
ASIC 3052_MP2 (Port5<->None)
DRAM COMPONENT: 256Mbits 
DRAM BUS: 16BIT 
Total memory: 32 MBytes
Date:Jan 31 2013  Time:17:23:55
============================================ 
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:128, ways:4, linesz:32 ,total:16384 

 ##### The CPU freq = 384 MHZ #### 

SDRAM bus set to 16 bit 
 SDRAM size =32 Mbytes

Please choose the operation: 
   1: Load system code to SDRAM via TFTP. 
   2: Load system code then write to Flash via TFTP. 
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   6: Load system code then write to Flash via MINIWEB. 
   9: Load Boot Loader code then write to Flash via TFTP. 
 0 
resetFlag = 30
   
3: System Boot system code via Flash.
## Booting image at bf050040 ...
   Image Name:   Billion Firmware Image
   Created:      2013-06-19   7:37:16 UTC

 System Control Status = 0x22440000 

   Data Size:    2766283 Bytes =  2.6 MB
   Load Address: 80000000
   Entry Point:  80318000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80318000) ...
## Giving linux memsize in MB, 32

Starting kernel ...


LINUX started...

 THIS IS ASIC
Linux version 2.6.21 (root@furby-laptop) (gcc version 3.4.2) #143 Tue Aug 28 12:20:36 CEST 2012

 The CPU feqenuce set to 384 MHz
CPU revision is: 0001964c
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Built 1 zonelists.  Total pages: 8128
Kernel command line: console=ttyS1,57600n8 root=/dev/ram0
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 16kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
cause = 80800064, status = 1100ff00
PID hash table entries: 128 (order: 7, 512 bytes)
calculating r4koff... 00177000(1536000)
CPU frequency 384.00 MHz
Using 192.000 MHz high precision timer.
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 27136k/32768k available (2763k kernel code, 5632k reserved, 400k data, 1796k init, 0k highmem)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
NET: Registered protocol family 2
Time: MIPS clocksource has been installed.
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
detected lzma initramfs
detected lzma initramfs
initramfs: LZMA lc=3,lp=0,pb=2,dictSize=1048576,origSize=7260672
LZMA initramfs by Ming-Ching Tiew <mctiew@yahoo.com>...............................................................................................................Load RT2880 Timer Module(Wdg/Soft)
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
io scheduler noop registered (default)
Ralink gpio driver initialized
HDLC line discipline: version $Revision: 1.1.1.1 $, maxframe=4096
N_HDLC line discipline registered.
Serial: 8250/16550 driver $Revision: 1.3 $ 2 ports, IRQ sharing disabled
serial8250: ttyS0 at I/O 0xb0000500 (irq = 37) is a 16550A
serial8250: ttyS1 at I/O 0xb0000c00 (irq = 12) is a 16550A
RAMDISK driver initialized: 16 RAM disks of 16384K size 1024 blocksize
loop: loaded (max 8 devices)
rdm_major = 254
PPP generic driver version 2.4.2
PPP BSD Compression module registered
NET: Registered protocol family 24
IMQ starting with 2 devices...
IMQ driver loaded successfully.
        Hooking IMQ before NAT on PREROUTING.
        Hooking IMQ after NAT on POSTROUTING.


=== pAd = c0000000, size = 501520 ===

<-- RTMPAllocAdapterBlock, Status=0
ralink flash device: 0x1000000 at 0xbf000000
Ralink SoC physically mapped flash: Found 1 x16 devices at 0x0 in 16-bit bank
 Amd/Fujitsu Extended Query Table at 0x0040
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
Creating 5 MTD partitions on "Ralink SoC physically mapped flash":
0x00000000-0x00030000 : "Bootloader"
0x00030000-0x00040000 : "Mac"
0x00040000-0x00050000 : "Factory"
0x00050000-0x003e0000 : "Kernel"
0x003e0000-0x00400000 : "Config"
block2mtd: version $Revision: 1.1.1.1 $
nvram successfully probed
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (256 buckets, 2048 max)
ip_tables: (C) 2000-2006 Netfilter Core Team, Type=Restricted Cone
ipt_time loading
arp_tables: (C) 2002 David S. Miller
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
GDMA1_MAC_ADRH -- : 0x00000000
GDMA1_MAC_ADRL -- : 0x00000000
Ralink APSoC Ethernet Driver Initilization. v2.00  256 rx/tx descriptors allocated, mtu = 1500!
LOOK~~~~~~~~~~~~~        read=801ea330
GDMA1_MAC_ADRH -- : 0x0000000c
GDMA1_MAC_ADRL -- : 0x4341457b
PROC INIT OK!
Freeing unused kernel memory: 1796k freed
init started: BusyBox v1.12.1 (2012-08-22 10:19Algorithmics/MIPS FPU Emulator v1.5
:32 CST)
starting pid 13, tty '': '/etc_ro/rcS'
devpts: called with bogus options
mount: mounting none on /proc/bus/usb failed: No such file or directory
cp: cannot stat '/mtd/bin/board.conf': No such file or directory
cp: cannot stat '/mtd/system.conf': No such file or directory
insmod: vdsl.ko: module not found
insmod: board.ko: module not found
Checking Config from flash
get /flash directory
profile_main: get /flash directory, action = 0
profile_main: before switch
profile_main: A_GET call getFileFromFlash(config.tgz)
get /mac directory
profile_main: get /mac directory, action = 3
profile_main: before switch

phy_tx_ring = 0x0046b000, tx_ring = 0xa046b000

phy_rx_ring = 0x00000000, rx_ring = 0x00000000
RT305x_ESW: Link Status Changed
CDMA_CSG_CFG = 81000007
GDMA1_FWD_CFG = 710000
log start
ifconfig: SIOCSIRT305x_ESW: Link Status Changed
FHWADDR: Device device eth0 entered promiscuous mode
or resource busyRX DESC a03b5000  size = 2048

<-- RTMPAllocTxRxRingMemory, Status=0
RtmpOSFileOpen(): Error 2 opening /var/iNIC_ap.dat
Open file "/var/iNIC_ap.dat" failed!
1. Phy Mode = 0
ERROR!!! RTMPReadParametersHook failed, Status[=0x00000001]
!!! rt28xx Initialized fail !!!
device ra0 entered promiscuous mode
interface ra1 does not exist!
interface ra2 does not exist!
interface ra3 does not exist!
ResetWLAN: Entered
interface wds0 does not exist!
interface wds1 does not exist!
interface wds2 does not exist!
interface wds3 does not exist!
device ra0 left promiscuous mode
br0: port 2(ra0) entering disabled state
device ra0 entered promiscuous mode
RX DESC a1f47000  size = 2048
<-- RTMPAllocTxRxRingMemory, Status=0
1. Phy Mode = 9
2. Phy Mode = 9
LOOK~~~~~~~~~~~~~        read=801ea330
3. Phy Mode = 9
MCS Set = ff ff 00 00 00
SYNC - BBP R4 to 20MHz.l
The 4-BSSID mode is enabled, the BSSID byte5 MUST be the multiple of 4
Main bssid = 00:0b:c2:11:9f:bd
<==== rt28xx_init, Status=0
0x1300 = 00064380
device ra0 left promiscuous mode
device ra0 entered promiscuous mode
The 4-BSSID mode is enabled, the BSSID byte5 MUST be the multiple of 4
switch reg write offset=98, valuThe 4-BSSID mode is enabled, the BSSID byte5 MUST be the multiple of 4
e=7f3f
br0: port 2(ra0) entering learning state
br0: port 1(eth0) entering learning state
br0: topology change detected, propagating
br0: port 2(ra0) entering forwarding state
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
ifconfig: ioctl 0x8914 failed: Cannot assign requested address
ifconfig: ioctl 0x8914 failed: Cannot assign requested address
ifconfig: ioctl 0x8914 failed: Cannot assign requested address
ifconfig: ioctl 0x8914 failed: Cannot assign requested address
iptables -t mangle -N MYSHAPER-OUT
iptables -t mangle -N MYSHAPER-IN
WanPortChg: old port =  , new port= BPL
switch reg write offset=98, value=7f3f
switch reg write offset=98, valuswitch register base addr to 0xb0000300
e=7f3f
SetPlcPort
write offset 0xc, value 0x921ffa1
switch reg writeRT305x_ESW: Link Status Changed
 offset=c8, value=2150bff5
switch register base addr to 0xb0000000
write offset 0x60, value 0x9f
BUG: at kernel/softirq.c:138 local_bh_enable()
Call Trace:[<800084e4>][<800084e4>][<8002db88>][<801e7050>][<801e8cc0>][<8019e19c>][<8019e8b8>][<8019e930>][<801b7cb0>][<802a4f18>][<802a4bd4>][<802a4bd4>][<802a5fc4>][<8007b610>][<802a6114>][<80212e78>][<80208cc4>][<8012b354>][<8003e474>][<8002e154>][<8002d908>][<8008abe4>][<8002da3c>][<801188fc>][<80002e20>][<800201c8>][<8011c838>][<80329ee4>][<800278d0>][<800278e8>][<80083c94>][<8008bd24>][<8006ae28>][<80083c44>][<8007f048>][<80027a08>][<8012ad64>][<80090384>][<800905c8>][<8007f53c>][<80088db8>][<800907a0>][<8007f7dc>][<8000b6e0>][<8000b6e0>][<80100f9c>]
Set: phy[0].reg[0] = 3900
br0: port 3(vlan3) entering learning state
br0: topology change detected, propagating
br0: port 3(vlan3) entering forwarding state
device eth0 left promiscuous mode
br0: port 1(eth0) entering disabled state
switch reg write offset=e4, value=20
device br0 entered promiscuous mode
enter vdslChgProfile
device vlan1 is not a slave of brwan
vlan1: Setting MAC address to  00 0b c2 11 9f bd.
VLAN (vlan1):  Underlying device (eth0) has same MAC, not checking promiscious mode.
brwan: port 1(vlan1) entering learning state
ifconfig: ioctl 0x8914 failed: Cannot assign requested address
buf1=ip ro replace default

RTNETLINK rtnl_talk answers: No such process
RTNETLINK rtnl_talk answers: No such device
QosRestorePolicy() ... 
tc qdisc del dev brwan root 2>/dev/null
ifconfig imq0 down
tc qdisc del dev imq0 root 2>/dev/null
ifconfig imq0 up
iptables -t mangle -F POSTROUTING
iptables -t mangle -F MYSHAPER-IN
iptables -t mangle -F MYSHAPER-OUT
iptables -t mangle -A MYSHAPER-IN -j IMQ --todev 0
----debug---open lan dhcpc mode by vdsl page--------
unit=0
udhcpcd, interface br0

DHCP client started
DHCP client INIT_SELECTING
buf1=ip ro replace default nexthop dev br0

RTNETLINK rtnl_talk answers: No such process
QosRestorePolicy() ... 
tc qdisc del dev br0 root 2>/dev/null
ifconfig imq0 down
tc qdisc del dev imq0 root 2>/dev/null
ifconfig imq0 up
iptables -t mangle -F POSTROUTING
iptables -t mangle -F MYSHAPER-IN
iptables -t mangle -F MYSHAPER-OUT
iptables -t mangle -A MYSHAPER-IN -j IMQ --todev 0
I am in deconfig
QosRestorePolicy() ... 
tc qdisc del dev brwan root 2>/dev/null
ifconfig imq0 down
tc qdisc del dev imq0 root 2>/dev/null
ifconfig imq0 up
iptables -t mangle -F POSTROUTING
iptables -t mangle -F MYSHAPER-IN
iptables -t mangle -F MYSHAPER-OUT
iptables -t mangle -A MYSHAPER-IN -j IMQ --todev 0
WanPortChg(): new is WAN_PORT_PLC
switch reg write offset=98, value=7f3f
Performing a DHCP renew
device vlan1 left promiscuous mode
brwan: port 1(vlan1) entering disabled state
vlan1: dev_set_promiscuity(master, 1)
device eth0 entered promiscuous mode
device vlan1 entered promiscuous mode
br0: port 1(vlan1) entering learning state
br0: topology change detected, propagating
br0: port 1(vlan1) entering forwarding state
in ResetDHCPD
webserver begin...
(0): BPL, wan_plc.asp, qs_plc.asp, , 0x42
host=CorinexWifi
webs: Listening for HTTP requests at address 127.0.0.1 (127.0.0.1) port=80 
Socket creation success.
Socket binding to vlan1 success.

Sending packet!00 13 9D 00 00 00 00 0B C2 11 9F BD 00 08 AA AA 03 00 13 9D 0C 01 
Send success (22).
starting pid 360, tty '/dev/ttyS1': '/bin/sh'


BusyBox v1.12.1 (2012-08-22 10:19:32 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# 
Received: 01 80 C2 00 00 0E 00 0B C2 11 90 23 81 00 00 01 D5 20 FC 01 02 00 00 00 00 03 40 11 79 7F 00 00 00 00 FF FF FF FF 00 44 00 43 01 5B 06 D0 01 01 06 00 4B ED AE 02 00 00 00 00 00 00 00 00 00 00 
# 
# 
# 
In the web interface and in other places I still see the coax interface referenced as 'PLC', which suggests powerline communications. That needs more research.
