Grabbing the firmware from the Corinex CXWC-HD200-WNeH and extracting the root filesystem / 2022-10-07

My dive into the Corinex CXWC-HD200-WNeH continues. After getting root on the serial console of the Corinex CXWC-HD200-WNeH I ordered gear similar to what was used in the hardware hacking course, to do my own hardware hacking. It arrived this week and today I had some time to play with it.

Using the techniques from the course I found the serial console interface again. The CPU board has four through-holes, which is a likely candidate. The next step is finding which pin is which using a multimeter. The ground pin has continuity to any other shield. One pin is at 0 volts without continuity to ground: that is the receive data pin (from the viewpoint of the chip). Another pin has a varying voltage near the maximum voltage: this is the transmit data pin (again from the viewpoint of the chip). The fourth one has the constant maximum voltage, which was 3.3 volts in this case.

I switched my USB to serial interface to 3.3 volts and connected the TX on the system to the RX on the serial interface and the RX on the system to the TX on the serial interface, using Dupont cables for the connection. With minicom as the communications program I opened the right interface: minicom -D /dev/ttyUSB0.

After powering the router I got unreadable characters on the screen, so I had to adjust the serial port rate. This router has a serial console at 57600 bps, 8 bits, no parity, 1 stop bit.

And messages came out:
U-Boot 1.1.3 (Jan 31 2013 - 17:23:55)

Board: Ralink APSoC DRAM:  32 MB
relocate_code Pointer at: 81fa8000
flash_protect ON: from 0xBF000000 to 0xBF02435F
Corinex CXWC-HD200-WNeH extracting the firmware
Picture by Koos van den Hout, license CC-BY-SA
Just like the previous time. I wanted to dump the firmware image, and earlier I couldn't think of a way to do that. Based on Router Archeology: Sitecom WL-330 | Habbie's journal I looked at using the 'md.b' command in u-boot and capturing the output to a file in minicom. I had to figure out the right parameters, but with the hints from Habbie I knew what to look for:
ralink flash device: 0x1000000 at 0xbf000000
Creating 5 MTD partitions on "Ralink SoC physically mapped flash":
0x00000000-0x00030000 : "Bootloader"
0x00030000-0x00040000 : "Mac"
0x00040000-0x00050000 : "Factory"
0x00050000-0x003e0000 : "Kernel"
0x003e0000-0x00400000 : "Config"
So the right command was, in my opinion, md.b over the whole flash. To get there I first had to drop into the u-boot command line interface from the boot menu:
SDRAM bus set to 16 bit 
 SDRAM size =32 Mbytes

Please choose the operation: 
   1: Load system code to SDRAM via TFTP. 
   2: Load system code then write to Flash via TFTP. 
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   6: Load system code then write to Flash via MINIWEB. 
   9: Load Boot Loader code then write to Flash via TFTP. 
 4 
You choosed 4

 0 
(skipping some u-boot messages)
RT3052 # help
loopback   - Ralink eth loopback test !!
?       - alias for 'help'
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootm   - boot application image from memory
bootp   - boot image via network using BootP/TFTP protocol
cp      - memory copy
echo    - echo args to console
erase   - erase FLASH memory
go      - start application at address 'addr'
help    - print online help
loadb   - load binary file over serial line (kermit mode)
md      - memory display
mdio   - Ralink PHY register R/W command !!
miniweb   - call miniweb function
mm      - memory modify (auto-incrementing)
mw      - memory write (fill)
nm      - memory modify (constant address)
printenv- print environment variables
protect - enable or disable FLASH write protection
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
spicmd  - read/write data from/to eeprom or vtss
tftpboot- boot image via network using TFTP protocol
version - print monitor version
RT3052 # help md
md [.b, .w, .l] address [# of objects]
    - memory display

RT3052 # md.b 0xbf000000 0x00400000
bf000000: ff 00 00 10 00 00 00 00 fd 00 00 10 00 00 00 00    ................
bf000010: 1e 02 00 10 00 00 00 00 1c 02 00 10 00 00 00 00    ................
... and a lot of data and about 40 minutes of logging later, I had a file.

Reconstructing the binary image from the file was the next step. Router Archeology: Sitecom WL-330 | Habbie's journal had a remark about using od, but no details, and od has a lot of options. So I searched for a simpler solution and found gmbnomis/uboot-mdb-dump on GitHub, which can be fed a u-boot md capture and will recreate the binary file.

So now I have a 4 megabyte binary file. Time to carve the 5 partitions from the file and dive into them. With a bit of calculating in bc I came up with the following dd commands:
$ dd bs=1K count=192 if=image.bin of=bootloader.bin
$ dd bs=1K skip=192 count=64 if=image.bin of=mac.bin
$ dd bs=1K skip=256 count=64 if=image.bin of=factory.bin
$ dd bs=1K skip=320 count=3648 if=image.bin of=kernel.bin
$ dd bs=1K skip=3968 count=128 if=image.bin of=config.bin
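As an added example (not the author's tooling, and independent of gmbnomis/uboot-mdb-dump), here is a Python script that does the same two steps: rebuild the image from the md.b capture while reporting the gaps and conflicting repeats that a 40 minute serial capture can pick up, then carve it on the MTD layout above and check for the uImage magic at 0xbf050040 to confirm the cut landed where the boot log says it should. The sample capture is constructed, not taken from the real dump.

```python
import re
# One line of U-Boot "md.b" output: 8-digit address, up to 16 hex bytes, ASCII gutter.
MD_LINE = re.compile(r"^([0-9a-f]{8}):((?:\s[0-9a-f]{2}){1,16})(?:\s{2,}.*)?$", re.I)
FLASH_BASE = 0xBF000000    # "ralink flash device: 0x1000000 at 0xbf000000"
UIMAGE_MAGIC = 0x27051956  # U-Boot legacy image header magic
PARTITIONS = [             # MTD layout exactly as the kernel printed it
    ("Bootloader", 0x000000, 0x030000), ("Mac", 0x030000, 0x040000),
    ("Factory", 0x040000, 0x050000), ("Kernel", 0x050000, 0x3e0000),
    ("Config", 0x3e0000, 0x400000)]

def parse_md_capture(text, base=FLASH_BASE):
    """Rebuild the flash image from a terminal capture of 'md.b <base> <len>'.
    Non-md.b lines (prompt, echoed command, noise) are skipped; gaps are padded
    with 0xff (erased flash) and, like repeats whose bytes disagree, reported."""
    chunks, problems = {}, []
    for m in filter(None, (MD_LINE.match(l.strip()) for l in text.splitlines())):
        off = int(m.group(1), 16) - base
        data = bytes.fromhex(m.group(2))        # fromhex ignores whitespace
        if off in chunks and chunks[off] != data:
            problems.append("conflicting data at 0x%08x" % (off + base))
        chunks[off] = data                      # an identical repeat is harmless
    image = bytearray()
    for off in sorted(chunks):
        if off > len(image):
            problems.append("gap at 0x%08x" % (len(image) + base))
            image += b"\xff" * (off - len(image))
        image += chunks[off]
    return bytes(image), problems

def carve(image, partitions=PARTITIONS):
    """Split the image on the MTD boundaries: the same cut as the dd commands."""
    return {name: image[start:end] for name, start, end in partitions}

def uimage_name(kernel_part):
    """Image name from the uImage header 0x40 bytes into the Kernel partition
    (flash 0xbf050040, the 'Booting image at' address); None if no magic there."""
    hdr = kernel_part[0x40:0x80]
    if len(hdr) < 64 or int.from_bytes(hdr[:4], "big") != UIMAGE_MAGIC:
        return None
    return hdr[32:64].split(b"\x00", 1)[0].decode("ascii", "replace")

# Constructed sample capture (not the real dump): prompt line, two data lines,
# one line repeated by a serial glitch, and a missing line at offset 0x20.
SAMPLE = """RT3052 # md.b 0xbf000000 0x40
bf000000: ff 00 00 10 00 00 00 00 fd 00 00 10 00 00 00 00    ................
bf000010: 1e 02 00 10 00 00 00 00 1c 02 00 10 00 00 00 00    ................
bf000010: 1e 02 00 10 00 00 00 00 1c 02 00 10 00 00 00 00    ................
bf000030: 27 05 19 56 00 00 00 00 00 00 00 00 00 00 00 00    '..V............
"""
```

On a real capture, an empty problems list is the signal that the 40 minutes of logging produced a complete image before any time is spent on binwalk.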
The files are still not in an easily recognizable format:
$ file bootloader.bin mac.bin factory.bin kernel.bin config.bin 
bootloader.bin: data
mac.bin:        data
factory.bin:    data
kernel.bin:     data
config.bin:     data
But with binwalk I can dive into the kernel.bin for more details:
$ binwalk kernel.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
64            0x40            uImage header, header size: 64 bytes, header CRC: 0x9FB45741, created: 2013-06-19 07:37:16, image size: 2766283 bytes, Data Address: 0x80000000, Entry Point: 0x80318000, data CRC: 0x3D69A905, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Billion Firmware Image"
128           0x80            LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 5079792 bytes
It's nice to see the uImage header metadata match the boot messages:
## Booting image at bf050040 ...
   Image Name:   Billion Firmware Image
   Created:      2013-06-19   7:37:16 UTC
I extracted the parts with binwalk -e and now I have an uncompressed file named 80, which again is...
_kernel.bin.extracted$ file 80
80: data
Time to dive deeper:
_kernel.bin.extracted$ binwalk -e 80

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
2838588       0x2B503C        Linux kernel version 2.6.21
2869152       0x2BC7A0        SHA256 hash constants, little endian
2920800       0x2C9160        Unix path: /usr/gnemul/irix/
2923088       0x2C9A50        Unix path: /usr/lib/libc.so.1
3017192       0x2E09E8        Unix path: /etc/Wireless/RT2860AP/RT2860AP.dat
3035084       0x2E4FCC        XML document, version: "1.0"
3068075       0x2ED0AB        Neighborly text, "neighbor %.2x%.2x.%.2x:%.2x:%.2x:%.2x:%.2x:%.2x lost on port %d(%s)(%s)"
3181904       0x308D50        CRC32 polynomial table, little endian
3387392       0x33B000        LZMA compressed data, properties: 0x5D, dictionary size: 1048576 bytes, uncompressed size: 7260672 bytes


_kernel.bin.extracted$ cd _80.extracted/
_kernel.bin.extracted/_80.extracted$ ls
33B000  33B000.7z
_kernel.bin.extracted/_80.extracted$ file 33B000
33B000: ASCII cpio archive (SVR4 with no CRC)
Finally? I had to stare at the cpio manpage for a while to find the right options, but it seems to be jackpot time:
_kernel.bin.extracted/_80.extracted$ cpio -i -t < 33B000 
/ramfs2.img
/bin
/bin/qos_run
/bin/cat
/bin/lld2d
/bin/webs
... and a lot more. To extract it:
_kernel.bin.extracted/_80.extracted/rootfs$ cpio -i --no-absolute-filenames < ../33B000
cpio: Removing leading `/' from member names
cpio: dev/mtd4: Cannot mknod: Operation not permitted
cpio: dev/console: Cannot mknod: Operation not permitted
cpio: dev/ttyS1: Cannot mknod: Operation not permitted
And this gives me usable files:
_kernel.bin.extracted/_80.extracted/rootfs$ file bin/busybox 
bin/busybox: ELF 32-bit LSB executable, MIPS, MIPS-II version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped
