My dive into the Corinex CXWC-HD200-WNeH continues. After getting root on the serial console of the Corinex CXWC-HD200-WNeH
I ordered gear similar to what was used in the hardware hacking course to do my own
hardware hacking. It arrived this week and today I had some time to play with
it.
Using the techniques from the course I found the serial console interface
again. The CPU board has 4 through-holes, which is a likely candidate. The next step
is finding which pin is which using a multimeter. The ground pin has continuity to
any other shield. One pin is at 0 volts without continuity to ground: the
receive data pin (from the viewpoint of the chip); another pin has a varying
voltage near the maximum voltage: this is the transmit data pin (again from
the viewpoint of the chip); and the fourth one has the constant maximum voltage,
which was 3.3 volts in this case.
I switched my USB to serial interface to 3.3 volts and connected the TX on the
system to the RX on the serial interface and the RX on the system to the TX on
the serial interface. I used Dupont cables to make this connection. With
minicom as communications program I opened the right interface:
minicom -D /dev/ttyUSB0.
After powering the router I got unreadable characters on the screen, so I had
to adjust the serial port rate. This router has a serial console at 57600
bps, 8 bits, no parity, 1 stop bit.
And messages came out:
U-Boot 1.1.3 (Jan 31 2013 - 17:23:55)
Board: Ralink APSoC DRAM: 32 MB
relocate_code Pointer at: 81fa8000
flash_protect ON: from 0xBF000000 to 0xBF02435F
Corinex CXWC-HD200-WNeH extracting the firmware
Just like the previous time, I wanted to dump the firmware image, and earlier
I couldn't think of a way. Based on Router Archeology: Sitecom WL-330 on Habbie's journal
I looked at using the 'md.b' command in U-Boot and dumping the contents to
a capture file in minicom. I had to figure out the right parameters, but
with the hints from Habbie I knew what to look for:
SDRAM bus set to 16 bit
SDRAM size =32 Mbytes
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
6: Load system code then write to Flash via MINIWEB.
9: Load Boot Loader code then write to Flash via TFTP.
4
You choosed 4
0
(skipping some u-boot messages)
RT3052 # help
loopback - Ralink eth loopback test !!
? - alias for 'help'
boot - boot default, i.e., run 'bootcmd'
bootd - boot default, i.e., run 'bootcmd'
bootm - boot application image from memory
bootp - boot image via network using BootP/TFTP protocol
cp - memory copy
echo - echo args to console
erase - erase FLASH memory
go - start application at address 'addr'
help - print online help
loadb - load binary file over serial line (kermit mode)
md - memory display
mdio - Ralink PHY register R/W command !!
miniweb - call miniweb function
mm - memory modify (auto-incrementing)
mw - memory write (fill)
nm - memory modify (constant address)
printenv- print environment variables
protect - enable or disable FLASH write protection
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
spicmd - read/write data from/to eeprom or vtss
tftpboot- boot image via network using TFTP protocol
version - print monitor version
RT3052 # help md
md [.b, .w, .l] address [# of objects]
- memory display
RT3052 # md.b 0xbf000000 0x00400000
bf000000: ff 00 00 10 00 00 00 00 fd 00 00 10 00 00 00 00 ................
bf000010: 1e 02 00 10 00 00 00 00 1c 02 00 10 00 00 00 00 ................
... and a lot of data and about 40 minutes of logging later I had a file.
Reconstructing the binary image from the file was the next step. In
Router Archeology: Sitecom WL-330 on Habbie's journal
there was a remark about od but no details, and od has a lot of options.
So I searched for a simpler solution and found gmbnomis/uboot-mdb-dump on GitHub,
which can be fed a U-Boot md capture and will recreate the binary file.
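As an added example (not the author's workflow and not the uboot-mdb-dump tool), here is a small Python reconstructor for a minicom capture of md.b output like the one above. It skips prompt and menu lines and checks that the captured addresses are contiguous, so a line lost to serial noise during the 40-minute dump shows up as an error instead of a silently shifted image. The sample capture is constructed from the two md.b lines shown earlier.

```python
import re
from typing import Dict

# One line of U-Boot "md.b" output as captured by minicom: 8-hex-digit address,
# a colon, up to 16 space-separated hex bytes, then the ASCII column.
# Assumption: bytes are separated by single spaces, as in the capture above.
MD_LINE = re.compile(r"^([0-9a-fA-F]{8}):((?: [0-9a-fA-F]{2}){1,16})(?:\s+.*)?$")

def parse_md_capture(text: str, base: int) -> bytes:
    """Rebuild the dumped region from a capture of 'md.b <base> <count>'.

    Lines that are not md output (prompts, menus, the echoed command, a line
    corrupted by noise) are skipped.  A line repeated with identical content
    is tolerated; a repeat with different content, or any address gap,
    raises ValueError so a damaged capture is noticed rather than producing
    an image whose later partitions are shifted.
    """
    chunks: Dict[int, bytes] = {}
    for raw in text.splitlines():
        m = MD_LINE.match(raw.rstrip("\r"))
        if not m:
            continue
        addr = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2).replace(" ", ""))
        if addr in chunks and chunks[addr] != data:
            raise ValueError(f"conflicting data for {addr:08x}")
        chunks[addr] = data
    image = bytearray()
    expect = base
    for addr in sorted(chunks):
        if addr != expect:
            raise ValueError(f"gap in capture: expected {expect:08x}, got {addr:08x}")
        image += chunks[addr]
        expect = addr + len(chunks[addr])
    return bytes(image)

# Constructed sample capture: the two md.b lines shown above, wrapped in the
# prompt lines minicom would also have logged.
CAPTURE = """RT3052 # md.b 0xbf000000 0x20
bf000000: ff 00 00 10 00 00 00 00 fd 00 00 10 00 00 00 00    ................
bf000010: 1e 02 00 10 00 00 00 00 1c 02 00 10 00 00 00 00    ................
RT3052 #
"""

if __name__ == "__main__":
    img = parse_md_capture(CAPTURE, 0xBF000000)
    print(len(img), "bytes, starting", img[:16].hex())
```

On a real capture, pass the full 4 MB log and write the returned bytes to a file; the length check against the requested md.b count is the first thing to verify before carving.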
So now I have a 4 megabyte binary file. Time to carve the 5 partitions from the
file and dive into them. With a bit of calculating with bc I came up with
the following dd commands: