Opening the Cab.Link CLS-D4E2WX1 and getting full access / 2022-11-22

Cab.Link CLS-D4E2WX1 router mainboard
Picture by Koos van den Hout, license CC-BY-SA
After getting a good look at the Cab.Link CLS-D4E2WX1 from the outside it was time to void the warranty and open the box. The two screws are hiding under the little rubber feet at the front side and after removing those two screws the case opens with a bit of jiggling.

This device has an external 12 volt 1 ampere power supply.

Chips found on the board:
  • Realtek RTL8306E - 6-port 10/100 Mbps ethernet switch controller
  • Winbond W9412G6KH-5 - DRAM 128MBIT memory
  • Qualcomm QCA7411L-AL3C - Homeplug AV / IEEE 1901, the ethernet over cable interface I guess
I also see an extra board (left side of the picture, blue) where the u.fl cable to the wifi antenna starts. It has a few larger chips but those have a label over them. I guess one of them must be the CPU because I haven't seen a chip with that function yet.

The makers of the Cab.Link CLS-D4E2WX1 were kind enough to include 4 pins labeled J30 (bottom left of the picture) which are a very obvious candidate for being the uart port. Again the process for finding GND, TX, RX and Vcc was done and the right pins found. With the board in front and the J30 readable the pins are from left to right TX, RX, GND and 3.3 volt. I name the TX and RX pins from the view of the system, so I see data transmitted on TX and I send data to RX.

The uart voltage is 3.3 volt. The uart speed turned out to be 115200 bps in this device. Connecting a terminal program via a serial interface gives bootup messages, with U-Boot
U-Boot 1.1.4-g2cba69c0-dirty (May 20 2013 - 20:04:48)

AP121 (ar9331) U-boot
and Linux kernel
Linux version 2.6.31 (root@ubuntu) (gcc version 4.3.3 (GCC) ) #3 Fri Nov 29 13:24:10 CST 2013
The system is clearly based on OpenWrt which the telnet interface also confirms. The web interface avoids mentioning this.

After boot pressing enter on the serial interface gives a welcome message and a root prompt:
BusyBox v1.15.3 (2013-11-21 11:54:18 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  ______   ______  _______  .______        ______    __   _______  
 /      | /      ||       \ |   _  \      /  __  \  |  | |       \ 
|  ,----'|  ,----'|  .--.  ||  |_)  |    |  |  |  | |  | |  .--.  |
|  |     |  |     |  |  |  ||      /     |  |  |  | |  | |  |  |  |
|  `----.|  `----.|  '--'  ||  |\  \----.|  `--'  | |  | |  '--'  |
 \______| \______||_______/ | _| `._____| \______/  |__| |_______/ 

Copyright (c) 2013 ITTIM, Inc. ------------------------------------
* All Rights Reserved. 
* ITTIM Confidential and Proprietary.
-------------------------------------------------------------------
root@ccdroid:/#
I viewed the /etc/passwd file which had the encrypted root password:
root:$1$$zdlNHiCDxYDfeF4MZL.H3/:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
Searching for $1$$zdlNHiCDxYDfeF4MZL.H3/ finds "💀 Exploit for ZTE Mobile Hotspot MS910S Backdoor / Hardcoded Password CVE-2016-6301 CVE-2013-1813 CVE-2015-9261 CVE-2016-2147 CVE-2019-3422 CVE-2017-16544 CVE-2016-2148 CVE-2011-5325 CVE-2011-2716" with the hardcoded password 5up for root, which indeed works over telnet:
koos@kernighan:~$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
WARNING: telnet is a security risk
OpenWrt login: root
Password: 


BusyBox v1.15.3 (2013-11-21 11:54:18 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  ______   ______  _______  .______        ______    __   _______  
 /      | /      ||       \ |   _  \      /  __  \  |  | |       \ 
|  ,----'|  ,----'|  .--.  ||  |_)  |    |  |  |  | |  | |  .--.  |
|  |     |  |     |  |  |  ||      /     |  |  |  | |  | |  |  |  |
|  `----.|  `----.|  '--'  ||  |\  \----.|  `--'  | |  | |  '--'  |
 \______| \______||_______/ | _| `._____| \______/  |__| |_______/ 

Copyright (c) 2013 ITTIM, Inc. ------------------------------------
* All Rights Reserved. 
* ITTIM Confidential and Proprietary.
-------------------------------------------------------------------
root@ccdroid:~# 
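An added example (not from the original post): a small Python check a firmware reviewer could run over a passwd file like the one above. It flags hashes kept in the world-readable passwd file, the md5crypt scheme, and the empty salt between `$1$` and the next `$`, which is why the same hash string turns up in a web search for another vendor's device. The function names and finding texts are made up for this example; the sample input is the passwd listing from the post.

```python
"""Audit passwd-style lines from a firmware image for exposed password hashes."""

# Sample input: the /etc/passwd lines shown in the post.
SAMPLE_PASSWD = """\
root:$1$$zdlNHiCDxYDfeF4MZL.H3/:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
"""

SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}
WEAK_SCHEMES = {"md5crypt", "descrypt"}
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def classify(field):
    """Return (scheme, salt) for a password field, or (None, None) if it holds no hash."""
    if field in ("", "x") or field[0] in "*!":
        return None, None  # empty, shadowed or locked: no hash stored here
    if field.startswith("$"):
        parts = field.split("$")  # '$1$salt$hash' -> ['', '1', 'salt', 'hash']
        scheme = SCHEMES.get(parts[1], "unknown") if len(parts) >= 4 else "unknown"
        # The salt is the field before the hash (also with an optional 'rounds=' field).
        return scheme, (parts[-2] if scheme != "unknown" else None)
    return "descrypt", field[:2]  # traditional crypt(3): first two characters are the salt

def audit(passwd_text):
    """Return {account: [findings]} for every account with a password problem."""
    report = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a passwd entry
        name, pw, uid, shell = fields[0], fields[1], fields[2], fields[6]
        findings = ["empty password field: login without a password"] if pw == "" else []
        scheme, salt = classify(pw)
        if scheme:
            findings.append("hash stored in world-readable passwd, not in shadow")
            if scheme in WEAK_SCHEMES:
                findings.append(f"weak scheme: {scheme}")
            if salt == "":
                findings.append("empty salt: identical hash on every device with this password")
            if uid == "0" and shell not in NOLOGIN_SHELLS:
                findings.append("uid 0 with a login shell")
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    for account, findings in audit(SAMPLE_PASSWD).items():
        print("\n".join(f"{account}: {f}" for f in findings))
```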
Having access also means I can ask for what kind of CPU is in there:
root@ccdroid:/# cat /proc/cpuinfo
system type             : Atheros AR9330 (Hornet)
processor               : 0
cpu model               : MIPS 24Kc V7.4
BogoMIPS                : 266.24
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 16
extra interrupt vector  : yes
hardware watchpoint     : yes, count: 4, address/irw mask: [0x0004, 0x0890, 0x0020, 0x0ff8]
ASEs implemented        : mips16
shadow register sets    : 1
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

root@ccdroid:/# 
The Atheros AR9330 is a complete 'System on a Chip' (SoC) with a MIPS CPU and 802.11n wifi. According to the information I can find this chip also has a 4 port ethernet switch, so I wonder why the router also has a Realtek RTL8306E chip. Maybe to connect to the HomePlug interface chip?

There is also another weird thing: the Winbond W9412G6KH-5 memory chip is on the main board, the little blue board seems to have the CPU. This means all communication with the RAM goes over the bridge between the CPU board and the main board.

From the boot messages I can also see there is a flash memory chip, but I don't know the type yet. Trying to read the markings from the chips is hard with some of the chips, including the chip I see as a candidate for being a flash eprom. The boot messages say something about the flash memory:
Flash Manuf Id 0xc8, DeviceId0 0x40, DeviceId1 0x17
flash size 8388608, sector count = 128
Flash:  8 MB
Manufacturer 0xc8 is 'ESMT' according to some searching, Elite Semiconductor Memory Technology in full. But that's not helping me identify the flash chip. Searching for "Flash Manuf Id 0xc8, DeviceId0 0x40, DeviceId1 0x17" finds this is also used in the TP-Link Archer C60 version 1 according to "Tp link archer c60 bad magic number - Installing and Using OpenWrt - OpenWrt Forum", and according to "[OpenWrt Wiki] TP-Link Archer C60" this is a W25Q64, which turns out to be a Winbond W25Q64 with 8 pins, so probably the 8-pin chip I suspected.

Browsing around on the filesystem finds /usr/sbin/wshaper.htb which is my old friend The Wonder Shaper.

I was again interested whether I could find any mention of plc on the filesystem, but I found absolutely nothing.

My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.