Trying to get into a Genexis Platinum-4410 router / 2023-03-31

I have been given a Genexis Platinum-4410 router with the reasoning that I like to play with embedded systems and test the security. Well, that is what I did.

How far did I get

I have serial console, I have extracted filesystem images, and I can't get a shell on the router.

The device

It's a router with 4+1 ethernet ports, wifi, two ports for analog telephones and a USB interface.

Looking at it from the network

In this specific instance the 4 ethernet ports, which are logically the 'inside', don't give me a link after the router has booted up. The 1 port which would be the 'outside' or 'WAN' port gives a link and acts as a DHCP client.

The next step was to connect to the wifi network and play with the web interface. This looks like a custom web interface. The default credentials match what is on the sticker on the underside of the router.

The router doesn't have a telnet server listening for 'easy' access.

Opening the case

Next step was to open the case and investigate the mainboard. Chips seen on the mainboard: Mindspeed J83100G System on a Chip (SoC), MXIC MX29GL256FHT2I-90Q flash memory, 2* Etrontech EM68B16CWQD-25H 512 mbit DRAM, Si32260-FM1 dual channel FXS (voip) chip and other electronics.

The mainboard has lots of test points, but no clear UART interface. There is an edge connector which looks like a PCI Express connector but it isn't. I asked for help about this on r/hardwarehacking on reddit ("What is this connector, does it include UART on a Genexis Platinum-4410 ?"), because r/hardwarehacking has helped me before.

This edge connector turned out to be the 'place to be' and with the standard tricks for finding the UART I soon had an idea. But there was nothing to stick a dupont wire on and no PCI express or card-edge breakout cable/board available. So I had to solder wires to the right lanes on the connector. I had permission to damage the router, so that was ok. Soldering within half a millimeter was really hard! This was the first time I actually used my soldering iron for hardware hacking. And a magnifying glass to actually see what I was soldering.

Not getting access via the serial console

Genexis Platinum-4410 router, mainboard edge connector with UART pins. RX and TX from the view of the board (serial data goes out over TX).
Picture by Koos van den Hout, license CC-BY-SA
Finally I had a console connection and got bootup messages. Serial console is at 115200 bps 8n1. The boot loader doesn't call itself U-boot but the available commands do remind me of it. Interesting bootup messages:
Linux version 2.6.33.5-drgos-hrg1000-1.14.1-R (jenkins@jenkins) (gcc version 4.1.2) #1 Thu Aug 13 10:56:11 CEST 2015
CPU: ARMv6-compatible processor [4117b365] revision 5 (ARMv6TEJ), cr=00c5387d
CPU: VIPT aliasing data cache, VIPT aliasing instruction cache
Machine: Comcerto 1000 (EVM)
Somewhere during the boot a login prompt appears, but I can't get in:
drgos login: root
Login incorrect
drgos login: admin
Password: 
Login incorrect
So the login 'root' is ok without password but it's not allowing me a session.

Dumping the filesystem

In the bootup messages is a memory map:
7 cmdlinepart partitions found on MTD device comcertoflash.0
Creating 7 MTD partitions on "comcertoflash.0":
0x000000000000-0x000000020000 : "Bootstrap"
0x000000020000-0x000001ea0000 : "JFFS2"
0x000001ea0000-0x000001f20000 : "Bootloader1"
0x000001f20000-0x000001fa0000 : "Bootloader2"
0x000001fa0000-0x000001fc0000 : "UniqueParam"
0x000001fc0000-0x000001fe0000 : "BootloaderCFG"
0x000001fe0000-0x000002000000 : "SharedCFG"
So I imagined the filesystem image to be somewhere in JFFS2. I had to determine the offset of the flash memory addresses to the system memory addresses, but that could be determined from:
Checking for bootloader images...
0x21EA0000:             drgldr-hrg1000-1.4.1-RC14
0x21F20000:             drgldr-hrg1000-1.4.1-DEV13
The first bootloader is at memory location 0x21EA0000 while it is at flash location 0x01EA0000 so the flash memory must be mapped from memory location 0x20000000. Calculation: the JFFS2 image is at 0x20000000 + 0x00020000 = 0x20020000.
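The same calculation, as an added example that is not part of the original post: the script below parses the two pieces of boot log quoted above (the MTD partition table with flash offsets, and the bootloader scan with memory addresses), derives the base at which flash is mapped into memory, and prints the base/md.b parameters for any partition. It also estimates how long a 16-bytes-per-line md.b dump takes over the console; the 80 characters per line and 10 bits per byte in that estimate are assumptions, as is the rule that the first reported bootloader image sits at the start of the "Bootloader1" partition (the script checks that every reported image lands on a partition start).

```python
# Added example (not from the original post): derive the memory window that
# covers an MTD partition from two things the boot log prints: the MTD
# partition table (flash offsets) and the "Checking for bootloader images"
# lines (memory addresses). The log lines below are copied from the post;
# the 80-chars-per-line and 10-bits-per-byte figures are assumptions.
import re

BOOT_LOG = """\
7 cmdlinepart partitions found on MTD device comcertoflash.0
Creating 7 MTD partitions on "comcertoflash.0":
0x000000000000-0x000000020000 : "Bootstrap"
0x000000020000-0x000001ea0000 : "JFFS2"
0x000001ea0000-0x000001f20000 : "Bootloader1"
0x000001f20000-0x000001fa0000 : "Bootloader2"
0x000001fa0000-0x000001fc0000 : "UniqueParam"
0x000001fc0000-0x000001fe0000 : "BootloaderCFG"
0x000001fe0000-0x000002000000 : "SharedCFG"
Checking for bootloader images...
0x21EA0000:             drgldr-hrg1000-1.4.1-RC14
0x21F20000:             drgldr-hrg1000-1.4.1-DEV13
"""

PART_RE = re.compile(r'^0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"', re.I)
IMAGE_RE = re.compile(r'^0x([0-9a-f]{8}):\s+(\S+)', re.I)


def parse_partitions(log):
    """Return {name: (flash_start, flash_end)} from the MTD table lines."""
    parts = {}
    for line in log.splitlines():
        m = PART_RE.match(line.strip())
        if m:
            parts[m.group(3)] = (int(m.group(1), 16), int(m.group(2), 16))
    return parts


def parse_image_addresses(log):
    """Return [(memory_address, image_name)] from the bootloader scan lines."""
    found = []
    for line in log.splitlines():
        m = IMAGE_RE.match(line.strip())
        if m:
            found.append((int(m.group(1), 16), m.group(2)))
    return found


def flash_base(partitions, images):
    """Memory address at which flash offset 0 is mapped.

    Assumption: the first bootloader image the loader reports lives at the
    start of the "Bootloader1" partition, so base = mem_addr - flash_offset.
    Every other reported image must then also land on a partition start.
    """
    mem_addr, _ = images[0]
    flash_off, _ = partitions["Bootloader1"]
    base = mem_addr - flash_off
    starts = {start for start, _ in partitions.values()}
    if base < 0 or any((addr - base) not in starts for addr, _ in images):
        raise ValueError("bootloader addresses do not fit a single flash base")
    return base


def dump_window(log, name):
    """(memory start, length) to give the loader's md.b for partition `name`."""
    parts = parse_partitions(log)
    base = flash_base(parts, parse_image_addresses(log))
    start, end = parts[name]
    return base + start, end - start


def estimate_hours(length, chars_per_line=80, bps=115200):
    """Rough time to dump `length` bytes as 16-byte md.b lines over the console."""
    lines = -(-length // 16)  # ceiling division
    return lines * chars_per_line * 10 / bps / 3600


if __name__ == "__main__":
    start, length = dump_window(BOOT_LOG, "JFFS2")
    print("base %08x" % start)      # base 20020000
    print("md.b 0 %x" % length)     # md.b 0 1e80000
    print("expect roughly %.1f hours at 115200 bps" % estimate_hours(length))
```

The time estimate lands just under four hours for the JFFS2 partition, which agrees with the duration reported later in the post, so it is a useful sanity check before committing a console session to a long dump.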

Conclusion: a memory dump had to be made from 0x20020000 length 0x1e80000:
hrg1000 > base 20020000
Base Address: 0x20020000
hrg1000 > md.b 0 1e80000
20020000: 85 19 03 00 0c 00 00 00 b1 b0 1e e4 85 19 02 e0    ................
20020010: 98 0d 00 00 6f 6e ad fc 0d 00 00 00 19 09 00 00    ....on..........
The '85 19' is the magic number for JFFS2 filesystems so I am on the right track. This dump took a while, about 4 hours(!). I logged the dump with the logfile option from tio, removed all other logging so I only had md.b output and converted it to a binary file using the uboot-mdb-dump tool (GitHub: gmbnomis/uboot-mdb-dump):
koos@moore:~/genexis$ python3 ../src/uboot-mdb-dump/uboot_mdb_to_image.py < memwork.asc > genexis-image.bin
koos@moore:~/genexis$ sha256sum genexis-image.bin
e6dd3b2151322af3d22933295580264e92281c73325ab2dbda339280654f2639  genexis-image.bin
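An added example of the md.b-to-image conversion, written here for this page and not the uboot-mdb-dump tool the post used: it rebuilds bytes from the captured console log, refuses a capture in which a line was dropped or repeated (a real risk in a four-hour serial session, and one a checksum of the final file cannot reveal on its own), and then walks JFFS2 node headers from the start of the image to confirm the dump begins on a JFFS2 partition rather than just sharing its first two bytes with one. The two dump lines are the ones quoted above; the prompt lines are constructed noise of the kind a tio logfile contains. The JFFS2 header layout (magic, nodetype, totlen, hdr_crc, 4-byte node alignment) and its CRC variant (CRC-32, initial value 0, no final inversion) are from the JFFS2 on-disk format.

```python
# Added example (not from the post, and not the uboot-mdb-dump tool it used):
# turn a captured md.b console log back into bytes, refuse silently dropped or
# duplicated lines, and walk JFFS2 node headers to confirm the dump really
# starts on a JFFS2 partition. The two dump lines are copied from the post;
# the prompt lines are constructed noise of the kind a tio logfile has.
import re
import struct
import zlib

MDB_LOG = """\
hrg1000 > base 20020000
Base Address: 0x20020000
hrg1000 > md.b 0 1e80000
20020000: 85 19 03 00 0c 00 00 00 b1 b0 1e e4 85 19 02 e0    ................
20020010: 98 0d 00 00 6f 6e ad fc 0d 00 00 00 19 09 00 00    ....on..........
"""

# "AAAAAAAA: " followed by 16 space-separated hex bytes; the ASCII column is ignored.
MDB_LINE = re.compile(r"^([0-9A-Fa-f]{8}): ((?:[0-9A-Fa-f]{2} ){15}[0-9A-Fa-f]{2})")

JFFS2_MAGIC = 0x1985
JFFS2_NODE_ACCURATE = 0x2000


def mdb_to_bytes(log):
    """Reassemble md.b output; raise on a gap or repeat in the address column."""
    out = bytearray()
    expected = None
    for line in log.splitlines():
        m = MDB_LINE.match(line.strip())
        if not m:
            continue  # prompt, command echo, or other console noise
        addr = int(m.group(1), 16)
        if expected is not None and addr != expected:
            raise ValueError("dump not contiguous at 0x%08x (expected 0x%08x)"
                             % (addr, expected))
        out += bytes.fromhex(m.group(2).replace(" ", ""))
        expected = addr + 16
    return bytes(out)


def jffs2_hdr_crc(header8):
    """JFFS2 hdr_crc over the first 8 header bytes: CRC-32, init 0, no final inversion."""
    return zlib.crc32(header8, 0xFFFFFFFF) ^ 0xFFFFFFFF


def walk_jffs2_nodes(image):
    """Return [(offset, nodetype, totlen, crc_ok)] for each node header reachable in `image`."""
    nodes = []
    off = 0
    while off + 12 <= len(image):
        magic, nodetype, totlen, hdr_crc = struct.unpack_from("<HHII", image, off)
        if magic != JFFS2_MAGIC:
            break  # not a node header: end of data, erased area, or not JFFS2 at all
        crc_ok = jffs2_hdr_crc(image[off:off + 8]) == hdr_crc
        nodes.append((off, nodetype, totlen, crc_ok))
        if totlen < 12:
            break  # a header shorter than itself means corrupt data
        off += (totlen + 3) & ~3  # nodes are 4-byte aligned
    return nodes


if __name__ == "__main__":
    image = mdb_to_bytes(MDB_LOG)
    print("%d bytes, first bytes %s" % (len(image), image[:2].hex()))
    for off, nodetype, totlen, crc_ok in walk_jffs2_nodes(image):
        accurate = bool(nodetype & JFFS2_NODE_ACCURATE)
        # On NOR flash JFFS2 obsoletes a node by clearing the ACCURATE bit in
        # place, so "CRC mismatch + ACCURATE clear" is a stale node, not damage.
        print("node @%d nodetype 0x%04x totlen %d hdr_crc_ok %s accurate %s"
              % (off, nodetype, totlen, crc_ok, accurate))
```

On the two quoted lines the walker finds a 12-byte node at offset 0 (a cleanmarker-sized header with the ACCURATE bit cleared) followed by a node of type 0xe002, the JFFS2 inode node type, of 3480 bytes; walking a full dump the same way and stopping at the first bad magic tells you how much of the partition is live filesystem before handing it to jefferson.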
Extracting files took a few steps. First I had to extract the JFFS2 filesystem, which binwalk didn't do right. But jefferson (GitHub: onekey-sec/jefferson, a JFFS2 filesystem extraction tool) can do this fine.
koos@moore:~/genexis$ jefferson genexis-image.bin -d outdir
koos@moore:~/genexis$ cd outdir/01/
koos@moore:~/genexis/outdir/01$ ls -l
-rw-r--r-- 1 koos koos 11602938 Mar 31 18:25 drgos-hrg1000-1.14.1-R.img
koos@moore:~/genexis/outdir/01$ binwalk -e drgos-hrg1000-1.14.1-R.img

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             uImage header, header size: 64 bytes, header CRC: 0xA03AB861, created: 2015-08-13 08:56:20, image size: 11602874 bytes, Data Address: 0x80808000, Entry Point: 0x80808000, data CRC: 0x8EA552DF, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: gzip, image name: "drgos-hrg1000-1.14.1-R"
64            0x40            gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)


koos@moore:~/genexis/outdir/01$ cd _drgos-hrg1000-1.14.1-R.img.extracted/
koos@moore:~/genexis/outdir/01/_drgos-hrg1000-1.14.1-R.img.extracted$ ls -l
-rw-rw-r-- 1 koos koos 13522144 Mar 31 19:35 40
koos@moore:~/genexis/outdir/01/_drgos-hrg1000-1.14.1-R.img.extracted$ file 40
40: data
koos@moore:~/genexis/outdir/01/_drgos-hrg1000-1.14.1-R.img.extracted$ binwalk -e 40

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
114688        0x1C000         gzip compressed data, maximum compression, from Unix, last modified: 2015-08-13 08:54:30
10169709      0x9B2D6D        Certificate in DER format (x509 v3), header length: 4, sequence length: 5376
10331925      0x9DA715        Certificate in DER format (x509 v3), header length: 4, sequence length: 5528
10567421      0xA13EFD        Certificate in DER format (x509 v3), header length: 4, sequence length: 1332
10586793      0xA18AA9        Certificate in DER format (x509 v3), header length: 4, sequence length: 5380
10591989      0xA19EF5        Certificate in DER format (x509 v3), header length: 4, sequence length: 5380
11022092      0xA82F0C        SHA256 hash constants, little endian
12037765      0xB7AE85        Certificate in DER format (x509 v3), header length: 4, sequence length: 5388
12038633      0xB7B1E9        Certificate in DER format (x509 v3), header length: 4, sequence length: 5396
12038673      0xB7B211        Certificate in DER format (x509 v3), header length: 4, sequence length: 5388
12039673      0xB7B5F9        Certificate in DER format (x509 v3), header length: 4, sequence length: 1292
12163733      0xB99A95        Certificate in DER format (x509 v3), header length: 4, sequence length: 1324
12163737      0xB99A99        Certificate in DER format (x509 v3), header length: 4, sequence length: 1292
12163741      0xB99A9D        Certificate in DER format (x509 v3), header length: 4, sequence length: 1304
12330109      0xBC247D        Certificate in DER format (x509 v3), header length: 4, sequence length: 5396
12330149      0xBC24A5        Certificate in DER format (x509 v3), header length: 4, sequence length: 5388
12333797      0xBC32E5        Certificate in DER format (x509 v3), header length: 4, sequence length: 5388
12333897      0xBC3349        Certificate in DER format (x509 v3), header length: 4, sequence length: 5388
12334005      0xBC33B5        Certificate in DER format (x509 v3), header length: 4, sequence length: 5380
12334073      0xBC33F9        Certificate in DER format (x509 v3), header length: 4, sequence length: 5380
12672088      0xC15C58        Linux kernel version 2.6.33
12710576      0xC1F2B0        DES SP2, little endian
12711088      0xC1F4B0        DES SP1, little endian
12734916      0xC251C4        CRC32 polynomial table, little endian
13283808      0xCAB1E0        Neighborly text, "NeighborSolicitsipv6 ah init: can't add xfrm type"
13283828      0xCAB1F4        Neighborly text, "NeighborAdvertisementsadd xfrm type"
13288511      0xCAC43F        Neighborly text, "neighbor %.2x%.2x.%.2x:%.2x:%.2x:%.2x:%.2x:%.2x lost on port %d(%s)(%s)"
13456659      0xCD5513        LZMA compressed data, properties: 0xC0, dictionary size: 0 bytes, uncompressed size: 32 bytes

koos@moore:~/genexis/outdir/01/_drgos-hrg1000-1.14.1-R.img.extracted$ cd _40.extracted/
koos@moore:~/genexis/outdir/01/_drgos-hrg1000-1.14.1-R.img.extracted/_40.extracted$ file 1C000
1C000: ASCII cpio archive (SVR4 with no CRC)
koos@moore:~/genexis/outdir/01/_drgos-hrg1000-1.14.1-R.img.extracted/_40.extracted$ mkdir rootimage ; cd rootimage
koos@moore:~/genexis/outdir/01/_drgos-hrg1000-1.14.1-R.img.extracted/_40.extracted/rootimage$ cpio -i --no-absolute-filenames < ../1C000
cpio: Removing leading `/' from member names
44472 blocks
koos@moore:~/genexis/outdir/01/_drgos-hrg1000-1.14.1-R.img.extracted/_40.extracted/rootimage$ ls -la
total 72
drwxrwxr-x 17 koos koos 4096 Mar 31 20:33 .
drwxrwxr-x  3 koos koos 4096 Mar 31 20:33 ..
drwxr-xr-x  2 koos koos 4096 Mar 31 20:33 bin
drwxr-xr-x  2 koos koos 4096 Mar 31 20:33 config
drwxr-xr-x  2 koos koos 4096 Mar 31 20:33 dev
drwxr-xr-x 19 koos koos 4096 Mar 31 20:33 etc
-rwxr-xr-x  1 koos koos 2463 Mar 31 20:33 init
-rw-r--r--  1 koos koos    0 Mar 31 20:33 .init_enable_core
drwxr-xr-x  2 koos koos 4096 Mar 31 20:33 jffs
drwxr-xr-x 12 koos koos 4096 Mar 31 20:33 lib
drwxr-xr-x  2 koos koos 4096 Mar 31 20:33 mnt
drwxr-xr-x  2 koos koos 4096 Mar 31 20:33 proc
drwxr-xr-x  2 koos koos 4096 Mar 31 20:33 rom
drwxr-xr-x  2 koos koos 4096 Mar 31 20:33 root
drwxr-xr-x  2 koos koos 4096 Mar 31 20:33 sbin
drwxr-xr-x  2 koos koos 4096 Mar 31 20:33 sys
drwxr-xr-x  4 koos koos 4096 Mar 31 20:33 tmp
drwxr-xr-x 10 koos koos 4096 Mar 31 20:33 usr
lrwxrwxrwx  1 koos koos    4 Mar 31 20:33 var -> /tmp
drwxr-xr-x  6 koos koos 4096 Mar 31 20:33 www
And the obvious reason I did not get in:
koos@moore:~/genexis/outdir/01/_drgos-hrg1000-1.14.1-R.img.extracted/_40.extracted/rootimage$ grep root etc/passwd
root:*:0:0:root:/root:/bin/false
So no shell on the router... yet.
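As an added example that is not part of the post, the grep above generalised into a small audit of every account in an extracted firmware's /etc/passwd: for each entry it classifies the password field (empty, locked with `*` or `!`, deferred to /etc/shadow with `x`, or an inline hash) and the shell, and combines the two into whether an interactive login is possible at all. The root line is the one found on the router; the other three entries are constructed to show the cases worth flagging.

```python
# Added example (not part of the post): audit an extracted root filesystem's
# /etc/passwd. The root line is the router's; the other entries are constructed.
PASSWD_SAMPLE = """\
root:*:0:0:root:/root:/bin/false
admin::500:500:constructed, empty password:/home/admin:/bin/sh
support:x:501:501:constructed, hash lives in shadow:/home/support:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/sbin/nologin
"""

NON_INTERACTIVE_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def classify_password(field):
    """Meaning of the second passwd field for a login attempt."""
    if field == "":
        return "empty"   # login succeeds with no password at all
    if field == "x":
        return "shadow"  # hash is in /etc/shadow, which must be audited too
    if field.startswith(("*", "!")):
        return "locked"  # no password can ever match this entry
    return "hash"        # hash stored inline (old-style passwd)


def audit_passwd(text):
    """Return {user: info} with a verdict on whether an interactive login is possible."""
    report = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry, not a valid account
        user, pw, uid, _gid, _gecos, _home, shell = fields
        pw_state = classify_password(pw)
        interactive = shell not in NON_INTERACTIVE_SHELLS
        report[user] = {
            "uid": int(uid),
            "password": pw_state,
            "shell": shell,
            # a session needs both a passable password check and a real shell;
            # "shadow"/"hash" count as passable because the hash may be known or weak
            "login_possible": interactive and pw_state != "locked",
        }
    return report


def findings(report):
    """Entries that deserve a closer look, one line each, in username order."""
    out = []
    for user, info in sorted(report.items()):
        if info["login_possible"] and info["password"] == "empty":
            out.append("%s: interactive shell with no password" % user)
        elif info["login_possible"]:
            out.append("%s: interactive shell gated by a password hash, review it" % user)
        if info["uid"] == 0 and user != "root":
            out.append("%s: extra uid 0 account" % user)
    return out


if __name__ == "__main__":
    report = audit_passwd(PASSWD_SAMPLE)
    for user, info in report.items():
        print("%-8s password=%-6s shell=%-14s login_possible=%s"
              % (user, info["password"], info["shell"], info["login_possible"]))
    for line in findings(report):
        print("finding:", line)
```

For the router's root entry the verdict is "locked" plus /bin/false, so no session is possible through login regardless of which password is tried, which is exactly what the console showed.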
