News items for tag english - Koos van den Hout

2022-11-28 I participated in the CQ World-Wide DX Contest CW
CW contest filling the bands on a websdr Last weekend was the CQ World-Wide DX Contest CW and I participated in that contest on parts of Saturday and Sunday. I ended with 189 contacts. Daytime I worked on the 10 and 15 meter bands and when those started to dry out I switched to the 20 meter and 40 meter amateur bands.

Most of the time I chased stations in search+pounce mode but I also called CQ on the 15 meter band on Sunday afternoon. I will need to practise more with calling CQ: stations came to me at higher speeds than I was used to with running PA900UTR and if I didn't decode the callsign and reacted immediately some give up fast.

But my morse is improving, even at contest speeds and I got a nice number of countries in the log. Even countries I didn't have in morse before: PJ2 Curacao, PJ4 Bonaire, CX Uruguay, 3B8 Mauritius, CN Morroco, SV9 Crete. Of those Mauritius is a completely new country in amateur radio for me.

I put in some extra effort to get those new countries in the log, with other stations that I know are confirmed countries I give up after a few tries and try to get another call in the log. Radio contesting is about the numbers: both number of contacts and the multipliers. In this contest the number of CQ zones and countries is the multiplier, so I optimise a bit for that number. And I suspect a lot of the other contestants do the same.

The overview of my single operator multi band effort:
Band   160   80   40   20   15   10
QSO's    0    0   28   33  108   20
Cty      0    0   18   22   31   10
Zone     0    0    5    8   11    6
Pts: 344  Mul: 111 Score: 38184
This was one of those contests where I had it all planned beforehand to participate, made sure everything was working optimally and had it marked in the family calendar. Normal things like weekend shopping still needed time, but the family wasn't surprised I spent a lot of time behind the radio.

Tags: , , ,
2022-11-24 Next steps digging into the hardware are more on the software side
From a perspective of security research I only touched the surface of the security research on the Corinex CXWC-HD200-WNeH and the Cab.Link CLS-D4E2WX1 by finding default credentials for telnet.

To get a further insight I need to first enumerate the network attack surface completely. What services are running, what programs run those services.

The ultimate step would be to build an emulation environment where I can run the programs from the routers under my control and find out about the programs and get a first few steps into reverse engineering. With qemu it is possible to emulate MIPS systems on x86 hardware, so I can build a test environment.

It would need some work to get old enough versions of code and kernels to create a compatible environment. The Corinex router mentions compilation in 2012 but with Linux kernel 2.6.21 which was released 25 april 2007. The Cab.Link router mentions compilation in 2013 but uses Linux kernel 2.6.31 which was released 9 september 2009.

Tags: , ,
2022-11-22 Opening the Cab.Link CLS-D4E2WX1 and getting full access
Cab.Link CLS-D4E2WX1 router mainboard
Cab.Link CLS-D4E2WX1 router mainboard
Picture by Koos van den Hout, license CC-BY-SA
After getting a good look at the Cab.Link CLS-D4E2WX1 from the outside it was time to void the warranty and open the box. The two screws are hiding under the little rubber feet at the front side and after removing those two screws the case opens with a bit of jiggling.

This device has an external 12 volt 1 ampere power supply.

Chips found on the board:
  • Realtek RTL8306E - 6-port 10/100 mbps ethernet switch controller
  • Winbond W9412G6KH-5 - DRAM 128MBIT memory
  • Qualcomm QCA7411L-AL3C - Homeplug AV / IEEE 1901 the ethernet over cable interface I guess
I also see an extra board (leftside of the picture, blue) where the u.fl cable to the wifi antenna starts. It has a few larger chips but those have a label over them. I guess one of them must be the CPU because I haven't seen a chip with that function yet.

The makers of the Cab.Link CLS-D4E2WX1 were kind enough to include 4 pins labeled J30 (bottom left of the picture) which are a very obvious candidate for being the uart port. Again the process for find GND, TX, RX and Vcc was done and the right pins found. With the board in front and the J30 readable the pins are from left to right TX, RX, GND and 3.3 volt. I name the TX and RX pins from the view of the system, so I see data transmitted on TX and I send data to RX.
Read the rest of Opening the Cab.Link CLS-D4E2WX1 and getting full access

Tags: , ,
2022-11-20 I participated in the LZ-DX contest
CW contest filling the bands on a websdr I was planning to make some morse contacts this weekend but when I had time to turn on the radio on Saturday afternoon there was a lot of contest traffic on the morse parts of the bands. This turned out to be the LZ-DX contest.

This was a chance to get some CW contest practise done. This is a CW and SSB contest but I concentrate on CW contesting at the moment. I found out TLF the contest logger supports the LZ-DX contest out of the box so I could start fast.

Propagation wasn't cooperating very well but I did get contacts in the log. The final result:
Band     Qso    Cancelled  Dup  Point  ITU-Mult   LZ-Mult     Score
 80M       0            0    0      0         0         0
 40M      38            0    0    199         7        11
 20M      30            0    0    131         6         9
 15M       0            0    0      0         0         0
 10M       1            0    0      1         1         0
-------------------------------------------------------------------
          69            0    0    331        14        20     11254

Tags: , ,
2022-11-19 Next hardware to poke around in: Cab.Link CLS-D4E2WX1 router
Cab.Link CLS-D4E2WX1 router top
Cab.Link CLS-D4E2WX1 router top
Picture by Koos van den Hout, license CC-BY-SA
The earlier Ethernet over Cable modem/router I poked at didn't come alone, from the same source I also got a Cab.Link CLS-D4E2WX1 cable modem/router.

Doing a search for it finds actual listings for trying to order them wholesale: Buy Wholesale China 7400-eoc Slave Modem, Separate Tv And Ethernet From One Cable, 4 Ethernet Ports Output & 7400-eoc Slave Modem at USD 127 | Global Sources and Eoc Male Slave 4 Ethernet Port With Wifi - Buy Eoc Esclavo Product on Alibaba.com.

Both listings call it an EOC slave. Given the terminology I expected EOC master devices to exist as well and I soon found out those exist and can be pricey. So I'm not going to spend money on this subject, but I may be interested in recycling an EOC master unit.

The unit has one external wifi antenna, 4 ethernet ports, external power supply 12V and 9 leds. The cable connection is via 2 female F connectors with one labeled 'Cable' and one labeled 'TV'. I do notice the case has a lot of ventilation holes.

On the underside is a label with the manufacturer name, model name, a default equipment management IP 10.10.1.250, a Wireless Network Name 'wifi' and the EOC and Wifi Mac addresses as numbers and barcodes, and the serial number as number and barcode. The unit has four little rubber feet (full LRF support) and two of those are hiding screws to open the unit.

On switching the Cab.Link router on I indeed see a wifi network appear with the name 'wifi' which on connecting gives me an IPv4 address in the 192.168.1.x range with the default gateway 192.168.1.1.

Cab.Link CLS-D4E2WX1 router underside
Cab.Link CLS-D4E2WX1 router underside
Picture by Koos van den Hout, license CC-BY-SA
The Cab.Link router has a web interface listening on port 80. It directly asks for http authorization but using admin/admin for username and password gets me right in. Up until now I haven't found any reference to PLC or EOC in the webinterface.

The Cab.Link also has a telnet server running on port 23. It greets me with an OpenWRT banner but the first few attempts at finding username/password do not let me in:
$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
WARNING: telnet is a security risk
OpenWrt login: admin
Password: 
Login incorrect
OpenWrt login: root
Password: 
Login incorrect
OpenWrt login: 
I like the 'telnet is a security risk' warning!

Tags: , ,
2022-11-18 SSL scans showing up in the log
A comment on irc made me have a look at the logs for my haproxy system to get an idea whether any weird vulnerability scan came by. No special vulnerability scan showed up, but my attention was drawn to a number of lines like:
Nov 18 08:05:01 wozniak haproxy[13987]: 2001:470:1:332::28:37618 [18/Nov/2022:08:05:01.900] https-in/1: SSL handshake failure
Nov 18 08:05:44 wozniak haproxy[13987]: 2001:470:1:332::28:27286 [18/Nov/2022:08:05:44.328] https-in/1: SSL handshake failure
Nov 18 08:06:22 wozniak haproxy[13987]: 2001:470:1:332::2e:3137 [18/Nov/2022:08:06:21.962] https-in/1: SSL handshake failure
Nov 18 08:06:22 wozniak haproxy[13987]: 2001:470:1:332::2d:33085 [18/Nov/2022:08:06:22.278] https-in/1: SSL handshake failure
Nov 18 08:06:22 wozniak haproxy[13987]: 2001:470:1:332::2d:17531 [18/Nov/2022:08:06:22.593] https-in/1: SSL handshake failure
Nov 18 08:06:22 wozniak haproxy[13987]: 2001:470:1:332::30:58869 [18/Nov/2022:08:06:22.915] https-in/1: SSL handshake failure
Nov 18 08:06:23 wozniak haproxy[13987]: 2001:470:1:332::2e:46537 [18/Nov/2022:08:06:23.228] https-in/1: SSL handshake failure
Nov 18 08:06:23 wozniak haproxy[13987]: 2001:470:1:332::29:20027 [18/Nov/2022:08:06:23.544] https-in/1: SSL handshake failure
Nov 18 08:06:24 wozniak haproxy[13987]: 2001:470:1:332::31:13423 [18/Nov/2022:08:06:23.872] https-in/1: SSL handshake failure
Nov 18 08:06:24 wozniak haproxy[13987]: 2001:470:1:332::28:56683 [18/Nov/2022:08:06:24.197] https-in/1: SSL handshake failure
Nov 18 08:06:24 wozniak haproxy[13987]: 2001:470:1:332::31:5055 [18/Nov/2022:08:06:24.524] https-in/1: SSL handshake failure
Nov 18 08:06:24 wozniak haproxy[13987]: 2001:470:1:332::2e:20907 [18/Nov/2022:08:06:24.841] https-in/1: SSL handshake failure
If there is one of two of these lines from one address, it is a sign of a client which can't finish the SSL negotiation. With my site that probably means and old client which doesn't understand LetsEncrypt certificates without an extra certification path.

But this is quote a number of SSL errors from the same IPv6 range in a short time. I wondered what was behind this and did a bit of testing, until I found it's simple to cause this by doing an SSL test. For example with the famous Qualys SSL test or with an ssl scan tool. This is logical: ssltest uses a lot of different negotiations to test what actually works.

Tags: , ,
2022-11-18 Current thoughts on hardware hacking
Corinex CXWC-HD200-WNeH uart connected
Corinex CXWC-HD200-WNeH uart connected
Picture by Koos van den Hout, license CC-BY-SA
I closed the case of a vulnerability in the Corinex CXWC-HD200-WNeH with a confirmation from the vendor that this is a device completely out of support. Which confirms the public information I found when I started looking into this device. This was all related to the course in hardware hacking I took and applying the new knowledge.

So now I can look back on this experience and think about my future here. Hardware hacking has serious links to my current job as technical security specialist. In my work I regularly have to look at vulnerabilities and assess the chance and impact of misuse of the vulnerability. With hardware hacking I find vulnerabilities by researching hardware. This helps me understand the chance and impact factor of other vulnerabilities.

There is also a link to my education: part of that was MTS electronics. I learned how to solder, before SMD components were a thing and I think I got some explanation about switching mode power supplies at the end. As I got into computers I didn't do much with this education but the last years in amateur radio have made me get out the soldering iron again.

There is a clear link to my hobby of amateur radio. My interest in amateur radio is linked to wanting to know how things actually work. Hardware hacking is also done with RF signals so I may get into more RF related hardware hacking.

My current thought is that I want to continue in this subject. It's given me joy: getting into a device in new and unexpected ways gives joy! I have learned new things. I noticed I need to feed the brain regularly with new information and actually learning something new is much better brainfood than browsing social media. At the same time social media is the way to learn more about this subject and interact with other people interested in this subject. I ended up on /r/hardwarehacking on reddit and already learned from others and shared some of my own insights!

There is the thing about RFID/NFC security. I have looked into this in the past, mostly by getting the tools to peek into the MiFare classic cards. I am considering going further with this area of hardware hacking. Prices of hacking tools for this area like the proxmark3 or the flipper zero are above the 'nice to try a few things' level. On the other hand I think I could have loads of fun there, and the overlap with amateur radio is very clear.

At the end of this bit of writing: thanks to people who share their hardware hacking experiences on-line! Thanks to Jilles Groenendijk, Router Archeology: Sitecom WL-330 - Habbie's journal, @Flashback Team on youtube, Make Me Hack on youtube, and Boschko Security for sharing their stories and knowledge.

Tags: , , , , ,
2022-11-09 Working on my morse skills
Since passing the morse exam I have continued working on my morse skills. As one of the reasons for wanting to learn morse was to be able to participate in morse radio contesting I still want to increase my speed and accuracy in copying callsigns.

Exercising with tools like lcwo.net and Morse Runner helps improve these skills.

But I'm also working on these skills 'on-air'. At the radio club I've done morse activations of special call PA900UTR a few times and that went ok. I don't get all the calls right the first time but it is a good experience and it's working out.

Tags: , ,
2022-11-03 It seems the rcu_sched messages stopped after I reseated SATA cables
In the beginning of October I shut down the home server conway and reseated the SATA cables in the hopes of having less problems with timeouts. And started the whole system again to also fix other problems.

About a month later I think this worked, I've never seen a rcu_sched message again since doing that reseating.

Tags: , ,
2022-10-31 I found a vulnerability in the Corinex CXWC-HD200-WNeH and I tried to report it
Somewhere between the digging in the Corinex CXWC-HD200-WNeH I found a vulnerability. A combination of a misconfigured network filter and a default account make it quite easy to get into the device and get full access.

I tried to report this vulnerability before publishing about it. Timeline:
  • 24 September 2022 I mailed a general address at Corinex about this
  • 29 September 2022 I mailed someone who wrote about Corinex devices in the Netherlands
  • 28 October 2022 I tried to contact @CorinexCorp on twitter via a mention
All this got exactly zero response.

Update 2022-11-17: @CorinexCorp responded on twitter: Hi Koos. Apologies for a lack of response. Corinex no longer supports CXWC-HD200-WNeH devices. The company exited the consumer market many years ago.

Because this device is out-of-support for years now and should not be in use anywhere anymore, I think I've invested enough effort in trying to report this vulnerability to the right people and I can now publish this and close this chapter.

On to the actual vulnerability. Like a lot of other vulnerabilities this is a case of multiple things coming together.
Read the rest of I found a vulnerability in the Corinex CXWC-HD200-WNeH and I tried to report it

Tags: , ,

IPv6 check

Running test...
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers

RSS
Meningen zijn die van mezelf, wat ik schrijf is beschermd door auteursrecht. Sommige publicaties bevatten een expliciete vermelding dat ze ongevraagd gedeeld mogen worden.
My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated by $Id: newstag.cgi,v 1.39 2022/11/18 15:23:48 koos Exp $ in 0.052560 seconds.