Wednesday, October 26, 2011

Disassembling Observa TECOM AW4062 firmware

Hi friends,

This post walks you through the process of disassembling the Observa TECOM AW4062 firmware using firmware-mod-kit.

First of all, download the firmware file from here.

Next, check out the latest version of firmware-mod-kit with Subversion and build it.

cd /opt
svn checkout http://firmware-mod-kit.googlecode.com/svn/trunk/ firmware-mod-kit-read-only
cd firmware-mod-kit-read-only/trunk/src/
make


Since firmware-mod-kit uses binwalk under the hood, we can take a look at binwalk's output first.


binwalk -v AW4062TS-1.4.2.img

Scan Time:    Oct 26, 2011 @ 22:58:51
Magic File:   /usr/local/etc/binwalk/magic.binwalk
Signatures:   74
Target File:  AW4062TS-1.4.2.img
MD5 Checksum: 7985b08e3ca4ef1e3b1f86fff05369dd

DECIMAL       HEX           DESCRIPTION
-------------------------------------------------------------------------------------------------------
12            0xC           LZMA compressed data, properties: 0x80, dictionary size: 838860800 bytes, uncompressed size: 86 bytes
64            0x40          Squashfs filesystem, big endian, version 2.0, size: 1586090 bytes, 485 inodes, blocksize: 65536 bytes, created: Wed Nov  4 10:32:27 2009
1589312       0x184040      LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 4247686 bytes


The next step is to extract the firmware's components.


./extract-ng.sh AW4062TS-1.4.2.img
Firmware Mod Kit (build-ng) 0.71 beta, (c)2011 Craig Heffner, Jeremy Collake
http://www.bitsum.com

Scanning firmware...

DECIMAL       HEX           DESCRIPTION
-------------------------------------------------------------------------------------------------------
64            0x40          Squashfs filesystem, big endian, version 2.0, size: 1586090 bytes, 485 inodes, blocksize: 65536 bytes, created: Wed Nov  4 10:32:27 2009

Extracting 64 bytes of  header image at offset 0
Extracting squashfs file system at offset 64
Extracting 160 byte footer from offset 2789920
Extracting squashfs files...
Firmware extraction successful!
Firmware parts can be found in 'fmk/*'



In the fmk/rootfs folder we can see:


drwxr-xr-x 2 root       root       4096 nov  4  2009 bin
drwxr-xr-x 2 3892510720 1677721600 4096 mar  3  2008 dev
drwxr-xr-x 4 root       root       4096 nov  4  2009 etc
drwxr-xr-x 3 root       root       4096 nov  4  2009 home
drwxr-xr-x 2 root       root       4096 nov  4  2009 lib
lrwxrwxrwx 1 root       root          8 oct 26 22:50 mnt -> /var/mnt
drwxr-xr-x 2 root       root       4096 nov  4  2009 proc
lrwxrwxrwx 1 root       root          4 oct 26 22:50 sbin -> /bin
drwxr-xr-x 2 root       root       4096 nov  4  2009 sys
lrwxrwxrwx 1 root       root          8 oct 26 22:50 tmp -> /var/tmp
drwxr-xr-x 3 root       root       4096 nov  4  2009 usr
drwxr-xr-x 2 root       root       4096 nov  4  2009 var



Inside the bin directory there are some interesting binaries, so let's search them for interesting strings (here, anything referencing /var/):


find . -type f | xargs strings | grep -i /var/

/var/boaUser.passwd
***** Open file /var/boaUser.passwd failed !
/var/boaSuper.passwd
***** Open file /var/boaSuper.passwd failed !
/var/DigestUser.passwd
***** Open file /var/DigestUser.passwd failed !
/var/DigestSuper.passwd
***** Open file /var/DigestSuper.passwd failed!
/var/passwd
/var/tmp
/var/resolv.conf
/var/run/igmp_pid
/var/ftpput_conf.txt
***** Open file /var/ftpput_conf.txt failed !
/bin/ftp -inv < /var/ftpput_conf.txt
/var/ftpget_conf.txt
***** Open file /var/ftpget_conf.txt failed !
/bin/ftp -inv < /var/ftpget_conf.txt
/var/ftpget_img.txt
***** Open file /var/ftpget_img.txt failed !
/bin/ftp -inv < /var/ftpget_img.txt
/var/log/messages.old
/var/log/messages
/var/run/cli.pid
/var/log/messages
/var/config/oldsetting.xml
/var/run/ShowStatus_pid
/var/run/flatfsd.pid
t/var/config/.init
/var/telnetnum
0/var/run/telnetd.pid
/var/run/cli.pid
/var/log/wtmp
/var/run/boa.pid
/var/run/boa.pid
/var/boaUser.passwd
/var/DigestUser.passwd
/var/DigestSuper.passwd
/var/log/messages
/var/config/oldsetting.xml
/var/config/client.pem
/var/config/cacert.pem
echo 1 > /var/wps_start_pbc
echo 1 > /var/wps_start_pin
echo %s > /var/wps_peer_pin
/var/resolv.conf
/var/passwd
/var/tmp
/var/log/messages
/var/log/messages.old
/var/run/udhcpd.pid
/var/udhcpd/udhcpd.leases
/var/ppp/pppoe.conf
/var/ppp/pppoa.conf
/var/run/spppd.pid
/var/run/updatedd.pid
updatedd: Remove /var/run/updatedd.pid file
/var/run/cli.pid
/var/run/configWlanLock
/var/udhcpd/udhcpd.conf
/var/udhcpd/udhcpd.leases
/var/passwd
/var/run/snmpd.pid
/var/run/ftpd.pid
/var/run/ftpd.pid
/var/run/configd.pid
/var/run/ddns.pid
/var/run
/var/run/igmp_pid
/var/run/ShowStatus_pid
/var/run/routed.conf
/var/run/routed.pid
/var/log/
/var/run/iwcontrol.pid
/var/run
iwcontrol:/var/run/%s
/var/auth-%s.fifo
/var/iapp.fifo
/var/autoconf-%s.fifo
/var/wscd-%s.fifo
/var/run/udpechoserver.pid
/var/udhcpd/tr111device.txt
/var/dhcpdMacBase.txt
Open file /var/dhcpdMacBase.txt fail !
/var/udhcpd/DHCPReservedIPAddr.txt
/var/run/udhcpd.pid
/var/udhcpd/udhcpd.leases
/var/run/mini_upnpd.pid
/var/run/tftpd.pid
/var/run/wdg.pid
/var/run/igmp_pid
/var/run//dhcrelay.pid
/var/ppp/ifup_%s
/var/run/spppd.pid
/var/ppp/resolv.conf
/var/ppp/pppoe.conf
/var/ppp/pppoa.conf
/var/ppp/ppp.conf
/var/run/dhcrelay.pid
/var/config/oldsetting.xml
/var/flash_check_fail
/var/wscd.conf
/var/run/wscd
/var/wps/
/var/web/
/var/flash_check_fail
/var/flashweb.gz
/var/ftpStatus.txt
***** Open file /var/ftpStatus.txt failed !
/var/run
/var/log/messages
/var/tmp/messages
link fail: /var/tmp/messages -> %s
/var/tmp/messages.old
link fail: /var/tmp/messages.old -> %s
/var/run/syslogd.pid
/var/wpakey
-x, --pid-file=path         Specify path of PID file. (defaults to /var/run/dnsmasq.pid).
/var/run/dnsmasq.pid
/var/run/spppd.pid
/var/auth-%s.fifo
/var/run/auth-%s.pid
/var/run/mpoad.pid
/var/snmpComStr.conf
Open file /var/snmpComStr.conf failed !
/var/run/snmpd.pid
/var/log/messages
/var/udhcpd/tr111device.txt
/var/run/udhcpd.pid
/var/udhcpd/udhcpd.leases
/var/udhcpc/udhcpc
/var/run/udhcpc.pid
/var/run/udhcpc.pid
/var/ppp/ppp.conf
/var/ppp/pppoe.conf
/var/ppp/pppoa.conf
/var/run/spppd.pid
/var/restime
/var/traceroute.log
Open file /var/traceroute.log failed!
%s > /var/traceroute.log 2>&1
/var/boaUser.passwd
***** Open file /var/boaUser.passwd failed !
/var/boaSuper.passwd
***** Open file /var/boaSuper.passwd failed !
/var/passwd
/var/tmp
/var/log/messages
/var/config/oldsetting.xml
/var/config/client.pem
/var/config/cacert.pem
/var/config/CWMPNotify.txt
/var/run/cwmp.pid
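The find | xargs strings | grep pipeline above drops the name of the binary each string came from. As an added example (not code from the original post), here is a small Python scanner that does the same search per file and flags paths that hold credentials or key material; the SENSITIVE pattern list is an assumption built from the strings output above, and the sample blobs are constructed stand-ins, not bytes from the real firmware.

```python
import re
from pathlib import Path

# Printable ASCII runs of at least MIN_LEN bytes, the same rule strings(1) uses.
MIN_LEN = 4
_STRING_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Anything under /var/ (what the grep in the post matched).
VAR_ANY = re.compile(r"/var/")
# Paths holding credentials or key material: an assumed list derived from the
# strings output above; extend it for other firmware images.
SENSITIVE = re.compile(
    r"/var/(?:boa(?:User|Super)|Digest(?:User|Super))\.passwd|/var/passwd"
    r"|/var/wpakey|/var/config/[^\s]*\.pem|/var/snmpComStr\.conf"
)

def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return printable ASCII runs of at least min_len bytes, like strings(1)."""
    pat = _STRING_RE if min_len == MIN_LEN else re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]

def scan_blob(name: str, data: bytes, pattern: re.Pattern = VAR_ANY) -> list[tuple[str, str]]:
    """(binary, string) pairs for every string matching pattern; unlike
    `find | xargs strings | grep`, each hit keeps the name of its binary."""
    return [(name, s) for s in extract_strings(data) if pattern.search(s)]

def scan_rootfs(root: Path, pattern: re.Pattern = SENSITIVE) -> list[tuple[str, str]]:
    """Walk an extracted rootfs (e.g. fmk/rootfs) and scan every regular file."""
    hits = []
    for f in sorted(root.rglob("*")):
        if f.is_file() and not f.is_symlink():
            hits.extend(scan_blob(str(f.relative_to(root)), f.read_bytes(), pattern))
    return hits

# Constructed sample blobs standing in for binaries under rootfs/bin; they are
# not bytes from the real firmware, only the shape of what strings(1) sees.
SAMPLE = {
    "bin/boa": b"\x7fELF\x01\x02\x00/var/boaUser.passwd\x00" + b"\x90" * 5 + b"/var/run/boa.pid\x00",
    "bin/wpa_default": b"\x7fELF\x01\x02/var/wpakey\x00The default WPA key is %s\x00",
    "bin/udhcpd": b"\x00\x01/var/udhcpd/udhcpd.leases\x00",
}

def scan_samples(pattern: re.Pattern = SENSITIVE) -> list[tuple[str, str]]:
    return [h for name, data in SAMPLE.items() for h in scan_blob(name, data, pattern)]

if __name__ == "__main__":
    for name, s in scan_samples():
        print(f"{name}: {s}")
```

Run scan_rootfs(Path("fmk/rootfs")) against the extracted tree to get the same per-binary report for the real image.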


There is also a binary called wpa_default that reads the key from /var/wpakey. It can be run on the host with qemu-mips, using the extracted rootfs as the sysroot:

cat /var/wepkey && qemu-mips -L rootfs/ rootfs/bin/wpa_default

aaaaaaaaaaaaaaaaaa
The default WPA key is aaaaaaaaaaaaaaaaaa

The home directory holds the files served by the httpd daemon. That daemon is Boa 0.93.15, which has known bugs.

There are more interesting things... but now it's your turn to play with it ;)

Enjoy! (and stay tuned for updates)