Hi friends,
This post walks through unpacking the Observa TECOM AW4062 firmware with firmware-mod-kit.
First of all, download the firmware file from here.
Next, download the latest version of firmware-mod-kit with Subversion and build it.
cd /opt
svn checkout http://firmware-mod-kit.googlecode.com/svn/trunk/ firmware-mod-kit-read-only
cd firmware-mod-kit-read-only/trunk/src/
make
Since firmware-mod-kit uses binwalk under the hood, we can take a look at binwalk's output first.
binwalk -v AW4062TS-1.4.2.img
Scan Time: Oct 26, 2011 @ 22:58:51
Magic File: /usr/local/etc/binwalk/magic.binwalk
Signatures: 74
Target File: AW4062TS-1.4.2.img
MD5 Checksum: 7985b08e3ca4ef1e3b1f86fff05369dd
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------
12 0xC LZMA compressed data, properties: 0x80, dictionary size: 838860800 bytes, uncompressed size: 86 bytes
64 0x40 Squashfs filesystem, big endian, version 2.0, size: 1586090 bytes, 485 inodes, blocksize: 65536 bytes, created: Wed Nov 4 10:32:27 2009
1589312 0x184040 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 4247686 bytes
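To see what binwalk is doing with those three hits, here is an added example (not part of the original post, and not code from binwalk or firmware-mod-kit) that parses the two header types it reported, the squashfs superblock fields and the 13-byte LZMA "alone" header, and applies plausibility checks that explain why the hit at offset 12 (properties 0x80, an 800 MB dictionary, 86 bytes) is a signature false positive while the one at 0x184040 (0x5D, 8 MiB dictionary) is a real stream. The image it scans is constructed inline to mirror the layout above; the heuristics, thresholds and helper names are my own assumptions, not the tool's.

```python
import lzma
import struct

def lzma_props(props):              # (lc, lp, pb) packed in the properties byte; 225+ cannot encode lc<9, lp<5, pb<5
    return None if props >= 225 else (props % 9, props // 9 % 5, props // 45)

def lzma_header(data, off):         # fields of the 13-byte .lzma header at off (needs 14 bytes), or why it is implausible
    props, dict_size, usize = struct.unpack_from("<BIQ", data, off)
    triple, pow2 = lzma_props(props), lambda n: n > 0 and n & (n - 1) == 0
    if triple is None or triple[0] + triple[1] > 4:       # 0x80 gives lc=2, lp=4; lc+lp > 4 is never seen in practice
        return "implausible lc/lp/pb"
    if not 4096 <= dict_size <= 64 << 20 or not (pow2(dict_size) or dict_size % 3 == 0 and pow2(dict_size // 3)):
        return "odd dictionary size"                        # encoders use 2^n or 3*2^n between 4 KiB and 64 MiB
    if usize != 0xFFFFFFFFFFFFFFFF and not 0 < usize < len(data) << 10:   # all-ones means "size not stored"
        return "absurd uncompressed size"
    if data[off + 13] != 0:                                 # the LZMA range coder always emits 0x00 first
        return "stream does not start with 0x00"
    return {"offset": off, "props": props, "lc_lp_pb": triple, "dict_size": dict_size, "uncompressed_size": usize}

def verify_lzma(data, off):         # really decode from off: decoded length if the stream ends cleanly, else None
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    try:
        out = dec.decompress(data[off:])                    # bytes after the stream land in dec.unused_data
    except lzma.LZMAError:
        return None
    return len(out) if dec.eof else None

def squashfs_header(data, off):     # what binwalk prints for a squashfs 1.x/2.x superblock, or None if no magic
    endian = {b"sqsh": ">", b"hsqs": "<"}.get(data[off:off + 4])
    if endian is None or off + 32 > len(data):
        return None
    inodes, size = struct.unpack_from(endian + "II", data, off + 4)
    major, minor = struct.unpack_from(endian + "HH", data, off + 28)
    return {"offset": off, "big_endian": endian == ">", "version": (major, minor), "inodes": inodes,
            "size": size if major < 3 else None}            # squashfs 3+/4 keep the size at another offset

def scan(data):                     # mini binwalk: squashfs by magic, LZMA by heuristics confirmed by a real decode
    hits = []
    for off in range(len(data) - 13):
        sq, lz = squashfs_header(data, off), lzma_header(data, off)
        if sq:
            hits.append(("squashfs", sq))
        elif isinstance(lz, dict) and verify_lzma(data, off):
            hits.append(("lzma", lz))
    return hits

# Constructed image mirroring the AW4062 layout (not the real firmware): 64-byte vendor header carrying the page's
# false-positive header at offset 12, big-endian squashfs 2.0 superblock at 64, padding, a genuine LZMA stream at 256
# (liblzma stores no size field, whereas the firmware's stream stores 4247686) and a 160-byte footer.
PAYLOAD = b"constructed kernel payload for the example " * 400
HEADER = bytes(12) + struct.pack("<BIQ", 0x80, 838860800, 86) + bytes(39)
SUPERBLOCK = struct.pack(">4sII", b"sqsh", 485, 1586090) + bytes(16) + struct.pack(">HH", 2, 0) + bytes(32)
IMAGE = HEADER + SUPERBLOCK + bytes(128) + lzma.compress(PAYLOAD, format=lzma.FORMAT_ALONE) + bytes(160)
```

Running scan(IMAGE) reports only the superblock at 64 and the LZMA stream at 256; lzma_header(IMAGE, 12) names the reason the decoy is dropped.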
The next step is to extract the firmware contents.
./extract-ng.sh AW4062TS-1.4.2.img
Firmware Mod Kit (build-ng) 0.71 beta, (c)2011 Craig Heffner, Jeremy Collake
http://www.bitsum.com
Scanning firmware...
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------
64 0x40 Squashfs filesystem, big endian, version 2.0, size: 1586090 bytes, 485 inodes, blocksize: 65536 bytes, created: Wed Nov 4 10:32:27 2009
Extracting 64 bytes of header image at offset 0
Extracting squashfs file system at offset 64
Extracting 160 byte footer from offset 2789920
Extracting squashfs files...
Firmware extraction successful!
Firmware parts can be found in 'fmk/*'
In the fmk/rootfs folder we can see:
drwxr-xr-x 2 root root 4096 nov 4 2009 bin
drwxr-xr-x 2 3892510720 1677721600 4096 mar 3 2008 dev
drwxr-xr-x 4 root root 4096 nov 4 2009 etc
drwxr-xr-x 3 root root 4096 nov 4 2009 home
drwxr-xr-x 2 root root 4096 nov 4 2009 lib
lrwxrwxrwx 1 root root 8 oct 26 22:50 mnt -> /var/mnt
drwxr-xr-x 2 root root 4096 nov 4 2009 proc
lrwxrwxrwx 1 root root 4 oct 26 22:50 sbin -> /bin
drwxr-xr-x 2 root root 4096 nov 4 2009 sys
lrwxrwxrwx 1 root root 8 oct 26 22:50 tmp -> /var/tmp
drwxr-xr-x 3 root root 4096 nov 4 2009 usr
drwxr-xr-x 2 root root 4096 nov 4 2009 var
Inside the bin directory there are some interesting binaries; let's search them for interesting strings ...
find . -type f | xargs strings | grep -i /var/
/var/boaUser.passwd
***** Open file /var/boaUser.passwd failed !
/var/boaSuper.passwd
***** Open file /var/boaSuper.passwd failed !
/var/DigestUser.passwd
***** Open file /var/DigestUser.passwd failed !
/var/DigestSuper.passwd
***** Open file /var/DigestSuper.passwd failed!
/var/passwd
/var/tmp
/var/resolv.conf
/var/run/igmp_pid
/var/ftpput_conf.txt
***** Open file /var/ftpput_conf.txt failed !
/bin/ftp -inv < /var/ftpput_conf.txt
/var/ftpget_conf.txt
***** Open file /var/ftpget_conf.txt failed !
/bin/ftp -inv < /var/ftpget_conf.txt
/var/ftpget_img.txt
***** Open file /var/ftpget_img.txt failed !
/bin/ftp -inv < /var/ftpget_img.txt
/var/log/messages.old
/var/log/messages
/var/run/cli.pid
/var/log/messages
/var/config/oldsetting.xml
/var/run/ShowStatus_pid
/var/run/flatfsd.pid
t/var/config/.init
/var/telnetnum
0/var/run/telnetd.pid
/var/run/cli.pid
/var/log/wtmp
/var/run/boa.pid
/var/run/boa.pid
/var/boaUser.passwd
/var/DigestUser.passwd
/var/DigestSuper.passwd
/var/log/messages
/var/config/oldsetting.xml
/var/config/client.pem
/var/config/cacert.pem
echo 1 > /var/wps_start_pbc
echo 1 > /var/wps_start_pin
echo %s > /var/wps_peer_pin
/var/resolv.conf
/var/passwd
/var/tmp
/var/log/messages
/var/log/messages.old
/var/run/udhcpd.pid
/var/udhcpd/udhcpd.leases
/var/ppp/pppoe.conf
/var/ppp/pppoa.conf
/var/run/spppd.pid
/var/run/updatedd.pid
updatedd: Remove /var/run/updatedd.pid file
/var/run/cli.pid
/var/run/configWlanLock
/var/udhcpd/udhcpd.conf
/var/udhcpd/udhcpd.leases
/var/passwd
/var/run/snmpd.pid
/var/run/ftpd.pid
/var/run/ftpd.pid
/var/run/configd.pid
/var/run/ddns.pid
/var/run
/var/run/igmp_pid
/var/run/ShowStatus_pid
/var/run/routed.conf
/var/run/routed.pid
/var/log/
/var/run/iwcontrol.pid
/var/run
iwcontrol:/var/run/%s
/var/auth-%s.fifo
/var/iapp.fifo
/var/autoconf-%s.fifo
/var/wscd-%s.fifo
/var/run/udpechoserver.pid
/var/udhcpd/tr111device.txt
/var/dhcpdMacBase.txt
Open file /var/dhcpdMacBase.txt fail !
/var/udhcpd/DHCPReservedIPAddr.txt
/var/run/udhcpd.pid
/var/udhcpd/udhcpd.leases
/var/run/mini_upnpd.pid
/var/run/tftpd.pid
/var/run/wdg.pid
/var/run/igmp_pid
/var/run//dhcrelay.pid
/var/ppp/ifup_%s
/var/run/spppd.pid
/var/ppp/resolv.conf
/var/ppp/pppoe.conf
/var/ppp/pppoa.conf
/var/ppp/ppp.conf
/var/run/dhcrelay.pid
/var/config/oldsetting.xml
/var/flash_check_fail
/var/wscd.conf
/var/run/wscd
/var/wps/
/var/web/
/var/flash_check_fail
/var/flashweb.gz
/var/ftpStatus.txt
***** Open file /var/ftpStatus.txt failed !
/var/run
/var/log/messages
/var/tmp/messages
link fail: /var/tmp/messages -> %s
/var/tmp/messages.old
link fail: /var/tmp/messages.old -> %s
/var/run/syslogd.pid
/var/wpakey
-x, --pid-file=path Specify path of PID file. (defaults to /var/run/dnsmasq.pid).
/var/run/dnsmasq.pid
/var/run/spppd.pid
/var/auth-%s.fifo
/var/run/auth-%s.pid
/var/run/mpoad.pid
/var/snmpComStr.conf
Open file /var/snmpComStr.conf failed !
/var/run/snmpd.pid
/var/log/messages
/var/udhcpd/tr111device.txt
/var/run/udhcpd.pid
/var/udhcpd/udhcpd.leases
/var/udhcpc/udhcpc
/var/run/udhcpc.pid
/var/run/udhcpc.pid
/var/ppp/ppp.conf
/var/ppp/pppoe.conf
/var/ppp/pppoa.conf
/var/run/spppd.pid
/var/restime
/var/traceroute.log
Open file /var/traceroute.log failed!
%s > /var/traceroute.log 2>&1
/var/boaUser.passwd
***** Open file /var/boaUser.passwd failed !
/var/boaSuper.passwd
***** Open file /var/boaSuper.passwd failed !
/var/passwd
/var/tmp
/var/log/messages
/var/config/oldsetting.xml
/var/config/client.pem
/var/config/cacert.pem
/var/config/CWMPNotify.txt
/var/run/cwmp.pid
Besides, there is a binary called wpa_default that reads a file from /var/wpakey.
cat /var/wepkey && qemu-mips -L rootfs/ rootfs/bin/wpa_default
aaaaaaaaaaaaaaaaaa
The default WPA key is aaaaaaaaaaaaaaaaaa
The home directory holds the files served by the httpd server. The httpd server is Boa 0.93.15, which is buggy.
There are more interesting things ... but now it's your turn to play with it ;)
Enjoy! (and stay tuned for updates)