Today, you can find serial ports almost everywhere. And when you find one, you know, you cannot resist access it :)
Usually, those aren’t RS232, but so-called TTL-level serial ports: this means that they use diferent voltage levels (0 – +5v vs. -12 – +12v), and you need an adapter to connect them to your computer.
So, this nifty little device comes to hand: the USB-BUB II from Modern Device. As you can suppose, it’s at its second incarnation.
The USB-BUB II it’s based around the FT232R chip: it connects to an usb port, and provides a TTL serial, complete with DTR and CTS signals. But the board has a couple of handy – and unusual – features: first of all there’s a polyfuse, to protect the USB line from short circuits. Also, two smd LEDs – one green and one red – that shows activity on the RX and TX line.
The board can also deliver 3.3v or 5v power – but don’t count too much on that, the maximum current is 50mA. In case you need some power, however, on the back of the board there’s also space to solder an external voltage regulator.
The BUB use is straightforward: drivers are available for Windows, OS X and Windows CE (!), and recent versions of Linux kernel supports it natively. Also, the board is delivered fully mounted, you just need to solder the header, or the wires, and connect the usb. It works pretty well at all the speeds I tried, and it doesn’t suffer too much from interferences, from what I can say.
Overall, a pretty useful device – a bit pricey (€13,50, shipped in the EU, from The JeeLabs Shop), but still a good choice.
Now that we have gained access to the box, let’s start gather some info – this is the very first step if we want to try to build a custom firmware.
First of all, let’s make a dump of the flash.
We said that the router has a telnet access: when we log in, we’re in the command line shell of OpenRG. From there we can control various aspects of the box, but if we type ‘system shell‘ and press enter… voilà! We’re in a busybox shell!
We can put a pendrive in one of the USB ports and mount it:
mount /dev/sda1 /mnt/flash
then use dd to dump the flash:
dd if=/dev/mtdblock0 of=/mnt/flash/flashimage.img bs=1m
Now we have a 16Mb file, but what there’s inside?
We saw that our router uses U-Boot as its bootloader. This is a good thing: U-Boot is open source, and this version keeps a bunch of useful commands.
With flayout, we have the layout of the flash:
Section 00 Type UNKNOWN Address 0xBF000000 MaxSize 0x00060000
Section 01 Type IMAGE Address 0xBF060000 MaxSize 0x003E0000
Section 02 Type IMAGE Address 0xBF440000 MaxSize 0x00AE0000
Section 03 Type CONF Address 0xBFF20000 MaxSize 0x00060000
Section 04 Type CONF Address 0xBFF80000 MaxSize 0x00060000
Section 05 Type FACTORY Address 0xBFFE0000 MaxSize 0x0001FC00
Section 06 Type LAYOUT Address 0xBFFFFC00 MaxSize 0x00000400
Also, from bdinfo, we know at wich address is the flash start:
flashstart = 0xBF000000
Now, we can split our flash image:
dd if=flashimage.img of=uboot.img ibs=1 count=$((0x00060000))
dd if=flashimage.img of=openrg_1.img ibs=1 skip=$((0x00060000)) count=$((0x003E0000))
dd if=flashimage.img of=openrg_2.img ibs=1 skip=$((0x00440000)) count=$((0x00AE0000))
dd if=flashimage.img of=conf_1.img ibs=1 skip=$((0x00F20000)) count=$((0x00060000))
dd if=flashimage.img of=conf_2.img ibs=1 skip=$((0x00F80000)) count=$((0x00060000))
dd if=flashimage.img of=conf_factory.img ibs=1 skip=$((0x00FE0000)) count=$((0x0001FC00))
dd if=flashimage.img of=layout.img ibs=1 skip=$((0x00FFFC00)) count=$((0x00000400))
Ok, time to fire up an hexdecimal editor :)
Since someone asked for it, here are all the pieces of flash dump that shouldn’t contain sensitive data. I haven’t been unable to unpack the openrg images, yet, so if you find a way, please drop me a note.
Also, here’s the stuff that the router downloaded from the provisioning server during the last update:
ED_ARGO95_1.3.19.kit (update image)
ED_ARGO95_1.3.19.txt (default configuration)
Update 2 (03/02/2012)
And here are also the two missing pieces, configuration area and factory area.
I did my best to remove all the sensitive data, but I’m fairly sure I missed something.
Update 3 (22/03/2012)
I finally fetched from the Fastweb server the new firmware releases, the ones with interface locked out.
Every now and then we fall in love with an appliance, a tool, a piece of equipment. This time, it was a soldering station… but let’s start from the beginning. Being in need of a soldering station, I started to look for something relatively affordable, but with a good quality.
Here in Europe, the obvious choice seems some low end Weller model, but: a) they are greatly overpriced and b) the non-professional line has received very poor reviews.
After reading a bunch of forum threads and reviews, a company name stood out: Hakko. Everyone loved its products, especially the venerable model 936 (out of production), and its successor, the FX-888. Buy it here it’s not easy: almost nobody sells it online, even on the bay. Hopefully I’ve been able to get it through a local reseller.
Packaging and apparence
The FX-888 comes in a robust yellow cardboard box: opening it we find the manuals (a couple of sheets, actually) and the iron. Under that, there’s the station and the iron holder.
Hakko has made quite a nice job with the look of the soldering station: it’s small (a nice feature when you’ve little space on the desk), it has a solid feel and a modern look. The temperature is written in Celsius and Fahrenheit, and a red led indicates when the temperature is reached. Probably a display with a digital readout of the iron temperature would’ve made a nice addon, but is more a whim than a real need.
The FX-888 is a pleasure to use: the iron is light and comfortable, and the cord is very flexible. It reaches the temperature very quickly, and is extremely accurate. Also, during work, it keeps the temperature very well, something that isn’t found easily in the low-end stations.
The holder is solid and spots three kinds of cleaners: the usual sponge, a cleaning rubber – to clean the iron without water, thus help in keeping the temperature – and a cleaning wire, to remove the oxide while keeping a bit of solder on the tip.
The station is ESD safe (the iron is grounded), thus reducing the risk of electrostatic discharges that can damage your circuits. Also, the control knob can be locked in position, and under the base there’s a little screwdriver that can be used for thermal corrections.
Of course this cannot be a fair review: I started the piece stating my infatuation for the object in question… but I felt the need to let know everyone looking for a soldering station with a reasonable price (I paid mine about €110), excellent quality and a broad range of tips to choose from, that this can be a good choice.
Also, if you visit Hakko‘s site, you’ll find plenty of information on the station, tips and also a story (in the form of a personal diary) to learn soldering!
It seems like a good idea, since we have now access (again) to the router, try to do our best to lock out the provider, and avoid further remote configurations / upgrades.
This is what I did, feel free to find other methods and add a comment to this post :)
– Activate the firewall, and block – with a specific rule – port 4567 (is used for remote control)
– Edit the firewall rule that allows access – via telnet – from a specific list of networks, changing the operation to “Drop”, and write down those networks (these are the networks from which the provider connects to do remote maintenance)
– Create a static route for every network noted in the previous step, redirecting to a non-existing gateway (ie. 0.0.0.0)
A note on the last point: when you restart the router, it will fail to connect to the ACS (remote configuration) server. This is a nice thing, but because of this the ‘Fastweb’ led will remain red, and the ‘Ethernet’ and ‘WiFi’ leds will remain off. This is just aesthetic: wireless and wired network works perfectly.
Here are a couple of screenshots that shows what you should obtain thereafter:
Usual disclaimer: these are not general purpose instructions – I cannot guarantee it will work for you. Use them at your own risk.
Even if we learned some useful things about our router (and in the next posts, we will continue to explore it), we still need to find the credentials to access to the interface.
The interface is available via http or https and telnet, on the external interface – you can access it only from the local network, but you need to use the external ip address of the router.
But how can we find the username / password? Well, when Fastweb started delivering those boxes, they left the default values of admin / admin – guessing that was easy, and everyone was happy :) But the fun didn’t last long – they quickly remotely upgraded the firmware, changing the password and stopping the joy.
So, what can we do? Luckily I found a couple of those things:
They are media converters – the media converter it’s the link between optical fiber and twisted pair. A couple of those, an hub, Wireshark, and we have the perfect setup to do Man In The Middle!
The plan is simple: we start to sniff packets between the router and the Fastweb infrastructure, then we reset the router configuration (keeping pressed the reset pushbutton for about 15 sec), and… yes! We get the configuration file!
Luckily, in OpenRG the password is obfuscated (and not encrypted!), and we can deobfuscate it with Zibri’s OpenRG deobfiscator. Bingo!
Username: lanadmin / Password: lanpasswd
Username: UserName / Password: Password
Yes… they didn’t learn anything.