Very basic stuff, just playing with hardware/firmware; don't expect to be inspired.
This is just a small site I put together after taking apart my [worthless] DI-614+ (now discontinued). This router is a piece of junk. It still works, but it has to be reset almost everyday and it's wireless signal strength is SUPER BAD. So one day I decided to take it apart to see what I can do with it and how it looks inside and here it is. This site is by no means the definitive location to get info on the 614+, there are other (probably better sites). But this is just my own little project.
The main goal of this is to get shell access (from the current firmware release) or even run Linux on the 614+ if at all possible. This page was started by me, for me, and with little to no research on the subject of 614+ hacking (which later turned out to be a pretty extensive topic, mostly regurgitated info and no real-deal linux on 614+ info). If this is new to you, enjoy, if you've seen this before, please feel free to move on.
Note: This is Revision B. So what you see here is for the LAST DI-614+ (discontinued).
CPU Info:
Conexant
Network Processor
CX82100-41
E363335.1
0318 PHILIPPINES
ARM
Other Info:
OEM ID: GL2422RT-1T7
ARM9 Conexant CX82100-41 168Mhz
Global Sun Tech GL2422RT-1T8 v1.1
1MB FLASH (29LV800BTC-90)
8MB RAM (ICSI IC42S16400-7T)
Ethernet (Marvell 88E6060)
Wireless TI ACX100 mini-pci
There is a document online (here) that says that Revision A of the 614+ can be flashed with Firmwares from TrendWare (TEW-311BRP), Eusso (GL2422-RT) and PheeNet (WBIG-104b+) routers which all originate from Global SunTechnologies in Taiwan. It also says there is currently no firmware for Revision B that can be substituted into the 614+. The main point I was looking was for confirmation that there is a telnet config mode, and there is. Now I guess it's my job to keep researching telnet config mode for RevB of the 614+. There has to be a way to enable this mode. If not, I'm going to CONSIDER flashing my 614+ with a firmware from one of those routers but with updated ARM9 processors (if those even exist.)
Playing with the Firmware:
The firmware can be opened with WinRAR to extract "Nml.mem" which seems to be the main FlashROM data for the Connexant chip?? I'm still new at embedded stuff hacking. But looking around inside the image file, there seems to be alot of cool stuff that can be done with a little hex-editing! I'm so excited.
Now to figure out the file format of Nml.mem....extracting .GIF files is pretty easy though, finding the start and end of the files is pretty damn easy as they are stored one after the other (GIF89a - 0x47 0x49 0x46 0x38 0x39 0x61 signals the start of a GIF file and 0x00 0x3B seems to signal the end if I recall). If you want to extract the files to modify them just use a program that extracts file formats out of files (I forgot the name of an old DOS program I had that did this..) Anyway here is an example of a GIF file extracted straight from Nlm.mem (which is inside the .bin):
Editing this while leaving the colors/size the same is very easy. Stuffing it back into Nlm.mem is yet untested......TO DO.
UPDATE:
I managed to extract all the GIF's and JPEG's stored in the firmware image (22 GIFS, 100 JPEGS). Now to extract the HTML and Executables stored in Nlm.mem.
Interesting strings inside the Firmware:
1) Looking for all the text-strings in "Nlm.mem" we find this:
WDB8WvbXdHtZyM8Ms2RENgHlacJghQyG
Previous experience with software protections and just lots of reading tells me that this looks like a hash. Could the password for the router be computed against this hash? I dunno. I would like to know though...Then to find a way to extract the encrypted hash out of the router memory...ugh..never mind, whats the point?
Also inside that same file is this string: "dbgout.txt" I'd like to be able to access this and see what it has.
2) And now for the most useless stuff inside the Nlm.mem file:
Hey Moe, it dont woik. NYUK NYUK NYUK NYUK *bop* Owww!
YES, this was taken out of Nlm.mem! I have NO IDEA why it's there (crazy programmers). Or when it shows (possibly through a console error message).
3) Here is another interesting string:
This is a strange problem.YES, this was taken straight out of Nlm.mem. Heh, just had to put it up here.
4) HELLO!!!%#@ Look what we have here:
GST Telnet server v1.0A little further own down the file we see this:
!!! idle timeout (5 minutes) !!!
TELNET: bind error
TELNET: open socket fail
TELNET: setsockopt SO_REUSEADDR error
Remote Managment Telnet ServerLooks like there IS a telnet server on this little sucker!!! I HAVE TO FIGURE THIS OUT!!
5) Here is some more interesting stuff, looks like the MiniPCI card has a PRISM2 chipset (or not?) and ACX100TSK (on the chip it says AGX100AGHK) is the Texas Instruments wireless network chip (there's a project to write Linux drivers for the ACX100 chipset at http://acx100.sourceforge.net/ but I won't bother taking out the miniPCI card at this moment) Here is the FCC-ID page that has a ton of info on the ACX100 card including pictures HERE (PDF file) and manual here:
nInitializing Wireless Interface...OK !Here is some info gathered from the FCC website about the miPCI card in MY DI-614+:
Send WIRELESS_INIT_FAIL_TRAP
Initializing Wireless Interface...Failure !
Reinit WLAN driver (2) !
PRISM2_AP
Repeater disconnects with AP...
Start Easy backup mode.
802.11 Ad Hoc starts. BSSID = %02x:%02x:%02x:%02x:%02x:%02x
AP Client disconnects with AP.
Start Complex backup mode.
restore apclient timer
ACX100TSK
Michael error : Stop.
Check 22m rates
Repeater connects with AP. BSSID = %02x:%02x:%02x:%02x:%02x:%02x
AP Client connects with AP. BSSID = %02x:%02x:%02x:%02x:%02x:%02x
802.11 Ad Hoc connects with other. BSSID = %02x:%02x:%02x:%02x:%02x:%02x Channel:%d
AP is swapped by backup AP
Repeater disconnects with AP.
AP Client disconnects with AP.
Repeater disconnects with AP.
AP Client disconnects with AP.
ping complete
Memory Block Free Error!
Reinit WLAN driver (4) !
Reinit WLAN driver (5) !
Reinit WLAN driver (1) !
Reinit WLAN driver (3) !
.hteCPU did not start after boot from flash
Failed to download firmware to the ACX100
Timeout waiting for the ACX100 to complete Initialization
- Prodect Name: Wireless 22Mbps Mini PCI Card
- Model Name: GL2422MP-MT FCC ID: KA2ACX100
Copyright (c) 1996-2000 Express Logic Inc. * ThreadX ARM7/Green Hills Version G3.0f.3.0c
Ok the 614+ seems to run Express Logic's ThreadX Real-Time Operating System (www.expresslogic.com) on ARM's (www.arm.com) ARM9 (the RevB has an ARM9, but this looks like it is backwards compatible with the ARM7 specs??) processor from a little research it looks like Green Hills Software Inc (www.ghs.com) licensed ThreadX from Express Logic, or I could be wrong..
Final outlook: After looking through Nlm.mem I am 100% sure there HAS to be a way to enable DEBUG MODE/REMOTE TELNET SERVER. Whether it's possible by some debugging/hex editing or something, I don't know. But there are just too many clues to have it any other way. I wish I had an ARM debugger....
This page (http://www.dlink.pl/presse/artikel_detail.asp?docid=DLPI020902) has a mention of "Web-based and Telnet configuration" on the 614+ I'd like to know how to enable telnet configuration...
1 comments:
Looking for D-link Support call on 1800987893 , visit on:
Reset dlink password
dlink router firmware
Post a Comment