Mar 10, 2014

SmartBro Motorola Canopy SM 12.1 update

The SmartBro Canopy SM (subscriber module) was owned by Motorola until it was acquired by Cambium Networks in recent years. The Motorola Canopy fixed wireless broadband antenna, which operates at 5.7 GHz, was the first and is among the oldest wireless products of Smart/PLDT in the Philippines.

My Canopy antenna has been on top of my Mom's roof for years, serving as my backup internet connection and giving me a link even though I am at the last mile in the southernmost part of the country. It is only an aggregate of 2 Mbps, but it gives me a reliable link even as far as two (2) miles from the base station.


I have just updated it to the new Canopy 12.1 SM DES Official Build package, and the screenshot above is shared for you, my guest blog readers. It has some features that the old version doesn't have. The logo has also changed to Cambium Networks instead of Motorola Canopy. More updates on the web interface will be uploaded soon.

Mar 9, 2014

How-To TP-Link TL-WR941ND Revert From DD-WRT firmware

DD-WRT is probably familiar to many: this ingenious router operating system provides endless configuration options for wireless routers. I have a Linksys WAP54G and a TP-Link TL-WR1043ND flashed with DD-WRT, which are currently in operation and diligently perform their duties.

Only good, then bad

Especially after flashing the TL-WR1043ND I was very impressed by the performance the router unfolds. So I also flashed my TL-WR941ND 3.0 with DD-WRT. As you can see in the screenshot below, only the preSP2 v24 [Beta] build 15778 was available, and it was not stable.


After DD-WRT was configured, the router ran for about 1.5 weeks until the WLAN failed. The WLAN LED was lit, but no Wi-Fi network was available. I thought nothing of it and simply restarted the router, and it ran again. A week later the incident repeated and I became skeptical. At first I thought it was the channel, and changed it from 3 to 11. At first it went well, but then came the third wireless crash. This story repeated itself again and again, almost regularly, until I came up with the idea that it could be due to DD-WRT. After a Google session it was clear that the TL-WR941ND has problems with the WLAN when DD-WRT is installed. I think the beta is responsible. I have also flashed the TL-WR1043ND with a beta, but that was build 14896.

Back to Stock Firmware

Now a flash back to TP-Link's stock firmware was due. Unfortunately you cannot simply upload the BIN file through the DD-WRT web interface; you get an error. After much searching, I found several methods that should enable the revert, such as telnet or tftp in conjunction with ping, etc. But none of this helped me further, or it was so complicated that I would have needed a lot of time.

Suddenly I came across a thread in the DD-WRT forum in which special firmware files are available for download that can be loaded directly through the DD-WRT web interface ("Webrevert"). The file offered for the TL-WR941ND was spot on and brought my router back to its original state in 5 minutes, without further ado with Telnet, SSH, or TFTP.

Downloads

For those who are not registered on the forum, it is possible to download the files directly.

TP-Link TL-WA801N/ND v1 Webrevert download here

TP-Link TL-WA901N/ND v1 Webrevert download here

TP-Link TL-WA901N/ND v2 Webrevert download here

TP-Link TL-WR740N v1/v2 Webrevert download here

TP-Link TL-WR740N v3 Webrevert (world wide version only) download here

TP-Link TL-WR741N/ND v1/v2 Webrevert download here

TP-Link TL-WR743N/ND v1 Webrevert download here

TP-Link TL-WR841N/ND v3 Webrevert download here

TP-Link TL-WR841N/ND v5 Webrevert download here

TP-Link TL-WR841N/ND v7 Webrevert download here

TP-Link TL-WR941N/ND v2/v3 Webrevert download here

TP-Link TL-WR941N/ND v4 Webrevert download here

TP-Link TL-WR1043ND v1 Webrevert download here

Fatal: Received unexpected end-of-file from server

Got this error today while using PSCP. I was attempting to move a file from my local computer to a remote server that allows only the SCP transfer protocol. This was the command I was using:

pscp.exe -p wr740nv1_en_3_12_4_up(100910).bin root@192.168.1.1:/tmp

Digging a little into the issue, I found that since I intend to use the SCP protocol to transfer the file to the remote server, I need to specify the SCP protocol explicitly. I changed my command to the one below, and it worked like a charm.

pscp.exe -scp wr740nv1_en_3_12_4_up(100910).bin root@192.168.1.1:/tmp

Please note the ‘-scp’ in the command. This ‘-scp’ forces PSCP to use the SCP transfer protocol. If not specified explicitly, PSCP will attempt to use the SFTP protocol by default.

SIMET Box Firmware Analysis: Embedded Device Hacking & Forensics

SIMET is organized by the Brazilian NIC.br in order to test and monitor Internet speed across the country. For more info (in Portuguese) visit their site here. All the data collected is available to the community in reports and heat maps like this.


The organization is now handing out free Wi-Fi routers to Brazilians in order to measure Internet quality in different regions. The SIMET Box equipment is a custom TL-WR740N with OpenWRT pre-installed. You can also download and install the standalone firmware on other TP-Link SOHO routers.

The project is quite interesting but in times of PRISM and NSA I don't like the idea of using a "black box" at home, so I decided to check its design.

Firmware

As I don't have the actual box, I'll analyze SIMET Box's firmware image. The firmware can be downloaded from http://simet.nic.br/firmware. For this initial analysis I'll be using simetbox-tl-wr740n-v4.bin (MD5 d08798093e1591bece897671e96b5983).

Let's start by using Craig Heffner's binwalk and firmware-mod-kit to unsquash the filesystem:

binwalk -Me simetbox-tl-wr740n-v4.bin


After extracting the files we can browse through the squashfs-root dir and grep files to identify the OpenWrt version it is based on:


We now know that SIMET Box is based on the Attitude Adjustment branch (v12.09) for Atheros AR71xx, downloadable from OpenWRT's official site: openwrt-ar71xx-generic-tl-wr740n-v4-squashfs-factory.bin.

After extracting the base firmware (using binwalk) we now have two directory trees to diff. We can use WinMerge or Kdiff3 to compare files.





There are some new init.d scripts like atualiza_arqs, autossh, miniupnpd and zabbix_agentd:


Lots of binaries (/bin/busybox for example) are quite similar: they may have a small version difference or were compiled using particular command line arguments:


List of files created by SIMET Box (not present on the OpenWrt's base firmware):

while read -r i ; do file "$i" ; done < list.txt


/etc/config/autossh: ASCII text

/etc/config/upnpd: ASCII text

/etc/dropbear/authorized_keys: OpenSSH DSA public key

/etc/dropbear/id_rsa: data

/etc/hotplug.d/button/00-button: ASCII text

/etc/hotplug.d/iface/20-autossh: POSIX shell script, ASCII text executable

/etc/hotplug.d/iface/50-miniupnpd: POSIX shell script, ASCII text executable

/etc/init.d/atualiza_arqs_simet: POSIX shell script, ASCII text executable

/etc/init.d/autossh: POSIX shell script, ASCII text executable

/etc/init.d/miniupnpd: POSIX shell script, ASCII text executable

/etc/init.d/zabbix_agentd: POSIX shell script, ASCII text executable

/etc/rc.d/S11sysctl: symbolic link to `../init.d/sysctl'

/etc/rc.d/S19firewall: symbolic link to `../init.d/firewall'

/etc/rc.d/S45atualiza_arqs_simet: symbolic link to `../init.d/atualiza_arqs_simet'

/etc/rc.d/S60zabbix_agentd: symbolic link to `../init.d/zabbix_agentd'

/etc/rc.d/S80autossh: symbolic link to `../init.d/autossh'

/etc/rc.d/S95miniupnpd: symbolic link to `../init.d/miniupnpd'

/etc/uci-defaults/50-reset: POSIX shell script, ASCII text executable

/etc/uci-defaults/50-reset-wps: POSIX shell script, ASCII text executable

/etc/uci-defaults/50-wifi: POSIX shell script, ASCII text executable

/etc/uci-defaults/99-miniupnpd: POSIX shell script, ASCII text executable

/etc/uci-defaults/luci-i18n-portuguese_brazilian: POSIX shell script, UTF-8 Unicode text executable

/etc/uci-defaults/luci-theme-bootstrap: POSIX shell script, ASCII text executable

/etc/uci-defaults/luci-upnp: POSIX shell script, ASCII text executable

/etc/zabbix_agentd.conf: ASCII text

/lib/libpthread-0.9.33.2.so: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked (uses shared libs), corrupted section header size

/lib/libpthread.so.0: symbolic link to `libpthread-0.9.33.2.so'

/root/.ssh/known_hosts: ASCII text, with very long lines

/sbin/fw3: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size

/usr/bin/auto_upgrade: symbolic link to `simet_tools'

/usr/bin/checa_udhcpc.sh: POSIX shell script, ASCII text executable

/usr/bin/get_mac_address.sh: POSIX shell script, ASCII text executable

/usr/bin/simet_client: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size

/usr/bin/simet_dns: symbolic link to `simet_tools'

/usr/bin/simet_porta25: symbolic link to `simet_tools'

/usr/bin/simet_tools: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size

/usr/bin/sshreversetunnel: POSIX shell script, ASCII text executable

/usr/bin/teste_spoofing.sh: POSIX shell script, ASCII text executable

/usr/bin/wifionoff: POSIX shell script, ASCII text executable

/usr/lib/lua/luci/controller/simet.lua: ASCII text

/usr/lib/lua/luci/controller/upnp.lua: ASCII text

/usr/lib/lua/luci/i18n/base.pt-br.lmo: data

/usr/lib/lua/luci/i18n/upnp.ca.lmo: data

/usr/lib/lua/luci/i18n/upnp.cs.lmo: data

/usr/lib/lua/luci/i18n/upnp.de.lmo: data

/usr/lib/lua/luci/i18n/upnp.es.lmo: data

/usr/lib/lua/luci/i18n/upnp.fr.lmo: data

/usr/lib/lua/luci/i18n/upnp.hu.lmo: data

/usr/lib/lua/luci/i18n/upnp.it.lmo: data

/usr/lib/lua/luci/i18n/upnp.ja.lmo: data

/usr/lib/lua/luci/i18n/upnp.no.lmo: data

/usr/lib/lua/luci/i18n/upnp.pl.lmo: data

/usr/lib/lua/luci/i18n/upnp.pt-br.lmo: data

/usr/lib/lua/luci/i18n/upnp.pt.lmo: data

/usr/lib/lua/luci/i18n/upnp.ro.lmo: data

/usr/lib/lua/luci/i18n/upnp.ru.lmo: data

/usr/lib/lua/luci/i18n/upnp.vi.lmo: data

/usr/lib/lua/luci/i18n/upnp.zh-cn.lmo: data

/usr/lib/lua/luci/model/cbi/upnp/upnp.lua: ASCII text

/usr/lib/lua/luci/sgi/uhttpd.lua: ASCII text

/usr/lib/lua/luci/view/admin_status/index/upnp.htm: ASCII text

/usr/lib/lua/luci/view/simet/simet.htm: HTML document, UTF-8 Unicode text

/usr/lib/lua/luci/view/themes/bootstrap/footer.htm: HTML document, ASCII text

/usr/lib/lua/luci/view/themes/bootstrap/header.htm: HTML document, ASCII text

/usr/lib/lua/luci/view/upnp_status.htm: HTML document, ASCII text

/usr/lib/opkg/info/autossh.conffiles: ASCII text

/usr/lib/opkg/info/autossh.control: ASCII text

/usr/lib/opkg/info/autossh.list: ASCII text

/usr/lib/opkg/info/hping3.control: ASCII text

/usr/lib/opkg/info/hping3.list: ASCII text

/usr/lib/opkg/info/libip6tc.control: ASCII text

/usr/lib/opkg/info/libip6tc.list: ASCII text

/usr/lib/opkg/info/libnfnetlink.control: ASCII text

/usr/lib/opkg/info/libnfnetlink.list: ASCII text

/usr/lib/opkg/info/libopenssl.control: ASCII text

/usr/lib/opkg/info/libopenssl.list: ASCII text

/usr/lib/opkg/info/libpcap.control: ASCII text

/usr/lib/opkg/info/libpcap.list: ASCII text

/usr/lib/opkg/info/libpthread.control: ASCII text

/usr/lib/opkg/info/libpthread.list: ASCII text

/usr/lib/opkg/info/luci-app-simet.control: ASCII text

/usr/lib/opkg/info/luci-app-simet.list: ASCII text

/usr/lib/opkg/info/luci-app-upnp.control: ASCII text

/usr/lib/opkg/info/luci-app-upnp.list: ASCII text

/usr/lib/opkg/info/luci-i18n-portuguese-brazilian.control: ASCII text

/usr/lib/opkg/info/luci-i18n-portuguese-brazilian.list: ASCII text

/usr/lib/opkg/info/luci-sgi-uhttpd.control: ASCII text

/usr/lib/opkg/info/luci-sgi-uhttpd.list: ASCII text

/usr/lib/opkg/info/luci-theme-bootstrap.control: ASCII text

/usr/lib/opkg/info/luci-theme-bootstrap.list: ASCII text

/usr/lib/opkg/info/miniupnpd.conffiles: ASCII text

/usr/lib/opkg/info/miniupnpd.control: ASCII text

/usr/lib/opkg/info/miniupnpd.list: ASCII text

/usr/lib/opkg/info/simet-base-files.control: ASCII text

/usr/lib/opkg/info/simet-base-files.list: ASCII text

/usr/lib/opkg/info/simet-client.control: ASCII text

/usr/lib/opkg/info/simet-client.list: ASCII text

/usr/lib/opkg/info/simet-tools.control: ASCII text

/usr/lib/opkg/info/simet-tools.list: ASCII text

/usr/lib/opkg/info/uhttpd-mod-lua.control: ASCII text

/usr/lib/opkg/info/uhttpd-mod-lua.list: ASCII text

/usr/lib/opkg/info/zabbix-agentd.control: ASCII text

/usr/lib/opkg/info/zabbix-agentd.list: ASCII text

/usr/lib/opkg/info/zlib.control: ASCII text

/usr/lib/opkg/info/zlib.list: ASCII text

/usr/lib/libcrypto.so.1.0.0: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size

/usr/lib/libip6tc.so: symbolic link to `libip6tc.so.0.0.0'

/usr/lib/libip6tc.so.0: symbolic link to `libip6tc.so.0.0.0'

/usr/lib/libip6tc.so.0.0.0: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size

/usr/lib/libjson-c.so.2: symbolic link to `libjson-c.so.2.0.1'

/usr/lib/libjson-c.so.2.0.1: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size

/usr/lib/libnfnetlink.so.0: symbolic link to `libnfnetlink.so.0.2.0'

/usr/lib/libnfnetlink.so.0.2.0: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size

/usr/lib/libpcap.so: symbolic link to `libpcap.so.1.1'

/usr/lib/libpcap.so.1.1: symbolic link to `libpcap.so.1.1.1'

/usr/lib/libpcap.so.1.1.1: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size

/usr/lib/libssl.so.1.0.0: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size

/usr/lib/libz.so: symbolic link to `libz.so.1.2.7'

/usr/lib/libz.so.1: symbolic link to `libz.so.1.2.7'

/usr/lib/libz.so.1.2.7: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size

/usr/lib/uhttpd_lua.so: ELF 32-bit MSB shared object, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, corrupted section header size

/usr/sbin/autossh: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size

/usr/sbin/hping3: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size

/usr/sbin/miniupnpd: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size

/usr/sbin/zabbix_agentd: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1, dynamically linked (uses shared libs), corrupted section header size

/usr/share/libiwinfo/hardware.txt: ASCII text

/usr/share/miniupnpd/firewall.include: POSIX shell script, ASCII text executable

/www/luci-static/bootstrap/cascade.css: assembler source, ASCII text

/www/luci-static/bootstrap/favicon.ico: MS Windows icon resource - 1 icon

/www/luci-static/bootstrap/html5.js: HTML document, ASCII text, with very long lines

/www/simet/ceptro.png: PNG image data, 78 x 30, 8-bit colormap, non-interlaced

/www/simet/cgi.png: PNG image data, 46 x 30, 8-bit colormap, non-interlaced

/www/simet/nic.png: PNG image data, 47 x 25, 8-bit colormap, non-interlaced

/www/simet/nonet.htm: UTF-8 Unicode text

/www/simet/offline.jpg: JPEG image data, EXIF standard

/www/simet/simetbox_minilogo.png: PNG image data, 111 x 23, 8-bit colormap, non-interlaced

/www/simet/view_tab.css: assembler source, ASCII text

/www/simet/view_tab.js: UTF-8 Unicode text, with very long lines

This simple technique is quite useful for forensic analysis of embedded devices, as you have a white-list of known binaries and config files. It's important to review both created and modified files, but I'll focus on the ones listed above. Each binary and config file can be reviewed separately so we can find interesting entries like:
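The comparison described above (the stock OpenWrt tree against the SIMET Box tree, both extracted with binwalk -Me), as an added shell example that is not part of the original post: it hashes every regular file in both trees and reports created, modified and removed paths, which is the white-list check the paragraph describes. It assumes GNU find, sha256sum, sort and join are available; directory names and sample files are constructed, and paths must not contain whitespace.

```shell
#!/bin/sh
# Added example (not from the post): report what a vendor firmware tree
# adds to, changes in or drops from the stock OpenWrt tree it was built
# on. Regular files only (symlinks are not hashed); paths must not
# contain whitespace. Needs find, sha256sum, sort and join (GNU coreutils).

# manifest DIR: one "relative/path sha256" line per regular file, sorted
# in the C locale so that join sees the order it expects
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) |
        awk '{ print $2, $1 }' | LC_ALL=C sort
}

# tree_diff BASE NEW: print "created PATH", "modified PATH" or
# "removed PATH" for every path whose content differs between the trees
tree_diff() {
    base_m=$(mktemp) && new_m=$(mktemp) || return 1
    manifest "$1" > "$base_m"
    manifest "$2" > "$new_m"
    # full outer join on the path; MISSING marks a path absent on one side
    LC_ALL=C join -a 1 -a 2 -e MISSING -o '0,1.2,2.2' "$base_m" "$new_m" |
    while read -r path base_hash new_hash; do
        if [ "$base_hash" = MISSING ]; then
            echo "created $path"
        elif [ "$new_hash" = MISSING ]; then
            echo "removed $path"
        elif [ "$base_hash" != "$new_hash" ]; then
            echo "modified $path"
        fi
    done
    rm -f "$base_m" "$new_m"
}

# usage: tree_diff squashfs-root-openwrt squashfs-root-simet
```

Files present in both trees with identical hashes are not printed, so the output is exactly the review list (created and modified) plus anything the vendor removed.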

SSH reverse tunnel settings and authorized_keys:


Password changing scripts and Iptables rules:


The device management start page has an external iframe, and users are identified by their MAC address via HTTP GET requests:


Cronjobs to test external access to port 25 and if the ISP allows IP spoofing:


Zabbix agent settings:


As quick advice to SIMET engineers, it would be nice to have HTTPS for those external queries, a bit more transparency on what the equipment does internally, who is able to access it (whose authorized_keys are those?), what external IP addresses it communicates with and what information is being collected. Securing SOHO modems is very important, especially here in Brazil, where lots of recent attacks were targeting these devices (Fabio Assolini's talk "The tale of one thousand and one DSL modems" detailed this a year ago).

In the next post I'll detail how to run those MIPS32 binaries in a virtual environment using QEMU and analyze some of the files with IDA Pro.

Written by Bernardo Rodrigues posted by guest blogger.

TP-LINK WR740N Ver2.1 OpenWrt Revert To Original Firmware

I have been using my TP-LINK WR740N version 2.1 since 2010 for my mini lab at home with the third-party firmware OpenWrt Backfire trunk. Just recently I wanted to set up a simulation of WDS for TP-Link products, their unique non-standard bridging protocol that is capable of doing two jobs, i.e. acting as a bridge and at the same time as a wireless access point (WAP). It took me an hour of Googling to find out how to revert the device to its original TP-Link stock firmware.


First I stumbled upon the DD-WRT forum, looking for the simplest way to revert the TL-WR740N version 2.1 to its original factory stock firmware, and I found this:
I bought two TL-WR740N (Hardware v2.1), then I did the firmware update with the following dd-wrt images in this order:

1)http://www.dd-wrt.com/routerdb/de/download/TP-Link/WR740N/2.0/factory-to-ddwrt.bin/3841

2)http://www.dd-wrt.com/routerdb/de/download/TP-Link/WR740N/2.0/tl-wr740n-webflash.bin/3842
I was not lucky enough to get my device to work with the above, because my firmware was OpenWrt.

Another nice article I visited was written by goughlui, who did the same experiment with the TP-LINK TL-WR740N on both DD-Wrt and OpenWrt firmware and managed to revert it to the original TP-Link stock firmware; unfortunately his procedure failed and didn't work for my device.

I headed back to the OpenWrt forum and read the TP-Link WR741N/ND page, since it is identical to the WR740N; when I followed the how-to, I managed to bring the device back to its original stock firmware. Here's how I did it.

I assume your TP-LINK WR740N version 2.1 is running the third-party OpenWrt firmware.

I used PuTTY to log in to the device via SSH; just follow the commands.

cd /tmp

wget 'http://everbest.ftpserver.biz/TP-Link/Firmware/WR740N/wr740nv1_en_3_12_4_up(100910).bin'

Alternatively, if you cannot download the stock firmware (wr740nv1_en_3_12_4_up(100910).bin) via wget, you can download it to your local drive from the official TP-Link website.

Then use the PSCP.EXE utility from your M$ Windows box; you can download it from here.

PSCP.EXE -scp wr740nv1_en_3_12_4_up(100910).bin root@192.168.1.1:/tmp

The command above sends the stock firmware you downloaded to your local drive to the TP-Link WR740N running the OpenWrt third-party firmware. Once the file is completely uploaded, follow the next commands below.

cd /tmp

mv 'wr740nv1_en_3_12_4_up(100910).bin' tplink.bin

mtd -r write /tmp/tplink.bin firmware

This is the actual process on the TP-Link WR740N version 2.1:

root@OpenWrt:/tmp# mv wr740nv1_en_3_12_4_up(100910).bin tplink.bin
root@OpenWrt:/tmp# mtd -r write /tmp/tplink.bin firmware
Unlocking firmware ...

Writing from /tmp/tplink.bin to firmware ...
Rebooting ...
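The final mtd step of the procedure above, wrapped in checks that are not part of the original post: an added shell example for the OpenWrt side that reads the size of the firmware partition from /proc/mtd and refuses to flash an image that is missing, empty or larger than that partition. Only the image name tplink.bin and the partition name firmware come from the post; the helper names are assumptions, and the /proc/mtd line format (device, size and erase size in hex, quoted name) is the kernel's.

```shell
#!/bin/sh
# Added example (not from the post): guard "mtd -r write IMAGE firmware"
# with a size check. /proc/mtd lines look like
#   mtd3: 003c0000 00010000 "firmware"
# where the second field is the partition size in hex bytes.

# partition_size PROC_MTD NAME: print the size in bytes of partition NAME,
# fail if no such partition is listed
partition_size() {
    size_hex=$(awk -v name="\"$2\"" '$4 == name { print $2; exit }' "$1")
    [ -n "$size_hex" ] || return 1
    printf '%d\n' "0x$size_hex"
}

# image_fits IMAGE PROC_MTD NAME: succeed only if IMAGE exists, is not
# empty and is no larger than the partition it is about to overwrite
image_fits() {
    [ -f "$1" ] || return 1
    img_size=$(wc -c < "$1" | tr -d ' ')
    part_size=$(partition_size "$2" "$3") || return 1
    [ "$img_size" -gt 0 ] && [ "$img_size" -le "$part_size" ]
}

# flash_stock IMAGE: the post's final step, run only after the checks pass;
# the md5 is printed so it can be compared with the vendor's published sum
flash_stock() {
    if ! image_fits "$1" /proc/mtd firmware; then
        echo "refusing to flash: $1 is missing, empty or too large" >&2
        return 1
    fi
    md5sum "$1"
    mtd -r write "$1" firmware
}

# usage on the router: flash_stock /tmp/tplink.bin
```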

After the WR740N reboots, point your web browser to its default address http://192.168.1.1 and you will see the login page.


Congratulations! You have just reverted your TP-LINK WR740N version 2.1 from OpenWrt to its original stock firmware without using a serial debricking kit.