Firmware.center - will not be bored. Powered by h5ai.
![]()
This repository contains the results of my reverse engineering of the firmwareof the Swisscom Centro Grande ADSL box. I will probably do a blog post with allthose notes. But for that I need a blog.
Note: I am by no mean a Linux wizard, so I might miss interesting stuff, andsay wrong things. If you think something should be added / changed, feel free toopen an issue / make a pull request.
After a bit of googling, I found the download URL for a version of the firmware :
First of all, what's in the box ?
We can see in the output that there is a gzipped file which was called'vmlinux.bin'. Interesting. Let's extract this file :
ContributingThis project welcomes contributions and suggestions.
![]()
Once again, binwalk is our friend, let's run it against vmlinux.bin :
So in order we have :
Let's extract the file systems. For this we will need the size of the variousparts, which we can calculate by taking the diff between the start adress andthe end adress (the start of next element).
We can still run binwalk against cramfs1 and cramfs2 to check that weextracted exactly what we wanted.
For this part we will use some utilities from the firmware mod kit project :https://code.google.com/p/firmware-mod-kit/
First of all let's compile the tools we will need to extract it :uncramfs-lzma. I tried extracting the files using standard CramFS and it didnot work.
You will get some warnings, but you can safely ignore them. Now let's extractthe content of the two cramfs images.
Listing the content of cramfs1_content shows some directory structure familiarto the UNIX afficionado :
The first thing I noticed about /etc is it doesn't contain the usual
passwd and shadow files which would be very cool to have :(I think it is not possible for a box to boot without them and I just haven't found them yet.If anyone knows more on this topic, I would be really happy to hear from you.
sshd_config
This file is the configuration for the OpenSSH server, which is used for remoteadministration of the router. I have cut some parts of the file to focus on whatseemed important to me.
At the start of the file, we see some instructions to tell the server to listenon any IPv4 adress, on port 22:
Then we have some declarations about which method of authentification are allowed:
Let's hope it is used for production with those settings ! :) That's about itfor sshd config, now let's move to something else.
Also, You can notice that the ssh v1 protocol is enabled by default. This could lead to some funny exploit.
It seems that there is another more recent version of the firmware (if I can understand Swisscom's file naming convention)available at : http://rmsdl.bluewin.ch/pirelli/Vx226x1_60208.sig Let's see what it hides.
This time it contains more data directly, for example two SquashFS instances that we will try extracting immediately.
Running
tree against them reveals a directory structure that overlaps each other (we got /etc two times, etc.) but this times there is a lot more files, for example some init.d 60 seconds v1.0.42.
After checking /etc/version in both filesystems, it seems that there is a main version and a recovery one which is smaller than the main.
Sadly we don't land on a real shell but on their configuration system.Perhaps this can get changed ?
It seems that when we run the adslctl command, it really executes the binary in
/bin/adslctl .At least string matches.
show processes run ps and shows results.
Warning, this may be bricking your router!
To get back to normal mode, exit the shell and then run restore default-setting .The router will reboot into normal mode.
![]() Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |