Saturday 17 February 2018

Deep dive into an old router to extract its password

The objectives:
I had an old ISP-provided ADSL Wi-Fi router to spare. I was hoping to increase its value slightly by checking whether I could use one of the LAN ports as a WAN port and ignore the ADSL part, but we were never given the credentials for logging in to the web UI. Challenge accepted! :)

The router:
Provided by the Swedish ISP Boxer (which later sold its ADSL service to AllTele)
Branded name: Inteno X5669A

Original name: Xavi X5669A-WP2 (closely related to WP2U, same model with USB ports - they share firmware)

Specification: ADSL 2+, 4x10/100 Mbit LAN, 802.11b/g wifi, 2xVoIP ports
Internal hardware:
- ADSL/router SoC: Broadcom BCM6358VKFBG
- Ethernet switch: Broadcom BCM5325EKQMG
- Wifi: Broadcom BCM4318KFBG
- VoIP: Legerity LE88221DLC
- 32 MB RAM
- 8 MB flash
Router was running CFE version 1.0.37-12.5
Firmware version was X5669A-WP2U_3.12UVNT10.08

Looking for the obvious...
(The unsuccessful attempts are listed too, since they might work for other routers.)

- Lots of googling; tried every default credential I could find or think of (admin/admin, admin/serialnumber, etc.), and tried to find a firmware update for this or a similar router that might contain the default credentials. No luck.
- Tried Telnet, SSH, etc., but these also required credentials.
- Contacted Boxer and AllTele asking for the default credentials - no luck.
- Using Firefox dev tools I was able to see in the HTTP headers which HTTP server it used, trying to find exploits of it but no luck
- Resetting to factory settings by holding reset for 10+ seconds: no luck, but curiously it changed the Wi-Fi name from the previous Boxer_XX to Inteno_YYXX (XX and YYXX being the last digits of the MAC address). This might have affected the password as well!

No luck... Time to open it up
- Opened it up, looking for serial port and JTAGs - yes to both!
- Bought a CP210x (USB-to-serial adapter with 3.3 V and 5 V support) for about 15 SEK on eBay. Initially I didn't get it to work: first Windows 10 just spammed me with "the device has malfunctioned" until I tried a different USB port (maybe it had problems with USB 3). Then I needed drivers.
- Checked the settings of the device in Device Manager and found that the COM port was named "COM6".
- Used a multimeter to find the ground pin of the serial header (black probe on a grounded point on the PCB, red probe on each of the four pins): one pin reads 0 V while the others read 3.3 V, and that one is ground. Then I took a semi-wild guess and actually picked the right pinout on the first go: "GROUND - NC - VCC (3.3V) - RX - TX". The router's TX goes to the RX on the adapter and vice versa. Note: never connect the VCC pin.
- Tried to access the device with PuTTY. With the cables connected like that, I just got a lot of garble. Changed the bit rate from the default to 115200, both in the device settings in Windows and in PuTTY. Success: the CFE boot loader gave me a boot menu! :)

Using CFE
- Sadly, all of the obvious commands in CFE (such as "save") were not enabled in this version. There were plenty of commands to erase or write to flash, but that is not what I needed.
- However, CFE allowed downloading an image from TFTP into RAM and running it from there... but what image to use?

OpenWRT to the rescue!
- OpenWRT supports at least the BCM63xx, so I created an Ubuntu VM, downloaded and installed the prerequisites and the code repository, selected the proper hardware (generic BCM63xx), "ramdisk" as target, and compression disabled.
- I then used the free SolarWinds TFTP server on a Windows box to host the OpenWRT image I had built. I hooked the PC and the router together with Ethernet cables.
- I configured CFE ("c" command) to a manually selected IP address of the PC, specified that it should boot from host ("h") instead of flash ("f").
- Got error code "-18".  Solarwinds log was empty. Removed a switch that sat between the router and the PC, and disabled the Windows firewall.
- Success! OpenWRT was booting!

Getting the Flash content
- With OpenWRT running, I could use dd to copy the raw flash data from /dev/mtdX (X = 0 to 4) to files in the /tmp folder, e.g.:
dd if=/dev/mtd0 of=/tmp/mtd0backup
- I could then use WinSCP to transfer the content to my PC.
- I then used a hex editor (HxD) to simply search for "user" and "password" in the flash image files. In mtd1 I found quite a few interesting passwords, but the most interesting were <sysusername value="admin"> and <syspassword value="cGliNk9FWXZ5Qg==">.
- The "==" at the end of the password makes it look base64 encoded. Decoding it gave me the password "pib6OEYvyB".
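The two steps above (dumping the MTD partitions from the OpenWRT ramdisk, then searching the dump for the sysusername/syspassword attributes and base64-decoding the value) as a small shell script. This is an added example, not code from the original post: the function names, the dump loop over /dev/mtd*, the printable-ASCII check on the decoded value and the constructed sample image are my own; only the attribute names and the two values come from the post.

```shell
#!/bin/sh
# Added example (not the original post's code). dump_mtd is what you would run
# on the router once the OpenWRT ramdisk is up; extract_creds is run on the PC
# against the copied dump. Function names are assumptions for this example.

# On the router: copy every MTD partition to /tmp (same dd as in the post,
# looped over all partitions). Needs /dev/mtd* and is not run by the test.
dump_mtd() {
    for dev in /dev/mtd[0-9]*; do
        [ -e "$dev" ] || continue
        dd if="$dev" of="/tmp/$(basename "$dev")backup" bs=64k 2>/dev/null || return 1
    done
}

# On the PC: pull the XML attributes the post found in mtd1 out of a dump.
# grep -a treats the binary image as text, -o prints only the matching
# attribute. Prints "user:password" with the base64 password decoded,
# returns non-zero if the attributes are missing or do not decode cleanly.
extract_creds() {
    img=$1
    user=$(grep -a -o 'sysusername value="[^"]*"' "$img" | head -n 1 \
           | sed 's/.*value="\([^"]*\)"/\1/')
    b64=$(grep -a -o 'syspassword value="[^"]*"' "$img" | head -n 1 \
          | sed 's/.*value="\([^"]*\)"/\1/')
    [ -n "$user" ] && [ -n "$b64" ] || return 1
    # A trailing "==" only hints at base64; confirm by decoding and insisting
    # the result is printable ASCII, since a web-UI password cannot be anything
    # else. This also rejects values that merely look base64-ish.
    pw=$(printf '%s' "$b64" | base64 -d 2>/dev/null) || return 1
    case $pw in
        ''|*[![:print:]]*) return 1 ;;
    esac
    printf '%s:%s\n' "$user" "$pw"
}

# Constructed stand-in for a flash dump: zero padding and a few stray bytes
# around the two XML elements, with the values quoted in the post.
make_sample_image() {
    out=$1
    {
        head -c 64 /dev/zero
        printf '\377\376<sysusername value="admin"/>\0\0<syspassword value="cGliNk9FWXZ5Qg=="/>\0'
        head -c 64 /dev/zero
    } > "$out"
}

# Stand-alone demo: ./extract.sh --demo
if [ "${1-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_image "$tmp"
    extract_creds "$tmp"      # admin:pib6OEYvyB
    rm -f "$tmp"
fi
```

On the real dump you would call extract_creds on /tmp/mtd1backup after copying it over with WinSCP; the grep patterns are deliberately narrow so that the many other "password" strings in the image do not get picked up.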

And indeed, admin and pib6OEYvyB were the correct credentials for this device. Victory! :)

Further work...

And no... the current web UI doesn't allow using a LAN port as a WAN port... :( Perhaps some configuration changes could make it happen...
It would be nice to get OpenWRT running on this permanently, though from the wiki it seems unlikely that there are Wi-Fi drivers for this device (and ADSL and VoIP certainly won't work). I'll look closer into this another day...


Very thankful for OpenWRT, enabling stuff like this!