
Something different part 3, or not quite different


OpenRCE_Saphex
July 30th, 2008, 14:33
Hi,

This is just a small update. After figuring out how to interrupt the booting sequence on the router, I got this nifty prompt:

Code:
NBcf1edfs1Z
PP Boot 9.0.8.7.ALL (6th June 2005)
Copyright (c) 2003 Huawei-3Com, Inc.
SDRAM size = 0x1000000
PLL indicates clock speed set to maximum value of 96MHz
Key pressed, stopping boot.

Entered console ... User request.
]


When the router was about to boot I pressed space. Who would have guessed that the interrupt character was "Space" instead of "Ctrl + C"? Then, the help command revealed all the commands available.

Code:
]help
Commands to the console are:
configeeprom display EEPROM configuration information
configflash display FLASH configuration information
copyimages {yes | no} copy network booted image files
initialise initialise configuration information
listenv list environment variables
mac <address> set MAC address
serialboot yes boot from EEPROM
serialboot no boot from FLASH
flashnetboot {yes | no} always network boot from FLASH
autolanrecover {yes | no} attempt LAN recovery if FLASH not bootable
setenv <key> <value> set environment variable
unsetenv <key> unset environment variable
The following boot modes are supported by serial EEPROM v3.0+ only:
serialboot {yes | auto} boot via EEPROM, auto-select Ethernet or USB
serialboot ethernet boot via EEPROM from Ethernet only
serialboot usb boot via EEPROM from USB only
serialboot no boot from FLASH
dw <address> [<length>] dump words (hex/ascii)
enter <address> enter an image
erw <wrdaddress> read a single word from EEPROM
eww <wrdaddress> <value> write a single word to EEPROM
fdw <address> [<length>] dump flash words (hex/ascii)
flash config print flash configuration
help print this text
quit leave the console
reset reset system
rw <address> read a single word
netboot [recover] download image using netboot [in recovery mode]
why reason for console entry
ww <address> <value> write a single word
]


Some of these commands provide nice information about the router.

Code:
]configflash
Valid configuration information found
MAC: 00:0f:e2:16:12:29
serialboot: yes / auto
copyimages: yes
flashfs: auto
flashnetboot: no
autolanrecover: yes
]


Code:
]flash config
Flash configuration: 1 chips
Chip 0 compiled size 2048k actual size 2048k on EPB @ 0xcf000000
Chip 0 ID is c249: (MXIC 29LV160ABTC 2048k bytes), unlocked (0)
Flash start offset: 0x00010000
Space for all FLASHFS partitions: 0x001f0000
found partition at 0x001e0000 ... 0x00200000, size 128kbytes
found partition at 0x00010000 ... 0x001e0000, size 1856kbytes
Found 2 valid flashfs partitions
]


To my disappointment there wasn't an xmodem command to send the firmware. It would be nice if I could send it through the serial interface. But then again, there is the netboot command. This command allows the router to boot from Ethernet or USB. Pretty cool. Then, I downloaded Tftpd32 and the original firmware. The following is the DHCP server configuration on Tftpd32.

Code:
IP pool starting address: 192.168.7.1
Size of pool: 1
Mask: 255.255.255.0
Boot file: boot.bin


After renaming the firmware to boot.bin and moving it to the work directory of Tftpd32 I issued the netboot command.

Code:
]netboot
Starting network boot image
n

ar432-2 Network boot v4.03 (FLASH)

Phy reset line on GPIO 0x1a
MAC 00:0f:e2:16:12:29
SDRAM 0x01000000 bytes

(Hold '*' during reset for prompt)

Booting from Ethernet or USB (auto-select)
boot
boot
reply
IP 192.168.7.1
Server 192.168.7.2 ()
Booting 'boot.bin'
................................................................
................................................................
................................................................
......................
Done! (0x001b5a00 bytes)

Starting binary image


And the worst happened: the router got stuck. The firmware that I got from the manufacturer is for web interface update, so I can't get it to work since it probably has a header and other stuff that aren't needed. The manufacturer will only provide the web interface version (I think; I didn't ask them, though), not the binary version. So it's time to do some reversing on it.

Not so different now, huh?

Best regards,
saphex

https://www.openrce.org/blog/view/1234/Something_different_part_3,_or_not_quite_different
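A small in-memory model of the TFTP read exchange behind the netboot step in the post, added here as an illustration (not code from the post or from Tftpd32). It assumes plain RFC 1350 octet mode and constructed sample images, and shows why an image whose size is an exact multiple of 512 bytes, like the 0x001b5a00-byte download above, needs a terminating empty data block.

```python
# Added example, not from the original post: minimal model of the TFTP
# read-request exchange (RFC 1350, octet mode) between a netboot client
# and a TFTP server. All data is constructed in memory; no sockets.
import struct

BLOCK = 512
RRQ, DATA, ACK, ERROR = 1, 2, 3, 5   # TFTP opcodes (WRQ=2 omitted, unused here)

def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """RRQ: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

def parse_rrq(pkt: bytes):
    (op,) = struct.unpack("!H", pkt[:2])
    if op != RRQ:
        raise ValueError("not an RRQ")
    name, mode, _ = pkt[2:].split(b"\0", 2)
    return name.decode(), mode.decode().lower()

def blocks_needed(size: int) -> int:
    """DATA packets for an image of `size` bytes, counting the final short
    block; an exact multiple of 512 still needs one trailing empty block."""
    return size // BLOCK + 1

def data_packets(image: bytes):
    """Yield DATA packets: opcode 2, 16-bit block number (wraps), payload."""
    blocks = [image[i:i + BLOCK] for i in range(0, len(image), BLOCK)]
    if len(image) % BLOCK == 0:
        blocks.append(b"")                   # empty block terminates the transfer
    for n, chunk in enumerate(blocks, start=1):
        yield struct.pack("!HH", DATA, n & 0xFFFF) + chunk

def build_ack(block: int) -> bytes:
    return struct.pack("!HH", ACK, block & 0xFFFF)

def netboot_transfer(image: bytes, requested: str, served: str = "boot.bin") -> bytes:
    """Simulate client (router) and server exchanging packets in memory and
    return the bytes the client assembled."""
    name, mode = parse_rrq(build_rrq(requested))
    if name != served:
        raise FileNotFoundError(name)        # a real server answers with ERROR
    received, expected = bytearray(), 1
    for pkt in data_packets(image):
        op, blk = struct.unpack("!HH", pkt[:4])
        assert op == DATA and blk == expected & 0xFFFF
        received += pkt[4:]
        # client acknowledges; server sends the next block only after this ACK
        assert struct.unpack("!HH", build_ack(blk)) == (ACK, blk)
        expected += 1
        if len(pkt) - 4 < BLOCK:             # short or empty block ends transfer
            break
    return bytes(received)
```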