Router Reversing

Background

Routers and Access Points

  • Every router, like any other networked device, runs software that can be examined
  • They are embedded systems, so that software is almost always written in C
  • Vendor firmware is usually proprietary, but OpenWrt and DD-WRT are widely used open source alternatives, and many vendor images are built on top of them

Recon
Analysis
Firmware

RECON/DISCOVERY

Target Device

The router used is a travel router focused on protecting privacy

The GL-MT300N-V2

  • Produced by GL iNet
  • Designed to be a Travel Router
  • Can act as Router, Repeater, and USB modem
  • Only Supports 2.4GHz networking

Hardware Specs

  • MediaTek MT7628NN SoC (MIPS core; the U-Boot prompt below identifies it as MT7628)
  • SPI Flash (16MB)
  • WAN and LAN Ethernet Ports
  • USB 2.0
  • Micro USB
  • 128 MB of RAM (DDR2)
  • User Programmable Switch
  • Reset button
  • On Board UART

PCB Pinout

ANALYSIS

UARTs

  • A UART is a Universal Asynchronous Receiver-Transmitter
  • Used for serial communication between (in this case) an embedded device and a computer; on routers it is normally the bootloader and kernel console
  • There is no shared clock line; both ends must be configured for the same baud rate and framing (8N1), which is why the link is called asynchronous
  • The UART on the device appears to be full duplex
  • A UART header has 3-4 pins: Tx (transmit), Rx (receive), GND and often VCC. Tx, Rx and GND are needed (the ground gives both sides a common reference); VCC is the board's own supply and should be left unconnected, since the target is already powered

Connecting...

  • Modern computers do not have serial ports, so a USB-to-UART adapter is needed
  • Adapters come in 3.3V and 5V logic-level versions (some are switchable). The 5V on the device's power input says nothing about the UART logic level: the SoC's I/O runs at 3.3V, and driving its Rx pin from a 5V adapter can damage it. Confirm with a multimeter before wiring (Tx idles at the logic-high voltage)
  • The CP2102 is the most common adapter IC

Soldering Pins On

Connecting Continued...

  • Cross the lines (device Tx to adapter Rx, device Rx to adapter Tx), connect GND, then open the port at the baud rate from the vendor documentation (8N1) in PuTTY or the Arduino IDE serial monitor
  • The Arduino serial monitor has trouble displaying the output; PuTTY is more reliable
  • Enable session logging to a file before powering the board on; the boot messages are needed later

Successful Connection

What's this? UBOOT?

U-Boot

  • Universal Bootloader used in embedded devices
  • Works on multiple architectures
  • Boots the OS by reading the kernel and related data from flash into RAM
  • The Ralink/MediaTek U-Boot build on this device has a couple of useful commands (see the help output below)

Booting Into U-Boot

  • During startup it can be seen that there is a line of text that says "type gl to interrupt startup"
  • Typing in gl drops us into U-Boot!
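Automating the two steps above (logging the console and typing gl as soon as the prompt appears) is useful because the prompt is only shown briefly at power-on. The Python below is an added example, not code from the original page or from GL-iNet: it reads the serial port byte by byte, mirrors everything into a log file, and sends the interrupt string when the quoted prompt text is seen. The prompt string is the one quoted above; the boot messages in FAKE_BOOT_LOG are constructed, the assumption that the bootloader needs only "gl" without Enter is the author's of this example, the device path and baud rate come from the caller (take the rate from the vendor documentation), and pyserial is only needed for a real port.

```python
import io
import time


def interrupt_boot(port, log, marker=b"type gl to interrupt startup",
                   key=b"gl", timeout_s=30.0):
    """Watch the boot console for `marker` and send `key` the moment it appears.

    port: anything with read(n) -> bytes (b'' when nothing arrived yet) and
          write(bytes), e.g. a pyserial Serial opened with timeout=1.
    log:  binary file the whole console stream is mirrored into (the "start
          logging" step), so the boot messages survive for later analysis.
    Returns True if the marker was seen and the key sent, False on timeout:
    wrong baud rate, Rx/Tx swapped, missing GND, or a bootloader that never
    prints the prompt.
    """
    window = b""
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        chunk = port.read(1)
        if not chunk:          # read timed out (or replay exhausted); keep waiting
            continue
        log.write(chunk)
        window = (window + chunk)[-len(marker):]   # sliding match, no buffering of the whole log
        if window == marker:
            port.write(key)    # assumption: the two characters alone interrupt, no Enter needed
            return True
    return False


class ReplayPort:
    """Stand-in for a serial port that replays a captured boot log, so the logic
    can be exercised without hardware; records what would have been sent."""

    def __init__(self, capture):
        self._buf = io.BytesIO(capture)
        self.sent = b""

    def read(self, n):
        return self._buf.read(n)

    def write(self, data):
        self.sent += data


# Constructed stand-in for a boot log (not the real GL-iNet output); only the
# interrupt line is taken from the page.
FAKE_BOOT_LOG = (b"DRAM: 128 MiB\r\nSPI flash: 16 MiB\r\n"
                 b"type gl to interrupt startup\r\n")


def replay(capture, timeout_s=1.0):
    """Run interrupt_boot against a captured log; returns (hit, bytes sent, bytes logged)."""
    port = ReplayPort(capture)
    log = io.BytesIO()
    hit = interrupt_boot(port, log, timeout_s=timeout_s)
    return hit, port.sent, log.getvalue()


if __name__ == "__main__":
    import sys
    import serial  # pyserial; only needed for a real port, not for ReplayPort
    dev, baud = sys.argv[1], int(sys.argv[2])   # e.g. /dev/ttyUSB0 and the vendor-documented rate
    with serial.Serial(dev, baud, timeout=1) as port, open("boot.log", "ab") as log:
        ok = interrupt_boot(port, log)
        print("dropped into U-Boot" if ok else
              "no interrupt prompt seen; check baud rate, Rx/Tx and GND")
```

Run it as python interrupt.py /dev/ttyUSB0 <baud> with the board powered off, then power the board on; once it reports the prompt was seen, attach PuTTY or screen to the same port to work at the MT7628 # prompt. If it returns False, garbage in boot.log points at the baud rate, an empty log at swapped Tx/Rx or a missing GND.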

U-Boot 'help' output

MT7628 # help
?       - alias for 'help'
bootm   - boot application image from memory
cp      - memory copy
crc32   - checksum calculation
erase   - erase SPI FLASH memory
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls   - list files in a directory (default /)
go      - start application at address 'addr'
help    - print online help
loadb   - load binary file over serial line (kermit mode)
md      - memory display
mdio   - Ralink PHY register R/W command !!
mm      - memory modify (auto-incrementing)
nm      - memory modify (constant address)
printenv- print environment variables
reset   - Perform RESET of the CPU
rf      - read/write rf register
saveenv - save environment variables to persistent storage
setenv  - set environment variables
spi     - spi command
tftpboot- boot image via network using TFTP protocol
usb     - USB sub-system
usbboot - boot from USB device
version - print monitor version

md - memory display

  • md can be used to read sections of memory; md.b displays bytes, md.w 16-bit words and md.l 32-bit words, and the second argument is the number of objects to display, not an end address
  • A quick check first, outputting a couple of lines before committing to a full dump

MT7628 # md.b 0x80000000 0x1000000
80000000: 01 00 00 a0 02 00 00 a0 03 00 00 a0 04 00 00 a0    ................
80000010: 05 00 00 a0 06 00 00 a0 07 00 00 a0 08 00 00 a0    ................
80000020: 09 00 00 a0 0a 00 00 a0 0b 00 00 a0 0c 00 00 a0    ................
80000030: 0d 00 00 a0 0e 00 00 a0 0f 00 00 a0 10 00 00 a0    ................
80000040: 11 00 00 a0 12 00 00 a0 13 00 00 a0 14 00 00 a0    ................
80000050: 15 00 00 a0 16 00 00 a0 17 00 00 a0 18 00 00 a0    ................
80000060: 19 00 00 a0 1a 00 00 a0 1b 00 00 a0 1c 00 00 a0    ................
80000070: 1d 00 00 a0 1e 00 00 a0 1f 00 00 a0 20 00 00 a0    ............ ...
80000080: 21 00 00 a0 22 00 00 a0 23 00 00 a0 24 00 00 a0    !..."...#...$...
80000090: 25 00 00 a0 26 00 00 a0 27 00 00 a0 28 00 00 a0    %...&...'...(...
800000a0: 29 00 00 a0 2a 00 00 a0 2b 00 00 a0 2c 00 00 a0    )...*...+...,...
800000b0: 2d 00 00 a0 2e 00 00 a0 2f 00 00 a0 30 00 00 a0    -......./...0...
800000c0: 31 00 00 a0 32 00 00 a0 33 00 00 a0 34 00 00 a0    1...2...3...4...
800000d0: 35 00 00 a0 36 00 00 a0 37 00 00 a0 38 00 00 a0    5...6...7...8...
800000e0: 39 00 00 a0 3a 00 00 a0 3b 00 00 a0 3c 00 00 a0    9...:...;...<...
^C

Dump Memory

  • Determine where the image sits in memory and how large it is
  • Here the dump starts at 0x80000000, the base of cached RAM in the MIPS KSEG0 segment. The second argument to md is a count, so 0x1000000 means 16 MiB (the size of the SPI flash) and the range ends at 0x80FFFFFF. Check that the region actually holds a loaded image before dumping: md shows only whatever is in RAM at that address, and the lines above show a regular incrementing word pattern
  • Dumping 16 MiB as hex text over the serial line takes time (over 6 hours); pushing the image to a TFTP server over the network would be far faster
  • That is not an option here: the help output lists tftpboot, which only pulls an image into the device, and this proprietary U-Boot has no tftpput to send one out

Ingest

A short Python script parses the logged output of md back into the dumped bytes

import re
import sys

# Terminal log of the U-Boot "md.b" session (PuTTY writes CRLF line endings).
filename = "inputToParse.log"
# Only lines of the form "<addr>: <16 hex bytes>    <ascii>" carry data; the
# prompt line, blank lines and the trailing ^C are skipped.
line_re = re.compile(r'^([0-9a-fA-F]{8}): ((?:[0-9a-fA-F]{2} ){16})')

with open(filename) as f:
    content = f.read().splitlines()   # strips CR and LF

output_stream = sys.stdout
data = bytearray()
i = 0
for line in content:
    m = line_re.match(line)
    if not m:
        continue
    i = i + 1
    # The 16 hex bytes from the middle column; the ASCII column on the right is
    # only a rendering of the same bytes and is not parsed.
    data += bytes.fromhex(m.group(2))
    output_stream.write('Line: %s\r' % i)
    output_stream.flush()
output_stream.write('\n')

# Write real binary rather than hex text, so binwalk/strings can run on it directly.
with open("parsedOutput.bin", "wb") as f:
    f.write(data)
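A dump that takes hours over a serial line can lose or repeat lines (scrollback, a re-issued command, a dropped character), and the parser above trusts line order. The following added Python example, which is not from the original page, places each md.b line by the address in its first column instead, reports address ranges that never arrived, and computes the CRC-32 of the result so it can be compared with what U-Boot's own crc32 command prints for the same range. SAMPLE_LOG is a constructed capture, not a real dump: it contains the prompt line, a repeated line, a missing line and the ^C from the page.

```python
import re
import zlib

# Constructed sample of a logged "md.b 0x80000000 0x1000000" session (not a real
# capture): CRLF endings as PuTTY writes them, the prompt line, the line at
# 0x80000010 repeated, the line at 0x80000030 missing, and the trailing ^C.
SAMPLE_LOG = (
    "MT7628 # md.b 0x80000000 0x1000000\r\n"
    "80000000: 01 00 00 a0 02 00 00 a0 03 00 00 a0 04 00 00 a0    ................\r\n"
    "80000010: 05 00 00 a0 06 00 00 a0 07 00 00 a0 08 00 00 a0    ................\r\n"
    "80000010: 05 00 00 a0 06 00 00 a0 07 00 00 a0 08 00 00 a0    ................\r\n"
    "80000020: 09 00 00 a0 0a 00 00 a0 0b 00 00 a0 0c 00 00 a0    ................\r\n"
    "80000040: 11 00 00 a0 12 00 00 a0 13 00 00 a0 14 00 00 a0    ................\r\n"
    "^C\r\n"
)

# "<8 hex digit address>: " followed by exactly 16 "xx " byte groups.
LINE_RE = re.compile(r'^([0-9a-fA-F]{8}): ((?:[0-9a-fA-F]{2} ){16})')


def parse_md_log(text, base):
    """Rebuild the dumped region from an md.b log using each line's own address.

    Returns (image, gaps): image is a bytearray covering base .. highest address
    seen (missing lines are zero-filled), gaps lists (start, end) address ranges
    for which no line was captured. A line repeated with identical bytes is
    harmless; the same address with different bytes means the log is corrupt.
    """
    seen = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # prompt, blank line, ^C, partial line
        addr = int(m.group(1), 16)
        chunk = bytes.fromhex(m.group(2))
        if addr < base:
            raise ValueError("address 0x%08x below base 0x%08x" % (addr, base))
        if addr in seen and seen[addr] != chunk:
            raise ValueError("conflicting data at 0x%08x" % addr)
        seen[addr] = chunk
    if not seen:
        return bytearray(), []
    end = max(seen) + 16
    image = bytearray(end - base)
    gaps = []
    for addr in range(base, end, 16):
        if addr in seen:
            image[addr - base:addr - base + 16] = seen[addr]
        else:
            gaps.append((addr, addr + 16))
    return image, gaps


def uboot_crc32(image):
    """Standard CRC-32 (zlib polynomial), the same value U-Boot's
    'crc32 <addr> <count>' command prints for the region in RAM."""
    return zlib.crc32(image) & 0xffffffff


if __name__ == "__main__":
    img, missing = parse_md_log(SAMPLE_LOG, 0x80000000)
    for start, end in missing:
        print("gap: 0x%08x-0x%08x (re-dump with md.b %x %x)" % (start, end - 1, start, 16))
    print("crc32 over %d bytes: %08x" % (len(img), uboot_crc32(img)))
```

Re-dump only the reported gaps with md.b at those addresses, then compare uboot_crc32 of the complete image with the output of crc32 80000000 1000000 at the U-Boot prompt before spending time on the firmware itself; a mismatch means the serial capture is still damaged.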

FIRMWARE

Check

  • We have the firmware
  • In fact, the firmware is a custom OpenWrt build!
  • Test compile: build stock OpenWrt for this target to confirm the toolchain works before modifying anything

Clone and Install Tools

sudo apt install build-essential ccache ecj fastjar file g++ gawk \
gettext git java-propose-classpath libelf-dev libncurses5-dev \
libncursesw5-dev libssl-dev python python2.7-dev python3 unzip wget \
python3-distutils python3-setuptools rsync subversion swig time \
xsltproc zlib1g-dev 
git clone https://github.com/openwrt/openwrt.git openwrt

Compilation

Compiling is easy: run the feeds scripts (./scripts/feeds update -a, then ./scripts/feeds install -a), select the ramips/mt76x8 target and the GL-MT300N-V2 profile in make menuconfig, and run make (wrapped in time to measure how long compilation takes).

Successful Compile

Installing Firmware

Our OpenWrt Version

Modification

  • Changing up Uboot
  • Deleting opkg

References

  • https://openwrt.org/start
  • https://docs.gl-inet.com/en/2/hardware/mt300n-v2/
  • https://github.com/gl-inet/openwrt

Tools used

  • Ubuntu VM
  • GL-iNet MT300N-V2
  • USB to UART adapter