# Reverse LinkOne devices

## Download the target firmware

{% embed url="<https://link1.com.br/>" %}

For this laboratory, I downloaded this one: **L1-RWH1235AC-V1.2.0.22\_pt\_UCB01.bin**

![](/files/-MgXGlLoLCnweB4ar2e6)

## Extracting rootfs

```
binwalk -Me L1-RWH1235AC-V1.2.0.22_pt_UCB01.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
64            0x40            TRX firmware header, little endian, image size: 7020544 bytes, CRC32: 0x88D7ED84, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x1753B0, rootfs offset: 0x0
92            0x5C            LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4385244 bytes
1528816       0x1753F0        Squashfs filesystem, little endian, non-standard signature, version 3.0, size: 5486271 bytes, 591 inodes, blocksize: 65536 bytes, created: 2015-03-18 03:43:45
7020640       0x6B2060        LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 1398834 bytes
```

![](/files/-MgXHb5Aley6bXiOD19I)

If `unsquashfs` fails with an error like **Can't find a SQUASHFS superblock on file.squashfs.** (binwalk already flagged the filesystem as having a *non-standard signature*), try sasquatch, a modified unsquashfs that understands vendor-specific SquashFS variants:

{% embed url="<https://github.com/devttys0/sasquatch>" %}

{% hint style="success" %}
gcc 10 produces build errors, so install another version such as 9.x.
{% endhint %}

Then make it the default gcc that `make` will pick up :sunglasses:

```
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-9 100
```

Then extract the filesystem:

```
sudo sasquatch -d rootfs 1753F0.squashfs
```
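The binwalk output above already gives the TRX header fields. TRX offsets are relative to the header itself (0x40 here), so partition 0 at 0x1C is the LZMA stream binwalk found at 0x5C and partition 1 at 0x1753B0 is the SquashFS at 0x1753F0. The script below is an added example, not code from the original page or from LinkOne: it parses a TRX v1 header, checks the CRC, carves the partitions and reports whether a SquashFS superblock carries the standard magic or one of the vendor variants that make stock `unsquashfs` fail with the superblock error above (which is what sasquatch exists for). It assumes the CRC convention of OpenWrt's `trx` tool (CRC-32 from the `flag_version` field to the end of the image, without the final inversion) and takes the vendor magic list from binwalk's SquashFS signatures; the sample image that `build_sample_trx` produces is constructed test data, not the LinkOne firmware.

```python
#!/usr/bin/env python3
"""Parse a TRX v1 header, verify its CRC and carve/identify its partitions.
Added example; not the page's or the vendor's code."""
import struct
import sys
import zlib
import lzma  # used only to build the constructed sample image

TRX_MAGIC = b"HDR0"
# magic, image length, crc32, flag_version (flags low 16 bits, version high 16), offsets[3]
TRX_HDR_V1 = struct.Struct("<4sIIIIII")   # 28 bytes, matching binwalk's "header size: 28"

# SquashFS superblock magics: 'hsqs'/'sqsh' are the standard LE/BE values; the rest
# are vendor variants (as listed in binwalk's SquashFS signatures) that stock
# unsquashfs rejects with "Can't find a SQUASHFS superblock" but sasquatch accepts.
SQUASHFS_MAGICS = {
    b"hsqs": "squashfs (standard, LE)",
    b"sqsh": "squashfs (standard, BE)",
    b"shsq": "squashfs (non-standard, LE)",
    b"qshs": "squashfs (non-standard, BE)",
    b"tqsh": "squashfs (non-standard, LE)",
    b"hsqt": "squashfs (non-standard, BE)",
    b"sqlz": "squashfs (non-standard, LZMA)",
}


def trx_crc32(trx: bytes) -> int:
    """TRX CRC following OpenWrt's trx tool (assumption): CRC-32 over everything from
    the flag_version field (header offset 12) to the end of the image, with no final
    bit inversion, i.e. the complement of the usual zlib.crc32 value."""
    return (~zlib.crc32(trx[12:])) & 0xFFFFFFFF


def identify(blob: bytes) -> str:
    """Classify a partition by its leading bytes."""
    if blob[:4] in SQUASHFS_MAGICS:
        return SQUASHFS_MAGICS[blob[:4]]
    # LZMA "alone" stream: properties byte (0x5D = lc3/lp0/pb2), u32 dict size, u64 size
    if len(blob) >= 13 and blob[0] == 0x5D:
        dict_size, usize = struct.unpack_from("<IQ", blob, 1)
        size = "unknown" if usize == 0xFFFFFFFFFFFFFFFF else str(usize)
        return f"lzma (dict {dict_size}, uncompressed {size})"
    return "unknown"


def parse_trx(image: bytes, base: int):
    """Parse the TRX v1 header at `base`. Returns (crc_ok, partitions), where each
    partition is (slot_index, absolute_offset, size, description)."""
    magic, length, crc, flag_ver, *offs = TRX_HDR_V1.unpack_from(image, base)
    if magic != TRX_MAGIC:
        raise ValueError(f"no TRX magic at 0x{base:x}")
    if flag_ver >> 16 != 1:
        raise ValueError("only TRX v1 (three partition slots) is handled")
    trx = image[base:base + length]
    crc_ok = trx_crc32(trx) == crc
    # Offsets are relative to the header start; 0 marks an unused slot. A partition
    # runs up to the next used offset, the last one up to the end of the image.
    used = [(i, o) for i, o in enumerate(offs) if o]
    parts = []
    for n, (idx, off) in enumerate(used):
        end = used[n + 1][1] if n + 1 < len(used) else length
        blob = trx[off:end]
        parts.append((idx, base + off, len(blob), identify(blob)))
    return crc_ok, parts


def carve(image: bytes, base: int, prefix: str):
    """Write each partition to <prefix>.<slot>.bin; returns (crc_ok, file names)."""
    crc_ok, parts = parse_trx(image, base)
    names = []
    for idx, off, size, _desc in parts:
        name = f"{prefix}.{idx}.bin"
        with open(name, "wb") as fh:
            fh.write(image[off:off + size])
        names.append(name)
    return crc_ok, names


def build_sample_trx(base: int = 0x40) -> bytes:
    """Constructed test image (not the LinkOne firmware): `base` bytes of vendor
    pre-header, then a TRX holding an LZMA 'kernel' and a SquashFS-like blob that
    carries the vendor magic 'shsq'."""
    kernel = lzma.compress(b"\x00" * 4096, format=lzma.FORMAT_ALONE)
    rootfs = b"shsq" + b"\x00" * 92
    k_off = TRX_HDR_V1.size
    r_off = k_off + len(kernel)
    length = r_off + len(rootfs)
    hdr = TRX_HDR_V1.pack(TRX_MAGIC, length, 0, 1 << 16, k_off, r_off, 0)
    trx = bytearray(hdr + kernel + rootfs)
    struct.pack_into("<I", trx, 8, trx_crc32(bytes(trx)))   # fill in the CRC field
    return b"\xff" * base + bytes(trx)


if __name__ == "__main__":
    # usage: trx_carve.py <firmware.bin> <hex TRX offset>   (0x40 for this image)
    data = open(sys.argv[1], "rb").read()
    ok, found = parse_trx(data, int(sys.argv[2], 16))
    print("CRC", "OK" if ok else "MISMATCH")
    for idx, off, size, desc in found:
        print(f"partition {idx}: 0x{off:X} size {size} -> {desc}")
```

Run it against the real image with `python3 trx_carve.py L1-RWH1235AC-V1.2.0.22_pt_UCB01.bin 0x40`; a CRC mismatch there usually means the vendor wrapper changed bytes after signing or the image length in the header is not what binwalk assumed, which is worth knowing before you trust the carved partitions.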

## User emulation

```
# run from the extracted rootfs directory
cp /usr/bin/qemu-mipsel-static .
# libnvram stubs the nvram_get()/nvram_set() calls the vendor binaries expect;
# it is loaded from /firmadyne/libnvram.so *inside* the chroot
mkdir -p firmadyne
wget -O firmadyne/libnvram.so https://github.com/firmadyne/libnvram/releases/download/v1.0/libnvram.so.mipsel
(... nvram ...)
sudo chroot . ./qemu-mipsel-static /bin/sh
export LD_PRELOAD=/firmadyne/libnvram.so
httpd
```

After starting the web server (or running **/etc/init.d/rcS**) you will see the process stuck in a loop:

![](/files/-MgXJgetHk3KoU1v-9E4)

At this point you can attach a GDB server to debug it:

{% embed url="<https://gitbook.seguranca-informatica.pt/arm/basic-tips#gdb-server>" %}

Set a breakpoint on `main` and step forward: the process enters a loop inside the **check\_network** call.

![](/files/-MgXtrwrNXBzVGmDe3el)

... and inspect some of the data it checks :sunglasses:

![](/files/-MgXuRSytUUonfQbk3jG)

![](/files/-MgXvv7qT4G1BmoQiu0c)

Reversing `httpd` and the `check_network` call in IDA Pro shows what the loop is waiting for: an interface named **br0** with an address in **192.168.0.0/24**.

![](/files/-MgXLAygHFNuNLC1zAVW)

```
# on the host: create a tap device named br0 with an address in 192.168.0.0/24
# (tunctl comes from uml-utilities; `ip tuntap add dev br0 mode tap user $(whoami)` is the iproute2 equivalent)
sudo tunctl -t br0 -u `whoami`
sudo ifconfig br0 192.168.0.1 netmask 255.255.255.0
sudo ifconfig br0 up
# back inside the chroot, with LD_PRELOAD set as above
httpd --debugger --verbose --home /webroot/ --auth /var/auth.txt --route /var/route.txt 127.0.0.1 80
```

You got it :nerd:

![](/files/-MgXLmTG3T2eZ5bwsLuQ)

![](/files/-MgXLvPs4y2cLhDHieLs)

## Full emulation

{% embed url="<https://people.debian.org/~aurel32/qemu/mipsel/>" %}

```
wget https://people.debian.org/~aurel32/qemu/mipsel/debian_squeeze_mipsel_standard.qcow2
wget https://people.debian.org/~aurel32/qemu/mipsel/vmlinux-2.6.32-5-4kc-malta

# boot the Debian mipsel guest with user-mode networking and forward guest SSH to host port 7777
qemu-system-mipsel -M malta -kernel vmlinux-2.6.32-5-4kc-malta -hda debian_squeeze_mipsel_standard.qcow2 -append "root=/dev/sda1 console=tty0" -net nic -net user,hostfwd=tcp::7777-:22

# this is the key for this router: a tap backend whose host-side interface is named br0,
# so the guest sits on the 192.168.0.0/24 segment created earlier
# (with -nographic the console must go to the serial port, hence console=ttyS0)
qemu-system-mipsel -M malta -kernel vmlinux-2.6.32-5-4kc-malta -hda debian_squeeze_mipsel_standard.qcow2 -append "root=/dev/sda1 console=ttyS0" -net nic -net tap,ifname=br0,script=no,downscript=no -nographic

# copy the extracted rootfs into the guest through the forwarded port and log in
scp -P 7777 rootfs.tar.gz root@127.0.0.1:/root
ssh -p 7777 root@127.0.0.1
```

### Mount /proc and /dev into the rootfs

```
# inside the qemu guest, after unpacking rootfs.tar.gz
mount -t proc proc ./rootfs/proc
mount -o bind /dev ./rootfs/dev
chroot ./rootfs/ sh
```

A trick for this router: rename the guest interface `eth0` to `br0`, so the interface name `check_network` expects exists without any bridging.

```
nano /etc/udev/rules.d/70-persistent-net.rules
```

To rename `eth0` to `br0`, edit `/etc/udev/rules.d/70-persistent-net.rules` and change `NAME="eth0"` to `NAME="br0"`, keeping the driver comment and the `ATTR{address}` (the guest's real MAC) that the file already contains:

```
# PCI device 0x11ab:0x4363 (sky2)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:00:00:00:00:00", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="br0"
```

(A udev rule is a single line; the PCI id, driver and zero MAC in this example come from the linked shellhacks article, so keep the values your guest's file already has and change only `NAME`.)

Then also replace `eth0` with `br0` in the interfaces file:

```
 nano /etc/network/interfaces
```

```
reboot
ifconfig -a
```

{% embed url="<https://www.shellhacks.com/change-network-interface-name-eth0-eth1-eth2/>" %}

In the qemu SSH shell, open the rcS script at `/etc/init.d/rcS` inside the rootfs and change the line:

```
# before
httpd &

# after
httpd --debugger --verbose --home /webroot/ --auth /var/auth.txt --route /var/route.txt 127.0.0.1 80 &
```

Then run **./rcS** from the chroot and magic :sunglasses:

![](/files/-MgXOjNuvrYLmunEx310)

In your browser, open **0.0.0.0/login/Auth**:

![](/files/-MgXOvvIb8KJA2eDLyuK)

{% embed url="<https://cool-y.github.io/2021/01/08/Netgear-psv-2020-0211/>" %}

