Reverse LinkOne devices

Download the target firmware

For this laboratory, I downloaded this one: L1-RWH1235AC-V1.2.0.22_pt_UCB01.bin

Extracting rootfs

binwalk -Me L1-RWH1235AC-V1.2.0.22_pt_UCB01.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
64            0x40            TRX firmware header, little endian, image size: 7020544 bytes, CRC32: 0x88D7ED84, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x1753B0, rootfs offset: 0x0
92            0x5C            LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4385244 bytes
1528816       0x1753F0        Squashfs filesystem, little endian, non-standard signature, version 3.0, size: 5486271 bytes, 591 inodes, blocksize: 65536 bytes, created: 2015-03-18 03:43:45
7020640       0x6B2060        LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 1398834 bytes

You can try to use also this version of squashfs if you got some error like this: Can't find a SQUASHFS superblock on file.squashfs. This is a modified version:

gcc version 10 will result in some erros. So, install other version such as 9.x.

After that, add it as the principal version when you use make. 😎

sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-9 100

After that, try to get the fs:

sudo sasquatch -d rootfs 1753F0.squashfs

User emulation

cp /bin/qemu-mipsel-static .
sudo chroot . ./qemu-mipsel-static /bin/sh 
wget https://github.com/firmadyne/libnvram/releases/download/v1.0/libnvram.so.mipsel
(... nvram ...)
export LD_PRELOAD=/firmadyne/libnvram.so
httpd

After execute the web-server, or the /etc/init.d/rcS, you will get the loop:

At this point, you can use GDB server to debug it:

Adding a breakpoint on main, and next, you will see the process will enter in a loop inside the "check_network" call.

and .. check some data ... 😎

Using IDA PRO, you can also reverse the httpd file and the check_network call. Basically, our iface must be renamed to br0 and use the range 192.168.0.0/24.

sudo tunctl -t br0 -u `whoami`
sudo ifconfig br0 192.168.0.0/24
sudo ifconfig br0 up
httpd --debugger --verbose --home /webroot/ --auth /var/auth.txt --route /var/route.txt 127.0.0.1 80

You got it πŸ€“

Full emulation

wget https://people.debian.org/~aurel32/qemu/mipsel/debian_squeeze_mipsel_standard.qcow2
wget https://people.debian.org/~aurel32/qemu/mipsel/vmlinux-2.6.32-5-4kc-malta
qemu-system-mipsel -M malta -kernel vmlinux-2.6.32-5-4kc-malta -hda debian_squeeze_mipsel_standard.qcow2 -append "root=/dev/sda1 console=tty0"
qemu-system-mipsel -M malta -kernel vmlinux-2.6.32-5-4kc-malta -hda debian_squeeze_mipsel_standard.qcow2 -append "root=/dev/sda1 console=tty0"  -net nic -net user,hostfwd=tcp::7777-:22 

this is the key:
-net nic -net tap,ifname=br0,script=no,downscript=no -nographic 

scp -P 7777 rootfs.tar.gz root@127.0.0.1:/root
ssh -p 7777 root@127.0.0.1

Mount shares

mount -t proc /proc ./roofs/proc
mount -o bind /dev ./rootfs/dev
chroot ./roofs/ sh

A trick for this router, you can also change the name of the iface: eth0 to br0.

nano /etc/udev/rules.d/70-persistent-net.rule

To rename interface eth0 to wan0, edit /etc/udev/rules.d/70-persistent-net.rules file and change NAME="eth0" to NAME="br0".

# PCI device 0x11ab:0x4363 (sky2)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*",
ATTR{address}=="00:00:00:00:00:00",ATTR{dev_id}=="0x0", ATTR{type}=="1",
KERNEL=="eth*", NAME="br0"

After that, rename eth0 to br0 here:

 nano /etc/network/interfaces
reboot
ifconfig -a

On the qemu ssh shell, access the rcS script at: /etc/init.d/rcS, and change the line:

httpd &

by

httpd --debugger --verbose --home /webroot/ --auth /var/auth.txt --route /var/route.txt 127.0.0.1 80 &

After that, execute your file ./rcS and magic 😎

On your browser: 0.0.0.0/login/Auth

Last updated