Download the target firmware
For this laboratory, I downloaded this one: L1-RWH1235AC-V1.2.0.22_pt_UCB01.bin
binwalk -Me L1-RWH1235AC-V1.2.0.22_pt_UCB01.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
64 0x40 TRX firmware header, little endian, image size: 7020544 bytes, CRC32: 0x88D7ED84, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x1753B0, rootfs offset: 0x0
92 0x5C LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4385244 bytes
1528816 0x1753F0 Squashfs filesystem, little endian, non-standard signature, version 3.0, size: 5486271 bytes, 591 inodes, blocksize: 65536 bytes, created: 2015-03-18 03:43:45
7020640 0x6B2060 LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 1398834 bytes
If unsquashfs fails with an error like "Can't find a SQUASHFS superblock on file.squashfs", that is the non-standard signature binwalk reported above: the image is a vendor-modified squashfs 3.0 that stock unsquashfs does not recognise. Use sasquatch instead, a patched unsquashfs that handles these vendor variants. It does not build cleanly with gcc 10, so install an older release such as 9.x and make it the default compiler:
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-9 100
Then extract the root filesystem from the squashfs image that binwalk carved out:
sudo sasquatch -d rootfs 1753F0.squashfs
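The binwalk listing above is worth checking by hand before trusting it. TRX partition offsets are relative to the TRX header (which sits at file offset 0x40 here), which is why the loader offset 0x1C lands on the LZMA data at 0x5C and the "linux kernel offset" 0x1753B0 lands at 0x1753F0, exactly where binwalk found the squashfs; and the "non-standard signature" on that squashfs is the reason stock unsquashfs reports no superblock. The following Python script is an added example, not code from the original write-up: it parses the TRX header, recomputes its CRC using the convention from OpenWrt's trx.c (assumed to be what this vendor used as well), converts the partition offsets to file offsets, and probes the squashfs superblock to report whether unsquashfs or sasquatch is the right extractor. The list of vendor magics and the constructed sample image are assumptions, not data taken from this firmware.

```python
import struct
import sys
import zlib

TRX_MAGIC = b"HDR0"
TRX_HDR_LEN = 28                     # magic, len, crc32, flags, version, 3 partition offsets
SQSH_STANDARD = {b"hsqs", b"sqsh"}   # magics stock unsquashfs accepts (little / big endian)
SQSH_VENDOR = {b"shsq", b"qshs", b"tqsh", b"hsqt", b"sqlz"}   # assumed, non-exhaustive vendor variants


def trx_crc32(image: bytes, length: int) -> int:
    """CRC as OpenWrt's trx.c computes it: CRC-32 over everything after the crc
    field (offset 12) up to the declared length, without the final inversion."""
    return (zlib.crc32(image[12:length]) ^ 0xFFFFFFFF) & 0xFFFFFFFF


def parse_trx(blob: bytes, base: int) -> dict:
    """Parse the TRX header at file offset `base`. Header offsets are relative to
    the header itself, so each partition's file offset is base + offset."""
    magic, length, crc, flags, version, *offs = struct.unpack_from("<4sIIHHIII", blob, base)
    if magic != TRX_MAGIC:
        raise ValueError("no TRX header at 0x%x" % base)
    if base + length > len(blob) or any(o >= length for o in offs):
        raise ValueError("TRX length or partition offset runs past the image")
    return {
        "length": length, "flags": flags, "version": version,
        "crc_ok": trx_crc32(blob[base:base + length], length) == crc,
        "partitions": [{"trx_offset": o, "file_offset": base + o} for o in offs if o],
    }


def probe_squashfs(blob: bytes, off: int) -> dict:
    """Read the squashfs superblock at `off` and decide which extractor to use.
    Field offsets: v3 packed layout (mkfs_time 39, block_size 51, bytes_used 63)
    and v4 layout (mkfs_time 8, block_size 12, bytes_used 40); version at 28."""
    magic = blob[off:off + 4]
    if magic not in SQSH_STANDARD | SQSH_VENDOR:
        raise ValueError("no squashfs magic at 0x%x (got %r)" % (off, magic))
    # Detect byte order from the version field; vendor magics do not encode it reliably.
    for endian in ("<", ">"):
        major, minor = struct.unpack_from(endian + "HH", blob, off + 28)
        if 1 <= major <= 4:
            break
    else:
        raise ValueError("squashfs version field looks corrupt at 0x%x" % off)
    inodes = struct.unpack_from(endian + "I", blob, off + 4)[0]
    if major == 4:
        mkfs_time, block_size = struct.unpack_from(endian + "II", blob, off + 8)
        bytes_used = struct.unpack_from(endian + "Q", blob, off + 40)[0]
    elif major == 3:
        mkfs_time = struct.unpack_from(endian + "I", blob, off + 39)[0]
        block_size = struct.unpack_from(endian + "I", blob, off + 51)[0]
        bytes_used = struct.unpack_from(endian + "Q", blob, off + 63)[0]
    else:
        mkfs_time = block_size = bytes_used = None   # v1/v2 layouts not handled here
    return {
        "magic": magic, "standard_magic": magic in SQSH_STANDARD,
        "version": (major, minor), "inodes": inodes, "mkfs_time": mkfs_time,
        "block_size": block_size, "bytes_used": bytes_used,
        "tool": "unsquashfs" if magic in SQSH_STANDARD else "sasquatch",
    }


def report(blob: bytes, base: int) -> dict:
    """parse_trx plus a superblock probe of every partition that starts with a squashfs magic."""
    info = parse_trx(blob, base)
    for p in info["partitions"]:
        if blob[p["file_offset"]:p["file_offset"] + 4] in SQSH_STANDARD | SQSH_VENDOR:
            p["squashfs"] = probe_squashfs(blob, p["file_offset"])
    return info


def build_sample_trx() -> bytes:
    """Constructed sample, not the real L1-RWH1235AC image: 64 bytes of vendor
    preamble, then a TRX holding a stand-in loader and a v3 superblock with the
    vendor magic 'shsq' (values mirror the binwalk output above)."""
    loader = b"\x5d\x00\x00\x01\x00" + b"\x00" * 59    # LZMA-style properties byte plus padding
    sb = bytearray(96)
    sb[0:4] = b"shsq"
    struct.pack_into("<I", sb, 4, 591)                  # inodes
    struct.pack_into("<HH", sb, 28, 3, 0)               # s_major, s_minor
    struct.pack_into("<I", sb, 39, 1426650225)          # mkfs_time: 2015-03-18 03:43:45 UTC
    struct.pack_into("<I", sb, 51, 65536)               # block_size
    struct.pack_into("<Q", sb, 63, 5486271)             # bytes_used
    payload = loader + bytes(sb)
    body = struct.pack("<HHIII", 0, 1, TRX_HDR_LEN, TRX_HDR_LEN + len(loader), 0) + payload
    crc = (zlib.crc32(body) ^ 0xFFFFFFFF) & 0xFFFFFFFF
    return b"\xff" * 64 + TRX_MAGIC + struct.pack("<II", TRX_HDR_LEN + len(payload), crc) + body


if __name__ == "__main__":
    # usage: python3 trxcheck.py firmware.bin 0x40   (base = binwalk's TRX header offset)
    if len(sys.argv) > 2:
        print(report(open(sys.argv[1], "rb").read(), int(sys.argv[2], 0)))
    else:
        print(report(build_sample_trx(), 64))
```

Run it as python3 trxcheck.py L1-RWH1235AC-V1.2.0.22_pt_UCB01.bin 0x40; with no arguments it runs on the constructed sample. Treat a CRC mismatch on a vendor image as a hint rather than a verdict: vendors do not all fill the field the way OpenWrt does, so confirm against the extracted filesystem before concluding the download is corrupt.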
User emulation
# run from inside the extracted rootfs: copy in the static user-mode qemu and chroot
cp /bin/qemu-mipsel-static .
sudo chroot . ./qemu-mipsel-static /bin/sh
# firmadyne's libnvram stands in for the router's NVRAM so httpd can read its settings
wget https://github.com/firmadyne/libnvram/releases/download/v1.0/libnvram.so.mipsel
(... nvram ...)
export LD_PRELOAD=/firmadyne/libnvram.so
httpd
After starting the web server (or running /etc/init.d/rcS), httpd hangs in a loop:
At this point you can attach gdbserver to debug it:
Set a breakpoint on main and step forward; the process enters a loop inside the check_network call.
Reversing httpd, and check_network in particular, in IDA Pro explains why: the function waits for an interface named br0 with an address in 192.168.0.0/24, so the interface used for emulation must be named br0 and configured in that range.
sudo tunctl -t br0 -u `whoami`
# check_network wants br0 up with an address in 192.168.0.0/24; 192.168.0.1 is an assumed host address in that range (the network address itself is not usable)
sudo ifconfig br0 192.168.0.1/24
sudo ifconfig br0 up
httpd --debugger --verbose --home /webroot/ --auth /var/auth.txt --route /var/route.txt 127.0.0.1 80
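A host-side preflight for the condition check_network was seen looping on. This is an added example, not code from the original write-up and not a reimplementation of the binary's own function; it assumes, from the reversing notes above, that check_network needs an interface named br0 that is up and carries an IPv4 address in 192.168.0.0/24, and it reads those facts through the Linux SIOCGIFFLAGS and SIOCGIFADDR ioctls. Run it on the host where tunctl created br0, before launching httpd under qemu-user, to avoid staring at the loop again.

```python
import fcntl
import ipaddress
import socket
import struct

SIOCGIFFLAGS = 0x8913      # Linux ioctl: read interface flags
SIOCGIFADDR = 0x8915       # Linux ioctl: read interface IPv4 address
IFF_UP = 0x1
LAN = ipaddress.ip_network("192.168.0.0/24")   # the range check_network expects (from the reversing above)


def _ifreq(ifname: str) -> bytes:
    # struct ifreq: 16-byte name followed by a union; 256 bytes is more than enough
    return struct.pack("256s", ifname.encode()[:15])


def get_flags(ifname: str):
    """Interface flags (ifr_flags, a short at offset 16), or None if the interface is absent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            res = fcntl.ioctl(s.fileno(), SIOCGIFFLAGS, _ifreq(ifname))
        except OSError:        # ENODEV: no such interface
            return None
    return struct.unpack_from("H", res, 16)[0]


def get_ipv4(ifname: str):
    """IPv4 address (sin_addr inside ifr_addr, offset 20), or None if the interface
    is missing or has no IPv4 address; the ioctl raises OSError in both cases."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            res = fcntl.ioctl(s.fileno(), SIOCGIFADDR, _ifreq(ifname))
        except OSError:
            return None
    return socket.inet_ntoa(res[20:24])


def addr_in_lan(addr: str) -> bool:
    return ipaddress.ip_address(addr) in LAN


def preflight(ifname: str = "br0"):
    """Return (ok, reason), checking the conditions check_network loops on."""
    flags = get_flags(ifname)
    if flags is None:
        return False, "%s does not exist (create it with tunctl -t %s)" % (ifname, ifname)
    if not flags & IFF_UP:
        return False, "%s is down (ifconfig %s up)" % (ifname, ifname)
    addr = get_ipv4(ifname)
    if addr is None:
        return False, "%s has no IPv4 address" % ifname
    if not addr_in_lan(addr):
        return False, "%s is %s, outside %s" % (ifname, addr, LAN)
    return True, "%s is up at %s" % (ifname, addr)


if __name__ == "__main__":
    ok, why = preflight()
    print(("OK: " if ok else "NOT READY: ") + why)
```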
Full emulation
wget https://people.debian.org/~aurel32/qemu/mipsel/debian_squeeze_mipsel_standard.qcow2
wget https://people.debian.org/~aurel32/qemu/mipsel/vmlinux-2.6.32-5-4kc-malta
# boot the Debian mipsel guest
qemu-system-mipsel -M malta -kernel vmlinux-2.6.32-5-4kc-malta -hda debian_squeeze_mipsel_standard.qcow2 -append "root=/dev/sda1 console=tty0"
# the same, with user-mode networking and host port 7777 forwarded to the guest's SSH port
qemu-system-mipsel -M malta -kernel vmlinux-2.6.32-5-4kc-malta -hda debian_squeeze_mipsel_standard.qcow2 -append "root=/dev/sda1 console=tty0" -net nic -net user,hostfwd=tcp::7777-:22
The key option is the tap network device, which attaches the guest's NIC to the br0 tap interface created on the host with tunctl, so the guest is reachable from the host the way the real router's LAN side would be:
-net nic -net tap,ifname=br0,script=no,downscript=no -nographic
Transfer the extracted root filesystem into the guest over the forwarded port and log in:
scp -P 7777 rootfs.tar.gz root@127.0.0.1:/root
ssh -p 7777 root@127.0.0.1
Mount shares
# inside the guest, after unpacking rootfs.tar.gz: give the chroot a working /proc and /dev
mount -t proc /proc ./rootfs/proc
mount -o bind /dev ./rootfs/dev
chroot ./rootfs/ sh
Another trick for this router: rename the guest's interface from eth0 to br0 so that check_network is satisfied. Edit /etc/udev/rules.d/70-persistent-net.rules and change NAME="eth0" to NAME="br0":
nano /etc/udev/rules.d/70-persistent-net.rules
# PCI device 0x11ab:0x4363 (sky2)
# ATTR{address} must match the guest NIC's MAC address (see "ip link"), or the rule never fires
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:00:00:00:00:00", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="br0"
After that, rename eth0 to br0 in the network configuration as well:
nano /etc/network/interfaces
In the guest's SSH shell, edit the firmware's init script /etc/init.d/rcS and replace the line:
httpd &
with:
httpd --debugger --verbose --home /webroot/ --auth /var/auth.txt --route /var/route.txt 127.0.0.1 80 &
Then open 0.0.0.0/login/Auth in your browser.