Reverse LinkOne devices

Download the target firmware

For this laboratory, I downloaded this one: L1-RWH1235AC-V1.2.0.22_pt_UCB01.bin

Extracting rootfs

binwalk -Me L1-RWH1235AC-V1.2.0.22_pt_UCB01.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
64            0x40            TRX firmware header, little endian, image size: 7020544 bytes, CRC32: 0x88D7ED84, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x1753B0, rootfs offset: 0x0
92            0x5C            LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4385244 bytes
1528816       0x1753F0        Squashfs filesystem, little endian, non-standard signature, version 3.0, size: 5486271 bytes, 591 inodes, blocksize: 65536 bytes, created: 2015-03-18 03:43:45
7020640       0x6B2060        LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 1398834 bytes
binwalk -Me extracts recursively into _L1-RWH1235AC-V1.2.0.22_pt_UCB01.bin.extracted/, where the carved filesystem is 1753F0.squashfs. The image uses a non-standard squashfs signature, so stock unsquashfs may refuse it with an error like "Can't find a SQUASHFS superblock on 1753F0.squashfs". In that case use devttys0's patched squashfs-tools:
GitHub - devttys0/sasquatch
Building it with gcc 10 results in errors, so install another version such as gcc 9.x and make it the default compiler before running make:
😎
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-9 100

Then extract the filesystem:

sudo sasquatch -d rootfs 1753F0.squashfs
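The TRX header binwalk printed is worth decoding by hand: the three partition offsets it holds are relative to the header, and the names binwalk attaches to them ("loader", "linux kernel", "rootfs") are positional labels, not verified content. In this image the slot labelled "linux kernel" (0x1753B0) is where the squashfs actually begins, since 0x40 + 0x1753B0 = 0x1753F0. The script below is an added example, not code from this page or from binwalk: it finds the HDR0 magic, decodes the header fields and carves a partition to hand to sasquatch. It assumes a POSIX sh with coreutils and a grep that supports -o -b -a (GNU grep does); make_sample builds a small constructed image in the same layout (64-byte vendor header, then the TRX header) so the functions can be tried without the real firmware.

```shell
#!/bin/sh
# Added example, not code from the original page: parse a TRX header and carve
# the partition it points at. Assumes POSIX sh + coreutils (od, awk, tail,
# printf) and a grep supporting -o -b -a (GNU grep). make_sample is constructed.

# le32_at FILE OFFSET: unsigned little-endian 32-bit value at OFFSET, read byte
# by byte so the host's endianness does not matter.
le32_at() {
    od -An -v -t u1 -j "$2" -N 4 "$1" |
        awk '{ printf "%.0f\n", $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 }'
}

# trx_offset FILE: byte offset of the first "HDR0" magic (64 = 0x40 for the L1
# image, which carries a 64-byte vendor header in front of the TRX header).
trx_offset() {
    off=$(grep -oba 'HDR0' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$off" ] || return 1
    printf '%s\n' "$off"
}

# trx_parse FILE: print the header fields. TRX v1 layout: magic(4) len(4)
# crc32(4) flags(2) version(2) offsets[3](4 each) = 28 bytes. The offsets are
# relative to the header, hence 0x40 + 0x1753B0 = 0x1753F0 for the squashfs.
trx_parse() {
    f=$1
    base=$(trx_offset "$f") || { echo "no TRX header in $f" >&2; return 1; }
    len=$(le32_at "$f" $((base + 4)))
    crc=$(le32_at "$f" $((base + 8)))
    flagver=$(le32_at "$f" $((base + 12)))
    printf 'trx_base=0x%X len=%d crc32=0x%08X flags=0x%X version=%d\n' \
        "$base" "$len" "$crc" $((flagver & 0xFFFF)) $((flagver >> 16))
    for i in 0 1 2; do
        rel=$(le32_at "$f" $((base + 16 + i * 4)))
        printf 'part%d=0x%X\n' "$i" $((base + rel))   # absolute file offset
    done
}

# trx_carve FILE PART OUT: copy partition PART (0..2) from its absolute offset
# to end of file; a zero offset means the slot is unused.
trx_carve() {
    f=$1 part=$2 out=$3
    base=$(trx_offset "$f") || return 1
    rel=$(le32_at "$f" $((base + 16 + part * 4)))
    [ "$rel" -ne 0 ] || { echo "partition $part is unused" >&2; return 1; }
    tail -c +$((base + rel + 1)) "$f" > "$out"
}

# le32_bytes N: write N as four little-endian bytes (octal escapes, POSIX printf).
le32_bytes() {
    n=$1
    i=0
    while [ "$i" -lt 4 ]; do
        printf "\\$(printf '%03o' $((n & 255)))"
        n=$((n >> 8))
        i=$((i + 1))
    done
}

# make_sample OUT: constructed image in the L1 layout: 64-byte vendor header,
# TRX header (flags 0, version 1, partition 1 at 0x30 into the TRX), filler,
# then a squashfs magic "hsqs" where partition 1 points (64 + 48 = 0x70).
make_sample() {
    {
        printf '%-64s' VENDOR          # 64-byte vendor header, space padded
        printf 'HDR0'                  # TRX magic
        le32_bytes 52                  # len: 28-byte header + 20 filler + 4 magic
        le32_bytes 305419896           # crc32 0x12345678 (not verified here)
        le32_bytes 65536               # flags 0, version 1
        le32_bytes 28                  # partition 0: right after the header
        le32_bytes 48                  # partition 1: the "rootfs"
        le32_bytes 0                   # partition 2: unused
        printf '%020d' 0               # 20 bytes of filler
        printf 'hsqs'                  # squashfs magic
    } > "$1"
}

# Usage against the real image:
#   trx_parse L1-RWH1235AC-V1.2.0.22_pt_UCB01.bin
#   trx_carve L1-RWH1235AC-V1.2.0.22_pt_UCB01.bin 1 1753F0.squashfs
```

The CRC32 in the header covers everything after the crc32 field up to len; the script reports it but does not recompute it, since a firmware with a bad CRC is still worth unpacking and the check would need a crc32 tool beyond coreutils.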

User emulation

# On the host, inside the extracted rootfs: the user-mode emulator (it lives in /usr/bin; /bin works on merged-/usr systems)
cp /usr/bin/qemu-mipsel-static .
# firmadyne's libnvram stands in for the router's NVRAM so httpd's nvram_get and friends do not fail
wget https://github.com/firmadyne/libnvram/releases/download/v1.0/libnvram.so.mipsel
(... nvram ...)
# Enter the rootfs; every MIPS binary in it now runs through qemu-mipsel-static
sudo chroot . ./qemu-mipsel-static /bin/sh
# Inside the chroot: preload libnvram (placed at /firmadyne/libnvram.so in the rootfs), then start the web server
export LD_PRELOAD=/firmadyne/libnvram.so
httpd
Running the web server (or /etc/init.d/rcS) gets you a hang: httpd enters a loop and never serves.
At this point you can debug it with gdbserver:
Set a breakpoint on main and step on; the process enters a loop inside the check_network call,
where it keeps checking some data ...
😎
Reversing httpd in IDA Pro, and check_network in particular, shows what it is waiting for: an interface named br0 with an address in the 192.168.0.0/24 range. So create one on the host before starting httpd in the chroot:
# On the host: a tap interface named br0 with an address inside 192.168.0.0/24 (the network address itself is not a usable host address, so take .1)
sudo tunctl -t br0 -u `whoami`
sudo ifconfig br0 192.168.0.1 netmask 255.255.255.0
sudo ifconfig br0 up
# Back in the chroot: start httpd with its debug flags and the config files from the rootfs
httpd --debugger --verbose --home /webroot/ --auth /var/auth.txt --route /var/route.txt 127.0.0.1 80
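check_network is the gate here, so it pays to verify on the host what httpd will see before entering the chroot. The script below is an added example, not the firmware's code or anything from this page: it reads `ip -o -4 addr show` output and reports whether an interface with the expected name carries an address inside the expected range, using a small CIDR check in shell arithmetic. The interface name, the range and the ip(8) output format are assumptions taken from the text above; the sample lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not code from the original page: a host-side pre-flight for
# the condition check_network polls for, an interface named br0 carrying an
# address inside 192.168.0.0/24. Reads "ip -o -4 addr show" lines on stdin.

# ip2int A.B.C.D: the dotted quad as a 32-bit integer
ip2int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX: succeed if ADDR falls inside NET/PREFIX
in_cidr() {
    net=${2%/*}
    prefix=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# iface_ready NAME NET/PREFIX: read "ip -o -4 addr show" lines from stdin and
# succeed when NAME has an address inside NET/PREFIX. Lines look like:
#   3: br0    inet 192.168.0.1/24 brd 192.168.0.255 scope global br0\ ...
iface_ready() {
    want=$1
    cidr=$2
    while read -r idx name fam addr rest; do
        [ "$name" = "$want" ] && [ "$fam" = inet ] || continue
        in_cidr "${addr%/*}" "$cidr" && return 0
    done
    return 1
}

# Usage on the host before chrooting (httpd never leaves its loop otherwise):
#   ip -o -4 addr show | iface_ready br0 192.168.0.0/24 || echo "br0 is not ready"
```

The same check works inside the full-emulation guest after the udev rename below, since a native MIPS Debian has ip(8) as well.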
You got it.

Full emulation

# Debian squeeze mipsel image and kernel from https://people.debian.org/~aurel32/qemu/mipsel/ (Index of /~aurel32/qemu/mipsel)
wget https://people.debian.org/~aurel32/qemu/mipsel/debian_squeeze_mipsel_standard.qcow2
wget https://people.debian.org/~aurel32/qemu/mipsel/vmlinux-2.6.32-5-4kc-malta
# Boot the guest
qemu-system-mipsel -M malta -kernel vmlinux-2.6.32-5-4kc-malta -hda debian_squeeze_mipsel_standard.qcow2 -append "root=/dev/sda1 console=tty0"
# The same with user-mode networking, host port 7777 forwarded to the guest's ssh
qemu-system-mipsel -M malta -kernel vmlinux-2.6.32-5-4kc-malta -hda debian_squeeze_mipsel_standard.qcow2 -append "root=/dev/sda1 console=tty0" -net nic -net user,hostfwd=tcp::7777-:22

# This is the key: attach the guest NIC to the host tap br0 instead of user-mode networking (hostfwd does not apply then; reach the guest through br0)
-net nic -net tap,ifname=br0,script=no,downscript=no -nographic

# With the hostfwd variant, copy the rootfs in and log in through the forwarded port
scp -P 7777 rootfs.tar.gz root@localhost:/root
ssh -p 7777 root@localhost

Mount shares

# Inside the guest, after unpacking rootfs.tar.gz: give the chroot a live /proc and /dev, then enter it (no qemu-user here, the guest is already MIPS)
mount -t proc /proc ./rootfs/proc
mount -o bind /dev ./rootfs/dev
chroot ./rootfs/ sh
A trick for this router: in the guest you can also rename the interface eth0 to br0.
nano /etc/udev/rules.d/70-persistent-net.rules
To rename eth0 to br0, edit /etc/udev/rules.d/70-persistent-net.rules and change NAME="eth0" to NAME="br0". The whole rule must stay on one line, and ATTR{address} must match the guest NIC's MAC address (the comment and MAC below are the ShellHacks example's; keep the values your guest's file already has and change only NAME):
# PCI device 0x11ab:0x4363 (sky2)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:00:00:00:00:00", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="br0"
Then rename eth0 to br0 here as well:
nano /etc/network/interfaces
reboot
ifconfig -a
Reference: Change Network Interface Name: eth0,eth1,eth2+ - ShellHacks
In the QEMU ssh shell, open the rcS script at /etc/init.d/rcS and replace the line
httpd &
with
httpd --debugger --verbose --home /webroot/ --auth /var/auth.txt --route /var/route.txt 127.0.0.1 80 &
Then execute the script, ./rcS, and magic
😎
In your browser: 0.0.0.0/login/Auth
Reference: Netgear_栈溢出漏洞_PSV-2020-0211 (Netgear stack overflow vulnerability, PSV-2020-0211), by 混元霹雳手