Reverse LinkOne devices
Download the target firmware
For this laboratory, I downloaded this one: L1-RWH1235AC-V1.2.0.22_pt_UCB01.bin
Extracting rootfs
binwalk -Me L1-RWH1235AC-V1.2.0.22_pt_UCB01.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
64 0x40 TRX firmware header, little endian, image size: 7020544 bytes, CRC32: 0x88D7ED84, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x1753B0, rootfs offset: 0x0
92 0x5C LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4385244 bytes
1528816 0x1753F0 Squashfs filesystem, little endian, non-standard signature, version 3.0, size: 5486271 bytes, 591 inodes, blocksize: 65536 bytes, created: 2015-03-18 03:43:45
7020640 0x6B2060 LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 1398834 bytes
You can try to use also this version of squashfs if you got some error like this: Can't find a SQUASHFS superblock on file.squashfs. This is a modified version:
gcc version 10 will result in some erros. So, install other version such as 9.x.
After that, add it as the principal version when you use make. 😎
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-9 100After that, try to get the fs:
sudo sasquatch -d rootfs 1753F0.squashfsUser emulation
cp /bin/qemu-mipsel-static .
sudo chroot . ./qemu-mipsel-static /bin/sh
wget https://github.com/firmadyne/libnvram/releases/download/v1.0/libnvram.so.mipsel
(... nvram ...)
export LD_PRELOAD=/firmadyne/libnvram.so
httpdAfter execute the web-server, or the /etc/init.d/rcS, you will get the loop:
At this point, you can use GDB server to debug it:
Adding a breakpoint on main, and next, you will see the process will enter in a loop inside the "check_network" call.
and .. check some data ... 😎
Using IDA PRO, you can also reverse the httpd file and the check_network call. Basically, our iface must be renamed to br0 and use the range 192.168.0.0/24.
sudo tunctl -t br0 -u `whoami`
sudo ifconfig br0 192.168.0.0/24
sudo ifconfig br0 up
httpd --debugger --verbose --home /webroot/ --auth /var/auth.txt --route /var/route.txt 127.0.0.1 80You got it 🤓
Full emulation
wget https://people.debian.org/~aurel32/qemu/mipsel/debian_squeeze_mipsel_standard.qcow2
wget https://people.debian.org/~aurel32/qemu/mipsel/vmlinux-2.6.32-5-4kc-malta
qemu-system-mipsel -M malta -kernel vmlinux-2.6.32-5-4kc-malta -hda debian_squeeze_mipsel_standard.qcow2 -append "root=/dev/sda1 console=tty0"
qemu-system-mipsel -M malta -kernel vmlinux-2.6.32-5-4kc-malta -hda debian_squeeze_mipsel_standard.qcow2 -append "root=/dev/sda1 console=tty0" -net nic -net user,hostfwd=tcp::7777-:22
this is the key:
-net nic -net tap,ifname=br0,script=no,downscript=no -nographic
scp -P 7777 rootfs.tar.gz [email protected]:/root
ssh -p 7777 [email protected]Mount shares
mount -t proc /proc ./roofs/proc
mount -o bind /dev ./rootfs/dev
chroot ./roofs/ shA trick for this router, you can also change the name of the iface: eth0 to br0.
nano /etc/udev/rules.d/70-persistent-net.rule To rename interface eth0 to wan0, edit /etc/udev/rules.d/70-persistent-net.rules file and change NAME="eth0" to NAME="br0".
# PCI device 0x11ab:0x4363 (sky2)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*",
ATTR{address}=="00:00:00:00:00:00",ATTR{dev_id}=="0x0", ATTR{type}=="1",
KERNEL=="eth*", NAME="br0"After that, rename eth0 to br0 here:
nano /etc/network/interfacesreboot
ifconfig -a
On the qemu ssh shell, access the rcS script at: /etc/init.d/rcS, and change the line:
httpd &
by
httpd --debugger --verbose --home /webroot/ --auth /var/auth.txt --route /var/route.txt 127.0.0.1 80 &After that, execute your file ./rcS and magic 😎
On your browser: 0.0.0.0/login/Auth
Last updated
Was this helpful?