# Reverse LinkOne devices

## Download the target firmware

{% embed url="<https://link1.com.br/>" %}

For this laboratory, I downloaded this one: **L1-RWH1235AC-V1.2.0.22\_pt\_UCB01.bin**

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MgVw3C9fOCgfSloHGFt%2F-MgXGlLoLCnweB4ar2e6%2Fimage.png?alt=media\&token=0b1e68b7-fbc8-4bed-91a3-d9eb70ef3f06)

## Extracting rootfs

```
binwalk -Me L1-RWH1235AC-V1.2.0.22_pt_UCB01.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
64            0x40            TRX firmware header, little endian, image size: 7020544 bytes, CRC32: 0x88D7ED84, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x1753B0, rootfs offset: 0x0
92            0x5C            LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4385244 bytes
1528816       0x1753F0        Squashfs filesystem, little endian, non-standard signature, version 3.0, size: 5486271 bytes, 591 inodes, blocksize: 65536 bytes, created: 2015-03-18 03:43:45
7020640       0x6B2060        LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 1398834 bytes
```

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MgVw3C9fOCgfSloHGFt%2F-MgXHb5Aley6bXiOD19I%2Fimage.png?alt=media\&token=7d289d8a-72ac-4e9a-81ed-c27b1803fd8d)

If `unsquashfs` fails with an error like **Can't find a SQUASHFS superblock on file.squashfs** (the binwalk output above already flags the image as having a non-standard signature), try this modified version of the squashfs tools instead:

{% embed url="<https://github.com/devttys0/sasquatch>" %}

{% hint style="success" %}
gcc version 10 will result in some errors when building it, so install another version such as 9.x.
{% endhint %}

After that, make it the default gcc before running make :sunglasses:

```
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-9 100
```

Then extract the filesystem from the squashfs image that binwalk carved out:

```
sudo sasquatch -d rootfs 1753F0.squashfs
```
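To see why stock `unsquashfs` refuses the image while binwalk still recognises it, this added example (not from the original page) reads the fields that sit at the same offsets in every squashfs superblock version: the 4-byte magic at offset 0, the inode count at offset 4 and the major/minor version at offset 28. The squashfs offset to pass is the one binwalk printed (0x1753F0); the sample superblock built in `build_sample` is constructed for offline testing and is not data from the real firmware.

```python
import struct
import sys
from typing import Dict

# Standard squashfs magics: "hsqs" marks a little-endian image, "sqsh" a big-endian one.
STANDARD_MAGICS = {b"hsqs": "<", b"sqsh": ">"}


def parse_superblock(blob: bytes, offset: int = 0) -> Dict[str, object]:
    """Decode the version-independent part of a squashfs superblock.

    Field offsets (magic @0, inodes @4, s_major @28, s_minor @30) are identical
    in squashfs 1.x through 4.x, so the read works before the version is known.
    """
    sb = blob[offset:offset + 32]
    if len(sb) < 32:
        raise ValueError("not enough data for a squashfs superblock")
    magic = sb[:4]
    endian = STANDARD_MAGICS.get(magic)
    if endian is None:
        # Vendor-modified signature: assume little endian (what binwalk reported
        # above) and fall back to big endian if the version field looks absurd.
        endian = "<"
        if struct.unpack("<H", sb[28:30])[0] not in (1, 2, 3, 4):
            endian = ">"
    inodes, = struct.unpack(endian + "I", sb[4:8])
    major, minor = struct.unpack(endian + "HH", sb[28:32])
    return {
        "magic": magic,
        "endian": "little" if endian == "<" else "big",
        "inodes": inodes,
        "version": f"{major}.{minor}",
        # stock unsquashfs only accepts the two standard magics; anything else
        # is the "Can't find a SQUASHFS superblock" case that needs sasquatch
        "needs_sasquatch": magic not in STANDARD_MAGICS,
    }


def build_sample(magic: bytes, inodes: int, major: int, minor: int) -> bytes:
    """Constructed little-endian superblock prefix (test data, not real firmware)."""
    sb = bytearray(32)
    sb[0:4] = magic
    struct.pack_into("<I", sb, 4, inodes)
    struct.pack_into("<HH", sb, 28, major, minor)
    return bytes(sb)


if __name__ == "__main__":
    # usage: python3 sqsb.py L1-RWH1235AC-V1.2.0.22_pt_UCB01.bin 0x1753F0
    path, off = sys.argv[1], int(sys.argv[2], 0)
    with open(path, "rb") as f:
        f.seek(off)
        print(parse_superblock(f.read(32)))
```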

## User emulation

```
# copy the static user-mode MIPS (little-endian) emulator into the extracted rootfs
cp /bin/qemu-mipsel-static .
# chroot into the rootfs and run its own /bin/sh under qemu-user
sudo chroot . ./qemu-mipsel-static /bin/sh
# firmadyne's libnvram emulates the NVRAM configuration store the router binaries query
wget https://github.com/firmadyne/libnvram/releases/download/v1.0/libnvram.so.mipsel
(... nvram ...)
# preload libnvram so the nvram_get/nvram_set calls are answered by the emulated store
export LD_PRELOAD=/firmadyne/libnvram.so
httpd
```

After executing the web server, or the **/etc/init.d/rcS** script, you will get the loop:

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MgVw3C9fOCgfSloHGFt%2F-MgXJgetHk3KoU1v-9E4%2Fimage.png?alt=media\&token=e15f8be3-27a2-4592-b14e-44951d393536)

At this point, you can use GDB server to debug it:

{% embed url="<https://gitbook.seguranca-informatica.pt/arm/basic-tips#gdb-server>" %}

Add a breakpoint on main and step through; you will see the process enter a loop inside the **check\_network** call.

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MgXl9o2RP5f06AnidNF%2F-MgXtrwrNXBzVGmDe3el%2Fimage.png?alt=media\&token=a7cd1a6a-fad0-4a0b-9f11-d5617eb6c181)

and check some data :sunglasses:

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MgXtuP0gkH9JPcQC1iJ%2F-MgXuRSytUUonfQbk3jG%2Fimage.png?alt=media\&token=4c3852b5-3cc8-45b9-ae5e-92dec8a3b6fc)

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MgXuZBCkGYROOtqY4gt%2F-MgXvv7qT4G1BmoQiu0c%2Fimage.png?alt=media\&token=7a5dfa8f-4e6c-4abb-8a8a-8b2fdd0a17c2)

Using IDA Pro, you can also reverse the httpd binary and the check\_network function. Basically, our interface must be named **br0** and use an address in the **192.168.0.0/24** range.

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MgVw3C9fOCgfSloHGFt%2F-MgXLAygHFNuNLC1zAVW%2Fimage.png?alt=media\&token=d0505922-ade5-406a-bc07-04de2849d3a9)

```
# create a TAP interface with the name check_network looks for, owned by the current user
sudo tunctl -t br0 -u `whoami`
# give it an address in the 192.168.0.0/24 range that check_network expects
sudo ifconfig br0 192.168.0.0/24
sudo ifconfig br0 up
# run the router's web server in the foreground with debug output
httpd --debugger --verbose --home /webroot/ --auth /var/auth.txt --route /var/route.txt 127.0.0.1 80
```
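A small pre-flight check, added here as an example and not part of the original write-up, that parses `ip -o -4 addr show` output and reports whether the two conditions recovered from check\_network (an interface named br0 with an address inside 192.168.0.0/24) are met before httpd is launched. The sample output embedded in it is constructed, not captured from the lab.

```python
import ipaddress
import re
import subprocess
from typing import List, Tuple

# Conditions recovered from httpd's check_network in the write-up above.
REQUIRED_IFACE = "br0"
REQUIRED_NET = ipaddress.ip_network("192.168.0.0/24")

# One line of `ip -o -4 addr show`, e.g.
# "3: br0    inet 192.168.0.1/24 brd 192.168.0.255 scope global br0\ ..."
LINE_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+)/(\d+)")


def parse_ip_addr(output: str) -> List[Tuple[str, ipaddress.IPv4Interface]]:
    """Return (iface, address/prefix) pairs from `ip -o -4 addr show` output."""
    found = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            iface, addr, plen = m.groups()
            found.append((iface, ipaddress.ip_interface(f"{addr}/{plen}")))
    return found


def check_network(output: str) -> Tuple[bool, str]:
    """Reproduce the decision check_network makes and explain a failure."""
    on_iface = [a for i, a in parse_ip_addr(output) if i == REQUIRED_IFACE]
    if not on_iface:
        return False, f"no interface named {REQUIRED_IFACE}: httpd will loop (create it with tunctl)"
    if not any(a.ip in REQUIRED_NET for a in on_iface):
        seen = ", ".join(str(a) for a in on_iface)
        return False, f"{REQUIRED_IFACE} has {seen}, not an address in {REQUIRED_NET}"
    return True, f"{REQUIRED_IFACE} carries an address in {REQUIRED_NET}; httpd should start"


# Constructed sample output (not captured from the real lab), used for offline testing.
SAMPLE_BAD = ("1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever\n"
              "2: eth0    inet 10.0.2.15/24 brd 10.0.2.255 scope global eth0\\       valid_lft forever\n")
SAMPLE_GOOD = SAMPLE_BAD + "3: br0    inet 192.168.0.1/24 brd 192.168.0.255 scope global br0\\       valid_lft forever\n"

if __name__ == "__main__":
    # Run against the live host before starting httpd under qemu-user.
    live = subprocess.run(["ip", "-o", "-4", "addr", "show"], capture_output=True, text=True).stdout
    ok, why = check_network(live)
    print(("OK: " if ok else "FAIL: ") + why)
```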

You got it :nerd:

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MgVw3C9fOCgfSloHGFt%2F-MgXLmTG3T2eZ5bwsLuQ%2Fimage.png?alt=media\&token=e65b4784-99cc-42c2-8ded-9be665e5a69f)

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MgVw3C9fOCgfSloHGFt%2F-MgXLvPs4y2cLhDHieLs%2Fimage.png?alt=media\&token=89bf9df3-26ad-43c5-8a26-2041d1f20870)

## Full emulation

{% embed url="<https://people.debian.org/~aurel32/qemu/mipsel/>" %}

```
wget https://people.debian.org/~aurel32/qemu/mipsel/debian_squeeze_mipsel_standard.qcow2
wget https://people.debian.org/~aurel32/qemu/mipsel/vmlinux-2.6.32-5-4kc-malta
# boot the Debian mipsel image
qemu-system-mipsel -M malta -kernel vmlinux-2.6.32-5-4kc-malta -hda debian_squeeze_mipsel_standard.qcow2 -append "root=/dev/sda1 console=tty0"
# same, with user-mode networking and host port 7777 forwarded to the guest's ssh port
qemu-system-mipsel -M malta -kernel vmlinux-2.6.32-5-4kc-malta -hda debian_squeeze_mipsel_standard.qcow2 -append "root=/dev/sda1 console=tty0"  -net nic -net user,hostfwd=tcp::7777-:22
```

This is the key: attach the guest to the host's br0 tap interface instead of user-mode networking:

```
-net nic -net tap,ifname=br0,script=no,downscript=no -nographic
```

Then copy the extracted rootfs into the guest and log in:

```
scp -P 7777 rootfs.tar.gz root@127.0.0.1:/root
ssh -p 7777 root@127.0.0.1
```

### Mount shares

```
# expose the guest's proc and dev inside the extracted rootfs before chrooting into it
mount -t proc /proc ./rootfs/proc
mount -o bind /dev ./rootfs/dev
chroot ./rootfs/ sh
```

A trick for this router: you can also rename the interface eth0 to br0 inside the guest.

```
nano /etc/udev/rules.d/70-persistent-net.rules
```

To rename interface `eth0` to `br0`, edit the `/etc/udev/rules.d/70-persistent-net.rules` file and change `NAME="eth0"` to `NAME="br0"`.

```
# PCI device 0x11ab:0x4363 (sky2)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*",
ATTR{address}=="00:00:00:00:00:00",ATTR{dev_id}=="0x0", ATTR{type}=="1",
KERNEL=="eth*", NAME="br0"
```

After that, rename eth0 to br0 here as well:

```
nano /etc/network/interfaces
```

```
reboot
ifconfig -a
```

{% embed url="<https://www.shellhacks.com/change-network-interface-name-eth0-eth1-eth2/>" %}

On the qemu ssh shell, open the rcS script at /etc/init.d/rcS and change the line:

```
httpd &
```

by

```
httpd --debugger --verbose --home /webroot/ --auth /var/auth.txt --route /var/route.txt 127.0.0.1 80 &
```

After that, execute **./rcS** and magic :sunglasses:

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MgVw3C9fOCgfSloHGFt%2F-MgXOjNuvrYLmunEx310%2Fimage.png?alt=media\&token=95631a2d-ba34-4c07-806c-6f5cc9ead504)

In your browser, open **0.0.0.0/login/Auth**

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MgVw3C9fOCgfSloHGFt%2F-MgXOvvIb8KJA2eDLyuK%2Fimage.png?alt=media\&token=fdf4a3fe-d923-4797-a295-ac229849e284)

{% embed url="<https://cool-y.github.io/2021/01/08/Netgear-psv-2020-0211/>" %}
