Talk:IX2412
xopr's course log of events / my badly maintained diary
After extracting the image using minipro on a TL866II+ with an 8-pin SOIC clamp while keeping the board in reset (connecting X2 pins 2 and 7), followed by binwalk --extract ixrouter.bin, it was time to search for the password hash.
Here is how it looks:
root:*:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
And the shadow file:
root::0:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
Ok, root has a shell, but its password seems disabled and/or empty, wut??
Searching for "passwd" in all of the files, I found a first lead: _ixrouter.bin.extracted/squashfs-root/bin/login.sh
The script contains code such that, if $FAILSAFE is set, login should be possible.
Well, that looks good for the root account. Squirrel! Next, searching for "root", and along came _ixrouter.bin.extracted/squashfs-root/etc/board.d/03_system, where )|passwd root caught my eye!
#!/bin/sh
. /lib/functions.sh
. /lib/ramips.sh
. /lib/functions/uci-defaults-new.sh
. /lib/functions/system.sh

ramips_setup_system() {
	echo $(mtd_get_serial_ascii factory 10) > /etc/serial
	pass=$(mtd_get_passwd factory 20)
	(
		echo $pass
		sleep 1
		echo $pass
	)|passwd root
}

ramips_setup_system
exit 0
I had seen the /etc/serial file, so it was promising that this file was actually executed.
Opening the lib helper functions next to it (from the top of the files) to start searching for mtd_get_passwd, which was in _ixrouter.bin.extracted/squashfs-root/lib/functions/system.sh:
mtd_get_passwd() {
	local mtdname="$1"
	local offset="$2"
	local part
	part=$(find_mtd_part "$mtdname")
	if [ -z "$part" ]; then
		echo "mtd_get_passwd: partition $mtdname not found!" >&2
		return
	fi
	dd bs=1 skip=$offset count=10 if=$part 2>/dev/null | tr -d '\000'
}
It uses find_mtd_part to do some dd magic:
dd bs=1 skip=$offset count=10 if=$part 2>/dev/null | tr -d '\000'
The find_mtd_part is in _ixrouter.bin.extracted/squashfs-root/lib/functions.sh together with find_mtd_index: something something /dev/mtdblock
ok I'm on a roll!
Next, grabbing the stored boot log to see if mtd and/or factory is coming by:
[    2.240000] 4 ofpart partitions found on MTD device spi32766.0
[    2.250000] Creating 4 MTD partitions on "spi32766.0":
[    2.260000] 0x000000000000-0x000000030000 : "u-boot"
[    2.270000] 0x000000030000-0x000000040000 : "u-boot-env"
[    2.290000] 0x000000040000-0x000000050000 : "factory"
[    2.300000] 0x000000050000-0x000001000000 : "firmware"
[    2.340000] 2 uimage-fw partitions found on MTD device firmware
[    2.350000] 0x000000050000-0x0000001785e9 : "kernel"
[    2.370000] 0x0000001785e9-0x000001000000 : "rootfs"
[    2.380000] mtd: device 5 (rootfs) set to be root filesystem
[    2.390000] 1 squashfs-split partitions found on MTD device rootfs
[    2.400000] 0x000000790000-0x000001000000 : "rootfs_data"
There it is!
Ok, next step is to look at the extracted bin file; too lazy for an actual hex editor, I used hd ixrouter.bin|less to search for address 040000 (note: xx is where the device serial number lives).
00040000  ff ff ff ff c0 d3 91 31  ae 45 xx xx xx xx xx xx  |.......1.Exxxxxx|
00040010  xx xx xx xx 38 4d 6d 42  52 32 35 6d 73 6d 00 00  |xxxx8MmBR25msm..|
00040020  00 00 00 00 00 33 2e 30  ff ff ff ff ff ff ff ff  |.....3.0........|
00040030  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
Testing it via the serial terminal:
IXrouter3 login: root
Password:

BusyBox v1.23.2 (2018-08-07 15:27:36 CEST) built-in shell (ash)

 _____  __                _
|_ _\ \/ /_ __ ___  _   _| |_ ___ _ __
  | | \  /| '__/ _ \| | | | __/ _ \ '__|
  | | /  \| | | (_) | |_| | || __/ |
  |___/_/\_\_|  \___/ \__,_|\__\___|_|
 ----------------------------------------
 IXrouter3 0.10.4 r0
 ----------------------------------------
root@IXrouter3:~#
GREAT SUCCESS!
Ok, now give it to me command line style (inspired by the originating script):
$ dd bs=1 skip=$((0x40000+20)) count=10 if=ixrouter.bin 2>/dev/null | tr -d '\000'
8MmBR25msm
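To reproduce the lookup that 03_system performs, but against a dumped image during a firmware audit, here is an added shell example (not from the original page or the IXrouter firmware): it finds the factory partition start in a saved boot log and reads the ten bytes at offset 20 the way mtd_get_passwd does, stripping the NUL padding. The boot log and image it builds are constructed for the demo with a placeholder secret; factory_offset, extract_passwd and make_demo are assumed names.

```shell
#!/bin/sh
# Added example (not from the original page): reproduce the 03_system lookup on
# a dumped image. The partition start is taken from the kernel boot log, then
# the 10 bytes at factory+20 are read exactly like mtd_get_passwd does.
# The boot log and image written by make_demo are constructed for this demo.

# factory_offset BOOTLOG NAME: print the hex start address of MTD partition NAME
factory_offset() {
    sed -n "s/.*0x\([0-9a-f]*\)-0x[0-9a-f]* : \"$2\".*/\1/p" "$1" | head -n 1
}

# extract_passwd IMAGE BOOTLOG: equivalent of "mtd_get_passwd factory 20" on a file
extract_passwd() {
    start=$(factory_offset "$2" factory)
    if [ -z "$start" ]; then
        echo "factory partition not found in $2" >&2
        return 1
    fi
    # bs=1 makes skip/count byte offsets; tr drops the trailing NUL padding
    dd bs=1 skip=$((0x$start + 20)) count=10 if="$1" 2>/dev/null | tr -d '\000'
}

# make_demo DIR: write a constructed boot log and a 257 KiB zero-filled image
# whose factory partition carries an 8-character demo secret at offset 20
make_demo() {
    cat > "$1/boot.log" <<'EOF'
[    2.250000] Creating 4 MTD partitions on "spi32766.0":
[    2.260000] 0x000000000000-0x000000030000 : "u-boot"
[    2.270000] 0x000000030000-0x000000040000 : "u-boot-env"
[    2.290000] 0x000000040000-0x000000050000 : "factory"
[    2.300000] 0x000000050000-0x000001000000 : "firmware"
EOF
    dd if=/dev/zero of="$1/ixrouter.bin" bs=1024 count=257 2>/dev/null
    printf 'demo-pw1' | dd of="$1/ixrouter.bin" bs=1 seek=$((0x40000 + 20)) conv=notrunc 2>/dev/null
}

# Stand-alone run on the constructed data (prints demo-pw1)
demo_dir=$(mktemp -d)
make_demo "$demo_dir"
extract_passwd "$demo_dir/ixrouter.bin" "$demo_dir/boot.log"
echo
rm -rf "$demo_dir"
```

On a real dump, point extract_passwd at the binwalk input file and the saved boot log; an image whose factory area at that offset is all 0xff or NUL yields an empty string, which is the quick check that the credential is not stored there.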
Next, having seen the U-Boot menu, let's check if we can read the password there as well, eliminating the need for data extraction via a SOIC clip:
md 40000.d 10
This doesn't seem to have the data.. Is the offset different?
Ok, what other commands do we have..
MT7621 # help
...
spi     - spi command
...
MT7621 # spi
Usage:
  spi - spi command
use "help spi" for detail!
MT7621 # help spi
spi
spi usage:
  spi id
  spi sr read
  spi sr write <value>
  spi read <addr> <len>
  spi erase <offs> <len>
  spi write <offs> <hex_str_value>
Now, determine the offset and print some bytes:
MT7621 # spi read 40014 10
read len: 16
38 4d 6d 42 52 32 35 6d 73 6d 0 0 0 0 0 0
Throw it in a hex-to-ascii converter (because I can't read native HEX and I'm lazy), and there it is (don't forget to remove the trailing null characters): 8MmBR25msm
Finally, to be able to do this fully offline, throw some javascript against it:
"38 4d 6d 42 52 32 35 6d 73 6d 0 0 0 0 0 0".split(" ").filter(n=>n!=="0").map(n=>String.fromCharCode(parseInt(n,16))).join("")
"8MmBR25msm"
Later on I'd figure out that its length is also in hex, so spi read 40014 a is sufficient.
xopr 16:33, 10 March 2022 (CET)
current wpa2 enterprise update
in short:
encryption='wpa2'
causes the command iwpriv "$ap_ifname" AP_SET_CFG "ASCII_CMD=AP_CFG,${ssid}${channel}${encryption}${key}END"
to fail:
Interface doesn't accept private ioctl...
AP_SET_CFG (8BFB): Bad address
It might be that the driver does not support WPA2 enterprise.
The settings used were:
uci set wireless.ap_lan_dev.channel='1'
uci set wireless.ap_lan_iface.ssid='spacenet2'
uci set wireless.ap_lan_iface.key='shared_secret'
uci set wireless.ap_lan_dev.encryption='wpa2'
uci set wireless.ap_lan_iface.server=192.168.1.200
uci set wireless.ap_lan_iface.port=1812
But note that for RADIUS, this might be needed instead (IP needs to be adjusted):
uci set wireless.ap_lan_dev.server=192.168.1.200
uci set wireless.ap_lan_dev.port=1812
different firmware
xopr 14:49, 25 March 2022 (CET) I had some fun flashing Mediatek AP-MT7621A-V60 EVB 21.02 firmware, which came with several challenges yet to overcome:
- swconfig changed to Distributed Switch Architecture (DSA) and the order of the wan/lan ports was reversed (port 5 became wan); this caused the switch to pass port 5 traffic to the lan. To mitigate, one has to unplug the clients before rebooting
- the working gpio pinout was lost; this impacted the leds and the modem power/reset options:
/sys/class/gpio/
	3g-ndisable
	3g-perst (used in /etc/rc.button/reset)
	3g-power-enable
	digin
	wifi-pd
/sys/class/leds/ (symlink to /sys/devices/gpio-leds/leds/)
	ix2:blue:3g
	ix2:blue:vpn
	ix2:red:3g
	ix2:red:status
- with some testing, found out that some gpio pins are "busy", which might indicate they're mapped: 18, 22-28, 30
- the drivers for wifi and the 4g modem were either not available or had no effect on enabling the device (might well be gpio related)
xopr 16:49, 30 April 2022 (CEST) roaming
I tested a roaming session (on a location with wonky coverage): it wasn't very effective; it did not seem to want to roam and the connection was flaky.
The router lasted 26:45h on a fully charged Xiaomi Mi Powerbank 3 (20Ah), which is nice.
- connection problems? reboot or toggle power:
echo 0 > /sys/class/gpio/3g-perst/value; sleep 5; echo 1 > /sys/class/gpio/3g-perst/value
cat /sys/kernel/debug/usb/devices
Some reference links:
- https://openwrt.org/docs/guide-user/network/wan/wwan/ltedongle
- https://openwrt.org/docs/guide-user/network/wan/wwan/3gdongle
- https://openwrt.org/docs/guide-user/network/wan/wwan/modemmanager
uqmi
uqmi --device=/dev/cdc-wdm0 --set-device-operating-mode online
uqmi --device=/dev/cdc-wdm0 --set-network-modes all
uqmi --device=/dev/cdc-wdm0 --set-network-roaming any
uqmi --device=/dev/cdc-wdm0 --get-data-status --get-signal-info --get-serving-system
Some actions with one or more results added:
--get-versions: Get service versions
{
	"service_0": "1,5",
	"service_1": "1,67",
	"service_2": "1,0",
	"service_3": "1,25",
	"service_4": "1,12",
	"service_5": "1,10",
	"service_7": "1,3",
	"service_8": "1,2",
	"service_9": "2,1",
	"service_10": "2,24",
	"service_11": "1,46",
	"service_12": "1,4",
	"service_15": "1,0",
	"service_16": "2,0",
	"service_17": "1,0",
	"service_23": "1,0",
	"service_24": "1,0",
	"service_26": "1,16",
	"service_29": "1,1",
	"service_34": "1,0",
	"service_36": "1,0",
	"service_41": "1,0",
	"service_42": "1,0",
	"service_48": "1,0",
	"service_54": "1,0"
}
--get-data-status: Get current data access status
"connected"
"Incompatible state" (gsm)
--get-pin-status: Get PIN verification status
"Not supported"
--get-iccid: Get the ICCID
"Not supported"
--get-imsi: Get International Mobile Subscriber ID
"Not supported"
--get-msisdn: Get the MSISDN (telephone number)
"Not supported"
--network-scan: Initiate network scan (NOTE: slow)
{
	"network_info": [
	],
	"radio_access_technology": [
	]
}
--network-register: Initiate network register
?
--get-signal-info: Get signal strength info
{
	"type": "gsm",
	"signal": -90
}
{
	"type": "lte",
	"rssi": -81,
	"rsrq": -14,
	"rsrp": -112,
	"snr": 4
}
--get-serving-system: Get serving system info (NOTE: the gibberish should state something like ''Mobile NL'' in this case)
{
	"registration": "registered",
	"plmn_mcc": 204,
	"plmn_mnc": 8,
	"plmn_description": "ͷ8�.��L",
	"roaming": false
}
--list-messages: List SMS messages
"Not supported"
--get-message <id>: Get SMS message at index <id>
"Not supported"
--wda-get-data-format: Get data format
"raw-ip"
gcom/comgt
Trying list of devices
SIM ready
Waiting for Registration..(120 sec max)
Registered on Home network: "Mobile NL Mobile NL",7
Signal Quality: 17,99
#comgt -d /dev/ttyUSB2 -s /etc/gcom/getcarrier.gcom
comgt -d /dev/ttyUSB3 -s /etc/gcom/getstrength.gcom
comgt -d /dev/ttyUSB2 -s /etc/gcom/getimsi.gcom
MODE=gsm comgt -d /dev/ttyUSB2 -s /etc/gcom/setmode.gcom   # all, lte, umts, gsm, cdma, td-scdma
cdma, td-scdma: unsupported
socat
https://www.chromium.org/chromium-os/how-tos-and-troubleshooting/debugging-3g/
opkg update
opkg install socat
socat - /dev/ttyUSB2,crnl
AT
AT+QCFG=?
AT+QCFG=?
+QCFG: "gprsattach",(0,1)
+QCFG: "nwscanmode",(0-8),(0,1)
+QCFG: "nwscanseq",(00-0102030405),(0,1)
+QCFG: "servicedomain",(0,1,2),(0,1)
+QCFG: "roamservice",(1,2,255),(0,1)
+QCFG: "band",(0-200),(0-7FFFFFFFFFFFFFFF),(0-7FFFFFFFFFFFFFFF),(0,1)
+QCFG: "rrc",(0-4)
+QCFG: "msc",(0-2)
+QCFG: "sgsn",(0-2)
+QCFG: "hsdpacat",(6,8,10-24)
+QCFG: "hsupacat",(5,6)
+QCFG: "pdp/duplicatechk",(0,1)
+QCFG: "tdscsq",(0,1)
+QCFG: "airplanecontrol",(0,1)
+QCFG: "ledmode",(0,1)
+QCFG: "ehrpd",(0,7)
+QCFG: "usbid",<vid>,<pid>
+QCFG: "usbee",<enable>
+QCFG: "usbnet",<0-3>
+QCFG: "usbcfg",<vid>,<pid>,<diag>,<nmea>,<at_port>,<modem>,<rmnet>,<adb>
+QCFG: "urc/ri/ring",("off","pulse","always","auto","wave"),(1-2000),(1-10000),(1-10000),("off","on"),(1-5)
+QCFG: "urc/ri/smsincoming",("off","pulse","always"),(1-2000),(1-5)
+QCFG: "urc/ri/other",("off","pulse"),(1-2000),(1-5)
+QCFG: "risignaltype",("respective","physical")
+QCFG: "urc/delay",(0,1)
+QCFG: "agps/string",(0,1)
+QCFG: "cdmaruim",(0,1)
+QCFG: "cmux/urcport",(0-4)
+QCFG: "ModemRstLevel",(0,1)
+QCFG: "ApRstLevel",(0,1)
+QCFG: "ltectcc/smsstorage"[,(0,1)]
+QCFG: "noauthcheck",(0,1)
+QCFG: "nwscanmodeex",(1-63)
+QCFG: "oostimer",<timer1>,<timer2>,<timer3>
+QCFG: "diversity",(0-1)
+QCFG: "ppp/termframe",(0,1)
+QCFG: "bootup",<name>,(0,1)
+QCFG: "nwoptmz/acq",(0,1),(60-16777200)
+QCFG: "ims",(0-2)
+QCFG: "pcmclk",(0,1)
+QCFG: "tone/incoming",(0,1)
+QCFG: "rssi",(0-20)
+QCFG: "cdmasms/cmtformat"[,(0,1)]
+QCFG: "ltesms/format"[,(0,1)]
+QCFG: "amrcodec",(0-255)
+QCFG: "apready",(0,1),(0,1),(100-3000)
+QCFG: "urc/cache",(0,1)
+QCFG: "thermal/modem"[,<level>,<trig>,<clr>]
+QCFG: "thermal/limit_rates"[,<enable>]
+QCFG: "lte/bandprior",(1-43),(1-43),(1-43)
+QCFG: "codec/powsave",(0,1)
+QCFG: "qmisync",(0,1)
+QCFG: "disrplmn",(0,1)
+QCFG: "vts/async",(0,1)
+QCFG: "urc/ri/pin",("uart_ri","uart_dcd")
+QCFG: "stkauto/setupmenutr",(0,1)
+QCFG: "iproute_enable",(0,1)
+QCFG: "imsreg/iptype",(0,1)
+QCFG: "multi_ip_package",<enable>,<package_max_len>,<package_max_count_in_queue>,<timeout>
+QCFG: "apn/blocked",(0,1),(0,1)
+QCFG: "pktsize"
+QCFG: "sim/onchip",(0,1)
+QCFG: "redir/3gtolte",(0,1)
+QCFG: "qcautoconnect",(0,1)
OK
AT+QMBNCFG="LIST"
+QMBNCFG: "List",0,0,0,"Reliance_India_VoLTE",0x05800202,000000000
+QMBNCFG: "List",1,0,0,"TW_Mobile_China_VoLTE",0x05800301,000000000
+QMBNCFG: "List",2,0,0,"Bouygues_France_VoLTE",0x05800101,000000000
+QMBNCFG: "List",3,0,0,"VF_Germany_VoLTE",0x05010415,000000000
+QMBNCFG: "List",4,0,0,"Smartfren_Indonesia_VoLTE",0x05800601,000000000
+QMBNCFG: "List",5,0,0,"ROW_Generic_3GPP",0x05010814,201703231
OK
at+cgcontrdp
+CGCONTRDP: 1,5,KPN4G.nl,666.666.666.666,,89.184.161.10,89.184.181.10
OK
at+cgdcont?
+CGDCONT: 1,"IPV4V6","KPN4G.nl","0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0",0,0,0,0
OK
AT+COPS?
+COPS: 0,0,"Mobile NL Mobile NL",7
OK
https://forum.rakwireless.com/t/no-connection-rak2013-pi3/3631
https://forum.gl-inet.com/t/sim-card-not-registered/14617/2
https://forums.quectel.com/t/quectel-eg91-network-registration/5041/9
AT+QENG="neighbourcell" t
+QENG: "neighbourcell intra","LTE",500,268,-14,-111,-76,0,14,7,10,8,58
+QENG: "neighbourcell intra","LTE",500,369,-20,-122,-90,0,3,7,10,8,58
+QENG: "neighbourcell inter","LTE",1300,-,-,-,-,-,14,0,12,5,-,-,-,-
+QENG: "neighbourcell inter","LTE",3150,-,-,-,-,-,3,0,16,6,-,-,-,-
OK
AT commands
Also, a list of the available AT commands can be found at https://osmocom.org/projects/quectel-modems/wiki/AT_Commands.