Posts

Showing posts from August, 2014

How to change Atheros AR9xxx aka ath9k EEPROM values

One of my Atheros AR9280 minipcie cards had some odd undefined regulatory domain (0x6B) configured. This caused even latest Linux ath9k driver to break so I wanted to change it to valid regdom. Which ath9k developers think is sin and are trying to prevent people from doing, but luckily our old friend iwleeprom has Atheros support letting us to fix this.

Modifying Huawei B593u firmware images using FMK

Nothing special here in my opionion, but I've seen few comments saying that FMK  doesn't work with Huawei B593u. Just follow instructions below and you end up with normal firmware image having one important difference - you can telnet in as admin from LAN side of device.

Inside old Motorola (Symbol) AP-5131 access point

Image
I found couple Motorola AP-5131 802.11a/g access points today. It's old design from Symbol Technologies dating back to 2005 with manufacturing date from 2010.

Netdisco2 on Ubuntu 14.04

Netdisco is neat tool to collect layer-2 forwarding database from switches, match MACs with layer-3 ARP table from router and present it over searchable webui. Old "Netdisco 1" was quite horrible to setup, but it did still do its job. Recently "Netdisco 2" was released making admins life much easier and also bringing fancy new look for webui. So here's my notes about installing new virtual machine with Netdisco 2.

Huapwn - Backdoor on your Huawei B593u

Public Huawei document I linked couple days ago mentioned factory diagnostics tool called  " Huawei deviceLocker V0.1" that will grant access to root shell on router. I got curious on how this would actually work and came to conclusion it must be something extremely simple and insecure, it IS Huawei after all. Did some poking around /bin/web process I figured this out - it's all there in clear-text for anyone to read. And that admin password is in Huawei docs, not exactly secret either. In case you didn't realize there's no need for authentication to exploit this. Protip: Try to hide you backdoors a bit better next time.

Persistent customizations to Huawei B593u with stock firmware

Perhaps you're fairly satisfied with Huawei stock firmware but would like to fix some security problems and remove spyware installed by factory. There's fairly easy way to do this.

Unpacking Huawei B593u compressed Broadcom CFE bootloader

Sorry, one more B593u post but felt this is worth documenting. While hacking my way into Huawei B593u I had big problem with Huawei crippled CFE bootloader. It was not talking to me and when I finally did get it to talk to me it was only one way. All I could see was CFE> prompt after smashing ^C but nothing else.

Latest modem.bin LTE dongle firmware for Huawei B593u-12

Latest modem.bin firmwares currently available are T-Mobile customized 11.533.03.03.748 (2013-09-30) from SP105 and generic 11.433.61.00.00 (2012-12-04) from Polkomtel SP103. While these are customized for EM920u according to few forum posts I've found they work equally with Huawei USB LTE dongles such as E392 part of same MDM9200 family.

Differences of Huawei B593u and B593s

I got few B593u models and it's pretty straight forward Broadcom BCM5358 based router with Linux. As usual GPL sources were never published by Huawei crooks. LTE modem side is simply Qualcomm MDM9200 based Huawei USB dongle connected internally to Broadcom SoC over USB.

How to capture LTE WAN traffic for diagnostic purposes on Huawei B593u and not so much of security

Found this document on Huawei webpage you might be interested. It's in Microsoft Word .docx format. http://www.huawei.com/ecommunity/3msimage/download-10060827-10000297-9bca6ae8ffa54796a5245e6650b0e607.bin?type=bbs

Serial console on Huawei B593u

Image
Here's location of Huawei B593u TTL serial console. Settings are usual 115200 8N1.

What's inside Huawei B593u-12 LTE router?

Image
There ain't many pictures showing innards of B593u around and even less ones with any details. This obviously needs to be fixed.

Well, that was easy

I think ethernet switch and wireless aren't supported by opensource drivers so even with OpenWrt booting on Huawei B593u-12 it's not much use. USB connected LTE module is not detected, my guess is that some GPIO needs to be toggled to enable it. PCA9555 GPIO expander would need some work too. Also 256MB NAND-flash is missing, only 16MB SPI flash is found.

Teaser on Huawei B539u hacking

CFE> boot -elf -tftp 192.168.1.100:openwrt-brcm47xx-mips74k-vmlinux.elf

Updating Ubuntu 12.04 LTS kernel to 3.15.8 with latest ddbridge DVB drivers