Posts

Showing posts with the label Hacking

Backdoor and root shell on ZTE MF286

The ZTE MF286 has a built-in factory backdoor that allows root shell access to the embedded Linux running inside the router. However, since we don't know the RSA-2048 private key used to encrypt the device-specific password, we can't use it. That doesn't mean there are no other ways to get a root shell.

Linux SNAT with per-connection source address from IP pool

When doing SNAT from a pool of addresses (instead of masquerading), Linux insists on mapping a particular source IP to the same address from the pool every time: the pool address is chosen by hashing the packet's addresses, not picked fresh for each connection. Often this is what you want, but not always. To work around it the kernel needs a small patch.

Persistent customizations to Huawei B593u with stock firmware

Perhaps you're fairly satisfied with the Huawei stock firmware but would like to fix some security problems and remove the spyware installed at the factory. There's a fairly easy way to do this.

Unpacking Huawei B593u compressed Broadcom CFE bootloader

Sorry, one more B593u post, but I felt this was worth documenting. While hacking my way into the Huawei B593u I had a big problem with Huawei's crippled CFE bootloader. It was not talking to me, and when I finally did get it to talk to me it was only one way. All I could see was the CFE> prompt after smashing ^C, but nothing else.

Serial console on Huawei B593u

Here's the location of the Huawei B593u TTL serial console. The settings are the usual 115200 8N1.

Well, that was easy

I think the ethernet switch and wireless aren't supported by open-source drivers, so even with OpenWrt booting on the Huawei B593u-12 it's not much use. The USB-connected LTE module is not detected; my guess is that some GPIO needs to be toggled to enable it. The PCA9555 GPIO expander would need some work too. Also the 256MB NAND flash is missing; only the 16MB SPI flash is found.

Teaser on Huawei B593u hacking

CFE> boot -elf -tftp 192.168.1.100:openwrt-brcm47xx-mips74k-vmlinux.elf

Updating Seagate ST3000DM001-9YN166 to CC4H firmware while in external USB 3.0 enclosure

Some time ago I purchased external 3TB USB 3.0 hard disks, TrekStor DataStation maxi light 3TB to be exact. It seems the disk models and manufacturers used by TrekStor vary, which is no surprise. Therefore I have externally identical disk enclosures with three different models of disks, due to making three separate purchases over a few months.

Gaining root shell on Huawei B593 4G LTE router

The Huawei B593 has "a few" security issues. If you want to play around, here are some tips.

Handbrake auto-crop and channel logos

Same as the old post, except with an updated patch for a fresh Handbrake SVN version. Handbrake does a good job of auto-cropping black bars from the source and calculating the resulting aspect ratio. However, if you're encoding digital TV recordings it's common to have a channel logo on the otherwise black portion of the image, which defeats the auto-crop.

Automatic US / UK VPN connection with XBMC, iPlayer, Hulu and Free Cable

XBMC has addons for various geolocked services, Hulu and iPlayer being among the most popular. Switching between VPN connections manually gets boring quickly, so I hacked up the following script that automatically connects and disconnects the VPN to the US / UK on demand. Tested with XBMCbuntu and XBMC 12.0 Frodo.

Activating extroot on OpenWrt 12.09-rc1

Enabling extroot on OpenWrt 12.09-rc1 is a bit tricky. The likely reason you're trying to enable extroot is lack of free space, i.e. a router with 4MB of flash. The problem is that unless you're interested in building custom firmware images, there's no space left for the tools needed to enable extroot using the old procedure. The following has been tested with a TP-Link MR3220 v1. It's ar71xx with 32MB RAM and 4MB flash, the lowest end of the currently supported OpenWrt-compatible devices.

Multipath OLSRd (SEREADMO)

Some years ago a patch for OLSRd v0.5.6-r2 surfaced that added support for load-balancing a single flow over multiple paths. Documentation on how to set it up is scarce. I did get it working to some extent. It's somewhat unstable and doesn't really like a single mesh node having multiple network interfaces, but it does load-balance traffic over multiple paths as promised.

Dumping process memory in Linux

Sometimes when troubleshooting a misbehaving application, a complete dump of the process memory comes in handy. Here's a small script that does exactly that on Linux. Run it with the pid of the process you're interested in as the parameter.

Replacing WLAN card on HP nc6000 laptop

The Atheros WLAN card in my hack laptop, an HP nc6000, died some time ago. No problem, I thought, as I had an unused Intel 2200BG. After swapping the card I was greeted with a "104 unsupported wireless network device" error. While the 2200BG was one of the original options for the nc6000, the one I installed had the wrong PCI subsystem ID. Quick googling showed multiple people killing their nc6000 after flashing hacked firmware, requiring a soldering iron and an EEPROM programmer to recover. Nothing wrong with that, and it most certainly has higher hack value, but not for me this time. Since the card itself was OK for the BIOS, I started thinking about whether I could somehow change the ID supplied by the card to one the HP BIOS accepts...

Enable Windows Remote Desktop remotely from command-line using PSEXEC

Need RDP access to a remote Windows server or workstation, but forgot to enable it after installing the OS? If no firewall is blocking TCP port 3389 and the required components are installed (as they are by default), run the following command as a user with admin rights on the target PC. It clears fDenyTSConnections in the Terminal Server key, which is the same setting the System Properties dialog toggles; if Windows Firewall is enabled on the target, the Remote Desktop rule group has to be allowed as well.

PSEXEC.EXE -s \\HELSI1136 CMD.EXE /C "REG.EXE add ^"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server^" /v fDenyTSConnections /t REG_DWORD /d 0 /f"

XBMC and overlapping subtitles with iPlayer addon

Subtitles often overlap with XBMC and the BBC iPlayer addon. Rather than modify the actual addon and lose the changes every time it's updated, I hacked up a script that edits the SRT file after it's downloaded from the BBC site but before XBMC reads it.

Setting up XBMCbuntu 12 based HTPC - Part 5 - Recompile XBMC

Now it's getting more interesting. XBMC is notoriously bad at buffering content. There are various patches floating around, but none of them really does what I'm looking for:

Setting up XBMCbuntu 12 based HTPC - Part 3 - OS tweaks

Since XBMCbuntu is just Ubuntu with some tweaks, next we apply my usual Ubuntu fixes over it. The only major difference is that this time we're not removing Network-Damager. And of course a bunch of XBMC-specific changes.

Setting up XBMCbuntu 12 based HTPC - Part 1 - The beginning

I had here a series of posts, more like notes, on my XBMC install. I've since found better ways to fix some of the problems explained in those posts. To avoid having two sets of posts with different instructions, I took the old ones down and will post new instructions.