Posts

How to change Atheros AR9xxx aka ath9k EEPROM values

One of my Atheros AR9280 minipcie cards had some odd undefined regulatory domain (0x6B) configured. This caused even latest Linux ath9k driver to break so I wanted to change it to valid regdom. Which ath9k developers think is sin and are trying to prevent people from doing, but luckily our old friend iwleeprom has Atheros support letting us to fix this.

Modifying Huawei B593u firmware images using FMK

Nothing special here in my opionion, but I've seen few comments saying that FMK  doesn't work with Huawei B593u. Just follow instructions below and you end up with normal firmware image having one important difference - you can telnet in as admin from LAN side of device.

Inside old Motorola (Symbol) AP-5131 access point

Image
I found couple Motorola AP-5131 802.11a/g access points today. It's old design from Symbol Technologies dating back to 2005 with manufacturing date from 2010.

Netdisco2 on Ubuntu 14.04

Netdisco is neat tool to collect layer-2 forwarding database from switches, match MACs with layer-3 ARP table from router and present it over searchable webui. Old "Netdisco 1" was quite horrible to setup, but it did still do its job. Recently "Netdisco 2" was released making admins life much easier and also bringing fancy new look for webui. So here's my notes about installing new virtual machine with Netdisco 2.

Huapwn - Backdoor on your Huawei B593u

Public Huawei document I linked couple days ago mentioned factory diagnostics tool called  " Huawei deviceLocker V0.1" that will grant access to root shell on router. I got curious on how this would actually work and came to conclusion it must be something extremely simple and insecure, it IS Huawei after all. Did some poking around /bin/web process I figured this out - it's all there in clear-text for anyone to read. And that admin password is in Huawei docs, not exactly secret either. In case you didn't realize there's no need for authentication to exploit this. Protip: Try to hide you backdoors a bit better next time.

Persistent customizations to Huawei B593u with stock firmware

Perhaps you're fairly satisfied with Huawei stock firmware but would like to fix some security problems and remove spyware installed by factory. There's fairly easy way to do this.

Unpacking Huawei B593u compressed Broadcom CFE bootloader

Sorry, one more B593u post but felt this is worth documenting. While hacking my way into Huawei B593u I had big problem with Huawei crippled CFE bootloader. It was not talking to me and when I finally did get it to talk to me it was only one way. All I could see was CFE> prompt after smashing ^C but nothing else.