Router hardware Extraction

Router hardware Extraction

In the previous chapter, we have learned how to extract the root file system from the router firmware, and how to analyze and mine vulnerabilities. Starting from this chapter, we will learn some basic knowledge about router hardware. Generally, we obtain available firmware from a vro manufacturer. However, not every vro manufacturer provides firmware download, or some model products do not provide firmware download, in this case, we need to use the technology in this chapter to connect the computer to the vro motherboard through the interface provided by the router hardware, and extract the required data from the current vro.

16.1 basic hardware knowledge

This section describes the basic knowledge related to the router hardware.

16.1.1 router FLASH

FLASH is also called FLASH memory, which is a common memory type in routers. It is a read-write memory that can still store data after the system is restarted or shut down. FLASH stores information such as the vro operating system currently in use. The FLASH of a router is like a computer's hard disk. Our hard disk is usually formatted into multiple partitions. Similarly, FLASH is formatted into multiple partitions. Generally, FLASH is divided into four blocks, which have the following functions.

Bootloader: initializes the hardware environment, updates the firmware, recognizes the file format of the operating system, and loads the kernel into the memory for execution. "CFE" is the abbreviation of "Common Firmware Environment" (Unified Firmware Environment). It is a Bootloader software developed by Broadcom for its own MIPS-based processors, the Linksys WRT54G v2 router uses CFE. Kernel: the Kernel of the operating system. Root Filesystem: the Root file system of the operating system, such as squashfs and rootfs. NVRAM: stores the configuration file in the vro. After the vro is started, it reads the configuration file from NVRAM and sets the vro. After you modify the vro settings, the system writes the modified Parameters Back to NVRAM.

The data stored in the FLASH of the router is of great significance for our research on Router Security. We can read the configuration information in NVRAM to understand the sensitive information in the current vro, extract the firmware from FLASH, and then use the previous knowledge for vulnerability analysis and mining. Next, we will provide some ideas for extracting the data from the hardware.

16.1.2 hardware data extraction ideas

There are many ways to extract data by accessing the hardware. Generally, you can consider the following three solutions.

Extract FLASH and NVRAM using the JTAG interface on the vro board. The advantage of this method is that only one JTAG line is needed and there is no need for many auxiliary devices. The disadvantage is that the vro CPU must support JTAG and the JTAG interface must be available on the motherboard. Extract from the FLASH chip removed from the motherboard. This method can be used when the vro does not support the JTAG method, but the disadvantage is also obvious-extracting the chip from the motherboard may cause physical damage to the vro. Use the test clip to extract from the FLASH chip. The advantage of using the test clip is that you do not need to remove the chip from the router, you only need to use the test clip to clamp the chip pin, the disadvantage is that the FLASH chip with different PIN numbers needs to use the corresponding test clip. 16.2 router serial port

The serial port of the router is very useful for developers. Generally, you can use the serial port to implement the following functions.

CFE of the access router. Observe the boot and debugging information. Use a Shell to perform interactive asynchronous serial communication with the system.

Therefore, these features are of great benefit to our research on Router Security. In a router, the serial port we are looking for does not refer to the common RS232, but UART (Universal asynchronous transceiver). It is a common interface in a router device. Although RS-232 and UART are compatible in terms of protocol, they are not compatible in terms of voltage. UART is usually operated at 3.3 volts, but it can also run at other standard voltages (such as 5 volts and 1.8 volts. In the subsequent sections, the descriptions of the router serial port refer to UART without special instructions. Shows the serial interface on the Linksys WRT54G v2.2 vro motherboard.

16.2.1 serial port Probe

Next we use the basic observation method and multimeter to find the UART from the complex router motherboard, and determine the purpose of each pin of the UART. Because UART is not standardized, the method demonstrated here is not "universal ". This section uses the Linksys WRT54G v2 vrov2 as an example. There are two serial ports on the main board. Next we will demonstrate some basic methods to determine the serial port of the router. First, we can observe the pins on the vro motherboard with the naked eye. Generally, UART must contain at least four pins.

Vcc: Power Supply voltage. The voltage of this pin is relatively stable. Ground (GND): Ground. The voltage of this pin is usually 0. Transmit (TXD): Data Transmission pin. Receive (RXD): The data receiving pin.

That is to say, we should first note that the single lines on the vro motherboard have 4 ~ Position of six pins. However, this method is not always effective at any time, because the positions of these pins are designed by various vendors and there is no uniform standard. Shows the UART position on the motherboard of the WRT54G router.

It is found through observation that the box in the words "JP1" is the serial port location of the WRT54G router board most compliant with the URAT sign. The serial number of the pin has been indicated on the motherboard to locate each pin. After finding the serial port of the router, we need to differentiate the functions of these pins. The following two methods are provided. Through the combination of these two methods, you can quickly identify the role of each pin.

1. Visual Method

The main board will follow some rules during printing. These rules can help us identify the serial port pins.

(1) features of VCC pins

The VCC pins are usually square, such as Pin 1 on the motherboard of the WRT54G router. The wider cabling can be seen from the vro motherboard, so this pin is likely to be a VCC pin, such as pin 2 on the WRT54G router motherboard.

(2) features of GND pins

The GND pin usually has multiple wires connected to the surrounding ground (GND ). As shown in, after amplifying the WRT54G router motherboard, we can see that PINs 9 and 10 have two wires to connect to the surrounding ground.

If it does not seem so obvious on the motherboard of the WRT54G router, the No. 9 pin on the motherboard of the WRT120N router is particularly prominent. There are a total of eight fine wires connecting the surrounding ground, as shown in.

The visual method can be used to preliminarily determine that the first and second pins on the motherboard of the WRT54G router are VCC pins, and the ninth and 10th pins are GND pins, but there are still 6 pins. In these 6 pins, we need to differentiate TXD pins from RXD pins. Among the remaining six pins, we can see that the four pins 3, 4, 5, and 6 have four Thin Strip connections, respectively, then we can preliminarily judge that TXD and RXD are in these four pins. Unfortunately, if you want to know which pin is TXD and which pin is RXD, you cannot obtain the exact answer by using the visual method. The visual method is only a preliminary judgment and cannot be fully affirmed. Therefore, we need to further determine through the following method.

2. multimeter Test Method

Use a digital multimeter for testing, as shown in.

(1) Test the GND pin

Adjust the multimeter to the minimum value of the resistance measurement. The minimum value is 200 ohm, so the resistance is 200 ohm. Then, we need to determine where the two table pens of the multimeter should be placed. Generally, metal shielding is a ground point that facilitates testing. Therefore, you can place a table pen on a metal shielding cover and use the other table pen to contact 10 pins respectively, test the 10 pins of the metal shield and serial port. The pin with a resistance of 0 is the GND pin. There is a metal shielding housing on the motherboard of the WRT54G router, where the black probe (the negative probe of the multimeter) is placed, and then the other probe is used to contact 10 pins to be tested, respectively, as shown in.

After testing 10 pins, we found that only the Resistors on pins 9 and 10 are very close to 0, and the multimeter shows a resistance of 00.2 ohm, as shown in.

Here, the reason why the multimeter resistance is not 0 is that the resistance of the multimeter itself is 40 ohm (00.2 × 200 ). Try to short the two table pens to test the resistance of the multimeter, as shown in. Therefore, the resistance of Pin 9 and pin 10 of the WRT54G router motherboard is actually 0, that is, pin 9 and pin 10 are both GND.

(2) test VCC

Although the VCC pin is irrelevant to the serial port of the router, it is also necessary to determine that the VCC pin can exclude it as the RXD pin and TXD pin. In the visual test, we suspect that pins 1 and 2 are VCC pins, so we will use a multimeter to verify this guess. Place the multimeter range on the DC voltage 20 volt shift, power on the router (power on the router ), from the time the vro is started to the time when the system is fully started, it is observed that the voltage value is basically stable at 3.30 volts. Therefore, the conjecture that pins 1 and 2 are VCC pins is verified, as shown in.

(3) test TXD pin

When the serial port is active and data is sent (otherwise, the departure pin cannot be tested), the sending pin is quite easy to identify. The sending pin on the motherboard is pulled up to the same voltage as the VCC pin, typically 3.3 volts. When data is sent, the voltage drops to 0. When a variable DC voltage is read, the digital multimeter displays the final average sample voltage. Therefore, if the multimeter shows that the pin voltage drops, it indicates that the pin has data to be sent. Therefore, you can determine that the PIN is a TXD pin. In a vro, all boot information of the boot program, kernel, and system will be printed to the serial port. Therefore, the best time to test the TXD pin is in the system startup phase. We monitor the four pins 3, 4, 5, and 6 during the vro system startup and should be able to easily identify which are sending pins. Test pins 3 and 4 and find that the voltage remains at 3.30 volts for a period of time, as shown in.

After a while, the voltage suddenly drops to 2.83 volts, as shown in.

The voltage is then restored to 3.29 volts. Continue the test and find that the features of pin 5 and pin 6 are inconsistent with those of the TXD pin. Therefore, Pin 3 and pin 4 are determined to be TXD. Although this is an effective method to identify the sending pin, it is worth noting that if the serial port only sends a small amount of data, the voltage fluctuation may not be so accurate, in this case, we need to use an oscilloscope or logic analyzer to capture the data activity of the sending pin.

(4) Test the RXD pin

It is the most difficult to accurately identify the receiving pin because it does not have very effective feature definitions. We usually find the TXD pin through testing, and the other PIN is the RXD pin. For example, on the motherboard of the WRT54G router, pins 5 and 6 are the RXD pins. After the above tests, we have basically completed the Pin test on the WRT54G router motherboard. Two serial ports (ttys0 and ttys1) have been found out. Note that not all vro boards have two serial ports. There are two URAT interfaces on the motherboard of the WRT54G v2 router. The test results are shown in table 16-1.

Table 16-1

Pin definition pin Definition 1 VCC (3.3 V) 2.0 6 RXD (ttyS0) 2 VCC (3.3 V) 2.0 6 RXD (ttyS0) 3 TXD (ttyS1) 8 NC 4 TXD (ttyS0) 9 GND 5 RXD (ttyS1) 10 GND16.2.2 connect to the serial port

After identifying the various pins of the serial port, we can connect through a USB to UART adapter TTL-232R-3V3 line. Insert the USB interface of the UART adapter into the USB interface of the computer and connect the UART adapter to the serial port of the router. The usage is as follows.

Connect the GND of the adapter to the GND of the serial port. Connect the RXD of the adapter to the TXD of the serial port. Connect the TXD of the adapter to the RXD of the serial port.

Next, we begin to prepare for the hardware connection. First, use a pin or weld a 10-pin horn seat to the motherboard, as shown in.

Then, connect the UART adapter and serial port using a line (using the ttyS0 serial interface close to the edge of the motherboard) as shown in the above method.

Connect the UART adapter to the computer after connecting the serial port of the router. Since this is a virtual machine environment, make sure that you have added the TTL-232R-3V3 adapter to the virtual machine, as shown in.

Hardware operations have basically been completed here. Next, we need to check the protocol settings of the serial port. There are multiple settings for the serial port, but here we only need to set the baud rate. An error attempt is the fastest and easiest way to identify the baud rate. Because serial ports are usually used to display debugging information (that is, they send ASCII data), and there are only a few possible frequencies of the baud rate, we can cyclically test the possible baud rate one by one, the baud rate of the current serial port is found until understandable data (such as ASCII Code) is output. In the download link provided in this book, baudrate. py has a function option "-a" to automatically detect the baud rate. The usage is as follows.

    embeded@ubuntu:~/soft$ sudo python baudrate.py -a    Starting baudrate detection on /dev/ttyUSB0, turn on your serial device now.    Press Ctl+C to quit.    @@@@@Baudrate: 9600 @@@@@@@    ---snip---    @@@@@Baudrate: 115200 @@@@@@@    Detected baudrate: 115200    Save minicom configuration as:

Here we have detected that the baud rate of the serial port used by the WRT54G router motherboard is 115? 200, but it should be noted that, in the automatic detection process, ensure that the serial port has data output, otherwise baudrate. py will not be able to accurately detect the baud rate.

16.2.3 reading vro serial port data in Linux

You can use the following methods to read the serial port data of a vro in Linux.

1. Connect the vro serial port through miniterm. py

After knowing the baud rate of the router serial port, we can directly run the miniterm. py in the download link of this book. For example, do you know that the baud rate is 115? 200. Run the following command.

    embedded@ubuntu:~/soft$ sudo miniterm.py /dev/ttyUSB0 115200    --- Miniterm on /dev/ttyUSB0: 115200,8,N,1 ---    --- Quit: Ctrl+]  |  Menu: Ctrl+T | Help: Ctrl+T followed by Ctrl+H ---

At this time, miniterm. py is in the waiting state. Start the router (power on). You can see that the startup information has been printed on the Ubuntu terminal, as shown below.

    CFE version 1.0.37 for BCM947XX (32bit,SP,LE)

Build Date: Fri Feb 27 15:20:59 CST 2004 (root @ honor) Copyright (C), Broadcom Corporation. initializing Arena. initializing Devices. et0: Broadcom BCM47xx 10/100 Mbps Ethernet Controller 3.50.21.0 CPU type 0x29007: 200 MHz Total memory: 0x2000000 bytes (32 MB) Total memory used by CFE: 0x80334DC0-0x8043A310 (1070416) initialized Data: 0x80334DC0-0x80336F40 (8576) BSS Area: 0x80336F40-0x80338310 (5072) Local Heap: 0x80338310-0x80438310 (1048576) Stack Area: 0x80438310-0x8043A310 (8192) Text (code) segment: 0x80300000-0x8030F220 (61984) Boot area (physical): 0x0043B000-0x0047B000 --- snip --- 2. vroccfe command mode

In the start-up phase of the WRT54G router, press Ctrl + C to stop the START process of the WRT54G router system and enter the CFE command line mode, as shown in the following example.

     CFE version 1.0.37 for BCM947XX (32bit,SP,LE)

Build Date: Fri Feb 27 15:20:59 CST 2004 (root @ honor) Copyright (C), Broadcom Corporation. initializing Arena. initializing Devices. --- snip --- Boot version: v2.3 The boot is CFE mac_init (): Find mac [00: 0F: 66: AE: B4: DC] in location 1 Nothing... device eth0: hwaddr 00-0F-66-AE-B4-DC, ipaddr 192.168.1.1, mask 255.255.255.0 gateway not set, nameserver not set Reading: Failed.: Error CFE>

Enter "help" to view the currently supported commands, as shown below.

CFE> help

Available commands: et Broadcom Ethernet utility. nvram NVRAM utility. reboot Reboot. flash Update a flash memory device memtest memory. f Fill contents of memory. e Modify contents of memory. d Dump memory. u Disassemble instructions. autoboot Automatic system bootstrap. batch Load a batch file into memory and execute it go Verify and boot OS image. boot Load an executable file into memory and execute it load Load an executable file into memory without executing it save Save a region of memory to a remote file via TFTP ping a remote IP host. arp Display or modify the ARP Table ifconfig Configure the Ethernet interface show devices Display information about the installed devices. unsetenv Delete an environment variable. printenv Display the environment variables setenv Set an environment variable. help Obtain help for CFE commands For more information about a command, enter 'help command-name'

    *** command status = 0    

You can use these commands to perform vro CFE, FLASH, and NVRAM operations. Here, we use the following command to view the logon page password in the WRT54G router NVRAM configuration information.

    CFE> nvram get http_passwd    admin    *** command status = 0

The returned result shows that the logon password for the Web management function of the WRT54G router is "admin ".

3. Router Linux System Mode

When the WRT54G router is started, if you do not use the Ctrl + C key combination, the router will start normally. the startup information is printed as follows.

CFE version 1.0.37 for BCM947XX (32bit, SP, LE) Build Date: Fri Feb 27 15:20:59 CST 2004 (root @ honor) Copyright (C), Broadcom Corporation. initializing Arena. initializing Devices. --- snip --- gateway not set, nameserver not set pppoe0 ifname = ppp0 ip = 10.64.64.64, netmask = 255.255.255.255.255, gw = 10.112.112.112 then No interface specified. quitting... hit enter to continue...

After the system is started, the system prompts "Enter" to continue. Press Enter to Enter the Linux system. The prompt is as follows.

    BusyBox v0.60.0 (2005.07.12-09:08+0000) Built-in shell (msh)    Enter 'help' for a list of built-in commands.    #

Now, we can use commands to manage vrouters. For example, to view the dynamic library link address of the Web server running on the vro, run the following command.

# Ps | grep httpd 63 0s httpd 147 0s grep httpd # cat/proc/63/maps | grep libc. so.0 2aac316-2aac7000 r-xp 00000000 1f: 02 1530/lib/ld-uClibc.so.0 2ab06000-2ab07000 rw-p 00006000 1f: 02 1530/lib/ld-uClibc.so.0 2ad53000-2ad88000 r-xp 00000000 1f: 02 1560/lib/libc. so.0 2adc7000-2adc9000 rw-p 00034000 1f: 02 1560/lib/libc. so.0

The base address of libc. so.0 is 0x2ad53000.

16.2.4 reading vro serial port data in Windows

In Windows, you can connect to the serial port of the vro. Next, let's take a look at how to use Putty to connect to the serial port of the vro. After connecting the adapter and the Serial port, first find the adapter port COM3 through the Windows Device Manager, then configure Putty and set "Connect type" to "Serial ", change "Serial line" to "COM3" and set the baud rate to 115? 200. After the preceding basic information is configured, click "Open" to connect to the vro, as shown in. To enter the CFE command line mode, press Ctrl + C during startup.

You can obtain the startup information through the router's serial port. In CFE mode, you can use CFE to execute commands and operate NVRAM. You can use CFE to update the firmware of FLASH. You can also obtain the Shell management system through the serial port.