Technology sharing: Reverse-hack Huawei Router Part I.

Write it in front.

The following will introduce the process of a reverse router, which is exactly a Huawei HG533 router.

This article only represents the intention of the original author, at the same time, the tools and techniques introduced in this article are offensive, please use it legally and legitimately.

Body

The previous idea is also relatively simple to find the serial port, and this serial port is also reserved for the nature of a serial port, mainly for the later debugging and upgrading equipment use. And for the router you can be seen as a small embedded device, from the printer to the smart camera can look at this, and the serial port is sometimes hidden, our goal is to find this serial port and then debug the device. The serial port can access the router's CFE, observe boot and debug information, and interact with the system through a shell and asynchronous serial communication. The following note is about the router serial port description, in the absence of special instructions, refers to the UART.

Probe serial

It is important to note that in routers, the serial port we are looking for is not the usual RS232, but the UART (Universal Asynchronous transceiver), which is a common interface in router devices. In the search for the UART, it is important to note that on the router board those single row has 4~6 pin position, most of the situation is still useful, but a few exceptions. This is not intended for the user, so there are times when it is idle and it is not used in its pins. After seeing the circuit board after disassembly, two places caught my attention. See

Visual inspection This device has two different serial ports and two different circuit composition, while using these two parts to complete the communication tasks of the equipment. Now there is a way of thinking, we can according to the circuit board wiring situation, to find the main circuit, and finally we can get the information we need.

Pin recognition

Here we find two rows of pins (see figure), which, according to the previous judgment, should be the UART. Now that the goal is found, the first thing to do is to see what is useful and which is useless, and I use a simple technique to judge that this is a photo taken from the front of the circuit board, and let's take a look.

Here we need to pay attention to the PCB circuit board above the solder point between the connection.

1. It seems to be connected to something (note the position of two o ' clock direction)

2. No connection

3. If the solder joint is connected to a lot of places, it is most likely a GND or VCC pin, but this is not a versatile method. It should be added that the VCC pin is usually made square and the router board can see a wide line, so it is very likely that the pin is also a VCC pin.

The 4.GND pin usually has multiple lines connected to the surrounding ground, so it's important to see the ground around you. And here you see this, so you can tell that this is the GND pin.

5. Connect to something

Solder Pins

In the picture above we see two serial ports. So now it's starting to weld on it, though it's difficult, I try to break through the solder joints and then penetrate the solder joints to the back, but obviously it's very difficult. and the second serial port, I intend to use the Dremel electric grinder to achieve the purpose of the front, so that it can be welded on the back of the PCB board, the workload is still relatively large.

Pin description

The previous three useful pins have been obtained, but we have not yet specifically utilized the UART. What needs to be emphasized here is that the UART is one of the asynchronous serial communication protocols, which works by transmitting each character of the transmitted data one after the other. Let's review the UART:

TX "Send pin, data sent on TX will be received by RX input"

Rx "Receive PIN, RX input Receive"

Gnd "ground, the pin voltage is typically 0"

VCC "supply voltage. The pin voltage is stable, usually 3.3V ~5v, do not attempt to connect "

CTS is "allowed to send, while CTS is a response to RTS, typically used"

DTR "typically used"

CTS and RTS are the two pins in the stream control of serial communication, which is a brief introduction, which is to place the RTS as a valid bit when the receiver (UART2) thinks it can accept the UART data. The data is sent only after the CTS pin of the sender (UART1) receives this signal. In general, when the UART data receive cache is larger than two bytes free, the RTS can be set to a valid receive. An example is to explain that A to B sends an RTS signal, that a to send some data to B, b after receiving the RTS, to all the base station to send a CTS signal, indicating that it is ready, a can be sent. The UART can enter an internal loopback (Loopback) mode for diagnostic or debug purposes. In loopback mode, data sent from TX is received by the RX input. When TX and RX are set (the default value of 1), the voltage also floats.

So let's take a look at what we've got to conclude:

1. The previous three pins appear to be TX, Rx, and GND.

2. One that looks much like Gnd (the 4th position in the right place)

3.tx-is used for data transmission

4.rx-is associated with another place.

Of course, in order to verify, I need to try different permutations and combinations, then you need to Usb-uart, that is, the next computer to convert the USB data to the UART data. Below you can use an oscilloscope and a multimeter to see what happens with each pin.

The oscilloscope is now used to verify the specifics of each pin:

1.gnd-fixed at 0V so it must be grounded.

2.Tx-You can see the information sent in the picture

3. Fluctuations between 0v, then must be Rx, that is because there has not been a larger float.

Now that we have understood the pin situation, the following need to analyze the serial port situation, then you need to know the serial communication speed (baud rate), you need to use Logic analyzer. If not, then you need to try the previous permutations,

I've started using analyzers to analyze the baud rate, and now I can see the data (\n\r\n\ru-boot 1.1.3 ...).

Once the serial port and baud rate are known, the device is connected

Connecting the serial port

Now that you have the hardware information for the device, you need to establish a communication relationship with the device below. Start Usb-uart, then use two serial ports to communicate and see the situation with an oscilloscope

After the start of the serial port, the computer and the device also began to send information, this is the information, the following is the first line of information sent

Please choose operation:

3:boot system code via Flash (default).

4:ENTR boot command line interface.

0

Command line interface?? When I press 4, I get this. Also, when we press 3 and wait for the flash checksum to complete, then press ENTER, you will see the "Welcome to ATP Cli" message and a login prompt. After an attempt, you can successfully login with the default password admin:admin.

 ——————————--–welcome to ATP Cli ———————————— - login:adminpassword: #Password  is   ' admin ' ATP  >shellbusybox vv1.  9.1  (2013 - 08 - : 15 : 00  CST) Built-in   Shell (Ash) Enter ' help '  for  A List of Built-in   commands.# ls  var  usr tmp sbin proc mnt lib Init etc Dev bin 

The command-line page takes advantage of the shell command to get root privileges. The router also runs the BusyBox, which will be introduced later.

What will be introduced next?

Now that you've got BusyBox, the following will focus on software such as passwords, some applications, and so on. Of course, we will introduce some more interesting things, please look forward to ....

* Reference source : Jcjc-dev

Technology sharing: Reverse-hack Huawei Router Part I.