Hacking the Actiontec GT701-WG
omin0us and Sub
The Actiontec GT701-WG is the Wireless DSL Modem/Router that Qwest is now giving out to its subscribers to either rent for $3 a month or to buy. My friend Sub got one after get DSL setup at his house and found that it runs Linux on it. This paper will serve as documentation for the project as we attempt to hack this device, document as much as we can about it, and achieve our end goal of creating a custom firmware to flash to it, and possibly try and run BitchX IRC client off of it, just for the shear reason of "doing it because we can".
Update: Last night for the first time we accomplished our goal of hacking the firmware and flashing our own custom version of the firmware to the unit. read the bottom for more details.
Hardware:
CPU: MIPS
MIPS 4KEc V4.8 32-bit
160 mhz
# cat /proc/cpuinfo
processor : 0
cpu model : MIPS 4KEc V4.8
BogoMIPS : 149.91
wait instruction : no
microsecond timers : yes
extra interrupt vector : yes
hardware watchpoint : yes
VCED exceptions : not available
VCEI exceptions : not available
|
RAM:
16 MB Samsung Ram.
# cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 14983168 14032896 950272 0 1564672 5165056
Swap: 0 0 0
MemTotal: 14632 kB
MemFree: 928 kB
MemShared: 0 kB
Buffers: 1528 kB
Cached: 5044 kB
SwapCached: 0 kB
Active: 3100 kB
Inactive: 5288 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 14632 kB
LowFree: 928 kB
SwapTotal: 0 kB
SwapFree: 0 kB
|
Ports:
- Power AC Adapter
- 1 Ethernet (RJ-45)
- 1 Phone (RJ-11)
- 1 Line (RJ-11)
- 1 Mini USB
How to Log in:
Telnet to the Router's Gateway address. Default is 192.168.0.1
User: admin
Pass: admin
Operating System:
# cat /proc/version
Linux version 2.4.17_mvl21-malta-mips_fp_le (release@localhost.localdomain)
(gcc version 2.95.3 20010315 (release/MontaVista)) #1 Thu Jan 8 19:16:45 PST 2004
|
So far we know the main root filesystem is mounted read-only from /dev/mtdblock/0 on a squashfs partition. The only place we are able to write to is anywhere in /var, as it is mounted with read/write permisions. /var is mounted in ram on a ramfs partition. We have made a few tests to
Running Processes:
These are the processes running from a fresh boot.
# ps aux
PID Uid VmSize Stat Command
1 admin 1272 S init
2 admin S [keventd]
3 admin R [ksoftirqd_CPU0]
4 admin S [kswapd]
5 admin S [bdflush]
6 admin S [kupdated]
7 admin S [mtdblockd]
33 admin D [adsl]
38 admin 1664 S /usr/bin/cm_pc
40 admin 1176 S /usr/sbin/thttpd -d /usr/www -u root -p 80 -c /cgi-b
41 admin 2904 S /usr/bin/cm_logic -m /dev/ticfg -c /etc/config.xml
42 admin 672 S ipq_act
45 admin 1272 S init
46 admin 1276 S /usr/bin/cm_monitor
78 admin 632 S /sbin/dproxy -c /etc/resolv.conf -d
95 admin 1276 S /bin/sh -c /usr/sbin/user_drv
96 admin 4572 S /usr/sbin/user_drv
97 admin 4572 S /usr/sbin/user_drv
98 admin 4572 S /usr/sbin/user_drv
99 admin 4572 S /usr/sbin/user_drv
100 admin 4572 S /usr/sbin/user_drv
105 admin 4572 S /usr/sbin/user_drv
124 admin 2344 S /usr/sbin/pppd plugin pppoa 0.32 user user@qwest
154 admin 1284 S /usr/sbin/upnpd ppp0 br0
157 admin 1284 S /usr/sbin/upnpd ppp0 br0
160 admin 1284 S /usr/sbin/upnpd ppp0 br0
163 admin 1284 S /usr/sbin/upnpd ppp0 br0
168 admin 1284 S /usr/sbin/upnpd ppp0 br0
169 admin 1284 S /usr/sbin/upnpd ppp0 br0
196 admin 616 S /sbin/utelnetd
197 admin 1284 S -sh
|
Moduels:
# lsmod
Module Size Used by
tiwlan 66544 2
ip_nat_talk 3128 0 (unused)
ip_conntrack_talk 2924 2
ip_nat_tftp 2344 0 (unused)
ip_conntrack_tftp 2236 1
ip_nat_irc 3288 0 (unused)
ip_conntrack_irc 3900 1
ip_nat_h323 3408 0 (unused)
ip_conntrack_h323 3116 1
ip_nat_ftp 4088 0 (unused)
ip_conntrack_ftp 5052 1
ipt_multiport 1020 0 (unused)
ipt_REDIRECT 1092 1
ipt_iprange 1196 0 (unused)
ipt_limit 1404 0 (unused)
ipt_TCPMSS 3020 0 (unused)
ipt_sLog 2884 1
ipt_state 968 3
ipt_MASQUERADE 1732 1
iptable_nat 23192 6 [ip_nat_talk ip_nat_tftp ip_nat_irc ip_nat_h323
\ip_nat_ftp ipt_REDIRECT ipt_MASQUERADE]
iptable_filter 2124 0 (unused)
ip_conntrack 29920 8 [ip_nat_talk ip_conntrack_talk ip_nat_tftp
\ip_conntrack_tftp ip_nat_irc ip_conntrack_irc
\ip_nat_h323 ip_conntrack_h323 ip_nat_ftp
\ip_conntrack_ftp ipt_REDIRECT ipt_state
\ipt_MASQUERADE iptable_nat]
ip_tables 14688 12 [ipt_multiport ipt_REDIRECT ipt_iprange ipt_limit
\ipt_TCPMSS ipt_sLog ipt_state ipt_MASQUERADE
\iptable_nat iptable_filter]
ip_queue 7760 0 (unused)
tiatm 113704 1
avalanche_usb 48720 1
|
Here is the startup script in /etc/init.d/rcS
#! /bin/sh
#
# rcS Call all S??* scripts in /etc/rcS.d in
# numerical/alphabetical order.
#
# Version: @(#)/etc/init.d/rcS 2.76 19-Apr-1999 miquels@cistron.nl
#
trap "" SIGHUP
PATH=/sbin:/bin:/usr/sbin:/usr/bin
runlevel=S
prevlevel=N
umask 022
export PATH tart modules needed for website block, I think following add by Steven
insmod ip_queue
ipq_act&
#
# Trap CTRL-C &c only in this shell so we can interrupt subprocesses.
#
trap ":" INT QUIT TSTP
mount -n /proc
#mount -n -o remount,rw /
mount /var
#ACTION_TEC
mkdir /var/etc
mkdir /var/etc/ppp
echo "/bin/cp /etc/ppp/* /var/etc/ppp"
/bin/cp /etc/ppp/* /var/etc/ppp
/bin/cp /etc/* /var/etc
# unreserve for unp systems
echo "0 0" > /proc/sys/vm/pagetable_cache
# router
echo 1 > /proc/sys/net/ipv4/ip_forward
# pppox
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# ignore_all not yet used: this should be satisfactory
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# drop spoofed addr: turn this off on non-loop-free networks
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# do not honor source route flags
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# protect against syn flood attacks
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
# this needs proper sampling on av_blog to determine optimal value
# for now just observe softnet_stats to see # time was throttled
# historical value was 300
echo 100 > /proc/sys/net/core/netdev_max_backlog
(cd /; tar xf var.tar)
/sbin/ledapp
sleep 1
/sbin/insmod avalanche_usb
sleep 1
/sbin/insmod tiatm
sleep 1
# UPnP requires loopback
ifconfig lo 127.0.0.1
/usr/sbin/thttpd -d /usr/www -u root -p 80 -c '/cgi-bin/*'
/usr/bin/cm_pc > /dev/tts/0 &
#start modules needed for website block, I think following add by Steven
insmod ip_queue
ipq_act&
#turn power led to green after 10s
powergreen&
|
we have been able to run the recovery app for the router, and pull the firmware images from that, and mount them. And have sniffed the network while running the recovery utility and found that it is connecting to what appears to be a custom ftp daemon with
User: adam2
Pass: adam2
Here is a dump from the sniffed session while running the recovery utility.We have written a small program to emulate the sending of this packet, as we don't really know yet what it is doing this for.
UDP broadcast port 5035: (16 bytes) 0x00 0x00 0x16 0x02 0x01 0x00 0x00 0x00 0xc0 0xa8 0x00 0x01 0x00 0x00 0x00 0x00
UDP response from modem to port 5035: (16 bytes) 0x00 0x00 0x16 0x02 0x02 0x00 0x00 0x00 0x01 0x00 0xa8 0xc0 0x00 0x00 0x00 0x00
220 ADAM2 FTP Server ready.
USER adam2
331 Password required for adam2.
PASS adam2
230 User adam2 successfully logged in.
TYPE I
200 Type set to I.
MEDIA FLSH
200 Media set to FLSH.
PORT 192,168,0,102,130,11
200 Port command successful.
STOR nsp.ar7wrd.squashfs.img mtd0
150 Opening BINARY mode data connection for file transfer.
226 Transfer complete.
TYPE I
200 Type set to I.
MEDIA FLSH
200 Media set to FLSH.
PORT 192,168,0,102,130,12
200 Port command successful.
STOR ram_zimage_pad.ar7wrd.nsp.squashfs.bin mtd1
150 Opening BINARY mode data connection for file transfer.
226 Transfer complete.
TYPE I
200 Type set to I.
MEDIA FLSH
200 Media set to FLSH.
PORT 192,168,0,102,130,13
200 Port command successful.
STOR config.xml mtd3
150 Opening BINARY mode data connection for file transfer.
226 Transfer complete.
REBOOT
221-Thank you for using the FTP service on ADAM2.
221 Goodbye.
QUIT
|
The first thing the recovery app does is it appears to first broadcast a 16 byte UDP packet on port 5035, to which the router responds back with a 16 byte UDP packet.
We have successfully been able to code a small app to emulate the recovery app sending that UDP packet and were able the trick the router into responding to us with its own 16 byte UPD packet. Here is the source for our small little test app:
/* test prog for actiontec router hack
* by: omin0us
* help from Sub.
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define PORT 5035
#define DEST_IP "192.168.0.255"
int main()
{
int sockfd;
struct sockaddr_in actiontec_addr;
int bytes_sent;
char packet_data[] =
"\x00\x00\x16\x02\x02\x00\x00\x00"
"\x01\x00\xa8\xc0\x00\x00\x00\x00";
if((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
{
fprintf(stderr, "Error: could not establish socket\n");
exit(1);
}
actiontec_addr.sin_family = AF_INET;
actiontec_addr.sin_port = htons(PORT);
actiontec_addr.sin_addr.s_addr = inet_addr(DEST_IP);
memset(&(actiontec_addr.sin_zero), '\0', 8);
if((bytes_sent = sendto(sockfd, packet_data, strlen(packet_data), 0,
(struct sockaddr *)&actiontec_addr, sizeof(struct sockaddr))) == -1)
{
fprintf(stderr,"error: could not send data\n");
exit(1);
}
printf("sent %d bytes\n", bytes_sent);
close(sockfd);
return(0);
}
| | |