| 
		
	
	
	
		
	Posts: 195 Threads: 7
 Joined: Jul 2015
 
	
		
		
		06-07-2017, 12:21 AM 
(This post was last modified: 06-07-2017, 12:55 AM by soxrok2212.)
		
	 
		 (06-06-2017, 05:59 AM)mrfancypants Wrote:  P.S. In case anyone ever wants to pick up where I left off, here are some pointers. Firmwares are at http://68.250.244.11/firmware/; the web site may be someone's personal Linux PC and it is sporadically on and off. I couldn't find any alternate sources.
 
Thanks for the link. I do have a bit of MIPS locked away in my head. The server seems to be down at the moment, do you have a copy of it?
 
Also, I am friends with the guy who did research for the PDF you linked. I'll try to touch base with him.
	 
	
	
	
		
	Posts: 37 Threads: 3
 Joined: Apr 2017
 
	
	
		 (06-07-2017, 12:21 AM)soxrok2212 Wrote:   (06-06-2017, 05:59 AM)mrfancypants Wrote:  P.S. In case anyone ever wants to pick up where I left off, here are some pointers. Firmwares are at http://68.250.244.11/firmware/; the web site may be someone's personal Linux PC and it is sporadically on and off. I couldn't find any alternate sources.
 Thanks for the link. I do have a bit of MIPS locked away in my head. The server seems to be down at the moment, do you have a copy of it?
 
 Also, I am friends with the guy who did research for the PDF you linked. I'll try to touch base with him.
I seem to have deleted the originals, but here's an extracted filesystem for a 589: http://jmp.sh/3Hp5tOi 
Incidentally, the "Jimi Hendrix lyrics" code that I mentioned above is actually well known and very old; it's this: https://seeit.org/eircom/ It may have been used to generate WEP keys in the ancient past. I don't think it's used now at all.
 
I went further back along the 589/599 product line and got as far as a 2013 firmware for Motorola 2247, and couldn't find any relevant algorithms there either. (Binaries look almost identical to 589/599s.)
 
Right now my interest is in older 2Wire models (2700/01, 3600, 3800/01.) I got a couple of firmwares, but I can't get in because they are compressed using something nonstandard ("tmdecompress.c" - Google turns up, literally, one relevant hit, from back in 2004). Any chance your guy has either an unpacked version or a working unpacker?
	 
	
	
	
		
	Posts: 195 Threads: 7
 Joined: Jul 2015
 
	
	
		I grabbed a few copies before they were removed. Unfortunately I don't have much time to work with this, but where did you get the firmware? Btw, you can try firmware mod kit to extract the binaries if you know the file system.
	 
	
	
	
		
	Posts: 37 Threads: 3
 Joined: Apr 2017
 
	
	
		 (06-10-2017, 05:33 AM)soxrok2212 Wrote:  I grabbed a few copies before they were removed. Unfortunately I don't have much time to work with this, but where did you get the firmware? Btw, you can try firmware mod kit to extract the binaries if you know the file system. 
I got 589s and 599s from the link I gave (the 68.xx). It may have been an actual AT&T server whose address got accidentally advertised. It's been down ever since. You can still get many of the firmwares from it if you know the exact link (e.g. look it up in google cache) and substitute "gateway.c01.sbcglobal.com" for "68.250.244.11". 
There are two versions for Motorola 2247 on arris.com, and one 2700/2701 at https://www.sendspace.com/file/nbs97h . 
Turns out that there's another problem with 2701 - even if its firmwares can be decrypted, the 2701 is based on an obscure chip that is not supported by common disassemblers. 3801s might work though.
	 
	
	
	
		
	Posts: 195 Threads: 7
 Joined: Jul 2015
 
	
	
		I'll see if I can find time to look at it tonight. Have been working like a dog lately.
	 
	
	
	
		
	Posts: 195 Threads: 7
 Joined: Jul 2015
 
	
	
		Update: I'm exhausted tonight so it may have to wait until the weekend... keep me motivated!
	 
	
	
	
		
	Posts: 195 Threads: 7
 Joined: Jul 2015
 
	
	
		I have the firmwares extracted and file systems mounted, but only /bin is populated. There are just common linux binaries. In the past, the only relevant binaries I've found were in /lib which is empty. It seems as if we are missing something or the firmwares have been wiped of all sensitive information.
	 
	
	
	
		
	Posts: 195 Threads: 7
 Joined: Jul 2015
 
	
	
		I have an NVG589 on the way, got it for $15    
	
	
	
		
	Posts: 100 Threads: 34
 Joined: Aug 2014
 
	
		
		
		06-18-2017, 04:33 AM 
(This post was last modified: 06-19-2017, 05:24 AM by devilsadvocate.)
		
	 
		 (06-17-2017, 05:13 PM)soxrok2212 Wrote:  I have the firmwares extracted and file systems mounted, but only /bin is populated. There are just common linux binaries. In the past, the only relevant binaries I've found were in /lib which is empty. It seems as if we are missing something or the firmwares have been wiped of all sensitive information. 
Let us know if you find any CIA planted backdoors in any of these firmwares.  This could get very interesting.
https://latesthackingnews.com/2017/06/17...ance-tool/ 
The article text follows (just in case it gets taken down).
According to new Posts published by WikiLeaks, the CIA has been developing and maintaining a host of tools to do just that. This morning, the organization published new documents describing a program called Cherry Blossom, which uses an altered version of a given router’s firmware to turn it into a surveillance tool. Once in point, Cherry Blossom lets a remote agent monitor the target’s internet traffic, scan for useful data like passwords, and even redirect the target to the desired website.
The document is part of a list of publications on CIA hacking tools, including previous modules targeting Apple products and Samsung Smart TVs. As with earlier publications, the document dates to 2012, and it’s unclear how the programs have grown in the five years since.
The manual describes different versions of Cherry Blossom, each tailored to a specific brand and model of router. The pace of hardware upgrades seems to have made it difficult to support each model of router, but the document shows the most popular routers were accessible to Cherry Blossom.
“As of August 2012,” the manual reads, “CB-implanted firmware can be built for roughly 25 different devices from 10 various manufacturers, including Asus, Belkin, Buffalo, Dell, DLink, Linksys, Motorola, Netgear, Senao, and US Robotics.”
The guidebook also goes into detail on how CIA agents would typically install the modified firmware on a given device. “In typical operation,” another passage reads, “a wireless device of interest is implanted with Cherry Blossom firmware, either using the Claymore tool or via a supply chain process.” The “supply-chain operation” likely refers to intercepting the device somewhere between the factory and the user, a common tactic in surveillance operations. No public documents are available on the “Claymore tool” mentioned in the section.
It’s unclear how widely the implant was used, although the manual generally refers to use for specific purposes, rather than for mass surveillance. There’s also reason to believe the NSA was using similar tactics. In 2015, The Intercept published documents obtained by Edward Snowden that detailed efforts by the UK’s GCHQ to exploit vulnerabilities in 13 models of Juniper firewalls.
https://latesthackingnews.com/2017/06/18...ryblossom/
Again, while it’s clear that the CherryBlossom design targeted the following list of routers, it is not clear which have been successfully compromised. 
 Within the CherryBlossom propaganda, there are also reports that appear to target seven explicit routers for use with “Flytrap.” Flytrap is a tool CherryBlossom uses to “beacon over the Internet to a Command & Control server pointed to as the CherryTree,” according to WikiLeaks.
Flytrap routers
The CherryBlossom documents included firmware flashing instructions labeled “Flytrap” for each of these router models.

3Com: 3CRWE454A72, 3CRWX120695A, 3CRWX275075A, 3CRTRV10075, 3CRWE41196, 3CRWE454G72, 3CRWE53172, 3CRWE554G72T, 3CRWE554G72TU, 3CRWE675075, 3CRWE725075A-US, 3CRWE754G72-A, 3CRWE754G72-B, 3CRWE825075A-US, 3CRWE875075A-US, 3CRWE91096A, 3CRWE91096A, 3CRWE920G73-US, 3CRWEASY96A, 3CRWEASY96A, 3CRWEASYG73-U, 3CRWX440095A
 
Accton: WA3101, WA4101, WA5101, WA5201, WA6101, WA6102, WA6102X
 
Aironet/Cisco: Aironet 1310 Outdoor Access Point /Bridge, Aironet 350 Series Wireless Bridge, 1300 Series Outdoor Access Point/Bridge, Aironet 1200 Series a/b/g Access Point, Aironet 1310 Outdoor Access Point/Bridge, Aironet 350 Series, Aironet 350 Series AP, Cisco Aironet 1400 Series Wireless Bridge, Cisco Aironet 1400 Series Wireless Bridge
 
Allied Telesyn: AT-WA1004G, AT-WA7500, AT-WL2411
 
Ambit: (No models specified)
 
AMIT, Inc: WIS418, WQS418, WUC128
 
ANI Communications: (No models specified)
 
Apple: AirPort Express
 
Asustek Co: WL-160g, WL-300, WL-300g, WL-330, WL-330g, WL-500b, WL-500g
 
Belkin: F5D7230-4
 
Breezecom: AP-10, AP-10D, BU-DS.11, BU-DS.11D, DS.5800 Base Unit, RB-DS.11, RB-DS.11D, SA-10, SA-10D, SA-40, SA-40D, WB-10, WB-10D
 
Cameo: WLB-2006_2007, WLB-2203/2204, WLG-2002/2003, WLG-2204/2205
 
D-Link: AP Manager or D-View SNMP management module?, DCS-2100+, DCS-3220G, DCS-5300G, DCS-5300W, DI-514, DI-524, DI-624, DI-714P+, DI-774, DI-784, DI-824VUP, DP-311P, DP-311U, DPG-2000W, DP-G310, DP-G321, DSM-320, DVC-1100, DWL-1000AP+, DWL-120, DWL-1700AP, DWL-1750, DWL-2100AP, DWL-2200AP, DWL-7000AP, DWL-7100AP, DWL-800AP+, DWL-810+, DWL-G700AP, DWL-G730AP, DWL-G800AP, DWL-G810, DWL-G820
 
Epigram: (No models specified)
 
Gemtek: WADB-100G, WHAPC-100GE 11G, WHRTC-100GW, WX-1500, WX-1590, WX-1600, WX-1688, WX-2214, WX-2501, WX-5520A, WX-5520G, WX-5525G, WX-5525R, WX-5541, WX-5545, WX-5551, WX-5555, WX-5800, WX-5801, WX-5803
 
Global Sun: CM054RT, WL AP 2454 NM0, WL AP 2454 QA0, WL AP 2454 QA3, WL MU 2454 13I0, WL RT 2454 NM0, WL RT 2554 QA0, WL UD 2454 13I0
 
Hsing Tech: (No models specified)
 
Linksys: BEFW11S4, WAP11, WAP51AB, WAP54G, WAP55AG, WCG200, WET54G, WET54GS5, WGA11B, WGA54G, WMA11B, WMLS11B, WPG12, WPG54G, WPS11, WPS54GU2, WRE54G, WRT54G, WRT54GP2, WRT54GS, WRT55AG, WRV54G, WVC11B, WVC54G
 
Motorola: WR850G
 
Orinoco: AP-2000 Access Point, AP-2500 Access Point, AP-4000 Tri-Mode Access Point, AP-600 Access Point, Orinoco AP-700, Tsunami MP.11, Tsunami QuickBridge 11, Tsunami QuickBridge 20, Tsunami QuickBridge 60
 
Planet Tec: WAP-1963A, WAP-4030, WRT-413, WAP-1963, WAP-1966, WAP-4000, WAP-4050, WAP-5000, WAP-5100, WL-U356, WRT-403, WRT-410
 
RPT Int: (No models specified)
 
Senao: 5GHz/2.4GHz Dual Band Wireless Access Point, Aries2, Dual Band Wireless Access Point, Long Range Wireless Dongle, Long Range Wireless Outdoor Client Bridge, NL-2511AP PRO PLUS, NL2511SR Plus, NL2511SR Plus(A), NL-2611AP3 PLUS, NL-3054CB3 PLUS, Outdoor Wireless Access Point/Router, Outdoor Wireless Bridge, SL2511SR Plus, Wireless 11g Broadband Router, Wireless Multi-Client Bridge/Access Point
 
US Robotics: USR5420, USR5430, USR5450, USR8054
 
Z-Com: XG-1100, XG-2000, XG-3020, XG-580, XG-580Plus, XG-581, XG-582, XI-1450, XI-1500, XI-1510
There are also two separate lists of devices in the CherryBlossom documents.

Belkin: F5D8231
 
DLink: DIR130
 
Linksys: WRT320N, WRT54G, WRT300N, WRT54GL, WRT54GL
 
	
	
	
		
	Posts: 37 Threads: 3
 Joined: Apr 2017
 
	
	
		 (06-17-2017, 05:13 PM)soxrok2212 Wrote:  I have the firmwares extracted and file systems mounted, but only /bin is populated. There are just common linux binaries. In the past, the only relevant binaries I've found were in /lib which is empty. It seems as if we are missing something or the firmwares have been wiped of all sensitive information. 
Are you looking at the file I uploaded? There should be /bin/sdb and /bin/cshell, which contain much of the default configuration logic, and a /lib/libmotopia.so, which has the interface used to access the NVRAM (the actual access code is in the kernel space). 
 
I also got a device (a 4111N) and I have a full filesystem dump for it. 
 
At this point I'm about 95% sure that none of the firmwares shipped since 2013/14 or so have the code we want (not unless it is crippled and/or well hidden.) Still looking at older versions. I have some educated guesses as to how the password is generated, but I can't come up with a working algorithm. There's most likely an MD5 of either the serial number or the mfg timestamp (plus an unknown salt) involved. I'm trying to organize my thoughts and I'll put it somewhere on the web to keep this thread from getting too far off-topic. 
Unless the exact algorithm can be worked out, fartboxes approach may be the best we have

 devilsadvocate Wrote: Let us know if you find any CIA planted backdoors in any of these firmwares.  This could get very interesting. 
As I understand the leak, that's not something they'd plant in regular firmwares. That's more along the lines of uploading a modified version of firmware with spying capabilities onto an otherwise pristine device. To do that, you'd typically need to connect to the router via wi-fi first. (Which is not to say there aren't any backdoors in these firmwares.)
	 |