Hardware Hacking Box. HELP
HACKING
2016-12-22
By David "DeMO" Martínez Oliveira

In the previous post of this series I used my reference router and a SBC (a Raspberry Pi 3 in that case) to connect to the router console. That worked very well, so I tried with new devices... but it didn't work that well with those. Anyway, I will tell you in this post what I have done, and maybe... some good people out there could help me with this.
Mandatory Disclaimer
Please keep in mind the following:
  • Once you dismount/open any of those devices you are voiding their warranty.
  • I'm not responsible for any damage you may cause to your devices.
  • Finally, I'm not responsible for any damage you may do to yourself. Routers have to be connected to the mains power. Usually the router board gets a low voltage and all the dangerous stuff stays behind the transformer, but always be cautious when working with mains power and disconnect the devices whenever you manipulate them.

My two target devices are:

  • Eminent EM4551 (wLINK 300 PRO). This is another wifi router a friend gave me. It also has a populated serial header on the board (more on this in a sec) and another connector that could be a JTAG interface... but I haven't got that far yet. This is my target 1 device.
  • Dymond WR03 wifi repeater. I found this in a local shop and wondered if there was something of interest inside, so I got one. I will also talk a bit about this in the post.

Let's start with the EM4551.

Opening the Eminent EM4551

This is a somewhat old Wifi router... that is why I used it for these tests. Anyway, it looks like a decent device. In order to open it, we have to remove some rubber pieces on the bottom to access the screws. Note that only two of those have to be removed (please refer to the figure below):

Eminent Router Screw Access

After removing the screws we get access to the bottom part of the router.

Eminent Router Bottom side of the main board

Now it is easy to remove the main board out of the box to work on it.

Eminent Router Main Board

We can see a 4-pin connector in the top part of the board (close to the activity LEDs). That is very promising. There is also an unpopulated header on the left side of the board. This is a 14-pin connector, so there is a fair chance of finding a JTAG interface there.

So far so good... Let's get serial

Eminent Serial Pin Identification

Now it is time to check whether that 4-pin header at the top may contain a serial interface. I followed the standard process described in many different places:

  • Continuity test for Ground and Vcc from the power connector
  • Voltage determination
  • Monitoring the activity during boot (when all the messages are sent out)
  • Elimination

You can find a very good explanation of the process in this page: https://wiki.openwrt.org/doc/hardware/port.serial

I could easily identify the GND and Vcc pins in the connector. Then I hooked some wires there to measure the voltage when the router is switched on. This one works at 3.3V, which is fine to hook it to the RPi or to one of my USB-TTL adapters.

Eminent Router Main Board

With all this information I could get access to the serial port, and after determining (by trial and error) that the serial port works at 57600 bauds I could access it:

Eminent Router Serial Access from Raspberry Pi 3

However, this one does not drop a shell, a login or even some boot loader access... so I cannot do much so far with this serial port. This is the serial dump from the router. I can get the TFTP boot mode activated, but I haven't explored that way so far:


(May 26 2009 - 14:29:23)

Board: Ralink APSoC DRAM:  16 MB
relocate_code Pointer at: 80fb4000

 Set info->start[0]=BFC00000
*** Warning - bad CRC, using default environment

============================================
Ralink UBoot Version: 3.1
--------------------------------------------
ASIC 3052_MP1 (MAC to GigaMAC Mode)
DRAM COMPONENT: 64Mbits
DRAM BUS: 32BIT
Total memory: 16 MBytes
Flash: 2 MBytes
Date:May 26 2009  Time:14:29:23
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:128, ways:4, linesz:32 ,total:16384

 ##### The CPU freq = 384 MHZ ####

 SDRAM bus set to 32 bit
 SDRAM size =16 Mbytes
Disable WAN Port: 0

Please choose the operation: (t:tftp server/b(boot now)/f(flash test))

BootType => b
## Booting image at bfc30000 ...
   Image Name:   em4551a
   Created:      2009-05-26   5:34:16 UTC

 System Control Status = 0x00440000
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1816555 Bytes =  1.7 MB
   Load Address: 80000000
   Entry Point:  802d5000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 802d5000) ...
## Giving linux memsize in MB, 16

Starting kernel ...


LINUX started...

 THIS IS ASIC
ralink flash device: 0x1000000 at 0xbf000000
alias:em4551a version:5.90
Default Configuration
Init LED ->[ ON ]
insmod: /lib/modules/2.6.21: No such file or directory
insmod: ip_conntrack_proc.ko: module not found
Bridge Init


=========================================
RALINK WIRELESS MODULE DETECTED!!
=========================================


device apcli0 is not a slave of br0



=================================================================
press magic key to change default setting ...
  LAN MAC : 00:14:5C:84:E3:E5
  WAN MAC : 00:14:5C:84:E3:E6
WAN IFNAME => [eth2.2]
iptables: No chain/target/match by that name
PPTP Server Start!!
insmod: /lib/modules/2.6.21: No such file or directory
insmod: ppp_mppe.ko: module not found
SIGNAL -> Config Update signal progress
SIGNAL -> WAN ip changed
EMINENT Router Serial Dump

The next step will be to try JTAG access. They have populated half of the 14-pin connector on the board. According to some information I found around, all the required JTAG signals should be there. If not, I will have to solder the other half.

Eminent Router JTAG Connector???... DUNNO

Soldering itself is straightforward. The problem is that the holes in the board are filled with solder and it is not that easy to remove. I removed the solder for the pins I added using the iron but, for the next ones,... I will try to use a drill.

So. This is it for the Eminent router... Kind of a success but without profit :/

In case you are curious, the full serial dump for this device is the one shown above.

Opening the Dymond WR03

This little guy is a wifi repeater. I found it in a local shop. A quick search shows that it provides a web interface, and the fact that it costs around 20 bucks means that it can have a computer inside. I took my chances and bought one.

Dymond WR03 Wifi Repeater

It can easily be opened by just removing 4 screws.

Dymond WR03 Wifi Repeater. Main Board

We can see 4 holes on the board that may be our serial port. Let's keep checking the hardware before exploring that connector.

The power supply is below the main board and it is connected to it using 2 wires.

The power supply is separated from the board with some cardboard, it is pretty small and looks useful for other projects :)

Dymond WR03 Power Supply

So I added some pins to that 4-pin connector and started checking whether it was a serial port.

Dymond WR03 After adding some pins to the board

Serial Access to the WR03

The first thing I did was to check the voltage of the power supply. In this case it was something around 9 volts, but it didn't look very stable. There is probably some filtering circuitry on the board to deal with that.

Dymond WR03 Wifi. Measurement Voltage provided by the power supply

Then I checked the 4 pin connector voltage. It looks like another 3.3V TTL serial.

Dymond WR03 Serial Port Voltage Measurement

Again, following the typical continuity test, I identified the different serial pins and determined that this one transmits at 38400 bauds, apparently with the standard 8N1 framing as usual.

This one boots normally and asks for a login; however, my transmission line towards the router is wrong. The echo I receive from it does not match what I send. I tried different configurations but nothing worked, and I finally gave up on this one... at least for the time being.

I know that the pin is the correct one, because I kind of managed to interact with the device, but my data is wrongly interpreted and I cannot access the device. My hypotheses about this are:

  • I may have damaged the device, either during the soldering of the pins or when I plugged the Vcc pin. I did that at some point in my first tests and that may have destroyed something on the board.
  • There is some HW element missing on the board that prevents the Rx line from working properly. Checking different resources on the internet, I found that for some routers you need to add a pull-up or series resistor to the Rx line and sometimes you may even need to short some connection on the board or remove some resistor.
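Two of the steps above are easy to get wrong by hand: picking the baud rate by trial and error (57600 on the EM4551, 38400 on the WR03) and judging whether the echo coming back matches what was typed. The following helpers are an added example, not code from the original post; the `read_at` callback and the candidate rate list are assumptions so that the scoring logic can run offline on constructed samples (on real hardware `read_at` would wrap pyserial and return the bytes captured during boot).

```python
"""Offline helpers for the two serial problems discussed above: picking the
baud rate by trial and error, and checking whether the echo matches what was
sent. Added example, not code from the original post."""
from typing import Callable, List, Optional, Sequence, Tuple

# Candidate rates commonly found on router consoles (assumed list), in the
# order worth trying.
CANDIDATE_BAUDS: Sequence[int] = (115200, 57600, 38400, 19200, 9600)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or TAB/LF/CR.
    At the right rate a boot log is almost all text; at a wrong rate the
    UART mis-frames the bits and most bytes come out as high-bit garbage."""
    if not data:
        return 0.0
    good = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return good / len(data)


def guess_baud(read_at: Callable[[int], bytes],
               candidates: Sequence[int] = CANDIDATE_BAUDS,
               threshold: float = 0.9) -> Optional[int]:
    """Capture boot output at each candidate rate and return the rate with
    the most readable output, or None if nothing crosses the threshold.
    read_at is a hypothetical callback: it opens the port at the given rate
    and returns the bytes seen during boot (on hardware, wrap pyserial)."""
    best_baud, best_score = None, 0.0
    for baud in candidates:
        score = printable_ratio(read_at(baud))
        if score > best_score:
            best_baud, best_score = baud, score
    return best_baud if best_score >= threshold else None


def echo_mismatch(sent: bytes, echoed: bytes) -> List[Tuple[int, int, int]]:
    """Compare typed bytes with the device's echo of them.
    Returns (offset, sent_byte, echoed_byte) for each differing position;
    a missing echo byte is reported as -1. An empty list means the TX path
    is fine. Consistent corruption while the boot log and login prompt
    arrive clean (the WR03 situation) points at the path into the board's
    Rx pin rather than at the terminal's receive settings."""
    diffs = []
    for i, s in enumerate(sent):
        e = echoed[i] if i < len(echoed) else -1
        if s != e:
            diffs.append((i, s, e))
    return diffs
```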

So, I have stopped here with this device. I don't feel like spending another 20 bucks to figure out whether I damaged it when I connected the Vcc pin, and I still need to sharpen my skills to be able to determine if I have to do some modification on the board.

For the time being, this is the serial dump for this device:

Booting...
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84016h 00000c8h 0000040h 0000016h 0000000h 0000016h 0400000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000040h 0001000h 0000400h 0000100h 0000010h 0000030h GD25Q32

Input : CLK_SEL=0x00000004, DIV=0x00000000
Now CPU Speed=500

---RealTek(RTL8881A)at 2016.06.21-16:50+0800 v1.4c [16bit](520MHz)
no sys signature at 00010000!
no sys signature at 00020000!
no sys signature at 00030000!
no sys signature at 00017000!
no rootfs signature at 000E0000!
no rootfs signature at 000F0000!
no rootfs signature at 00130000!
no rootfs signature at 00137000!
Jump to image start=0x80500000...
decompressing kernel:
Uncompressing Linux... done, booting the kernel.
done decompressing kernel.
start address: 0x80003400
Realtek WLAN driver - version 1.7 (2015-10-30)(SVN:1553)
DFS function - version 2.0.6
Adaptivity function - version 9.3.2

**********************************

** NOTE!! RTL8881A INTERNAL PA!    **

**********************************


#######################################################
SKB_BUF_SIZE=3200 MAX_SKB_NUM=480
#######################################################


**********************************

** NOTE!! RTL8881A INTERNAL PA!    **

**********************************

**********************************

** NOTE!! RTL8881A INTERNAL PA!    **

**********************************

**********************************

** NOTE!! RTL8881A INTERNAL PA!    **

**********************************

**********************************

** NOTE!! RTL8881A INTERNAL PA!    **

**********************************

**********************************

** NOTE!! RTL8881A INTERNAL PA!    **

**********************************


#######################################################
SKB_BUF_SIZE=3200 MAX_SKB_NUM=480
#######################################################




Probing RTL8186 10/100 NIC-kenel stack size order[3]...
chip name: 8196C, chip revid: 0
NOT YET
eth0 added. vid=9 Member port 0x10f...
eth1 added. vid=8 Member port 0x10...
[peth0] added, mapping to [eth1]...
Realtek FastPath:v1.03
init started: BusyBox v1.13.4 (2016-06-21 16:50:38 CST)
errno:13
Init Start...
!!! adjust 5G 2ndoffset for 8812 !!!
Init bridge interface...


************* Initialize MAC/PHY parameter *************
8881A internal PA PIN control or 8881A high power
Init Wlan application...

WiFi Simple Config v2.18-wps2.0 (2015.11.09-07:03+0000).


WiFi Simple Config v2.18-wps2.0 (2015.11.09-07:03+0000).

Register to wlan0
Register to wlan1
Register to wlan1-vxd
route: SIOCDELRT: No such process
open fifo /var/iapp.fifo OK
open fifo /var/wscd-wlan1-vxd.fifo OK
open fifo /var/wscd-wlan0.fifo OK
iwcontrol RegisterPID to (wlan0)
iwcontrol RegisterPID to (wlan1)
IEEE 802.11f (IAPP) using interface br0 (v1.8)
boa: server version Boa/0.94.14rc21
boa: server built Jun 21 2016 at 16:51:11.
boa: starting server pid=277, port 80

WR03 login:

Any help will be appreciated

In case you, beloved reader, are a HW expert, here is a small video of the behaviour of the router. This may be familiar to you and maybe somebody can say... Oh man, you have to do X to make this work. In the meantime, thanks for reading this.
