Router on bramp.net https://blog.bramp.net/ Recent content in Router on bramp.net Hugo -- gohugo.io en-GB Sun, 22 Jan 2012 00:00:00 +0000 Obtaining the firmware for Linksys E4200v2 https://blog.bramp.net/post/2012/01/22/obtaining-the-firmware-for-linksys-e4200v2/ Sun, 22 Jan 2012 00:00:00 +0000 https://blog.bramp.net/post/2012/01/22/obtaining-the-firmware-for-linksys-e4200v2/

I recently got a Linksys E4200v2 wireless router. It’s pretty cool, supports IPv6, 2.4Ghz and 5Ghz wifi networks, VPN, etc. The one downside is that the firmware for the router is not available from Linksys’s website, and the GPL code has not been made available, yet… However, the router has been able to pull updates itself from the Internet.

So I wanted to acquire the firmware to see if I could do something fun with the router. I set about to figure out how the router does this. My plan was to set my laptop up between Internet interface on the router, and the cable modem. Since my laptop doesn’t have two network cards, I plugged into a switch and used Ethercap to ARP poison to redirect traffic via the laptop.

Then using Wireshark I could see the traffic coming out of the router. All I needed to do now was to hit the “check for updates button”.

Firstly I saw two DNS requests, one for the AAAA (IPv6) record for update.linksys.com, then a A request for update.linksys.com. Clearly the updates are coming from there. Secondly I saw a HTTPS connection form to that domain. That makes this a little more complex, as I am unable to see the encrypted traffic, and thus see what is being transferred.

So, I grabbed a simple DNS server, and set up a simple SSL server following these instructions.

Now with DNS spoofing, and a fake SSL server, I could intercept encrypted traffic from the router, as long as it does not validate the SSL certificate. Luckily it didn’t check the validity, and thus I was able to capture the request: (BTW Not checking the cert completely defeats the point of using SSL… bad Linksys!).

POST /cds/update HTTP/1.1
Host: update.linksys.com
Accept: */*
Content-Type: text/xml
Content-Length: 573

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <ns:GetFirmwareFromDeviceRequest xmlns:ns="http://cisco.com/schemas">
      <ns:LanguageCode>en</ns:LanguageCode>
      <ns:CountryCode>us</ns:CountryCode>
      <ns:MacAddress>12:34:56:78:90:ab</ns:MacAddress>
      <ns:ModelNo>E4200</ns:ModelNo>
      <ns:HardwareVersion>2</ns:HardwareVersion>
      <ns:CurrentFirmwareVersion>2.0.36.126507</ns:CurrentFirmwareVersion>
    </ns:GetFirmwareFromDeviceRequest>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

and the response:

HTTP/1.1 200 OK
Content-Language: en-US
Content-Type: text/xml
SOAPAction: ""

<soapenv:Envelope
 xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header/>
  <soapenv:Body>
    <ns:GetFirmwareFromDeviceResponse xmlns:ns="http://cisco.com/schemas">
      <ns:FirmwareList xmlns:ns="http://cisco.com/schemas">
        <ns:Firmware xmlns:ns="http://cisco.com/schemas">
          <ns:Version xmlns:ns="http://cisco.com/schemas">2.0.36.126507</ns:Version>
          <ns:Revision xmlns:ns="http://cisco.com/schemas">D</ns:Revision>
          <ns:ReleaseDate xmlns:ns="http://cisco.com/schemas">2012-01-06T16:48:08Z</ns:ReleaseDate>
          <ns:DownloadURI xmlns:ns="http://cisco.com/schemas">http://download.linksys.com/updates/to0037258865.pdx/FW_E4200_2.0.36.126507.SSA</ns:DownloadURI>
          <ns:DateFormat xmlns:ns="http://cisco.com/schemas">yyyy-MM-dd';T';HH:mm:ss';Z';</ns:DateFormat>
          <ns:Checksum xmlns:ns="http://cisco.com/schemas">1958710861</ns:Checksum>
        </ns:Firmware>
      </ns:FirmwareList>
    </ns:GetFirmwareFromDeviceResponse>
  </soapenv:Body>
</soapenv:Envelope>

(I slightly modified portions of the request and response to hide the identify of my router.).

I might write a script to make fake requests, but until then you can easily create a request with curl:

curl -d @request.raw https://update.linksys.com/cds/update

Then you just extract the DownloadURI and

curl http://download.linksys.com/updates/to0037258865.pdx/FW_E4200_2.0.36.126507.SSA

Voila I now have the firmware. Now I need to figure out what to do with it.

Update: As requested I fetched the more recent version of the file:
2.0.37.131047 – http://download.linksys.com/updates/to0040829450.pdx/FW_E4200_2.0.37.131047.SSA

 Verizon FiOS MI424WR rev. F Router https://blog.bramp.net/post/2010/11/25/verizon-fios-mi424wr-rev.-f-router/ Thu, 25 Nov 2010 00:00:00 +0000 https://blog.bramp.net/post/2010/11/25/verizon-fios-mi424wr-rev.-f-router/

I just got a FiOS wifi router and I must say I really like it. The web interface has many more options than any home router I’ve ever played with, and it seems like it’d be easy for a beginner but doesn’t get in the way of an expert. It also telnet access (optionally over SSL), which puts you into a custom shell. Poking around the commands I find one awesome one:

Wireless Broadband Router> help system shell
shell   Spawn busybox shell in foreground

Wireless Broadband Router> system shell
BusyBox v1.01 (2005.09.07-07:38+0000) Built-in shell (lash)
Enter 'help' for a list of built-in commands.

/ #

This is very clearly running Linux, with BusyBox. For those interested here are some interesting bits of information:

/ # cat /proc/version 
Linux version 2.6.16.14 #1 SMP Sat Nov 28 00:38:50 PST 2009

A four year old kernel. Well what do you expect from this kind of device :)

/ # cat /proc/cpuinfo 
system type		: MC524WR
processor		: 0
cpu model		: Cavium Networks Octeon CN50XX V0.1
BogoMIPS		: 1000.48
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 64
extra interrupt vector	: yes
hardware watchpoint	: yes
ASEs implemented	:
VCED exceptions		: not available
VCEI exceptions		: not available
processor		: 1
cpu model		: Cavium Networks Octeon CN50XX V0.1
BogoMIPS		: 1000.48
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 64
extra interrupt vector	: yes
hardware watchpoint	: yes
ASEs implemented	:
VCED exceptions		: not available
VCEI exceptions		: not available

w00t, a Dual Cores 64bit MIPS chip

/ # cat /proc/meminfo 
MemTotal:        53200 kB
MemFree:         11588 kB
Buffers:          9252 kB
Cached:           9228 kB
SwapCached:          0 kB
Active:           7796 kB
Inactive:        16220 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:        53200 kB
LowFree:         11588 kB
SwapTotal:           0 kB
SwapFree:            0 kB
Dirty:               0 kB
Writeback:           0 kB
Mapped:          11272 kB
Slab:            13700 kB
CommitLimit:     26600 kB
Committed_AS:    11384 kB
PageTables:        196 kB
VmallocTotal: 1073741824 kB
VmallocUsed:      2752 kB
VmallocChunk: 1073738692 kB
HugePages_Total:     0
HugePages_Free:      0
Hugepagesize:     2048 kB

Only ~53MB of RAM if I’m reading that right. Seems most likely to be 64MB to me, but I will investigate further.

Also, as this is Linux, the source code has been made available. The README reveals it is a MC524 Router (MI424WR-GEN2 REV E/F).

The device doesn’t seem to have many of the standard Linux tools, no doubt to save space. It does however have an external USB port. My plan is to compile more of busybox, as well as some other binaries, and run them from an external USB stick.

Hacking an router has never been so easy! I’ll post more when I know more!