{"id":1160,"date":"2018-12-19T05:52:43","date_gmt":"2018-12-19T11:52:43","guid":{"rendered":"http:\/\/www.jedge.com\/wordpress\/?p=1160"},"modified":"2018-12-19T05:54:10","modified_gmt":"2018-12-19T11:54:10","slug":"have-fun-at-goodwill-part-2-finding-networking-equipment-for-fun-and-profit","status":"publish","type":"post","link":"https:\/\/www.jedge.com\/wordpress\/2018\/12\/have-fun-at-goodwill-part-2-finding-networking-equipment-for-fun-and-profit\/","title":{"rendered":"Have fun at Goodwill part 2 \u2013 Finding Networking Equipment for Fun and Profit"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignleft\" src=\"http:\/\/www.jedge.com\/images\/netgear.wgt624.jpg\" alt=\"Netgear WGT624\" width=\"289\" height=\"201\" \/>As I&#8217;ve written about previously, a great place to pick up outdated, and potentially vulnerable, wireless routers is your local Goodwill. Depending on the store those shelves can be packed with devices for only a couple bucks. While you are there you can just Google the model number followed by &#8220;exploit&#8221;, &#8220;openwrt&#8221;, or &#8220;dd-wrt&#8221; to see if you have a device worth playing with. Today I got a Netgear WGT624v2 which dates back to POTUS 43&#8217;s first term. I will detail a different adventure than my <a href=\"http:\/\/www.jedge.com\/wordpress\/2018\/06\/have-fun-at-goodwill-finding-networking-equipment-for-fun-and-profit\/\" target=\"_blank\" rel=\"noopener\">previous post<\/a>. When cracking open this device I was greeted with two pre-populated headers! We will use the JTAGulator and Dangerous Prototypes BusBlaster v4 to get access via UART and JTAG.<br \/>\n<!--more--><br \/>\n<a href=\"https:\/\/wikidevi.com\/wiki\/Netgear_WGT624v2\" target=\"_blank\" rel=\"noopener\">WikiDevi<\/a> provides some details on this device but other information is missing or incorrect. Here we will fill in the gaps. 
The main chip listed on the wiki is the Atheros AR2313, but this device has the same chip (<a href=\"http:\/\/www.jedge.com\/cpg15x\/displayimage.php?pid=135&amp;fullsize=1\" target=\"_blank\" rel=\"noopener\">AR2312A<\/a>) as version 1. When packaged with the <a href=\"http:\/\/www.jedge.com\/cpg15x\/displayimage.php?pid=141&amp;fullsize=1\" target=\"_blank\" rel=\"noopener\">AR2112A<\/a> wireless chip it is referred to as the AR5002AP-G.\u00a0 The SDRAM is a <a href=\"http:\/\/www.jedge.com\/cpg15x\/displayimage.php?pid=137&amp;fullsize=1\" target=\"_blank\" rel=\"noopener\">Winbond W981216BH-75<\/a>. On this device the flash chip is a Macronix International <a href=\"http:\/\/www.jedge.com\/cpg15x\/displayimage.php?pid=138&amp;fullsize=1\" target=\"_blank\" rel=\"noopener\">mx29lv320t-90<\/a>, which is 4 MB of storage, just like version 1 of this device. The <a href=\"https:\/\/oldwiki.archive.openwrt.org\/oldwiki\/OpenWrtDocs\/Hardware\/Netgear\/WGT624\" target=\"_blank\" rel=\"noopener\">openwrt wiki<\/a> says this version should only have 2 MB of flash storage. Some Googling reveals questions on how to debrick these devices after an official Netgear firmware update. It may have something to do with the boards being different for the same &#8220;version&#8221;. 
No matter, we will work with what we got!<\/p>\n<p>I used the <a href=\"http:\/\/www.grandideastudio.com\/jtagulator\/\" target=\"_blank\" rel=\"noopener\">JTAGulator<\/a> to identify the UART (<a href=\"http:\/\/www.jedge.com\/cpg15x\/displayimage.php?pid=131&amp;fullsize=1\" target=\"_blank\" rel=\"noopener\">img<\/a>) (<a href=\"http:\/\/www.jedge.com\/code\/JTAGulator_WGT624v2_UART_discovery.txt\" target=\"_blank\" rel=\"noopener\">output<\/a>) and the JTAG (<a href=\"http:\/\/www.jedge.com\/cpg15x\/displayimage.php?pid=134&amp;fullsize=1\" target=\"_blank\" rel=\"noopener\">img<\/a>) (<a href=\"http:\/\/www.jedge.com\/code\/netgearWGT624v2_JTAGulator_JTAG_discovery.txt\" target=\"_blank\" rel=\"noopener\">output<\/a>) pinouts. Below are the mappings for the UART and the JTAG. You can confirm the JTAG pinout from this DD-WRT <a href=\"https:\/\/forum.dd-wrt.com\/phpBB2\/viewtopic.php?t=33975\" target=\"_blank\" rel=\"noopener\">forum post<\/a>. You can confirm the UART pinout from <a href=\"http:\/\/www.embraceit.com.au\/wgt624\/WGT624SerialDiagram.jpg\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p><a href=\"http:\/\/www.jedge.com\/images\/WGT624v2%20UART%20JTAG%20Pinout.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone \" src=\"http:\/\/www.jedge.com\/images\/WGT624v2%20UART%20JTAG%20Pinout.png\" alt=\"WGT624v2 UART JTAG Pinout\" width=\"500\" height=\"330\" \/><\/a><\/p>\n<p>You can now connect to the WGT624v2 over serial and monitor the <a href=\"http:\/\/www.jedge.com\/code\/netgear_wgt624v2_uart_boot.txt\" target=\"_blank\" rel=\"noopener\">boot process<\/a>.\u00a0 Plenty of online resources show how to send a magic packet to enable Telnet on Netgear devices.\u00a0 The credentials they list are Gearbuy \/ Geardog (case sensitive).\u00a0 I found that these creds did not work over the serial connection.\u00a0 I don&#8217;t know if the previous owner changed the password.\u00a0 As of yet I have not 
done a reset of the device.\u00a0 It is unlikely the previous owner changed the password, as after some guessing I found it to be &#8220;password&#8221;.\u00a0You can now authenticate to the device to obtain menu-command access.\u00a0 You will quickly find out that the OS for this device is VxWorks version 5.4.2. We will leave exploring the OS to another time.<\/p>\n<p>While connected via UART we also connect via JTAG and use the open source\u00a0Open On-Chip Debugger (openocd). This software will (hopefully) allow us to interface with the device over JTAG. Many options exist to configure openocd to communicate with the device, and a lot of the information needs to be obtained from the datasheets (<a href=\"http:\/\/www.jedge.com\/docs\/winbond_W981216BH-75.pdf\" target=\"_blank\" rel=\"noopener\">Winbond<\/a>, <a href=\"http:\/\/www.jedge.com\/docs\/Macronix%20International%20mx29lv320.pdf\" target=\"_blank\" rel=\"noopener\">MXIC<\/a>, Atheros) for the chips on board. For our purposes we get a little lucky and can leverage an existing configuration script.<\/p>\n<p>Before leveraging an existing configuration script we will try to create our own.\u00a0 Openocd is capable of &#8220;auto probing&#8221; to try and identify the CPU. 
The CPU is the main target we will need in order to communicate with the device.<br \/>\n<pre><code>root@KALI:~# openocd -f \/usr\/share\/openocd\/scripts\/interface\/ftdi\/dp_busblaster.cfg -c &quot;adapter_khz 100; transport select jtag&quot;\nOpen On-Chip Debugger 0.10.0\nLicensed under GNU GPL v2\nFor bug reports, read\nhttp:\/\/openocd.org\/doc\/doxygen\/bugs.html\nInfo : If you need SWD support, flash KT-Link buffer from https:\/\/github.com\/bharrisau\/busblaster\nand use dp_busblaster_kt-link.cfg instead\nadapter speed: 100 kHz\njtag\nInfo : clock speed 100 kHz\nWarn : There are no enabled taps.&nbsp;&nbsp;AUTO PROBING MIGHT NOT WORK!!\nError: JTAG scan chain interrogation failed: all zeroes\nError: Check JTAG interface, timings, target power, etc.\nError: Trying to use configured scan chain anyway...\nError: IR capture error at bit 0, saw 0x00 not 0x...3\nWarn : Bypassing JTAG setup events due to errors\nWarn : gdb services need one or more targets defined<\/code><\/pre><br \/>\nUnfortunately the &#8220;auto probing&#8221; fails. 
We identified the CPU as an AR2312A.\u00a0 Openocd ships the following target script for the AR2313 (atheros_ar2313.cfg):<br \/>\n<pre><code>set _CHIPNAME ar2313\nset _CPUTAPID 0x00000001\njtag newtap $_CHIPNAME cpu -irlen 5 -expected-id $_CPUTAPID\nset _TARGETNAME $_CHIPNAME.cpu\ntarget create $_TARGETNAME mips_m4k -endian big -chain-position $_TARGETNAME<\/code><\/pre>An <a href=\"https:\/\/forum.archive.openwrt.org\/viewtopic.php?id=14205\" target=\"_blank\" rel=\"noopener\">archived Openwrt forum post<\/a>\u00a0for the ATT\u00a06800G helps us confirm that the above information will also work for the AR2312A.\u00a0 In the forum post a <a href=\"https:\/\/oldwiki.archive.openwrt.org\/doc\/hardware\/port.jtag.cable.buffered\" target=\"_blank\" rel=\"noopener\">WIGGLER<\/a> was built and the EJTAG software was used to communicate with the ATT 6800G, which has the same SoC as our device.\u00a0 This is also confirmed in this <a href=\"https:\/\/community.ubnt.com\/t5\/NanoStation-and-Loco-Devices\/flash-memory-address-of-redboot\/td-p\/257677\" target=\"_blank\" rel=\"noopener\">blog post<\/a>. One more item will need to be set so we can see if the configuration file for the AR2313 will work with our device: the &#8220;reset_config&#8221; option. Normally this is set in the board configuration file, which we will get to in a bit. We will set it at the command line for now. We only identified TRST with the JTAGulator.  This is not enough to get a reset to work.  We will also need SRST. A <a href=\"https:\/\/forum.dd-wrt.com\/phpBB2\/viewtopic.php?t=33975\" target=\"_blank\">dd-wrt<\/a> forum post identifies the header as a 14-pin header (standard MIPS EJTAG 2.5). We connect pin 11 to SRST on the Bus Blaster. 
With both reset pins connected we can run openocd with the AR2313 target script and the reset_config option:<br \/>\n<pre><code>root@KALI:~# openocd -f \/usr\/share\/openocd\/scripts\/interface\/ftdi\/dp_busblaster.cfg -f \/usr\/share\/openocd\/scripts\/target\/atheros_ar2313.cfg -c &quot;adapter_khz 100; transport select jtag; reset_config trst_and_srst&quot;\nOpen On-Chip Debugger 0.10.0+dev-00622-g322d2fa1 (2018-12-17-06:47)\nLicensed under GNU GPL v2\nFor bug reports, read\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;http:\/\/openocd.org\/doc\/doxygen\/bugs.html\nInfo : If you need SWD support, flash KT-Link buffer from https:\/\/github.com\/bharrisau\/busblaster\nand use dp_busblaster_kt-link.cfg instead\nInfo : auto-selecting first available session transport &quot;jtag&quot;. To override use &#039;transport select &lt;transport&gt;&#039;.\nar2313.cpu\nadapter speed: 100 kHz\nWarn : Transport &quot;jtag&quot; was already selected\ntrst_and_srst separate srst_gates_jtag trst_push_pull srst_open_drain connect_deassert_srst\nInfo : Listening on port 6666 for tcl connections\nInfo : Listening on port 4444 for telnet connections\nInfo : clock speed 100 kHz\nInfo : JTAG tap: ar2313.cpu tap\/device found: 0x00000001 (mfg: 0x000 (&lt;invalid&gt;), part: 0x0000, ver: 0x0)\nInfo : Listening on port 3333 for gdb connections\n<\/code><\/pre>We are now connected to the Netgear WGT624v2 over JTAG via the Bus Blaster.  We can now connect and interact with the device over telnet or the GNU Project debugger (GDB). The output listed below shows a simple interaction where we connect via telnet. We list the contents of the registers.  When they do not show anything we <strong>halt<\/strong> the system and show that the registers are now populated.  
Then we perform a <strong>reset halt<\/strong> and step through a few instructions, showing the program counter (reg pc).<br \/>\n<pre><code>root@KALI:~# telnet localhost 4444\nTrying ::1...\nTrying 127.0.0.1...\nConnected to localhost.\nEscape character is &#039;^]&#039;.\nOpen On-Chip Debugger\n&gt; reg\n===== mips32 registers\n(0) r0 (\/32)\n(1) r1 (\/32)\n(2) r2 (\/32)\n(3) r3 (\/32)\n(4) r4 (\/32)\n(5) r5 (\/32)\n(6) r6 (\/32)\n(7) r7 (\/32)\n\n. . . SNIP . . .\n\n(71) fir (\/32): 0x00000000\n&gt; halt\nMIPS32 only implemented\ntarget halted in MIPS32 mode due to debug-request, pc: 0x80242ba0\n&gt; reg\n===== mips32 registers\n(0) r0 (\/32): 0x00000000\n(1) r1 (\/32): 0x804D0000\n(2) r2 (\/32): 0x00000002\n(3) r3 (\/32): 0x00011CB5\n(4) r4 (\/32): 0x80FA56E0\n(5) r5 (\/32): 0x00000000\n(6) r6 (\/32): 0x80FA56E0\n(7) r7 (\/32): 0x80FA56E0\n\n. . . SNIP . . .\n\n(37) pc (\/32): 0x80242BA0\n\n. . . SNIP . . .\n\n&gt; reset halt\nJTAG tap: ar2313.cpu tap\/device found: 0x00000001 (mfg: 0x000 (&lt;invalid&gt;), part: 0x0000, ver: 0x0)\ntarget halted in MIPS32 mode due to debug-request, pc: 0xbfc00000\n&gt; reg\n===== mips32 registers\n(0) r0 (\/32): 0x00000000\n(1) r1 (\/32): 0x00080000\n(2) r2 (\/32): 0x00000002\n(3) r3 (\/32): 0x00011CB5\n(4) r4 (\/32): 0x80FA56E0\n(5) r5 (\/32): 0x00000000\n(6) r6 (\/32): 0x80FA56E0\n\n. . . SNIP . . .\n\n(37) pc (\/32): 0xBFC00000\n\n. . . SNIP . . .\n\n&gt; step; reg pc\ntarget halted in MIPS32 mode due to single-step, pc: 0xbfc00004\npc (\/32): 0xBFC00004\n\n. . . SNIP . . 
.\n\n&gt; step; reg pc\ntarget halted in MIPS32 mode due to single-step, pc: 0xbfc00554\npc (\/32): 0xBFC00554\n&gt; dump_image 0xBFC00554.bin 0xBFC00554 0x1000\ndumped 4096 bytes in 7.579714s (0.528 KiB\/s)<\/code><\/pre>Complete <a target=\"_blank\" href=\"http:\/\/www.jedge.com\/code\/netgear_wgt624v2_openocd_interaction.txt\">output<\/a> of the telnet commands.<br \/>\nWe dumped a block of memory starting at the program counter (dump_image) and quickly examined what we obtained with the &#8220;strings&#8221; command.  The result (note the NMI (watchdog) string) shows that we got hit by the watchdog timer.  We will need to conduct additional research on how to avoid this.  That will be for another post.  The next post will deal with setting up the board configuration file, including communication with the device&#8217;s flash. Maybe a post on interaction with GDB will follow as well.<pre><code>root@KALI:~# strings 0xBFC00554.bin\n. . . SNIP . . .\nar531x rev\n firmware startup...\nSDRAM TEST...\nPASSED\nFAILED at address:\n exp\n got\npanic: romStart failed!\n0123456789abcdef&lt;\nNMI (watchdog): ErrorPC:\nsysConsoleDump: type\n. . . SNIP . . 
.<\/code><\/pre><\/p>\n<p><strong>Resources<\/strong><br \/>\n<a href=\"https:\/\/www.netgear.com\/support\/product\/WGT624v2.aspx\" target=\"_blank\" rel=\"noopener\">https:\/\/www.netgear.com\/support\/product\/WGT624v2.aspx<\/a><br \/>\n<a href=\"https:\/\/wikidevi.com\/wiki\/Netgear_WGT624v2\" target=\"_blank\" rel=\"noopener\">https:\/\/wikidevi.com\/wiki\/Netgear_WGT624v2<\/a><br \/>\n<a href=\"https:\/\/wikidevi.com\/wiki\/Netgear_WGT624v1\" target=\"_blank\" rel=\"noopener\">https:\/\/wikidevi.com\/wiki\/Netgear_WGT624v1<\/a><br \/>\n<a href=\"https:\/\/wikidevi.com\/wiki\/Atheros_AR2313\" target=\"_blank\" rel=\"noopener\">https:\/\/wikidevi.com\/wiki\/Atheros_AR2313<\/a><br \/>\n<a href=\"http:\/\/www.jedge.com\/docs\/winbond_W981216BH-75.pdf\" target=\"_blank\" rel=\"noopener\">http:\/\/www.jedge.com\/docs\/winbond_W981216BH-75.pdf<\/a><br \/>\n<a href=\"http:\/\/www.jedge.com\/docs\/Atheros_AR2112.pdf\" target=\"_blank\" rel=\"noopener\">http:\/\/www.jedge.com\/docs\/Atheros_AR2112.pdf<\/a><br \/>\n<a href=\"http:\/\/www.jedge.com\/docs\/Macronix International mx29lv320.pdf\" target=\"_blank\" rel=\"noopener\">http:\/\/www.jedge.com\/docs\/Macronix International mx29lv320.pdf<\/a><br \/>\n<a href=\"http:\/\/web.archive.org\/web\/20040408111939\/http:\/\/www.atheros.com:80\/pt\/AR5002AP-GBulletin.htm\" target=\"_blank\" rel=\"noopener\">http:\/\/www.atheros.com:80\/pt\/AR5002AP-GBulletin.htm<\/a><\/p>\n<p><a href=\"https:\/\/forum.dd-wrt.com\/phpBB2\/viewtopic.php?t=33975\" target=\"_blank\" rel=\"noopener\">https:\/\/forum.dd-wrt.com\/phpBB2\/viewtopic.php?t=33975<\/a><br \/>\n<a href=\"https:\/\/forum.archive.openwrt.org\/viewtopic.php?id=12672\" target=\"_blank\" rel=\"noopener\">https:\/\/forum.archive.openwrt.org\/viewtopic.php?id=12672<\/a><br \/>\n<a href=\"https:\/\/oldwiki.archive.openwrt.org\/oldwiki\/OpenWrtDocs\/Hardware\/Netgear\/WGT624\" target=\"_blank\" 
rel=\"noopener\">https:\/\/oldwiki.archive.openwrt.org\/oldwiki\/OpenWrtDocs\/Hardware\/Netgear\/WGT624<\/a><br \/>\n<a href=\"https:\/\/forum.archive.openwrt.org\/viewtopic.php?id=14205\" target=\"_blank\" rel=\"noopener\">https:\/\/forum.archive.openwrt.org\/viewtopic.php?id=14205<\/a><br \/>\n<a href=\"https:\/\/community.ubnt.com\/t5\/NanoStation-and-Loco-Devices\/flash-memory-address-of-redboot\/td-p\/257677\" target=\"_blank\" rel=\"noopener\">https:\/\/community.ubnt.com\/t5\/NanoStation-and-Loco-Devices\/flash-memory-address-of-redboot\/td-p\/257677<\/a><\/p>\n<p><a href=\"https:\/\/www.youtube.com\/watch?v=IwnPbNhd2GM\" target=\"_blank\" rel=\"noopener\">https:\/\/www.youtube.com\/watch?v=IwnPbNhd2GM<\/a><br \/>\n<a href=\"http:\/\/techwithdave.davevw.com\/2013\/07\/getting-started-with-openocd.html\" target=\"_blank\" rel=\"noopener\">http:\/\/techwithdave.davevw.com\/2013\/07\/getting-started-with-openocd.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>As I&#8217;ve written about previously, a great place to pick up outdated, and potentially vulnerable, wireless routers is your local Goodwill. Depending on the store those shelves can be packed with devices for only a couple bucks. 
While you are there you can just Google the model number followed by &#8220;exploit&#8221;, &#8220;openwrt&#8221;, or &#8220;dd-wrt&#8221; to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[3,163,114],"tags":[172,176,171],"class_list":["post-1160","post","type-post","status-publish","format-standard","hentry","category-configuration","category-hacking","category-hardware-hacking","tag-jtagulator","tag-openocd","tag-uart"],"_links":{"self":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1160","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/comments?post=1160"}],"version-history":[{"count":25,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1160\/revisions"}],"predecessor-version":[{"id":1186,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1160\/revisions\/1186"}],"wp:attachment":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/media?parent=1160"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/categories?post=1160"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/tags?post=1160"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}