Haxorware Forums

Full Version: Access to linux side of combo router/modem
I'm in the middle of a Netgear beta test of a new variant of their existing C7000B 24x8 DOCSIS 3 cable modem / router. Being a beta unit, it has an added Ethernet WAN port for testing of the wireless router side of the unit without the cable modem side used. (They're waiting until after the beta test of the router features / stability before having the unit certified on the cable provider's networks. After we're done with Phase I we'll be testing it on the cable network in Phase II).

I have access to the eCos shell on the unit, but the 'shell' command for invoking the Linux shell is not functional. Anyone that knows Netgear's equipment or combo modem / routers better than I do have a clue on how I might gain access to the Linux side of this router (without JTAG/console access)?

Unfortunately, eCos is an operating system itself and not Linux-based. Most likely a Broadcom system, you should be able to use the same BCM eCos syntax as in other models discussed here to achieve what you're after and more.

(13-02-2015, 05:05 AM) neo_ Wrote: Unfortunately, eCos is an operating system itself and not Linux-based. Most likely a Broadcom system, you should be able to use the same BCM eCos syntax as in other models discussed here to achieve what you're after and more.

I'm pretty sure the combination modem / router is running both Linux and eCos. I think Netgear's chosen to use a system with two CPU cores, each running differing OSes. The product engineer we're dealing with keeps referring to things being possible or not possible because of how the two "sides" (his term) of the device function. The two separate running "systems" (I'll call it that out of lack of a better term this early in the morning) communicate over a virtual switch on 192.168.17.x & 192.168.100.x subnets. That much I've figured out.

Binwalking the firmware image shows a full Linux directory structure and a lot of developer comments left in source or shell scripts. Here are a few of the strings that lead me to believe that the second CPU is running Linux:

/home/miwang/tchain2/buildroot/tool
ps/gcc-4.2.3d
/mips-linux-
2.6.30-1.0.10mp4 SMP mod_unload MIPS32_R1 32BIT
libsqlite3.so.0
/var/samba/sbin
/var/samba/lib/smb.conf
/var/samba/locks
/var/sysmsg
/var/iproute2/rt_tables
/var/printcap
/var/passwd+
/var/fyi/sys/gateway
/var/ipsec/racoon.conf
/etc/hosts.equiv
/etc/shells
RESOLV_CONF="/etc/resolv.conf"

Also, a 'show all' in eCos displays the following:
Code:
+----------------------------------------------------------------------------+
|       _/_/     _/_/_/_/    _/_/                                            |
|      _/  _/   _/        _/    _/   Broadband                               |
|     _/  _/   _/        _/                                                  |
|    _/_/     _/_/_/    _/           Foundation                              |
|   _/  _/   _/        _/                                                    |
|  _/   _/  _/        _/    _/       Classes                                 |
| _/_/_/   _/          _/_/                                                  |
|                                                                            |
| Copyright (c) 1999 - 2014 Broadcom Corporation                             |
|                                                                            |
| Revision:  5.5.10mp4                                                       |
|                                                                            |
| Features:  BCM93384WVG Console TelnetConsole SshConsole Nonvol Fat         |
| Features:  HeapManager SNMP Networking IPv6 (script                        |
| Features:  bcm93384wvg_U12C298T00) Switch53124 LinuxOnZephyr               |
+----------------------------------------------------------------------------+
| Standard Embedded Target Support for BFC                                   |
|                                                                            |
| Copyright (c) 2003-2014 Broadcom Corporation                               |
|                                                                            |
| Revision:  3.0.1                                                           |
|                                                                            |
| Features:  PID=0xc298 BID=0x0 Bootloader-Rev=2.5.0beta1                    |
| Features:  Bootloader-Compression-Support=0x11 MANUFACT_BITS=0xc           |
| Features:  Dual-band Wifi Bcm80211=Build Jan 22 2015 22:35:15              |
| Features:  App Ver 6.37.14.87.5510.171.22                                  |
| Features:  Wl Ver 6.37.14.87.5510.171.22                                   |
| Features:  IopLib-Rev=5510.70.4                                            |
+----------------------------------------------------------------------------+
| eCos BFC Application Layer                                                 |
|                                                                            |
| Copyright (c) 1999 - 2014 Broadcom Corporation                             |
|                                                                            |
| Revision:  3.0.2                                                           |
|                                                                            |
| Features:  eCos Console Cmds, (no Idle Loop Profiler)                      |
+----------------------------------------------------------------------------+
|         _/_/    _/     _/                                                  |
|      _/    _/  _/_/ _/_/   DOCSIS Cable Modem                              |
|     _/        _/  _/ _/                                                    |
|    _/        _/     _/                                                     |
|   _/        _/     _/                                                      |
|  _/    _/  _/     _/                                                       |
|   _/_/    _/     _/                                                        |
|                                                                            |
| Copyright (c) 1999 - 2014 Broadcom Corporation                             |
|                                                                            |
| Revision:  5.5.10mp4                                                       |
|                                                                            |
| Features:  AckCel(tm) DOCSIS 1.0/1.1/2.0/3.0 Propane(tm) CM SNMP w/Factory |
| Features:  MIB Support CM Vendor Extension eDOCSIS SLED D3.0 Drop          |
| Features:  Classifiers FAP NA Production Custom UI                         |
+----------------------------------------------------------------------------+
| Broadcom Data-Only CM Vendor Extension                                     |
|                                                                            |
| Copyright (c) 1999 - 2014 Broadcom Corporation                             |
|                                                                            |
| Revision:  3.0.2                                                           |
|                                                                            |
| Features:  DHCP Server  HTTP Server  OSS2-N-03025 Visualization LED        |
| Features:  Controller                                                      |
+----------------------------------------------------------------------------+
|        _/      _/      _/     _/_/                                         |
|       _/       _/    _/    _/    _/   Linux                                |
|      _/         _/ _/    _/                                                |
|     _/          _/      _/            Based                                |
|    _/         _/ _/     _/  _/_/_/                                         |
|   _/        _/    _/   _/    _/       Gateway                              |
|  _/_/_/_/ _/      _/    _/_/_/                                             |
|                                                                            |
| Copyright (c) 1999 - 2014 Broadcom Corporation                             |
|                                                                            |
| Revision:  2.6.30-1.0.10mp4                                                |
|                                                                            |
| Features:  /home/justin/LxG1.0.10/targets/3384Kcode/bcm93384               |
| Features:  #0 SMP Wed Nov 19 13:08:42 CST 2014                             |
| Features:  root@localhost.localdomain.                                     |
| Features:  gcc version 4.2.3                                               |
| Features:  BUILD OPTIONS: FS_KERNEL_IMAGE_NAME=bcm93384 LIBOPT=n           |
| Features:  PROFILE=3384Kcode                                               |
| Features:  Applications: DLNA, NAS                                         |
+----------------------------------------------------------------------------+
|                 _/_/_/                                                     |
|        _/_/    _/    _/    eRouter Dual Stack                              |
|     _/    _/  _/    _/                                                     |
|    _/_/_/_/  _/_/_/                                                        |
|   _/        _/ _/                                                          |
|  _/        _/   _/                                                         |
|   _/_/_/  _/     _/                                                        |
|                                                                            |
| Copyright (c) 1999 - 2014 Broadcom Corporation                             |
|                                                                            |
| Revision:  5.5.10mp4                                                       |
|                                                                            |
| Features:  eRouter SNMP Customer Extension NATP DS-Lite                    |
+----------------------------------------------------------------------------+
| Broadcom eRouter Customer Extension                                        |
|                                                                            |
| Copyright (c) 1999 - 2014 Broadcom Corporation                             |
|                                                                            |
| Revision:  3.0.2                                                           |
|                                                                            |
| Features:  ()                                                              |
+----------------------------------------------------------------------------+
| Build Date:  Jan 23 2015                                                   |
From those license banners it appears that eCos is running as a layer on top of linux.
Edited to add: I shouldn't post before I'm awake, I take back the previous line and realize it's most likely talking about the application layer of the OSI model. *facepalm*

Honestly, I'd be happy with just getting SNMP enabled on the LAN side. I've been bashing my head against the desk over the SNMP configuration in eCos and can't get it to respond to SNMPv1/v2 requests.

Interesting, I'd love to get my hands on that firmware/device but I'm sure you signed an NDA.

You might be successful with reverse engineering parts of the firmware to get SNMP access, but I can't really state much with my blind position. Building upon your binwalking, may I suggest the following overview as a possibly useful guide.

http://w00tsec.blogspot.com

https://github.com/Broadcom/aeolus
Interesting, seems there should be another UART console for the Linux side.

The only serial cable I have suitable for connecting to a console is my Cisco console cable and a USB-Serial adapter. I might just build a small adapter to plug the Cisco cable into that breaks it out into individual lines so I can poke around and find the Linux side's console. (I don't want to hack my cable apart.)

Unfortunately, once these combination modem / routers are certified for use on cable networks it will be the cable networks themselves pushing all firmware updates and choosing what features to enable / disable. The end user, even though they'll be available at retail, will have no control over what firmware is pushed to their device. The access the beta testers have (such as hidden pages for enabling / disabling the dedicated ethernet WAN ports that the test units have, telnet access, etc) will be locked down when they get certified. I have the firmware images we're beta testing, but once we move to Phase II and the images are pushed to the devices by the cable networks I won't have access to the web gui firmware update page. I'm hoping to find a way to restore beta firmware without the use of the web gui.

I am however looking forward to Phase II because we've been told we will be testing the full capacity of the modem. Right now my existing modem is an 8x4 channel on a 50Mbps tier which is the highest offered by my cable provider. Can't wait to see what 24x8 is capable of.

(14-02-2015, 07:29 AM) drewmerc Wrote: https://github.com/Broadcom/aeolus
Interesting, seems there should be another UART console for the Linux side.

I get a kick out of the fact that the reference design on github that you linked to is running OpenWRT on the linux CPU. Wonder if mine is.

https://github.com/Broadcom/aeolus/blob/...ux-log.txt

The reference design you linked to specifies two UARTs because it also specifies the CM & Router are two separate boards joined by a ribbon cable. The board in this router has one 4 pin header that looks like a console port and another two row shrouded header with a pin pitch / spacing that looks a lot closer together than the 4 pin header and has quite a few more pins. I haven't taken a good enough look at it yet to see how many pins are on the two row header. The 4 pin is most likely a UART console and the 2 row higher density header is most likely a JTAG interface or even USB since these are supposed to have both host & device type USB ports. There's even mention of a USB-Serial interface being integrated that would require just a USB cable with the proper pin header end on it, plugged into a computer and it would appear as an FTDI serial chip.

OK, now I wanna see pics of your PCB.

You may be able to access the Linux side of the router the same way I accessed it on an N450/CG3000Dv2.

Sign into the web interface and plug in a USB drive. It takes a while to be mounted and show up.

Click the Advanced tab, then click ReadySHARE, then click Advanced Settings.

Under "Available Network Folders", click "Create Network Folder".

Right-click on the "Folder" text entry field and click "Inspect". This will bring up the Chrome DevTools Elements panel.

Right-click on the highlighted element for the field and click "Edit as HTML". Delete the following text: readonly="true"

Now you can click in the "Folder" text entry field and enter a forward slash.

Enter something for "Share Name". I used root_fs. You can change read and write access drop-downs if you like.

Click "Apply" and now you should be able to open Windows Explorer to \\readyshare or \\192.168.0.5 and you will have access to your root filesystem.

Now you can edit the /etc/passwd file to your liking. I changed /bin/false on the admin line to /bin/sh and could successfully telnet to 192.168.0.5 with the same username and password used to access the web interface.
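
The steps in the post above work because the only thing keeping the "Folder" value on the USB drive was the readonly attribute in the browser. As an added example (not Netgear's code and not part of the original post), this is the kind of server-side check that closes that gap; the function name is hypothetical and /tmp stands in for the USB mount point.

```c
/* Added example: validate a requested share folder on the server side. */
#define _XOPEN_SOURCE 700   /* realpath() with a NULL buffer (POSIX.1-2008) */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: returns true only if `requested` resolves to
 * `mount_root` itself or to something beneath it. Both paths are
 * canonicalised with realpath(), so "..", repeated slashes and symlinks
 * stored on the drive cannot point the share outside the mounted volume. */
bool share_path_allowed(const char *mount_root, const char *requested)
{
    bool ok = false;
    char *root = realpath(mount_root, NULL);
    char *path = realpath(requested, NULL);   /* NULL if it does not exist */

    if (root && path) {
        size_t n = strlen(root);
        /* A mount root of "/" would make every path match: refuse it. */
        if (n > 1 && strncmp(path, root, n) == 0 &&
            (path[n] == '\0' || path[n] == '/'))
            ok = true;
    }
    free(root);
    free(path);
    return ok;
}

int main(void)
{
    /* Constructed stand-in: /tmp plays the role of the USB mount point. */
    const char *mount = "/tmp";
    const char *tests[] = { "/tmp", "/tmp/.", "/", "/tmp/..", "/etc/passwd" };

    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++)
        printf("%-12s -> %s\n", tests[i],
               share_path_allowed(mount, tests[i]) ? "allow" : "reject");
    return 0;
}
```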