Sunday, July 26, 2015

Hacking the Leviton 10/100 Mbps 4-port Internet Gateway

For my first foray into hardware hacking I decided to see what I could get out of an old home Internet gateway that I had lying around. The device worked pretty well when I first got it, but I ended up replacing it with an updated wireless gateway a couple of years ago.





First, a look inside:


Chips


Name: 40 PIN SMD ETHERNET 10/100 BASE QUAD PORT TRANSFORMER


Name: 10 BASE-T SMD ETHERNET TRANSFORMER


Name: 2M x 32 Synchronous DRAM (SDRAM)


Name: UNKNOWN

Bus Pirate Setup

MOSI – TX
MISO – RX
GND – GND

Configure the Bus Pirate:
HiZ>m
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. LCD
9. DIO
x. exit(without change)

(1)>3
Set serial port speed: (bps)
 1. 300
 2. 1200
 3. 2400
 4. 4800
 5. 9600
 6. 19200
 7. 38400
 8. 57600
 9. 115200
10. BRG raw value

(1)>9
Data bits and parity:
 1. 8, NONE *default
 2. 8, EVEN
 3. 8, ODD
 4. 9, NONE
(1)>1
Stop bits:
 1. 1 *default
 2. 2
(1)>1
Receive polarity:
 1. Idle 1 *default
 2. Idle 0
(1)>1
Select output type:
 1. Open drain (H=Hi-Z, L=GND)
 2. Normal (H=3.3V, L=GND)

(1)>2
Ready
UART>(0)
 0.Macro menu
 1.Transparent bridge
 2. Live monitor
 3.Bridge with flow control
UART>(1)
UART bridge
Reset to exit
Are you sure? Y

Serial Connections


My initial search for the UART pins centered on JP3 (top of the picture above); hardware vendors typically remove the pins for a UART connection before manufacture. The bottom right pad (in the orientation of the picture above) was ground and the top right pad did have 3.3v; the left pads had neither voltage nor ground. However, when I set up my oscilloscope and rebooted the device, there were no voltage variations on the top right pad…

So next I started looking at JP1 and JP2. JP2 (bottom pin header) showed some promise, with GND and some 3.3v pins. Trial and error on the 3.3v connections with the oscilloscope found that the top left pin was the TX for the serial connection.

JP2 pin labels (from the photo): TX, 3.3v, RX, GND

I had a bit of trouble actually finding the RX pin because I had not configured my Bus Pirate for Normal output (3.3v) rather than open drain, but once I sorted that out I found the RX pin and was off to the races!

Interacting with the Device

Once the TX and RX pins were found and the Bus Pirate was connected to those and GND, interaction with the device became possible.

Got the 2MXI_8bits Flash ROM

ADM5106 Boot:








                            NetMall System Boot


Copyright 2002  ADMtek, Inc.



CPU: ADM5106 Home Gateway Processor
POST Version: 2.00.0170
Creation Date: 2003.01.13


Press <space> key three times to stop autoboot...
0

Verifying product code......PASS
Boot Product Code!!!
Entered INIT state.

DHCPS:DHCP Server Started.

======================================================
  Mars project:
    Command Line Interface. 2.19.0001 v.2005.06.14
======================================================

cmd>

So we can see that we have an ADM5106 chip. Some searching uncovers the datasheet (http://hri.sourceforge.net/ADM5106_datasheet_v1.37.pdf), which indicates it is a full-fledged “Home Gateway Controller” by ADMtek Incorporated, a company purchased by Infineon in 2004 (http://www.infineon.com/cms/en/about-infineon/press/press-releases/2004/128207.html).

From the documentation, the chip is described as: “The ADM5106/5107 is an ARM7-based home gateway controller integrated with 7-port switch, 5-port 10/100BaseT/TX PHY, and peripheral interface such as USB, SDRAM and flash memory.”

Next is to see what commands we can run from the command prompt:

cmd> help

            Command Line Interface v0.01
======================================================
rmem      : Read memory.
        Usage : rmem <Address> [Num of Words]
wmem      : Write memory.
        Usage : wmem <Address> <Data0> [Data1] ... [Data7]
rmi       : read mii phy register.
        Usage : rmi <phy addr> <reg>
wmi       : write mii phy register.
        Usage : wmi <phy addr> <reg> <Data>
time      : Get current system time.
        Usage : time
settime   : Set system time.
        Usage : settime <hh:mm:ss> [yy/mm/dd] [TZ(GMT +/- hour)]
help      : List all commands.
        Usage : help
mkdir     : Make directories.
        Usage : mkdir <DIRECTORY>
create    : Create files.
        Usage : create <FILE>
cat       : Concatenate files.
        Usage : cat <FILE>
ls        : List directory contents.
        Usage : ls <DIRECTORY>
rm        : Remove files.
        Usage : rm <FILE>
rmdir     : Remove directories.
        Usage : rmdir <DIRECTORY>
copy      : Copy files.
        Usage : copy <source> <destination>
nvclear   : Clear all of the NVFS files.
        Usage : nvclear
routeShow : Show Route.
        Usage : routeShow
mbufShow  : Show Mbuf statistics.
        Usage : mbufShow
ifShow    : Dispaly network interface.
        Usage : ifShow <ifname>
ifAllShow : Dispaly all network interface.
        Usage : ifAllShow
taskShow  : Show Task informations.
        Usage : taskShow
semShow   : Show Semaphore informations.
        Usage : semShow
timerShow : Show Timer informations.
        Usage : timerShow
memShow   : Show memory pool informations.
        Usage : memShow
msgqShow  : Show message queue informations.
        Usage : msgqShow
eventShow : Show event group informations.
        Usage : eventShow
knlShow   : Show kernel resource informations.
        Usage : knlShow
ipConfig  : Configure interface address and subnet mask.
        Usage : ipConfig [ifname] [ip] [subnet mask]
ipStatus  : Change IP status. 1 for Enabled, 2 for Disabled..
        Usage : ipStatus [ifname] [status]
ipAdd     : Add alias IP address..
        Usage : ipAdd [ifname] [ip] [netmask]
ipDel     : Delete alias IP address..
        Usage : ipAdd [ifname] [ip] [netmask]
ethmib    : Show/Reset ethernet port MIB counters.
        Usage : ethmib [reset]
arpAdd    : Add an ARP entry to ARP table..
        Usage : arpAdd [ip] <Ethernet Address>
arpDel    : Delete an ARP entry..
        Usage : arpDel [ip]
arpGet    : Get the hardware address of a specify IP..
        Usage : arpGet [ip]
arpFlush  : Flush ARP table..
        Usage : arpFlush [ifname]
ping      : Ping a host..
        Usage : ping [ip] [ms]
dhcpcRelease: Release the IP address for the specified interface..
        Usage : dhcpcRelease [ifname]
dhcpcRenew: Renew the IP address for the specified interface..
        Usage : dhcpcRenew [ifname]
dhcpsStart: Start DHCP Server..
        Usage : dhcpsStart
dhcpsStop : Stop DHCP Server..
        Usage : dhcpsStop
dhcpsAddIp: Add static IP to the DHCP server.
        Usage : dhcpsAddIp [mac(00-00-00-00-00-00)] [ip(xxx.xxx.xxx.xxx)]
dhcpsDelIp: Delete static IP from the DHCP server.
        Usage : dhcpsDelIp [mac(00-00-00-00-00-00)]
dhcpsDelAllIp: Delete all static IP from the DHCP server.
        Usage : dhcpsDelAllIp
dhcpsBindingNum: Print binding number of the DHCP server.
        Usage : dhcpsBindingNum
natShow   : Show NAT link table information.
        Usage : natShow
gethostbyname: gethostbyname.
        Usage : gethostbyname
logSet    : Debug log level setting.
        Usage : logSet [key] [level]

So, a few of those look interesting… I started with the basic commands (ifShow, ls, etc.) and found some good information:

cmd> ls

 D              nv
 D              dev
 D              tmp
 D              etc

          4 File(s)      0 bytes

cmd> ls nv

 F        85    download_cfg
 F        81    user
 F       636    pppoecfg
 F       104    dhcpc_cfg
 F       224    ip_cfg
 F        24    nat_cfg
 F       160    nat_cfg_masq
 F       460    nat_cfg_rd
 F      1210    nat_cfg_vs
 F        54    nat_cfg_dmz
 F      1180    nat_cfg_trg
 F       168    route_cfg
 F        16    dns_relay_cfg
 F       284    dhcps
 F        48    dhcpsblk
 F      3795    dhcpsls
 F        16    time_zone_cfg
 F        80    sntpc_cfg
 F        28    firewall_cfg
 F         4    ip_defense_cfg
 F       212    ip_filter_cfg
 F       741    url_block_cfg
 F        32    rip_cfg
 F        52    http_cfg
 F        16    access_host_cfg
 F       647    pptpcfg
 F       272    ethftr_cfg
 F        76    tftpc_cfg
 F        72    tftps_cfg
 F        40    upnp_syscfg
 F        12    admin_cfg
 F       136    bpa_login_cfg
 F        48    ip_bootup
 F         4    mtu_adm1
 F         4    usr_wan_ping
 F         4    ddnsc_str
 F      2884    ddnsc_cfg

          37 File(s)      13909 bytes

cmd> cat nv/user
61 64 6D 69 6E 00 00 00 00 00 00 00 00 61 64 6D 69 6E 00 00
00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00
File size: 81

Note: in order to ‘cat’ files you must include the full path, as there is no ‘cd <dir>’ command. Decoded as ASCII, ‘cat nv/user’ equates to admin/admin, which is the default username and password for the device.

One other interesting file was ‘etc/resolv.conf’, whose nameserver entry, once looked up, returned ‘dns.hinet.net’ as the FQDN:

cmd> cat etc/resolv.conf
6E 61 6D 65 73 65 72 76 65 72 20 31 36 38 2E 39 35 2E 31 2E
31 00
File size: 22

Which, translated to ASCII, reads:
nameserver 168.95.1.1

Look-ups on that address then showed:

User756664:~ pkincaid$ host 168.95.1.1
1.1.95.168.in-addr.arpa domain name pointer dns.hinet.net.
User756664:~ pkincaid$ whois hinet.net

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

HINET.NET.TW
HINET.NET

OK, enough with the small talk – the mother lode was the ‘rmem’ and ‘wmem’ commands. With those you can read and write memory!

The documentation on the chip (link above) was very helpful in describing what lives at the various memory locations. To verify that the documentation was indeed correct: the ‘Switch Register Map’ in Chapter 10 shows that at Base + 00 you should find the model of the chip, which in my case is the 5106. Chapter 7 was also very helpful in showing that the ‘switch’ base is at 0x88000000, and reading there indeed showed 5106. So the documentation appears to be accurate.

cmd> rmem 0x88000000

88000000: 00005106

The other command line parameter for ‘rmem’ is the number of bytes to read. Playing around with the Switch Register memory location (0x88000000) and reading 32 bytes at a time kept rebooting the device. Lo and behold, at Base + 04 is SftReset; sure enough, read that memory location and the device reboots:

cmd> rmem 0x88000004

8∏Got the 2MXI_8bits Flash ROM

ADM5106 Boot:          

And at Base + 08 is MIBReset; reading it zeroes the port counters that ethmib reports:

cmd> ethmib
           Port 0    Port 1    Port 2    Port 3    Port 4    Port 5    Port 6
==============================================================================
RxPkts  | 00000000  00000000  00000000  00000000  00000041  00000000  00000000
RxBytes | 00000000  00000000  00000000  00000000  0000265c  00000000  00000000
RxBC    | 00000000  00000000  00000000  00000000  0000002d  00000000  00000000
RxMC    | 00000000  00000000  00000000  00000000  0000000e  00000000  00000000
RxErr   | 00000000  00000000  00000000  00000000  00000000  00000000  00000000
TxPkts  | 00000000  00000000  00000000  00000000  0000000a  00000000  00000000
TxBytes | 00000000  00000000  00000000  00000000  000006e0  00000000  00000000
TxCols  | 00000000  00000000  00000000  00000000  00000000  00000000  00000000

cmd> rmem 0x88000008

88000008: 00000000

cmd> ethmib
           Port 0    Port 1    Port 2    Port 3    Port 4    Port 5    Port 6
==============================================================================
RxPkts  | 00000000  00000000  00000000  00000000  00000000  00000000  00000000
RxBytes | 00000000  00000000  00000000  00000000  00000000  00000000  00000000
RxBC    | 00000000  00000000  00000000  00000000  00000000  00000000  00000000
RxMC    | 00000000  00000000  00000000  00000000  00000000  00000000  00000000
RxErr   | 00000000  00000000  00000000  00000000  00000000  00000000  00000000
TxPkts  | 00000000  00000000  00000000  00000000  00000000  00000000  00000000
TxBytes | 00000000  00000000  00000000  00000000  00000000  00000000  00000000
TxCols  | 00000000  00000000  00000000  00000000  00000000  00000000  00000000

cmd>


Besides the memory map from the documentation, a couple of the command line options are very useful for memory analysis:

cmd> knlShow

Task Table List
-------------------------------------------------
   Name            Priority         Status
=================================================
0. KnlTask         0        QUEUE_SUSPEND      
1. tNetTas         50       READY              
2. tNvTask         100      SLEEP_SUSPEND      
3. tLog            100      READY              
4. tInLog          100      READY              
5. tOutLog         100      READY              
6. tDhcpcT         100      QUEUE_SUSPEND      
7. tDnsPro         100      READY              
8. tDhcpsT         100      QUEUE_SUSPEND      
9. tSntpc          100      READY               
10. tHttpD          100      READY              
11. tHtpTsk         100      QUEUE_SUSPEND      
12. clitask         5        READY              
13. tUpnpD          100      READY              
14. tUpnpTs         100      QUEUE_SUSPEND       
15. tFpi            100      READY              
-------------------------------------------------



Memory Pool List
--------------------------------------------------------------------------
   Name            StartAddr  Size  MinAlloc Available    Type TasksWaiting
===========================================================================
0. KenMem          0x1747B4   1048576   48      219168    FIFO          0        
1. FileMem         0x274834   786432    48      376       FIFO          0         
2. SysMem          0x3348B4   524288    48      183804    FIFO          0        
---------------------------------------------------------------------------



Semaphore Table List
-------------------------------------------------------
   Name             Type      Count  TasksWaitting
=======================================================
0. MFS_SEM         FIFO      1       0      
1. netSem          FIFO      0       0      
2. splSem          FIFO      1       0      
3. hosttbl         FIFO      1       0      
4. mblksem         PRIORITY  1       0      
5. mclsem          PRIORITY  1       0      
6. FLSH            FIFO      1       0      
7. sio_Rx0         FIFO      0       0      
8. sio_RT0         FIFO      0       0      
9. NVRAM           FIFO      1       0      
10. log_sem         FIFO      1       0      
11. mac_clo         FIFO      1       0      
12. inlog_s         FIFO      1       0      
13. outlog_         FIFO      1       0      
14. downloa         FIFO      1       0      
15. user_cf         FIFO      1       0      
16. pppoe_c         FIFO      1       0      
17. dhcpc_c         FIFO      1       0      
18. DhcpcSe         FIFO      1       0      
19. dhcpcMu         FIFO      1       0      
20. dhcpcEv         FIFO      1       0      
21. dhcp_ti         FIFO      1       0      
22. leaseSe         FIFO      1       0      
23. ip_cfg          FIFO      1       0      
24. nat_cfg         FIFO      1       0      
25. route_c         FIFO      1       0      
26. dns_rel         FIFO      1       0      
27. dhcps_c         FIFO      1       0      
28. time_zo         FIFO      1       0      
29. sntpc_c         FIFO      1       0      
30. sotSem          FIFO      1       0       
31. sorSem          FIFO      1       0      
32. sosSem          FIFO      1       0      
33. ip_fire         FIFO      1       0      
34. ip_defe         FIFO      1       0      
35. ip_filt         FIFO      1       0      
36. url_blo         FIFO      1       0      
37. rip_cfg         FIFO      1       0      
38. http_cf         FIFO      1       0      
39. access_         FIFO      1       0      
40. pptp_cf         FIFO      1       0      
41. ethftr_         FIFO      1       0      
42. TftpcCf         FIFO      1       0      
43. TftpcTa         FIFO      1       0      
44. TftpsCf         FIFO      1       0      
45. TftpsTa         FIFO      1       0      
46. upnp_cf         FIFO      1       0      
47. sotSem          FIFO      1       0      
48. sorSem          FIFO      1       0      
49. sosSem          FIFO      1       0      
-------------------------------------------------------



Timer Table List
-------------------------------------------------------
   Name            Status    InitialTime Expirations
=======================================================
0. t0              Enable    100        0               
1. t1              Enable    20         0               
2. t2              Enable    50         0               
3. t3              Enable    6000       0               
4. t4              Disable   1          1               
5. t5              Enable    60000      0               
6. t6              Enable    6000       0                
7. t7              Enable    4319200    0               
8. t8              Disable   100        1               
9. t9              Disable   100        1               
10. SelTime         Disable   2          1               
11. SelTime         Disable   5          0               
12. SelTime         Disable   2          1               
-------------------------------------------------------



Message queue List
--------------------------------------------------------------------------
   Name            StartAddr     Size   Available    Suspend  TasksWaiting
===========================================================================
0. KnlQueu         0x3379C8   40        40          FIFO       1        
1. netq            0x337AA4   600       588         FIFO       0        
2. logQ            0x335970   230       230         FIFO       0        
3. inlogQ          0x3364C4   40        40          FIFO       0        
4. outlogQ         0x336D44   40        40          FIFO       0        
5. dhcpEve         0x3459BC   40        40          FIFO       1        
6. dnsprox         0x349168   3         3           FIFO       0        
7. dhcpsEv         0x34C898   90        90          FIFO       1        
8. sntpc           0x34ED54   2         2           FIFO       0        
9. httpdq          0x354738   6         6           FIFO       0        
10. httpd           0x3547D4   10        10          FIFO       1        
11. upnpq           0x35B650   5         5           FIFO       0        
12. upnphtt         0x35B6EC   10        10          FIFO       1        
---------------------------------------------------------------------------



Event Group List
--------------------------------------------
   Name                Flag   tasksWaiting
=============================================
-----------------------------------------------

The Memory Pool List and Message Queue List give us some memory addresses to take a look at. From the queue list, the Kernel Queue is at 0x3379c8 and has a size of 40:

cmd> rmem 0x3379c8 40

003379c8: ffff0000 ffff0000 ffff0000 ffff0000 ffff0000 ffff0000 ffff0000 ffff0000
003379e8: ffff0000 ffff0000 ffff0000 ffff0000 00337a38 003379b8 ffff0000 001728e0
00337a08: 00386c8c 00338414 00000000 53454d41 5f53464d 004d4553 00000001 00000001
00337a28: 00000000 00000000 ffff0000 ffff0000 00337a94 003379f8 ffff0000 001728e0
00337a48: 00169858 00335914 00000000 51554555 7174656e 00000000 00000101 00000258
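Decoding these dumps by hand is tedious, so here is a small Python helper, added for this write-up and not part of the original post or of any ADMtek tooling. It reassembles the byte image from the ‘cat nv/user’ and ‘cat etc/resolv.conf’ dumps shown earlier (checking the ‘File size:’ trailer), and from the ‘rmem 0x3379c8 40’ dump above; note that the device’s help text calls the second rmem argument “Num of Words”, and the dump for 40 came back as 40 32-bit words (160 bytes), so the parser treats it as words. It then runs a ‘strings’ pass, and it flags the two switch registers the post found to have read side effects (SftReset at 0x88000004, MIBReset at 0x88000008) before a planned rmem. The kernel-object layout it looks for is my own interpretation, not anything stated in the post or datasheet: the dump contains the words 0x53454d41 and 0x51554555, which read as ASCII “SEMA” and “QUEU”, each followed by little-endian bytes spelling “MFS_SEM” and “netq”, the names of the first semaphore and the second message queue in knlShow; the two words after “netq” are 0x101 and 0x258 = 600, which matches netq’s Size in the Message queue List. All sample input is copied from the post’s output.

```python
import re
import struct

# Constructed by copying the output quoted in the post.
USER_CAT = """\
61 64 6D 69 6E 00 00 00 00 00 00 00 00 61 64 6D 69 6E 00 00
00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00
File size: 81
"""

RESOLV_CAT = """\
6E 61 6D 65 73 65 72 76 65 72 20 31 36 38 2E 39 35 2E 31 2E
31 00
File size: 22
"""

RMEM_DUMP = """\
003379c8: ffff0000 ffff0000 ffff0000 ffff0000 ffff0000 ffff0000 ffff0000 ffff0000
003379e8: ffff0000 ffff0000 ffff0000 ffff0000 00337a38 003379b8 ffff0000 001728e0
00337a08: 00386c8c 00338414 00000000 53454d41 5f53464d 004d4553 00000001 00000001
00337a28: 00000000 00000000 ffff0000 ffff0000 00337a94 003379f8 ffff0000 001728e0
00337a48: 00169858 00335914 00000000 51554555 7174656e 00000000 00000101 00000258
"""


def parse_cat(text):
    """Reassemble a file's bytes from 'cat <FILE>' output; verify the 'File size:' trailer."""
    hex_bytes, size = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"File size:\s*(\d+)$", line)
        if m:
            size = int(m.group(1))
        elif line:
            hex_bytes.extend(line.split())
    data = bytes(int(h, 16) for h in hex_bytes)
    if size is not None and size != len(data):
        raise ValueError("File size says %d bytes, dump has %d" % (size, len(data)))
    return data


RMEM_LINE = re.compile(r"^([0-9a-fA-F]{8}):((?:\s+[0-9a-fA-F]{8})+)$")


def parse_rmem(text):
    """Return (base address, bytes) from an 'rmem <addr> <n>' dump.
    Each printed value is one 32-bit word; the ARM7 core is little-endian, so the
    word 0x53454d41 sits in memory as bytes 41 4d 45 53 ('AMES')."""
    base, expected, words = None, None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RMEM_LINE.match(line)
        if not m:
            raise ValueError("unparseable rmem line: %r" % line)
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != expected:
            raise ValueError("dump not contiguous at %08x" % addr)
        vals = [int(v, 16) for v in m.group(2).split()]
        words.extend(vals)
        expected = addr + 4 * len(vals)
    return base, b"".join(struct.pack("<I", w) for w in words)


def ascii_strings(data, minlen=4):
    """Printable-ASCII runs of at least minlen bytes (the usual 'strings' pass)."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, data)]


# Assumption (my reading of the dump, not documented anywhere): a kernel object
# starts with a 32-bit type tag whose big-endian ASCII spells the type, then an
# 8-byte NUL-padded name (knlShow shows names cut to 7 chars, which fits), then
# two 32-bit fields.
OBJECT_TAGS = {0x53454D41: "SEMA", 0x51554555: "QUEU"}


def find_tagged_objects(base, data):
    """Scan word-aligned offsets for a tag word; return (address, type, name, (f1, f2))."""
    found = []
    for off in range(0, len(data) - 20 + 1, 4):
        tag = struct.unpack_from("<I", data, off)[0]
        if tag in OBJECT_TAGS:
            name = data[off + 4:off + 12].split(b"\x00", 1)[0].decode("ascii", "replace")
            fields = struct.unpack_from("<II", data, off + 12)
            found.append((base + off, OBJECT_TAGS[tag], name, fields))
    return found


# The two switch registers the post found to have read side effects (datasheet Ch. 10).
SIDE_EFFECT_REGS = {0x88000004: "SftReset", 0x88000008: "MIBReset"}


def side_effects_of_rmem(addr, nwords):
    """Names of side-effect registers that 'rmem addr nwords' would read, if any."""
    end = addr + 4 * nwords
    return [name for reg, name in sorted(SIDE_EFFECT_REGS.items()) if addr <= reg < end]


if __name__ == "__main__":
    for label, dump in (("nv/user", USER_CAT), ("etc/resolv.conf", RESOLV_CAT)):
        print(label, ascii_strings(parse_cat(dump)))
    base, image = parse_rmem(RMEM_DUMP)
    print("strings:", ascii_strings(image))
    for addr, kind, name, fields in find_tagged_objects(base, image):
        print("%08x %s %-8s fields=%s" % (addr, kind, name, [hex(f) for f in fields]))
    print("rmem 0x88000000 8 would read:", side_effects_of_rmem(0x88000000, 8))
```

Running it prints admin/admin and the nameserver line from the two files, the raw strings “AMESMFS_SEM” and “UEUQnetq” (the reversed tag bytes are the tell-tale of a little-endian constant in front of a name), the two recognised objects at 0x337a14 and 0x337a54, and a warning that an 8-word read from the switch base would hit both SftReset and MIBReset, which is exactly the reboot the post ran into when reading 32 bytes at a time.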

Conclusion


For a first attempt at hardware hacking, I am quite happy with the results. I would still like to play around with the memory, but I am not familiar with ARM internals and registers – not sure where the next instruction would be in order to overflow or exploit it…
