#181 - darth_stroyer (Screamer, Join Date: Apr 2013, Posts: 15) - 04-May-2013, 15:48
Re: [NEW] Orange "Bright Box" router hacking :-)

Originally Posted by unlokia:
> How kind you are, thank you!
>
> I take it that you are allowed to share the keys, and that this is 100% legal?
>
> Thank you again.

Oops, I started something, didn't I? As far as I know, I'm allowed to do whatever I like with the keys. I've scoured the terms of use and help sections and can't find anything indicating otherwise.

I also use Linux (Ubuntu with Cinnamon), but I have to boot into Windows from time to time for a spot of WP development and testing (the WP emulators won't run from a VM). I try not to stay there too long, though, because I end up missing bash, vim and my highly customised Linux profile. Honestly, I have nothing against Windows, but I'm a serious geek and Linux provides the real geeky stuff where PCs are concerned!

PS. Sorry for derailing, let's get back to hacking!

#182 - whitenight639 (Screamer, Join Date: Mar 2013, Posts: 62) - 04-May-2013, 18:22

Originally Posted by darth_stroyer:
> PS. Sorry for derailing, let's get back to hacking!

Let's.

So I've been trying to get this BB to connect to my BT broadband but am still having no such luck. I think it must be my broadband username and password, as I have all the other settings correct and can see "CHAP authentication failed" in the logs.

Anyway, while I was playing around I backed up my config and set phase@manuf=normal, just to see if on the off chance it would affect anything.

Upon reboot my wlan network was now encrypted and asking for authentication, and I think a few other trivial settings were changed (I can't remember, I've slept since then). Anyway, in the /etc folder there are some interesting configuration lists:

glbcfg_ETH.save
glbcfg.dft
glblcfg.manuf
glbcfg_ADSL.save

Anyway, I too looked at the backup.bin that is spat out, and binwalk doesn't show up any useful info in the header; neither does looking at it in a hex editor. I would have thought that it was simply an obscured config list like the ones above, because some of the other settings we know are kept in the beginning part of the nvram or other partitions.

In my digging I came across reference to a cgi script that uses that binary to create the backup.bin. I even saw reference to an exe file, which I thought was odd, although I don't think that resides on the Brightbox. I will look into it again sometime.

It would be really helpful if I could understand (or get hold of) the original firmware that would be accepted by the webUI. Then, with the partition backups that unlokia provided, maybe we could work out how to create our own single binary from the partition dumps that would be accepted by the webUI; then we could mod the restrictive files in the rootfs and recompile / compress and offer it up for people to install at their own risk, kinda like TeamDG did with some of the Netgear firmwares. It would be easier than trying to create an OpenWRT from scratch with proprietary drivers.

I think it is time we hassled Astoria to release some source, because as we have found reference to OpenWRT then surely they are using GPL or GNU code and are obligated to release some source? I saw on their website some other source for other devices.

#183 - darth_stroyer (Screamer, Join Date: Apr 2013, Posts: 15) - 04-May-2013, 19:26

Originally Posted by whitenight639:
> In my digging I came across reference to a cgi script that uses that binary to create the backup.bin. I even saw reference to an exe file, which I thought was odd, although I don't think that resides on the Brightbox. I will look into it again sometime.

I don't think you'll find those anywhere in the filesystem. I was checking around the other day and they're not anywhere. If you have a look at the hex for /bin/arc_httpd, you'll find the strings in there, sans the .exe part (although exe is in on its own, probably concatenated with the path requested in the URL). I'm not sure what project the httpd is based off of, if any. I'm not 100% sure (it was a few days ago that I was looking) but I suspect that arc_httpd maps these CGI exes to the .sh scripts in /usr/sbin.

Originally Posted by whitenight639:
> It would be really helpful if I could understand (or get hold of) the original firmware that would be accepted by the webUI. Then, with the partition backups that unlokia provided, maybe we could work out how to create our own single binary from the partition dumps that would be accepted by the webUI; then we could mod the restrictive files in the rootfs and recompile / compress and offer it up for people to install at their own risk, kinda like TeamDG did with some of the Netgear firmwares. It would be easier than trying to create an OpenWRT from scratch with proprietary drivers.

Yep, this would be the holy grail, but I don't think our situation is too bad. We can get root without having to modify the hardware. I was thinking we may be able to use a USB stick to test OpenWRT, creating the root file system on that, mount + chroot to test without risking a brick.

Originally Posted by whitenight639:
> I think it is time we hassled Astoria to release some source, because as we have found reference to OpenWRT then surely they are using GPL or GNU code and are obligated to release some source? I saw on their website some other source for other devices.

Arcadyan probably are in violation of GPL, but if they're using the OpenWRT stuff unmodified (a couple of the drivers in /lib/modules/... are from OpenWRT) then any source they give us wouldn't help. It would be interesting to find out if their arc_httpd is a derivative, because they'd be forced to release the source if the license requires it.

The OpenWRT guys said we'd never have the ADSL drivers, but I wonder if anyone's tried asking! :-p

#184 - whitenight639 (Screamer, Join Date: Mar 2013, Posts: 62) - 04-May-2013, 20:38

Originally Posted by darth_stroyer:
> Arcadyan probably are in violation of GPL, but if they're using the OpenWRT stuff unmodified (a couple of the drivers in /lib/modules/... are from OpenWRT) then any source they give us wouldn't help. It would be interesting to find out if their arc_httpd is a derivative, because they'd be forced to release the source if the license requires it.
>
> The OpenWRT guys said we'd never have the ADSL drivers, but I wonder if anyone's tried asking! :-p

I have emailed them politely asking for any GPL release or adsl / cpu stuff they will give us.

I also may be about to acquire another Brightbox for free. I will post it to you if you want it when I've got a couple of quid spare (could be a while).

#185 - darth_stroyer (Screamer, Join Date: Apr 2013, Posts: 15) - 04-May-2013, 20:42

Originally Posted by whitenight639:
> I have emailed them politely asking for any GPL release or adsl / cpu stuff they will give us.
>
> I also may be about to acquire another Brightbox for free. I will post it to you if you want it when I've got a couple of quid spare (could be a while).

Well, I won't say no, if it happens! It would certainly save me from putting the box into 'manufactory' for 45 minutes to do some investigating, only to have to change it back because my kids want to watch My Little Pony on Netflix!

#186 - darth_stroyer (Screamer, Join Date: Apr 2013, Posts: 15) - 04-May-2013, 21:02

By the way... I think a firmware update might just be a simple squashfs img. Take a look at /usr/sbin/sh_img_upgrade.sh. See the commands util_sys_cli StoreImg $1 $image_file followed by sh_img_upgrade_usage? Also, that same shell script refers to Journalling Flash File System 2, or JFFS2, which is used most prominently in... you guessed it: OpenWRT.

At this point I'm starting to wonder if we could just build an OpenWRT image and use these commands to install it. I don't have the means to recover from a brick, though!

#187 - whitenight639 (Screamer, Join Date: Mar 2013, Posts: 62) - 04-May-2013, 21:03

Originally Posted by darth_stroyer:
> Well, I won't say no, if it happens! It would certainly save me from putting the box into 'manufactory' for 45 minutes to do some investigating, only to have to change it back because my kids want to watch My Little Pony on Netflix!

I'll PM you when I've got some funds; it'll happen. Ha, I know, I've got 2 right now and I would love to give one to the mrs, but I don't think she'd be too impressed if it crashed and the little one couldn't watch Abney & Teal or "some more a-bet (alphabet)" videos on YouTube (she's only 2 1/2 and can do the whole phonetic alphabet and count to 20).

#188 - unlokia (Screamager, Join Date: Jun 2006, Posts: 237) - 04-May-2013, 21:05

Off topic (a bit) but can anyone tell me how to get DMZ/port forwards working reliably, so I can ssh into my PC? This box is having none of it...

Thanks

#189 - whitenight639 (Screamer, Join Date: Mar 2013, Posts: 62) - 04-May-2013, 21:06

Originally Posted by darth_stroyer:
> By the way... I think a firmware update might just be a simple squashfs img. Take a look at /usr/sbin/sh_img_upgrade.sh. See the commands util_sys_cli StoreImg $1 $image_file followed by sh_img_upgrade_usage? Also, that same shell script refers to Journalling Flash File System 2, or JFFS2, which is used most prominently in... you guessed it: OpenWRT.
>
> At this point I'm starting to wonder if we could just build an OpenWRT image and use these commands to install it. I don't have the means to recover from a brick, though!

Nice work! I will try for you, but it might not be tonight. The reluctance I have is that the BB has extensive scripting in it for the configuration and drivers; if I fed it a vanilla OpenWRT image it would be less than useless. If I can repackage its own firmware with some mods it will be the bees' knees.

#190 - darth_stroyer (Screamer, Join Date: Apr 2013, Posts: 15) - 04-May-2013, 21:13

Originally Posted by unlokia:
> Off topic (a bit) but can anyone tell me how to get DMZ/port forwards working reliably, so I can ssh into my PC? This box is having none of it...
>
> Thanks

I have port forwarding working on mine for a few services running from my NAS box. If you test it from inside the network it doesn't seem like it's working, but if you try from outside the network (try with 3G on your phone), it works fine.

#191 - whitenight639 (Screamer, Join Date: Mar 2013, Posts: 62) - 04-May-2013, 21:14

Originally Posted by unlokia:
> Off topic (a bit) but can anyone tell me how to get DMZ/port forwards working reliably, so I can ssh into my PC? This box is having none of it...
>
> Thanks

I would say check the tr69 stuff, because the web interface just uses that; if the web interface has bugs it might not write the config properly. Anyway, are you trying to ssh into a local machine or a remote one? Do you really need a DMZ, can't you just use port forwarding? Do you have UPnP turned on? I've not tried it, so that's all I can suggest.

#192 - unlokia (Screamager, Join Date: Jun 2006, Posts: 237) - 04-May-2013, 21:21

Originally Posted by whitenight639:
> I would say check the tr69 stuff, because the web interface just uses that; if the web interface has bugs it might not write the config properly. Anyway, are you trying to ssh into a local machine or a remote one? Do you really need a DMZ, can't you just use port forwarding? Do you have UPnP turned on? I've not tried it, so that's all I can suggest.

I've tried:

1/ Forwarding on, DMZ on
2/ Forwarding on, DMZ off
3/ DMZ on, forwarding off

Nothing.

As for UPnP... I'll try that. I am ssh'ing into my Mint PC - obviously if it were a private IP (which works well, as one expects it to) I wouldn't be having these issues.

Anyhoo, it's no great shakes - it would just be handy - I have 101 ways to remote into Linux.

#193 - whitenight639 (Screamer, Join Date: Mar 2013, Posts: 62) - 04-May-2013, 21:27

Originally Posted by unlokia:
> I've tried:
>
> 1/ Forwarding on, DMZ on
> 2/ Forwarding on, DMZ off
> 3/ DMZ on, forwarding off
>
> Nothing.
>
> As for UPnP... I'll try that. I am ssh'ing into my Mint PC - obviously if it were a private IP (which works well, as one expects it to) I wouldn't be having these issues.
>
> Anyhoo, it's no great shakes - it would just be handy - I have 101 ways to remote into Linux.

Check your iptables / SELinux (think that's what I mean) are not rejecting connection requests and your ssl certs are where they should be. Remoting into Linux PCs should be easy but sometimes needs some playing with.

#194 - unlokia (Screamager, Join Date: Jun 2006, Posts: 237) - 04-May-2013, 21:29

Originally Posted by whitenight639:
> Check your iptables / SELinux (think that's what I mean) are not rejecting connection requests and your ssl certs are where they should be. Remoting into Linux PCs should be easy but sometimes needs some playing with.

Why, thank you!

~~ edit ~~

It seems ports are open:

Code:
sudo iptables -L
[sudo] password for matt: 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

~~~~ edit #2 ~~~~

Okay. I turned OFF UPnP... and now port forwarding works, and I can SSH into my PC over 3G!

Thank you!!

Last edited by unlokia; 04-May-2013 at 21:50.

#195 - unlokia (Screamager, Join Date: Jun 2006, Posts: 237) - 04-May-2013, 22:06

For all those running Linux, this is what I have been working on for the last hour - a popup alert + sound for the Desktop. I wanted to SSH into my PC over 3G/WiFi, so I can send alerts using this script.

UnZIP, and use this syntax:

Code:
$ chmod +x popupmsg [return]

$ ./popupmsg <some_word_or_non_spaced_string> [return]

https://www.dropbox.com/s/g9ymb61dcg...ubuntu_etc.zip

Have fun

#196 - whitenight639 (Screamer, Join Date: Mar 2013, Posts: 62) - 05-May-2013, 20:44

Originally Posted by unlokia:
> For all those running Linux, this is what I have been working on for the last hour - a popup alert + sound for the Desktop. I wanted to SSH into my PC over 3G/WiFi, so I can send alerts using this script.
>
> UnZIP, and use this syntax

Are you any good at programming GTK interfaces / GUIs? Not related to this thread, but I had a simple Java programme that sent IR codes to my Arduino to control my Sony 7.1 surround sound amp. I wanted to send these simple codes from a GUI that looked like a remote control, but GTK programming just melted my brain; I couldn't get my head around it.

#197 - unlokia (Screamager, Join Date: Jun 2006, Posts: 237) - 05-May-2013, 20:56

Originally Posted by whitenight639:
> Are you any good at programming GTK interfaces / GUIs? Not related to this thread, but I had a simple Java programme that sent IR codes to my Arduino to control my Sony 7.1 surround sound amp. I wanted to send these simple codes from a GUI that looked like a remote control, but GTK programming just melted my brain; I couldn't get my head around it.

Never done any GTK stuff, but for 500 a day, I'll try.

Arduino? Yuck, no thanks.

#198 - whitenight639 (Screamer, Join Date: Mar 2013, Posts: 62) - 07-May-2013, 06:37

Originally Posted by unlokia:
> Never done any GTK stuff, but for 500 a day, I'll try.
>
> Arduino? Yuck, no thanks.

What's wrong with the Arduino?

Anyway, I have finally managed to connect this BB to my BT broadband.

In manufacturer mode the ADSL drivers do not start with the box; it is upon changing settings through the webUI that seems to start the driver (sometimes). You can see this from doing ifconfig when telnetted into the BB.

Before the DSL driver there is just bcmsw, br0, eth0-eth3 and wlan interfaces; after it has been kicked in the nuts the atm0 and ppp0 interfaces show up. I tried to start this with various scripts on the BB but had no luck. I set up my BB to how I want it, backed up the configuration through the WebUI, then changed phas@manuf=normal, did a commitcfg [flash] and rebooted. Now my internets actually work when I turn the BB on and the NAT & DNS actually start to function (they weren't before, when I did manage to trick the DSL drivers and get a connection).

#199 - whitenight639 (Screamer, Join Date: Mar 2013, Posts: 62) - 07-May-2013, 07:38

I found some conflicting pages from BT on their ADSL settings, so thought I would post the ones I used here:

Connection type: PPPoA (PPPoATM)
VCI: 38
VPI: 0
Encapsulation: VCMUX
Modulation: G.DMT
RFC: 2364
Network type: WAN (not LAN)

MTU: Auto/Normal 1458 - 1500 (lower numbers can help if data corruption occurs; default is 1500)
QOS: UBR (unlikely to be CBR/VBR)

The username should be of the format firstname.lastname@btbroadband.com for BTBB customers. Also no password is required, but if the router insists, use bt as the password.

Also, the Orange version of the Brightbox does not have a "connect" button on the Broadband settings page; the EE one does. The EE one also has a separate page for ADSL mode, which I left on auto as it figures it out. Bit Swapping is a yes and SRA is not used; I don't think it will work with it enabled, at least not with my broadband.

#200 - whitenight639 (Screamer, Join Date: Mar 2013, Posts: 62) - 08-May-2013, 03:01

Originally Posted by darth_stroyer:
> By the way... I think a firmware update might just be a simple squashfs img. Take a look at /usr/sbin/sh_img_upgrade.sh. See the commands util_sys_cli StoreImg $1 $image_file followed by sh_img_upgrade_usage? Also, that same shell script refers to Journalling Flash File System 2, or JFFS2, which is used most prominently in... you guessed it: OpenWRT.
>
> At this point I'm starting to wonder if we could just build an OpenWRT image and use these commands to install it. I don't have the means to recover from a brick, though!

Ok, I just successfully flashed my Orange BB with the EE BB firmware. I tried using mksquashfs-lzma on the root filesystem I posted before with no luck, and then tried giving it the squashfs I extracted from priimg with no luck, so I tried just giving it the priimg.bin straight up and it took it and it worked.

So in a previous post I gave a link to a .sh script file from OpenWRT (I think) that tried extracting compressed files with all different sorts of decompression programs; this was what I used to extract the priimg.bin, although I can't remember which program it used. I will do it again when I've got more time and hopefully then we will know the compression algorithm used and we can then build our own firmware images :-)

Also, out of interest, in squashfs-root/www/cgi/cgi_atmint.js there is a simple list of permitted broadband domain names that the previously mentioned script checks against in the atmint.html file.

#201 - whitenight639 (Screamer, Join Date: Mar 2013, Posts: 62) - 08-May-2013, 04:34

So I also found that you can update the bootloader and software image by doing this:

You must set your TCP/IP v4 protocol to:

IP: 192.168.1.2
Netmask: 255.255.255.0
Gateway: 192.168.1.1
DNS: (optional, can be blank).

Then:

Power off the router.
Press the reset button near the antenna.
Keep it pressed while powering up for ~20+ seconds.
Access http://192.168.1.1 and upload the binary file.
Wait until the router reboots.


#202 - whitenight639 (Screamer, Join Date: Mar 2013, Posts: 62) - 08-May-2013, 13:20

Ok so just want to post this here so I don't have to keep this in my brain.

Code:
whitenight639@jaguar:/opt/firmware-mod-kit/trunk$ binwalk priimg.bin
DECIMAL   	HEX       	DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0         	0x0       	uImage header, header size: 64 bytes, header CRC: 0x36A4D467, created: Thu Sep 20 20:00:26 2012, image size: 852408 bytes, Data Address: 0x80002000, Entry Point: 0x801D8550, data CRC: 0x53468E9A, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: ""MIPS Linux-2.6.30""
64        	0x40      	LZMA compressed data, properties: 0x6D, dictionary size: 1048576 bytes, uncompressed size: 2527888 bytes
1048576   	0x100000  	Squashfs filesystem, little endian, version 4.0, compression: lzma, size: 5652861 bytes,  1096 inodes, blocksize: 65536 bytes, created: Thu Sep 20 20:00:24 2012

Code:
whitenight639@jaguar:/opt/firmware-mod-kit/trunk$ dd if=priimg.bin of=priimgwithoutheader.squashfs bs=1 skip=1048576 count=5652861

5652861+0 records in
5652861+0 records out
5652861 bytes (5.7 MB) copied, 9.67791 s, 584 kB/s

Code:
whitenight639@jaguar:/opt/firmware-mod-kit/trunk$ sudo ./unsquashfs_all.sh priimgwithoutheader.squashfs rootfsworking_directory
./unsquashfs_all.sh: line 85: ./src/binwalk: No such file or directory
Attempting to extract SquashFS .X file system...

Trying ./src/squashfs-2.1-r2/unsquashfs... 
Trying ./src/squashfs-2.1-r2/unsquashfs-lzma... 
Trying ./src/squashfs-3.0/unsquashfs... 
Trying ./src/squashfs-3.0/unsquashfs-lzma... 
Trying ./src/squashfs-3.0-lzma-damn-small-variant/unsquashfs-lzma... 
Trying ./src/others/squashfs-2.0-nb4/unsquashfs... 
Trying ./src/others/squashfs-3.0-e2100/unsquashfs... 
Trying ./src/others/squashfs-3.0-e2100/unsquashfs-lzma... 
Trying ./src/others/squashfs-3.2-r2/unsquashfs... 
Trying ./src/others/squashfs-3.2-r2-lzma/squashfs3.2-r2/squashfs-tools/unsquashfs... 
Trying ./src/others/squashfs-3.2-r2-hg612-lzma/unsquashfs... 
Trying ./src/others/squashfs-3.2-r2-wnr1000/unsquashfs... 
Trying ./src/others/squashfs-3.2-r2-rtn12/unsquashfs... 
Trying ./src/others/squashfs-3.3/unsquashfs... 
Trying ./src/others/squashfs-3.3-lzma/squashfs3.3/squashfs-tools/unsquashfs... 
Trying ./src/others/squashfs-3.3-grml-lzma/squashfs3.3/squashfs-tools/unsquashfs... 
Trying ./src/others/squashfs-3.4-cisco/unsquashfs... 
Trying ./src/others/squashfs-3.4-nb4/unsquashfs... 
Trying ./src/others/squashfs-3.4-nb4/unsquashfs-lzma... 
Trying ./src/others/squashfs-4.2-official/unsquashfs... Parallel unsquashfs: Using 2 processors
1023 inodes (1188 blocks) to write

[================================================================================================================/] 1188/1188 100%
created 826 files
created 73 directories
created 111 symlinks
created 86 devices
created 0 fifos
File system sucessfully extracted!
MKFS="./src/others/squashfs-4.2-official/mksquashfs"
whitenight639@jaguar:/opt/firmware-mod-kit/trunk$

The rootfs I posted before may not have been extracted fully; when running the above script without root, only the following are created:

Code:
[================================================== ================================================== ===/ ] 1102/1188 92%
created 826 files
created 73 directories
created 111 symlinks
created 0 devices
created 0 fifos

With root the full 1188 are created, and looking through it the devices and such are even listed under /dev like you would see on the BB if you looked in that directory with root telnet.
As to the implications for using the original rootfs I posted, I don't know; I will upload it and update my post accordingly.

So now I can try and make a few small changes and recompress the filesystem, although I don't know how I can add the headers I stripped off with dd. Anybody got a clue?

EDIT - Maybe I can dd off the bytes that I skipped and then catenate them together, but will that work? Can you cat together a compressed filesystem and a binary file?

Last edited by whitenight639; 08-May-2013 at 13:27.

#203 - whitenight639 (Screamer, Join Date: Mar 2013, Posts: 62) - 08-May-2013, 14:11

Ok so I just did:

Code:
$ dd if=priimg.bin of=header.squashfs bs=1 skip=0 count=1048576

$ sudo ./src/others/squashfs-4.2-official/mksquashfs rootfsworking_directory BBFS.squashfs -comp lzma -b 65536

$ cat header.squashfs BBFS.squashfs >NewFirmware.bin

Code:
whitenight639@jaguar:/opt/firmware-mod-kit/trunk$ binwalk priimg.bin

DECIMAL   	HEX       	DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0         	0x0       	uImage header, header size: 64 bytes, header CRC: 0x36A4D467, created: Thu Sep 20 20:00:26 2012, image size: 852408 bytes, Data Address: 0x80002000, Entry Point: 0x801D8550, data CRC: 0x53468E9A, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: ""MIPS Linux-2.6.30""
64        	0x40      	LZMA compressed data, properties: 0x6D, dictionary size: 1048576 bytes, uncompressed size: 2527888 bytes
1048576   	0x100000  	Squashfs filesystem, little endian, version 4.0, compression: lzma, size: 5652861 bytes,  1096 inodes, blocksize: 65536 bytes, created: Thu Sep 20 20:00:24 2012 

whitenight639@jaguar:/opt/firmware-mod-kit/trunk$ binwalk NewFirmware.bin

DECIMAL   	HEX       	DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0         	0x0       	uImage header, header size: 64 bytes, header CRC: 0x36A4D467, created: Thu Sep 20 20:00:26 2012, image size: 852408 bytes, Data Address: 0x80002000, Entry Point: 0x801D8550, data CRC: 0x53468E9A, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: ""MIPS Linux-2.6.30""
64        	0x40      	LZMA compressed data, properties: 0x6D, dictionary size: 1048576 bytes, uncompressed size: 2527888 bytes
1048576   	0x100000  	Squashfs filesystem, little endian, version 4.0, compression: lzma, size: 5710061 bytes,  1097 inodes, blocksize: 65536 bytes, created: Wed May  8 13:58:25 2013

So after trying the BB with my new firmware it didn't work. Then, after playing spot the difference, it seems I'm missing something when compressing; maybe they excluded certain files or extended attributes. Both the webUI and the hidden firmware upgrade UI did not like it, so either it is because the upload script checks for a specific size or hash or even filename. But I might try giving this to it on a USB and setting the boot image via serial in the preboot settings.

#204 - whitenight639 (Screamer, Join Date: Mar 2013, Posts: 62) - 08-May-2013, 21:40

Ok so if you connect via serial, interrupt the boot when it prompts and then go to 192.168.1.1, you can upload an image in the same way as the above screenshot.

When an invalid image is given, the serial says the following:

Code:
upload system image at 0x83519f58, length 6762496
Invalid Image Signature
*** upgrade status = -41

When a correct image is given it says:

Code:
upload system image at 0x83519f58, length 8257536
DATE	: Fri Sep 21 03:00:26 2012
VER	: v0.09.94.0006
CRC	: CA7C2EC6

But fortunately Broadcom release their CFE bootloader software, so a new one can probably be created that will not check signatures (well, at least for newer chips), but there are differences in the CFE and NVRAM mapping with this 6328 chip; some OpenWRT pages describe them.

I don't know why my image is so much smaller; I must have done something wrong. But no matter, as it's checking for some signature or hash, so it's either give it a new CFE bootloader, or just maybe it can be updated via the Tr69 stuff with less restrictions / signature checking, but I doubt it. (Do the ISPs create the branded firmware or do Arcadyan / Astoria do it for them under contract?)

Last edited by whitenight639; 09-May-2013 at 06:01.

#205 - unlokia (Screamager, Join Date: Jun 2006, Posts: 237) - 09-May-2013, 02:23

Gosh! Well done Mr! Consider me "well impressed", LOL

I never thought of skipping the header with dd - (isn't that header called 'magic' something?)

You're well on your way!


#206 - whitenight639 (Screamer, Join Date: Mar 2013, Posts: 62) - 09-May-2013, 04:13

Originally Posted by unlokia:
> Gosh! Well done Mr! Consider me "well impressed", LOL
>
> I never thought of skipping the header with dd - (isn't that header called 'magic' something?)
>
> You're well on your way!

Thanks bro, still a bit lost tbh, but it's funny you should mention magic.

If you look at the end of priimg with a hex editor you will see:

Code:
ArcMagicSignature;date=Fri Sep 21 03:00:26 2012;ver=v0.09.94.0006;

I ran strings on ArcMagicSignature and the only match I got was:

Code:
\00\00secimg\00\00bootldr\00priimg\00\00;=\00\00ArcMagicSignature\00\00\00date\00\00\00\00/dev/mtdblock%c\00
%s(%d) Calculate CRC %08X vs Internal CRC32 %08X

in:
root/lib/libmhdl_sys.so

So it looks like it simply wants an image to match a CRC hash value.

I have split priimg into a
64 byte uImage header,
1MB lzma header / meta data,
7.2MB (I think) squashfs,
128 byte footer / Arc magic signature.

I don't know why I did this or if it will be any use. I was hoping to extract the squashFS, make a few tiny changes to a few files, recompress and then catenate the headers and footers back on, and hopefully the BB would accept it. I'm not so sure this is the right way to go about it, and looking at my recompressed lzma-squashfs images in a hex editor they look totally different. I'll try some more tomorrow; I think we're close to being able to run a modified firmware on the box.

Oh, and just for reference, the CFE error codes are here:
Code:
/*
 * Copyright (C) 2000, 2001, 2002 Broadcom Corporation
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 */

/*
 * Broadcom Common Firmware Environment (CFE)
 *
 * CFE's global error code list is here.
 *
 * Author:  Mitch Lichtenberg
 */

#define CFE_OK                   0
#define CFE_ERR                 -1      /* generic error */
#define CFE_ERR_INV_COMMAND     -2
#define CFE_ERR_EOF             -3
#define CFE_ERR_IOERR           -4
#define CFE_ERR_NOMEM           -5
#define CFE_ERR_DEVNOTFOUND     -6
#define CFE_ERR_DEVOPEN         -7
#define CFE_ERR_INV_PARAM       -8
#define CFE_ERR_ENVNOTFOUND     -9
#define CFE_ERR_ENVREADONLY     -10

#define CFE_ERR_NOTELF          -11
#define CFE_ERR_NOT32BIT        -12
#define CFE_ERR_WRONGENDIAN     -13
#define CFE_ERR_BADELFVERS      -14
#define CFE_ERR_NOTMIPS         -15
#define CFE_ERR_BADELFFMT       -16
#define CFE_ERR_BADADDR         -17

#define CFE_ERR_FILENOTFOUND    -18
#define CFE_ERR_UNSUPPORTED     -19

#define CFE_ERR_HOSTUNKNOWN     -20

#define CFE_ERR_TIMEOUT         -21

#define CFE_ERR_PROTOCOLERR     -22

#define CFE_ERR_NETDOWN         -23
#define CFE_ERR_NONAMESERVER    -24

#define CFE_ERR_NOHANDLES       -25
#define CFE_ERR_ALREADYBOUND    -26

#define CFE_ERR_CANNOTSET       -27
#define CFE_ERR_NOMORE          -28
#define CFE_ERR_BADFILESYS      -29
#define CFE_ERR_FSNOTAVAIL      -30

#define CFE_ERR_INVBOOTBLOCK    -31
#define CFE_ERR_WRONGDEVTYPE    -32
#define CFE_ERR_BBCHECKSUM      -33
#define CFE_ERR_BOOTPROGCHKSUM  -34

#define CFE_ERR_LDRNOTAVAIL     -35

#define CFE_ERR_NOTREADY        -36

#define CFE_ERR_GETMEM          -37
#define CFE_ERR_SETMEM          -38

#define CFE_ERR_NOTCONN         -39
#define CFE_ERR_ADDRINUSE       -40

Last edited by whitenight639; 09-May-2013 at 04:23.
  #207  
Old 09-May-2013, 06:00
whitenight639
Screamer
 
Join Date: Mar 2013
Posts: 62
Default Re: [NEW] Orange "Bright Box" router hacking :-)

Haha, so I just discovered the very last few bits / bytes of the priimg or MagicSignature is the hex CRC hash! So I got an openWRT image and cat'd the signature onto the end, and the BB said this:

Code:
upload system image at 0x83519f58, length 4194688
BrightBox>DATE	: Fri Sep 21 03:00:26 2012
VER	: v0.09.94.0006
CRC	: CA7C2EC6
Invalid Image Checksum(calculated A0FB3449)
*** upgrade status = -41

Resetting board...

It didn't do that before (look above); still, at least the devs were kind enough to drop us more clues, thanks :-)


So anyway, I've got a Python script that claims to be able to change CRC values; there are other programs that also make this claim, but the CRC is not only calculated on the file, it is also appended to the file, so maybe that makes it more difficult to change both to a set value.



Bit of trivia: did anybody notice at the beginning of this thread a new user who only posted 2 posts, and only on this thread? The username was interestedparty. So hello Astoria / Arkadia employee, could you log in and give us a few pointers?
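As an added example (not code from the thread, the box's firmware, or any tool named in it), a Python checker that splits off the trailer described in the two posts above, reads its date/ver fields and recomputes CRC32 over the body, the same comparison the box prints as "Calculate CRC ... vs Internal CRC32". The 128-byte footer layout, the big-endian CRC in its last four bytes and the CRC covering everything before the footer are assumptions; what the example shows is that a matching CRC only detects corruption, since anyone can recompute it, so a CRC trailer is an integrity check and not an authenticity check.

```python
import struct
import zlib

# Assumed trailer layout (pieced together from the thread, not a published
# spec): a 128-byte footer holding the ASCII "ArcMagicSignature;date=...;ver=...;"
# string, NUL padding, and a big-endian CRC32 of everything before the footer
# in the last four bytes.
FOOTER_LEN = 128
MAGIC = b"ArcMagicSignature;"


def parse_trailer(image: bytes) -> dict:
    """Split off the footer, read its fields and recompute the body CRC."""
    if len(image) < FOOTER_LEN:
        raise ValueError("image shorter than the assumed %d-byte footer" % FOOTER_LEN)
    body, footer = image[:-FOOTER_LEN], image[-FOOTER_LEN:]
    if not footer.startswith(MAGIC):
        raise ValueError("no ArcMagicSignature footer found")
    text = footer[:-4].rstrip(b"\x00").decode("ascii", errors="replace")
    fields = dict(kv.split("=", 1) for kv in text.split(";")[1:] if "=" in kv)
    stored = struct.unpack(">I", footer[-4:])[0]
    calculated = zlib.crc32(body) & 0xFFFFFFFF
    return {
        "date": fields.get("date"),
        "ver": fields.get("ver"),
        "stored_crc": "%08X" % stored,
        "calculated_crc": "%08X" % calculated,
        # True only proves the bytes were not corrupted, not who produced them.
        "checksum_ok": stored == calculated,
    }


def build_sample_image(body: bytes, date: str, ver: str) -> bytes:
    """Constructed test fixture only: a body plus a footer in the assumed layout."""
    text = MAGIC + ("date=%s;ver=%s;" % (date, ver)).encode("ascii")
    padding = b"\x00" * (FOOTER_LEN - len(text) - 4)
    return body + text + padding + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


# Constructed sample: a fake body starting with the uImage magic 0x27051956.
SAMPLE_BODY = b"\x27\x05\x19\x56" + bytes(range(256)) * 4
SAMPLE_IMAGE = build_sample_image(SAMPLE_BODY, "Fri Sep 21 03:00:26 2012", "v0.09.94.0006")
# The same image with one body byte flipped: the stored CRC no longer matches.
CORRUPT_IMAGE = SAMPLE_IMAGE[:100] + bytes([SAMPLE_IMAGE[100] ^ 0xFF]) + SAMPLE_IMAGE[101:]

if __name__ == "__main__":
    for name, img in (("intact", SAMPLE_IMAGE), ("corrupt", CORRUPT_IMAGE)):
        print(name, parse_trailer(img))
```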
  #208  
Old 09-May-2013, 18:02
whitenight639
Screamer
 
Join Date: Mar 2013
Posts: 62
Default Re: [NEW] Orange "Bright Box" router hacking :-)

So comparing the Orange and the EE firmwares, each partition is exactly the same size, so maybe the CRC is more about size than security. I will pad out an openWRT image and see what happens.

Code:
whitenight639@jaguar:/opt/firmware-mod-kit/trunk/untitled/originalfirmwares/Orange$ jacksum -a crc32 -f -t default .
2778518919	57344	19700101010908	./bootloader
1777323551	318173	20120128234644	./BrightBox_www.zip
3392424699	4096	19700101010742	./manuf
3262941397	4096	19700101010758	./nvram
335975992	65536	19700101010843	./pricfg
1972726895	8257536	19700101010830	./priimg
1021624586	7208960	19700101010814	./rootfs
whitenight639@jaguar:/opt/firmware-mod-kit/trunk/untitled/originalfirmwares/Orange$ cd ..
whitenight639@jaguar:/opt/firmware-mod-kit/trunk/untitled/originalfirmwares$ cd EE
whitenight639@jaguar:/opt/firmware-mod-kit/trunk/untitled/originalfirmwares/EE$ jacksum -a crc32 -f -t default .
695217288	57344	19791231230000	./bootldr
2273578040	64	20130423004055	./EE_BOX_VERSION
1943249060	50640	19791231230000	./hw.txt
2166965968	4096	19791231230000	./manuf
1311363707	4096	19791231230000	./nvram
2636347797	814977	20130423004242	./Photo_Of_EE_Box.jpg
2572922547	65536	19791231230000	./pricfg
2240932231	8257536	19791231230000	./priimg
1971555349	7208960	19791231230000	./rootfs
whitenight639@jaguar:/opt/firmware-mod-kit/trunk/untitled/originalfirmwares/EE$ jacksum -a crc32 -x priimg
8591e987	8257536	priimg
whitenight639@jaguar:/opt/firmware-mod-kit/trunk/untitled/originalfirmwares/EE$ cd ..
whitenight639@jaguar:/opt/firmware-mod-kit/trunk/untitled/originalfirmwares$ cd Orange
whitenight639@jaguar:/opt/firmware-mod-kit/trunk/untitled/originalfirmwares/Orange$ jacksum -a crc32 -x priimg
75956c6f	8257536	priimg
whitenight639@jaguar:/opt/firmware-mod-kit/trunk/untitled/originalfirmwares/Orange$

Last edited by whitenight639; 09-May-2013 at 18:08.
  #209  
Old 10-May-2013, 22:20
whitenight639
Screamer
 
Join Date: Mar 2013
Posts: 62
Default Re: [NEW] Orange "Bright Box" router hacking :-)

So I got it to take an openWRT image that was exactly the same size. I edited the last few bytes to match its hash, which then changed the hash, but the BB still accepted it via TFTP - but it said it had an invalid uBoot image,

then I gave it back its original image and booted it and did something stupid,

having missed / forgotten unlokia's post:

Code:
root@BrightBox:/proc # cat mtd 
dev:    size   erasesize  name
mtd0: 00001000 00001000 "manuf"
mtd1: 00001000 00001000 "nvram"
mtd2: 006e0000 00001000 "rootfs"
mtd3: 007e0000 00001000 "priimg"
mtd4: 00010000 00001000 "pricfg"
mtd5: 0000e000 00001000 "bootldr"

I tried to work out which partition was which and erased the bootloader and other partitions by:

Code:
root@BrightBox:/www # mtd_utils_flash_eraseall --jffs2 /dev/mtd4
Erasing 4 Kibyte @ 10000 -- 100 % complete.leanmarker written at f000.

root@BrightBox:/ # mtd_utils_flash_eraseall --jffs2 /dev/mtd5
Erasing 4 Kibyte @ e000 -- 100 % complete.Cleanmarker written at d000.

root@BrightBox:/ # mtd_utils_flash_eraseall --jffs2 /dev/mtd6     
mtd_utils_flash_eraseall: /dev/mtd6: No such device

root@BrightBox:/ # mtd_utils_flash_eraseall --jffs2 /dev/mtd3
Erasing 4 Kibyte @ 7e0000 -- 100 % complete.Cleanmarker written at 7df000.

I've tried sending the bootldr as a raw binary file over serial but the box does nothing; it's bricked. Looking at similar Broadcom chips, the JTAG pins are around pin 12, but looking at this board pin 12 looks to me like USB. I can't find any other pinouts for this chip. I removed the heatsink and the full chip number is: BCM63281TKFBG
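As an added example (not code from the thread or from the box), a small Python helper for the problem in the post above: parse the /proc/mtd listing, cross-check each partition's size against the sizes of the dumped partition files from the jacksum listing earlier in the thread, and refuse to erase anything the bootloader cannot restore. The listing and sizes are constructed copies of what the posts show; the protected set is an assumption based on the bricking described.

```python
import re

# Constructed copy of the /proc/mtd listing quoted in the post above.
PROC_MTD = """dev:    size   erasesize  name
mtd0: 00001000 00001000 "manuf"
mtd1: 00001000 00001000 "nvram"
mtd2: 006e0000 00001000 "rootfs"
mtd3: 007e0000 00001000 "priimg"
mtd4: 00010000 00001000 "pricfg"
mtd5: 0000e000 00001000 "bootldr"
"""

# Byte sizes of the dumped partition files from the jacksum listing earlier in
# the thread (EE names; Orange's "bootloader" dump is the same 57344 bytes).
DUMP_SIZES = {"manuf": 4096, "nvram": 4096, "rootfs": 7208960,
              "priimg": 8257536, "pricfg": 65536, "bootldr": 57344}

# Assumed set of partitions that must never be erased from a running box:
# without the bootloader there is no TFTP upload path to recover with.
PROTECTED = ("bootldr", "manuf", "nvram")

MTD_LINE = re.compile(r'^(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"')


def parse_proc_mtd(text: str) -> dict:
    """Map mtdN -> {name, size, erasesize}, converting the hex sizes to bytes."""
    parts = {}
    for line in text.splitlines():
        m = MTD_LINE.match(line)
        if m:
            dev, size, erase, name = m.groups()
            parts[dev] = {"name": name, "size": int(size, 16), "erasesize": int(erase, 16)}
    return parts


def dump_candidates(parts: dict, dev: str, dump_sizes: dict) -> list:
    """Dump files whose size equals the partition's; more than one means ambiguous."""
    if dev not in parts:
        return []
    return sorted(n for n, s in dump_sizes.items() if s == parts[dev]["size"])


def erase_allowed(parts: dict, dev: str) -> bool:
    """Refuse unknown devices (like mtd6 above) and anything in PROTECTED."""
    return dev in parts and parts[dev]["name"] not in PROTECTED


if __name__ == "__main__":
    parts = parse_proc_mtd(PROC_MTD)
    for dev in sorted(parts):
        print(dev, parts[dev]["name"], dump_candidates(parts, dev, DUMP_SIZES),
              "erase allowed" if erase_allowed(parts, dev) else "PROTECTED")
```

Note that manuf and nvram are both 4096 bytes, so size alone cannot tell them apart; the name from /proc/mtd is what settles it.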
  #210  
Old 10-May-2013, 22:25
unlokia
Screamager
 
Join Date: Jun 2006
Posts: 237
Default Re: [NEW] Orange "Bright Box" router hacking :-)

So I got it to take an openWRT image that was exactly the same size. I edited the last few bytes to match its hash, which then changed the hash, but the BB still accepted it via TFTP - but it said it had an invalid uBoot image,

then I gave it back its original image and booted it and did something stupid,

having missed / forgotten unlokia's post:

Code:
root@BrightBox:/proc # cat mtd 
dev:    size   erasesize  name
mtd0: 00001000 00001000 "manuf"
mtd1: 00001000 00001000 "nvram"
mtd2: 006e0000 00001000 "rootfs"
mtd3: 007e0000 00001000 "priimg"
mtd4: 00010000 00001000 "pricfg"
mtd5: 0000e000 00001000 "bootldr"

I tried to work out which partition was which and erased the bootloader and other partitions by:

Code:
root@BrightBox:/www # mtd_utils_flash_eraseall --jffs2 /dev/mtd4
Erasing 4 Kibyte @ 10000 -- 100 % complete.leanmarker written at f000.

root@BrightBox:/ # mtd_utils_flash_eraseall --jffs2 /dev/mtd5
Erasing 4 Kibyte @ e000 -- 100 % complete.Cleanmarker written at d000.

root@BrightBox:/ # mtd_utils_flash_eraseall --jffs2 /dev/mtd6     
mtd_utils_flash_eraseall: /dev/mtd6: No such device

root@BrightBox:/ # mtd_utils_flash_eraseall --jffs2 /dev/mtd3
Erasing 4 Kibyte @ 7e0000 -- 100 % complete.Cleanmarker written at 7df000.

I've tried sending the bootldr as a raw binary file over serial but the box does nothing; it's bricked. Looking at similar Broadcom chips, the JTAG pins are around pin 12, but looking at this board pin 12 looks to me like USB. I can't find any other pinouts for this chip. I removed the heatsink and the full chip number is: BCM63281TKFBG
Originally Posted by whitenight639
http://www.youtube.com/watch?v=9NIdtlEsIe8