Category archive: openwrt

Linux distribution for embedded devices.
Instead of trying to create a single, static firmware, OpenWrt provides a fully writable filesystem with package management. This frees you from the application selection and configuration provided by the vendor and allows you to customize the device through the use of packages to suit any application. For developers, OpenWrt is the framework to build an application without having to build a complete firmware around it; for users this means the ability for full customization, to use the device in ways never envisioned.

ea6200 AC900 linksys open the case tty console

bricked device !

ea6200 linksys router

Broadcom BCM47081A0
Gigabit in BCM47081A0

RAM 128MB
FLASH 128MB
Broadcom BCM43217
2×2 802.11b/g/n transceiver
Broadcom BCM4352
2×2 802.11a/b/g/n/ac transceiver
RFMD RFFM4501
802.11a/n/ac Front End Module (x3)

1 console

The ea6200 Linksys router actually has two serial console headers. One of them has 4 pins, from left to right:
VCC   # should not be connected
TX    # this one is connected with the yellow cable and goes to RX on the UART adapter
RX    # and here exactly the other way round
GND   # ground should always be connected first; ideally the router should be powered off while connecting, so that you can also watch the boot process

The parameters to pass to screen, cu, minicom etc. are 115200 8n1.

Before playing around you should definitely back up the CFE.

At the beginning it is possible to pass uboot params.
Typing "help" into the console gives an overview of all available commands:
 
Available commands:
mfg                 Do a verify functionality of the major H/W components: nand flash/led/buttons
gpio                GPIO pins control
flashrw             Flash Read/Write.
devinfo             devinfo utility.
nvram               NVRAM utility.
reboot              Reboot.
set console         Change the active console device
loop                Loop a command
flash               Update a flash memory device
memtest             Test memory.
f                   Fill contents of memory.
e                   Modify contents of memory.
d                   Dump memory.
u                   Disassemble instructions.
batch               Load a batch file into memory and execute it
go                  Verify and boot OS image.
boot                Load an executable file into memory and execute it
load                Load an executable file into memory without executing it
save                Save a region of memory to a remote file via TFTP
ping                Ping a remote IP host.
arp                 Display or modify the ARP Table
ifconfig            Configure the Ethernet interface
show clocks         Show current values of the clocks.
show heap           Display information about CFE’s heap
show memory         Display the system physical memory map.
show devices        Display information about the installed devices.
unsetenv            Delete an environment variable.
printenv            Display the environment variables
setenv              Set an environment variable.
help                Obtain help for CFE commands
 
 
 
 
 
 
Decompressing…done
Decompressing…done
Found a Samsung NAND flash:
Total size:  128MB
Block size:  128KB
Page Size:   2048B
OOB Size:    64B
Sector size: 512B
Spare size:  16B
ECC level:   8-bit
Device ID: 0xec 0xf1 0x00 0x95 0x40
find_devinfo: devinfo block found at 0x00180000!
CFE version 6.39.163.14 (r374748) based on BBP 1.0.37 for BCM947XX (32bit,SP,)
Build Date: Tue Jun 11 11:59:51 CST 2013 (proc@f8acerpro), for the WG9116FAC22_88 board
Copyright (C) 2000-2008 Broadcom Corporation.
Copyright (C) 2013 Arcadyan Corporation.
WG9116FAC22_88 board, flashing LED…
Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
DDR Clock: 400 MHz
Info: DDR frequency set from clkfreq=800,*400*
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 6.39.163.14 (r374748)
CPU type 0x0: 800MHz
Tot mem: 131072 KBytes
CFE mem:    0x00F00000 – 0x0109240C (1647628)
Data:       0x00F58A9C – 0x00F58FC0 (1316)
BSS:        0x00F58FD0 – 0x00F9040C (226364)
Heap:       0x00F9040C – 0x0109040C (1048576)
Stack:      0x0109040C – 0x0109240C (8192)
Text:       0x00F00000 – 0x00F4C2B4 (311988)
Boot:       0x01093000 – 0x010D3000
Reloc:      I:00000000 – D:00000000
Boot version: v0.5.6
Device eth0:  hwaddr 98-FC-11-F3-5A-F3, ipaddr 192.168.10.2, mask 255.255.255.0
        gateway not set, nameserver not set
 
CFE>
 
Variable Name        Value
-------------------- --------------------------------------------------
BOOT_CONSOLE         uart0
CFE_VERSION          1.0.37
CFE_BOARDNAME        BCM947XX
CFE_MEMORYSIZE       131072
NET_DEVICE           eth0
NET_IPADDR           192.168.10.2
NET_NETMASK          255.255.255.0
NET_GATEWAY          0.0.0.0
NET_NAMESERVER       0.0.0.0
STARTUP              go;
*** command status = 0

openwrt spoof all to local web server

A very simple redirect.

In /etc/config/firewall:

config redirect
	option src lan
	option proto tcp
	option src_dport 80
	# the router's own local IP address, which should not be spoofed; all other sources are
	option src_ip !192.168.1.1
	# for the HTTP port
	option dest_port 80
	# the requests should end up here, on the router
	option dest_ip 192.168.1.1
	option target DNAT

# and the same again for HTTPS
config redirect
	option src lan
	option proto tcp
	option src_dport 443
	option src_ip !192.168.1.1
	option dest_port 443
	option dest_ip 192.168.1.1
	option target DNAT

In addition, add this to /etc/config/dhcp:

config 'domain'
	option name '#'
	option ip '192.168.1.1'

These should be commented out:

#list rebind_domain example.lan
#option local '/lan/'
#option domain 'lan'
#list server '/mycompany.local/1.2.3.4'
#option nonwildcard 1
#list interface br-lan
#list notinterface lo
#list bogusnxdomain '64.94.110.11'

HORNET U-BOARD X2 64/16 aka UB64

Original UB64 files, in case someone needs them:

ART.bin          2016-05-18 03:54   64K
NVRAM.bin        2016-05-18 03:54   64K
rootfs.bin       2016-05-18 03:54   14M
u-boot-env.bin   2016-05-18 03:54   64K
u-boot.bin       2016-05-18 03:54   256K
uImage.bin       2016-05-18 03:54   1.6M

http://dl.raimond.at/hornet-ux2/

tftpboot 0x80600000 kernel.bin
erase 0x9fe50000 +0x190000
cp.b 0x80600000 0x9fe50000 120000

tftp 0x80600000 rootfs.bin
erase 0x9f050000 +0xE00000
cp.b 0x80600000 0x9f050000 240000

 

pineapple

Lost my Pineapple Mark 5, alias MK5, in Peru.

So I wanted to get a new one and saw there is a Pineapple Nano and Tetra available at Hak5.

I grabbed the firmware and binwalked it.
(get it from GitHub or via apt)

Cut kernel, rootfs etc. out of the upgrade file. Here is the rootfs as a bin; just unsquash it or get it extracted here:

http://dl.raimond.at/pineapple/

Bought myself a Hornet board with 64, named X2.

The original Hornet X board firmware is also available in all its parts (rootfs, kernel etc.), also cut from the firmware upgrade file:

http://dl.raimond.at/hornet-ux2/

HORNET UBOARD ALFA + USBHUB+ RTL8187

ea6200

linksys ea6200

Let's download the original firmware from Linksys.
binwalk FW_EA6200_1.1.41.164830_prod.img
I renamed it to ea6200_direct.img.
Let's binwalk a little bit.

http://www.devttys0.com/tag/binwalk/

We see:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             TRX firmware header, little endian, header size: 28 bytes, image size: 14577664 bytes, CRC32: 0xF1AEBE86 flags: 0x0, version: 1
28            0x1C            LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4867904 bytes
1990256       0x1E5E70        Squashfs filesystem, little endian, version 4.0, compression:lzma (non-standard type definition), size: 12585799 bytes,  2986 inodes, blocksize: 131072 bytes, created: Mon Dec 22 10:14:57 2014

Let's cut the TRX header out.
cli:
dd if=ea6200_direct.img of=trx_header.bin bs=1 count=28

We get a file called trx_header.bin.
Next, let's cut the LZMA out. It starts at offset 28 and ends where the Squashfs begins (1990256), so it is 1990256 - 28 = 1990228 bytes long.
cli:
dd if=ea6200_direct.img of=lzma.bin bs=1 skip=28 count=1990228
We get a file called lzma.bin.
Last is the rootfs:
dd if=ea6200_direct.img of=squashfs_rootfs.bin bs=1 skip=1990256
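
The offsets used in the dd commands above are also stored in the TRX header itself, so they can be read and integrity-checked before anything is carved or flashed. The following Python code is an added example, not part of the original post; it assumes the standard TRX v1 layout (magic HDR0, length, CRC32, flags/version and three partition offsets in the 28-byte header) and runs on a small constructed image. The helper build_sample_trx and the fw.img / part_*.bin file names are made up for the illustration.

```python
import struct
import zlib

TRX_MAGIC = b"HDR0"
# magic, length, crc32, flags, version, three partition offsets (assumed v1 layout)
TRX_V1_HEADER = struct.Struct("<4sIIHH3I")


def trx_crc(payload: bytes) -> int:
    """TRX stores the CRC-32 without the final bit inversion that zlib applies."""
    return ~zlib.crc32(payload) & 0xFFFFFFFF


def parse_trx(image: bytes) -> dict:
    """Validate a TRX v1 header and return the byte range of each partition."""
    if len(image) < TRX_V1_HEADER.size:
        raise ValueError("image shorter than a TRX header")
    magic, length, crc, flags, version, *offsets = TRX_V1_HEADER.unpack_from(image)
    if magic != TRX_MAGIC or version != 1:
        raise ValueError("not a TRX v1 image")
    if length > len(image):
        raise ValueError("header length exceeds file size (truncated image)")
    # The checksum covers everything from the flags field (offset 12) up to `length`.
    if trx_crc(image[12:length]) != crc:
        raise ValueError("CRC32 mismatch")
    # Unused partition slots are 0; each partition ends where the next one begins.
    starts = [o for o in offsets if o]
    if starts != sorted(starts) or any(not 28 <= o < length for o in starts):
        raise ValueError("partition offsets out of range")
    bounds = starts + [length]
    return {"length": length, "flags": flags, "version": version,
            "partitions": list(zip(bounds[:-1], bounds[1:]))}


def build_sample_trx(parts: list) -> bytes:
    """Constructed test input: pack up to three `parts` behind a valid v1 header."""
    offsets, pos = [], TRX_V1_HEADER.size
    for part in parts:
        offsets.append(pos)
        pos += len(part)
    offsets += [0] * (3 - len(parts))
    body = struct.pack("<HH3I", 0, 1, *offsets) + b"".join(parts)
    return struct.pack("<4sII", TRX_MAGIC, 12 + len(body), trx_crc(body)) + body


if __name__ == "__main__":
    sample = build_sample_trx([b"K" * 100, b"hsqs" + b"R" * 60])
    for start, end in parse_trx(sample)["partitions"]:
        print(f"dd if=fw.img of=part_{start:#x}.bin bs=1 skip={start} count={end - start}")
```

A CRC mismatch or a length larger than the file means the download is damaged or was modified after it was built, which is worth knowing before writing it to a router that is already bricked once.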

Hornet-uboard

Available through pineapple repository from hak5

some missing  packages in normal openwrt