Recon

The first step in any security test is to gather information about the target using publicly available information.

Since the router uses RF communication, it will have an FCC id - a unique code that identifies and certifies that an electronic device meets FCC standards for wireless communication in the US. This id will typically be under the router.

As these certifications are publicly avaliable on the internet, I can search the FCC id to see a variety of device-related documents including internal pictures of the device. This will help me to identify internal components, interfaces, debug ports, and other specifications without diassemblying the device myself.

Using the above internal pictures of the router from the FCC report, I was able to identify 4 important components:

1. RAM
2. System On Chip (SOC Chip) - combines many elements of a computer system onto a single chip eg. CPU, GPU, memory.
3. Read Only Memory (ROM chip) - contains the device's firmware flash. A firmware contains important instructions for the hardware to operate and interface with software.
4. UART Interface - used for serial communication with the device. I can use this interface to get a root shell on the device.

Cracking the hardware

To confirm I correctly identified the above components, I cracked the router opened and looked up the parts number online:

In addition to confirming my identification of the components from online reconnisance, I also learned that the ROM chip is an EEPROM. An EEPROM is a type of ROM chip which can be erased and reprogrammed using a programmer. Thus, I can extract, read, modify, and write firmware to the ROM chip of the router.

Communicating with software

As far as I know, there are two primary ways to interact with the router's software:

1. Using the UART Interface: This method allows me to connect to the router's hardware interface and gain a root shell, providing direct access to the operating system and its functionalities.
2. Extracting and Modifying Firmware: I can read or write the router's firmware by interfacing with the EEPROM chip. This involves analysing or updating the foundational software that controls the device's operation.

Interface 1 - UART

This interface is used for serial communication with the device which can be typically identified by 4 pins that are unpopulated on the PCB board:

To interact with the UART interface, you would need an UART adapter which I don't have :(

This means I won't be able to obtain a shell on the device.

Interface 2 - Extracting and Modifying the Firmware

By extracting and analysing the router's firmware, I can understand its structure and functionality without executing it on the router itself, in contrast to obtaining a shell through the UART method. This offline analysis makes intrusion detection less likely as I've copied the software in an isolated environment away from the router which bypasses runtime protections/logs.

There are two ways to obtain the router's firmware:

1. Downloading the firmware from the vendor's website. This is the easiest method but relies on the firmware being publicly available which isn't always the case + boringg
2. Extract the firmware using an SPI programmer

To extract the firmware from the EEPROM chip, I used a CH341A SPI programmer, and a SOP8 flash clip + socket to connect the programmer to the EEPROM chip.

CH341A SPI programmer:

Programmer + Flash Clip + Socket:

Putting the tool together:

Attaching the programmer to the EEPROM chip:

Once the programmer is attached to the EEPROM chip, I connected it to my laptop and used the AsProgrammer software to extract the router's firmware:

Firmware Analysis

Using Binwalk, it was able to identify the firmware contains a Squashfs file system:

The file system of a firmware can reveal lots of valuable information such as scripts, config files, hardcoded credentials, and many more.

Using Binwalk, I was able to extract and navigate the filesystem - the first step in hacking any device.

Upon exploring the file system, I noticed a credentials file at /etc/passwd.bak which contains the encrypted passwords to user accounts.

Admin seems to have a $1 (MD5crypt) password which Hashcat was able to crack:

So "1234" is admin/root's password which is probably the default credentials considering how simple it is. I could use this insight to login as root on the shell when connecting to the router's serial port (UART). This highlights to me how important it is to not keep default credentials (easy to crack, can find online) and to use complicated passwords to make bruteforcing impractical.

To be continued ???

As I mentioned before, having access to a device's filesystem is the first step in hacking any device. I was able to achieve this by extracting the router's firmware from the EEPROM chip with a programmer. With this access, I can statically analyse the router's firmware for vulnerabilities. From my analysis so far, I was able to identify weak passwords and how the firmware is unencrypted - allowing for unauthorised access and modification of the device's firmware.

I will update this page with any further findings I can find!