ASUS has settled a lawsuit with the FTC over its home routers’ vulnerabilities and has agreed to implement a security program that will be independently audited for the next 20 years.

In February 2014, thousands of Asus router owners found a disturbing text file saved to their devices.

“This is an automated message being sent out to everyone effected [sic],” the message read. “Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection.” The anonymous sender then urged the readers to visit a site that explained more about the router vulnerability.

Ars’ Dan Goodin suggests it should be regarded as a wake-up call not only for other router manufacturers, but for the entire IoT industry as well.

Read more about it here.

OpenWrt for the Buffalo WBMR-HP-G300H comes with the ADSL annex B (ISDN) firmware pre-installed.

To install the more commonly used annex A (PSTN) firmware, proceed as follows:

1. First remove the annex B firmware:

opkg remove kmod-ltq-adsl-ar9-fw-b

2. Download the annex A firmware from OpenWrt.

3. Copy the firmware to the modem. On Windows you can use PuTTY’s pscp. On Linux you can use scp. Here I’m using pscp at a DOS prompt to copy kmod-ltq-adsl-ar9-fw-a_0.1-1_lantiq.ipk to 192.168.1.1 as fw.ipk.

>pscp -scp kmod-ltq-adsl-ar9-fw-a_0.1-1_lantiq.ipk root@192.168.1.1:fw.ipk
root@192.168.1.1's password:
kmod-ltq-adsl-ar9-fw-a_0. | 187 kB | 187.5 kB/s | ETA: 00:00:00 | 100%
>

The package will be copied to the root user’s home folder as fw.ipk:

root@OpenWrt:~# ls
fw.ipk
root@OpenWrt:~#

If you’re using scp on Linux, the command is similar:

scp kmod-ltq-adsl-ar9-fw-a_0.1-1_lantiq.ipk root@192.168.1.1:fw.ipk

4. Install the firmware:

root@OpenWrt:~# opkg install fw.ipk
Installing kmod-ltq-adsl-ar9-fw-a (0.1-1) to root...
Configuring kmod-ltq-adsl-ar9-fw-a.
root@OpenWrt:~#

… and you are done!

If you have any questions or if you spotted any errors or omissions, please leave me a comment.

Don’t use UNetbootin to write Fedora 22 to a USB stick – you’ll get boot errors like the following:

dracut-initqueue[434]: Warning: Could not boot.
systemd[1]: Received SIGRTMIN+20 from PID 436 (plymouthd).
dracut-initqueue[434]: Warning: /dev/disk/by-label/Fedora-Live-WS-x86_64-22-3 does not exist
dracut-initqueue[434]: Warning: /dev/mapper/live-rw does not exist
systemd[1]: Starting Dracut Emergency Shell...
systemd[1]: Received SIGRTMIN+21 from PID 436 (plymouthd).

Fedora recommends using direct write methods to create the USB stick – check http://bit.ly/1efYWBu

In my previous post I showed you how to install OpenWrt 14.07 on the Buffalo WBMR-HP-G300H. In this post I’ll show you how you can restore the original Buffalo firmware. Numerous posts on the internet claim that going back to the original firmware is impossible once you’ve installed OpenWrt or DD-WRT. This is not true. If you’ve installed OpenWrt or DD-WRT on your WBMR-HP-G300H and you wish to go back to the original Buffalo firmware, keep reading.

Note to DD-WRT users: to restore the original Buffalo firmware you need to switch to OpenWrt first. You can check my previous post for instructions on installing OpenWrt.

With OpenWrt installed on the WBMR-HP-G300H, what prevents you from restoring the original Buffalo firmware once you’ve downloaded it from Buffalo’s site is that the firmware is encrypted. You need to decrypt the firmware (and also remove a header) before you try flashing it. The whole process is outlined by n0r1n0x in his excellent post here and I’ll be following it below. Briefly, here’s what needs to be done: to decrypt the firmware we’re going to get OpenWrt’s source files, compile the decryption program, modify the firmware, decrypt it and, lastly, flash it. Let’s begin.

1. Download the OpenWrt source files

Open a terminal window and issue the following command:

git clone git://git.openwrt.org/14.07/openwrt.git

This will download the OpenWrt source files in the openwrt directory (the directory will be created for you).

2. Locate, edit and compile buffalo-enc.c

The file buffalo-enc.c should be in /openwrt/tools/firmware-utils/src. Open it with a text editor and add the following line to the top:

#include "buffalo-lib.c"

Save the file and compile it with the command below:

gcc -o buffalo-enc buffalo-enc.c

We will use buffalo-enc to decrypt the firmware image in a moment.

3. Edit the encrypted firmware

Before decrypting the Buffalo firmware we need to strip off the first start section (if you haven’t already downloaded the original firmware, you can download it from here). Open wbmrhpg300h-179 with a hex editor, select the first 228 bytes (up until but not including the second start) and delete them.

Removing the first start section from the encrypted firmware.

Save the edited firmware as encrypted_fw and close the hex editor.

4. Decrypt the firmware

Decrypt the firmware by issuing:

buffalo-enc -d -i encrypted_fw -o decrypted.bin

The decrypted firmware will be saved as decrypted.bin.

For your convenience I have uploaded the decrypted firmware to OneDrive. You can find it here.

MD5: b4318c88e1aa472a1c299281e16061a0 – SHA1: 6f69f931d1bd09de2e516ee42fd8b780ee726a4a

5. Flash

Log in to the OpenWrt admin page and go to System –> Backup/Flash Firmware. Under the “Flash new firmware image” section choose the decrypted firmware image and press Flash image.

About to flash the original firmware.

You will be asked to verify that you uploaded the correct image. Click Proceed and the flash process will begin. After a few minutes the modem will reboot once or twice. Do not power off the modem. The process will take a few minutes to complete. Renew your Ethernet connection and reconnect to the modem (the default IP is now 192.168.11.1). The original Buffalo firmware is now restored!

Buffalo WBMR-HP-G300H firmware v1.79 restored.
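
Steps 3 and 4 can be scripted so that the cut is made only when the file has the layout described in step 3, and so that an image is checked against the SHA1 given in step 4 before it is flashed. This is an added example, not part of the original post or of n0r1n0x’s procedure; the function names and the assumption that the marker is the literal ASCII text start are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed layout: the vendor file
# begins with the ASCII marker "start" and a second "start" sits at offset 228.
HEADER_LEN=228   # bytes removed in step 3
MARKER=start     # assumed section marker

# Print the 5 bytes found at byte offset $2 of file $1.
marker_at() {
    dd if="$1" bs=1 skip="$2" count=5 2>/dev/null
}

# strip_first_section SRC DST: copy SRC minus its first 228 bytes to DST,
# refusing to cut unless both markers are where step 3 expects them.
strip_first_section() {
    src=$1 dst=$2
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 2; }
    [ "$(marker_at "$src" 0)" = "$MARKER" ] &&
    [ "$(marker_at "$src" "$HEADER_LEN")" = "$MARKER" ] ||
        { echo "unexpected layout, not cutting: $src" >&2; return 1; }
    tail -c +"$((HEADER_LEN + 1))" "$src" > "$dst"
}

# verify_sha1 FILE EXPECTED_HEX: succeed only if FILE's SHA1 matches.
verify_sha1() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
    actual=$(sha1sum "$1" | cut -d' ' -f1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ] ||
        { echo "SHA1 mismatch for $1: got $actual" >&2; return 1; }
}

# Order of use with the file names from this post:
#   strip_first_section wbmrhpg300h-179 encrypted_fw
#   ./buffalo-enc -d -i encrypted_fw -o decrypted.bin
#   verify_sha1 decrypted.bin 6f69f931d1bd09de2e516ee42fd8b780ee726a4a
```

If verify_sha1 reports a mismatch, the file is not the one the published hash was computed from and should not be flashed.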

If you have any questions or if you spotted any errors or omissions, please leave me a comment.

The Buffalo WBMR-HP-G300H is a little beast of a modem/router, based on the Lantiq AR9 SoC family, and built on the following hardware:

Type    Part                               Notes
CPU     Lantiq XWAY ARX168 PSB 50810 EL    MIPS 34Kc @ 333MHz
Flash   Macronix MX29GL256ELT2I-90Q        32MB
RAM     Samsung K4H511638F-LCCC            64MB @ 166MHz
Switch  Atheros AR8316                     ?
WiFi    Atheros AR9223                     IEEE 802.11 b/g/n

The modem officially supports DD-WRT but we will be installing OpenWrt Barrier Breaker.

There are two ways of getting OpenWrt on the WBMR-HP-G300H. You can either install OpenWrt through DD-WRT (provided, of course, you’ve installed DD-WRT first) or you can talk to the modem’s bootloader via TFTP and upload an OpenWrt image. In this post I’ll be taking the DD-WRT route, which is really simple. Let’s begin.

Step 1: Install DD-WRT

If DD-WRT is not already installed on the modem (i.e. the modem is running the official Buffalo firmware), you need to install it. Download buffalo_to_dd-wrt_MULTI.enc from DD-WRT’s website and save it on your hard-drive. Turn on the modem and connect to 192.168.11.1. The default username is root, the password is blank. (Note: use IE or Opera, otherwise the pages won’t render properly). Now navigate to Admin Config/Update. Choose the file you just downloaded from DD-WRT’s website and press Update Firmware.

Updating to DD-WRT.

After you press Update Firmware you need to wait for about 6-7 minutes. A progress bar will be displayed in the browser to let you know how far along the process has got. Once the update is complete you should renew your ethernet connection. The new router ip will be 192.168.1.1.

Step 2: Flash OpenWrt

With DD-WRT installed we can proceed to flashing OpenWrt. From OpenWrt’s website download openwrt-lantiq-xway-WBMR-squashfs.image and save it on a USB stick (formatted either as ext2/3 or FAT32). Log in to the DD-WRT admin page at 192.168.1.1 (on first access you will be prompted to set a new password) and navigate to Services/USB. We will enable USB support in order to copy the OpenWrt image from the USB stick to the modem’s internal storage. To do so, enable Core USB Support, USB Storage Support and Automatic Drive Mount, as pictured below, and apply settings.

Enabling USB support on DD-WRT.

With USB support enabled, plug your USB stick into the modem. Telnet to the modem at 192.168.1.1 and log in with username root (even if you have changed the username!) and the password you previously set. You can see below that, in my case, my USB stick has been mounted on /tmp/mnt/sda_part1.

The USB stick has been mounted on /tmp/mnt/sda_part1/.

We are now ready to flash OpenWrt. Change to the directory where the stick is mounted and issue the following command:

mtd -r write openwrt-lantiq-xway-WBMR-squashfs.image linux

This will write OpenWrt to the modem’s flash storage.

Writing OpenWrt.

The telnet connection will be closed once the write is complete. At this point you have to wait while the modem boots OpenWrt for the first time. Do not turn off the modem. Once the modem is ready you will be able to ping it and telnet to it at 192.168.1.1 again.

Connecting to OpenWrt for the first time.

Congratulations, OpenWrt Barrier Breaker is now installed.

If you have any questions or if you spotted any errors or omissions, please leave me a comment.

In a previous post I described how you can backup the flash image of the Netfaster WLAN 3. In this post I’ll show you how you can restore the image by writing directly to the modem’s flash.

To restore the image we will be using the following hardware and software:

  • Bus Pirate to connect computer and modem flash chip.
  • (Optional) Pomona 5250 SOIC 8-pin Test Clip, to simplify the task of attaching the Bus Pirate to the flash chip.
  • flashrom to perform the write to flash.

(I admit that the 5250 Test Clip is an expensive little piece of equipment – currently going for about $12 – but I find that it is nearly impossible to connect directly to the flash chip otherwise; the chip pins are 0.41 mm wide, spaced 1.27 mm apart. Perhaps you could try one of these (just the cable and clip) instead of the 5250; they should be cheaper. As I said above, this is optional).

The flash chip is depicted below. It is the Macronix (MXIC) MX25L1606E M2 (2 MB, SPI, 200mil 8-SOP).

The Netfaster WLAN 3 PCB. The position of the flash chip is shown.

Implement the following connection between Bus Pirate and flash chip. The modem must be turned off.

The Bus Pirate connected to the flash chip.

Bus Pirate pin    Flash chip pin
CS                1
MISO              2
3.3v              3
GND               4
MOSI              5
CLK               6
3.3v              7
3.3v              8

Now connect the Bus Pirate to your computer via USB.

With the connection in place, we are ready to write the image file to the flash. (Here is the image backup I created in that previous post).

Do not turn on the modem. If you do, flashrom won’t be able to write to the flash. Assuming the image backup is named fw.bin and that you have installed flashrom (sudo apt-get install flashrom on Ubuntu, else check http://flashrom.org/Downloads), open a command terminal and issue the following command:

$ sudo flashrom -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -w fw.bin

This will start the process of writing fw.bin to the flash. You will get the following output:

flashrom v0.9.6.1-r1563 on Linux 3.13.0-37-generic (x86_64)
flashrom is free software, get the source code at http://www.flashrom.org

Calibrating delay loop... OK.
Found Macronix flash chip "MX25L1605" (2048 kB, SPI) on buspirate_spi.
Reading old flash chip contents... done.
Erasing and writing flash chip... Erase/write done.
Verifying flash... VERIFIED.          
$

The whole process lasts about 12 minutes, with the ‘Reading old flash contents’ and ‘Verifying flash’ stages taking the most time. Just be patient. Notice that flashrom v0.9.6.1 reports having found an MX25L1605 flash chip, even though the modem uses an MX25L1606E. This is OK.

Once the process is completed you can disconnect the Bus Pirate and boot the modem. You should be good to go!

One last note: when you attempt to run flashrom, you may get an error along the lines of:

Found Generic flash chip "unknown SPI chip (RDID)" (0 kB, SPI) on buspirate_spi.
===
This flash part has status NOT WORKING for operations: PROBE READ ERASE WRITE

In this case proceed as follows:

  1. Disconnect the Bus Pirate from the computer USB port (not from the modem).
  2. With the modem PSU connected, do a quick on/off of the modem. Turn it on, wait 2 seconds, turn it off.
  3. Disconnect the modem PSU.
  4. Again do a quick on/off without the PSU connected.
  5. Connect the modem PSU but do not turn on the modem.
  6. Lastly, connect the Bus Pirate via USB, and rerun flashrom.

flashrom should now be able to identify the modem’s flash chip properly.

(I admit that the above procedure seems a bit like voodoo to me, but it’s the only way I’ve found to make flashrom identify the chip. Can anybody explain what is going on behind the scenes?)

If you have any questions or if you spotted any errors or omissions, please leave me a comment.

A recent Naked Security post reports that D-Link’s DSL-2740R modem/router is vulnerable to DNS hijacking and traffic rerouting. According to the post, the vulnerability lies in the ZynOS firmware used by the device. ZynOS is a proprietary operating system made by ZyXEL.

The flaw apparently allows an attacker to access the device’s web interface without the need for authentication.

If an administration panel is exposed to the internet – and we strongly recommend that you don’t do this! – then outsiders may be able to access and reconfigure your device’s DNS setting from afar.

The author suggests that the popularity of ZynOS means that other D-Link devices might be vulnerable too, as well as devices manufactured by TP-Link, ZTE and of course, I might add, ZyXEL.

ComputerWorld, reporting on the same vulnerability, suggests that the flaw could be exploited by CSRF attacks, even if the device’s configuration panel is only accessible from the LAN.

DSL-2740R is a wireless ADSL2+ modem router that is not in production anymore; the latest firmware available on D-Link’s website is version 1.01b02, released almost two years ago, on 22-Feb-2013, for revision B devices.

You can find the Naked Security post here.

If you have any questions or if you spotted any errors or omissions, please leave me a comment.