Archive

Tag Archives: Modem

OpenWrt for the Buffalo WBMR-HP-G300H comes with the ADSL annex B (ISDN) firmware pre-installed.

OpenWrt for the Buffalo WBMR-HP-G300H comes with the annex B ADSL firmware pre-installed.

OpenWrt for the Buffalo WBMR-HP-G300H comes with the ADSL annex B firmware pre-installed.

To install the more commonly used annex A (PSTN) firmware, proceed as follows:

1. First remove the annex B firmware:

opkg remove kmod-ltq-adsl-ar9-fw-b

2. Download the annex A firmware from OpenWrt.

3. Copy the firmware to the modem. On Windows you can use PuTTY’s pscp. On Linux you can use scp. Here I’m using pscp at a DOS prompt to copy kmod-ltq-adsl-ar9-fw-a_0.1-1_lantiq.ipk to 192.168.1.1 as fw.ipk.

>pscp -scp kmod-ltq-adsl-ar9-fw-a_0.1-1_lantiq.ipk root@192.168.1.1:fw.ipk
root@192.168.1.1's password:
kmod-ltq-adsl-ar9-fw-a_0. | 187 kB | 187.5 kB/s | ETA: 00:00:00 | 100%
>

The package will be copied to the root user’s home folder as fw.ipk:

root@OpenWrt:~# ls
fw.ipk
root@OpenWrt:~#

If you’re using scp on Linux, the command is similar: scp kmod-ltq-adsl-ar9-fw-a_0.1-1_lantiq.ipk root@192.168.1.1:fw.ipk .

4. Install the firmware:

root@OpenWrt:~# opkg install fw.ipk
Installing kmod-ltq-adsl-ar9-fw-a (0.1-1) to root...
Configuring kmod-ltq-adsl-ar9-fw-a.
root@OpenWrt:~#

… and you are done!

If you have any questions or if you spotted any errors or omissions, please leave me a comment.

Advertisements

In my previous post I showed you how to install OpenWrt 14.07 on the Buffalo WBMR-HP-G300H. In this post I’ll show you how you can restore the original Buffalo firmware. Numerous posts on the internet claim that going back to the original firmware is impossible once you’ve installed OpenWrt or DD-WRT. This is not true. If you’ve installed OpenWrt or DD-WRT on your WBMR-HP-G300H and you wish to go back to the original Buffalo firmware, keep reading.

Note to DD-WRT users: to restore the original Buffalo firmware you need to switch to OpenWrt first. You can check my previous post for instructions on installing OpenWrt.

With OpenWrt installed on the WBMR-HP-G300H, what prevents you from restoring the original Buffalo firmware once you’ve downloaded it from Buffalo’s site is that the firmware is encrypted. You need to decrypt the firmware (and also remove a header) before you try flashing it. The whole process is outlined by n0r1n0x in his excellent post here and I’ll be following it below. Briefly, here’s what needs to be done: to decrypt the firmware we’re going to get OpenWrt’s source files, compile the decryption program, modify the firmware, decrypt it and, lastly, flash it. Let’s begin.

1. Download the OpenWrt source files

Open a terminal window and issue the following command:

git clone git://git.openwrt.org/14.07/openwrt.git

This will download the OpenWrt source files in the openwrt directory (the directory will be created for you).

2. Locate, edit and compile buffalo-enc.c

The file buffalo-enc.c should be in /openwrt/tools/firmware-utils/src. Open it with a text editor and add the following line to the top:

#include "buffalo-lib.c"

Save the file and compile it with the command below:

gcc -o buffalo-enc buffalo-enc.c

We will use buffalo-enc to decrypt the firmware image in a moment.

3. Edit the encrypted firmware

Before decrypting the Buffalo firmware we need to strip off the first start section (if you haven’t already downloaded the original firmware, you can download it from here). Open wbmrhpg300h-179 with a hex editor, select the first 228 bytes (up until but not including the second start) and delete them.

Removing the first start section from the encrypted firmware.

Removing the first start section from the encrypted firmware.

Save the edited firmware as encrypted_fw and close the hex editor.

4. Decrypt the firmware

Decrypt the firmware by issuing:

buffalo-enc -d -i encrypted_fw -o decrypted.bin

The decrypted firmware will be saved as decrypted.bin.

For your convenience I have uploaded the decrypted firmware to OneDrive.You can find it here.

MD5: b4318c88e1aa472a1c299281e16061a0 – SHA1: 6f69f931d1bd09de2e516ee42fd8b780ee726a4a

5. Flash

Login to the OpenWrt admin page and go to System –> Backup/Flash Firmware. Under the “Flash new firmware image” section choose the decrypted firmware image and press Flash image.

About to flash the original firmware.

About to flash the original firmware.

You will be asked to verify that you uploaded the correct image. Click proceed and the flash process will begin. The modem will reboot after a few minutes once or twice. Do not power off the modem. The process will take a few minutes to complete. Renew your ethernet connection and reconnect to the modem (default ip now is 192.168.11.1). The original Buffalo firmware is now restored!

Buffalo WBMR-HP-G300H firmware v1.79 restored.

Buffalo WBMR-HP-G300H firmware v1.79 restored.

If you have any questions or if you spotted any errors or omissions, please leave me a comment.

The Buffalo WBMR-HP-G300H is a little beast of a modem/router, based on the Lantiq AR9 SoC family, and built on the following hardware:

Type Part Notes
CPU Lantiq XWAY ARX168 PSB 50810 EL MIPS 34Kc @ 333MHz
Flash Macronix MX29GL256ELT2I-90Q 32MB
RAM Samsung K4H511638F-LCCC 64MB @ 166MHz
Switch Atheros AR8316 ?
WiFi Atheros AR9223  IEEE 802.11 b/g/n

The modem officially supports DD-WRT but we will be installing OpenWrt Barrier Breaker.

There are two ways of getting OpenWrt on the WBMR-HP-G300H. You can either install OpenWrt through DD-WRT (provided, of course, you’ve installed DD-WRT first) or you can talk to the modem’s bootloader via TFTP and upload an OpenWrt image. In this post I’ll be taking the DD-WRT route, which is really simple. Let’s begin.

Step 1: Install DD-WRT

If DD-WRT is not already installed on the modem (i.e. the modem is running the official Buffalo firmware), you need to install it. Download buffalo_to_dd-wrt_MULTI.enc from DD-WRT’s website and save it on your hard-drive. Turn on the modem and connect to 192.168.11.1. The default username is root, the password is blank. (Note: use IE or Opera, otherwise the pages won’t render properly). Now navigate to Admin Config/Update. Choose the file you just downloaded from DD-WRT’s website and press Update Firmware.

Updating to DD-WRT.

Updating to DD-WRT.

After you press Update Firmware you need to wait for about 6-7 minutes. A progress bar will be displayed in the browser to let you know how far along the process has got. Once the update is complete you should renew your ethernet connection. The new router ip will be 192.168.1.1.

Step 2: Flash OpenWrt

With DD-WRT installed we can proceed to flashing OpenWrt. From OpenWrt’s website download openwrt-lantiq-xway-WBMR-squashfs.image and save it on a USB stick (formatted either as ext2/3 or FAT32). Login to the DD-WRT admin page at 192.168.1.1 (on first access you will be prompted to set a new password) and navigate to Services/USB. We will enable USB support in order to copy the OpenWrt image from the USB stick to the modem’s internal storage. To do so, enable Core USB Support, USB Storage Support and Automatic Drive Mount, as pictured below, and apply settings.

Enabling USB support.

Enabling USB support on DD-WRT.

With USB support enabled, plug-in your USB stick to the modem. Telnet to the modem at 192.168.1.1 and login with username root (even if you have changed the username!) and the password you previously set. You can see below that, in my case, my USB stick has been mounted on /tmp/mnt/sda_part1.

The USB stick has been mounted on /tmp/mnt/sda_part1/.

We are now ready to flash OpenWrt. Change to the directory where the stick is mounted and issue the following command:

mtd -r write openwrt-lantiq-xway-WBMR-squashfs.image linux

This will write OpenWrt to the modem’s flash storage.

Writing OpenWrt.

Writing OpenWrt.

The telnet connection will be closed once the write is complete. At this point you have to wait while the modem boots OpenWrt for the first time. Do not turn off the modem. Once the modem is ready you will be able to ping it and telnet to it at 192.168.1.1 again.

Connecting to OpenWrt for the first time.

Connecting to OpenWrt for the first time.

Congratulations, OpenWrt Barrier Breaker is now installed.

If you have any questions or if you spotted any errors or omissions, please leave me a comment.

In a previous post I described how you can backup the flash image of the Netfaster WLAN 3. In this post I’ll show you how you can restore the image by writing directly to the modem’s flash.

To restore the image we will be using the following hardware and software:

  • Bus Pirate to connect computer and modem flash chip.
  • (Optional) Pomona 5250 SOIC 8-pin Test Clip, to simplify the task of attaching the Bus Pirate to the flash chip.
  • flashrom to perform the write to flash.

(I admit that the 5250 Test Clip is an expensive little piece of equipment – currently going for about $12 – but I find that it is nearly impossible to connect directly to the flash chip otherwise; the chip pins are 0.41 mm wide, spaced 1.27 mm apart. Perhaps you could try one of these (just the cable and clip) instead of the 5250; they should be cheaper. As I said above, this is optional).

The flash chip is depicted below. It is the Macronix (MXIC) MX25L1606E M2 (2 MB, SPI, 200mil 8-SOP).

Netfaster WLAN 3 flash chip

The Netfaster WLAN 3 PCB. The position of the flash chip is shown.

Implement the following connection between Bus Pirate and flash chip. The modem must be turned off.

bus_pirate-flash_connection

The Bus Pirate connected to the flash chip.

Bus Pirate pin Flash Chip pin
CS 1
MISO 2
3.3v 3
GND 4
MOSI 5
CLK 6
3.3v 7
3.3v 8

Now connect the Bus Pirate to your computer via USB.

With the connection in place, we are ready to write the image file to the flash. (Here is the image backup I created in that previous post).

Do not turn on the modem. If you do, flashrom won’t be able to write to the flash. Assuming the image backup is named fw.bin and that you have installed flashrom (sudo apt-get install flashrom on Ubuntu, else check http://flashrom.org/Downloads), open a command terminal and issue the following command:

$sudo flashrom -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -w fw.bin

This will start the process of writing fw.bin to the flash. You will get the following output:

flashrom v0.9.6.1-r1563 on Linux 3.13.0-37-generic (x86_64)
flashrom is free software, get the source code at http://www.flashrom.org

Calibrating delay loop... OK.
Found Macronix flash chip "MX25L1605" (2048 kB, SPI) on buspirate_spi.
Reading old flash chip contents... done.
Erasing and writing flash chip... Erase/write done.
Verifying flash... VERIFIED.          
$

The whole process lasts about 12 minutes, with the ‘Reading old flash contents‘ and ‘Verifying flash‘ stages taking the most time. Just be patient. Notice that flashrom v0.9.6.1 reports having found an MX25L1605 flash chip, even though the modem uses an MX25L1606E. This is ok.

Once the process is completed you can disconnect the Bus Pirate and boot the modem. You should be good to go!

One last note: when you attempt to run flashrom, you may get an error along the lines of:

Found Generic flash chip "unknown SPI chip (RDID)" (0 kB, SPI) on
buspirate_spi.
===
This flash part has status NOT WORKING for operations: PROBE READ ERASE
WRITE

In this case proceed as follows:

  1. Disconnect the Bus Pirate from the computer USB port (not from the modem).
  2. With the modem PSU connected, do a quick on/off of the modem. Turn it on, wait 2 seconds, turn it off.
  3. Disconnect the modem PSU.
  4. Again do a quick on/off without the PSU connected.
  5. Connect the modem PSU but do not turn on the modem.
  6. Lastly, connect the Bus Pirate via USB, and rerun flashrom.

flashrom should now be able to identify the modem’s flash chip properly.

(I admit that the above procedure seems a bit like voodoo to me, but it’s the only way I’ve found to make flashrom identify the chip. Anybody can explain what is going on behind the scenes?)

If you have any questions or if you spotted any errors or omissions, please leave me a comment.

A recent Naked Security post reports that D-Link’s DSL-2740R modem/router is vulnerable to DNS hijacking and traffic rerouting. According to the post, the vulnerability lies in the ZynOS firmware used by the device. ZynOS is a proprietary operating system made by ZyXEL.

The flaw apparently allows an attacker to access the device’s web interface without the need for authentication.

If an administration panel is exposed to the internet – and we strongly recommend that you don’t do this! – then outsiders may be able to access and reconfigure your device’s DNS setting from afar.

The author suggests that the popularity of ZynOS means that other D-Link devices might be vulnerable too, as well as devices manufactured by TP-Link, ZTE and of course, I might add, ZyXEL.

ComputerWorld, reporting on the same vulnerability, suggests that the flaw could be exploited by CSRF attacks, even if the device’s configuration panel is only accessible from the LAN.

DSL-2740R is a wireless ADSL2+ modem router that is not in production anymore; the latest firmware available on D-Link’s website is version 1.01b02, released almost two years ago, on 22-Feb-2013, for revision B devices.

You can find the Naked Security post here.

If you have any questions or if you spotted any errors or omissions, please leave me a comment.

The Netfaster WLAN 3 is an ADSL modem/router provided by greek ISP Hellas Online. Internally the device is identified as AR7505SW11 7-A-LIC and built around the following hardware:

Type Part Notes
CPU Lantiq PSB 50601 HL v1.2 133/266 MHz
Flash Macronix (MXIC) MX25L1606E M2 2 MB, SPI, 200mil 8-SOP
RAM Winbond W9812G6JH-6 16MB @ 166 MHz
Switch Lantiq PSB 6970V v1.3
WiFi Atheros AR9271-ALJA

The admin page of this modem will not give you the option to backup the firmware the device is running (you can only backup your configuration), and you won’t be able to find it anywhere on the internet either, which means that if you accidentally erase or in any way corrupt the firmware, you won’t have a clean, working version to restore. The purpose of this post is to show you how you can get this backup.

Serial Connection

To get the firmware backup we first need to connect to the modem’s serial port. To implement this connection you’ll need a USB-to-UART serial converter such as this one.

The modem board and the serial port are pictured below. (Note you will need to do a little soldering in order to use the serial port).

Netfaster WLAN 3 PCB

The Netfaster WLAN 3 PCB. The serial port pin positions are shown.

Assuming you have the USB-to-UART converter I mentioned above or similar, with the modem powered off, implement a straight connection between converter and serial port:

  • Converter GND to modem GND (pin 4)
  • Converter Rx to modem Rx (pin 3)
  • Converter Tx to modem Tx (pin 2)

Do not power on the modem yet. Launch your preferred terminal emulator (I’ll be using PuTTY in this post) and point it to the serial line (/dev/ttyUSB0 in my case). Set connection speed 115200, data bits 8, parity None, stop bits 1 (8N1) and open the connection.

PuTTY serial connection settings.

PuTTY serial connection settings.

Note: For PuTTY to be able to open /dev/ttyUSB0 on Ubuntu you need to run it as root. To do so, open a command terminal and enter gksudo putty & .

With the PuTTY connection opened power on the modem. You will receive the following output:

ROM VER: 1.2.0
CFG 04
EEPROM Data OK

=========================================================================
Wireless ADSL Gateway AMAZON_SE Loader 7505.03 build Sep 20 2010 11:36:23
                      Arcadyan Technology Corporation
=========================================================================
SPI FLASH
RDID: c22015

Copying boot params.....DONE

Press Space Bar 3 times to enter command mode ...

Immediately press spacebar 3 times. This will halt the boot process and take you to the bootloader prompt. At the bootloader prompt press ! to enter administrator mode.

Press Space Bar 3 times to enter command mode ...123
Yes, Enter command mode ...

[AMAZON_SE Boot]:!

Enter Administrator Mode !

Once you enter administrator mode close PuTTY but do not disconnect the modem from the converter. To perform the backup we will use a different program called ‘brntool’. You can download brntool from https://github.com/rvalles/brntool.

Performing the Backup

Before running brntool we need to make a few modifications to its code, so that it is compatible with this modem. Open brntool.py with a text editor and comment-out lines 22-23, 29-31 and 59-60 by inserting a ‘#’ at the beginning of each line. Conversely, uncomment line 58 and, optionally, change the value of bs to 2048 or to any other number you prefer, as long as it is less than 10000 (bs denotes the number of bytes the program will read at a time). In the screenshots below I’ve set bs to 2048.

code

code2

Comment-out lines 22-23, 29-31 and 59-60. Uncomment line 58 and, optionally, change bs to 2048.

With the changes detailed above completed, the modem at the administrative bootloader prompt and PuTTY closed, open a command terminal and run brntool by issuing the following command:

$sudo ./brntool.py --read=fw.bin --addr=0x0 --verbose --size=0x200000

If all has gone well you should see a series of dots appear as the firmware is being read. Each ‘.’ represents a successful read of ‘bs’ bytes. A ‘!’ means the read attempt failed, and the program will retry until the read succeeds. When reading is complete, the firmware will be saved as ‘fw.bin’. I recommend you perform a second backup and then compare the two backups to make sure no errors occurred (for example, in my case, the Rx pin had come loose after some point, and I only found out when I performed two successive backups and compared them; the loose Rx pin was distorting the output, so each new backup differed from the previous one).

For your reference I have uploaded my backup to http://1drv.ms/1uYcBn9 .

If you followed the instructions above you should now have a backup of the Netfaster WLAN 3 firmware. In my next post I’ll show you how to restore the firmware to the modem.

If you have any questions or if you spotted any errors or omissions, please leave me a comment.

A Team Cymru report published on Monday finds more than 300,000 SOHO routers hacked, having their DNS settings modified to point to DNS servers controlled by the attackers. The affected devices come from various manufacturers, including, but not limited to, D-Link, Micronet, Tenda and TP-Link.

The vast majority of the compromised routers (more than 160,000) is found in Vietnam; other locations with large infections include India, Italy, Thailand, Colombia, Bosnia and Herzegovina, Turkey, Ukraine, Serbia and Ecuador.

The exploit techniques used include Cross-Site Request Forgery (CSRF) for TP-Link devices and an authentication bypass vulnerability in devices running ZyXEL firmware (ZynOS). The routers exploited have their DNS settings point to ip addresses 5.45.75.11 and 5.45.75.36.

You can find the Team Cymru report here. There’s also a post by Ars Technica here.

If you have any questions or if you spotted any errors or omissions, please leave me a comment.