Netool Reverse Engineering

The netool is a network diagnostics device sold by Netool LLC. The hardware itself is a chinese openwrt router + power bank. If you dig through the FCC documents for it you can find references to a 'CLOUD WIFI' / 'TOBY' company that is selling these with OpenWRT on them. The netool company took this hardware and did a lot of software work on it in order to create the Phone Apps and API server that runs on the device itself.

The hardware is a Ralink RT5350 SoC with 32M of DRAM and a 128M SPI flash for storage. More info can be found on the DevWiki page.



As for getting into the netool its fairly simple. I started out trying to probe the 4 pins on the side of the device hoping they were attached to the serial interface of the SoC. Turns out the 4 pins actually go to the Battery Management Controller. I don't see any other test / probe pads so I went ahead and just dumped the SPI Flash with a buspirate. Digging through the flash dump with binwalk shows a uBoot bootloader with OpenWRT kernel and rootfs. After extracting all the squashfs/jffs2 dumps we can finally dig into the underlying Linux/OpenWRT.

Since none of the rootfs images or anything had security features enabled I could of just re-created the rootfs with a telnetd and init script but really didn't feel like waiting 30+ minutes for the buspirate to flash. So digging into the web API files in /www I notice some really heavy use of PHP $_GET directly being passed to exec() calls; oops! After getting a shell escape into the exec() call you can wget a p0wny-shell into the /www/ directory and have a web-based terminal to make things much easier.



Unfortunately the busybox bin shipped with the netool is fairly stripped down. No telnetd or even passwd; now we need to compile busybox with all our features we want. Using crosstool-ng with the mipsel-unknown-linux-gnu sample we can cross compile busybox for the 24KEC CPU type. You'll need to enable the 'Try features marked as EXPERIMENTAL' in the menuconfig, then you can change your C library to musl. The target options are just MIPS with 24kec architecture and soft fpu.

After getting our busybox with telnetd enabled we can drop it into the /bin directory and start it with login disabled  through our PHP shell. Now you have a nice telnet shell into the netool with bash completions and all.

If you don't want to teardown your netool to examine the firmware you can grab a firmware update from the netool website. http://www.netool.io/update/bin/netool_72_final.bin

Comments

Post a Comment

Popular posts from this blog

Removing Steam Link Bandwidth Limit

A reddit thread brought to my attention that there is a bandwidth limit on the steam link. I've finally figured out where the stream settings are saved and how to read / write them.You will also have to make one file called streaming_args.txt, I'll explain below. streaming_settings.bin  This config file has its maximum_bitrate_kbps set to 0. Which signifies no limit. streaming_settings_100000.bin  This config file has its maximum_bitrate_kbps set to 100,000 for 100mbps. To use these you can either scp them into your /mnt/config/system/ folder as streaming_settings.bin or you can put the file on a USB pendrive as /steamlink/config/system/streaming_settings.bin and reboot with the pendrive inserted. (Note: You need to hard 'reboot' un-plug and re-plug the power, you should see the steamlink on a blue background icon thing.) To see if it worked goto your Streaming settings and press Y to go into Advanced Settings. If it worked your Bandwidth Limit row will b
Read more

Root and SSH Access on the Steam Link

Alright this was a lot easier than I expected. Thanks Valve! After digging through the full 332 update zip I found that Valve left their developer init scripts in /etc/init.d/startup. Not sure if they did this intentionally or not but I like it. So first and foremost I was wrong about the Android AOSP thing, it looks like its just a custom linux and the android stuff I was seeing earlier was just from them using the android signing utility for their updates. Basically they use signapk on their zip files which leaves some android stuff in META-INF. So sorry about the false alarm there. As for enabling ssh on your Steam Link its very easy. All you need to do is get a pendrive and make this file in these folders: /steamlink/config/system/enable_ssh.txt (Note: the file must have some data in it, if enable_ssh.txt is empty it will not work) Then reboot the Steam Link with the pendrive inserted, after its done connecting to the network you can ssh into the Steam Link as root with the p
Read more

Arch Linux Chroot on Steam Link (Easy Setup)

Alright, this should be a much more user-friendly method of getting an Arch Linux chroot going on your steam link. But by doing it this way you're going to have to have some trust in me as we're going to be downloading and running a shell script that could potentially screw up your Steam Link. Its very un-likely though, more likely is losing important data on any storage devices you may have plugged into the Link. So first things first you're going to need a USB HDD or pendrive that you don't care about as all of the data on it needs to be wiped. After you're certain that this storage device has nothing important on it plug it into the steam link. Then you're going to need SSH access to your steam link, after you've SSH'd into your steam link do `busybox sh` to switch to a better shell with tab auto-completion. Now do `cd` to enter /home/steam/ then do `wget http://fgthou.se/steamlink/create-chroot-device.sh` to download my script that will automate t
Read more