Netool Reverse Engineering
The netool is a network diagnostics device sold by Netool LLC. The hardware itself is a Chinese OpenWRT router + power bank. If you dig through the FCC documents for it you can find references to a 'CLOUD WIFI' / 'TOBY' company that is selling these with OpenWRT on them. The netool company took this hardware and did a lot of software work on it in order to create the phone apps and the API server that runs on the device itself.
The hardware is a Ralink RT5350 SoC with 32M of DRAM and a 128M SPI flash for storage. More info can be found on the DevWiki page.
As for getting into the netool it's fairly simple. I started out trying to probe the 4 pins on the side of the device hoping they were attached to the serial interface of the SoC. Turns out the 4 pins actually go to the Battery Management Controller. I don't see any other test / probe pads so I went ahead and just dumped the SPI flash with a Bus Pirate. Digging through the flash dump with binwalk shows a U-Boot bootloader with an OpenWRT kernel and rootfs. After extracting all the squashfs/jffs2 dumps we can finally dig into the underlying Linux/OpenWRT.
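The binwalk step above works by scanning the dump for the header magics of known containers. As an added example (my code, not the author's or netool's), here is a small Python scanner that does the same for the three things the post names in the dump: a U-Boot uImage header, a squashfs superblock and the first JFFS2 node. It runs against a constructed dump built inline; the offsets, image name and sizes in that sample are made up and are not the netool's real flash layout.

```python
import struct

# Header layouts from the public U-Boot, squashfs and JFFS2 format definitions.
UIMAGE_MAGIC = b"\x27\x05\x19\x56"          # U-Boot legacy image header, big-endian
UIMAGE_HDR = struct.Struct(">7I4B32s")       # 64-byte header; field 3 = payload size
SQUASHFS_MAGIC_LE = b"hsqs"                  # little-endian squashfs superblock (MIPSel)
SQUASHFS_SB = struct.Struct("<5I6HQQ")       # first 48 bytes of the superblock
JFFS2_MAGIC_LE = b"\x85\x19"                 # node magic 0x1985 as stored on a LE target
JFFS2_NODETYPES = {0x2003: "cleanmarker", 0xE001: "dirent", 0xE002: "inode"}


def scan_flash(image: bytes):
    """Return sorted (offset, description) pairs for each container header in a raw dump."""
    found = []

    # U-Boot uImage headers: the size field says how long the compressed kernel payload is.
    pos = 0
    while (off := image.find(UIMAGE_MAGIC, pos)) != -1:
        if off + UIMAGE_HDR.size <= len(image):
            hdr = UIMAGE_HDR.unpack_from(image, off)
            name = hdr[11].split(b"\0", 1)[0].decode("ascii", "replace")
            found.append((off, f"uImage '{name}', payload {hdr[3]} bytes"))
        pos = off + 1

    # squashfs superblocks: bytes_used is the filesystem length, so the next
    # partition normally starts at the next erase-block boundary after it.
    pos = 0
    while (off := image.find(SQUASHFS_MAGIC_LE, pos)) != -1:
        if off + SQUASHFS_SB.size <= len(image):
            sb = SQUASHFS_SB.unpack_from(image, off)
            found.append((off, f"squashfs v{sb[9]}.{sb[10]}, {sb[12]} bytes used"))
        pos = off + 1

    # JFFS2 has no superblock; the partition begins at its first valid node header.
    # Require 4-byte alignment and a known node type to avoid random 0x1985 hits.
    pos = 0
    while (off := image.find(JFFS2_MAGIC_LE, pos)) != -1:
        if off % 4 == 0 and off + 12 <= len(image):
            nodetype = struct.unpack_from("<H", image, off + 2)[0]
            if nodetype in JFFS2_NODETYPES:
                found.append((off, f"jffs2 (first node: {JFFS2_NODETYPES[nodetype]})"))
                break
        pos = off + 1

    return sorted(found)


def build_sample_dump() -> bytes:
    """Constructed stand-in for a flash dump; NOT the netool's real flash contents."""
    kernel = b"\x00" * 256                                          # fake kernel payload
    uimage = UIMAGE_HDR.pack(0x27051956, 0, 0, len(kernel), 0x80000000, 0x80000000, 0,
                             5, 5, 2, 1, b"Linux Kernel Image")    # os=Linux, arch=MIPS
    squashfs = SQUASHFS_SB.pack(0x73717368, 0, 0, 131072, 0,        # magic 'hsqs', 128K blocks
                                1, 17, 0, 1, 4, 0,                  # gzip, v4.0
                                0, 4096)                            # root inode, bytes_used
    squashfs += b"\x00" * (4096 - SQUASHFS_SB.size)
    jffs2 = struct.pack("<HHII", 0x1985, 0x2003, 12, 0)             # cleanmarker node
    image = bytearray(b"\x00" * 0x50000)                            # bootloader/config area
    image += uimage + kernel + squashfs                             # "firmware" partition
    image += b"\x00" * (0x100000 - len(image))                      # pad to the 1 MiB mark
    image += jffs2 + b"\x00" * 0x10000                              # overlay partition
    return bytes(image)


if __name__ == "__main__":
    for off, desc in scan_flash(build_sample_dump()):
        print(f"0x{off:08x}  {desc}")
```

On a real dump the interesting check is the gap between the squashfs `bytes_used` and the start of the JFFS2 partition: that is the read-write overlay where an init script or an added binary would live, which is why the rootfs was worth pulling apart before trusting the device on a network.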
Since none of the rootfs images or anything had security features enabled I could have just re-created the rootfs with a telnetd and init script but really didn't feel like waiting 30+ minutes for the Bus Pirate to flash. So digging into the web API files in /www I notice some really heavy use of PHP $_GET directly being passed to exec() calls; oops! After getting a shell escape into the exec() call you can wget a p0wny-shell into the /www/ directory and have a web-based terminal to make things much easier.
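The pattern above, request parameters flowing straight into exec(), is worth checking across the whole extracted /www rather than by reading one file at a time. As an added example (not code from the post or from netool), here is a Python audit script that flags PHP shell-execution sinks whose argument text references a request superglobal, run over a constructed PHP sample; the file name `api.php` and the sample code are made up.

```python
import os
import re

# Shell-execution sinks in PHP and the request superglobals that reach them.
SINKS = ("exec", "system", "shell_exec", "passthru", "popen", "proc_open")
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(")
SOURCE_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b")
SANITIZER_RE = re.compile(r"\bescapeshellarg\s*\(")


def _call_argument(src: str, open_paren: int) -> str:
    """Text between a call's parentheses, honouring nesting; open_paren indexes the '('."""
    depth = 0
    for i in range(open_paren, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
    return src[open_paren + 1:]          # unbalanced source: take the rest of the file


def audit_php(src: str, filename: str = "<inline>"):
    """Flag every shell sink whose argument text references a request superglobal."""
    findings = []
    for m in SINK_RE.finditer(src):
        arg = _call_argument(src, m.end() - 1)
        if not SOURCE_RE.search(arg):
            continue
        line = src.count("\n", 0, m.start()) + 1
        # escapeshellarg() inside the argument lowers but does not remove the risk:
        # the value is still attacker-chosen and the command still goes through a shell.
        severity = "medium" if SANITIZER_RE.search(arg) else "high"
        findings.append({"file": filename, "line": line, "sink": m.group(1),
                         "severity": severity, "snippet": " ".join(arg.split())})
    return findings


def audit_tree(root: str):
    """Run audit_php over every .php file under root (e.g. an extracted /www)."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results.extend(audit_php(fh.read(), path))
    return results


# Constructed sample; this is not the netool's real /www code.
SAMPLE_PHP = "\n".join([
    "<?php",                                                      # 1
    "$host = $_GET['host'];",                                     # 2
    "exec('ping -c 4 ' . $_GET['host'], $out);",                  # 3  direct, unescaped
    "system('ifconfig ' . escapeshellarg($_GET['iface']));",      # 4  escaped, still review
    "$up = exec('uptime');",                                      # 5  no request data
    "echo shell_exec('nslookup ' . $_POST['name']);",             # 6  direct, unescaped
    "passthru('arp -a ' . $host);",                               # 7  flows via $host: missed
])

if __name__ == "__main__":
    for f in audit_php(SAMPLE_PHP, "api.php"):
        print(f"{f['file']}:{f['line']} [{f['severity']}] {f['sink']}({f['snippet']})")
```

The check is deliberately line-local, so sample line 7, where the parameter is copied into `$host` first, is not reported; a real review of the tree needs taint tracking or a grep for those intermediate variables as well. The fix on the device side is the usual one: validate each parameter against an allowlist (an interface name, an IPv4 address) before it goes anywhere near a shell, and prefer calling the tool with a fixed argument vector over building a command string.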
Unfortunately the busybox binary shipped with the netool is fairly stripped down. No telnetd or even passwd; now we need to compile busybox with all the features we want. Using crosstool-ng with the mipsel-unknown-linux-gnu sample we can cross compile busybox for the 24KEc CPU type. You'll need to enable 'Try features marked as EXPERIMENTAL' in the menuconfig, then you can change your C library to musl. The target options are just MIPS with the 24KEc architecture and soft FPU.
After getting our busybox with telnetd enabled we can drop it into the /bin directory and start it with login disabled through our PHP shell. Now you have a nice telnet shell into the netool with bash completions and all.
If you don't want to tear down your netool to examine the firmware you can grab a firmware update from the netool website: http://www.netool.io/update/bin/netool_72_final.bin