Firebox Edge x55e

stephenw10
DD-WRT User


Joined: 25 Jun 2010
Posts: 53

Posted: Fri Oct 08, 2010 14:04
The 2X10 pin header at the front left of the board is almost certainly a standard arm jtag.
Pins 1 and 2 are 3.3V and pins 4,6,8,10,12,14,16,18 and 20 are gnd.
However I only have an unbuffered jtag cable that hasn't proved too good in the past so I can't test.

Steve
stephenw10
DD-WRT User


Joined: 25 Jun 2010
Posts: 53

Posted: Sun Oct 10, 2010 20:42
There is a page in the web interface:
http://box-ip/debug.htm
It isn't linked to from anywhere else in the GUI. On that page you can 'enable console on external serial port'. This seems to transfer the console messages from the internal 3.3V port to the rear RS232 port. However it doesn't start until some way through the boot up and it doesn't give shell access.

Does make you wonder if any other undocumented pages exist.

Steve
stephenw10
DD-WRT User


Joined: 25 Jun 2010
Posts: 53

Posted: Sat Oct 16, 2010 11:23
Another update.
I changed the firmware to WatchGuard's 10.2.12 to poke around in there.
They have an interesting feature on the debug.htm page in the newer firmware. You can list the contents of various files using links at the bottom of the page.
However it seems you can also list other files by crafting the url manually. E.g.

http://192.168.111.1/main.htm?mainFrame=debug.htm&file=/etc/passwd

Gives:
Code:

Listing file: /etc/passwd

admin::0:0:admin:/root:/bin/ash
bin::1:1:bin:/bin:
nobody::99:99:Nobody:/:
wgntp::98:98:OpenNTP daemon:/var/run/ntpd:
openvpn::97:97:OpenVPN daemon:/:


I haven't been able to view anything except /etc/ and I have to guess what files exist as no errors are shown. This seems like an oversight but it could be only a small set of files are allowed. Interesting anyway.

Steve
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17344
Location: Hesse/Germany

Posted: Sat Oct 16, 2010 13:10
The main problem is that we don't have RedBoot access. The rest is something we could handle for sure, but without being able to flash via RedBoot there is no chance for DD-WRT right now. We have to change the fis settings to get DD-WRT running.
_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search
_________________
I'm NOT rude, just offer pure facts!
_________________
Atheros (TP-Link & Clones, etc ) debrick service in EU
_________________
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
_________________
Andreas Baumert: "Knowledgeable people consult experts without getting on their nerves. They do not ask questions that they could answer themselves with a little diligence and reading. They know which sources matter and how to gain access to them."
stephenw10
DD-WRT User


Joined: 25 Jun 2010
Posts: 53

Posted: Sun Oct 17, 2010 16:28
Sash, did you receive your box in the end then?

Do you know where Redboot stores the password? Would it be possible to extract it using jtag?

I suspect that Redboot on the Watchguard may be using RBL with the 'suppress_redboot' option since there is no output and it appears quite large.

http://www.ecoscentric.com/ecospro/doc.cgi/html/ecospro-ref/rbl.html

Steve
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17344
Location: Hesse/Germany

Posted: Sun Oct 17, 2010 21:13
Yes, I have the unit under my desk.

for reference:
https://forum.openwrt.org/viewtopic.php?id=14106

stephenw10
DD-WRT User


Joined: 25 Jun 2010
Posts: 53

Posted: Sun Oct 24, 2010 15:17
Any thoughts on recovering the password using jtag?

This is the second time I've found myself in need of a proper jtag cable and I don't mind spending some money but the situation is confusing. The more I read the more I find out how little I know!

Most of the useful jtag info is related to Broadcom mips routers. There's a lot of distracting stuff relating to cable boxes and xboxes. My current understanding is that I should use Urjtag and one of its supported cables such as the Olimex ARM USB.

If I buy the Olimex ARM-USB-OCD then I at least end up with a USB serial adapter even if it doesn't work!

Comments?

Steve
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17344
Location: Hesse/Germany

Posted: Fri Oct 29, 2010 10:03
I'm not that good in RedBoot, but if the pw isn't encrypted it can be got out of the file... but it wouldn't be easy to find...
stephenw10
DD-WRT User


Joined: 25 Jun 2010
Posts: 53

Posted: Mon Nov 01, 2010 0:29
After playing around for a long time and trying many combinations I have successfully (for the first time!) made a jtag connection that works!
I used the simple unbuffered cable described in many places that mimics the 'wiggler'. See here. Despite saying that it doesn't work on that page, it does, sort of. Only after reading this page did I get it running.
I used 80Ohm resistors in the lines and a 100Ohm (because I'd run out of 80!) to pull nTRST high.
Using URJTAG I am now able to detect the processor and the 1MB flash chip so theoretically could write a proper Redboot and take it from there.

However I'm stuck. I first tried to backup the complete flash chip. It takes ages (45mins) but not too bad for 1MB. I wouldn't want to try the 64MB chip at that speed! All seemed to go OK but the resulting file is just a repeating pattern. I have no way of knowing what the memory mapping is on the board but from my research it seems it can only be at 0x0 or 0x50000000 on an IXP425. I tried both as well as some other random sampling and I just get the same repeating pattern. I have no experience with JTAG, any ideas anyone?

Steve
stephenw10
DD-WRT User


Joined: 25 Jun 2010
Posts: 53

Posted: Sat Nov 20, 2010 13:27
I seem to be at a dead end or at least the limit of my skills!
After trying several pieces of software and a few different jtag cables I'm just getting the same result. The more I read up on JTAG the more I realise how little I know. I need someone who has experience with JTAG on X scale hardware to outline the correct way to go about this.

Steve


Last edited by stephenw10 on Sat Feb 05, 2011 17:43; edited 1 time in total
scrat78
DD-WRT Novice


Joined: 21 Nov 2009
Posts: 4

Posted: Tue Feb 01, 2011 8:52
stephenw10 wrote:
Another update.
I changed the firmware to WatchGuard's 10.2.12 to poke around in there.
They have an interesting feature on the debug.htm page in the newer firmware. You can list the contents of various files using links at the bottom of the page.
However it seems you can also list other files by crafting the url manually. E.g.

http://192.168.111.1/main.htm?mainFrame=debug.htm&file=/etc/passwd

Gives:
Code:

Listing file: /etc/passwd

admin::0:0:admin:/root:/bin/ash
bin::1:1:bin:/bin:
nobody::99:99:Nobody:/:
wgntp::98:98:OpenNTP daemon:/var/run/ntpd:
openvpn::97:97:OpenVPN daemon:/:


I haven't been able to view anything except /etc/ and I have to guess what files exist as no errors are shown. This seems like an oversight but it could be only a small set of files are allowed. Interesting anyway.

Steve


Found some interesting things poking around with debug.htm. You can list devices such as the flash memory with the file command.
Code:

Available devices:
/dev/wgrd.boot
/dev/wgrd.bootcfg
/dev/wgrd.cfg0
/dev/wgrd.cfg1
/dev/wgrd.mfg
/dev/wgrd.sysa_kernel
/dev/wgrd.sysa_code
/dev/wgrd.sysa_data
/dev/wgrd.sysb_kernel
/dev/wgrd.sysb_code


I didn't find anything useful though but what I missed someone else might find.

/Andreas
stephenw10
DD-WRT User


Joined: 25 Jun 2010
Posts: 53

Posted: Sat Feb 05, 2011 17:39
Hmm, interesting.
At least I'm not the only one trying things.

Steve
scrat78
DD-WRT Novice


Joined: 21 Nov 2009
Posts: 4

Posted: Mon Feb 07, 2011 15:12
I've found a bug in WG system. You can download the flash partitions with ftp.

Log in to the wg with ftp and admin user/password. The ftp root lives in /tmp/ftp_root but is not chrooted. You can download any file with get and an absolute path.

I've downloaded the RedBoot partition with "get /dev/wgrd.boot".

I've attached a zip file with the RedBoot partition for those interested.

When looking in the file I've found a suspected password hash. I've no idea how to crack it.

The suspected password hash is "F5BA25AB44724fb5A6DD37554809CE34".

Andreas
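
Both the debug.htm `file` parameter and the non-chrooted FTP root described in this thread accept a client-supplied path without confining it to the directory being served. The following C function is an added example, not code from the thread or from WatchGuard's firmware, showing the confinement check such a handler needs; `confine_path` and the use of `/etc` as a stand-in served directory are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Resolve `request` beneath `root`; write the canonical path to `out`.
 * Returns 0 when the result stays inside root, -1 otherwise.
 * A leading '/' is interpreted relative to root, as a chrooted server
 * would see it, so "/dev/null" means "<root>/dev/null". */
int confine_path(const char *root, const char *request,
                 char *out, size_t outlen)
{
    char root_real[PATH_MAX], joined[PATH_MAX], resolved[PATH_MAX];

    if (realpath(root, root_real) == NULL)
        return -1;
    int n = snprintf(joined, sizeof joined, "%s/%s", root_real, request);
    if (n < 0 || (size_t)n >= sizeof joined)
        return -1;
    /* realpath() collapses "..", "." and symlinks before the check;
     * it fails for files that do not exist, which is treated as a denial. */
    if (realpath(joined, resolved) == NULL)
        return -1;

    size_t rlen = strlen(root_real);
    /* The prefix must end on a path boundary: /srv/ftp2 is not in /srv/ftp. */
    if (rlen > 1 && (strncmp(resolved, root_real, rlen) != 0 ||
                     (resolved[rlen] != '/' && resolved[rlen] != '\0')))
        return -1;
    if (strlen(resolved) >= outlen)
        return -1;
    strcpy(out, resolved);
    return 0;
}

int main(void)
{
    /* Constructed requests; /etc stands in for the served directory. */
    const char *reqs[] = { "passwd", "../dev/null", "/dev/null" };
    char buf[PATH_MAX];
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("%-12s -> %s\n", reqs[i],
               confine_path("/etc", reqs[i], buf, sizeof buf) == 0 ? buf : "DENIED");
    return 0;
}
```

The handler should open the path written to `out`, not the original request string, and a server that can call `chroot()` into its root before serving gets the same confinement enforced by the kernel.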
scrat78
DD-WRT Novice


Joined: 21 Nov 2009
Posts: 4

Posted: Tue Feb 08, 2011 12:04
scrat78 wrote:
I've found a bug in WG system. You can download the flash partitions with ftp.

Log in to the wg with ftp and admin user/password. The ftp root lives in /tmp/ftp_root but is not chrooted. You can download any file with get and an absolute path.

I've downloaded the RedBoot partition with "get /dev/wgrd.boot".

I've attached a zip file with the RedBoot partition for those interested.

When looking in the file I've found a suspected password hash. I've no idea how to crack it.

The suspected password hash is "F5BA25AB44724fb5A6DD37554809CE34".

Andreas


LOL. "F5BA25AB44724fb5A6DD37554809CE34" is the password. I have RedBoot access!!!

What should I do next?

Andreas
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17344
Location: Hesse/Germany

Posted: Tue Feb 08, 2011 12:58
what redboot version?
Code:
fis list
