The 2x10 pin header at the front left of the board is almost certainly a standard ARM JTAG.
Pins 1 and 2 are 3.3V and pins 4, 6, 8, 10, 12, 14, 16, 18 and 20 are GND.
However I only have an unbuffered jtag cable that hasn't proved too good in the past so I can't test.
There is a page in the web interface:
http://box-ip/debug.htm
It isn't linked to from anywhere else in the GUI. On that page you can 'enable console on external serial port'. This seems to transfer the console messages from the internal 3.3V port to the rear RS232 port. However it doesn't start until some way through the boot up and it doesn't give shell access.
Does make you wonder if any other undocumented pages exist.
The main problem is that we don't have RedBoot access. The rest is something we could handle for sure, but without being able to flash via RedBoot there is no chance for DD-WRT right now. We have to change the FIS settings to get DD-WRT running.
_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Its not that hard to throw some buzzwords into the WIKI search
_________________
I'm NOT rude, just offer pure facts!
_________________
TP-Link (Atheros) debrick service in EU
Any thoughts on recovering the password using jtag?
This is the second time I've found myself in need of a proper JTAG cable and I don't mind spending some money but the situation is confusing. The more I read the more I find out how little I know!
Most of the useful JTAG info is related to Broadcom MIPS routers. There's a lot of distracting stuff relating to cable boxes and Xboxes. My current understanding is that I should use UrJTAG and one of its supported cables such as the Olimex ARM USB.
If I buy the Olimex ARM-USB-OCD then I at least end up with a USB serial adapter even if it doesn't work!
I'm not that good with RedBoot, but if the pw isn't encrypted it can be got out of the file... but it wouldn't be easy to find...
After playing around for a long time and trying many combinations I have successfully (for the first time!) made a jtag connection that works!
I used the simple unbuffered cable described in many places that mimics the 'wiggler'. See here. Despite saying that it doesn't work on that page, it does, sort of. Only after reading this page did I get it running.
I used 80Ohm resistors in the lines and a 100Ohm (because I'd run out of 80!) to pull nTRST high.
Using URJTAG I am now able to detect the processor and the 1MB flash chip so theoretically could write a proper Redboot and take it from there.
However I'm stuck. I first tried to backup the complete flash chip. It takes ages (45mins) but not too bad for 1MB. I wouldn't want to try the 64MB chip at that speed! All seemed to go OK but the resulting file is just a repeating pattern. I have no way of knowing what the memory mapping is on the board but from my research it seems it can only be at 0x0 or 0x50000000 on an IXP425. I tried both as well as some other random sampling and I just get the same repeating pattern. I have no experience with JTAG, any ideas anyone?
I seem to be at a dead end or at least the limit of my skills!
After trying several pieces of software and a few different JTAG cables I'm just getting the same result. The more I read up on JTAG the more I realise how little I know. I need someone who has experience with JTAG on XScale hardware to outline the correct way to go about this.
Steve
Last edited by stephenw10 on Sat Feb 05, 2011 17:43; edited 1 time in total
Another update.
I changed the firmware to WatchGuard's 10.2.12 to poke around in there.
They have an interesting feature on the debug.htm page in the newer firmware. You can list the contents of various files using links at the bottom of the page.
However it seems you can also list other files by crafting the url manually. E.g.
I haven't been able to view anything except /etc/ and I have to guess what files exist as no errors are shown. This seems like an oversight but it could be only a small set of files are allowed. Interesting anyway.
Steve
Found some interesting things poking around with debug.htm. You can list devices such as the flash memory with the file command.
I've found a bug in WG system. You can download the flash partitions with ftp.
Log in to the wg with ftp and admin user/password. The ftp root lives in /tmp/ftp_root but is not chrooted. You can download any file with get and an absolute path.
I've downloaded the RedBoot partition with "get /dev/wgrd.boot".
I've attached a zip file with the RedBoot partition for those interested.
When looking in the file I've found a suspected password hash. I've no idea how to crack it.
The suspected password hash is "F5BA25AB44724fb5A6DD37554809CE34".
Andreas
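The behaviour reported in the post above comes down to a missing confinement check: a client-supplied absolute path is handed to the filesystem instead of being resolved inside the FTP root. The following is an added example, not WatchGuard's code and not from this thread, of the check a file server needs before serving a `get`; the function names are hypothetical and the temporary directory stands in for `/tmp/ftp_root`.

```python
import os
import stat
import tempfile

class PathRejected(Exception):
    """Raised when a requested path must not be served."""

def resolve_in_root(root, requested):
    """Map a client-supplied path to a real file inside root, or raise."""
    root_real = os.path.realpath(root)
    # Strip leading slashes so "/dev/wgrd.boot" is looked up under the
    # root (a virtual chroot) rather than in the system's /dev.
    candidate = os.path.join(root_real, requested.lstrip("/"))
    # realpath collapses ".." and follows symlinks before the comparison.
    real = os.path.realpath(candidate)
    if os.path.commonpath([root_real, real]) != root_real:
        raise PathRejected("escapes root: %r" % requested)
    if not os.path.exists(real):
        raise PathRejected("no such file: %r" % requested)
    # Serve regular files only: no directories, device nodes or FIFOs.
    if not stat.S_ISREG(os.stat(real).st_mode):
        raise PathRejected("not a regular file: %r" % requested)
    return real

def demo():
    """Run the check against a constructed root and return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "ftp_root")  # stands in for /tmp/ftp_root
        os.mkdir(root)
        os.mkdir(os.path.join(root, "incoming"))
        with open(os.path.join(root, "support.log"), "w") as fh:
            fh.write("constructed sample\n")
        os.symlink("/etc", os.path.join(root, "etc_link"))
        for req in ("support.log", "/support.log", "/dev/wgrd.boot",
                    "../../etc/passwd", "etc_link/passwd", "incoming"):
            try:
                resolve_in_root(root, req)
                results[req] = "served"
            except PathRejected:
                results[req] = "rejected"
    return results

if __name__ == "__main__":
    for req, outcome in demo().items():
        print("%-20s %s" % (req, outcome))
```

Checking the path and then opening it is still racy if an untrusted user can write inside the root; a production server would verify the opened descriptor or run the FTP process in a real chroot with no device nodes.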
LOL. "F5BA25AB44724fb5A6DD37554809CE34" is the password. I have RedBoot access!!!