livebox:commandlineaccess

Differences

livebox:commandlineaccess [2012/04/27 13:39] – [Livebox Command line Access] brett
livebox:commandlineaccess [2013/09/11 18:29] (current) – [via the Serial Port] minerva9
Line 1: Line 1:
 ====== Livebox Command line Access ====== ====== Livebox Command line Access ======
  
-<box ground green>At this point you have downgraded your livebox to firmware 5.04 and its on your network with an IP of 192.168.1.1 what we need to do next is exploit a bug in its webserver so we can get to the command line.</box>+<box ground green>At this point you have downgraded your Livebox to firmware 5.04 and it'on your network with an IP of 192.168.1.1 what we need to do next is exploit a bug in its webserver so we can get to the command line.</box>
  
 +<note warning>If the IP address 192.168.1.1 collides with an existing piece of equipment on your network it's advisable to cable from your development computer directly to the Livebox, otherwise you are going to have all sort of problems with this phase.
 +</note>
 The Inventel Livebox box has a root password that isn't known, so how can you get to a shell prompt? The Inventel Livebox box has a root password that isn't known, so how can you get to a shell prompt?
  
 There are two methods to breaking into your livebox There are two methods to breaking into your livebox
-  * [[#via_the_Serial_Port|serial access]] (less steps)+  * [[#via_the_Serial_Port|serial access]] (fewer steps)
   * [[#with_telnet|telnet]] (more steps)   * [[#with_telnet|telnet]] (more steps)
  
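Review bot: the new green box text introduces a typo, "it'on your network" should read "it's on your network" (the old "its on" was also wrong, so the revision trades one error for another). The added warning about 192.168.1.1 colliding with existing equipment is a useful prerequisite; the fix it recommends (cabling the development machine directly to the Livebox) is worth repeating in the telnet section, since that method depends on the same address.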
Line 33: Line 35:
  
   - an MMJ to RJ11 cable   - an MMJ to RJ11 cable
-  - a PCB that holds the Max3232 device & has RJ11 and RJ45 connectors+  - a PCB that holds the Max3232cpe device & has RJ11 and RJ45 connectors, caps & diodes
   - an original Cisco console cable (worth £5 alone) RJ45 to DB9   - an original Cisco console cable (worth £5 alone) RJ45 to DB9
  
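Review bot: the revised parts line now names the Max3232cpe and adds "caps & diodes", which is consistent with the later paragraph stating that a plain MAX232 does not work at the Livebox's 3.3V levels; listing the capacitor values and what the diodes are for would make the parts list buildable without reverse-engineering the photos.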
Line 39: Line 41:
 Be sure not to allow the PCB to touch metal objects - 5VDC is present on the PCB. Be sure not to allow the PCB to touch metal objects - 5VDC is present on the PCB.
  
-{{:livebox:livebox_console_pcb.jpg|Livebox Console Board }} {{:livebox:livebox_console_serial_brd.jpg?306|Livebox Console Serial PCB}}+ 
 +{{:livebox:p1000649.jpg?200}} {{:livebox:p1000650.jpg?200}} {{:livebox:livebox_console_serial_brd.jpg?200|Livebox Console Serial PCB}} 
  
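Review bot: the replacement image line drops the caption of the first board photo (livebox_console_pcb.jpg carried "Livebox Console Board") and the two new p1000649/p1000650 images have no caption at all, so the 5VDC warning just above no longer points at an identifiable board; add a short caption to each.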
 ===== via the Serial Port ===== ===== via the Serial Port =====
Line 46: Line 50:
 </note> </note>
  
-{{:livebox:cimg1759.jpg?320 }} Making an RS232 adaptor. Crimped up a RJ11 6P6C onto a piece of cat5 cable. Repurposed a PCB which has a Max232 onboard to do the hookup. N.B. The chip needed for this convertor is the MAX3232 - this works at 3.3V (costs rather more than a MAX232 - tried a MAX232, it doesn't work). Turns out that the serial port socket on the Livebox isn't a 'standard' RJ11 connector - it is a MMJ connector with the retaining clip offset from the centre of the socket - a standard RJ11 needs to have its clip cut off to allow the connector to enter. This gives 'reduced' insertion force, but there is a slight resistance - just enough to keep the connector in place. +{{:livebox:cimg1759.jpg?320 }} Making an RS232 adaptor. Crimped up a RJ11 6P6C onto a piece of cat5 cable. Repurposed a PCB which has a Max232 onboard to do the hookup. N.B. The chip needed for this convertor is the MAX3232 - this works at 3.3V (costs rather more than a MAX232 - tried a MAX232, it doesn't work). Turns out that the serial port socket on the Livebox isn't a 'standard' RJ11 connector - it is a MMJ connector with the retaining clip offset from the centre of the socket - a standard RJ11 needs to have its clip cut off to allow the connector to enter. This gives 'reduced' insertion force, but there is a slight resistance - just enough to keep the connector in place - not great for permanent setups.
  
 {{http://farm4.static.flickr.com/3070/2786661562_8513d3cb3b_m.jpg}} {{http://farm4.static.flickr.com/3070/2786661562_8513d3cb3b_m.jpg}}
  
 On the PCB, there are solder pads for an RJ11 style socket - but no socket is populated on the board. It was hoped that this might expose a second serial port, but this is not the case.  On the PCB, there are solder pads for an RJ11 style socket - but no socket is populated on the board. It was hoped that this might expose a second serial port, but this is not the case. 
-  * http://www.agp.dsl.pipex.com/schematic.html+  * http://andyp.dyndns.info/livebox/livebox_schematic.html
  
 When connected at 115200 Baud, No Parity , 8 Data Bits , 1 Stop Bit we are presented with a Login prompt.  w00t!  But we are asked for a root password.  Doh! When connected at 115200 Baud, No Parity , 8 Data Bits , 1 Stop Bit we are presented with a Login prompt.  w00t!  But we are asked for a root password.  Doh!
  
 So now getting in is going to be so much easier.  Just change the Livebox Name (in browser UI menu Configuration→Advanced→Wireless) to each of the following in sequence:  This works with UK firmware: 5.04.3.  We only have 32 characters to play with in the wireless name so it must be entered as seen. So now getting in is going to be so much easier.  Just change the Livebox Name (in browser UI menu Configuration→Advanced→Wireless) to each of the following in sequence:  This works with UK firmware: 5.04.3.  We only have 32 characters to play with in the wireless name so it must be entered as seen.
 +
 +First change the livebox hostname to what is below and Save.
 <code> <code>
 ;echo root::0:0:::/bin/sh>/tmp/x ;echo root::0:0:::/bin/sh>/tmp/x
 +</code>
 +Then change the livebox hostname to what is below and Save.
 +<code>
 ;cp /tmp/x /etc/passwd ;cp /tmp/x /etc/passwd
 </code> </code>
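Review bot: splitting the two hostname values into separate code blocks with an explicit Save between them is the right fix, because each Save is what causes the injected command to run. The text should also say why the passwd entry goes via /tmp/x: the first value is exactly 32 characters, so the direct form writing to /etc/passwd would not fit the limit the paragraph mentions. Two caveats worth stating in the page: the resulting /etc/passwd gives root an empty password, so the box should stay cabled directly to the development PC (as the new warning note advises) until the work is finished; and the schematic link now points at andyp.dyndns.info instead of the pipex URL, so confirm it still resolves.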
Line 85: Line 94:
   port: 23; login program: /bin/sh   port: 23; login program: /bin/sh
 # #
 +</code>
 +
 +Of course once I'm in via the serial port I don't need to even bother with setting up a TELNETD server I could just cut straight to the chase and fetch the new RedBoot loader and flash it.
 +<code>
 +# cd /tmp
 +# wget ftp://192.168.1.12/redboot_blueg5.6-patched
 +# fcp -v redboot_blueg5.6-patched /dev/mtd0
 </code> </code>
  
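Review bot: the added `fcp -v redboot_blueg5.6-patched /dev/mtd0` writes the bootloader partition directly and the hunk gives no way to confirm the download before flashing; suggest a size or checksum check of the fetched file between the wget and the fcp, and a sentence saying that 192.168.1.12 is assumed to be the development PC running an FTP server, since nothing in this section sets that up.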
Line 105: Line 121:
 {{:livebox:inventel2.jpg}} {{:livebox:inventel2.jpg}}
  
-4. Download {{:livebox:etc.tar|}} into the FTP area on your PC and rename this file as **u**+4. Download {{:livebox:etc.tar|}} into the FTP area on your PC and rename this file as **u**.  We do this because we only have a limited number of characters available to us in the field we are using for the backdoor hack.
  
 For info, here is what the tarfile contains: For info, here is what the tarfile contains:
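Review bot: the added explanation for renaming etc.tar to **u** would be clearer if it named the concrete constraint, the 32-character wireless-name limit given in the serial section, rather than "a limited number of characters".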
Line 165: Line 181:
 # #
 </code> </code>
 +
 +If you find that you cannot access the Livebox via telnet, try unplugging/re-plugging power to the unit at this stage. Then re-try the telnet connection.
  
 **At this point, if you are working towards loading the HAH firmware, just skip to [[http://www.dbzoo.com/livebox/buildingfirmware#replacing_the_redboot_loader|here]] to find out how to replace the RedBoot loader. **At this point, if you are working towards loading the HAH firmware, just skip to [[http://www.dbzoo.com/livebox/buildingfirmware#replacing_the_redboot_loader|here]] to find out how to replace the RedBoot loader.
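Review bot: the new troubleshooting sentence should say what the power cycle is expected to fix, otherwise the reader cannot tell whether a refused telnet connection means the change did not apply or merely that the services need restarting; one clause along those lines would make the step actionable.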
  • livebox/commandlineaccess.1335533975.txt.gz
  • Last modified: 2012/04/27 13:39
  • by brett