This repository contains the results of my reverse engineering of the firmwareof the Swisscom Centro Grande ADSL box. I will probably do a blog post with allthose notes. But for that I need a blog.
Fortunately for me, the firmware updates are quite easy to find on the web. To download it simply run the following command (Bluewin is the.
Note: I am by no mean a Linux wizard, so I might miss interesting stuff, andsay wrong things. If you think something should be added / changed, feel free toopen an issue / make a pull request.
After a bit of googling, I found the download URL for a version of the firmware :
First of all, what's in the box ?
We can see in the output that there is a gzipped file which was called'vmlinux.bin'. Interesting. Let's extract this file :
Once again, binwalk is our friend, let's run it against vmlinux.bin :
So in order we have :
- A linux kernel image which is slightly old. I did not use the latestversion of the firmware, which might explain this.
- Some copyright strings, which, after a bit of Googling around seems to bethe copyright string of the deflate program of zlib. Nice.
- Some LZMA data, I have yet to undertand what they are.
- Some gzip'd data which was modified just before the linux kernel.
- Two CramFS file systems. CramFS is a filesystem designed to be embedded onflash / ROM. It is read only and can use LZMA compression to gain somespace.
![Swisscom Centro Grande Firmware Update Swisscom Centro Grande Firmware Update](https://rcp.scsstatic.ch/de/privatkunden/hilfe/geraet/internet-router/_jcr_content/stage/backgroundImage.stagebgimage.large.jpg/1478778395782.jpg)
Let's extract the file systems. For this we will need the size of the variousparts, which we can calculate by taking the diff between the start adress andthe end adress (the start of next element).
We can still run binwalk against cramfs1 and cramfs2 to check that weextracted exactly what we wanted.
For this part we will use some utilities from the firmware mod kit project :https://code.google.com/p/firmware-mod-kit/
First of all let's compile the tools we will need to extract it :uncramfs-lzma. I tried extracting the files using standard CramFS and it didnot work.
You will get some warnings, but you can safely ignore them. Now let's extractthe content of the two cramfs images.
Listing the content of cramfs1_content shows some directory structure familiarto the UNIX afficionado :
The first thing I noticed about /etc is it doesn't contain the usual
passwd
and shadow
files which would be very cool to have :(I think it is not possible for a box to boot without them and I just haven't found them yet.If anyone knows more on this topic, I would be really happy to hear from you.sshd_config
This file is the configuration for the OpenSSH server, which is used for remoteadministration of the router. I have cut some parts of the file to focus on whatseemed important to me.
At the start of the file, we see some instructions to tell the server to listenon any IPv4 adress, on port 22:
Then we have some declarations about which method of authentification are allowed:
Let's hope it is used for production with those settings ! :) That's about itfor sshd config, now let's move to something else.
Also, You can notice that the ssh v1 protocol is enabled by default. This could lead to some funny exploit.
It seems that there is another more recent version of the firmware (if I can understand Swisscom's file naming convention)available at : http://rmsdl.bluewin.ch/pirelli/Vx226x1_60208.sig Let's see what it hides.
![Centro Centro](/uploads/1/2/5/8/125851011/911870345.jpg)
This time it contains more data directly, for example two SquashFS instances that we will try extracting immediately.
Running
tree
against them reveals a directory structure that overlaps each other (we got /etc two times, etc..) but this times there is a lot more files, for example some init.dAfter checking /etc/version in both filesystems, it seems that there is a main version and a recovery one which is smaller than the main.
- user:
admin
- password:
1234
Sadly we don't land on a real shell but on their configuration system.Perhaps this can get changed ?
It seems that when we run the adslctl command, it really executes the binary in
/bin/adslctl
.At least string matches.show processes
run ps
and shows results.Warning, this may be bricking your router!
- Connect to the router :
telnet 192.168.1.1
. User:admin
, pass:1234
- Go to factory settings :
factory
and enter the commandfactory-mode
. This command is hidden, meaning it wont show up in autocomplete. - Your router will reboot. Once it has reboot, reset it using the reset button (at least I had to do it).
- You may have to re configure your network card manually.
- Telnet on it again, but this time use
admin
as username and password. - Lauch
system shell
. Tadaa.
To get back to normal mode, exit the shell and then run
restore default-setting
.The router will reboot into normal mode.