MIPS router hacking

Absolutely. Yes, okay. Okay, so we got one of those super secret passwords; I have no idea what that's for. Oh, the actual screen goes down more? No, that's the light switch. Is that as low as the screen actually goes? Try that. Okay, um, no, we have the technology to fix this. Hold on, hold on. I'm going to go ahead and do that, and I'm going to do that just because you guys don't need to see that, and then I'm going to lift this up a little bit. How's that? I know, right?

Okay, so yeah, all right, we're going to do this again, and in general show you what's going on behind the scenes. So on the D-Link, in the event you blow something away, you do something and you make it unbootable like this (I wanted to leave it in this state so that you understand the "oh god, what do I do now" moment), the D-Links have a recovery mode that can be accessed with the reset button. Okay, so now, have I connected? Nope, I sure didn't, and now you can't do anything. Don't accidentally plug in the 3.3 volt line either. I had the ground and the transmit reversed; hold on. One would think that at this point I would have labeled all of the pins. You could, yeah, you know.

All right, so like I said, getting into the recovery firmware is easy. Okay, so now you're actually in U-Boot right now. So by default, on this model of D-Link, you can't actually bypass anything unless you have physical access, so they've left just enough bits. A lot of these vendors will leave just enough bits for us to play with; if you know what you're doing and you have the right screwdriver, you can get in and you can get to this point. The way that you start doing stuff: when you fire this thing up into Linux it's going to tell you a lot of stuff, but what you want to start doing is working with a netboot environment. You don't actually want to touch the flash first, because you want to get into a netboot environment and then you want to be able to dd the entire flash off of the machine, when you're starting to do prototyping, onto somewhere else, so you can pop it into a hex editor and actually see where the calibration is. Because U-Boot is going to tell you where it has been programmed to have the layout of the flash. The flash is just one big chunk, 8 MB or 16 MB.

Typically, at least in the D-Link universe, they only use 8 MB of that, so right around the 6 megabyte portion of the flash will be the valuable calibration data. So when you start the thing up you're like, "oh well, I have 16 MB of flash, I'll just use the whole thing," and then you wipe out the calibration data. What's that? It's literally unique to every single router that does wireless: it's the RF calibration data for the wireless transmitter/receiver. So once you destroy that, you have spent fifty dollars on learning. At that point, you know, it's a thing that happens. I've done it. I was warned as well not to do that, and I did it anyway.

Yeah, no, the U-Boot stuff: I would have to hook up a JTAG burner to change U-Boot. It's in the ROM; it's part of the bootstrapping process of the machine; it's separate. Yes, yeah, so I will not be modifying U-Boot or whatever. No, this is the D-Link modified version of U-Boot for this router.

So if my machine works correctly, let's see. Okay, so on this machine we can actually TFTP an image off. I've set up TFTP, and if somebody's interested in the details of that, we can look at it. I had to do this a couple of times to figure out what the file name is; you have to do it at least once to find out what file name it's going to ask for. And then we're going to tell it to boot from the image that we actually got, and theoretically we should get some science. So I haven't actually touched the flash here; I haven't done anything really crazy. There we go. Okay, so it's using a RAM disk booting method that we have in the tree.

These things work. Things that I'm not satisfied with: OpenWrt has a robust packaging system and a robust file system that understands flash; it uses JFFS. You can't install packages here; this image is static. So if you want Dropbear SSH or you want a DHCP server, you're going to have to build that into the image before you burn it onto the flash, or you netboot it. I'm trying to understand how NANDFS works right now so that I can teach it all about the Atheros flash layout; basically I have to write a driver for it so that we can use it under NANDFS, and then that'll allow us to do actual packages and stuff.

So anyway, always bring a backup when you do a live demo; that's the lesson we've learned today. Does somebody want to take it? Does anybody have an Allen wrench, star head? No, nothing. All right, somebody want to take a shot at getting these screws out while I'm up here? Jen, you want to try? Lou's, I don't know, yeah, they're star. Does anybody have a hacksaw? Well, why not. Oh yeah, so that one is too big, but you might be able to. Don't be gentle with it; yeah, it'll be fine.

So okay, you want to see it? Yep, they hook right up to it, and they figure out all of the signaling characteristics of the Wi-Fi and they enter in this calibration data. Go ahead. I guess, uh, yeah, correct, yeah: all the Atheros drivers assume it's there.

The Atheros drivers assume that there is going to be a flash configuration partition, and they're going to be able to go into that flash configuration partition and find out all the magic signaling bits that are inside of it. Oh no, I have to remember where it is right now. Yeah, I could. All right, so here's all that. So the important one: it's internally called ART. What the heck does that even stand for? Regulatory something. Make up a configuration here, or an acronym: ART. I know you guys want to pipe it to more; I need to pipe it to a hex editor. But so: dd if=/dev/map/art bs=64k. Why is it 64k? Because I know, and we'll look at how I know that it's 64k in a minute. What's that? Yeah, it's called map; I'll show you that. I'll show you the kernel config so you can see what drivers and whatnot. Am I doing this right? Yes, I'll show you how to get the mapping here in a minute.

So maybe, mmm, password: one two three. Okay, so notice that the default subnet that the U-Boot parameters use is different than what our image system comes up with right now. So I will call this; that one was .20; I'm just thinking about, yeah, to make sure that's working. Okay, look, derp, try that. All right, and then we're going to hexdump /dev/map/art at 64k. Don't even worry about breaking it. Okay, it's star. All right, now, wait one minute, hexdump. See, thank you. Yeah, it'll actually make a little bit more sense here. All right, so magic; that's magic bits. Okay, now why do I know that this is the model number of the prototype board? Because I do. All right, yes, now there you go. So yeah, that's where all of the magic is actually burned into the ROM. This is important stuff for the drivers. Yeah, of course: it teaches the driver, if you request this power setting, this is your fudge factor when you actually program the transmitter or whatever. There you go. So that stuff there, the vendor burns that in.

The vendor version of OpenWrt, DD-WRT or whatever may or may not read that, for whatever reason, so it can or can't use that. That's arbitrary to whatever they're doing; like, our FreeBSD Wi-Fi stuff doesn't actually look at that. The more important stuff is all of the... okay, here's, you know, channel, primary channel 6, AP channel mode 11, all this kind of good stuff, and then we start getting into what to actually attenuate. This is interesting, not necessarily important, but the Atheros wireless driver will fail if this stuff isn't present and you haven't mapped it correctly.

Lou, are you about to just go "wow"? Well, at this rate it'll be done by dinner. I know, right? Yeah, well, if they had HP server gear, because every single ProLiant from the Compaq days, they all have the right screwdriver on the back of them. I just don't have one with me because I don't use that stuff anymore. Actually, do I? Sometimes I wonder what I do. It's fine; no one's ever going to put that case lid back on anyway. It's literally, I brought that to be destroyed this week, so it's not that big of a deal.

Okay, so that's the configuration partition, which is the only part that we actually care about, and when I say "care about" I mean never ever ever touch, and you should immediately back it up like we have just done. We have backed it up off of the machine here onto here, and now you put it somewhere, and you can absolutely dd it back and it's fine. You should; what he said. Because you will find, when you're doing science, sometimes you have experiments that fail.

So let's go to some of the more technical, more BSD-centric stuff here. So in the MIPS directory there's all of this crap. Okay, I consider the way that FreeBSD does this a bit of a bug; I kind of like the OpenWrt style, and we'll look at that in a second. But for every one of those, and those things get revved about every six months, there is a kernel configuration. So if you guys want to start messing with this stuff, you'll notice how quickly these things propagate. So the base system: these guys right here are the Atheros; like, this is what this reference platform can actually do, these are all of the things in it and whatnot. This is where the Atheros Ethernet switch is, this is where the Atheros wireless is, this is what usually the flash looks like; it's the defaults. And then here's the reference board for this guy that you could get as an Atheros developer, and then these are two that I've been messing with. This one here is actually that one that's over there. Here's the TP-Link that's cut off; that one quite a few people have had good success with. Oops, again. This one is a really, really, really easy to use, not very secure in the slightest Buffalo model. So this one is really great to play with, but don't put it anywhere where you care about your data. This one will TFTP anonymously on every boot, so if somebody is on your network and provides a TFTP server with a flash image, it will auto-burn that image to its flash for you. But it's branded as OpenWrt friendly, and there's no way to turn that off unless you do something. This one was the first one. This is absolutely right, because nobody's going to have a rogue TFTP server on your network. This one, it's only like 12 months old. Yeah, it's got a 24K Atheros, you know, it works fine. I have one; I didn't bring it with me, for entertainment reasons. Yes, yeah, we should probably add that soon.

I know, right? We can probably add that tonight. So this stuff here is if you guys are interested in 64-bit MIPS, which is not these; talk to the Cambridge kids, they have all of this 64-bit BERI stuff which is based on FPGAs, I think, yeah, and that's where they're doing it. You see people walking around with these RouterStations; they're kind of cool. PicoStation: a friend of mine and Adrian have been working on it. It's about this big; it's a transmitter; it has one Ethernet port out to your network and a wireless transceiver, and it's really great as a little repeater or other things that you may want to do on wireless networks that you're interested in seeing. This one's really good for that.

Now, all right, so these are all kernel configs. Who gives a crap, you know, obviously the kernel's going to be able to compile; why would you do that? Oh, as a comparison. All right. Oh, so this is one of my objections to the way that we do stuff. So if you're familiar with the FreeBSD kernel configuration file, all right, so this is for that one: we start off with our base parameters, we have a whole bunch of device-specific hints, and this is how we do device enumeration in this world. It's actually kind of gruesome; we'll look at that in a second. It's got GPIO bus. This unit itself, with that little tiny thing, can do VLAN switching, all kinds of really awesome things.

All right, in order to do the magic of doing a compressed disk image, burning it onto flash and then uncompressing it into RAM, you need this guy. This is the magical flag that does all that. So you're going to build a compressed image and then burn that onto flash, and then at boot time the kernel is going to go "oh, my root filesystem is here, let me uncompress that," and then mount it as a RAM disk. This is the configuration that I use to netboot, obviously, and this is the only thing you need when you're actually burning it onto flash. So you need this and this, and this stuff is for TFTP booting in this universe. Well, how are you going to get to it, because it's on the flash, compressed, so you have to uncompress it, but you don't know what the name of... anyway. Yeah, I mean, you don't have EFI protecting you and giving you this warm embrace of love and joy. So this is where it gets super messy. I hate this crap. It's taken me at least a year to get to the point where I can go "oh, okay." So I'm not going to get into it; we can talk about mechanically what this stuff actually means, what the buses are, why we have these offsets, instead of having the driver do things that would be sensible. It really makes me angry. Say what? Well, yeah, because we don't have... did you get it? That's why we keep Lou around. Thank you.

So don't worry about the rest of this; you can ask me in email, it'll be fine. Notice I've left this guy up here; it's very important to know where that is. That's going to be passed to the driver. Notice this stuff here. I noticed the wireless adapters on that machine are on a "PCI" bus; I put air quotes around that. Because it's on a PCI bus, you can lspci and you can actually see things. This is what I kind of wanted to get into: how I know that stuff is where I think it is, right? I know that this is where it is: U-Boot will tell me, the vendor firmware will tell me, which we'll see in a minute, and then we have to do the magic of telling everything what we know.

Where are the partitions, what are the offsets in hexadecimal on the flash device, and how do we get to stuff? So for example, I've taken this partition here that is called the "lang" partition. So that they could sell this thing in different countries and whatnot, they take the same unit and they burn a different language into it. I've just taken that and called it my arbitrary config partition for this unit, and I've set the read-only flag off. So this is the only part of flash, from userland when the thing is actually up and running, that you can read and write from. Then a little bit more, and the management. So the Atheros, especially this one, has a 64k piece of flash dedicated to storing the MAC addresses in ASCII. We can look at that later; it really entertained me when we found that. And then this is the magical ART: never ever ever ever touch it; back it up forever and ever and ever. Back up the whole slash, as Lou said.

Okay, so kernel config, device hints. Once you mess with it and you get to a point where your netbooting and stuff works, then we can start talking about actually burning it onto flash. That's going to be vendor-specific; every vendor is going to have a different way of getting stuff. Lou actually turned me on to this syntax right here. You guys kind of understand what that's doing? It's very goofy. So it's saying your partition is going to start at that address into flash, and then the end of this partition is going to be starting somewhere around here: search in this size for something that looks like that. So in other words, when the kernel boots up it's going to go "oh, well, I think the kernel ends here, because I saw this," and this comes out of the very first thing that's in the file system. And then obviously we do the inverse: we say okay, start there for the beginning, search in this size chunks and look for this, and that's the beginning, and then I have a hard end in flash here because the next partition is here, and then here, and then here.

So what does all that mean? There are a thousand different ways you can do this. Adrian, myself and Hiren Panchasara kind of whacked on this. There's ZRouter; we may want to resurrect ZRouter at some point because it's actually got a lot of features that we like. Crochet is another thing that you can use to do this. I use this because it uses make, and I like make. And on here you can actually, yeah, so as long as you've got the kernel on the flash, you can have your root filesystem be on a USB storage device. So in the event 8 MB or 4 MB isn't sufficient, okay, we'll get a terabyte; it works. You can UFS, ZFS, I don't know, 128 MB of RAM, I don't know; talk to the ARM kids, talk to the ARM kids, they're doing it, why not.

I have a primitive explanation on how to do netbooting stuff generally, all the configurations and whatnot. This is a Subversion project that's out of tree. I try to go into, you know, quality soldering. You notice, I don't know what I was... I must have had way too much coffee, because that thing ended up down here and those are over there and then the cables go in. But I just want to generally give people an idea of what the layout looks like, and then what it's going to look like when it boots up, what the menus are, kind of this stuff we just went over, right? And so this is in general what the thing looks like when that one boots up. So unlike our amd64 universe, let's go look at this guy. So I've got a little bit of stuff: how to build the firmware, like what is the command, once you've checked out this code, what is the command line you should run. So this one, again, is a completely different way to get firmware installed.
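The flash carving and ART backup steps described above (dd the map partition off at 64k, and the "start here, then search in this size for that magic" rule for finding where the kernel ends and the root filesystem begins), as an added Python example that is not the speaker's code or the project's own tooling. It parses a U-Boot/Linux-style mtdparts string into absolute offsets, resolves a kernel/rootfs boundary by scanning erase-block offsets for a magic string (the `search:<start>:<step>:<magic>` form is modeled on FreeBSD's geom_map device hints and is an assumption here), carves the partitions out of a constructed 1 MB flash image, hashes the ART block so a later restore can be verified, and refuses a write that would clobber ART or mis-size a partition. The layout string, the `ROOTFS` magic and every byte of the image are constructed for the example.

```python
"""Carve a raw flash dump into partitions and back up the ART calibration block.

Added example for this page, not the speaker's code. The flash image is built
in memory; the mtdparts string and the 'search:' boundary syntax (modeled on
FreeBSD's geom_map hints) are assumptions for illustration.
"""
import hashlib
import re
from dataclasses import dataclass

ERASE_BLOCK = 64 * 1024   # 64k: the unit the talk uses for the ART partition


@dataclass
class Partition:
    name: str
    start: int
    end: int            # exclusive
    read_only: bool = False

    @property
    def size(self) -> int:
        return self.end - self.start


_UNIT = {"k": 1024, "m": 1024 * 1024}
_PART_RE = re.compile(r"^(-|\d+[km]?)(?:@(\d+[km]?))?\(([\w.-]+)\)(ro)?$")
_SEARCH_RE = re.compile(r"^search:(0x[0-9a-f]+|\d+):(0x[0-9a-f]+|\d+):(.+)$", re.I)


def _size(tok: str) -> int:
    return int(tok[:-1]) * _UNIT[tok[-1]] if tok[-1] in _UNIT else int(tok)


def parse_mtdparts(spec: str, device_size: int) -> list:
    """Parse a U-Boot/Linux mtdparts string such as
    'flash0:64k(u-boot)ro,64k(u-boot-env),768k(firmware),64k(lang),64k(art)ro'.
    Partitions are laid out back to back; '-' means 'up to the end of the device'."""
    _, parts = spec.split(":", 1)
    out, cursor = [], 0
    for tok in parts.split(","):
        m = _PART_RE.match(tok)
        if not m:
            raise ValueError(f"bad mtdparts entry: {tok!r}")
        size_tok, at_tok, name, ro = m.groups()
        start = _size(at_tok) if at_tok else cursor
        end = device_size if size_tok == "-" else start + _size(size_tok)
        if end > device_size:
            raise ValueError(f"{name} runs past the end of flash")
        out.append(Partition(name, start, end, ro == "ro"))
        cursor = end
    return out


def resolve_boundary(flash: bytes, spec) -> int:
    """A boundary is a fixed offset or 'search:<start>:<step>:<magic>': scan
    forward from <start> in <step> increments and return the first offset where
    <magic> appears (the kernel ends where the root filesystem starts)."""
    if isinstance(spec, int):
        return spec
    m = _SEARCH_RE.match(spec)
    if not m:
        raise ValueError(f"bad boundary spec: {spec!r}")
    start, step, magic = int(m[1], 0), int(m[2], 0), m[3].encode()
    for off in range(start, len(flash) - len(magic) + 1, step):
        if flash[off:off + len(magic)] == magic:
            return off
    raise ValueError(f"magic {magic!r} not found from {start:#x} step {step:#x}")


def split_firmware(flash: bytes, fw: Partition, rootfs_magic: str):
    """Find the kernel end by searching erase-block offsets inside 'firmware'
    for the rootfs magic; the rootfs then hard-ends at the next partition."""
    root_start = resolve_boundary(flash, f"search:{fw.start:#x}:{ERASE_BLOCK:#x}:{rootfs_magic}")
    return (Partition("kernel", fw.start, root_start, True),
            Partition("rootfs", root_start, fw.end, True))


def backup(flash: bytes, p: Partition):
    """Return the partition's bytes and their SHA-256, to verify a later restore."""
    blob = flash[p.start:p.end]
    return blob, hashlib.sha256(blob).hexdigest()


def check_restore(p: Partition, blob: bytes, allow_calibration: bool = False) -> None:
    """Refuse writes that would clobber the calibration block or mis-size a partition."""
    if p.name == "art" and not allow_calibration:
        raise PermissionError("refusing to write the ART calibration partition")
    if len(blob) != p.size:
        raise ValueError(f"blob is {len(blob)} bytes, partition {p.name} is {p.size}")


# Constructed 1 MB sample flash; not a dump of any real device.
LAYOUT = "flash0:64k(u-boot)ro,64k(u-boot-env),768k(firmware),64k(lang),64k(art)ro"


def build_sample_flash() -> bytes:
    size = 1024 * 1024
    img = bytearray(b"\xff" * size)                 # erased NOR reads as 0xff
    img[0:4] = b"UBOT"                               # stand-in bootloader
    img[0x70000:0x70006] = b"ROOTFS"                 # rootfs 5 erase blocks into firmware
    art = b"".join(hashlib.sha256(b"art%d" % i).digest() for i in range(ERASE_BLOCK // 32))
    img[size - ERASE_BLOCK:] = art                   # deterministic fake calibration data
    return bytes(img)


if __name__ == "__main__":
    flash = build_sample_flash()
    parts = {p.name: p for p in parse_mtdparts(LAYOUT, len(flash))}
    kernel, rootfs = split_firmware(flash, parts["firmware"], "ROOTFS")
    for p in list(parts.values()) + [kernel, rootfs]:
        print(f"{p.name:10s} {p.start:#09x}-{p.end:#09x} {'ro' if p.read_only else 'rw'}")
    print("art sha256", backup(flash, parts["art"])[1])
```

On a real unit the only difference is the input: dd the whole device (or each `/dev/map/*` node) to a file over the netboot NFS/TFTP path first, feed that file in place of `build_sample_flash()`, and keep the printed digest next to the saved ART blob so a future `dd` back can be checked against it before it is written.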

It's going to look different. The firmware files have signatures on them; sometimes it's just a string, sometimes it's padding, sometimes it's whatever. When the system boots up, U-Boot will tell you what Linux is probably going to look for. So mtdparts is the term that's used to explain where all of the subdivisions of stuff are. U-Boot only cares about where the kernel is. When it actually looks at the firmware file before it flashes it, it'll look to see if there's some signature string, and I'll show you exactly what I mean. That's so that you don't accidentally put the wrong firmware on the machine. And so like this one, this one obviously is from quite a while ago, it's 10-ALPHA, and it does all the things and it's got all the stuff and all the bits. Here's a little bit more, with all the things.

So, um, let me see if I can browse to the right spots here: build, bin, build, and we'll look at AirStation. All right, a little bit of arbitrary stuff; notice at the bottom. So when we actually go to concatenate the image together, into bits and pieces: if this string isn't at the beginning, it'll reject the firmware file. How do we know that? With a hex editor: look at the firmware file. We look at the D-Link, let's see, did I move that? Okay, so in the D-Link, guess what, we have two different models of D-Links and they have two different text signatures, this one here and this one here, and those have to be in the image file when it's created. All right.

Yeah, so let me clear up some terminology, because I am kind of bouncing around from topic to topic. So when I say the firmware image, the FreeBSD firmware image, I mean this product. So this is the entire kernel, the entire root filesystem, and whatever arbitrary signature. This is the thing that's going to get burned to flash. Precisely, yeah. It's not, you know, there isn't any super maximum security wizardry happening here; it's literally, okay, cat, cat, and then echo, more or less, in that shell. Are there any... so this is publicly available, BSD licensed; have fun with it. It depends on the base system having a kernel configuration for the router. If you have an out-of-tree kernel config that you don't want to commit to FreeBSD, you can do that with this project; so if, for reasons, you have a piece of hardware that you don't want the kernel configuration to be publicly available for, sure.

Oh man, really? Check tonight. I know, right. I'll talk louder; I like hearing the sound of my own voice anyway. Um, oh really, is that scotch tape holding this thing on? Wow. Oh right, yeah, I'm sorry, cellophane adhesive on plastic. Okay, that antenna is actually glued on. Good, okay. All right, everybody, so I'm going to pass this around and we're going to play "spot the serial console."

If you can identify where the serial console on this is, you win absolutely nothing. No, actually, I looked at it; there will be no soldering required, I'm sorry, the pins are already on. What do you want to do with it? Going to put PF on it? You want to put VLANs on it? You want to... correct. So the problems... oh yeah, PF; pfSense is way ahead of this. Correct, absolutely. So what I'm aiming for, my magical goal, would be that there would be something good enough that people would stop using OpenWrt as the basis of their embedded projects. I mean, so, we would love... so right now I need to drag Warner off into a corner and extract from him and Adrian the flash specifications for the Atheros stuff, so that I can hook it directly into NANDFS. That way we can have a read/writable filesystem. It'll be fine, it'll be fine, there are no problems. Oh, have you guys not seen "everything is fine"? No, have you not seen this? Oh, it's great, it's great. All right, thank you indeed. All right, so everything is fine. Is there a speaker jack? Go. Oh, the volume, yeah, sure. You guys can't hear this? Well, they do yell a lot. Do you think it's muted? No, I don't. If only I had somebody here who knew about the FreeBSD sound system. Alexander. So anyway, "everything is fine." No, it's going around the room; anyway, you guys can watch this on your own.

I literally only have five minutes. Levels. Oh, what? Well, okay, so real briefly. Okay, so FreeBSD has this directory filled with files that are kernel configs that are specific to FreeBSD. And if we look at OpenWrt, I think, if I do this... so I did a checkout this weekend. Okay, we go here; notice how they have everything laid out. And if we look at the very specific kernel configuration file for the C1, it's not a configuration file; it's something that I can be completely ignorant of. I don't have to know how Linux works. I can read C. I'm reading that and I'm like, oh okay, there is a data structure that handles LEDs, there is a data structure that handles the pins, there is a data... it's clear to me what this is: this is their configuration file. I don't have to know, I don't have to care about Linux, I don't have to know what it is; I just go "oh, this is correct." And they had to do this because of what I showed you with the large amount of configs. I mean, every single product, you know, I've got two D-Links, I have a B1 and a C1: the same manufacturer, the same model number, different revisions require different kernel configs with different hints files and different file system layouts, probably. I think, yes, I mean, do something like that, yeah, okay. And that's it. So I'm going to migrate to the hallway track, and we're going to actually boot this thing up, but I'm going to give the room back.

Thanks for being here; hopefully it was of some value. There are things happening in this space, and if you're interested in doing it, I'm on the internet; you can find me. Anyway, thank you.