Kitz ADSL Broadband Information
Author Topic: BT Home Hub 3.0 - Type B  (Read 204517 times)

zcutlip

  • Member
  • **
  • Posts: 33
Re: BT Home Hub 3.0 - Type B
« Reply #195 on: February 26, 2013, 05:07:44 PM »

It's reporting the following which is the same version listed in your advisory.

Code:
Hub Firmware Information

Current firmware: V100R001C01B031SP09_L_B
Last updated: Unknown

Hmmm. Not sure what the problem might be.  So, to be clear, when you tried my configuration of 192.168.99.64, that was your computer's IP address, as reported by ifconfig?  So the HH3b's IP address was 192.168.99.254?

If for some reason the hub wasn't able to phone home due to addresses misconfigured or some other fluke, it's possible, even likely, that the exploit crashed bcmupnp running on the target.  You may want to reboot the HH3b each time you run the exploit, just to be sure.

You can also use Craig Heffner's miranda tool to verify whether bcmupnp is up and responding to SSDP.   Run miranda and do an msearch.  You should get back a WFADevice in the results.

Here's a link to miranda:
https://code.google.com/p/miranda-upnp/

Logged

Howlingwolf

  • Reg Member
  • ***
  • Posts: 107
Re: BT Home Hub 3.0 - Type B
« Reply #196 on: February 26, 2013, 10:07:11 PM »

Well...   That was fun...

The Law of Unintended Consequences bites one on the behind yet again  ::)


It seems that disabling the wireless interface stops the exploit from working.


Thanks for your help Zach. It is much appreciated.

Jonathan
Logged

zcutlip

  • Member
  • **
  • Posts: 33
Re: BT Home Hub 3.0 - Type B
« Reply #197 on: February 26, 2013, 10:48:23 PM »

Well...   That was fun...

The Law of Unintended Consequences bites one on the behind yet again  ::)


It seems that disabling the wireless interface stops the exploit from working.


Thanks for your help Zach. It is much appreciated.

Jonathan

Whoops. Yup. Makes sense.  bcmupnp is for management of the wireless interfaces via UPnP.  Got it working now?
Logged

Howlingwolf

  • Reg Member
  • ***
  • Posts: 107
Re: BT Home Hub 3.0 - Type B
« Reply #198 on: February 27, 2013, 09:03:09 PM »

Well...   That was fun...

The Law of Unintended Consequences bites one on the behind yet again  ::)


It seems that disabling the wireless interface stops the exploit from working.


Thanks for your help Zach. It is much appreciated.

Jonathan

Whoops. Yup. Makes sense.  bcmupnp is for management of the wireless interfaces via UPnP.  Got it working now?


Ah...

I wasn't aware of that. I must admit I didn't look too closely at what you were targeting before trying it.

Once I had confirmed that upnp was working using miranda I did a factory reset and went from there. It worked first time of course.

After that it was just a case of determining which config setting was stopping it.
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Progress and Warning
« Reply #199 on: March 04, 2013, 11:16:24 PM »

(a) intercept the device's update process and snag an update file.  There are a few ways to approach this problem.

I have been thinking about the means to achieve such a result and, to date, have either drifted off into sleep or hit a mental 'brick-wall'. Zach, would you have any general procedures to share, please?  ???
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


Howlingwolf

  • Reg Member
  • ***
  • Posts: 107
Re: Progress and Warning
« Reply #200 on: March 05, 2013, 12:45:38 AM »

(a) intercept the device's update process and snag an update file.  There are a few ways to approach this problem.

I have been thinking about the means to achieve such a result and, to date, have either drifted off into sleep or hit a mental 'brick-wall'. Zach, would you have any general procedures to share, please?  ???


One idea I had was to run BTAgent in qemu using a 'standard' rootfs.

Unfortunately, I'm having trouble getting Buildroot to play nice. The build stops and starts asking lots and lots of questions about things I know absolutely nothing about. Can't seem to find any documentation on them either.

I may have to try using OpenWART instead but the old saying about pigs ears and silk purses comes to mind :)
Logged

zcutlip

  • Member
  • **
  • Posts: 33
Re: BT Home Hub 3.0 - Type B
« Reply #201 on: March 05, 2013, 02:23:57 AM »

@burakkucat
A couple of approaches come to mind.  One would be to write a program (this could be as simple as a shell script) that monitors for the existence of the downloaded update file.  When that file appears, and as long as it continues to exist, loop and make a copy of it. At one point I had worked out what the file gets named when BTAgent downloads it.  I'll look into that and post back.

Another approach would be to run your WAN/PPPoE connection through a hub or LAN tap, and do a full packet capture, for days, or more likely, weeks. Tcpdump has options for chunking and compressing the capture.  Analyze the capture in wireshark every few days to see what is going on between your HH3b and the mothership.  Even if you don't see a firmware downloaded, you may see SOAP chatter that contains valuable intelligence.

@howlingwolf
At the risk of discouraging you, I suspect BTAgent has substantial dependencies on the BT hardware.  At the very least, I think it will want to pull configuration information from NVRAM.

If you do want to pursue this, I'd download a ready-built Debian MIPS QEMU image.  Copy the BT's root filesystem into a subdirectory of your Debian QEMU system. Then chroot into the BT root filesystem to run BTAgent.

Logged
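As an added illustration of the first approach above (a script that watches for the downloaded update file and copies it), not code from the thread or from zcutlip: a POSIX shell script for a busybox-style environment that polls for the file and keeps one copy per distinct content hash. The watched path, output directory and interval are placeholders, since the name BTAgent gives the file is not stated on this page.

```shell
#!/bin/sh
# Added example: poll for an update file and keep a copy of every distinct
# version seen. WATCH_FILE/OUT_DIR/INTERVAL are placeholders (hypothetical);
# the real download path used by BTAgent is not given in the thread.
WATCH_FILE="${WATCH_FILE:-/tmp/PLACEHOLDER_update.bin}"
OUT_DIR="${OUT_DIR:-/mnt/usb/captures}"
INTERVAL="${INTERVAL:-2}"

# md5 of a file; busybox md5sum prints "<hash>  <name>", keep only the hash.
file_hash() {
    md5sum "$1" | cut -d' ' -f1
}

# Copy $1 into $2 when it exists and its content has not been captured yet.
# Returns 0 if a new copy was written, 1 otherwise. A partially written
# download hashes differently from the finished file, so both end up saved;
# the last copy written is the complete one.
snapshot_if_changed() {
    src="$1"; dst_dir="$2"
    [ -f "$src" ] || return 1
    mkdir -p "$dst_dir"
    h=$(file_hash "$src")
    dst="$dst_dir/update-$h.bin"
    [ -e "$dst" ] && return 1
    # Write to a temp name and rename, so a reader never sees a half-copied file.
    cp "$src" "$dst.part" && mv "$dst.part" "$dst"
    echo "$(date '+%F %T') captured $dst" >&2
    return 0
}

# Number of distinct copies captured into $1 so far.
captured_count() {
    ls "$1"/update-*.bin 2>/dev/null | wc -l | tr -d ' '
}

# Poll forever; keep going whether or not the file is present on this pass.
watch_loop() {
    while :; do
        snapshot_if_changed "$WATCH_FILE" "$OUT_DIR" || true
        sleep "$INTERVAL"
    done
}

# Only start polling when run as: sh capture.sh --watch
if [ "${1:-}" = "--watch" ]; then
    watch_loop
fi
```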

Howlingwolf

  • Reg Member
  • ***
  • Posts: 107
Re: BT Home Hub 3.0 - Type B
« Reply #202 on: March 05, 2013, 04:47:44 PM »

@howlingwolf
At the risk of discouraging you, I suspect BTAgent has substantial dependencies on the BT hardware.  At the very least, I think it will want to pull configuration information from NVRAM.

If you do want to pursue this, I'd download a ready-built Debian MIPS QEMU image.  Copy the BT's root filesystem into a subdirectory of your Debian QEMU system. Then chroot into the BT root filesystem to run BTAgent.


I don't think it's that bad actually. The only error being reported is File not found for libhuawei.so  :P

Seriously, I've managed to get it running since my last post. I solved the problem with Buildroot by simply moving to the latest release. I had been trying to use the same version used to create the HomeHub rootfs (Buildroot 2010.02).

BTAgent seems to run ok apart from the above mentioned error. It then appears to go into a loop reporting firmware version, serial number, manufacturer, etc. are null.

My next step is to try and determine where that info is coming from (libhuawei ?) and fake it from there :)


Another approach would be to run your WAN/PPPoE connection through a hub or LAN tap, and do a full packet capture, for days, or more likely, weeks. Tcpdump has options for chunking and compressing the capture.  Analyze the capture in wireshark every few days to see what is going on between your HH3b and the mothership.  Even if you don't see a firmware downloaded, you may see SOAP chatter that contains valuable intelligence.

Honeywall might be suitable for this. It's intended for building honeypots but it functions as a fully transparent bridge so it may be adaptable to other uses such as this.
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: BT Home Hub 3.0 - Type B
« Reply #203 on: March 05, 2013, 11:57:02 PM »

@burakkucat
A couple of approaches come to mind.  One would be to write a program (this could be as simple as a shell script) that monitors for the existence of the downloaded update file.  When that file appears, and as long as it continues to exist, loop and make a copy of it. At one point I had worked out what the file gets named when BTAgent downloads it.  I'll look into that and post back.

Another approach would be to run your WAN/PPPoE connection through a hub or LAN tap, and do a full packet capture, for days, or more likely, weeks. Tcpdump has options for chunking and compressing the capture.  Analyze the capture in wireshark every few days to see what is going on between your HH3b and the mothership.  Even if you don't see a firmware downloaded, you may see SOAP chatter that contains valuable intelligence.

Thanks, Zach. Thinking about the latter, the Beattie Home Hubs 3.0A or B have both an xDSL port (for connection to a telephone line) and an 'Ethernet' port for connecting to the active CPE (just a Huawei HG612 or an ECI B-FOCuS acting in bridge mode). So the obvious point for such a tap would be between the active CPE and the HH (if a UK VDSL2 [FTTC] user) or something like a DrayTek Vigor 120 and the HH (if a UK ADSL2+ user).
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


Matt1234123

  • Just arrived
  • *
  • Posts: 3
Re: BT Home Hub 3.0 - Type B
« Reply #204 on: April 12, 2013, 04:25:58 PM »

Hello, I do not own a BBHH3B, but I was wondering if someone could send me some files from it.  In the /etc/wlan ? dir, there appears to be some small .bin files starting with bcm43xx.  I'm after the bcm4322_map.bin file in particular for another router, but all the .bin's would be good.
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: BT Home Hub 3.0 - Type B
« Reply #205 on: April 12, 2013, 05:20:06 PM »

Hello, I do not own a BBHH3B, but I was wondering if someone could send me some files from it.  In the /etc/wlan ? dir, there appears to be some small .bin files starting with bcm43xx.  I'm after the bcm4322_map.bin file in particular for another router, but all the .bin's would be good.

http://docs.google.com/file/d/0B6wW18mYskvBY2FZalRBUzRwR2M/edit

cheers, a
Logged

towcow

  • Just arrived
  • *
  • Posts: 4
Re: BT Home Hub 3.0 - Type B
« Reply #206 on: April 14, 2013, 09:20:04 AM »

full featured busybox compiled for homehub (mips)

https://skydrive.live.com/#cid=0E86B6C68CC33600&id=E86B6C68CC33600%21103

copy to memory stick and access via /mnt/usb/<disklabel>

Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: BT Home Hub 3.0 - Type B
« Reply #207 on: April 14, 2013, 09:39:34 PM »

Welcome to the forum, towcow :-)  Good stuff!  Did you root the box using zcutlip's exploit?   It would be nice to make something good of this device.  Peeps over on ThinkBroadband are grumbling at its lack of configurability.  That needn't be the case.  Underneath its  idiot-proof GUI is a very nice device!  It would be great to get OpenWRT running on it :-)

cheers, a
Logged

towcow

  • Just arrived
  • *
  • Posts: 4
Re: BT Home Hub 3.0 - Type B
« Reply #209 on: April 15, 2013, 09:58:02 AM »

Yes, used zcutlip's exploit, ran it from Cygwin. Native Windows Python does not work due to lack of fork() support.
Logged