Author Topic: Attack vector search for CenturyLink C4000LG router  (Read 997 times)

ggeorgiev

  • Member
  • **
  • Posts: 23
Attack vector search for CenturyLink C4000LG router
« on: August 19, 2024, 02:47:13 PM »

Hello,

I want to put OpenWRT on a CenturyLink C4000LG DSL router and unlock more 5GHz frequencies. The problem I have now is that I cannot find any vector for writing the image to the disk. The router offers an SSH login, but it's in a chroot environment and practically nothing is accessible.

The router uses a GRX500 MIPS interAptiv (multi) V2.0 processor, and I shall be able to produce an image, but I see no way to write it or load it remotely. The router has an internal 3.3V serial port where I can get the boot messages as below.

The boot loader is unknown to me; here are its commands and predefined variables: http://downloads.znet.ca/C4000LG/minicom_bootvars.cap.txt
The boot loader offers a TFTP boot, but no network card is active at this point, so nothing can be loaded.
Router boot sequence: http://downloads.znet.ca/C4000LG/minicom.cap.txt
The router also has a USB port, but I am not sure how it can be used to boot/load an image.
I tried holding the reset and/or front button during load, no difference.
Here are a few images of the router card: http://downloads.znet.ca/C4000LG/

All ideas of how to load a custom (OpenWRT) firmware are appreciated. I have a few spares of this router, so if someone wants to tinker with it, I will send a router and a 3.3V serial port.

Thanks, George.

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5444
    • Thinkbroadband Quality Monitors
Re: Attack vector search for CenturyLink C4000LG router
« Reply #1 on: August 19, 2024, 07:10:32 PM »

Seems you already asked this on the OpenWRT forum and they gave you the answer: you'd have to reverse engineer it yourself.

Besides that, you'd likely need to bypass legal requirements to enable channels it was never certified to support. This is overall a bad idea as it can result in huge fines if you got caught doing so.

If you need more WiFi channels, you'd be far better off buying a dedicated Access Point and turning off WiFi in the router. Assuming those other channels are legal to use in your country and so are available on other hardware.
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + GL.iNet GL-X3000/ Spitz AX WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

meritez

  • Content Team
  • Kitizen
  • *
  • Posts: 1681
Re: Attack vector search for CenturyLink C4000LG router
« Reply #2 on: August 20, 2024, 01:46:55 PM »

The router offers an ssh login, but it's in a chroot environment and practically nothing is accessible

What's available in the chroot environment?

ggeorgiev

  • Member
  • **
  • Posts: 23
Re: Attack vector search for CenturyLink C4000LG router
« Reply #3 on: August 20, 2024, 02:10:15 PM »

Hello Alex,

Thanks for the reply. I asked a similar question on the OpenWRT forum, and it seems no one has a clue about this router, and I found no way to do something about it for now.

As for the 'huge fines' - little concern, and there are the 6E frequencies which I may try. Also, wasn't there some modification for the DFS channels in Canada (I am in Montreal) some time ago? I will (maybe) check that if I get things my way.

So, the point stays: how to intercept the boot loader or how to prepare a loadable firmware image. Not an evident endeavor.

ggeorgiev

  • Member
  • **
  • Posts: 23
Re: Attack vector search for CenturyLink C4000LG router
« Reply #4 on: August 20, 2024, 03:46:08 PM »

The router offers an ssh login, but it's in a chroot environment and practically nothing is accessible

what's available in the chroot environment?

Hello,
As for the chroot environment - there is a busybox providing the following (/usr/bin is a symlink to /bin; there is 'dropbear' and 'logread' in /sbin):
~ $ ls /bin/
ash      busybox  cat      date     echo     grep     ls       mpstat   ping     ps       pwd      sh       sleep    watch


The user of course has limited privileges:
~ $ id
uid=10003(admin) gid=10000(chroot-users) groups=10000(chroot-users)


No way to get privileged access in a chroot environment, as normal. Would be too easy if possible.
There should be a way, however, as there are network-related commands in the boot loader - but no network port is initialized and no IP stack is loaded.
Maybe there is something possible via the USB port?

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5444
    • Thinkbroadband Quality Monitors
Re: Attack vector search for CenturyLink C4000LG router
« Reply #5 on: August 20, 2024, 04:25:21 PM »

This is a puzzling one as the router's product data sheet claims it should support UNII-2 & UNII-2x (DFS) channels that you said on the OpenWRT forum it is not allowing you to use. From what I can see of Canada regulations, you should only be locked out of 120-128.

As for bypassing the boot loader, it's not uncommon to need to find the serial pins on the PCB in order to boot your own image. However, compiling that image is likely not trivial.

Then there's the whole complexity of figuring out the partition layout, as you don't want to wipe the WiFi radio calibration or it's never going to work right. But this is also why I doubt it will help your situation, as that configuration likely does not include the channels you want to use, or they should already be working.

I tried converting a PC into an Access Point years ago; without the calibration data the performance was very poor and DFS wouldn't work.

Also, that's a WiFi 6 router so it won't support the 6E 6GHz range.

ggeorgiev

  • Member
  • **
  • Posts: 23
Re: Attack vector search for CenturyLink C4000LG router
« Reply #6 on: August 20, 2024, 05:13:31 PM »

This is a puzzling one as the routers product data sheet claims it should support UNII-2 & UNII-2x (DFS) channels that you said on the OpenWRT forum it is not allowing you to use.  From what I can see of Canada regulations, you should only be locked out of 120-128.
.....
Also, that's a WiFi 6 router so wont support the 6e 6Ghz range.

Hello Alex,
The router - and I have a few of those - supports only channels 36-48 and 149-161. Those are the most crowded channels, and unlocking other ones will be an advantage. Also, for the 6E channels - I am not sure they cannot be unlocked; for example, with a specific firmware from the manufacturer a Mimosa C5x wireless bridge did unlock the 6E channels up to 6400 MHz, and I am using those now. Mimosa were nice to provide that firmware a couple of years back when I asked them for it.
As for the serial port - there is a 3.3V serial port, and the boot log is here: http://downloads.znet.ca/C4000LG/minicom.cap.txt
Boot loader commands and variables are here: http://downloads.znet.ca/C4000LG/minicom_bootvars.cap.txt
The boot log gives enough information for making an image, but I see no way to load anything.

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5444
    • Thinkbroadband Quality Monitors
Re: Attack vector search for CenturyLink C4000LG router
« Reply #7 on: August 21, 2024, 03:28:12 AM »

The Mimosa C5x wireless bridge is not a WiFi device from what I can tell. They specifically advertise a wider spectrum of 4.9 to 6.4 GHz, presumably making use of the slightly looser rules on some frequencies when used for point-to-point links.

My Ubiquiti Litebeam also does things that WiFi does not, such as being able to use channels as small as 5 MHz and a more robust radio protocol than WiFi to endure the interference of outdoor use, at the cost of lower peak speeds than WiFi.

WiFi cards/chips have specific hardware in them designed to operate only over the relevant radio channels that WiFi version is certified for. As I understand it, the bulk of the WiFi functionality is actually done in the WiFi chip/card itself on its own SoC; the router/AP merely talks to this over an API and converts the traffic into standard ethernet, bridging the traffic onto the LAN.

If you've gotten into the serial port, you may also need to do something similar to what the Home Hub 5 requires to change the boot mode. How to figure out which pin, I have no idea.

ggeorgiev

  • Member
  • **
  • Posts: 23
Re: Attack vector search for CenturyLink C4000LG router
« Reply #8 on: August 27, 2024, 11:56:41 PM »

Hello,

I am now able to stop the boot process and pass parameters to the kernel - but I still cannot get to a command line with a running system. The point is that the boot process does not start a shell or similar - it prints boot messages, but there is no login prompt or command line at the end. The console echoes the characters I type, but nothing more happens.

The first idea was to pass init=/bin/sh (or /bin/bash, ash, dash, etc.) to the kernel, however none of those exists. It for sure runs busybox, but how to get a shell? As you see from the command line, init=/etc/preinit, and it stays there forever.

[    0.000000] Kernel command line: earlycon=lantiq,0x16600000 nr_cpus=4 nocoherentio clk_ignore_unused root=/dev/ram ro rd_start=0x60a36000 rd_size=25384976 ubi.mtd=system_sw console=ttyLTQ0,115200 ethaddr=88:6A:E3:72:D0:69 panic=1 mtdparts=17c00000.nand-parts:1m(uboot),256k(ubootconfigA),256k(ubootconfigB),256k(gphyfirmware),256k(dsd),506m(system_sw),-(res) init=/etc/preinit active_bank=A update_chk=0 maxcpus=4 pci=pcie_bus_perf ethwan= ubootver=U-Boot 2016.07-INTEL-v-3.1.177 GWS-1.6 (Jul 13 2022 - 21:46:48 +0000) mem=480M@512M


I cannot mount the root filesystem from the U-Boot prompt to check what is there; U-Boot does not understand this. So, does someone have an idea what I can put for init= to get a console?

To be noted that if I log in with SSH to the box I get a chroot environment which has /bin/sh (busybox), but how can I know where it is located? And I have yet to see a UNIX system without some shell - but I am not an expert in system-on-chip devices.
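The kernel command line in the post above carries the NAND layout in its mtdparts= argument. The following is an added example, not code from the thread or from the router's firmware: it parses that value (the constructed CMDLINE below copies the relevant arguments from the post) into byte offsets, which is the first thing to establish before touching any flash region, since the thread warns that overwriting the wrong one loses the radio calibration.

```python
"""Parse the mtdparts= kernel argument into a partition table with offsets.

mtdparts syntax (Linux cmdlinepart): <dev>:<size>[@<off>](<name>)[ro][lk],...
Sizes take k/m/g suffixes (powers of two); a size of "-" means "the rest".
"""
import re

# Constructed sample: arguments copied from the C4000LG boot log in the post.
CMDLINE = ("root=/dev/ram ro ubi.mtd=system_sw "
           "mtdparts=17c00000.nand-parts:1m(uboot),256k(ubootconfigA),"
           "256k(ubootconfigB),256k(gphyfirmware),256k(dsd),506m(system_sw),-(res) "
           "init=/etc/preinit active_bank=A")

_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
_FIELD = re.compile(r"(-|\d+)([kmg]?)(?:@(\d+)([kmg]?))?\((\w+)\)(ro)?(lk)?")


def parse_mtdparts(cmdline):
    """Return [{device, name, offset, size, readonly}]; size None = to end of flash."""
    m = re.search(r"(?:^|\s)mtdparts=(\S+)", cmdline)
    if not m:
        return []
    device, _, spec = m.group(1).partition(":")
    parts, cursor = [], 0
    for field in spec.split(","):
        fm = _FIELD.fullmatch(field)
        if not fm:
            raise ValueError(f"unparseable mtdparts field: {field!r}")
        num, unit, off, off_unit, name, ro, _lk = fm.groups()
        # An explicit @offset overrides the running cursor (rarely used, but legal).
        offset = int(off) * _UNITS[off_unit] if off is not None else cursor
        size = None if num == "-" else int(num) * _UNITS[unit]
        parts.append({"device": device, "name": name, "offset": offset,
                      "size": size, "readonly": ro is not None})
        if size is None:
            break  # "-" consumes the remainder; nothing may follow it
        cursor = offset + size
    return parts


def ubi_partition(cmdline):
    """Resolve ubi.mtd=<name> against the parsed table (the rootfs container here)."""
    m = re.search(r"ubi\.mtd=(\w+)", cmdline)
    return next((p for p in parse_mtdparts(cmdline) if m and p["name"] == m.group(1)), None)


if __name__ == "__main__":
    for p in parse_mtdparts(CMDLINE):
        end = "end" if p["size"] is None else f"0x{p['offset'] + p['size']:08x}"
        print(f"{p['name']:<14} 0x{p['offset']:08x} - {end}")
```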

meritez

  • Content Team
  • Kitizen
  • *
  • Posts: 1681
Re: Attack vector search for CenturyLink C4000LG router
« Reply #9 on: August 29, 2024, 11:07:32 AM »

If you are in U-Boot, can you printenv for me?

bootmode=secure < concerns me

ggeorgiev

  • Member
  • **
  • Posts: 23
Re: Attack vector search for CenturyLink C4000LG router
« Reply #10 on: August 29, 2024, 01:06:52 PM »

Hello meritez,
Boot variables + available commands are printed just two posts above, but here is the link again: http://downloads.znet.ca/C4000LG/minicom_bootvars.cap.txt The boot log is just beside it: http://downloads.znet.ca/C4000LG/minicom.cap.txt - but it seems you have seen it.

I got a firmware update file from CenturyLink, and it's in U-Boot format, but it seems scrambled; only the header is readable.