  1. Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 13-Apr-2024 03:26:02 JST

    Hmm, this AP is having issues.

    The OEM firmware has a failsafe loader that comes up on http://192.168.99.9/ if u-boot fails to boot the system. Unclear what firmware it will work with.

    ...and according to the changelog on the OpenWRT wiki, I added that.

    I guess I need to do serial to this.

    • Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 13-Apr-2024 05:02:13 JST

      Well, it's dead now... 🤷

      I managed to TFTP boot OpenWRT on it, then somehow in the process of pulling the safety pins out of the holes for the serial pins killed it. It won't power on.

      I bought four of them as spares, and the other three do boot, though factory reset isn't working on two of them...

      I guess I'll solder pin headers on first.

    • Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 13-Apr-2024 05:02:37 JST

      The one that died was working until I tried to update the firmware 😭

    • Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Monday, 15-Apr-2024 05:06:35 JST

      What the actual fuck. I appear to have killed another one by swapping the ground and TX or RX pin on the serial cable?

      Also, two of the four have apparently factory installed pin headers, but no serial console. So of the four, only one works. This is really annoying.

    • Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Monday, 15-Apr-2024 05:44:14 JST

      They were apparently pulled from a country club, so the password is probably guessable...

    • Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Monday, 15-Apr-2024 05:51:49 JST, in reply to Graham Sutherland / Polynomial

      @gsuberland It's stored in NAND flash on a JFFS2 filesystem using MD5Crypt. I see a NOR flash chip, but I think the NAND is part of the SOC.

    • Graham Sutherland / Polynomial (gsuberland@chaos.social)'s status on Monday, 15-Apr-2024 05:51:51 JST

      @ryanc in almost all cases they're just ASCII text config files (bunch of var=value\n and a null terminator at the end) so you don't need to do any reverse engineering. dump flash, whole thing in the clear.

    • Graham Sutherland / Polynomial (gsuberland@chaos.social)'s status on Monday, 15-Apr-2024 05:51:52 JST

      @ryanc if you open it up and find the 8-pin SPI flash chip, there's usually a config block somewhere in there where there will be a bunch of copies of the configuration table with the passwords and stuff in cleartext. typically it's implemented as a circular buffer for wear levelling purposes, so each time you save persistent config it writes a new copy after the last, so you'll often get historical passwords from it too in case they reused any elsewhere.

      In conversation about a year ago permalink
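The layout described in the two posts above (NUL-terminated `var=value` blocks, rewritten as successive copies) also matters when retiring hardware, because superseded credentials stay on flash. As an added example, not code from either poster, this sketch scans a flash image from a device you own for such copies and counts how many distinct values survive per secret-looking variable; the key character set, the name hints and the sample image are assumptions constructed for illustration.

```python
import re

# One config copy as described above: consecutive "var=value\n" lines followed
# by a NUL terminator. Key charset and the 2-line minimum are assumptions.
BLOCK = re.compile(rb"(?:[A-Za-z0-9_.]+=[\x20-\x7e]*\n){2,}\x00")
SECRET_HINT = re.compile(r"pass|psk|key|secret", re.I)  # assumed naming hints


def find_config_copies(image: bytes):
    """Return [(offset, {var: value})] for each config copy found in the image."""
    copies = []
    for m in BLOCK.finditer(image):
        pairs = {}
        for line in m.group()[:-1].decode("ascii").splitlines():
            var, _, value = line.partition("=")
            pairs[var] = value
        copies.append((m.start(), pairs))
    return copies


def residual_secret_report(image: bytes):
    """Map each secret-looking variable to the number of distinct values on flash."""
    seen = {}
    for _, pairs in find_config_copies(image):
        for var, value in pairs.items():
            if SECRET_HINT.search(var) and value:
                seen.setdefault(var, set()).add(value)
    return {var: len(values) for var, values in seen.items()}


def build_sample_image() -> bytes:
    """Constructed test image: erased flash (0xFF) holding three saved copies."""
    erased = b"\xff" * 64
    saves = [
        b"hostname=ap-lobby\nadmin_password=example-old\nwpa_psk=example-psk-1\n\x00",
        b"hostname=ap-lobby\nadmin_password=example-new\nwpa_psk=example-psk-1\n\x00",
        b"hostname=ap-pool\nadmin_password=example-new\nwpa_psk=example-psk-2\n\x00",
    ]
    return erased + erased.join(saves) + erased


if __name__ == "__main__":
    image = build_sample_image()
    for offset, pairs in find_config_copies(image):
        print(f"copy at 0x{offset:04x}: {sorted(pairs)}")
    for var, count in residual_secret_report(image).items():
        print(f"{var}: {count} distinct value(s) still on flash")
```

A count above one means a factory reset or password change left earlier values behind, so the chip needs a full erase before the device leaves your control.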
    • Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Monday, 15-Apr-2024 05:53:44 JST, in reply to Graham Sutherland / Polynomial

      @gsuberland If the bloody serial terminal worked - the factory installed headers are taunting me - I have the manufacturer's console password. 😭

    • Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Monday, 15-Apr-2024 05:54:20 JST, in reply to Graham Sutherland / Polynomial

      @gsuberland Maybe I also fried the serial cable?

    • Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Monday, 15-Apr-2024 05:56:00 JST, in reply to Graham Sutherland / Polynomial

      @gsuberland Nope. The JFFS2 is read/write. I already reverse engineered the shit out of this model.

      It's a squashfs root filesystem with a JFFS2 overlay.

      OpenWRT variant.

    • Graham Sutherland / Polynomial (gsuberland@chaos.social)'s status on Monday, 15-Apr-2024 05:56:01 JST

      @ryanc typically you'll have firmware on JFFS2 on NAND flash, mounted read-only, but with a binary on the device that writes to a separate EEPROM which contains config data. typically they'll refer to it as nvram.

    • Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Monday, 15-Apr-2024 05:59:07 JST, in reply to Graham Sutherland / Polynomial

      @gsuberland

      They're these: https://openwrt.org/toh/engenius/eap1300

      Circa 2015/2016 hardware.

    • Graham Sutherland / Polynomial (gsuberland@chaos.social)'s status on Monday, 15-Apr-2024 05:59:08 JST

      @ryanc oh interesting, maybe high write cycle NAND flash got cheap enough these days for them to eliminate the EEPROM from their BOM.

    • Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Monday, 15-Apr-2024 06:00:08 JST, in reply to Graham Sutherland / Polynomial

      @gsuberland Want to try to fix one of the ones I apparently bricked?

    • Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Monday, 15-Apr-2024 06:13:05 JST, in reply to Graham Sutherland / Polynomial

      @gsuberland Yeah, it's a 3.3V UART. I was using an Adafruit FTDI cable. It was working before I fried the first AP.

    • Graham Sutherland / Polynomial (gsuberland@chaos.social)'s status on Monday, 15-Apr-2024 06:13:07 JST

      @ryanc maybe incompatible logic levels? normally it's just 3.3V UART.

      in my experience cheap USB UART cables are extremely prone to failure. cost optimised to the extreme and zero onboard protection against shorts, overvoltage, data line overcurrent, ESD, ground loops, etc.

    • Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Monday, 15-Apr-2024 06:14:30 JST, in reply to Royce Williams

      @tychotithonus You wanna help me with strategic password guessing?

    • Royce Williams (tychotithonus@infosec.exchange)'s status on Monday, 15-Apr-2024 06:23:52 JST

      @ryanc Sure! Adjust visibility to taste (if needed), and lemme know as much context as you've got
