Ryan Castellucci :nonbinary_flag:
Hmm, this AP is having issues.
The OEM firmware has a failsafe loader that comes up on http://192.168.99.9/ if u-boot fails to boot the system. Unclear what firmware it will work with.
...and according to the changelog on the OpenWRT wiki, I added that.
I guess I need to do serial to this.
Ryan Castellucci :nonbinary_flag:
Well, it's dead now... 🤷
I managed to TFTP boot OpenWRT on it, then somehow in the process of pulling the safety pins out of the holes for the serial pins killed it. It won't power on.
I bought four of them as spares, and the other three do boot, though factory reset isn't working on two of them...
I guess I'll solder pin headers on first.
Ryan Castellucci :nonbinary_flag:
The one that died was working until I tried to update the firmware 😭
Ryan Castellucci :nonbinary_flag:
What the actual fuck. I appear to have killed another one by swapping the ground and TX or RX pin on the serial cable?
Also, two of the four have apparently factory installed pin headers, but no serial console. So of the four, only one works. This is really annoying.
Ryan Castellucci :nonbinary_flag:
They were apparently pulled from a country club, so the password is probably guessable...
Ryan Castellucci :nonbinary_flag:
@gsuberland It's stored in NAND flash on a JFFS2 filesystem using MD5Crypt. I see a NOR flash chip, but I think the NAND is part of the SOC.
Graham Sutherland / Polynomial
@ryanc in almost all cases they're just ASCII text config files (bunch of var=value\n and a null terminator at the end) so you don't need to do any reverse engineering. dump flash, whole thing in the clear.
Graham Sutherland / Polynomial
@ryanc if you open it up and find the 8-pin SPI flash chip, there's usually a config block somewhere in there where there will be a bunch of copies of the configuration table with the passwords and stuff in cleartext. typically it's implemented as a circular buffer for wear levelling purposes, so each time you save persistent config it writes a new copy after the last, so you'll often get historical passwords from it too in case they reused any elsewhere.
Ryan Castellucci :nonbinary_flag:
@gsuberland If the bloody serial terminal worked - the factory installed headers are taunting me - I have the manufacturer's console password. 😭
Ryan Castellucci :nonbinary_flag:
@gsuberland Maybe I also fried the serial cable?
Ryan Castellucci :nonbinary_flag:
@gsuberland Nope. The JFFS2 is read/write. I already reverse engineered the shit out of this model.
It's a squashfs root filesystem with a JFFS2 overlay.
OpenWRT variant.
Graham Sutherland / Polynomial
@ryanc typically you'll have firmware on JFFS2 on NAND flash, mounted read-only, but with a binary on the device that writes to a separate EEPROM which contains config data. typically they'll refer to it as nvram.
Ryan Castellucci :nonbinary_flag:
They're these: https://openwrt.org/toh/engenius/eap1300
Circa 2015/2016 hardware.
Graham Sutherland / Polynomial
@ryanc oh interesting, maybe high write cycle NAND flash got cheap enough these days for them to eliminate the EEPROM from their BOM.
Ryan Castellucci :nonbinary_flag:
@gsuberland Want to tried to fix one of the ones I apparently bricked?
Ryan Castellucci :nonbinary_flag:
@gsuberland Yeah, it's a 3.3V UART. I was using an adafruit FTDI cable. It was working before I fried the first AP.
Graham Sutherland / Polynomial
@ryanc maybe incompatible logic levels? normally it's just 3.3V UART.
in my experience cheap USB UART cables are extremely prone to failure. cost optimised to the extreme and zero onboard protection against shorts, overvoltage, data line overcurrent, ESD, ground loops, etc.
Ryan Castellucci :nonbinary_flag:
@tychotithonus You wanna help me with strategic password guessing?
Royce Williams
@ryanc Sure! Adjust visibility to taste (if needed), and lemme know as much context as you've got
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.