Conversation

Notices

1. Embed this notice
   Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 01-Feb-2025 19:46:23 JST Ryan Castellucci :nonbinary_flag:

   I have about a dozen EnGenius EAP-1300 access points that I bought used in various batches for cheap. Two of them have unknown passwords set with the factory reset and serial console disabled. The flash is SOIC-16 SPI NOR. I am not having any luck accessing with a Bus Pirate and a test clip. :-(

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 01-Feb-2025 19:49:22 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     I've ordered a CH341A programmer, and am ordering some of the same model chip to experiment with. Hopefully that'll help.

     One thing I want to do is patch the bootloader to netboot firmware. These things have plenty of RAM.

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 01-Feb-2025 19:50:15 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     They use uboot, but the boot command seems to be hard coded so I can't simply configure them to netboot, but it does work if I manually enter the commands on the serial console.

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 01-Feb-2025 20:00:18 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     I've also be pondering making a mod chip that connects up to the serial header on the board and just monitors for uboot starting up and then enters the netboot commands automatically, but just patching the suckers would be way easier...

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 01-Feb-2025 20:05:05 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Attie Grande

     @attie In-situ with power off, and also with the chip removed from the board, though that board was fried.

   • Embed this notice
     Attie Grande (attie@chaos.social)'s status on Saturday, 01-Feb-2025 20:05:07 JST Attie Grande

     in reply to

     @ryanc Are you trying to do it in-situ, or did you remove the IC from the board? If it's on the board still, what have you tried? ... e.g: have you tried powering it and holding the main processor in reset (if you can find that signal)

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 01-Feb-2025 20:05:40 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Attie Grande

     @attie Don't have u-boot console access on two of them that I can't get into, and also I want to experiment with patching u-boot.

   • Embed this notice
     Attie Grande (attie@chaos.social)'s status on Saturday, 01-Feb-2025 20:05:41 JST Attie Grande

     in reply to

     @ryanc If you have access to the u-boot console, can you just use that to dump / rewrite the flash?

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 01-Feb-2025 20:18:36 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Attie Grande

     @attie I should have the other programmer later today, if you wanna help me figure it out live.