Hitronhub CVE-30360 (Kabel Deutschland) WLAN Hack?

Discussion: Hitronhub CVE-30360 (Kabel Deutschland) WLAN Hack? in the forum WLAN-Zone, category Web, Network & Multimedia Palace.

06.01.14, 00:12   #106
hackerpeter (registered since 03.01.14, rank: Facit NTK, likes: 1)

Just checked KD website searching for possible downloads. This is more than crazy. Current online order benefit is free WiFi modem (50Mbit+ package).

Maybe they will rethink current policy and will remove this WiFi disable crap from current firmware images again. (I have a dream...)

06.01.14, 15:42   #107
mogge (registered since 27.03.13, rank: Facit NTK, likes: 0)

Indeed, they are offering all new customers of "Internet & Telefon 25, 50, 100" the WLAN option free of charge for the duration of the contract.

Now that's what I call customer service. Just don't upgrade the existing customers
07.01.14, 14:08   #108
mrproxy (registered since 31.12.13, rank: Facit NTK, likes: 0)

According to KD, a new hitron piece of crap is 150 to 200 eur. Just the hitron, no on-site service. Unbelievable. Be careful not to brick it.
09.01.14, 00:05   #109
flipflop (registered since 27.02.13, rank: Z3, likes: 17)

I have knocked together a small tool for Windows so that even laypeople can enable their WLAN. Here is a short description:

1. Download and unpack the tool
2. Change into the folder hitron
3. Restart the router using the switch
4. Run hitron.exe
5. Wait until it is finished ("Could not connect" messages are normal)


Code:
> hitron.exe --help

Usage: hitron.exe [options]

Options:
  -h, --help            show this help message and exit
  -r ROUTER, --router=ROUTER
                        ip of router
  -u USERNAME, --username=USERNAME
                        username
  -p PASSWORD, --password=PASSWORD
                        password
  -l LOG, --log=LOG     logging of responses
  -s SSH, --ssh=SSH     open ssh port
The source code is here.

Linux users can use the program too, as it is written in Python. Only the Python package paramiko needs to be installed; it can be found via easy_install/pip.

The program uses the method discovered by hackerpeter (cli->rg->Wls).
09.01.14, 02:35   #110
hackerpeter (registered since 03.01.14, rank: Facit NTK, likes: 1)

@flipflop: thx for automation of the necessary work from PC / "client" side

Btw. I am still trying to automate the stuff directly on the box itself, to solve the last drawback with restarts of the box. My first attempts failed to do that. But now I think I found a possible way.

Problem is, I don't have much time for playing here. Real task to enable wireless again is solved, so everything else is fun/luxury on top.

What I am trying is to build a cross compiler toolchain for this specific ARM architecture (ARMv6b). I want to compile this very small but FUCKING awesome tool called "empty".
empty - run processes and applications under pseudo-terminal (PTY) sessions (replace TCL/Expect with shell)
or see it in action on Youtube
Hak5 - Automate Interactive Processes in Linux without TCL/Expect, Hak5 1107.1 - YouTube
Basically it is a pure C alternative for the very known expect tool. The cool thing here is, that it is working on a file base so you could work with all our usual shell friends like grep, sed, awk ... check out the Youtube video

If someone already has a working toolchain (linux-gnueabi-gcc, uclibc, binutils) it would be very kind to share the empty-binary file.

Last edited by hackerpeter (09.01.14 at 02:38)
09.01.14, 10:54   #111
flipflop (registered since 27.02.13, rank: Z3, likes: 17)

Quote from hackerpeter:
If someone already has a working toolchain (linux-gnueabi-gcc, uclibc, binutils) it would be very kind to share the empty-binary file.
I am interested in that too. Will try to build that thing soon.

The next thing I plan on doing is making a new firmware with nice additions (like python installed) and the update/block ssh port stuff removed.
09.01.14, 12:03   #112
roald (registered since 26.12.13, rank: Facit NTK, likes: 1)

Hi Flipflop, have you any ideas on installing firmware without a hardware reflash? I, at least, haven't got the equipment to do that and I prefer a 'software' method.

Have you ideas on blocking a software update for the time being (where we still can't reflash the Hitron ourself)?
09.01.14, 13:13   #113
flipflop (registered since 27.02.13, rank: Z3, likes: 17)

Quote from roald:
Hi Flipflop, have you any ideas on installing firmware without a hardware reflash? I, at least, haven't got the equipment to do that and I prefer a 'software' method.
You can use cli->rg->dload command. Parameters are:
Code:
dload $1 $2 $3
    $1 - A.B.C.D   TFTP server IP address
    $2 - STRING   filename of CM software
    $3 -
           0     download via LAN interface
           1     download via RF interface
           2     download via CPE interface
So basically all you have to do is install a tftp server, do something like
Code:
dload x.x.x.x uberfirmware-v1.0 0
and it should place the new firmware in sector 2 (check with cli->rg->dir).
Then do
Code:
bootfrom 2 (is that correct?)
and it should be booting from sector 2.

For modification of current firmwares use firmware-mod-kit. It allows you to unpack and repack the firmware files.
So what you do is you unpack the thing, do your modification and repack it.

If you want to put new binary programs onto the router you need to build the toolchain for it.
For this you can use crosstool-ng. I don't know the exact configuration you need. Currently trying
"armeb-unknown-linux-uclibcgnueabi".

Hints regarding arch/libs/config:
Code:
> file firmwares/3.1.1.29/bin/ls
ELF 32-bit MSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), stripped
Code:
> objdump -p firmwares/3.1.1.29/bin/ls
(...)
Dynamic Section:
  NEEDED               libHtxShareUtils.so
  NEEDED               libm.so.0
  NEEDED               libpam.so.0
  NEEDED               libpam_misc.so.0
  NEEDED               libc.so.0
(...)
Code:
> uname -a
Linux CVE-30360 2.6.18_pro500 #1 PREEMPT Thu Sep 5 11:45:11 GMT 2013 armv6b GNU/Linux
-> linux kernel 2.6.18
-> arch is ARM
-> MSB / big endian
-> uses uClibc version 0.9.29

Quote from roald:
Have you ideas on blocking a software update for the time being (where we still can't reflash the Hitron ourself)?
sw_dl is the tool to flash the firmware onto the device. So removing it will stop updates.
I will build a firmware where sw_dl is backed up and replaced with a program that does nothing. That way programs accessing it do not fail.

Last edited by flipflop (09.01.14 at 20:22)
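The architecture hints in the post above come from `file` and `objdump`. As an added example (not code from this thread, from firmware-mod-kit or from crosstool-ng), here is a minimal C parser for the ELF identification header that recovers the same facts (32-bit, MSB, ARM) from the first 20 bytes of a binary, plus a check that a freshly cross-compiled binary actually matches that target before it is copied to the router. The two sample headers are constructed for the example and are not bytes from the Hitron firmware; the machine numbers are the standard ELF `EM_*` values.

```c
/* Added example: identify bitness, byte order and machine of an ELF file
 * from its header alone, then compare against the intended target.
 * Sample headers below are constructed, not taken from any real firmware. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ELF_MACHINE_ARM     40   /* EM_ARM */
#define ELF_MACHINE_X86_64  62   /* EM_X86_64 */

struct elf_ident {
    int bits;        /* 32 or 64 */
    int big_endian;  /* 1 = MSB (as on the CVE-30360), 0 = LSB */
    int type;        /* e_type: 2 = EXEC, 3 = DYN */
    int machine;     /* e_machine: 40 = ARM, 62 = x86-64, ... */
};

/* Read a 16-bit field honouring the file's own byte order, not the host's. */
static unsigned read_u16(const unsigned char *p, int big_endian)
{
    return big_endian ? (unsigned)(p[0] << 8 | p[1])
                      : (unsigned)(p[1] << 8 | p[0]);
}

/* Returns 1 and fills *out if buf starts with a well-formed ELF header,
 * 0 otherwise (short buffer, bad magic, unknown class or data encoding). */
int elf_identify(const unsigned char *buf, size_t len, struct elf_ident *out)
{
    if (len < 20 || memcmp(buf, "\x7f" "ELF", 4) != 0)
        return 0;
    if (buf[4] != 1 && buf[4] != 2)     /* EI_CLASS: ELFCLASS32 / ELFCLASS64 */
        return 0;
    if (buf[5] != 1 && buf[5] != 2)     /* EI_DATA: ELFDATA2LSB / ELFDATA2MSB */
        return 0;
    out->bits = buf[4] == 1 ? 32 : 64;
    out->big_endian = buf[5] == 2;
    out->type = (int)read_u16(buf + 16, out->big_endian);     /* e_type */
    out->machine = (int)read_u16(buf + 18, out->big_endian);  /* e_machine */
    return 1;
}

/* Does the binary match the target the toolchain is supposed to produce?
 * A cheap sanity check on cross-compiler output before copying it over. */
int elf_matches_target(const struct elf_ident *id, int bits, int big_endian, int machine)
{
    return id->bits == bits && id->big_endian == big_endian && id->machine == machine;
}

/* Constructed sample: first 20 bytes of a 32-bit big-endian ARM executable
 * (what `file` reports as "ELF 32-bit MSB executable, ARM"). */
static const unsigned char sample_armeb[20] = {
    0x7f, 'E', 'L', 'F', 1, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x00, 0x02,   /* e_type    = 2 (EXEC), big-endian */
    0x00, 0x28    /* e_machine = 40 (ARM) */
};

/* Constructed sample: a 64-bit little-endian x86-64 PIE, i.e. what the host
 * gcc produces if the cross-compiler is not used by mistake. */
static const unsigned char sample_x86_64[20] = {
    0x7f, 'E', 'L', 'F', 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x03, 0x00,   /* e_type    = 3 (DYN), little-endian */
    0x3e, 0x00    /* e_machine = 62 (x86-64) */
};

int main(void)
{
    struct elf_ident id;
    const unsigned char *samples[2] = { sample_armeb, sample_x86_64 };
    for (int i = 0; i < 2; i++) {
        if (!elf_identify(samples[i], 20, &id)) {
            puts("not an ELF header");
            continue;
        }
        printf("ELF %d-bit %s machine=%d type=%d -> %s\n", id.bits,
               id.big_endian ? "MSB" : "LSB", id.machine, id.type,
               elf_matches_target(&id, 32, 1, ELF_MACHINE_ARM)
                   ? "OK for the armeb router" : "WRONG target");
    }
    return 0;
}
```

Reading the first 20 bytes of a real binary into `elf_identify` gives the same classification `file` prints; the endianness-aware `read_u16` is the part that matters here, since a host-order read of `e_machine` on a big-endian ARM binary would return 0x2800 instead of 40.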
09.01.14, 15:20   #114
roald (registered since 26.12.13, rank: Facit NTK, likes: 1)

Thanks for your quick answer.

I am afraid I can't help you with your toolchain; you are obviously more knowledgeable in C and cross-compiling.

I think you're right about how you could do an update yourself from your own ftp server. In my question I also meant that as long as we can't do it the way you describe, we are vulnerable to a new software installation (alas only when you have to reboot, if I am correct). I think that blocking the tftp OUTPUT port just after the runall statement is not enough. What do you think? (But it can't do any harm either.)

I just noticed something strange in my Hitron:

- I once did a dir (cli>rg>dir) and this was the reply:
MAIN> dir

Filename in sector 1->CVE-30360-3.1.1.29-IMS-KDG-131106.sbn
Filename in sector 2->CVE-30360-3.1.1.22-IMS-KDG-130528.sbn
Selected sector is 1

- today I did it again:

Filename in sector 1->CVE-30360-3.1.1.29-IMS-KDG-131106.sbn
Filename in sector 2->EMPTY IMAGE
Selected sector is 1

I think this is a result of a dload or sw_dl command I may have given and terminated. So this suggests that a new dload goes into sector 2. Bootfrom 2 would boot from the newly installed software. But what would happen if this boot doesn't succeed? Would it then boot next time from sector 1?
09.01.14, 16:49   #115
flipflop (registered since 27.02.13, rank: Z3, likes: 17)

Quote from roald:
I am afraid I can't help you with your toolchain; you are obviously more knowledgeable in C and cross-compiling.
Actually this is the first time I do stuff like this

Quote from roald:
I think that blocking the tftp OUTPUT port just after the runall statement is not enough. What do you think? (But it can't do any harm either.)
If the output port is always the same go for it.

Quote from roald:
I think this is a result of a dload or sw_dl command I may have given and terminated.
Yes it is. Sector 2 gets nuked before the tftp download. You fed it no firmware so the sector stays empty. Also dload calls sw_dl with some more parameters set.

Quote from roald:
So this suggests that a new dload goes into sector 2. Bootfrom 2 would boot from the newly installed software. But what would happen if this boot doesn't succeed? Would it then boot next time from sector 1?
That's a good question. Better to not try it
09.01.14, 16:59   #116
roald (registered since 26.12.13, rank: Facit NTK, likes: 1)

So, it may be wise to tftp the normal image .29 from your own ftp server with no changes and see if the upload is successful. After that you can make changes in the image and hope everything goes well too.

That is how I would do it, anyway (for what it's worth).

Hopefully you would never have to find out if you can boot from the old image if the new image won't start. But you might still wonder ...
09.01.14, 21:41   #117
flipflop (registered since 27.02.13, rank: Z3, likes: 17)

armeb-unknown-linux-uclibcgnueabi is the correct toolchain.
I just compiled a simple program and it works on the router.

Here the listing of commands:
Code:
sudo apt-get install build-essential libncurses5-dev
sudo apt-get install automake libtool bison flex texinfo
sudo apt-get install libexpat1-dev python-dev
wget http://crosstool-ng.org/download/crosstool-ng/crosstool-ng-1.19.0.tar.bz2
tar -xf crosstool-ng-1.19.0.tar.bz2
cd crosstool-ng-1.19.0
./configure
make
sudo make install
cd ..
mkdir toolchain
cd toolchain
ct-ng armeb-unknown-linux-uclibcgnueabi
ct-ng build
The last command will take a very long time. On my machine it took about 45 minutes.

You can build a program using:
Code:
~/x-tools/armeb-unknown-linux-uclibcgnueabi/bin/armeb-unknown-linux-uclibcgnueabi-gcc -o hello hello.c
09.01.14, 22:15   #118
flipflop (registered since 27.02.13, rank: Z3, likes: 17)

Quote from hackerpeter:
If someone already has a working toolchain (linux-gnueabi-gcc, uclibc, binutils) it would be very kind to share the empty-binary file.
Here you go.

Last edited by flipflop (09.01.14 at 22:22)
10.01.14, 01:08   #119
mrproxy (registered since 31.12.13, rank: Facit NTK, likes: 0)

flip, please don't forget to use the corrected version 29 binary that someone sent to you via private message on the 4th of January for any testing or device recovery. Uploading the wrong binary of version 29 to the hitron (which is currently on git and currently missing some (65536 bytes) of its head) may cause major problems. You probably know that, I just wanted to make sure, because you did not answer said person.

I don't know if anyone else has got the wrong version, because I honestly don't know if and how you can download it from github.com.
The correct version I extracted from both flashes and joined together has 11013120 bytes. The smaller one (10947584 bytes) is the incomplete one, which no one should use (except for filesystem extraction, which works with both).
10.01.14, 03:26   #120
hackerpeter (registered since 03.01.14, rank: Facit NTK, likes: 1)

@flipflop
Awesome to see you are doing the same as I do/try.. my ct-ng build failed with some segfaults (don't know why yet). So I skipped building the cross compiler toolchain and uploaded your empty binary to my box. At least it is executable, a simple ./empty -h works. But I wasn't able to get it to do anything further, my output is always empty.
After looking into empty.c I think I found the reason.
Code:
#define tmpdir "/tmp"
Could you please change that line to /var/tmp and recompile it again? This assumption about /tmp existing on nearly all Linux systems isn't true for our box.
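The portability problem in the post above (a scratch directory fixed at compile time with a `#define`) disappears if the program picks the directory at run time. The following is an added example, not a patch to empty.c and not code from this thread: it probes a candidate list ($TMPDIR, then /tmp, then /var/tmp), so a box without /tmp falls through to /var/tmp without a recompile, and it creates the actual scratch directory with `mkdtemp` so that it is private to the process owner. The helper names and the candidate order are this example's own choices.

```c
/* Added example: choose a usable temp directory at run time instead of
 * hard-coding "/tmp".  Not a patch to empty.c; names are this example's own. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Is `path` an existing directory in which we may create entries? */
static int usable_dir(const char *path)
{
    struct stat st;
    if (path == NULL || *path == '\0')
        return 0;
    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    return access(path, W_OK | X_OK) == 0;
}

/* First usable directory from the NULL-terminated `candidates`, or NULL
 * when none of them exists and is writable (the caller must handle that
 * instead of silently failing later, which is what the hard-coded path did). */
const char *pick_tmpdir(const char *const *candidates)
{
    for (; *candidates != NULL; candidates++)
        if (usable_dir(*candidates))
            return *candidates;
    return NULL;
}

/* Default search order: $TMPDIR if set, then /tmp, then /var/tmp.
 * Returns a pointer to a string literal or to a static copy of $TMPDIR. */
const char *default_tmpdir(void)
{
    static char env_copy[4096];
    const char *env = getenv("TMPDIR");
    const char *candidates[4];
    int n = 0;
    if (env != NULL && strlen(env) < sizeof env_copy) {
        strcpy(env_copy, env);          /* length checked just above */
        candidates[n++] = env_copy;
    }
    candidates[n++] = "/tmp";
    candidates[n++] = "/var/tmp";
    candidates[n] = NULL;
    return pick_tmpdir(candidates);
}

/* Create a private scratch directory under `base` and return its path
 * (caller frees), or NULL on failure.  mkdtemp creates it with mode 0700,
 * so other local users cannot pre-create or replace files inside it. */
char *make_scratch_dir(const char *base)
{
    const char suffix[] = "/scratch.XXXXXX";
    size_t len = strlen(base) + sizeof suffix;   /* sizeof includes the NUL */
    char *tmpl = malloc(len);
    if (tmpl == NULL)
        return NULL;
    snprintf(tmpl, len, "%s%s", base, suffix);
    if (mkdtemp(tmpl) == NULL) {
        free(tmpl);
        return NULL;
    }
    return tmpl;
}

int main(void)
{
    const char *base = default_tmpdir();
    if (base == NULL) {
        fputs("no usable temp directory found\n", stderr);
        return 1;
    }
    char *dir = make_scratch_dir(base);
    if (dir == NULL) {
        perror("mkdtemp");
        return 1;
    }
    printf("using %s\n", dir);
    rmdir(dir);
    free(dir);
    return 0;
}
```

On a router where /tmp is absent, `default_tmpdir()` returns "/var/tmp"; on a desktop it returns "/tmp" unless TMPDIR points elsewhere. The run-time check also surfaces the failure case explicitly (a NULL return) rather than producing the silent empty output described above.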