
Thread: Hitronhub CVE-30360 (Kabel Deutschland) WLAN Hack?

  #106

    Registered since: 03.01.14

    Just checked KD website searching for possible downloads. This is more than crazy. Current online order benefit is free WiFi modem (50Mbit+ package).

    Maybe they will rethink current policy and will remove this WiFi disable crap from current firmware images again. (I have a dream...)

  #107

    Registered since: 27.03.13

    Indeed, they offer all new customers of "Internet & Telefon 25, 50, 100" the WLAN option free of charge for the duration of the contract.

    Now that's what I call customer service. Just don't upgrade the existing customers, whatever you do.

  #108

    Registered since: 31.12.13

    According to KD, a new hitron piece of crap is 150 to 200 eur. Just the hitron, no on-site service. Unbelievable. Be careful not to brick it.

  #109

    Registered since: 27.02.13

    I knocked together a small Windows tool so that non-experts can enable their WLAN too. Here is a short description:

    1. Download the tool and unpack it
    2. Change into the hitron folder
    3. Restart the router using its switch
    4. Run hitron.exe
    5. Wait until it has finished ("Could not connect" messages are normal)


    Code:
    > hitron.exe --help
    
    Usage: hitron.exe [options]
    
    Options:
      -h, --help            show this help message and exit
      -r ROUTER, --router=ROUTER
                            ip of router
      -u USERNAME, --username=USERNAME
                            username
      -p PASSWORD, --password=PASSWORD
                            password
      -l LOG, --log=LOG     logging of responses
      -s SSH, --ssh=SSH     open ssh port
    The source code is here.

    Linux users can also use the program, which is written in Python. The only thing that needs to be installed is the Python package paramiko, available via easy_install/pip.

    The program uses the method discovered by hackerpeter (cli->rg->Wls).

  #110

    Registered since: 03.01.14

    @flipflop: thx for automation of the necessary work from PC / "client" side

    Btw. I am still trying to automate the stuff directly on the box itself, to solve the last drawback with restarts of the box. My first attempts failed to do that. But now I think I found a possible way.

    Problem is, I don't have much time for playing here. Real task to enable wireless again is solved, so everything else is fun/luxury on top.

    What I am trying is to build a cross compiler toolchain for this specific ARM architecture (ARMv6b). I want to compile this very small but FUCKING awesome tool called "empty".
    empty - run processes and applications under pseudo-terminal (PTY) sessions (replace TCL/Expect with shell)
    or see it in action on Youtube
    Hak5 - Automate Interactive Processes in Linux without TCL/Expect, Hak5 1107.1 - YouTube
    Basically it is a pure C alternative for the very known expect tool. The cool thing here is, that it is working on a file base so you could work with all our usual shell friends like grep, sed, awk ... check out the Youtube video

    If someone already has a working toolchain (linux-gnueabi-gcc, uclibc, binutils) it would be very kind to share the empty-binary file.
    Last edited by hackerpeter (09.01.14 at 02:38)

  #111

    Registered since: 27.02.13

    Quote from hackerpeter:
    If someone already has a working toolchain (linux-gnueabi-gcc, uclibc, binutils) it would be very kind to share the empty-binary file.
    I am interested in that too. Will try to build that thing soon.

    The next thing I plan on doing is making a new firmware with nice additions(like python installed) and the update/block ssh port stuff removed.

  #112

    Registered since: 26.12.13

    Hi Flipflop, have you any ideas on installing firmware without a hardware reflash? I, at least, haven't got the equipment to do that and I prefer a 'software' method.

    Have you ideas on blocking a software update for the time being (where we still can't reflash the Hitron ourself)?

  #113

    Registered since: 27.02.13

    Quote from roald:
    Hi Flipflop, have you any ideas on installing firmware without a hardware reflash? I, at least, haven't got the equipment to do that and I prefer a 'software' method.
    You can use cli->rg->dload command. Parameters are:
    Code:
    dload $1 $2 $3
        $1 - A.B.C.D   TFTP server IP address
        $2 - STRING   filename of CM software
        $3 -
               0     download via LAN interface
               1     download via RF interface
               2     download via CPE interface
    So basically all you have to do is install a tftp server, do something like
    Code:
    dload x.x.x.x uberfirmware-v1.0 0
    and it should place the new firmware in sector 2 (check with cli->rg->dir).
    Then do
    Code:
    bootfrom 2 (is that correct?)
    and it should be booting from sector 2.

    For modification of current firmwares use firmware-mod-kit. It allows to unpack and repack the firmware files.
    So what you do is you unpack the thing, do your modification and repack it.

    If you want to put new binary programs onto the router you need to build the toolchain for it.
    For this you can use crosstool-ng. I don't know the exact configuration you need. Currently trying
    "armeb-unknown-linux-uclibcgnueabi".

    Hints regarding arch/libs/config:
    Code:
    > file firmwares/3.1.1.29/bin/ls
    ELF 32-bit MSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), stripped
    Code:
    > objdump -p firmwares/3.1.1.29/bin/ls
    (...)
    Dynamic Section:
      NEEDED               libHtxShareUtils.so
      NEEDED               libm.so.0
      NEEDED               libpam.so.0
      NEEDED               libpam_misc.so.0
      NEEDED               libc.so.0
    (...)
    Code:
    > uname -a
    Linux CVE-30360 2.6.18_pro500 #1 PREEMPT Thu Sep 5 11:45:11 GMT 2013 armv6b GNU/Linux
    -> linux kernel 2.6.18
    -> arch is ARM
    -> MSB / big endian
    -> uses uClibc version 0.9.29

    Quote from roald:
    Have you ideas on blocking a software update for the time being (where we still can't reflash the Hitron ourself)?
    sw_dl is the tool that flashes the firmware onto the device, so removing it will stop updates.
    I will build a firmware where sw_dl is backed up and replaced with a program that does nothing. That way programs that call it do not fail.
    Last edited by flipflop (09.01.14 at 20:22)

  #114

    Registered since: 26.12.13

    Thanks for your quick answer.

    I am afraid I can't help you with your toolchain; you are obviously more knowledgeable in C and cross-compiling.

    I think you're right about how you could do an update yourself from your own ftp server. In my question I also meant that as long as we can't do it the way you describe, we are vulnerable to a new software installation (alas only when you have to reboot, if I am correct). I think that blocking the tftp OUTPUT port just after the runall statement is not enough. What do you think? (But it can't do any harm either.)

    I just noticed something strange in my Hitron:

    - I once did a dir (cli>rg>dir) and this was the reply:
    MAIN> dir

    Filename in sector 1->CVE-30360-3.1.1.29-IMS-KDG-131106.sbn
    Filename in sector 2->CVE-30360-3.1.1.22-IMS-KDG-130528.sbn
    Selected sector is 1

    - today I did it again:

    Filename in sector 1->CVE-30360-3.1.1.29-IMS-KDG-131106.sbn
    Filename in sector 2->EMPTY IMAGE
    Selected sector is 1

    I think this is a result of a dload or sw_dl command I may have given and terminated. So this suggests that a new dload comes in sector2. Bootfrom 2 would boot from the new installed software. But what would happen if this boot doesn't succeed. Would it then boot next time from sector 1?

  #115

    Registered since: 27.02.13

    Quote from roald:
    I am afraid I can't help you with your toolchain; you are obviously more knowledgeable in C and cross-compiling.
    Actually this is the first time I do stuff like this

    Quote from roald:
    I think that blocking the tftp OUTPUT port just after the runall statement is not enough. What do you think? (But it can't do any harm either.)
    If the output port is always the same go for it.

    Quote from roald:
    I think this is a result of a dload or sw_dl command I may have given and terminated.
    Yes it is. Sector 2 gets nuked before the tftp download. You fed it no firmware so the sector stays empty. Also dload calls sw_dl with some more parameters set.

    Quote from roald:
    So this suggests that a new dload comes in sector2. Bootfrom 2 would boot from the new installed software. But what would happen if this boot doesn't succeed. Would it then boot next time from sector 1?
    That's a good question. Better to not try it

  #116

    Registered since: 26.12.13

    So, it may be wise to tftp the normal image .29 from your own ftp server with no changes and see if the upload is successful. After that you can make changes in the image and hope everything goes well too.

    That is how I would do it, anyway (for what it's worth).

    Hopefully you would never have to find out if you can boot from the old image if the new image won't start. But you might still wonder ...

  #117

    Registered since: 27.02.13

    armeb-unknown-linux-uclibcgnueabi is the correct toolchain.
    I just compiled a simple program and it works on the router.

    Here the listing of commands:
    Code:
    sudo apt-get install build-essential libncurses5-dev
    sudo apt-get install automake libtool bison flex texinfo
    sudo apt-get install libexpat1-dev python-dev
    wget http://crosstool-ng.org/download/crosstool-ng/crosstool-ng-1.19.0.tar.bz2
    tar -xf crosstool-ng-1.19.0.tar.bz2
    cd crosstool-ng-1.19.0
    ./configure
    make
    sudo make install
    cd ..
    mkdir toolchain
    cd toolchain
    ct-ng armeb-unknown-linux-uclibcgnueabi
    ct-ng build
    The last command will take very long. On my machine it took like 45 minutes.

    You can build a program using:
    Code:
    ~/x-tools/armeb-unknown-linux-uclibcgnueabi/bin/armeb-unknown-linux-uclibcgnueabi-gcc -o hello hello.c

  #118

    Registered since: 27.02.13

    Quote from hackerpeter:
    If someone already has a working toolchain (linux-gnueabi-gcc, uclibc, binutils) it would be very kind to share the empty-binary file.
    Here you go.
    Last edited by flipflop (09.01.14 at 22:22)

  #119

    Registered since: 31.12.13

    Flip, please don't forget to use the corrected version 29 binary that someone sent to you via private message on the 4th of January for any testing or device recovery. Uploading the wrong binary of version 29 to the Hitron (which is currently on git and currently missing some (65536 bytes) of its head) may cause major problems. You probably know that, I just wanted to make sure, because you did not answer said person.

    I don't know if anyone else has got the wrong version, because I honestly don't know if and how you can download it from github.com.
    The correct version I extracted from both flashes and joined together has 11013120 bytes. The smaller one (10947584 bytes) is the incomplete one, which no one should use (except for filesystem extraction, which works with both).
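
Two checks worth running before anything is pushed to the box, as an added example (not code from this thread, from flipflop's tool or from the Hitron firmware): the ELF check applies the arch facts from #113 and #117 (a binary for the router must be ELF 32-bit, big-endian, ARM, hence the armeb toolchain), and the size check applies the image sizes from #119. The sample headers at the bottom are constructed, not real router binaries.

```python
# Added example, not code from the thread. Pre-flash sanity checks for the
# CVE-30360: the router's own binaries are "ELF 32-bit MSB ... ARM", and the
# complete 3.1.1.29 image is 11013120 bytes, the head-truncated copy 10947584.
import struct

ELF_MAGIC = b"\x7fELF"
EM_ARM = 40                 # e_machine value for ARM in the ELF specification
GOOD_IMAGE_SIZE = 11013120  # joined from both flashes (post #119)
TRUNCATED_SIZE = 10947584   # incomplete copy missing 65536 bytes of its head

def elf_target_info(data: bytes) -> dict:
    """Read the ELF identification bytes and e_machine of a binary and say
    whether it matches the router: 32-bit, big-endian (MSB), ARM."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]      # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unknown ELF class or data encoding")
    endian = ">" if ei_data == 2 else "<"     # 2 = ELFDATA2MSB (big endian)
    # e_type and e_machine are the two halfwords right after the 16-byte e_ident
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    info = {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "MSB" if ei_data == 2 else "LSB",
        "machine": "ARM" if e_machine == EM_ARM else "other(%d)" % e_machine,
        "e_type": e_type,
    }
    info["matches_router"] = (info["bits"] == 32 and info["endian"] == "MSB"
                              and info["machine"] == "ARM")
    return info

def classify_image(size: int) -> str:
    """Decide from its size whether a firmware image is safe to hand to dload."""
    if size == GOOD_IMAGE_SIZE:
        return "complete 3.1.1.29 image"
    if size == TRUNCATED_SIZE:
        return "truncated image, missing %d-byte head, do not flash" % (
            GOOD_IMAGE_SIZE - TRUNCATED_SIZE)
    return "unknown image size %d, do not flash" % size

# Constructed 20-byte sample headers, not real binaries from the router:
ROUTER_LIKE = ELF_MAGIC + bytes([1, 2, 1]) + b"\x00" * 9 + struct.pack(">HH", 2, EM_ARM)
X86_64_LIKE = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9 + struct.pack("<HH", 2, 62)

if __name__ == "__main__":
    print(elf_target_info(ROUTER_LIKE))   # matches_router: True
    print(elf_target_info(X86_64_LIKE))   # matches_router: False
    print(classify_image(TRUNCATED_SIZE))
```

On a real file, pass the first 20 bytes of the compiled program to elf_target_info and the image's byte count to classify_image before running dload.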

  #120

    Registered since: 03.01.14

    @flipflop
    Awesome to see you are doing the same as I do/try. My ct-ng build failed with some segfaults (don't know why yet). So I skipped building the cross compiler toolchain and uploaded your empty binary to my box. At least it is executable, a simple ./empty -h works. But I wasn't able to get it further doing something, my output is always empty.
    After looking into empty.c I think I found the reason.
    Code:
        106 #define tmpdir "/tmp"
    Could you please change that line to /var/tmp and recompile it again? This assumption about /tmp existing on nearly all Linux systems isn't true for our box.
