Hitronhub CVE-30360 (Kabel Deutschland) WLAN Hack?

I still have no clue what initiates the software image upload. As you said somewhere before, there are no obvious ports open from the WAN side. I am not sure about an SNMP port because I have no experience with that.
It may be that some watchdog process checks for updates. There are enough processes in ps to suggest that. Have you run the dload command? I don't know what would happen or where the download would be stored. The dir command suggests (in my case) that I have two images present:

MAIN> dir

Filename in sector 1->CVE-30360-3.1.1.29-IMS-KDG-131106.sbn
Filename in sector 2->CVE-30360-3.1.1.22-IMS-KDG-130528.sbn
Selected sector is 1

and in my case the newer one is active. The dates of the sector 1 file match the dates found in the filesystem. Is 3.1.1.29 the newest image? Maybe a factory reset would get you the 3.1.1.22 image.
How did you get your image downloaded so that you could examine it?
It is vital that we get a new image onto a computer immediately to get the password. The easiest way to stop us would be a new image with a new password, unless you could get it onto your computer to search for the password.


Careful examination of the /etc/init.d/rcS script shows that there is a file /nvram/0/0 that steers the startup process. If you could change a string there you could make your own startup additions. Unfortunately nvread is used to extract a string and an integer, and there is no nvwrite. The workings of nvread are not completely clear to me, and if you change this file /nvram/0/0, booting may not be possible anymore. I suppose that nvread is a low-level block reader. Maybe there is another way to change things in nvram?
 
The newest firmware is 3.1.1.29, we have a zip of the extracted files in the git repo.

How did you get your image downloaded so that you could examine it?
It is vital that we get a new image onto a computer immediately to get the password. The easiest way to stop us would be a new image with a new password, unless you could get it onto your computer to search for the password.
A kind stranger posted a link to an ftp server where it was temporarily (it is now offline) possible to download the newest firmware. But you could also open the casing of the router, take the flash chip out and extract the firmware from there.
What password do you need?
 
Sorry, my question was not very clear. I mean that when a new software image is uploaded to our Hitron and the app password is changed, we have no way in. So far we have no way to prevent new software installation except by pulling the cable plug. X(

Is your method of analyzing software by pulling out the flash memory chip and reading it possible?

I would prefer another method...
 
Sorry, my question was not very clear. I mean that when a new software image is uploaded to our Hitron and the app password is changed, we have no way in.
That's right. Though the app password in version .29 is still the same. They changed something so that you cannot connect via either ssh or telnet anymore. Not that this means anything, but you may also have noticed a different LED flashing/solid-on pattern while booting.
Is your method of analyzing software by pulling out the flash memory chip and reading it possible?

I would prefer another method...
It is possible. That's how I obtained versions .22 and .29. http://s10.postimg.org/dodzm65ah/openheart1a.jpg It's sufficient to just lift the GND pin so that nothing but the flash IC is powered up. Anything else can be soldered on directly.
 
Great job so far,

the modem can be flashed with usbjtag, but I think it's not necessary

Flash layout:

0x20000(U-Boot)ro,
0x10000(env1),
0x10000(env2),
0x7b0000@0x40000(UBFI1),
0x7b0000@0x7f0000(UBFI2),
0x292400@0x10e000(RootFileSystem)ro,
0x50000@0xfb0000(nvram)

Thanks to sbhacker

There is an alternative firmware (forceware 1.2) made for the Puma 5 chipset (tnetc550w) with full user access; it works great on DOCSIS 3.0 Motorola modems (6120, 6141, etc). It should also work on the Hitron, but I think the tuner is not supported until now (mxl261 tuner??). Can somebody look into the tuner?

I don't have the Hitron, but you should always be able to get onto the modem via a serial connection with a USB-TTL cable: open up the modem and you will see a 4-pin connector (rx, tx, vcc, gnd) near the flash. Connect the cable and set the baud rate to 115200, open PuTTY or HyperTerminal, set the COM port and push open. After the modem has finished booting you should have shell/console access.

If you get kicked out after a few seconds by the Hitron, then try this:

Power on the Hitron, then short/connect pin 8 of the flash chip to GND. This will crash booting and give you shell access. I guess this has worked on all Puma 5 modems until now! Then you can flash firmware or bootloader, etc.
Thanks again to sbhacker

This is 2 years old but it may be helpful

https://github.com/duyunfu/U-boot/tree/master/docs/hitron

I will try to get a hitron on ebay and test it...:wink:

 
I am still trying to understand the initialization process of the modem. I see all kinds of RUN scripts in /etc/init.d and you might expect them to be started in the rcS script. But I don't see where exactly. Can anybody find the place or the script where these scripts (R??*) are run/started?

Errata: it seems that these scripts are started by the runall command in the /etc/scripts/sys_startup.sh file.

It seems many of the things done there are spawned and are still running after the last command in this sys_startup.sh file.
 
I found a way to make it all bootproof. That is, after a power down or a reboot you can immediately login with the standard app password.

For this you must do a few things:

- login as mentioned before in this thread.

- make a file /nvram/my_sys_startup.sh: cp /etc/scripts/sys_startup.sh /nvram/my_sys_startup.sh

- make it executable: chmod 755 /nvram/my_sys_startup.sh

- edit my_sys_startup.sh and put /nvram/init in it at the end.

- edit /nvram/init and change sleep 15 into sleep 180

- start the command line interpreter : cli

- enter: cable

- enter: system

- enter: startup

- enter: show

Current Startup Settings
========================
Automatic startup: Enabled
Current startup script filename: /etc/scripts/sys_startup.sh

- enter: filename /nvram/my_sys_startup.sh

- enter: show

Current Startup Settings
========================
Automatic startup: Enabled
Current startup script filename: /nvram/my_sys_startup.sh

- enter: quit

- check that everything is ok:

~ # nvread 0.0.1 str
/nvram/my_sys_startup.sh
~ # nvread 0.0.2 long
1

- check for the last time the my_sys_startup.sh file

- reboot

After about 3-4 minutes you can login with the default app password.
The sleep 180 in the init file is important: at first I had a sleep 60 and none of the statements in my init file (iptables and route commands) seemed to hold. Apparently the boot process did not complete in 1 minute. When you look at the logfile (logread) you can see that the whole boot process takes 3 minutes. I think you could change 180 into 120 but I am not in that much of a hurry.:wink:

When all this works you could simplify the init script and leave out the if statement: the script is executed only once (during boot).


Next job to do is look how to prevent an upload of new software...
 
Hi,

I have been following this thread since I have to deal with KD (same Hitron device) and was searching for an alternative firmware (not yet found). At first it wasn't necessary for me to collaborate here, because your second WiFi activation solution is the same one I found too. But now this new stupid firmware makes me crazy and I still haven't found a way to activate it again (yet).

Thank you flipflop and roald for finding out the login credentials and how to access via ssh. I tried to find the place where to enable WiFi again, but I think it is disabled directly by the Hitron WiFi firmware (/lib/modules/2.6.18_pro500/drivers/net/htwls.ko). Not sure if it reads a config file for this.

What I found out is something about the start process of our lovely piece of hardware. This will enable us to extend startup with custom commands, e.g. an iptables rule to enable ssh. I found these lines inside /etc/init.d/rcS
Code:
...
if test -f /nvram/0/sys_setup.sh
then
    # Start alternative system start up
    source /nvram/0/sys_setup.sh
else 
    # Start default system start up
...
On my device the file /nvram/0/sys_setup.sh does not exist, so the default start up is used. But nvram is nonvolatile, so create it :D
What I did is create this file with the same instructions as the default start up and add a new line sourcing my custom start up extensions located in /nvram.
Code:
~ # more /nvram/0/sys_setup.sh
#!/bin/sh
# Start default system start up  

# Disable low priority prints from the Kernel
echo 5 > /proc/sys/kernel/printk

# Setup IPv6 default parameters
echo 0 > /proc/sys/net/ipv6/conf/default/autoconf
echo 0 > /proc/sys/net/ipv6/conf/default/dad_transmits
echo 0 > /proc/sys/net/ipv6/conf/default/accept_ra   
echo 0 > /proc/sys/net/ipv6/conf/default/accept_redirects
echo 0 > /proc/sys/net/ipv6/conf/default/router_solicitations

# Start ICC service
if test -f /usr/sbin/iccctl
then
    /usr/sbin/iccctl start
fi

# Start custom system start up
if test -f /nvram/custom_startup.sh
then
    source /nvram/custom_startup.sh
fi
My custom_startup.sh is just the entry point to run commands in the background. So to enable ssh again I have a second script enable_ssh.sh; you can see both here.
Code:
~ # more /nvram/custom_startup.sh 
#!/bin/sh
#

# Custom startup extensions
/nvram/enable_ssh.sh &

~ # more /nvram/enable_ssh.sh 
#!/bin/sh
#
sleep 180
# add iptables rule to allow ssh on default port 22
iptables -I LOCAL_MANAGEMENT_CONTROL 1 -p tcp --dport 22 -j ACCEPT
I still hope someone is able to find out how to enable the WiFi. I also tried to set wireless to true in /nvram/.rgsetup.cfg, but after a reboot this file has the default content again.

I hope my two cents help you guys.

Edit: changed the sleep timeout to 180, roald is right - it is good to wait here a little bit longer ;)
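Added example (not posted by roald or Peter, and not part of the thread): a small pre-reboot check for the persistent-startup trick from the two posts above. Both recipes depend on the same two things, and roald's post warns that if either is wrong the boot stops before the startup scripts run: the custom script must still contain everything the stock /etc/scripts/sys_startup.sh does (only additions at the end), and nvram 0.0.1 must name the custom script while 0.0.2 (automatic startup) is 1. The script assumes the nvread command and the paths from roald's recipe, and that its outputs look exactly as quoted in the thread; for Peter's variant you would point STOCK at a file holding the stock commands copied from rcS and skip check_nvram.

```shell
#!/bin/sh
# Added example, not from the thread: sanity check before "reboot" for the
# /nvram startup trick. Defaults are the paths from roald's recipe (assumed).

STOCK=${STOCK:-/etc/scripts/sys_startup.sh}
CUSTOM=${CUSTOM:-/nvram/my_sys_startup.sh}

# check_script STOCK CUSTOM
# 0 if CUSTOM exists, is executable, and begins with the complete contents of
# STOCK, so that everything the stock script does still happens at boot.
check_script() {
    stock=$1; custom=$2
    [ -f "$custom" ] || { echo "missing: $custom"; return 1; }
    [ -x "$custom" ] || { echo "not executable (chmod 755): $custom"; return 1; }
    n=$(wc -l < "$stock" | tr -d ' ')
    if ! head -n "$n" "$custom" | cmp -s - "$stock"; then
        echo "first $n lines of $custom differ from $stock (only append!)"
        return 1
    fi
    return 0
}

# check_nvram EXPECTED_FILENAME
# Reads back what the cli "startup / filename" step wrote, exactly like the
# two nvread commands quoted in the thread, and checks both values.
check_nvram() {
    expected=$1
    name=$(nvread 0.0.1 str) || { echo "nvread 0.0.1 failed"; return 1; }
    auto=$(nvread 0.0.2 long) || { echo "nvread 0.0.2 failed"; return 1; }
    [ "$name" = "$expected" ] || { echo "startup filename is '$name', expected '$expected'"; return 1; }
    [ "$auto" = "1" ] || { echo "automatic startup is '$auto', must be 1"; return 1; }
    return 0
}

# preflight: both checks must pass; if either fails, do not reboot.
preflight() {
    check_script "$STOCK" "$CUSTOM" && check_nvram "$CUSTOM"
}

# Usage on the modem:  sh preflight.sh --check && reboot
if [ "${1:-}" = "--check" ]; then
    if preflight; then echo "OK to reboot"; else echo "DO NOT REBOOT"; exit 1; fi
fi
```

Run it as `sh preflight.sh --check && reboot` so a failed check never reaches the reboot. The bricked modem MRPROXY reports later in the thread is exactly the failure this is meant to catch: a startup pointer or a startup file that no longer matches the stock one.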
 
From what I see in Peter's reply we have different software. What version do you have? I have
CVE-30360-3.1.1.29-IMS-KDG-131106.sbn.

You can find this in cli, rg, dir.

Errata: I am sorry, it is the same software I think.
Funny that we found almost the same trick to make it work.

Sorry, but I am not that much interested in the WLAN thing. I have a cheap WLAN access point just after the Hitron.
But the whole WLAN on/off thing was created by some stupid KD marketeers: it only inspires people to try to hack the modem.

If it was made possible for me to add some routes, I would not have gone to all the trouble. The other side of my openvpn network is a speedtouch modem in which I can change many things on the command line in a cli. Not so many have been sold as this Hitron modem but nobody is interested in hacking that modem (because you can do your thing in a cli??)
 
In the cli I have seen the command dload in two places. It takes three parameters: <tftp-ip> < filename > < interface name/number>

I started that with some fantasy names and it started the command /usr/sbin/sw-dl.

sw-dl takes these parameters: <trigger><sector><filename><IP type><server address> <interface name>[-d <dest point>][-n]


I then got a bit nervous and stopped it all.
I suppose it has all kinds of failsafes but maybe somebody else has the nerve (this Hitron modem is my only link with civilization):wink:
 
All I can say is that I totally bricked my Hitron trying to modify the startup as described. Unfortunately, luma88's tricks for emergency recovery don't work for me (pin 8 to GND).

No web interface, no ethernet port LEDs on, only 1 LED on the Hitron solid green; another red one is on for a couple of seconds, then the red turns off and a few seconds later the Hitron reboots. -> BRICKED

I don't know what mode you put the Hitron into when pressing and holding the reset button and then turning on the Hitron. One LED is solid green, the ethernet LEDs turn on, and I think the WiFi LED is flashing. I thought this was some kind of emergency recovery mode. I tried web interface access AND tftp firmware upload, no luck. -> BRICKED

No more fast internet for me I guess...

:rolleyes:

edit: I don't blame anyone but myself. I just shared this to make sure others will be more careful!
 
I am very sorry to hear that.

Did you follow my tricks or those of Peter? As far as I can see they come down to the same thing.

If you followed my suggestions, did you check with the nvread statements that they pointed to the right file and that automatic boot was still enabled?

That is the most tricky part: if that is not correct or the file is not similar to the standard /etc/scripts/sys_startup.sh file, the boot will stop and the startup scripts will not run.

The contents of the /nvram/init script are not so important: if something goes wrong there, all other scripts will still complete (and you will have your web interface).

I am sorry but I don't know anything about a recovery boot, but I think it must be possible in some way to boot into the factory reset image.
 
I followed Peter's instructions. I don't know what I did wrong.

luma88, do you have more information about the flash layout?

Flash layout:

0x20000(U-Boot)ro,
0x10000(env1),
0x10000(env2),
0x7b0000@0x40000(UBFI1),
0x7b0000@0x7f0000(UBFI2),
0x292400@0x10e000(RootFileSystem)ro,
0x50000@0xfb0000(nvram)
I'm asking because at 0xfb0000 I don't see the NVRAM content (I have extracted the whole 128 Mbit of both flash chips).
 
In the modem I found this memory map:

MTDs:
dev: size erasesize name
mtd0: 00020000 00010000 "U-Boot"
mtd1: 00010000 00010000 "env1"
mtd2: 00010000 00010000 "env2"
mtd3: 00fb0000 00010000 "UBFI1"
mtd4: 00fb0000 00010000 "UBFI2"
mtd5: 00972800 00010000 "RootFileSystem"
mtd6: 00050000 00010000 "nvram"
mtd7: 01000000 00010000 "sf0"
mtd8: 01000000 00010000 "sf1"

It looks different from your list to me.

a bit more:

NVRAMSIZE=0x50000
NVRAMOFFSET=0x1fb0000
ubootpartsize=0x20000
envpartsize=0x10000
UBFIADDR1=0x48040000
UBFIADDR2=0x48ff0000
UBFIPARTSIZE=0xfb0000
ver=U-Boot 1.2.0-g74a31715 (Nov 24 2011 - 14:53:41)
PSPU-Boot 1.0.16.22-H2.8.7
 
Now I understand that they spread the whole data over two flash chips as if it was one big one.

Map of the flash chips:
Code:
the one on the top of the pcb:
offset       size         description
0x00000000   0x00020000   u-boot
0x00020000   0x00010000   env1
0x00030000   0x00010000   env2
0x00040000   0x00FB0000   UBFI1 (CVE-30360-3.1.1.22-IMS-KDG-130528.bin in my case)
0x00FF0000   0x00010000   UBFI2 (CVE-30360-3.1.1.29-IMS-KDG-131106.bin in my case) (part 1/2)

the one on the bottom of the pcb:
0x00000000   0x00FA0000   UBFI2 (CVE-30360-3.1.1.29-IMS-KDG-131106.bin in my case) (part 2/2)
0x00FB0000   0x00050000   NVRAM
The flash was read with a microcontroller while the Hitron was turned off.

env1 and env2: I don't know exactly what the use of those two is. Anyone who is interested can see env1 here: .29 env1 readable - Pastebin.com . To make it easier to read I replaced 0x00 with "<NULL>" and added a newline after that. Also I added newlines after every ";".
They have some interesting things in them, I guess.
env1 and env2 are exactly the same except for one byte: in env1 the byte is 0, in env2 this byte is 1 (byte offset in env1 and env2: 4, so pretty much at the beginning).

Please understand that I cannot share the complete images of the two onboard flashes without being sure that they don't contain personal information about me or information that can tell my ISP who I am.
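Added example (not MRPROXY's code, and not part of the thread): the per-chip table above can be derived from the linear numbers posted earlier (the MTD sizes, UBFIADDR1/2, UBFIPARTSIZE=0xfb0000 and NVRAMOFFSET=0x1fb0000), assuming the 32 MiB linear space is simply sf0 followed by sf1 at 16 MiB each. The script takes that linear map (constructed here from those values; RootFileSystem is left out because it lives inside a UBFI image) and splits every region across the two chips. The result reproduces the post's table, including UBFI2 split into 0x10000 bytes at the end of the top chip and 0xFA0000 bytes at the start of the bottom chip, and NVRAM at bottom-chip offset 0xFB0000. The 0x10000 between the end of UBFI2 and NVRAMOFFSET is not covered by any of the posted values.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces the two-chip split from the
# linear partition table: the MTD sizes and the env values (UBFIADDR1/2,
# UBFIPARTSIZE, NVRAMOFFSET) describe one 32 MiB address space, while the
# board carries two 16 MiB (128 Mbit) SPI chips, sf0 and sf1.
# Assumed: the linear space is chip 0 (top of the PCB) followed by chip 1.

CHIP_SIZE=$((0x1000000))   # 16 MiB per chip (128 Mbit)

# Linear map, constructed from the thread's numbers: name start size.
# RootFileSystem lives inside a UBFI image, so it is not a separate region.
LINEAR_MAP='U-Boot 0x0 0x20000
env1 0x20000 0x10000
env2 0x30000 0x10000
UBFI1 0x40000 0xfb0000
UBFI2 0xff0000 0xfb0000
nvram 0x1fb0000 0x50000'

# chip_of ADDR -> which chip a linear address falls on (0 = top, 1 = bottom)
chip_of() { echo $(( $1 / CHIP_SIZE )); }

# chip_offset ADDR -> offset of a linear address within its chip
chip_offset() { printf '0x%08x\n' $(( $1 % CHIP_SIZE )); }

# split_region NAME START SIZE
# Prints one line per chip the region touches: "NAME chipN offset length".
split_region() {
    name=$1; start=$(( $2 )); left=$(( $3 ))
    while [ "$left" -gt 0 ]; do
        chip=$(( start / CHIP_SIZE ))
        off=$(( start % CHIP_SIZE ))
        room=$(( CHIP_SIZE - off ))          # bytes left until the end of this chip
        len=$(( left < room ? left : room ))
        printf '%-6s chip%d 0x%08x 0x%08x\n' "$name" "$chip" "$off" "$len"
        start=$(( start + len )); left=$(( left - len ))
    done
}

# print_map -> the full per-chip table
print_map() {
    echo "$LINEAR_MAP" | while read -r name start size; do
        split_region "$name" "$start" "$size"
    done
}

print_map
```

The same arithmetic explains the earlier confusion: luma88's single-chip style list puts nvram at 0xfb0000, which is the correct offset, but on the second chip (linear 0x1fb0000), not the first.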
 
The things you found in env1 and env2 can also be seen when you are in the cli: system>environment.

I don't know what that is, but they call it environment.:wink:
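Added example (not part of the thread): a shell reader for env1/env2 that does what MRPROXY did by hand (turn NUL into newlines) and also picks out the byte at offset 4. The assumption here, which the thread does not confirm, is that env1/env2 use U-Boot's redundant-environment layout: a 4-byte CRC32, then one flag byte where 1 marks the copy U-Boot treats as current, then NUL-separated key=value strings ending in a double NUL. That would explain why the two copies differ only in byte 4. The input is a constructed sample (zeroed CRC, a few of the variables roald listed from the cli); the CRC is not checked.

```shell
#!/bin/sh
# Added example (not from the thread). Reads a U-Boot environment block:
# bytes 0-3 CRC32 (not verified here), byte 4 flag (assumed: 1 = active copy),
# then "key=value" strings separated by NUL and terminated by a double NUL.
# The layout is an assumption; the thread only reports that byte 4 differs.

# env_flag FILE -> the flag byte at offset 4 as a decimal number
env_flag() { od -An -tu1 -j 4 -N 1 "$1" | tr -d ' \n'; }

# env_vars FILE -> one "key=value" per line, stopping at the double NUL
env_vars() { tail -c +6 "$1" | tr '\000' '\n' | awk '/^$/ { exit } { print }'; }

# env_get FILE KEY -> the value of KEY (empty if absent)
env_get() { env_vars "$1" | sed -n "s/^$2=//p"; }

# env_active ENV1 ENV2 -> the copy whose flag is 1; ENV1 if neither is
env_active() {
    if [ "$(env_flag "$1")" = "1" ]; then echo "$1"
    elif [ "$(env_flag "$2")" = "1" ]; then echo "$2"
    else echo "$1"; fi
}

# make_sample_env FILE FLAG
# Writes a constructed env block: four zero bytes where the CRC would be,
# the flag byte, then a few variables quoted in the thread, double-NUL end.
make_sample_env() {
    printf '\000\000\000\000' > "$1"
    printf "\\$(printf '%03o' "$2")" >> "$1"
    printf 'NVRAMSIZE=0x50000\000NVRAMOFFSET=0x1fb0000\000ver=U-Boot 1.2.0-g74a31715\000\000' >> "$1"
}

# Usage: sh uboot_env.sh --demo   (builds env1/env2 samples and dumps them)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_env "$tmp/env1" 0
    make_sample_env "$tmp/env2" 1
    echo "active copy: $(env_active "$tmp/env1" "$tmp/env2")"
    env_vars "$tmp/env2"
    rm -rf "$tmp"
fi
```

On a real dump from mtd1/mtd2 the same functions apply unchanged; only the CRC check is missing, which matters if you ever intend to write an environment back rather than just read it.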
 
I am almost certain that the download (of new software) is done by a program /usr/sbin/sw_dl. There are all kinds of strings talking of images OK or not, CRC checks and tftp and such. This program is called once at boot and is not a daemon. I suppose it ends when there is nothing to download (no new image to install?) or when a new image is installed.

So maybe, when you never boot, you won't get a new image?
Or when you boot and immediately kill sw_dl , when it runs, you keep your current image? Not a nice method but ...
 
MRPROXY: can you already say that your nvram seems correct: contains the file you made with the correct contents?
 