
Hacking HP ProCurve 1810G-8

27 Jan 2010 | category: Hacking
#hacking #reverseengineering #HP1810G


I recently bought a new switch for my new apartment and of course I immediately started to research what's inside the box. :)

Here, briefly, is some of the interesting information I have found so far.

  • The web GUI is not as bad as they normally are
  • There is a debug console on the serial port
  • I found lots of commands (there is no help of any kind at the console)
  • Board: BCM953314R24GS
  • CPU type 0x29050: 200MHz
  • Total memory: 0x1000000 bytes (16MB)
  • SmartPATH (core OS or boot loader)
  • eCos 2.0 system inside
  • The web server is called emweb

WEB-management

There is not much to say about web management since I have not yet found anything interesting (related to hacking) in it. The web management pages are basically just HTML and JavaScript, and all configuration is uploaded by POSTing data to the web server. You have to have a cookie to do anything with web management (except under /filesystem/*, which can serve the current configuration or image), and the cookie is naturally created during authentication.

Serial console

I'm not so familiar with hardware hacking, but I also checked out what's inside the box. I noticed nine pins and the text "console" on the board, and I immediately started searching for my old adapter for a small tomato motherboard, which has exactly the same kind of pins to provide a serial port. I found it and it worked. In Linux:

$ cu -s 9600 -l /dev/ttyUSB0 # and one enter
SmartPATH Debug >

Whole boot output: hp-bootup.txt

There is no help, manual or anything to show what commands are available. I started randomly trying basic commands at the console and found that there are at least "ifconfig" and "reboot" commands. That's not enough, so I started googling and found nothing. I had to figure out something else. (I soon did.)

Reverse engineer image-file

You can download a backup image (and the configuration) file from web management, and I started to wonder whether there might be some kind of lead to do something more. After lots of attempts to unpack the image file, I noticed in the console that there is a mention of 7zip support. I installed 7zip on my Linux box and lalaaa, the image was extracted. Just:

$ 7z e switchdrvr.stk
7-Zip 9.04 beta  Copyright (c) 1999-2009 Igor Pavlov  2009-05-30
7zip Version 9.04 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,2 CPUs)

Processing archive: switchdrvr.stk

Extracting  switchdrvr.bin

Everything is Ok

Size:       6562892
Compressed: 1689146

The file command can tell us about the extracted bin:

$ file switchdrvr.bin 
switchdrvr.bin: ELF 32-bit MSB executable, MIPS, MIPS32 version 1 (SYSV), statically linked, stripped

I started googling about ELF files and so on, found out that there are ELF tools for Linux, and started trying all kinds of stuff. E.g.:

$ readelf -a switchdrvr.bin
Section Headers:
[Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
[ 0]                   NULL            00000000 000000 000000 00      0   0  0
[ 1] .rom_vectors      PROGBITS        80041000 001000 0000bc 00  AX  0   0  1
[ 2] .init             PROGBITS        800410bc 642000 000000 00   W  0   0  1
[ 3] .text             PROGBITS        800410bc 0010bc 474888 00  AX  0   0 64
[ 4] .fini             PROGBITS        804b5944 642000 000000 00   W  0   0  1
[ 5] .rodata           PROGBITS        804b5948 475948 14bf08 00   A  0   0  8

Full output: full-output-readelf-a.txt

While reading the section 5 information I found something interesting:

$ readelf -p 5 switchdrvr.bin
...
[   7ec]  ../../../bsp/cpu/common/ecos/ipl/bootos.c
[   818]  clearConfig
[   824]  saveconfig
[   830]  setdhcp
[   838]  configDump
[   844]  hapiBroadDebugPkt
[   858]  logClear
[   864]  logConsole
[   870]  logShow
[   878]  mbufShow
[   884]  memShow
.... 

Full output: readelf-p-5-output.txt
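The two steps above, identifying the extracted file and dumping the strings of a named section, can be reproduced without readelf. The following is an added example and not code from the original post or from HP: a minimal parser for big-endian ELF32 images that recognises the 7z wrapper and the ELF header the way `file` does, walks the section header table, and prints the NUL-terminated printable strings of one section the way `readelf -p` does. The sample image it is tested against is constructed inline (a tiny MIPS ELF with a .rodata holding a few of the command names from the real switch) and is not the real switchdrvr.bin; the parser itself is generic and can be pointed at any big-endian ELF32 file.

```python
# Added example (not from the original post): ELF32 MSB section parser
# covering what `file` and `readelf -p` showed on the switch image.
import struct
from typing import Dict, List, Tuple

SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"   # header of the .stk wrapper
ELF_MAGIC = b"\x7fELF"
EM_MIPS = 8                              # e_machine value for MIPS


def identify(blob: bytes) -> str:
    """Coarse equivalent of `file`: recognise the 7z wrapper and ELF images."""
    if blob.startswith(SEVENZIP_MAGIC):
        return "7-zip archive"
    if blob.startswith(ELF_MAGIC):
        bits = {1: "32-bit", 2: "64-bit"}.get(blob[4], "unknown class")
        endian = {1: "LSB", 2: "MSB"}.get(blob[5], "unknown endian")
        fmt = ">H" if blob[5] == 2 else "<H"
        machine = struct.unpack(fmt, blob[18:20])[0]   # e_machine follows e_type
        arch = "MIPS" if machine == EM_MIPS else f"machine {machine}"
        return f"ELF {bits} {endian} {arch}"
    return "unknown"


def parse_sections(blob: bytes) -> Dict[str, Tuple[int, int]]:
    """Return {section_name: (file_offset, size)} for a big-endian ELF32 image."""
    if blob[:4] != ELF_MAGIC or blob[4] != 1 or blob[5] != 2:
        raise ValueError("expected a big-endian ELF32 image")
    # Elf32_Ehdr fields after e_ident (16 bytes): type, machine, version, entry,
    # phoff, shoff, flags, ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    (_type, _machine, _ver, _entry, _phoff, shoff, _flags, _ehsize,
     _phentsize, _phnum, shentsize, shnum, shstrndx) = struct.unpack(
        ">HHIIIIIHHHHHH", blob[16:52])
    headers = []
    for i in range(shnum):
        off = shoff + i * shentsize
        # Elf32_Shdr starts: name, type, flags, addr, offset, size (4 bytes each)
        sh_name, _t, _f, _a, sh_off, sh_size = struct.unpack(">IIIIII", blob[off:off + 24])
        headers.append((sh_name, sh_off, sh_size))
    str_off = headers[shstrndx][1]          # section-name string table
    sections = {}
    for sh_name, sh_off, sh_size in headers:
        end = blob.index(b"\x00", str_off + sh_name)
        name = blob[str_off + sh_name:end].decode("ascii", "replace")
        sections[name] = (sh_off, sh_size)
    return sections


def dump_strings(blob: bytes, section: str, min_len: int = 4) -> List[str]:
    """Like `readelf -p`: NUL-terminated printable strings from one section."""
    off, size = parse_sections(blob)[section]
    out = []
    for chunk in blob[off:off + size].split(b"\x00"):
        if len(chunk) >= min_len and all(32 <= b < 127 for b in chunk):
            out.append(chunk.decode("ascii"))
    return out


def build_sample_image() -> bytes:
    """Constructed stand-in for switchdrvr.bin: an ELF32 MSB MIPS shell whose
    .rodata holds a few command names seen on the real switch (sample data)."""
    rodata = b"\x00".join([b"clearConfig", b"saveconfig", b"configDump", b"ok"]) + b"\x00"
    shstrtab = b"\x00.rodata\x00.shstrtab\x00"
    ehsize = 52
    rodata_off = ehsize
    shstrtab_off = rodata_off + len(rodata)
    shoff = shstrtab_off + len(shstrtab)
    e_ident = ELF_MAGIC + bytes([1, 2, 1]) + bytes(9)   # class=32-bit, data=MSB, version=1
    header = e_ident + struct.pack(">HHIIIIIHHHHHH",
                                   2, EM_MIPS, 1, 0x80041000, 0, shoff, 0,
                                   ehsize, 0, 0, 40, 3, 2)

    def shdr(name, sh_type, off, size):
        return struct.pack(">IIIIIIIIII", name, sh_type, 0, 0, off, size, 0, 0, 1, 0)

    shdrs = (shdr(0, 0, 0, 0)                                   # SHT_NULL
             + shdr(1, 1, rodata_off, len(rodata))              # .rodata, SHT_PROGBITS
             + shdr(9, 3, shstrtab_off, len(shstrtab)))         # .shstrtab, SHT_STRTAB
    return header + rodata + shstrtab + shdrs


if __name__ == "__main__":
    img = build_sample_image()
    print(identify(img))
    for s in dump_strings(img, ".rodata"):
        print(s)
```

On the real image you would read switchdrvr.bin from disk and call dump_strings(blob, ".rodata"); the constructed sample is only there so the block runs stand-alone.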

Possible leads to have more fun

  • You can put all kinds of characters in the VLAN name column in web management
  • There is a dev command which is disabled
  • Something is missing. Can't find e.g. password hashes.
  • JTAG is also on the board
  • You can give arguments to some console commands with (''). E.g. eeprom_set_mac('xxxxxx-xxxxxx')
  • While POSTing data to the web server you can avoid character checks after a null (%00) character.
  • SNMP
  • What's in the configuration file that can be downloaded from web management.
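The observation that character checks stop working after a %00 is what you get when a validator treats the decoded value as a C string and stops at the first NUL byte. The following is an added example, not code from the original post or from the switch firmware, showing that kind of check next to one that validates the whole decoded byte string; the allowed alphabet and length limit are assumptions for illustration.

```python
# Added example (not from the original post): why a %00 in a POSTed field
# can get past a character check, and what the check should look like.
from urllib.parse import unquote_to_bytes

# Assumed allowed alphabet for a field such as a VLAN name (illustrative).
ALLOWED = frozenset(b"abcdefghijklmnopqrstuvwxyz"
                    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_ ")


def c_string_check(raw_form_value: str) -> bool:
    """Validator with C strlen()-style handling: it only looks at the bytes
    before the first NUL, so whatever follows %00 is never inspected."""
    data = unquote_to_bytes(raw_form_value)
    visible = data.split(b"\x00", 1)[0]
    return all(b in ALLOWED for b in visible)


def strict_check(raw_form_value: str, max_len: int = 32) -> bool:
    """Validate every byte of the decoded value; NUL is not in the alphabet,
    so it is rejected like any other disallowed byte, and the length limit
    applies to the full decoded length rather than the visible prefix."""
    data = unquote_to_bytes(raw_form_value)
    if not data or len(data) > max_len:
        return False
    return all(b in ALLOWED for b in data)


if __name__ == "__main__":
    for value in ("office-lan", "office%00|extra", "bad<name>"):
        print(f"{value!r}: naive={c_string_check(value)} strict={strict_check(value)}")
```

Both functions decode the percent-encoding first, which matters: a check applied to the raw form string would not see the NUL at all, and the store behind it would. The difference shows up on the second sample value, which the naive check accepts and the strict one rejects.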

Console commands so far: clearConfig, saveconfig, setdhcp, configDump, hapiBroadDebugPkt, logClear, logConsole, logShow, mbufShow, memShow, osapiTaskShow, reboot, ifconfig, taskShow, ecos_net_stats, dev, netsnmpDebug, flashErase, copy, loopback_ext, eeprom_set_mac, eeprom_set_hwver, eeprom_set_serial, ssltShowGlobals, ssltConfigDataTestShow, ssltDebugLevelSet, port_phy_dump, port_phy_set, detectHPSFP, httpd_close_connections, showConnections, emwebWarnSet

command-output.txt

Contribute!

If you figure out something or some detail is wrong, don't hesitate to contact me. I would love to hack this thing a little bit more. :)

e-mail: mikko.kenttala(ä)gmail.com IRC: turmio@IRCnet
