Happy Hacking
Hacking HP ProCurve 1810G-8
I recently bought a new switch for my new apartment and of course I immediately started to research what’s inside the box. :)
Briefly, some interesting things I have found so far:
* The web GUI is not as crap as they normally are
* There is a debug console on the serial port
* I found lots of commands (there is no help of any kind at the console)
* Board : BCM953314R24GS
* CPU type 0x29050: 200MHz
* Total memory: 0x1000000 bytes (16MB)
* SmartPATH (core OS or boot loader)
* eCos 2.0 system inside
* The web server is called emweb
WEB-management
There is not much to say about web management since I have not yet found anything interesting (hacking-wise) in it. The web-management pages are basically just HTML and JavaScript, and all configuration changes are uploaded by POSTing data to the web server. You need a cookie to do anything with web management (except under /filesystem/*, which can serve the current configuration or image), and the cookie is naturally set during authentication.
Serial Console
I’m not that familiar with hardware hacking, but I also checked what’s inside the box. I noticed nine pins and the text “console” on the board, and I immediately went looking for my old adapter for a small tomato motherboard which has exactly the same kind of pin header for a serial port. I found it and it worked.
In Linux:
$ cu -s 9600 -l /dev/ttyUSB0
and after one Enter I have:
SmartPATH Debug >
Whole boot output: hp-bootup.txt
There is no help, manual or anything to show what commands are available. I started randomly trying basic commands at the console and found that there are at least “ifconfig” and “reboot” commands. That’s not enough, so I started googling, and found nothing. I had to figure out something else. (I soon did.)
Reverse engineering image-file
You can download a backup image (and configuration) file from web management, and I started to wonder whether it might give some kind of lead to doing something more. After lots of attempts to unpack the image file I noticed that the console mentions 7zip support. I installed 7zip on my Linux box and lalaaa, the image was extracted. Just:
$ 7z e switchdrvr.stk
7-Zip 9.04 beta Copyright (c) 1999-2009 Igor Pavlov 2009-05-30
7zip Version 9.04 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,2 CPUs)
Processing archive: switchdrvr.stk
Extracting switchdrvr.bin
Everything is Ok
Size: 6562892
Compressed: 1689146
The file command can tell what the extracted bin is:
$ file switchdrvr.bin
switchdrvr.bin: ELF 32-bit MSB executable, MIPS, MIPS32 version 1 (SYSV), statically linked, stripped
I started googling about ELF files etc. and found out that there are ELF tools for Linux, and started trying all kinds of stuff. E.g.:
$ readelf -a switchdrvr.bin
Section Headers:
  [Nr] Name          Type      Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]               NULL      00000000 000000 000000 00      0   0  0
  [ 1] .rom_vectors  PROGBITS  80041000 001000 0000bc 00  AX  0   0  1
  [ 2] .init         PROGBITS  800410bc 642000 000000 00   W  0   0  1
  [ 3] .text         PROGBITS  800410bc 0010bc 474888 00  AX  0   0 64
  [ 4] .fini         PROGBITS  804b5944 642000 000000 00   W  0   0  1
  [ 5] .rodata       PROGBITS  804b5948 475948 14bf08 00   A  0   0  8
Full output: full-output-readelf-a.txt
While reading the strings of section 5 (.rodata) I found something interesting:
$ readelf -p 5 switchdrvr.bin
...
[ 7ec] ../../../bsp/cpu/common/ecos/ipl/bootos.c
[ 818] clearConfig
[ 824] saveconfig
[ 830] setdhcp
[ 838] configDump
[ 844] hapiBroadDebugPkt
[ 858] logClear
[ 864] logConsole
[ 870] logShow
[ 878] mbufShow
[ 884] memShow
....
Full output: readelf-p-5-output.txt
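To show what readelf -p is doing above, here is an added example (my own, not part of the original post or HP’s firmware) that walks the section headers of an ELF32 image, pulls the NUL-separated printable strings out of .rodata, and keeps the identifier-shaped ones, which is where console verbs like clearConfig and memShow turn up. It builds a tiny constructed big-endian MIPS-style ELF in memory so it runs offline; the strings in it are assumed sample data, not the real switchdrvr.bin contents. For a real audit, pass the bytes of the extracted switchdrvr.bin to parse_elf32() instead, to see which debug commands and build paths a vendor left in a binary.

```python
"""Dump .rodata strings from an ELF32 image, the way `readelf -p 5` does.

Added example, not code from the original post. build_sample_elf() makes a
constructed ELF32 MSB (MIPS) file with only NULL, .rodata and .shstrtab
sections so the parser can run offline; replace it with open(path,'rb').read()
on a real firmware ELF to audit what strings were left inside.
"""
import re
import struct

SHT_NULL, SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 0, 1, 3, 8
EHDR_SIZE, SHDR_SIZE = 52, 40          # ELF32 header / section header sizes


def parse_elf32(data):
    """Return [(name, type, addr, raw_bytes), ...] for every section."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1:                      # EI_CLASS: 1 = 32-bit
        raise ValueError("only ELF32 handled here (switchdrvr.bin is 32-bit)")
    endian = ">" if data[5] == 2 else "<"  # EI_DATA: 2 = MSB, as in the post
    (e_shoff,) = struct.unpack_from(endian + "I", data, 32)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from(endian + "HHH", data, 46)
    headers = [struct.unpack_from(endian + "10I", data, e_shoff + i * e_shentsize)
               for i in range(e_shnum)]
    # sh_name is an offset into the section-name string table (.shstrtab)
    shstr = headers[e_shstrndx]
    names = data[shstr[4]:shstr[4] + shstr[5]]
    sections = []
    for sh_name, sh_type, _flags, sh_addr, sh_offset, sh_size, *_ in headers:
        name = names[sh_name:names.index(b"\0", sh_name)].decode("ascii")
        if sh_type in (SHT_NULL, SHT_NOBITS):   # no file bytes backing these
            body = b""
        else:
            body = data[sh_offset:sh_offset + sh_size]
        sections.append((name, sh_type, sh_addr, body))
    return sections


def printable_strings(blob, min_len=4):
    """Split on NUL and keep runs of printable ASCII, like `readelf -p`."""
    out = []
    for chunk in blob.split(b"\0"):
        for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, chunk):
            out.append(m.group().decode("ascii"))
    return out


def rodata_strings(data, min_len=4):
    """Strings of the .rodata section only (section 5 in the real image)."""
    for name, _type, _addr, body in parse_elf32(data):
        if name == ".rodata":
            return printable_strings(body, min_len)
    return []


IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def command_candidates(strings):
    """Identifier-shaped strings are the likely console verbs; paths are not."""
    return sorted({s for s in strings if IDENT.match(s)})


# ---- constructed sample image (NOT the real switchdrvr.bin) -------------
SAMPLE_RODATA = [
    "../../../bsp/cpu/common/ecos/ipl/bootos.c",
    "clearConfig", "saveconfig", "setdhcp", "memShow", "ok",
]


def build_sample_elf(strings=SAMPLE_RODATA):
    """Assemble a minimal ELF32 MSB (MIPS) file: NULL, .rodata, .shstrtab."""
    rodata = b"".join(s.encode("ascii") + b"\0" for s in strings)
    shstrtab = b"\0.rodata\0.shstrtab\0"     # name offsets: 1 and 9
    rodata_off = EHDR_SIZE
    shstr_off = rodata_off + len(rodata)
    shoff = shstr_off + len(shstrtab)
    ident = b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\0" * 8   # 32-bit, MSB, v1
    ehdr = ident + struct.pack(">HHIIIIIHHHHHH",
                               2, 8, 1, 0x80041000, 0, shoff, 0,   # EXEC, MIPS
                               EHDR_SIZE, 0, 0, SHDR_SIZE, 3, 2)   # 3 shdrs
    shdrs = bytes(SHDR_SIZE)                                        # [0] NULL
    shdrs += struct.pack(">10I", 1, SHT_PROGBITS, 2, 0x804B5948,    # [1] A
                         rodata_off, len(rodata), 0, 0, 8, 0)
    shdrs += struct.pack(">10I", 9, SHT_STRTAB, 0, 0,               # [2]
                         shstr_off, len(shstrtab), 0, 0, 1, 0)
    return ehdr + rodata + shstrtab + shdrs


if __name__ == "__main__":
    image = build_sample_elf()
    for name, stype, addr, body in parse_elf32(image):
        print(f"{name or '<null>':12s} type={stype} addr={addr:08x} size={len(body)}")
    print("strings:", rodata_strings(image))
    print("command-looking strings:", command_candidates(rodata_strings(image)))
```

The min_len filter is what separates this from a raw strings(1) run: the build path and the command names both survive it, while two-letter fragments do not, and the identifier filter then splits the path from the verbs.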
Possible leads to have more fun
* You can put all kinds of characters into the VLAN name column in web management
* There is a dev command, which is disabled
* Something is missing. Can’t find e.g. password hashes.
* JTAG is also on the board
* You can give arguments to some console commands with quotes (''). E.g. eeprom_set_mac('xxxxxx-xxxxxx')
* While POSTing data to the web server you can avoid character checks after a null (%00) character.
* SNMP
* What’s in the configuration file that can be downloaded from web management?
Console commands found so far: clearConfig, saveconfig, setdhcp, configDump, hapiBroadDebugPkt, logClear, logConsole, logShow, mbufShow, memShow, osapiTaskShow, reboot, ifconfig, taskShow, ecos_net_stats, dev, netsnmpDebug, flashErase, copy, loopback_ext, eeprom_set_mac, eeprom_set_hwver, eeprom_set_serial, ssltShowGlobals, ssltConfigDataTestShow, ssltDebugLevelSet, port_phy_dump, port_phy_set, detectHPSFP, httpd_close_connections, showConnections, emwebWarnSet
Contribute!
If you figure out something or some detail is wrong, don’t hesitate to contact me. I would love to hack this thing a little bit more. :)
e-mail: mikko.kenttala(ä)gmail.com
IRC: turmio@IRCnet
2010-01-27