Happy Hacking

 

Hacking HP ProCurve 1810G-8

 

I recently bought a new switch for my new apartment and of course I immediately started to research what’s inside the box. :)


Briefly, some interesting information I’ve found so far:

  * The web GUI is not as crap as they normally are

  * There is a debug console on the serial port

  * I found lots of commands (there is no help of any kind at the console)

  * Board : BCM953314R24GS

  * CPU type 0x29050: 200MHz

  * Total memory: 0x1000000 bytes (16MB)

  * SmartPATH (core OS or boot loader)

  * eCos 2.0 system inside

  * The web server is called emweb


WEB-management


There is not much to say about web management since I’ve not yet found anything interesting (related to hacking) in it. The web management pages are basically just HTML and JavaScript, and all configuration is uploaded by POSTing data to the web server. You have to have a cookie to do anything with web management (except under /filesystem/*, which can give the current configuration or image), and the cookie is naturally created during authentication.


Serial Console



I’m not so familiar with hardware hacking, but I also checked out what’s inside the box. I noticed nine pins and the text “console” on the board, and I immediately started searching for my old adapter for a small tomato motherboard, which has exactly the same kind of pins for providing a serial port. I found it and it worked.

In Linux:

$ cu -s 9600 -l /dev/ttyUSB0

Press Enter once and you have:

SmartPATH Debug >

Whole boot output: hp-bootup.txt


There is no help, manual or anything else to show what commands are available. I started randomly trying basic commands at the console and found that there are at least “ifconfig” and “reboot” commands. That’s not enough, so I started googling and found nothing. I had to figure out something else. (I soon did.)


Reverse engineering image-file

You can download a backup image (and configuration) file from web management, and I started to wonder whether there might be some kind of lead in it to doing something more. After lots of trying to unpack the image file, I noticed in the console output that there is a mention of 7zip support. I installed 7zip on my Linux box and lalaaa, the image was extracted. Just:

$ 7z e switchdrvr.stk

7-Zip 9.04 beta  Copyright (c) 1999-2009 Igor Pavlov  2009-05-30
7zip Version 9.04 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,2 CPUs)

Processing archive: switchdrvr.stk

Extracting  switchdrvr.bin

Everything is Ok

Size:       6562892
Compressed: 1689146


The file command can tell something about the extracted bin:

$ file switchdrvr.bin

switchdrvr.bin: ELF 32-bit MSB executable, MIPS, MIPS32 version 1 (SYSV), statically linked, stripped


I started googling about ELF files, filesystems etc. and found out there are ELF tools for Linux (readelf from binutils), and started trying all kinds of stuff. E.g.:

$ readelf -a switchdrvr.bin

Section Headers:

[Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al

[ 0]                   NULL            00000000 000000 000000 00      0   0  0

[ 1] .rom_vectors      PROGBITS        80041000 001000 0000bc 00  AX  0   0  1

[ 2] .init             PROGBITS        800410bc 642000 000000 00   W  0   0  1

[ 3] .text             PROGBITS        800410bc 0010bc 474888 00  AX  0   0 64

[ 4] .fini             PROGBITS        804b5944 642000 000000 00   W  0   0  1

[ 5] .rodata           PROGBITS        804b5948 475948 14bf08 00   A  0   0  8


Full output: full-output-readelf-a.txt


While reading the strings in section 5 (.rodata) I found something interesting:

$ readelf -p 5 switchdrvr.bin

...

[   7ec]  ../../../bsp/cpu/common/ecos/ipl/bootos.c

[   818]  clearConfig

[   824]  saveconfig

[   830]  setdhcp

[   838]  configDump

[   844]  hapiBroadDebugPkt

[   858]  logClear

[   864]  logConsole

[   870]  logShow

[   878]  mbufShow

[   884]  memShow

....

Full output: readelf-p-5-output.txt
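As an added example (not code from the original post), here is a small Python script that does by hand what readelf does above: it parses the ELF32 header and section table, honouring the big-endian (MSB) byte order that file reported, and then dumps the NUL-terminated printable strings of a named section the way readelf -p does. Because the real switchdrvr.bin is not included here, the script builds a constructed minimal big-endian MIPS ELF whose .rodata holds a few of the strings seen above (addresses loosely modelled on the readelf table); run it with the real image as its argument to get the same listing of command names that the console command list below was compiled from.

```python
"""Minimal ELF32 section-table parser plus a readelf -p style string dump.

Added example; not part of the original post.  The sample ELF built by
build_sample_elf() is constructed for the demo and is not the switch firmware.
"""
import struct

SHT_NULL, SHT_PROGBITS, SHT_STRTAB = 0, 1, 3
EM_MIPS = 8


def _cstr(data, off):
    """Return the NUL-terminated ASCII string starting at data[off]."""
    end = data.index(b"\0", off)
    return data[off:end].decode("ascii", "replace")


def parse_elf32(data):
    """Parse an ELF32 header and its section table (either byte order)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1:
        raise ValueError("only ELF32 is handled")
    endian = {1: "<", 2: ">"}[data[5]]          # EI_DATA: 1 = LSB, 2 = MSB
    (_type, machine, _ver, entry, _phoff, shoff, _flags, _ehsize,
     _phentsize, _phnum, shentsize, shnum, shstrndx) = struct.unpack(
        endian + "HHIIIIIHHHHHH", data[16:52])
    raw = []
    for i in range(shnum):
        off = shoff + i * shentsize
        raw.append(struct.unpack(endian + "IIIIIIIIII", data[off:off + 40]))
    strtab_off = raw[shstrndx][4]               # sh_offset of .shstrtab
    sections = []
    for sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, *_ in raw:
        sections.append({
            "name": _cstr(data, strtab_off + sh_name),
            "type": sh_type, "flags": sh_flags, "addr": sh_addr,
            "offset": sh_offset, "size": sh_size,
        })
    return {"endian": "big" if endian == ">" else "little",
            "machine": machine, "entry": entry, "sections": sections}


def strings_in_section(data, elf, name, minlen=4):
    """Return (offset_in_section, string) for printable runs, like readelf -p."""
    sec = next(s for s in elf["sections"] if s["name"] == name)
    blob = data[sec["offset"]:sec["offset"] + sec["size"]]
    found, start = [], None
    for i, b in enumerate(blob + b"\0"):         # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= minlen:
                found.append((start, blob[start:i].decode("ascii")))
            start = None
    return found


def build_sample_elf():
    """Construct a tiny big-endian MIPS ELF32 with a .rodata string table."""
    rodata = b"\0".join([
        b"../../../bsp/cpu/common/ecos/ipl/bootos.c",
        b"clearConfig", b"saveconfig",
        b"\x01\x02ab",                           # junk: too short and not printable
        b"setdhcp",
    ]) + b"\0"
    shstrtab = b"\0.rodata\0.shstrtab\0"
    rodata_off = 52                             # right after the 52-byte ELF header
    shstr_off = rodata_off + len(rodata)
    shoff = shstr_off + len(shstrtab)
    shoff += (-shoff) % 4                       # keep the section table 4-byte aligned
    ident = b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\0" * 8   # ELF32, MSB, version 1
    ehdr = ident + struct.pack(">HHIIIIIHHHHHH", 2, EM_MIPS, 1, 0x80041000,
                               0, shoff, 0, 52, 0, 0, 40, 3, 2)

    def sh(name, typ, flags, addr, off, size):
        return struct.pack(">IIIIIIIIII", name, typ, flags, addr, off, size, 0, 0, 1, 0)

    shdrs = (sh(0, SHT_NULL, 0, 0, 0, 0)
             + sh(1, SHT_PROGBITS, 2, 0x804B5948, rodata_off, len(rodata))
             + sh(9, SHT_STRTAB, 0, 0, shstr_off, len(shstrtab)))
    body = ehdr + rodata + shstrtab
    return body + b"\0" * (shoff - len(body)) + shdrs


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    elf = parse_elf32(data)
    print("%s-endian, e_machine=%d, entry=0x%08x" % (elf["endian"], elf["machine"], elf["entry"]))
    for i, s in enumerate(elf["sections"]):
        print("[%2d] %-12s type=%d addr=0x%08x off=0x%06x size=0x%06x"
              % (i, s["name"], s["type"], s["addr"], s["offset"], s["size"]))
    for off, s in strings_in_section(data, elf, ".rodata"):
        print("[%6x]  %s" % (off, s))
```

The offsets printed in the string dump are relative to the start of the section, exactly as in the readelf -p output above, so they can be compared directly; raising minlen filters out the short printable runs that are really binary data rather than command names.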


Possible leads to have more fun

  1. You can put all kinds of characters into the VLAN name column in web management

  2. There is a dev command, which is disabled

  3. Something is missing. I can’t find e.g. password hashes

  4. JTAG is also on the board

  5. You can give arguments to some console commands with (‘’). E.g. eeprom_set_mac('xxxxxx-xxxxxx')

  6. While POSTing data to the web server you can avoid character checks after a null ( %00 ) character

  7. SNMP

  8. What’s in the configuration file which can be downloaded from web management


Console commands found so far: clearConfig, saveconfig, setdhcp, configDump, hapiBroadDebugPkt, logClear, logConsole, logShow, mbufShow, memShow, osapiTaskShow, reboot, ifconfig, taskShow, ecos_net_stats, dev, netsnmpDebug, flashErase, copy, loopback_ext, eeprom_set_mac, eeprom_set_hwver, eeprom_set_serial, ssltShowGlobals, ssltConfigDataTestShow, ssltDebugLevelSet, port_phy_dump, port_phy_set, detectHPSFP, httpd_close_connections, showConnections, emwebWarnSet


Command output: command-output.txt


Contribute!

If you figure out something, or some detail is wrong, don’t hesitate to contact me. I would love to hack this thing a little bit more. :)


e-mail: mikko.kenttala(ä)gmail.com

IRC: turmio@IRCnet

 

2010-01-27
