Thursday, August 28, 2014

serializing fun

In the quest of fiddling with more embedded devices I remembered about the little AP sitting on Kevin's shelf.
The documentation of the device is available here:
http://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/home_legacy_access_points/ew-7206apg

Funny thing, if you search for this router first page with results will show vulnerabilities in its web interface: http://www.s3cur1ty.de/node/673

After disassembling the unit,finding serial port pinout, and pain of soldering pinout I was ready to rock'n'roll.  How-to on serial port pinouts: (http://www.devttys0.com/2012/11/reverse-engineering-serial-ports/)

With the soldered pinout in lower left: from the right: TXD, GROUND, RXD,VCC
first connection failed I thought about messed up soldering, but decreasing baudrate to 38400 solved the problem.
Connecting to the port yields a pre-boot console if device is bricked (more about it another time) and Linux console guarded by access control.
Credentials are: super/@gogolinux (found here: http://www.linux-mips.org/wiki/BR6104)
successful login yields a buysbox rootshell.






No comments:

Post a Comment