After working out how to shell the E5573 device, I briefly turned my attention to the Huawei R216H. Despite the considerable difference in packaging, the device looked somewhat familiar. On opening it, I was met with a similar scene, with JTAG and serial test points in precisely the same place:
For reference, the basic JTAG pinout is (counting from pin 0 at the top):
- TCK 1
- TMS 3
- TDI 4
- TDO 5
- Reset 7
Pin 2 is grounded, and the voltage reference is ~1.5V from the boot pin.
The only visible difference I could see was the addition of a small green LED at the top. According to the packaging, this indicates whether you have a new SMS or not (because clearly, SMS is what people use this for).
Initially, I had some trouble getting the wires to stick, but I found that curving the ends of the magnet wire inwards and “dipping” it into a blob of solder seemed to work a bit better than regular soldering – and was much more forgiving of poorly knife-stripped wire ends:
Exactly the same trick works as on the E5573 (patching authconsole in memory), with exactly the same expected result:
My next task was to gain a persistent shell, so I could continue investigating the device. On investigating the various bin directories, I figured my approach would be to FTP the authconsole binary to a second workstation, patch the executable and FTP it back. After a little bit of network fuckery (and wrestling against ftpput – you need to specify all the arguments), imagine my surprise when I couldn’t find the very bytes which I had patched in memory to get the shell.
Instead, I found the following (refer to my last post on the E5573 for the original source chunk):
Based on the behaviour I had observed, this suggested that the binary “on disk” was affected by the in-memory patch, but was somehow overridden at the next reboot. Still, this presented a simpler problem than FTP trickery. I remounted /app as a read-write partition and renamed the file slightly.
To my astonishment, this committed the change to disk – and the device is now correctly perma-rooted, accepting any password, without overwriting NVRAM or downgrading firmware.
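The remount-and-patch flow above, written out as an added example (this is my own illustration, not code from the original post or from the device). It assumes a BusyBox-style shell on the device with `dd`, `printf`, `od` and `mount`; the partition path, file name, offset and byte values in the comments are placeholders, since the real authconsole offset and patch bytes are not reproduced here. The one thing it adds to the post's procedure is a check that the bytes currently on disk are the ones you expect before writing, which is exactly the check that would have flagged the mismatch the post describes:

```shell
#!/bin/sh
# Added example, not from the original post: commit a byte patch to a binary
# on a read-only partition by remounting it read-write, with a pre-write check.
# Offsets and byte values used with these functions are placeholders; the real
# authconsole patch is not reproduced here.

set -u

# read_bytes FILE OFFSET COUNT
# Prints COUNT bytes at OFFSET as a lowercase hex string (no spaces).
read_bytes() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# patch_bytes FILE OFFSET EXPECTED_HEX NEW_HEX
# Writes NEW_HEX (space-separated bytes, e.g. "00 20 70 47") at OFFSET in place,
# but only if the bytes currently there equal EXPECTED_HEX. Refusing to write
# otherwise stops you from patching a different firmware build, or a file that
# is not actually the one you patched in memory. Uses only dd/printf/od so it
# runs inside a BusyBox shell on the device itself.
patch_bytes() {
    file=$1; offset=$2; expected=$3; new=$4
    want=$(printf '%s' "$expected" | tr -d ' ')
    n=$(( ${#want} / 2 ))
    have=$(read_bytes "$file" "$offset" "$n")
    if [ "$have" != "$want" ]; then
        echo "refusing to patch: expected $want at offset $offset, found $have" >&2
        return 1
    fi
    i=0
    for byte in $new; do
        # One printf per byte, emitted as an octal escape, so no bash-only \x is
        # needed; dd with conv=notrunc overwrites in place without truncating.
        printf "$(printf '\\%03o' "$((0x$byte))")" |
            dd of="$file" bs=1 seek=$((offset + i)) conv=notrunc 2>/dev/null
        i=$((i + 1))
    done
}

# persist_patch PARTITION FILE OFFSET EXPECTED_HEX NEW_HEX
# The on-device sequence: remount the app partition read-write, keep a copy of
# the original alongside, patch in place, flush to flash, remount read-only.
# Needs root on the device, so it is shown for the flow and not run by the tests.
# Example (placeholder values): persist_patch /app /app/bin/authconsole 4096 "xx xx" "yy yy"
persist_patch() {
    part=$1; file=$2; offset=$3; expected=$4; new=$5
    mount -o remount,rw "$part" || return 1
    cp "$file" "$file.orig"                      # fallback copy before touching it
    patch_bytes "$file" "$offset" "$expected" "$new" || return 1
    sync                                         # make sure the write reaches flash
    mount -o remount,ro "$part"
    echo "patched $file at offset $offset; original kept as $file.orig"
}
```

If `patch_bytes` refuses with a "found" value that does not match what you patched in RAM, you are looking at the situation from the post: the file on disk is not the same bytes the running process was executing, and it is worth working out where the running copy actually comes from before writing anything.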