Reversing the R216H (Brief Note)

After working out how to shell the E5573 device, I briefly turned my attention to the Huawei R216H. Despite the considerable difference in packaging, the device looked somewhat familiar. On opening it, I was met with a similar scene, with JTAG and serial test points in precisely the same place:

For reference, the basic JTAG pinout is (counting from 0 at the top):

  • TCK 1
  • TMS 3
  • TDI 4
  • TDO 5
  • Reset 7

Pin 2 is grounded, and the voltage reference is ~1.5V from the boot pin.

The only visible difference I could see was the addition of a small green LED up the top. According to the packaging, this indicates if you have a new SMS or not (because clearly, SMS is what people use this for).

Initially, I had some trouble getting the wires to stick, but I found that curving the ends of the magnet wire inwards and “dipping” it into a blob of solder seemed to work a bit better than regular soldering – and was much more forgiving of poorly knife-stripped wire ends:

Exactly the same trick works as on the E5573 (patching authconsole in memory), with exactly the same expected result:

My next task was to gain a persistent shell, so I could continue investigating the device. On investigating the various bin directories, I figured my approach would be to FTP the authconsole binary to a second workstation, patch the executable and FTP it back. After a little bit of network fuckery (and wrestling against ftpput – you need to specify all the arguments), imagine my surprise when I couldn’t find the very bytes which I had patched in memory to get the shell.

Instead, I found the following (refer to my last post on the E5573 for the original source chunk):

To me, this indicated that the binary “on disk” was affected by our in-memory patch, but was somehow overridden at the next reboot, based on behavioral analysis. Still, this presented a simpler problem than FTP trickery. I remounted /app as a rw partition, and renamed the file a bit.

To my astonishment, this committed the change to disk – and the device is now correctly perma-rooted, accepting any password, without overwriting NVRAM or downgrading firmware.
