In my last post, I began detailing the reverse engineering of the Huawei e3372 device. This is a new version of the device, using the P711-HILINK firmware (fingerprinted through a memory dump, I can’t see any visible indicator on the board). Throughout the week, I learned a bit about the Android booting process, and was able to complete the compromise, to get a root shell.
This is clearly a changed firmware from the similar device I acquired last year – on initially UART’ing into the device, no console is presented, and the UART distribution (the L/V/M thing) doesn’t work. Instead, we are presented with an endless scroll of something about “IN drvStartModeGetFlag”.
I began my investigation by pausing the boot process to before the Android kernel had booted, and editing boot arguments:
Unfortunately, this did nothing (nor did init=/bin/sh, removing rdinit, single-user mode and all the trickery I could conceive).
My next approach was to investigate the userland process (suspected userland – investigated via a memory dump from 0xc0000000) which was causing the message loop. The “IN drvStartModeGetFlag” string was from libplatform.so (found through extracting a firmware blob) – specifically, we have a good guess that this code path is from drvStartModeGet (at 0x469C). We can easily nop out of this check:
This exits the crashed process, bringing us to the familiar authconsole interface:
From here, we patch the same 2 authconsole checks as we did on the e5573 to get the EUAP> prompt, and from there, a privileged shell.
I would like to thank the engineering team at Huawei for making this challenge not so easy that I didn’t learn anything, but not so hard that it was impossible. With this approach, we have a way of shelling this device which does not require abusing the update functionality / boot pin trick.
I look forward to seeing you all in Pragyan CTF this weekend.