Reversing the e3372 – Completing the Compromise (P711-HILINK Remix)

In my last post, I began detailing the reverse engineering of the Huawei e3372 device. This is a new version of the device, using the P711-HILINK firmware (fingerprinted through a memory dump; I can’t see any visible indicator on the board). Throughout the week, I learned a bit about the Android booting process and was able to complete the compromise and obtain a root shell.

This is clearly a changed firmware from the similar device I acquired last year: on initially connecting to the device over UART, no console is presented, and the UART boot-mode selection (the L/V/M thing) doesn’t work. Instead, we are presented with an endless scroll of something about “IN drvStartModeGetFlag”.

I began my investigation by pausing the boot process to before the Android kernel had booted, and editing boot arguments:

Unfortunately, this did nothing (nor did init=/bin/sh, removing rdinit, single-user mode, or any other trick I could conceive).

My next approach was to investigate the userland process (suspected userland, investigated via a memory dump from 0xc0000000) which was causing the message loop. The “IN drvStartModeGetFlag” string was from (found through extracting a firmware blob); specifically, we have a good guess that this code path is from drvStartModeGet (at 0x469C). We can simply NOP out this check:

This exits the crashed process, bringing us to the familiar authconsole interface:

From here, we patch the same two authconsole checks as on the e5573 to get the EUAP> prompt, and from there, a privileged shell.

I would like to thank the engineering team at Huawei for making this challenge neither so easy that I learned nothing nor so hard that it was impossible. With this approach, we have a way of shelling this device which does not require abusing the update functionality or the boot pin trick.

I look forward to seeing you all in Pragyan CTF this weekend.

About Norman

Sometimes, I write code. Occasionally, it even works.