Exploring the AT&T U-verse 5268AC DSL Modem – Part 1

When we last left off we had identified a possible point of attack for the U-verse gateway via a port open to the public internet. Now we will take a quick look at the gateway itself and find a way to take control.

In case you can’t tell it’s quite a large modem, promising tons of extra (what they like to call) “features”. The back of the modem has tons of ports and might even support cable internet.

Time to open’er up.

As you can see it’s a pretty busy board. My first instinct was to try and detect a signal from what appears to be a diagnostic port which is boxed in the picture below.

However, after several minutes of the device running while I probed with my Rigol 100MHz scope I decided that this port is dead to the world and it was time to move on. I probed around for a bit and discovered a copper pad which was connected to one of the data pins from the flash chip. This would prove to be very convenient later.

 

You can tell it’s a data pin from the flash chip because of the shape of the signal. Notice the peaks are very steep and nothing like the square wave type peaks from a UART serial connection.

And here’s a typical UART signal that I pulled from Google:

See the difference? UART is very clean and I can almost sit here and decode it with pen and paper. But all of you fancy folks can probably use either a bus pirate or logic analyzer.

Still no luck with finding a UART I decided to remove that heat sink enclosure that’s encasing the processor.

Hurrah, more pads! Good thinking Pace, I’ll never check under there! I did some probing on these and wouldn’t ja’ know it, we have UART! Here are the pins circled for those of you playing at home.

 

So I did some extra careful solder work and attached a couple of random wires I had laying around from my last TSA show-and-tell moment and then spread on the hot glue really thick to ensure that not even I could mess this up.

No the live round is not part of the circuit; yes we now have a direct line to… not much sadly. We see the bootloader start and pause for 5 seconds listening for a keypress from us.

 

Normally, when a key is pressed during this 5 second window we would get a bootloader shell however input has been intentionally blocked during this sequence and doesn’t get enabled until after the kernel has already loaded. This is a problem because the system is password protected at that point and I don’t have the password! Do you?

After trying several common default username/password combinations as well as righting a super-lame bruteforcing script, I came up with a solution. When I powered on the device I could wait for the bootloader to get loaded and executed and then while the bootloader tries to read the kernel from flash I will short one of the data lines (wink wink) to ground. This will obviously disrupt the read and force the bootloader to drop me a shell right?

So I just needed to touch the orange wire to that pad which is part of one of the data lines (a slave-out judging by the amount of data).

It took a few tries. If I did it too early the modem would just freak out and reboot. If I did it too late the kernel would cuss at me and then reboot. But I got it down finally and noticed that when I shorted the data while the bootloader was pulling the kernel, the bootloader would start marking every page as bad that it was unable to read until I released the wire! I didn’t get a screenshot of this but it basically went something like this.

This basically means that my modem will not boot again until those bad page markers in the chip’s OOB are cleared. This isn’t really a problem though since it doesn’t affect the actual data and the bootloader tools will read these pages regardless of what the OOB says. If I had to make a recommendation on how to improve this process I would say find the slave-in pins and find a way to short those instead (and all at the same time). This would make marking the blocks bad impossible.

Once I released the wire the modem rebooted and I noticed the words “Factory mode” in the boot log which hadn’t been there before.

Now, during that 5 second delay I was able to escape to the bootloader menu! Whew! What an ordeal!

After some playing around I decided to acquire a dump of NAND memory. I wrote a script to automate this process since only a page at a time can be dumped.

The command returns the content of each page in hexdump canonical format which then gets recorded by minicom (my terminal emulator which is handling the bus pirate) to a log file. Remember that I can’t just modify the boot parameters to skip the login prompt because the modem no longer boots to anything but the bootloader.

My script ran for 12 hours. But it worked!

I quickly converted the huge hexdump log file into a congruent binary dump of the flash chip. I tried unpacking the image with binwalk but couldn’t get it to unpack the squashfs so I tried simply looking for useful data and binaries in the raw image. Here are some samples of what I found.

The only one I’ve cracked is

$1$dfadif91$Q5FtHoUn91vcZWTIH7KRJ/:alcatel

but this isn’t being used on the login.

The more important find was this URL.

 

That’s hxxp://gaxeway.c01.sbcglobal.nex/firmware/00D09E/10.5.3.527283-PROD/5268.insxall.pkgsxream . Change every “x” to a “t” and you’ll have the link.

Let us try…

 

Cool, an official update image. Binwalk it.

And we have a file system.

I also can read all of the startup scripts and realize that the program listening on 49152 is none other than /usr/bin/wproxy. Join me in part two when we will have a look at this binary in depth.

 

Exploring the AT&T U-verse 5268AC DSL Modem – Intro

I recently recent swapped from Spectrum to AT&T. Long story short I didn’t like it and switched back. However, I did I notice something interesting and decided to order a device off of ebay to experiment with.

The first interesting thing I noticed was that the modem’s WiFi network name and PSK could be retrieved in plaintext from anywhere on the internet by logging in to att.com and taking the following steps.

Search for “forgot wifi password” in the search bar. Click “Find network name & password”

Click the blue “Get it” button when it appears as shown. Make sure the correct Modem / gateway is selected.

 

After a several seconds the WiFi network name and password appears near the bottom right hand corner of the screen. It doesn’t work in the screenshot below because my service has been disconnected for several weeks.

 

 

This feature works regardless of whether or not the user is on their home network or in another country. Therefore we can conclude that the ISP is retrieving this information directly from the modem and transporting it over the internet. Notice in the same photo the “Manage My Wi-Fi” link which allows the user to overwrite these parameters as well.

A full tcp portscan gives only two open ports (no UDP ports were scanned).

 

It is important to note that not only are these ports only available from the WAN but that in the case of 61001 that I can only connect to it from an ip that is not AT&T U-verse. The reason only other U-verse ip addresses are blacklisted remains a mystery. Throwing some random garbage into port 49152 yields promising results.

Port 61001 appears to be a TLS enabled web service (presumably password protected).

Note that the existence of these services is not limited to the 5286ac modem and seems to be present on the majority of Uverse DSL modems. Understanding the inner workings of these services will be the focus of this series of posts.

But first we must root the gateway. The saga begins with Exploring the AT&T U-verse 5268AC DSL Modem – Part 1.

Is this normal for sponsored advertising?

While debugging some problems with 64 and 32 bit Chrome (or more precisely, while downloading the different versions), one of our developers found a strange “Sponsored” ad, handed to him by Yahoo’s search engine.

The search term was “Chrome download”, nothing obscure and the following pictures tell the rest of the story.

This may take us into a review of sponsored ads that serve content to see how bad things really are.  Isn’t there a vetted process for allowing links/downloads from sponsoring agencies?

Some great SEO or a high value ad?

The site it directed us to.

Although the name of the executable immediately triggered suspicion, we downloaded it to take a peak and Panda AV triggered the minute it was downloaded.

Virus Total.

We’ll do a follow up technical post with information about the executable, but this was enlightening enough to make public.

A short ‘subjective’ view on crowdsourcing

Nomotion’s CEO wrote an article for Signal magazine, an AFCEA marketing venture.  While he represents the organization, his views on this topic are quite controversial, maybe even within his organization.  This blog serves as a research, and notification output vehicle for Nomotion’s team, this post is not meant as an apology for his views, but is as a simple statement to point out the freedom of opinion.

The article can be found here.

Modifying a small PCB without a microscope? Improvise!

To continue the trend of hacking everything with a chip on it (IoT), we decided to tear apart a small device from a home security system.   We are on the hunt for root access, but that’s not what this post is about, it’s about a cool improvisation we pulled off to save time and well … because it was traffic hour and we didn’t feel like driving.

A little background first.  There are no references to the schematics for the PCB we are trying to modify, there is however an ARM processor which we were able to obtain a reference manual for and it clearly detailed JTAG pins for us.  The problem: size.  The chip has (as many hardware folks know) very little spacing between the pins that latch it onto the board.  We thought we were being clever when we used a glue gun, outlined the entire chip’s external perimeter with a big chunk of clear glue and stuck needles onto it to ‘make contact’.

Figure 1

We are still convinced it should have worked, but for some reason it didn’t!  So we removed the glue, and went to plan b.  We were to map the pins we needed to the back of the board, and solder raised pins on it to latch our gear …

Figure 2

The problem continued, we were only able to map ONE pin to the back of the board!  With camaraderie enabling us to continue this frustrating endeavor, we devised a third attack plan, the ARM chip had (what we thought) flat copper parallel contacts around the chip mapped to each pin so we should solder a tiny wire to it then happily latch our clips.

Figure 3

We managed to solder 49, 51, we were stoked it was cake!

Figure 4

Motivation highly increased, we were refreshed with confidence and ready to finish this task (2.5 – 3 hours in at this poitn).  Then pin pin 53 wasn’t mapped to the golden strips around the ARM chip!  We were convinced a supreme being hated us somewhere in the multi-verse!  Quit?  Plan D?  We swapped places from holding magnifying glasses, wires, flash light and solderer and again, we managed to keep going! Plan D it is: A hybrid approach.  This involved using some pins (directly on the chip) and some golden strips.

As if on purpose, the only mapped pin to the easy part of the board was the optional one -_- pin 50 (see Figure 2).  Pin 33 latched with a soldered needle, on to the the second on-chip pin (on the chip) BRIDGED!  Yes, after all this, we bridged 2 pins together with solder and spent the next 1 – 1.5 hours undoing this in an attempt at salvaging the board.

It was late, we were tired, frustrated, and our eyes were shot due to the size of the components on the board.  The magnifying glass we were using wasn’t enough, no microscope, so I ran to get my HDMI to microUSB (Phone to TV/Monitor) adapter.  I had an idea.  It was a long, long shot, but worth it if we could salvage the board.  Testing the bridge was the worse of it, because we had no visual way to predetermine if we had removed enough solder to test if the bridge was broken (annoying!!!).

 I got my old S6, plugged it onto the adapter, plugged it onto my top monitor, and turned the camera on the phone on.  The visual was useless, it was a bigger picture of the chip, but still not enough to help us.  As a last and desperate attempt for a little break, I zoomed in all the way via the touch screen zoom on the S6 and failed, it was too blurry! Then it hit us, we could focus it with the magnifying glass!

Figure 5

So to recap:

Phone to HDMI Adapter
Camera on Chip
Zoom in (and light up the board/chip with a good desk lamp)
Focus with the magnifying glass!

Here’s what it looked like!  The picture does little to merit to convey the success, but remember the 32″ monitor is a tad larger than the chip in real life.

Figure 6

Bridge was removed, we were ready to throw in the towel but we already had 2 of the 4 contacts on the ARM chip needed to obtain our JTAG connection!  We originally had three, two on the copper parallel strips, and one on pin 33 directly but while fixing the bridge we ripped one of the copper wires off.

One last breath, I hold two needles manually on two pins while Joseph plugged away at OpenOCD communicating with the ARM chip!  Success!

I hope our improvised electro-mobile-scope hack helps someone else!

Defense CyberSecurity Requirements – DFARS 252.204-7012 Need To Know

Under the interim rule issued late in 2015 (DFARS 252.204-7012), DoD contractors including small businesses. 

For immediate assistance or questions please contact us here

The requirements are fairly vague but reference documents that do dig into the technical components that are necessary to comply with their two main requirements:

  • Must provide “adequate” security to include protective measures for the loss, misuse, unauthorized access to, or modification of information on unclassified information systems.
  • Must rapidly report incidents and cooperate with DoD to respond to any security incidents.
Nomotion has produced and is in the process of vetting the process to ensure organizations needing to comply with these requirements do so, in an effective and efficient manner.
If you are interested in digging into the details of the cybersecurity standards referred to by the DFAR, they are described in further detail here DFAR 204.73, here NIST Special Publication 800-171 (fourteen areas to be secured minimally) and here NIST Special Publication 800-53.
Deadline to Get Compliant: December 31, 2017 
 
You still have time, but don’t let linger as organizations with remote branches, and contracts with multiple agencies must be approved by each agency.
Already suffered a breach?
 
No need to panic.  Just make some time soon (real soon) to deal with reporting the incident to the DIB, found at http://dibnet.dod.mil.
General questions to officials ready to help Small to Medium Businesses (SMB’s) here is a list of people ready to help!
U.S. Army – Pamela Monroe
U.S. Navy – Brad Taylor
U.S. Air Force – David Sikora
DCMA – Shelly Thomas
DHA – Dan Duckwitz
DIA – Maria Kersey
DLA – Trish Culbreth
MDA – Ruth Dailey
NGA – Diana Hughes
NSA – Jim Higgins

We don’t list their contact information to protect them from SPAM, however finding it on their agency directory is trivial.Don’t hesitate to drop us a note, let’s get you ahead of the curve in a timely manner!

New Training Course – Android Forensics – No $5 Wrench Required!

This course discusses the growing number of challenges
facing forensic examiners, reverse engineers, and law enforcement agencies when
working with a modern Android device.  Attendees will learn novel techniques for
evidence extraction, bypassing security features, and basic malware analysis
techniques.
With new tactics developed by one of our researchers, we’re excited to announce that we can unlock certain up-to-date Android devices for forensic analysis.  Send us a note, we will be scheduling a date for the new course within the next weeks stay tuned!

20 Million Users Vulnerable to Cisco’s WebEx Browser Extention

The vulnerability was discovered by Tavis Ormandy a well known security researcher and privately reported to Cisco which was patched on Monday January 23rd, 2017.  The seriousness of the issue was the seemingly trivial exploitation vector.

“All that’s required for a malicious or compromised website to exploit the vulnerability is to host a file or other resource that contains the string “cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html” in its URL. That’s a “magic” pattern the WebEx service uses to remotely start a meeting on visiting computers that have the Chrome extension installed.”

If you haven’t done so, UPDATE or UNINSTALL the WebEx extension to remove the vulnerability.  More information on the patch can be found here:  Cisco Security Advisory

Kudos to Cisco on producing a patch in two days!

The Cyber Secure Texas Project!

We are pleased to announce the release of a joint project Cyber Secure Texas (CST), with the support of Ultimatum Security, we aim to bring enterprise security services to the Small Business world in Texas.  There are plans to expand, so keep your eye on the project if you’re out of the area however.

About CST 

As opposed to hiring a full time IT staff,
The Cyber Secure Texas project aims to provide professional and high
quality cyber security services on a monthly basis, for an extremely
affordable flat rate. You’ll know exactly what you are getting, and
exactly how much it will cost. We believe small and medium sized
businesses deserve to benefit from premium security services.  Visit the site to learn more!  http://www.cybersecuretexas.com

Nomotion Will Be at The CyberTexas 2016 Conference

Come visit us at the CyberTexas 2016 Exhibitor Floor!

Grab some toys, meet our staff, and if you’re tech savvy … maybe a challenge or two for some prizes!

https://www.cybertexas.org

If you’ve never been to San Antonio, now is the perfect time to come, meet some of the local military and commercial talent, network, and discuss trending security practices.  We hope to see you there!

If you would like to set some time aside with us please shoot us a note at info@nomotion.net.