Re: [ARCHIVE] Modify firmware Cisco RV016 RV042 RV042G RV082

Posted: 16 April 2017, 02:13
by DOMin8or
after a little research i found something in the config file (which is mirrored into 2 other files)
i've connected with winscp, scp protocol, root, cisco2016*
/etc/nk_sysconfig (line 2534+, no ddns entries)
/etc/flash/etc/nk_sysconfig (2610+, shows my ddns entries)
/tmp/nk_sysconfig (shows my ddns entries. i think it's the 24h temporary config, that will be stored after 24h from tmp to the persistent flash?)

-------------- snip - interesting part of the config file ---------------------------------

---------------snap---- end of the interesting part from config file------------------------

webinterface base folder:

website for dyndns config
(this does the input field check, could be tricked to insert complete update url incl all user data)

unfortunately the base update address, & seems to be hardcoded.
i haven't found any script.
only on github i found an interesting file, but it is already compiled. that suxx for my skillz.
if i have the sourcecode in a higher level language, i think i can modify it. ... dns_update
on the cisco, the bin file is under:

if i call it, it answers:
~ # ddns_update
DDNS1 ID 3 = [NO]
DDNS2 ID 3 = [NO]
DDNS3 ID 3 = [NO]
DDNS4 ID 3 = [NO]
DDNS1 ID 3 = [NO]
DDNS2 ID 3 = [NO]
DDNS3 ID 3 = [NO]
DDNS4 ID 3 = [NO]
no --help possible.

it seems hardcoded and i want to see inside :-)
maybe the hardcoded source could be modified a little bit, so that the url from the form/config file
is called only, instead of the hardcoded addresses.
everything we need to call ddns_update is inside the config file/webinterface.
loginname, password, update url. there is absolutely no need to bind or to the variables...
i think it's done by changing one line in the source, maybe deleting some useless crap lines.
alternatively it could be completely replaced by a better readable cgi script?

update, i uploaded the bin file to an online disassembler, but i haven't found the hardcoded part.
the disassembler is interesting and shows clear names for the functions. but not comparable to ida. it does not show the referenced text blocks. it looks horrible.

File: ddns_update
Format: ELF 64-bit MSB executable
MIPS64 rel2 version 1 (SYSV)
dynamically linked (uses shared libs)
for GNU/Linux 2.6.13
not stripped
Size: 41.7 KB
MD5: 02336de38783c9b2577ca245a2d1ae5e
SHA-1: 19e42a88216ad56a99f05f5903a0d010c11150ed

Address Type Name
0x120001460 T _init
0x1200014e0 T __start
0x120001530 t hlt
0x120001540 t call_gmon_start
0x120001570 t __do_global_dtors_aux
0x1200015e8 t frame_dummy
0x120001620 T find_special_word
0x1200016a0 T Generate_DDNS_Update_Header
0x1200016c4 T isService
0x12000176c T isWanIp
0x12000180c T isWan
0x1200018ac T printHex_T
0x120001a18 T setDdnsStatus
0x120001afc T Generate_DDNS_Update_Packet
0x120001edc T Converse_Wire_To_Name
0x120001f58 T parseRecvbuf
0x1200025b0 T getWanIp
0x120002654 T Converse_Name_To_Wire
0x12000277c T Generate_Zone_Section
0x1200027d0 T strncpyz
0x12000282c T Generate_Update_Section
0x1200028d4 T getTimeStatus
0x120002a94 T getNowTime
0x120002c74 T hmac_md5
0x120002e3c T Generate_TSIG_Sigature
0x1200031e0 T Generate_Additional_Section
0x1200032a8 T Generate_DNS_Messages
0x120003378 T ddns_printf
0x120003418 T name_get_value
0x120003604 T setQDns
0x1200039bc T Ddns_Main
0x120003da4 T isDdnsEnable
0x120003e70 T main
0x1200041f0 T base64enc
0x1200042cc T base64dec
0x120004428 T base_printf
0x1200044d0 T MD5Init
0x12000450c t Encode
0x120004588 t MD5_memcpy
0x1200045b4 t MD5_memset
0x1200045d8 t MD5Transform
0x1200053b0 T MD5Update
0x1200054dc T MD5Final
0x1200055b0 T __libc_csu_fini
0x1200055b8 T __libc_csu_init
0x120005670 t __do_global_ctors_aux
0x1200056e0 t .MIPS.stubs
0x120005900 T _fini

a C decompiler would be nicer... or the original source in C, or whatever it was.
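
Added example, not part of the original post and not code from the firmware: a disassembler that omits referenced text blocks can be complemented by listing the printable strings in the binary with their file offsets and keeping those that look like URLs or hostnames. The function names and the sample bytes (including the `ddns.example` hosts) are constructed for illustration; pass the path of a real binary as the first argument to scan it instead.

```python
import re
import sys

# URL, or a bare dotted hostname ending in an alphabetic label.
ENDPOINT = re.compile(r"https?://[^\s\"']+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def ascii_strings(blob, min_len=4):
    """Yield (offset, text) for each printable-ASCII run, like `strings -t x`."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.start(), m.group().decode("ascii")


def hardcoded_endpoints(blob):
    """Return [(file_offset, text)] for embedded URLs and hostnames."""
    hits = []
    for off, text in ascii_strings(blob):
        for m in ENDPOINT.finditer(text):
            if m.group().lower().endswith(".so"):  # shared-library names, not hosts
                continue
            hits.append((off + m.start(), m.group()))
    return hits


# Constructed sample bytes (not taken from ddns_update): an ELF-like header,
# a library name, a symbol name and two placeholder endpoints.
SAMPLE = (b"\x7fELF\x02\x02\x01" + bytes(9)
          + b"libc.so.6\x00Generate_DDNS_Update_Header\x00"
          + b"members.ddns.example\x00\x00\x00"
          + b"http://update.ddns.example/nic/update?hostname=%s\x00")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, text in hardcoded_endpoints(data):
        print(f"0x{off:06x}  {text}")
```

The printed offsets are file offsets, so they still have to be mapped to a section's load address before they can be matched against addresses like those in the symbol list.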

Re: [ARCHIVE] Modify firmware Cisco RV016 RV042 RV042G RV082

Posted: 16 April 2017, 07:17
by Etre_Libre

I think you can see this topic is "ARCHIVED", so there will be no change.

Also, I don't have the skill to change Cisco GUI (web interface) because a big part of the Cisco "open" firmware is binary, not with the source code.

Re: [ARCHIVE] Modify firmware Cisco RV016 RV042 RV042G RV082

Posted: 13 May 2017, 15:16
by kompress_k
Thanks for your manual
By the way, after global compiling the firmware, you can speed up the process of further modifications. I edit the rootfs in /tmp/root-rootfs, then you can just collect it without compiling:

cd /root/GPL/CI005-ipv6
source env-setup OCTEON_CN50XX
cd linux/embedded_rootfs
./pkg_addon/tool/cramfs-1.1/mkcramfs -b /tmp/root-rootfs rootfs.cramfs
cd ..
mips64-octeon-linux-gnu-strip ./kernel_2.6/linux/vmlinux.64
./embedded_rootfs/pkg_addon/tool/buildimage -k ./kernel_2.6/linux/vmlinux.64 -r embedded_rootfs/rootfs.cramfs -i ./kernel_2.6/linux/code.bin
./embedded_rootfs/pkg_addon/tool/addchecksum -i ./kernel_2.6/linux/code.bin
chmod 644 ./kernel_2.6/linux/code.bin

Re: [ARCHIVE] Modify firmware Cisco RV016 RV042 RV042G RV082

Posted: 13 May 2017, 15:21
by kompress_k
I can't set up dbclient auth with rsa_key, like: "dbclient -i id_rsa user@host" on my RV042G. I get the error: invalid format key. Not openssh and not dropbear, none work with rsa auth

Re: [ARCHIVE] Modify firmware Cisco RV016 RV042 RV042G RV082

Posted: 13 May 2017, 15:23
by kompress_k
I'm trying to configure autossh on rv042g:)

Re: [ARCHIVE] Modify firmware Cisco RV016 RV042 RV042G RV082

Posted: 14 May 2017, 08:45
by Etre_Libre
Hi, it's an archived topic, I don't have this device anymore and I will not help anymore about that.

Thank you.