This page is about the ZXV10 H220N router from the Dutch ISP KPN. In order to disassemble this device, I had to remove two screws. One was located on the left of the DSL socket, the second one can be found on the right of the Power socket (through the "Warranty void if broken" seal). Pictures listed here are available in a higher resolution, simply click on it.
Why am I doing this? The web UI sucks and gives the user no possibilities to
control the device. My goal is to get a serial console which hopefully allows me
to configure more details such as routing tables and firewall. Perhaps I
can even make it route IPv6. IPv6 seems to get routed in a LAN, see MDNS
traffic for example, or ping6 a fe80::/64 address of another client
in the LAN. There is also hidden IPv6 functionality in the web interface, but
since KPN does not seem to route IPv6, external IPv6 traffic is still not
possible without a tunnel.
In the past, I could get a useful serial console on another "KPN Experia Box", the Siemens SX551 (notes + files) which helped debugging it and allowed me to put Linux on it. Unfortunately, it turns out that the serial port on this H220N does not provide a console. It is really "dichtgetimmerd" (completely useless). If you have more ideas, please contact the author of this article.
The most interesting side of the board: the front. On the top row, from left to right: Power socket, reset button, WAN port, Ethernet (4, 3, 3, 1), Phone2, Phone1, PSTN and DSL.
Below the red power button on the left side, two USB ports are available. The buttons below those ports are used to toggle WPS and ECO mode (save energy when the wireless link is not in use, whatever).
The LEDs on the bottom are labeled (from left to right): Power, Ethernet, USB, Wireless, Voice, Broadband, Internet, TV, Upgrade, WPS and ECO.
"Left" and "right" as seen from the top side. The center picture mostly covers the left side.
CPU: BCM6368VKPB6 (from Martijn Verbakel).
Details for the original KPN H220N Experiabox firmware:
X9 contains some pins for a serial connection. It can be found below the memory
chip (see section Individual chips). The purposes are
written in silk (13.3 TX RX GND R34). I soldered some wires to the TX, RX and
GND pins for use with a PL2303HX USB to TTL converter. Next, I ran screen
/dev/ttyUSB0 115200 and rebooted the router.
Unfortunately, I did not get a shell or access to the boot loader from this. All I got from this serial output was the following log with CRLF-terminated lines.
gInterruptCounter = 0x8110B500 gInterruptErrors = 0x8110B504 gNextRxDesc = 0x8110B4F4 gNextTxDesc = 0x8110B4F0 *** gStartRxDesc[0] = 0xA02E0000 *** gBufferSizeBytes = 640 *** gStartTxDesc[0] = 0xA02C3000 hal6368PcmInit 316 nextTxDesc = 0xA02C3000 hal6368PcmInit 316 nextTxDesc = 0xA02C3008 hal6368PcmInit 320 Ownership for TX desc not set. Use this buffer. DSP: Interrupt Masks --------------- IrqMask_high = 0x00000101 IrqMask = 0x003060B1 IrqMask1_high = 0x40000000 IrqMask1 = 0x00000000 PCM_IUDMA->ctrl[0].intMask = 0x00000005 PCM_IUDMA->ctrl[1].intMask = 0x00000005 DSP: Interrupt Status ----------------- IrqStatus_high = 0x00000000 IrqStatus = 0x00080040 IrqStatus1_high = 0x00000000 IrqStatus1 = 0x00080040 PCM_IUDMA->ctrl[0].intStat = 0x00000000 PCM_IUDMA->ctrl[1].intStat = 0x00000000
The firmware is vulnerable to directory traversal in two ways (both are
unauthenticated and allow only to show directory names). UPnP/DLNA allows to see
media files besides directories, a Bash shell-script to list arbitrary files is
available at upnp-dir.sh. This requires you to enable
UPnP and DLNA first and set a Media Source to /mnt/..
(Applications -> DLNA-DMS).
A more accessible method that does not require UPnP uses the webserver directly.
Simply access http://192.168.2.254/queryDir?/mnt/../ and it shows
all subdirectories. The NodeJS script map-fs.js allows
you to build a list of all directories on the server (example).
The previous bugs only allow me to list directories which tells me something about the kernel (Linux 2.6.21.5). It would be more interesting to see files. The next idea is to put symlinks on USB storage and use FTP to access it. The USB stick I hat laying around was FAT32-formatted, which does not support symlinks. I then tried EXT2 which was also unsupported. NTFS did get recognized though, so I started putting some test files on it:
dotdot, symlink to ..
parent, symlink to ../..
rootfold symlink to /
root.png, symlink to /
cpu.png, symlink to /proc/cpuinfo
mem.png, symlink to /proc/meminfo
Unfortunately the FTP service (modified vsftpd?) does not allow to get past the
/mnt/ directory. Samba returns STATUS_ACCESS_DENIED when I
try to change the directory to the root folder via symlinks. Similarly, attempts
to retrieve mem.png failed. DLNA did not show the symlink file either
(the real image was visible though).
By reading though all pages (JS is beautified using html-beatify), I discovered some hidden functionality. You can set up four SSIDs, all using different passwords. Furthermore, there are also signs of IPv6 support. This bookmarklet Unhide elements can be used to unhide hidden input fields, enable disabled fields and make invisible elements visible. Hidden input fields become pink and get a label prepended.
The UPnP implementation (libupnp 1.6.6) is vulnerable to stack-based buffer overflow. The services does crash when sending some payload, but exploiting it needs custom MIPS code.
I guess that The pins below the memory package on the second picture provide the
serial console. Otherwise, there are also some pins in the top center of the
third picture, labeled like "TP10 TXD" (Test Point 10).
