ℹ️ The following method has been discussed and confirmed on https://discord.pon.wiki as I don't have physical access to the hardware.
The AN5500 is manufactured by Gemtek Technology Co. and deployed by Lumen/Quantum/CenturyLink for use on their PON network.
The latest firmware can be acquired from CenturyLink https://www.centurylink.com/home/help/internet/modems-and-routers/c5500xk.html and extracted by binwalk.
```sh
mkdir c500xk && cd $_
wget http://internethelp.centurylink.com/internethelp/modems/C5500XK/firmware/CKX001-02.00.13.00.bin
binwalk -e CKX001-02.00.13.00.bin
```

## TTY serial access
Failsafe mode is active and is an entry point into the system.
mount_root, or rather /lib/libfstools.so, has been modified to cleanse /overlay of any directories and files not whitelisted in /etc/overlay_whitelist.conf, which prevents straightforward persistent root access.
The serial console ttyS0 is not the standard getty, it's locked down to /usr/bin/avec_console within /etc/inittab.
A limited chroot environment is exposed over SSH with the environment being generated by /etc/init.d/chroot and started by /opt/econet/etc/dropbear init scripts.
With the typical edits being infeasible, we look towards what has been handed to us.
1. Failsafe allows us access to the squashfs and the subsequent overlayfs, albeit whitelisted.
2. We could trouble ourselves to disassemble avec_console looking for signs of a backdoor.
3. Let's not even bother with the chroot SSH, but take note of dropbear's presence.
Choosing the path of least resistance, we opt for #1. The whitelist leaves a lot to discovery, but the one file that stands out is /etc/config/dhcp. Those in the know know that DHCP services are granted the privilege of executing shell scripts, and dnsmasq is no exception; the dhcpscript option spells it out, so let's abuse that privilege.
But before we do that, there are two caveats. First, from the manpage: "<path> must be an absolute pathname, no PATH search occurs". Second, and most important, it must be a file that has been whitelisted.
Nearly all the whitelisted files are configuration files, with the exception of a handful. To keep this guide brief: /etc/urandom.seed is the least essential to system functionality, whatever it contains is simply consumed as raw binary seed data, and, more importantly, seeding takes place after network bring-up — i.e. /etc/rc.d/S19dnsmasq runs before /etc/rc.d/S99urandom_seed.
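The two properties relied on above (a dhcpscript redirected away from the stock hook, and a script body sitting in a file the system treats as raw seed bytes) are also exactly what an owner or operator would audit for. The following check is an added example, not code from the wiki page or from the vendor: it reads a UCI dhcp config and a seed file and flags both traces. The stock hook path /usr/lib/dnsmasq/dhcp_notify_event.sh is the one the page's lease script falls back to; all sample files are constructed inline.

```sh
#!/bin/sh
# Added audit example, not part of the original wiki page. It checks, from the
# device owner's side, for the two traces the technique above leaves behind:
#   1. a dnsmasq 'dhcpscript' option pointing outside the stock hook directory
#   2. an overlay file that should hold raw seed bytes but starts with a shebang
# Paths are the ones the page names; the sample files below are constructed here.

STOCK_HOOK_DIR="/usr/lib/dnsmasq"   # stock hook: $STOCK_HOOK_DIR/dhcp_notify_event.sh

# Print every dhcpscript path in a UCI dhcp config that is not under STOCK_HOOK_DIR.
# UCI syntax is:  option dhcpscript '/some/path'  (single, double or no quotes).
suspicious_dhcpscripts() {
    sed -nE "s/^[[:space:]]*option[[:space:]]+dhcpscript[[:space:]]+['\"]?([^'\"[:space:]]+)['\"]?.*/\1/p" "$1" \
        | { grep -vE "^${STOCK_HOOK_DIR}/" || true; }
}

# Succeed if the file begins with "#!", i.e. a script sits where binary data belongs.
looks_like_script() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# Verdict for one dhcp config and one seed file: returns 0 when clean, 1 when not.
audit_device() {
    status=0
    for p in $(suspicious_dhcpscripts "$1"); do
        echo "dhcpscript outside $STOCK_HOOK_DIR: $p"; status=1
    done
    if looks_like_script "$2"; then
        echo "$2 starts with a shebang; expected raw seed bytes"; status=1
    fi
    return $status
}

# --- constructed samples: a stock device next to one carrying the modification ---
SAMPLE_DIR=$(mktemp -d)
CFG_STOCK="$SAMPLE_DIR/dhcp.stock";       SEED_STOCK="$SAMPLE_DIR/seed.stock"
CFG_MODIFIED="$SAMPLE_DIR/dhcp.modified"; SEED_MODIFIED="$SAMPLE_DIR/seed.modified"
printf "config dnsmasq 'dnsmasq_lan'\n\toption dhcpscript '/usr/lib/dnsmasq/dhcp_notify_event.sh'\n" > "$CFG_STOCK"
printf "config dnsmasq 'dnsmasq_lan'\n\toption dhcpscript '/etc/urandom.seed'\n" > "$CFG_MODIFIED"
printf '\001\002\003\004\005\006\007\010' > "$SEED_STOCK"          # opaque seed bytes
printf '#!/bin/sh\n# constructed stand-in for a planted script\n' > "$SEED_MODIFIED"

audit_device "$CFG_STOCK" "$SEED_STOCK" && echo "stock device: clean"
audit_device "$CFG_MODIFIED" "$SEED_MODIFIED" || echo "modified device: suspicious"
```

On a live unit the same two functions would be pointed at /etc/config/dhcp and /etc/urandom.seed in the mounted overlay.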
- Break into failsafe mode on bootup and mount the overlayfs
  ```sh
  mount_root
  ```
- Modify the lease script in `/etc/config/dhcp`
  ```sh
  uci set dhcp.dnsmasq_lan.dhcpscript="/etc/urandom.seed"
  uci commit dhcp
  ```
- Generate the trojaned lease script `/etc/urandom.seed`
  ```sh
  cat > /etc/urandom.seed << 'EOF'
  #!/bin/sh
  SCRIPT="/usr/lib/dnsmasq/dhcp_notify_event.sh"
  [ -e /var/run/jailbreak.pid ] || (dropbear -P /var/run/jailbreak.pid -E -p 2222 &>/dev/null; uci -q set dhcp.dnsmasq_lan.dhcpscript="$SCRIPT" && uci -q commit dhcp && /etc/init.d/dnsmasq reload &>/dev/null)
  exec $SCRIPT $@
  EOF
  ```
- Modify the root password to something memorable and known
  ```sh
  passwd
  ```
- Reboot with a network cable attached to a remote PC and SSH in after boot, e.g. `ssh -p 2222 root@192.168.0.1`
  ```sh
  reboot
  ```

The pppd daemon has been modified to accept an encrypted password file that is decrypted by /usr/lib/pppd/2.4.7/passwordfile.so.
The password file is generated by encrypting a plain-text password with RSA and the public key /etc/axon_ppp_public.pem, e.g. as found in /lib/netifd/proto/ppp.sh:
```sh
echo "$password" | openssl rsautl -out "$passwdfile" -pubin -inkey /etc/axon_ppp_public.pem -encrypt
```
The private key can be extracted from /usr/lib/pppd/2.4.7/passwordfile.so using binwalk on a remote PC:
```sh
scp -O -P 2222 root@192.168.0.1:/usr/lib/pppd/2.4.7/passwordfile.so ./
binwalk -D="private:der:mv '%e' axon_ppp_private.der" ./passwordfile.so
```
A default password file also exists, /etc/ppp/ctlcred, and can be decrypted with the acquired private key, e.g.
```sh
scp -O -P 2222 root@192.168.0.1:/etc/ppp/ctlcred ./
openssl pkeyutl -in ./ctlcred -inkey ./axon_ppp_private.der -decrypt
```