Hacking COMPLETED Fusee-LEDE Dongle (6$ payload injector)

[Wierd_w]

Damnit.

Ok. Let's get clever. Show me the contents of the existing smbd.conf Maybe we can provide the smbd with a dummy location it already is trying to host, using tmpfs.

 

[OkazakiTheOtaku]

I'm just fascinated by the fact that it's straight up rejecting the usb storage device. That has to be by design, right?

 

[Wierd_w]

I'm just fascinated by the fact that it's straight up rejecting the usb storage device. That has to be by design, right?

I notice that there is a shell script called "storage.sh" in /usr/sbin

I suspect that there is a udev rule that is executing it, and that this shell script is doing something dickish, like ejecting the usb device. Not 100% sure, but that is the suspicion.

In any case, this device is clearly intended to run smbd. That is the samba daemon, which provides windows compatible file shares. I want to see what the default location for shares is. Once we know what that is, we can provide "storage" there with mount, with a type of tmpfs. (this uses ram as a backing for the filesystem.) We can then see if smbd is running (we have ps and grep), and if it is not, we can start it manually.

We should then be able to push our payload file to the device using the windows file share.

 

[Huntereb]

I notice that there is a shell script called "storage.sh" in /usr/sbin

I suspect that there is a udev rule that is executing it, and that this shell script is doing something dickish, like ejecting the usb device. Not 100% sure, but that is the suspicion.

See attached file. It seems to be for mounting devices to be used with SMB, however I cannot seem to get such a function to work properly, even with my USB in NTFS.

 

[Wierd_w]

That does all kinds of things, like setting up ftp (with a deamon that is not installed! Silly chinese firmware makers!)

In any case, lets not chase that. Give me the cat of /etc/samba/smb.conf

(or where ever smb.conf is)

I want to see what samba has for a default share. We have smpasswd, so we can set the samba password to whatever we damn well please, so that is not an obstacle. We just need to know where it expects its storage. We will provide it some, then see if the daemon is running. If it is not, we will start it.

 

[Huntereb]

I want to see what samba has for a default share. We have smpasswd, so we can set the samba password to whatever we damn well please, so that is not an obstacle. We just need to know where it expects its storage. We will provide it some, then see if the daemon is running. If it is not, we will start it.

There is no default share (no /etc/smb.conf). However, running "samba_add_dir.sh" with its default parameters creates smb.conf and an entry within it.

[media]
path = /media
valid users = admin
browseable = yes
writable = yes
create mask = 0664
directory mask = 0775

I've tried killing and then restarting smbd, but I can't see the server on other devices.

EDIT:

Actually, it turns out I can see another device, under the name "ZLMNET". I've tried "admin" as the username and password, but it won't let me access it.

 

[Wierd_w]

There is no default share (no /etc/smb.conf). However, running "samba_add_dir.sh" with its default parameters creates smb.conf and an entry within it.

[media]
path = /media
valid users = admin
browseable = yes
writable = yes
create mask = 0664
directory mask = 0775

I've tried killing and then restarting smbd, but I can't see the server on other devices.

Discovery is unimportant You can point directly at the IP address.

OK, we need to provide "storage" at /media

mount -t tmpfs tmpfs /media

then run

samba_add_dir.sh

then set the samba admin's login with smbpasswd

smbpasswd admin

then if samba is running, kill it. If it is not running, start it with the conf directive to point it to the generated conf file.

smbd -s /somepath/smb.conf

Then point whatever method you use for accessing a file share (windows, whatever) to the ip address of the device, at /media

On linux,
"connect to server" in your file manager
choose windows file share as the type
give the IP address as the server
use "admin" as the user
use whatever password you set with smbpasswd for the password
use "/media" for the share.
press connect.

On windows:

In explorer, on the address bar, type //<IP_Addr>/media
and press enter. When it prompts for user and pass, use "admin" and the password you set.

 

[lufeig]

you probably can flash using the "emergency restore boot" or whatever it's called.

it's a mode where only uboot is loaded, you find what IP address the router is looking for, then you set that ip to your ethernet port.

then you find the name of the file the router is requesting to that IP. then you send the firmware renamed after that file using tftp.

Just checking if this mode is available: turn off the router. press and hold the reset button. turn the router on.

does the blue led stays on?

 

[OkazakiTheOtaku]

it's a mode where only uboot is loaded, you find what IP address the router is looking for, then you set that ip to your ethernet port.

They didn't install uboot

 

[Wierd_w]

Actually, it turns out I can see another device, under the name "ZLMNET". I've tried "admin" as the username and password, but it won't let me access it.

You may need to add the admin user, and or-- set the admin password with smbpasswd.

to add the admin user:

smbpasswd -a admin

to set the password

smbpasswd admin

 

[Huntereb]

Hell yeah @Wierd_w, it worked!

# ls
a5ffe36011adda1b2e65324ec59faa52.png  Thumbs.db

Now, before I fuck anything up... Just copy the firmware.bin and uboot images to the share, and follow the installation process like normal?

 

[Wierd_w]

Hell yeah @Wierd_w, it worked!

# ls
a5ffe36011adda1b2e65324ec59faa52.png  Thumbs.db

Now, before I fuck anything up... Just copy the firmware.bin and uboot images to the share, and follow the installation process like normal?

Absofuckinglutely.

 

[RazorX2014]

what device is it? i don't think you mentioned it

 

[Huntereb]

@Wierd_w Fuck yeah! It worked! Thanks so much for all the help!! How absolutely convoluted a setup, but it actually did work! Huzzah!

 

[Wierd_w]

Muahahahahah!

Persistence is awesome, no?

 

[RazorX2014]

@Wierd_w Fuck yeah! It worked! Thanks so much for all the help!! How absolutely convoluted a setup, but it actually did work! Huzzah!

what device was that?

 

[Wierd_w]

Not a clue.

We might start having to ask for output of

uname -a

on these "I gots troubles in my dongles!" exchanges, so we can then positively identify factory firmwares, and their quirks (like this USB horse-shit), and work-arounds (like this tmpfs + smbd kludge method)

 

[RazorX2014]

Not a clue.

We might start having to ask for output of

uname -a

on these "I gots troubles in my dongles!" exchanges, so we can then positively identify factory firmwares, and their quirks (like this USB horse-shit), and work-arounds (like this tmpfs + smbd kludge method)

but he could atleast link the device he bought and show a image, did he say if it was a 3G/4G wifi Router or something else

 

[Wierd_w]

but he could atleast link the device he bought and show a image

He said he had one of the "with battery" versions of the "3g router" brandless hardware device. The issue is that there are many different motherboard versions in the wild inside identical external shells. We need to positively identify the beast we are dealing with when fielding these exchanges.

 

[Huntereb]

what device was that?

The same one shown here: https://gbatemp.net/threads/fusee-lede-dongle-6-payload-injector.508750/page-5#post-8119274

@Wierd_w I have the same issue as the person I linked to above! The USB is not working properly!

[  490.181664] usb usb2-port1: attempt power cycle
[  490.681515] usb 2-1: new full-speed USB device number 24 using ohci-platform
[  491.111591] usb 2-1: device not accepting address 24, error -62
[  491.301497] usb 2-1: new full-speed USB device number 25 using ohci-platform
[  491.731501] usb 2-1: device not accepting address 25, error -62
[  491.743721] usb usb2-port1: unable to enumerate USB device