A smart door access controller picked up from a scrap yard. There are a few more of the same model around the residential compound, all powered off.
Teardown
Hardware info
- SoC: MediaTek MT7628NN
- Flash: 8 MB
- RAM: 64 MB
- Power: DC 5 V to 25 V
- Ethernet: 1 x RJ45 (10/100 Mbps)
- Wireless: 802.11n, 2.4 GHz only
- 3 LEDs on board
  - Ethernet: GPIO 43/555, active-low
  - WiFi: GPIO 44/556, active-low
  - Power: always on
- Buttons:
  - WPS/RESET: GPIO 14/526, active-low
- Bluetooth: CC2541
- RFID: MF RC522 on I2C@28
- RTC hardware clock: DS1339 on I2C@68
- Matrix keypad
  - LEDs: Green GPIO 3/515 active-high, Red GPIO 11/523 active-high, Yellow = Green + Red
- UART: 1 x UART on the PCB, 57600 8N1
- Relay: GPIO 42/554, active-high
- Buzzer: GPIO 15/527, active-high
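To turn the pin table above into something you can actually run from the device's shell, here is an added example that is not from the original post: it drives the relay, buzzer and LEDs through the legacy sysfs GPIO interface of the 3.10 kernel and folds in the active-low/active-high polarity of each line, so callers think in terms of "on"/"off" rather than raw levels. It assumes (my assumption, not stated in the post) that the second number of each "a/b" pair (e.g. 554 for the relay) is the number the kernel exposes under /sys/class/gpio, that the stock daemons have been stopped so the pins are free, and that GPIO_ROOT can be redirected to a scratch directory for a dry run off the device. The pin names (relay, led_eth, ...) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: drive the controller's outputs
# through the legacy sysfs GPIO interface of the 3.10 kernel, using the pin
# table from the teardown. Assumptions (mine, not stated in the post): the
# second number of each "a/b" pair (e.g. 554 for the relay) is what the
# kernel exposes under /sys/class/gpio; the stock daemons are stopped so the
# pins are free; GPIO_ROOT may point at a scratch directory for a dry run.

GPIO_ROOT=${GPIO_ROOT:-/sys/class/gpio}

# pin_num NAME -> sysfs GPIO number (the names are this example's own).
pin_num() {
    case $1 in
        relay)     echo 554 ;;   # GPIO 42
        buzzer)    echo 527 ;;   # GPIO 15
        led_green) echo 515 ;;   # GPIO 3
        led_red)   echo 523 ;;   # GPIO 11
        led_eth)   echo 555 ;;   # GPIO 43
        led_wifi)  echo 556 ;;   # GPIO 44
        *) return 1 ;;
    esac
}

# pin_polarity NAME -> the physical level (1 or 0) that means "on".
pin_polarity() {
    case $1 in
        relay|buzzer|led_green|led_red) echo 1 ;;  # active-high
        led_eth|led_wifi)               echo 0 ;;  # active-low
        *) return 1 ;;
    esac
}

# level_for NAME on|off -> the value to write for the requested state.
level_for() {
    on=$(pin_polarity "$1") || return 1
    case $2 in
        on)  echo "$on" ;;
        off) echo $((1 - on)) ;;
        *)   return 1 ;;
    esac
}

# gpio_set NAME on|off: export the pin once, make it an output, write it.
# An export failing with "Device or resource busy" means a kernel driver
# (leds-gpio, gpio-button-hotplug) already owns that line.
gpio_set() {
    num=$(pin_num "$1") || { echo "unknown pin: $1" >&2; return 1; }
    lvl=$(level_for "$1" "$2") || return 1
    dir="$GPIO_ROOT/gpio$num"
    [ -d "$dir" ] || echo "$num" > "$GPIO_ROOT/export" || return 1
    echo out > "$dir/direction" && echo "$lvl" > "$dir/value"
}

# gpio_get NAME -> on|off, translating the raw level back through the table.
gpio_get() {
    num=$(pin_num "$1") || return 1
    read -r lvl < "$GPIO_ROOT/gpio$num/value" || return 1
    [ "$lvl" = "$(pin_polarity "$1")" ] && echo on || echo off
}

# led_color green|red|yellow|off: yellow is simply both LEDs driven together.
led_color() {
    case $1 in
        green)  gpio_set led_green on;  gpio_set led_red off ;;
        red)    gpio_set led_green off; gpio_set led_red on  ;;
        yellow) gpio_set led_green on;  gpio_set led_red on  ;;
        off)    gpio_set led_green off; gpio_set led_red off ;;
        *) return 1 ;;
    esac
}

# open_door [SECONDS]: pulse the relay with a beep, releasing it on exit or
# interrupt so a Ctrl-C never leaves the strike energised.
open_door() {
    secs=${1:-3}
    trap 'gpio_set relay off; gpio_set buzzer off; led_color off' EXIT INT TERM
    led_color green; gpio_set buzzer on; gpio_set relay on
    sleep "$secs"
    gpio_set relay off; gpio_set buzzer off; led_color off
    trap - EXIT INT TERM
}
```

On the stock firmware the three board LEDs are most likely claimed by leds-gpio and the button by gpio-button-hotplug (both kmods are in the installed list further down), in which case the export fails with "Device or resource busy" and you drive them through /sys/class/leds instead; the relay, buzzer and keypad LEDs are the ones worth testing through this script. Run it with `GPIO_ROOT=/tmp/fakegpio` first to see which files it touches before letting it near the door strike.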
Firmware analysis
With the Ethernet port connected to a PC, DHCP hands out an address in 10.10.10.0/24; an nmap scan of the gateway shows SSH on port 22 (dropbear, as the netstat output below shows, not OpenSSH) and telnet on port 9900.
Holding the RESET button on the bottom and giving the PC a static address in that range brings up a Firmware Upgrade web console, but in testing it refused to flash any image.
So straight to the TTL serial port.
OS version
QdWrt, and they don't even bother hiding it: it's a modified OpenWrt 14.07 (Barrier Breaker) on kernel 3.10.
root@qc202:/# cat /etc/openwrt_release
DISTRIB_ID="QdWrt"
DISTRIB_RELEASE="2.2.0"
DISTRIB_REVISION="fdf6082e9cb1c51d4b49b6965e33ff8cf39feae2"
DISTRIB_CODENAME="qc202"
DISTRIB_TARGET="ramips/generic"
DISTRIB_DESCRIPTION="QdWrt qc202 2.2.0"
DISTRIB_TAINTS="no-all busybox"
root@qc202:/# cat /etc/openwrt_version
2.2.0
Updating packages with opkg
Tried opkg update: the configured feed is the vendor's own, which no longer resolves, and the app is gone from the app store too, so the vendor has clearly folded.
root@qc202:/# opkg update
Downloading http://www.qding.me/Packages.gz.
wget: bad address 'www.qding.me'
Collected errors:
* opkg_download: Failed to download http://www.qding.me/Packages.gz, wget returned 1.
root@qc202:/# cat /etc/opkg.conf
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
src/gz qc202 http://www.qding.me
Kernel command line
root@qc202:/# cat /proc/cmdline
console=ttyS1,57600n8 root=/dev/mtdblock5 rootfstype=squashfs,jffs2
Partition layout
root@qc202:/# cat /proc/mtd
dev: size erasesize name
mtd0: 00800000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 007a0000 00010000 "firmware"
mtd5: 00661235 00010000 "rootfs"
mtd6: 00270000 00010000 "rootfs_data"
mtd7: 00010000 00010000 "qdinfo"
Listening ports
root@qc202:/# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 1198/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 724/dropbear
tcp 0 0 :::9900 :::* LISTEN 733/telnetd
tcp 0 0 :::53 :::* LISTEN 1198/dnsmasq
tcp 0 0 :::22 :::* LISTEN 724/dropbear
udp 0 0 0.0.0.0:48400 0.0.0.0:* 1080/QDReader2
udp 0 0 0.0.0.0:30000 0.0.0.0:* 1080/QDReader2
udp 0 0 0.0.0.0:53 0.0.0.0:* 1198/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 1198/dnsmasq
udp 448 0 0.0.0.0:45450 0.0.0.0:* 1088/QDReaderWatche
udp 0 0 :::53 :::* 1198/dnsmasq
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 7 [ ] DGRAM 843 612/logd /dev/log
unix 2 [ ACC ] STREAM LISTENING 345 377/ubusd /var/run/ubus.sock
unix 2 [ ] DGRAM 1436 1080/QDReader2
unix 2 [ ] DGRAM 1123 655/netifd
unix 3 [ ] STREAM CONNECTED 850 377/ubusd /var/run/ubus.sock
unix 2 [ ] DGRAM 1217 655/netifd
unix 3 [ ] STREAM CONNECTED 921 655/netifd
unix 3 [ ] STREAM CONNECTED 845 612/logd
unix 2 [ ] DGRAM 890 1/procd
unix 3 [ ] STREAM CONNECTED 922 377/ubusd /var/run/ubus.sock
unix 3 [ ] STREAM CONNECTED 709 1/procd
unix 3 [ ] STREAM CONNECTED 847 377/ubusd /var/run/ubus.sock
unix 2 [ ] DGRAM 1143 724/dropbear
unix 2 [ ] DGRAM 1520 1198/dnsmasq
unix 3 [ ] STREAM CONNECTED 710 377/ubusd /var/run/ubus.sock
unix 3 [ ] STREAM CONNECTED 849 613/logread
WLAN password
The WiFi password is the same on every unit: abc123456.
root@qc202:/# cat /etc/config/wireless
config wifi-device 'mt7628'
option type 'mt7628'
option vendor 'ralink'
option band '2.4G'
option channel '0'
option auotch '2'
option country 'CN'
option macaddr 'xx:xx:xx:xx:xx:xx'
config wifi-iface
option device 'mt7628'
option ifname 'ra0'
option network 'lan'
option mode 'ap'
option encryption 'psk2'
option key 'abc123456'
option ssid 'QD_xxxxxxxxxxxx'
Root password (SSH/Telnet)
After I changed the root password over TTL and rebooted, the root password had been changed back.
Presumably a script resets it, either from a plaintext or from a hash.
As it happens, it does use a hash, but the plaintext is written in a comment right next to it. The comment does all the work!
Bottom line first: the root password is szqdingnet123.
root@qc202:/# cat /etc/rc.qding
...
set_root_password() {
# szqdingnet123
local pw_new="root:$1$YJZCSuYq$dAv3YWx0ahZcmWV9hfgMh1:16857:0:99999:7:::"
local pw_old=$(grep "root:" /etc/shadow)
if [ $pw_old == $pw_new ]; then
echo "root password is configed, return."
else
pw="root:\$1\$YJZCSuYq\$dAv3YWx0ahZcmWV9hfgMh1:16857:0:99999:7:::"
sed -i "s/^root:.*/${pw}/g" /etc/shadow
echo "set root password"
fi
}
...
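Two things in the vendor's set_root_password() above are worth seeing in action, so here is an added example (my code, not the vendor's): the `pw_new` line is built inside double quotes, so the shell expands `$1` (the function's first argument), `$YJZCSuYq` and `$dAv3YWx0ahZcmWV9hfgMh1` (unset variables) and the hash silently disappears, which means the comparison can never match and the sed rewrite runs on every boot whether or not the password was changed; and the unquoted `[ $pw_old == $pw_new ]` would misbehave on empty values anyway. The script reproduces the expansion bug, shows a corrected comparison, and runs both against a constructed copy of the shadow line (only the hash is real, copied from /etc/rc.qding above), so it can be tried on a PC. Note that fixing the comparison still leaves the boot-time reset in place: that reset is what reverted my TTL password change, and the bug only means it also rewrites the file when nothing changed.

```shell
#!/bin/sh
# Added example, not the vendor's code: shows why the stock
# set_root_password() rewrites /etc/shadow on every boot, and the quoting
# fix. Runs against a constructed shadow file; only the hash is real.

# The root entry the vendor intends to enforce (hash copied from rc.qding).
STOCK_LINE='root:$1$YJZCSuYq$dAv3YWx0ahZcmWV9hfgMh1:16857:0:99999:7:::'

# vendor_pw_new: the vendor's assignment, verbatim. Inside double quotes
# the shell expands $1 (this function's first argument, empty here),
# $YJZCSuYq and $dAv3YWx0ahZcmWV9hfgMh1 (unset variables), so the hash
# vanishes and pw_new can never equal the line actually in /etc/shadow.
vendor_pw_new() {
    local pw_new="root:$1$YJZCSuYq$dAv3YWx0ahZcmWV9hfgMh1:16857:0:99999:7:::"
    printf '%s\n' "$pw_new"
}

# fixed_pw_new: single quotes (as used for STOCK_LINE) keep every $ literal.
fixed_pw_new() {
    printf '%s\n' "$STOCK_LINE"
}

# root_line FILE -> the root entry of a shadow-format file.
root_line() {
    grep '^root:' "$1"
}

# would_reset FILE WANTED -> 0 when the reset branch would run, i.e. the
# current root entry differs from WANTED. Both sides are quoted, so empty
# or odd values compare correctly, unlike the vendor's [ $a == $b ].
would_reset() {
    [ "$(root_line "$1")" != "$2" ]
}

# set_root_password_fixed FILE: the vendor's logic with the comparison
# corrected, so the rewrite happens only when the hash really differs.
# Uses a temp file instead of sed -i so it is portable beyond busybox/GNU.
set_root_password_fixed() {
    if would_reset "$1" "$STOCK_LINE"; then
        sed "s/^root:.*/$STOCK_LINE/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
        echo "set root password"
    else
        echo "root password is configured, return."
    fi
}

# demo -> "vendor:rewrites fixed:keeps" for a shadow file that already
# holds the intended line: the stock check fires anyway, the fixed one not.
demo() {
    f=$(mktemp)
    printf '%s\n' "$STOCK_LINE" 'nobody:*:16857:0:99999:7:::' > "$f"
    if would_reset "$f" "$(vendor_pw_new)"; then v=rewrites; else v=keeps; fi
    if would_reset "$f" "$(fixed_pw_new)";  then x=rewrites; else x=keeps; fi
    rm -f "$f"
    echo "vendor:$v fixed:$x"
}
```

Run `demo` to see the two behaviours side by side; `vendor_pw_new` prints `root::16857:0:99999:7:::`, which is the string the vendor script really compares against. Whatever the comparison does, a password you set yourself survives a reboot only if this function stops being called from rc.qding, so that is the line to look for there.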
Installed packages
root@qc202:/# opkg list-installed
kernel - 3.10.14-p112871-1-479cfba38eae3a80f46a23ab5e92588d
kmod-dnsresolver - 3.10.14-p112871-1
kmod-fs-nfs - 3.10.14-p112871-1
kmod-fs-nfs-common - 3.10.14-p112871-1
kmod-gpio-button-hotplug - 3.10.14-p112871-1
kmod-hw_wdg - 3.10.14-p112871-1
kmod-input-core - 3.10.14-p112871-1
kmod-input-evdev - 3.10.14-p112871-1
kmod-input-polldev - 3.10.14-p112871-1
kmod-ip6tables - 3.10.14-p112871-1
kmod-ipt-conntrack - 3.10.14-p112871-1
kmod-ipt-core - 3.10.14-p112871-1
kmod-ipt-nat - 3.10.14-p112871-1
kmod-ipt-nathelper - 3.10.14-p112871-1
kmod-ipv6 - 3.10.14-p112871-1
kmod-lib-crc-ccitt - 3.10.14-p112871-1
kmod-mt7628 - 3.10.14-p112871+p4rev-120396-1
kmod-ppp - 3.10.14-p112871-1
kmod-pppoe - 3.10.14-p112871-1
kmod-pppox - 3.10.14-p112871-1
kmod-qd-dev - 3.10.14-p112871-1
kmod-rdm - 3.10.14-p112871-1
kmod-slhc - 3.10.14-p112871-1
kmod-spi-dev - 3.10.14-p112871-1
libblobmsg-json - 2014-08-04-dffbc09baf71b294185a36048166d00066d433b5
qd-utils - 1
qding-files - 1-fdf6082e9cb1c51d4b49b6965e33ff8cf39feae2
qdspi-test - 0.1
The vendor did have some engineering capability, writing kernel modules of their own, although rmmod on them causes a kernel panic.
Flashing firmware
Flashing Breed
Connect to the device at 10.10.10.1 over SSH (port 22) or Telnet (port 9900); the password is szqdingnet123.
The stock firmware ships no sftp, so start an HTTP server on the PC with python -m http.server and pull the file onto the device with wget.
mtd write breed-mt7688-reset38.bin Bootloader
Enter Breed via Breed Enter / UART (the RESET button's GPIO is unknown, so the button cannot be used).
Back up the EEPROM and a full programmer image (flash dump) first.
Flash the firmware and reboot.
2024-12-11 update: a PR has been submitted to OpenWrt and is awaiting merge; that firmware can use the RTC and the RFID reader (if you add the kmod yourself).
Enter Breed again via Breed Enter / UART (the RESET button's GPIO is unknown, so the button cannot be used).
The generic Breed build makes some hardware misbehave (e.g. the RTC reading year 2082, GPIO errors), so flash the stock bootloader back via Breed (dumps/mtdblock1 from the stock firmware download below).
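The "back up first" step deserves to be concrete, since writing the Bootloader partition is the one step with no button-based recovery on this board. The following added example (mine, not from the post) ties it to the partition layout shown earlier: it parses the /proc/mtd listing from the post (embedded as a constant so it runs on a PC), checks that the top-level partitions account for the full 8 MB flash, flags the one partition whose size is not erase-aligned, and prints the ssh commands that pull every partition to the PC in the dumps/mtdblockN naming the post uses. It assumes the device's dropbear runs a command passed on the ssh command line, that busybox cat is present on the device, and that /dev/mtdblockN nodes exist, which is the normal OpenWrt layout.

```shell
#!/bin/sh
# Added example, not from the original post: parse the device's /proc/mtd
# (the listing from the post, embedded as a constant), check the layout
# adds up, and print the commands to pull every partition to the PC before
# "mtd write ... Bootloader". Assumes dropbear executes a command given on
# the ssh command line and that /dev/mtdblockN exists on the device.

PROC_MTD='dev:    size   erasesize  name
mtd0: 00800000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 007a0000 00010000 "firmware"
mtd5: 00661235 00010000 "rootfs"
mtd6: 00270000 00010000 "rootfs_data"
mtd7: 00010000 00010000 "qdinfo"'

# mtd_field NAME COL -> column COL (1=dev, 2=size, 3=erasesize) of the
# partition called NAME; non-zero exit if there is no such partition.
mtd_field() {
    v=$(printf '%s\n' "$PROC_MTD" | awk -v want="\"$1\"" -v col="$2" '$4 == want { print $col }')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# mtd_size NAME -> size in bytes, decimal (/proc/mtd prints hex).
mtd_size() {
    hex=$(mtd_field "$1" 2) || return 1
    echo $((0x$hex))
}

# mtd_dev NAME -> the mtdN name without the trailing colon.
mtd_dev() {
    d=$(mtd_field "$1" 1) || return 1
    printf '%s\n' "${d%:}"
}

# layout_ok -> 0 when the non-overlapping partitions sum to "ALL". "ALL"
# spans the whole chip, and rootfs/rootfs_data are carved out of firmware,
# so the disjoint set is Bootloader, Config, Factory, firmware and the
# trailing 64 KiB qdinfo.
layout_ok() {
    sum=0
    for p in Bootloader Config Factory firmware qdinfo; do
        sum=$((sum + $(mtd_size "$p")))
    done
    [ "$sum" -eq "$(mtd_size ALL)" ]
}

# erase_aligned NAME -> 0 when the size is a multiple of the erase block.
# rootfs is the raw squashfs size and is not aligned; rootfs_data starts
# at the next erase boundary inside firmware, which is why it need not
# match rootfs's end.
erase_aligned() {
    sz=$(mtd_size "$1") || return 1
    es=$((0x$(mtd_field "$1" 3)))
    [ $((sz % es)) -eq 0 ]
}

# backup_plan [HOST] -> one ssh line per partition, reading /dev/mtdblockN
# on the device and saving it as dumps/mtdblockN on the PC. mtdblock0
# ("ALL") is the full image a programmer can restore; mtdblock1 is the
# stock bootloader the post later flashes back through Breed.
backup_plan() {
    host=${1:-10.10.10.1}
    echo "mkdir -p dumps"
    printf '%s\n' "$PROC_MTD" | awk 'NR > 1 { gsub(/"/, "", $4); sub(/:$/, "", $1); print $1, $4 }' |
    while read -r dev name; do
        n=${dev#mtd}
        echo "ssh root@$host \"cat /dev/mtdblock$n\" > dumps/mtdblock$n   # $name, $(mtd_size "$name") bytes"
    done
}
```

After running the printed commands, `ls -l dumps` should show each file at the byte size noted in its comment (mtdblock0 exactly 8388608 bytes); a short file means the transfer was cut off and the dump is not a usable backup. The same discipline applies in the other direction: after wget pulls breed-mt7688-reset38.bin onto the device, compare `md5sum` of the copy on the device with the copy on the PC before `mtd write`, because a truncated image written to Bootloader leaves only the programmer path for recovery.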