GL iNet 300M Fun (Pt.1)

I would like to preface this by stating that I have no idea what I am doing, I am just playing and messing around and you probably shouldn’t take my word as gospel! That being said, I feel like I’ve learnt some things, hopefully you can from this blog also.

So I bought a couple of mini routers from amazon, thinking they would be prime targets for learning hardware hacking. Heres the listing for this router:

Yup at the time “OpenWrt” didn’t register in my brain and I was expecting something with custom stuff on it to pull and reverse! needless to say it was still a fun little device to play with.

Heres how it looks once you get it out of the box:

Nice, default wifi password of “goodlife”.

The first thing I did was plug in the USB and connect to the wifi, then load up the webpage to configure the device (http://192.168.8.1)

First it asks you the time, then to insert a password for the device, after that you can log in. There’s not much here really, standard router stuff. At the top right I notice “Advanced Settings” – Of course I go there. I’m greeted with another login page this time it asks for a username and password, but the username is pre-populated with “root”. I don’t know the root password, I figure I’d try the password I’d just created to access the basic web settings. It works! so I do a quick portsan of the routers IP (192.168.8.1) and find SSH open, low and behold I can login with the same root user and password.

I’m greeted with a “LEDE” banner, “LEDE Reboot 17.01.4 r3560-79f57e422d” specifically, so now I know the software in use, and that everything runs as root! It turns out this is a build of openwrt.

There’s not much to play with with the webapp or openwrt, I didn’t figure there would be, it’s open source so could have played with it to look for vulns without buying this router.
I originally noted that it’s running on lighttpd: 1.4.37 and running an out of date version of jQuery, again – pretty useless.

It turns out there’s no brute force protection on either of the login pages!
For the basic login page you have to request a token each time you try to log in, I couldn’t be bothered to script this up, especially when there’s no such protection on the advanced settings login page, as demonstrated below:

After having a play with the webapp for all of 2 seconds It’s time to open the box, it’s fairly simple, just a couple of plastic clips and the bottom falls off.

Heres some magnified pics of the chips, they might helps someone:

Hopefully you spotted the three male header pins that came attached to the PCB in the photo above, lets take a closer look:

GND, RX0 & TX0 These seem a lot like serial to me, what a perfect excuse to pull out my new oscilloscope:

Yup that looks like data! Ok now lets get the USB->Serial cable out and find out what baud rate it’s running at!

To find the baud rate I used the script “baudrate.py” from https://github.com/biw/Baudrate.py the following command is how the script works

╰» ./baudrate.py -p /dev/ttyUSB1 -a 

The following command is then used to see what is being transmitted over that serial port:

╰» screen /dev/ttyUSB1 115200

Which drops me into a root shell, no password needed!

I then reboot the router a few times to see if I can get into the bootloader as I am suspicious that it should be possible, low-and-behold it is:

Well I didn’t expect this post to be this long and I have yet to show the hacks/mods I’ve done to this device. So I think I’ll end this here, I hope you’ve learnt something, I’ve certainly had fun so far.

Next up I do some hardware hacks/mods to this little router: GL iNet 300M Fun (Pt.2)

Leave a Reply