NWR04B: Checksum closer for new firmware
19 Feb 2005
Ha! In the Runtop firmware, there are the strings "Repotec" and "ip2014". Sure enough, a Google on the latter turns up lots of references to the IP2014 router from Repotec. This version of their firmware has the same structure as the Network Everywhere and Runtop firmware: bootloader + application.bin.gz. However, the firmware is much more similar to the RT bootloader (the one I haven't figured out the checksum for yet). The length is the same, but the md5sum differs. A quick diff of the hexdump outputs turns up this:
diff ../original_runtop/bl.hd bl.hd
1,4c1,4
< 00000000 06 00 00 ea 02 00 00 00 03 00 00 00 03 13 00 02 |................|
< 00000010 02 00 00 00 5f 6c 0a 00 cd 33 6e 05 67 02 00 00 |...._l...3n.g...|
< 00000020 13 00 00 ea 02 00 00 00 03 00 00 00 03 13 00 02 |................|
< 00000030 02 00 00 00 3f 6c 0a 00 4b 30 6e 05 c2 01 00 00 |....?l..K0n.....|
---
> 00000000 06 00 00 ea 02 00 00 00 0a 00 00 00 02 12 00 1b |................|
> 00000010 02 00 00 00 6c 6b 09 00 26 27 e7 04 55 02 00 00 |....lk..&'..U...|
> 00000020 13 00 00 ea 02 00 00 00 0a 00 00 00 02 12 00 1b |................|
> 00000030 02 00 00 00 4c 6b 09 00 05 24 e7 04 11 02 00 00 |....Lk...$......|
...which means this is where the checksum must be!
15 Comments
From: Hugh Redelmeier
21-February-2005-09:17:46
Your link http://61.220.126.210/broadband_router/BR1307_0116V218.dlf does not work for me ("The connection was refused").
The ASCII portion of your diff has & # 8230 ; characters. According to my UNICODE reference manual, this is a CJK Unified Ideograph. I doubt that is what you intended to display.
My recently-flashed runtop firmware reports itself as version 3.19.0002 (2003.11.11). That looks a bit like a portion of your diff "03 13 00 02".
Do you have a decent disassembler for ARM? Perhaps reading the code would let you figure out the checksum more easily than guessing and checking a bunch of checksum functions.
I would expect a simple checksum to be 32 bits or less. A tricky checksum (say, a cryptographic hash) might be longer. A reasonable checksum would probably have no 00 bytes (statistically, each byte has one chance in 256 of being zero).
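The header diff from the post can be checked mechanically against the two observations in the comment above (the version-like bytes and the no-zero-bytes heuristic). This is an added example, not code from the post or its commenters: the byte strings are copied from the hexdump diff, while the version-field layout, the offsets chosen and the function names are assumptions.

```python
import struct

# First 0x40 bytes of each bootloader, copied from the hexdump diff in the post.
RUNTOP = bytes.fromhex("""
    06 00 00 ea 02 00 00 00 03 00 00 00 03 13 00 02
    02 00 00 00 5f 6c 0a 00 cd 33 6e 05 67 02 00 00
    13 00 00 ea 02 00 00 00 03 00 00 00 03 13 00 02
    02 00 00 00 3f 6c 0a 00 4b 30 6e 05 c2 01 00 00
""")
REPOTEC = bytes.fromhex("""
    06 00 00 ea 02 00 00 00 0a 00 00 00 02 12 00 1b
    02 00 00 00 6c 6b 09 00 26 27 e7 04 55 02 00 00
    13 00 00 ea 02 00 00 00 0a 00 00 00 02 12 00 1b
    02 00 00 00 4c 6b 09 00 05 24 e7 04 11 02 00 00
""")
# Assumption: one version field per 0x20-byte header, at +0x0c.
VERSION_OFFSETS = (0x0C, 0x2C)


def differing_words(a, b):
    """Offsets of the 32-bit words that differ between two header dumps."""
    return [off for off in range(0, min(len(a), len(b)), 4)
            if a[off:off + 4] != b[off:off + 4]]


def decode_version(image, off=0x0C):
    """Assumed layout: major byte, minor byte, 16-bit big-endian build number."""
    major, minor, build = struct.unpack_from(">BBH", image, off)
    return f"{major}.{minor}.{build:04d}"


def checksum_candidates(a, b):
    """Differing non-version words with no 00 byte in either image."""
    return [off for off in differing_words(a, b)
            if off not in VERSION_OFFSETS
            and 0 not in a[off:off + 4] and 0 not in b[off:off + 4]]


def le32(image, off):
    """Read one 32-bit word as little-endian (assumed byte order)."""
    return struct.unpack_from("<I", image, off)[0]


if __name__ == "__main__":
    print("versions:", decode_version(RUNTOP), decode_version(REPOTEC))
    hits = checksum_candidates(RUNTOP, REPOTEC)
    for off in differing_words(RUNTOP, REPOTEC):
        tag = "  <- checksum candidate" if off in hits else ""
        print(f"0x{off:02x}: {le32(RUNTOP, off):#010x} vs {le32(REPOTEC, off):#010x}{tag}")
```

The decoded Repotec version matches the 2.18.0027 string reported further down the thread. Passing the no-zero-bytes filter only narrows where a checksum might be stored; it says nothing about which algorithm produced it.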
From: Andrew
21-February-2005-12:52:10
Hello! This may seem a bit offtopic, but I've been following this NWR04B blog for a while, and was impressed with the result of flashing the Runtop firmware to the router. Of course, I couldn't stop at that, and after babelfishing through pages of German forums, I found another firmware that I wanted to try (to see if it could fix the occasional locking up the router would still do). This was at
http://lanware.org.uk/support/wr1200/WR1133_Lanware_0411V311.dlf
user:lanware
password:router
I have no idea if it's newer or older than the Runtop firmware, but I do know that it has caused an odd problem: the router still works (it connects, updates DynDNS, responds to pings, and routes just fine), but the web interface is completely inaccessible. Port 80 on the router reads as open, but things seem to fall apart after the HTTP "get" is sent, as the router kills the TCP connection immediately after the get is received.
Anyhow, I was wondering if anybody here might know a way to upload a different firmware other than cracking open the router and soldering on a serial connection (something I seriously doubt I could do). Is there some HTTP "post" command I could try to let me upload another firmware?
Thank you for any assistance,
Andrew.
From: Saint Aardvark
21-February-2005-14:07:17
Hugh: I noticed that the site stopped responding as I was writing; I'd assumed it was temporary, but maybe my download hosed their server or something. :-) I'll put up a link to my own copy of the firmware in a bit.
Re: diff: yeah, the auto-htmlification of Wordpress gets annoying sometimes, and I haven't figured out a good workaround. I'll put up a proper diff of that at some point too, along with maybe reorganizing the pages in the wiki; the display is pretty annoying there, too. Back to vi and plain old tables.
Re: disassembler: I'm using disarm; don't have a link at the moment, but I probably found it on the HRI site. Trouble is that I don't really know assembler, let alone ARM assembler, so it's very slow work for me.
Andrew: Hi there, glad to hear from you, and thanks for the link to the Lanware firmware. I'll have a look at it later. What you're describing (web page not responding) sounds similar to what Hugh experienced; see comment 10 here for details.
As for different firmware: two of the three images I've seen have the regular upgrade-your-firmware page plus hidden pages (see this page at the bottom for details). Of course, if your web interface has gone away then you're going to have trouble doing that. You could try just a POST, but if GET doesn't work I'd suspect POST wouldn't either.
I'd try portscanning the router with nmap or some such to see if it's maybe listening on another port. Who knows, maybe it has telnet working. Another thing that might work is TFTP; the images I've seen have the ability (not tested very much so far) to get new firmware this way. The trouble is that so far I've only seen that through the serial port connection, and I have no idea how you might trigger it some other way.
From: julian
22-February-2005-12:53:03
Excellent site. I too have been taking my own whack at the nwr04b but haven't had the same luck. I was interested though in the hidden URLs that didn't exist in any of the documentation. I changed the interface to the runtop interface in the hopes to find a way to collect router information from the logs for both incoming and outgoing traffic. I am exploring what the one hidden page has that seems to allow you to buffer information for various items. My hope is to have it tie into wallwatcher.
http://www.sonic.net/wallwatcher/
So far all I can get from wallwatcher is that there is a ping, changing one of the options in the router, but yet no logs moving as of yet. Maybe by moving to a linux firmware I might have more luck.
From: Andrew
22-February-2005-20:16:00
Well, I have good news and bad on my front. Good is that the router has been stable as a rock since I flashed in the Lanware firmware - it runs a little warmer than with the Runtop firmware, but it hasn't had a single hitch in around two days now. Bad is that the web interface is still busted. Ports 1 and 80 are the only ones responding, and they both close the connection as soon as you send one byte of _anything_ after the connection is established.
I figure I might as well try setting up the serial connection and reflashing the same firmware (maybe the flash went bad, and I'd certainly like to keep the stability this firmware provides). I've noticed on this (http://saintaardvarkthecarpeted.com/pix/pictures/showPicture.php?image=645&album=20) page that there is a really whacky card in use - is that something I'll be having to find, or would something like this (http://www.iguanalabs.com/232Kit.htm) with a MAX232 & DB9 female suffice? Or do I need to find an actual MAX3232 chip (which looks like it could be quite a mission to do). Thanks again!
From: Saint Aardvark
23-February-2005-07:01:47
Julian -- Hi there, thanks for stopping by! After taking a quick look at the Wallwatcher site, I wonder if you'd be able to get the information it needs from the NWR04B's log pages. (I'm talking here about the original Network Everywhere firmware.) Firefox just crashed on me :-( when I tried to go there, but it did offer incoming and outgoing log pages; since I haven't been using this thing as a router, I'm unsure what might actually be there. I haven't really investigated the Runtop firmware's web interface yet. Linux would certainly be one way of getting syslog working. Although now that I think of it, I really don't know if syslog is in any of the current firmware or not; I haven't been listening for it.
When you talk about a ping from WW changing an option in the router, are you talking about an actual ICMP ping, or some kind of HTTP request?
Andrew -- Good to hear back from you. Just so I'm clear, you didn't reflash the Lanware firmware -- this is just from the first flash using the original Network Everywhere web interface, right? And port 1 -- weird. According to RFC 1078 and this page, it's TCPMUX; you should be able to telnet in, type HELP, and get a list of services it knows about. Seems like an odd thing for a router to have, but who knows.
As for the hardware to use to make a serial connection: the picture you saw is of some hardware Paul had that happened to do what was needed. The kit you show seems like it'd certainly do the trick, although you'll need a board to assemble it all on, plus some header pins to attach to the router. The chip itself doesn't seem to be that hard to come by; I was able to find it at a local electronics store w/o much difficulty (although it's a clone made by Sipex rather than the original from Max).
Everyone: I'm going to put up a blog entry about this, but I've added some links in the wiki page for details about how well different firmware works. I'm happy to summarize stuff from different comments on the blog, but if anyone wants to add details or opinions, please feel free.
From: julian
23-February-2005-14:30:43
Well bad news for me as well. Teaches me to leave well enough alone. I had the runtop firmware running for about a day no problems and then this morning after a recycle of one of my nodes and the router I started noticing some very odd things. First, all the nodes in my network started showing up with a very odd IP address. Not the usual 192.168.1.102, 103, 104 etc address. I'm talking 169.254 addresses on several nodes. Not to mention everything connectivity wise just started dying. Wireless showed a connection but no activity in releasing and obtaining a new IP. I forced one of the nodes to a specific IP at the 130 range and was able to get back into the router but no surfing outside of that.
At this point, since I work from home, I really needed my connectivity back so I decided to reload the original firmware. Now I have connectivity to the network and internet but no connection back to the router as far as webpages go. This SUX Major and I can't figure or find my DMZ now.
re-ping : This was a setting in one of the options to turn on icmp ping so machines could see the router on the network. I think on the runtop it's one of the anti-hack options.
re-wallwatcher: Well assuming I'll be buying a new router now, I'll let you know how it goes. Really wish there was a way to recover my current one. I may get on my linux node and scan against it.
From: varu
23-February-2005-18:32:17
Last night at about 11PM, my router crapped out with the same problem. Upon a restart, it did the 169.254 thing. I fixed it with a reset from the button at the back, and upped my backup config settings [do that on the backup page, saves a 40(k?)byte file called config.bin on your disk], and it's working nicely again. I had a couple of AC/DC converters stacked up on it, the extra heat probably made it crash. So... I'll try to keep it cool and see if it happens again - it's been stable for more than a week.
From: julian
23-February-2005-18:46:01
Really hate to overcomment here but couldn't find an email. Anywho, in trying to look at where the web interface went I decided to do an nmap against the 192.168.1.1 address I'll assume the router still sits on. Came up with below..
nmap 192.168.1.1
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.1.1):
(The 1594 ports scanned but not shown below are in state: closed)
Port State Service
1/tcp open tcpmux
67/tcp filtered dhcpserver
135/tcp filtered loc-srv
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
Not seeing a recognizable port for serving up a web page, how does the firewall do it? Still researching, yeah I could go grab some modular tabs and hack up a serial cable but hoping for something easier.
julian -
From: Saint Aardvark
24-February-2005-07:39:22
Varu: Thanks for the info on the new firmware. That's the one from the Runtop website, right? If you've got a minute, it'd be cool if you could add a few words to the wiki page; if not, no problem, I'll add it myself.
Julian: No problem about overcommenting. Email can be found on the front page of my site, but it's good to leave stuff here, too -- that way everyone can find it.
Is this after uploading the Runtop firmware or the Lanware firmware? If it's the Runtop -- I haven't come across that before. (Of course, I looked at the web interface for the first time this morning; I've been mostly working over the serial port on these things, and trying to figure out the checksum for the firmware.) Again, if you've got a moment, contributions are always welcome on the wiki page. If the web page isn't responding, I don't know what to suggest. You could try just turning it off and letting it cool down for a few minutes, since these things seem to run pretty hot.
If it's the Lanware firmware, I'm just running nmap right now against the whole 65535 ports, and I see pretty much the same thing you do:
Interesting ports on 192.168.1.1:
(The 65533 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
1/tcp open tcpmux
113/tcp closed auth
However!
telnet 192.168.1.1 1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
IDENT
HTTP/1.0 400 Bad Request
Content-Type: text/html
400 Bad Request400 Bad RequestConnection closed by foreign host.
telnet 192.168.1.1 1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
GET / HTTP/1.1
HTTP/1.0 401 Unauthorized
Content-Type: text/html
WWW-Authenticate: Basic realm="Web Manager"
401 Unauthorized401 UnauthorizedConnection closed by foreign host.
If I had to guess, looks like it's a web server on port 1 w/a really short timeout.
From: julian
24-February-2005-10:28:18
Ok with that said, tried some different things. First on firefox I tried a http://192.168.1.1:1 and get a popup response saying "Access to port number has been disabled for security reasons." That's interesting.
If I do a wget against 192.168.1.1 I get ...
wget 192.168.1.1:1
--11:42:12-- http://192.168.1.1/
=> `index.html'
Connecting to 192.168.1.1:80... failed: Connection refused.
However with the 192.168.1.1:1 I get ...
Connecting to 192.168.1.1:1... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Authorization failed.
So with the :1 is it implying that I can authenticate? Looking at wget I see there are some options but not sure if they apply..
--http-user=USER set http user to USER.
--http-passwd=PASS set http password to PASS.
Now here comes the fun part. My websites and other machines are still being routed just fine. I decided to see what happens when I tried calling a wget against one of the pages that requires an authentication. Note below..
wget http://192.168.1.103/mp3
--11:53:54-- http://192.168.1.103/mp3
=> `mp3'
Connecting to 192.168.1.103:80... connected.
HTTP request sent, awaiting response... 401 Authorization Required
Authorization failed.
Am I hunting down the wrong path here? Could there be a way to perl script out some requests?
From: Andrew
24-February-2005-15:55:31
I just tried something odd today; I tried connecting to the router from outside my network, and oddly enough, the web interface worked. And now after reading Julian's post here, I just put http://192.168.0.1:1 into my browser at home, and that worked too! (BTW Julian, Firefox & Opera won't allow you to connect to port 1 for some reason. MSIE, however, does just fine)
I had enabled remote admin on the router (set to port four thousand and something) before I flashed to the Lanware firmware (my sequence of firmwares went: Network Everywhere Original -> Current Runtop -> Older Runtop -> Current Runtop -> Lanware) and somehow things got mixed up and the remote admin port became set to port 80 and the local admin port (which should be 80) became port 1. *scratches head*
Anyhow, since I got the web interface going, I tried the Repotec firmware too. Here are the "alternate" firmwares I've tried:
Runtop (new): 3.19.0002 - 2003.11.11
Runtop (old): 3.14.0014 - 2003.07.15
Lanware : 3.11.0008 - 2003.04.11
Repotec(old): 2.18.0027 - 2004.01.16
I don't really know much about all of these firmwares - I was mostly just looking to see if there are any obvious differences between them (there aren't as far as wired connections and menu options go). I'm back on the Lanware firmware for now, just because it hasn't caused any router crashes yet (around four days now). The only other firmware that I spent a measurable time with was the "new" Runtop one, which crashed after about 12 hours of work (and geez does that thing get hot when it crashes!). Unfortunately, I can't say anything about how these firmwares affect wireless connections, as I don't have any wireless hardware (only reason I have this thing is because it was cheap). I suppose someone else will have to test the wireless themselves. Also, I'm still going to try the "new" Repotec firmware (http://61.220.126.210/wirelessLan/RP-WR1134%202004-09-17%201230-1250-NB1F.dlf), but I'm going to have to wait until their server is back online. Judging from the filename, it looks to be the most recently published firmware.
To finish things off, I used the "reset to factory defaults" command on the hidden /revive.htm page, and the web interface is now snugly back on port 80 - exactly where it should be. :)
From: Saint Aardvark
25-February-2005-06:33:45
Just read Andrew's post, and I'm able to get web pages back on port 80 by holding down the reset button for 10-30 seconds (long enough for all the LEDs on the front to flash). Julian, does that work for you?
From: Julian
25-February-2005-08:04:06
Great news. Thanks to the previous posts, I was able to get the interface back by going through the :1 using IE. Go figure. Also I noticed, as previously stated, that the remote management was disabled but the port number was indeed set to 1 for some reason. I changed it back to the 80 and we are back up and running.
Well that was an adventure. Now back to sq1 in that I really need a way to manage the logs from the router. Do any of the firmwares allow for the router to submit the logs to an IP like in some linksys models? Still haven't been able to figure out a way to get wallwatcher to work with this router. I'd even be happy with trying to get linux working on it and put up a better firewall altogether.
Again, my hats off to Andrew on the easier fix to this previous problem.
From: Joe
17-February-2005-22:51:35
We're pretty excited about it over here.