Hacking the Netgear N300 Wireless Router
Hardware hacking the Netgear N300 Wireless Router (WNR2000v4).
Hardware
- Wireless Router - The device being penetration tested is the Netgear N300 Wireless Router (WNR2000v4). Note that this is the fourth hardware version of the router.
- Jumper Wires - A total of three male-to-female jumper wires were used to connect the RX, TX, and GND pins. It does not hurt to have all three types (male-to-male, male-to-female, female-to-female) on hand in case they are ever needed.
- USB to UART Converter - This module bridges the computer and the router's UART interface. Specifically, this board from Amazon was used; choose one with a selectable 3.3V/5V logic level, since the router's UART runs at 3.3V (measured below). Note that the converter uses a Mini-USB port, so make sure you have a Mini-USB cable to connect it to your computer.
- Multimeter - A multimeter is used to identify each individual pin of the UART interface.
- Torx Bit - A T5 torx bit was used to open the wireless router's case in order to access the electronic board.
Hardware Disassembly
Use the T5 torx bit to remove the single screw from the bottom of the case. Afterwards, remove the plastic side cover and carefully pry out the electronic board. Review the disassembly video in the resources section if additional help is needed.
Locating UART Interface
With the board out of the case, a four-pin header labeled JP1 is visible; this is the UART interface. The pins themselves are not individually labeled, so a multimeter is required to identify them.
Identifying GND, RX, TX, and VCC using a Multimeter
Now that the UART interface has been located, one must identify the individual UART pins as they are not labeled. This can be achieved using a multimeter.
- Ground (GND) - With the router powered off, set the multimeter to continuity mode, hold one probe on a known ground point (for example the metal shielding around the Ethernet ports), and touch the other probe to each pin of JP1 until the meter emits a tone. The tone means there is near-zero resistance between the two points, i.e. they are electrically connected.
- Receiver (RX) - With the multimeter set to measure DC voltage on the 20V range, the receiver (RX) pin shows a steady reading, typically 0V, because nothing is sending data to the router. On some boards the pin instead sits at a constant pull-up level; the point is that it does not fluctuate. Ensure the router is powered on when measuring.
- Transmitter (TX) - With the multimeter set to measure DC voltage on the 20V range, the transmitter (TX) pin shows a fluctuating value while the router is sending data. Take this reading during the first seconds after power-on, while the boot log is being printed; once the console goes idle the line settles at a constant high level and looks like VCC. Ensure the router is powered on when measuring.
- Voltage (VCC) - This pin shows a constant reading of 3.3V or 5V. The reading determines the logic level the converter must be set to in the next step. The VCC pin is only measured, never wired to the converter, since the router supplies its own power. Ensure the router is powered on when measuring.
Connecting the UART Terminal to the Computer
Now that the individual pins have been identified on the UART terminal, the next step is to connect the wireless router to a computer using the USB to UART converter and jumper wires. Specifically, use three jumper wires to make the following connections:
- Connect the GND pin on the converter to the GND pin on the router’s UART interface.
- Connect the RX pin on the converter to the TX pin on the router’s UART interface.
- Connect the TX pin on the converter to the RX pin on the router’s UART interface.
Notice how the RX and TX connections connect to each other inversely. This is because the converter’s TX pin sends data to the router’s RX pin which receives it. Likewise, the converter’s RX pin receives data from the router’s TX pin which sends it. This is how a read and write connection is established between the router and computer.
Before the router is connected to the computer, the converter's logic-level jumper must be set to match the router's UART in order to prevent damaging the hardware. This will be either 3.3V or 5V depending on the device; driving a 3.3V UART with 5V signals can destroy the router's serial pins. In this case it is set to 3.3V because the multimeter read a constant 3.3V from the Voltage (VCC) UART pin.
Now that the jumper wires are properly connected and the correct voltage is set, connect the converter to the computer using a proper Mini-USB cable. This concludes the hardware steps.
Gaining Root Access
Note: all of the following steps were performed on a Linux system.
First, list the system’s USB devices.
$ lsusb
...
Bus 001 Device 011: ID 0403:6001 Future Technology Devices International, Ltd FT232 Serial (UART) IC
...
Next, list the device files. The converter appears as ttyUSB0.
$ ls -lart /dev
...
crw-rw---- 1 root dialout 188, 0 Dec 29 14:08 ttyUSB0
...
Note: the current user should be added to the dialout group, which owns the device file. Log out and back in (or run newgrp dialout in the current shell) for the group change to take effect.
$ sudo usermod -a -G dialout $USER
$ groups
... dialout
To interact with the device, minicom, a serial communication program, will be used. Install minicom using the distro's respective package manager. Once installed, start the configuration menu.
$ sudo minicom -s
+-----[configuration]------+
| Filenames and paths |
| File transfer protocols |
| Serial port setup |
| Modem and dialing |
| Screen and keyboard |
| Save setup as dfl |
| Save setup as.. |
| Exit |
| Exit from Minicom |
+--------------------------+
Navigate to the Serial port setup configuration and update the following settings:
- A - Serial Device - Set to the correct serial device. In this case the value is /dev/ttyUSB0, the USB to UART adapter.
- E - Bps/Par/Bits - Confirm 115200 8N1, the rate this router's console runs at (it is also minicom's default).
- F - Hardware Flow Control - Set to No. With it enabled, minicom waits for the CTS line before sending, and since only GND, RX, and TX are wired, nothing typed would ever reach the router.
+-----------------------------------------------------------------------+
| A - Serial Device : /dev/ttyUSB0 |
| B - Lockfile Location : /var/lock |
| C - Callin Program : |
| D - Callout Program : |
| E - Bps/Par/Bits : 115200 8N1 |
| F - Hardware Flow Control : No |
| G - Software Flow Control : No |
| H - RS485 Enable : No |
| I - RS485 Rts On Send : No |
| J - RS485 Rts After Send : No |
| K - RS485 Rx During Tx : No |
| L - RS485 Terminate Bus : No |
| M - RS485 Delay Rts Before: 0 |
| N - RS485 Delay Rts After : 0 |
| |
| Change which setting? |
+-----------------------------------------------------------------------+
With the serial port setup completed, go back to the main configuration screen and navigate to Exit. This brings up the terminal, which is now reading data directly from the router via the UART converter.
Welcome to minicom 2.8
OPTIONS: I18n
Port /dev/ttyUSB0, 00:00:00
Press CTRL-A Z for help on special keys
Powering on the router shows the entire boot process; once it finishes, pressing Enter drops straight into a root shell with no password prompt.
U-Boot 1.1.4 (Nov 26 2012 - 15:58:42)
DNI HW ID: 29763904 flash 4MB RAM 32MB U-boot dni29 V0.5
...
Boot up procedure is Finished!!!
Please press Enter to activate this console.
BusyBox v1.4.2 (2017-06-27 10:21:32 CST) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__| |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (bleeding edge, r18571) ------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
 ---------------------------------------------------
root@WNR2000v4:/#
Success! With a root shell on the router, the next stage involves enumerating the system to look for any potential vulnerabilities in the firmware and software.
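Once the minicom settings above are known (115200 8N1, no flow control) and the boot log has shown where the console activates, the same session can be driven from a script, which is handier than minicom for capturing a full transcript and running the first enumeration commands repeatably. The following is an added example, not code from the original write-up: it reuses only the serial settings and the two strings seen in the boot log (the "Please press Enter to activate this console." banner and the root@WNR2000v4 prompt). The use of pyserial, the /dev/ttyUSB0 path, the enumeration command list, and the FakeSerial replay transport (which stands in for the router so the logic runs offline) are assumptions of this example.

```python
"""Script-driven access to the WNR2000v4 serial console.

Added example, not code from the original write-up. Reuses the minicom settings
(115200 8N1, no flow control) and the banner/prompt strings from the boot log;
pyserial, the command list and the replay transport are assumptions."""
import re
import time

BAUD = 115200                                   # minicom: E - Bps/Par/Bits
ACTIVATE = b"Please press Enter to activate this console."
PROMPT_RE = re.compile(rb"root@WNR2000v4:\S*# ?$")   # "root@WNR2000v4:/# "


def open_port(device="/dev/ttyUSB0"):
    """Open the USB-UART adapter with the minicom settings (needs pyserial)."""
    import serial  # assumption: pip install pyserial
    return serial.Serial(device, BAUD, bytesize=8, parity="N", stopbits=1,
                         timeout=0.5, rtscts=False, xonxoff=False)


class FakeSerial:
    """Replay transport for offline use: emits a constructed boot log, then
    answers each write with a canned reply, like a tiny router."""
    def __init__(self, boot_output, replies):
        self._queue = [boot_output]
        self._replies = replies              # {bytes written: bytes sent back}
        self.written = []

    def read(self, n):
        if not self._queue:
            return b""
        head, rest = self._queue[0][:n], self._queue[0][n:]
        self._queue[0:1] = [rest] if rest else []
        return head

    def write(self, data):
        self.written.append(data)
        self._queue.append(self._replies.get(data, b""))
        return len(data)


class UartConsole:
    """Drives any object offering read(n) and write(bytes), real or fake."""
    def __init__(self, port):
        self.port = port
        self.log = bytearray()               # full transcript, kept for review

    def wait_for(self, pattern, timeout):
        """Read until `pattern` (bytes or compiled regex) appears in the data
        received since this call began; return it, or None on timeout."""
        deadline = time.monotonic() + timeout
        start = len(self.log)
        while time.monotonic() < deadline:
            chunk = self.port.read(4096)
            if not chunk:
                time.sleep(0.01)
                continue
            self.log += chunk
            window = bytes(self.log[start:])
            if isinstance(pattern, bytes):
                idx = window.find(pattern)
                if idx >= 0:
                    return window[:idx + len(pattern)]
            else:
                m = pattern.search(window)
                if m:
                    return window[:m.end()]
        return None

    def activate(self, timeout=120.0):
        """Wait for the end of boot, press Enter, wait for the root prompt."""
        if self.wait_for(ACTIVATE, timeout) is None:
            raise TimeoutError("console activation banner never appeared")
        self.port.write(b"\n")
        if self.wait_for(PROMPT_RE, 10.0) is None:
            raise TimeoutError("no shell prompt after pressing Enter")

    def run(self, cmd, timeout=10.0):
        """Send one shell command; return its output minus echo and prompt."""
        self.port.write(cmd.encode() + b"\n")
        out = self.wait_for(PROMPT_RE, timeout)
        if out is None:
            raise TimeoutError(f"no prompt after {cmd!r}")
        lines = out.replace(b"\r\n", b"\n").split(b"\n")
        return b"\n".join(lines[1:-1]).decode(errors="replace")  # drop echo, prompt


# Assumed first-pass enumeration commands (common BusyBox applets).
ENUM_COMMANDS = ["id", "cat /proc/version", "cat /proc/mtd", "mount", "ps"]


def enumerate_router(console, commands=ENUM_COMMANDS):
    """Run each command on an activated console; return {command: output}."""
    return {cmd: console.run(cmd) for cmd in commands}


if __name__ == "__main__":
    console = UartConsole(open_port())
    print("power-cycle the router now; waiting for the boot to finish ...")
    console.activate()
    for cmd, output in enumerate_router(console).items():
        print(f"# {cmd}\n{output}\n")
    with open("wnr2000v4-console.log", "wb") as f:   # transcript for later review
        f.write(console.log)
```

Run it with the adapter connected and the router unplugged, then apply power: the script waits for the activation banner, presses Enter for you, collects the output of each enumeration command, and writes the whole transcript to a log file. Keeping the transport pluggable means the prompt handling and output stripping can be checked against a replayed boot log before touching real hardware, where a wrong prompt regex would otherwise just hang until the timeout.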