The svson.xyz blog

MDM4. A root without a shell

Tags: mdm-story breaking-and-entering

So we have the root password hash, but where can we enter it? Running nmap -p 1-65535 -T4 -A -v 192.168.0.1 against the modem (a full TCP port scan with OS and version detection) gives us some potential clues, plus some more info about the device!

[snip]
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
[snip]
53/tcp   open  domain  dnsmasq 10.0
80/tcp   open  http    Demo-Webs
4719/tcp open  telnet  BusyBox telnetd
[snip]

It appears that they’re running Linux on that tiny modem! Also there’s a telnet daemon listening on port 4719, cool!

Now that we have found a place where we can enter the password, it would be rather useful to know what the password is. One way to figure it out would be to brute-force the hash, but that takes time and resources. Before going down the brute-force route it is usually worth checking whether someone else has already figured out the password.

Running an internet search for C98ULvDZe7zQ2 gives us a result in a thread about another modem on 4pda.ru, a Russian-language technology site and forum. In that thread it's posted that the plaintext corresponding to that password hash is oelinux123. Let's give it a shot!
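Before typing a password pulled off a forum into a device, it is worth confirming offline that it really hashes to the value from the passwd file. The following is an added example, not code from the original post: it treats C98ULvDZe7zQ2 as the 13-character traditional DES crypt(3) string it is (salt "C9", then 11 characters of hash), recomputes crypt(3) for a candidate, and also shows the brute-force alternative as a loop over a candidate list. The function names and the candidate list are this example's own; crypt(3) is reached through Python's stdlib crypt module where it still exists, and through libcrypt via ctypes otherwise.

```python
"""Check a recovered plaintext against a crypt(3) hash offline, before typing it
into the device. Added example; not code from the original post."""
import ctypes
import ctypes.util
from typing import Iterable, Optional

# The 13-character traditional DES crypt(3) hash from the modem's passwd file.
ROOT_HASH = "C98ULvDZe7zQ2"


def des_salt(hashed: str) -> Optional[str]:
    """Return the two-character salt of a traditional DES crypt hash, or None for
    any other crypt(3) format ($1$ md5crypt, $5$/$6$ sha-crypt, $y$ yescrypt, ...)."""
    if len(hashed) == 13 and not hashed.startswith("$"):
        return hashed[:2]
    return None


def _crypt(word: str, salt: str) -> Optional[str]:
    """crypt(3) through the stdlib module (Python <= 3.12) or, failing that, through
    libcrypt via ctypes. Returns None when no usable DES implementation exists."""
    try:
        import crypt as crypt_mod  # deprecated since 3.11, removed in 3.13
    except ImportError:
        crypt_mod = None
    try:
        if crypt_mod is not None:
            result = crypt_mod.crypt(word, salt)
        else:
            lib = ctypes.util.find_library("crypt") or ctypes.util.find_library("c")
            if lib is None:
                return None
            libcrypt = ctypes.CDLL(lib)
            libcrypt.crypt.restype = ctypes.c_char_p
            libcrypt.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
            raw = libcrypt.crypt(word.encode(), salt.encode())
            result = raw.decode() if raw is not None else None
    except (OSError, AttributeError):
        return None
    # libxcrypt returns "*0"/"*1" when the requested method is compiled out.
    if not result or result.startswith("*") or len(result) != 13:
        return None
    return result


def verify_crypt(candidate: str, hashed: str) -> Optional[bool]:
    """True/False if the candidate does/doesn't hash to `hashed`; None if DES crypt
    is unavailable on this host, so "unknown" is never mistaken for "wrong"."""
    salt = des_salt(hashed)
    if salt is None:
        raise ValueError("not a traditional DES crypt(3) hash: %r" % hashed)
    computed = _crypt(candidate, salt)
    return None if computed is None else computed == hashed


def first_match(candidates: Iterable[str], hashed: str) -> Optional[str]:
    """The brute-force route: return the first candidate that verifies, else None."""
    for word in candidates:
        if verify_crypt(word, hashed):
            return word
    return None


if __name__ == "__main__":
    print("oelinux123 matches:", verify_crypt("oelinux123", ROOT_HASH))
    # Traditional DES crypt only looks at the first 8 characters of the password.
    print("oelinux1 matches:  ", verify_crypt("oelinux1", ROOT_HASH))
    print("wordlist hit:", first_match(["admin", "root", "oelinux123"], ROOT_HASH))
```

One caveat the check makes visible: traditional DES crypt hashes only the first eight characters, so oelinux1 verifies exactly as well as oelinux123 does, and a dictionary attack on a 13-character hash like this one has a much smaller keyspace than the password length suggests.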

We’re in!

Cool! We’ve got a shell now! Let’s figure out what kind of hardware we’re running on, as I could not find a datasheet for the SoC.

~ # cat /proc/meminfo
MemTotal:          22184 kB
MemFree:            1896 kB
[snip]

~ # cat /proc/cpuinfo
Processor       : ARMv7 Processor rev 4 (v7l)
BogoMIPS        : 620.54
Features        : swp half thumb fastmult edsp tls 
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xd03
CPU revision    : 4

Hardware        : TSP ZX297520V3
Revision        : 0000
Serial          : 0000000000000000

As expected, it’s a little ARM processor and we’ve got around 22 megs of RAM, most of which is occupied. CPU implementer 0x41 with CPU part 0xd03 is Arm’s ID for a Cortex-A53 core; the v7l label means the 3.x kernel is running it in 32-bit mode. No idea if the Revision and Serial are supposed to be zeroed out, but I didn’t alter them ;).

As you may remember, the flash memory IC had a gigabit (128 MB) capacity according to the datasheet, and listing the filesystem usage with df confirms that: the mounted partitions alone add up to roughly 123 MB. There are even a few dozen megs free, should we want to run our own programs on it :).

~ # df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/mtdblock5           46.0M     17.8M     28.2M  39% /
mtd:imagefs               8.0M      6.3M      1.7M  78% /mnt/imagefs
mtd:resource              8.0M      2.6M      5.4M  32% /mnt/resource
/dev/mtdblock7           59.0M      1.8M     57.2M   3% /mnt/userdata
/dev/mtdblock3            2.0M    464.0K      1.5M  23% /mnt/nvrofs

It’s also running adbd, the Android Debug Bridge daemon; maybe we’ll make use of it at a later date. Let’s make a note of what port adbd is listening on and see if there are other services that nmap missed. Two things to keep in mind when comparing: the scan above probed TCP only (no -sU), so UDP listeners never showed up, and anything bound to 127.0.0.1 isn’t reachable from the LAN side at all. netstat also puts a real name on the web server nmap fingerprinted as Demo-Webs: it’s goahead.

/mnt/userdata/cache # netstat -nutap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN      663/adbd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1241/dnsmasq
tcp        0      0 :::4719                 :::*                    LISTEN      682/telnetd
tcp        0      0 :::80                   :::*                    LISTEN      662/goahead
tcp        0      0 :::53                   :::*                    LISTEN      1241/dnsmasq
tcp        0      0 ::ffff:192.168.0.1:4719 ::ffff:192.168.0.100:41444 ESTABLISHED 682/telnetd
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1240/udhcpd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1241/dnsmasq
udp        0      0 0.0.0.0:1464            0.0.0.0:*                           1241/dnsmasq
udp        0      0 :::53                   :::*                                1241/dnsmasq
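To make the nmap-versus-netstat comparison mechanical, here is an added example (not part of the original post) that parses the BusyBox netstat -nutap listing above and separates the listeners a TCP-only scan from another host could reach from the loopback-bound and UDP ones it could not. The sample text is the listing above, the ESTABLISHED row being our own telnet session; the "TCP only" assumption matches the nmap command at the top of the post, which has no -sU. Function and field names are this example's own.

```python
"""Triage a netstat -nutap listing: which listeners could a TCP-only scan from the
LAN have seen? Added example; not code from the original post."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Copied from the listing above (the ESTABLISHED row is our own telnet session).
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN      663/adbd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1241/dnsmasq
tcp        0      0 :::4719                 :::*                    LISTEN      682/telnetd
tcp        0      0 :::80                   :::*                    LISTEN      662/goahead
tcp        0      0 :::53                   :::*                    LISTEN      1241/dnsmasq
tcp        0      0 ::ffff:192.168.0.1:4719 ::ffff:192.168.0.100:41444 ESTABLISHED 682/telnetd
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1240/udhcpd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1241/dnsmasq
udp        0      0 0.0.0.0:1464            0.0.0.0:*                           1241/dnsmasq
udp        0      0 :::53                   :::*                                1241/dnsmasq
"""


@dataclass(frozen=True)
class Listener:
    proto: str            # "tcp" or "udp"
    host: str             # bind address exactly as netstat printed it
    port: int
    pid: Optional[int]    # None when netstat prints "-" (no permission to map it)
    program: str


def parse_listeners(text: str) -> List[Listener]:
    """Keep only server sockets: tcp rows in state LISTEN and every udp row."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # banner, column header, or something we don't handle
        proto, local = parts[0].rstrip("6"), parts[3]
        if proto == "tcp":
            if len(parts) < 7 or parts[5] != "LISTEN":
                continue  # established/closing connections are not listeners
            pid_prog = parts[6]
        else:
            pid_prog = parts[5]  # udp rows carry no State column
        host, _, port = local.rpartition(":")
        pid, _, program = pid_prog.partition("/")
        listeners.append(Listener(proto, host, int(port),
                                  int(pid) if pid.isdigit() else None, program))
    return listeners


def bind_scope(host: str) -> str:
    """'any' for wildcard binds, 'loopback' for 127/8 and ::1, 'specific' otherwise."""
    if host in ("0.0.0.0", "::", "*"):
        return "any"
    plain = host[len("::ffff:"):] if host.startswith("::ffff:") else host
    return "loopback" if ipaddress.ip_address(plain).is_loopback else "specific"


def triage(listeners: Sequence[Listener],
           scanned_protos: Sequence[str] = ("tcp",)) -> Dict[str, List[Listener]]:
    """Split into what a remote scan over `scanned_protos` could reach, what is
    bound to loopback only, and what the scan never probed at all. A bind to one
    specific non-loopback address counts as reachable on that interface."""
    buckets: Dict[str, List[Listener]] = {"reachable": [], "loopback_only": [], "not_scanned": []}
    for sock in listeners:
        if sock.proto not in scanned_protos:
            buckets["not_scanned"].append(sock)
        elif bind_scope(sock.host) == "loopback":
            buckets["loopback_only"].append(sock)
        else:
            buckets["reachable"].append(sock)
    return buckets


def summarize(text: str, scanned_protos: Sequence[str] = ("tcp",)) -> Dict[str, List[Tuple[int, str]]]:
    """(port, program) pairs per bucket, deduplicated across IPv4/IPv6 binds."""
    buckets = triage(parse_listeners(text), scanned_protos)
    return {name: sorted({(s.port, s.program) for s in socks}) for name, socks in buckets.items()}


if __name__ == "__main__":
    for bucket, entries in summarize(NETSTAT_OUTPUT).items():
        print(bucket, entries)
```

Run against the listing, the "reachable" bucket is exactly the three TCP ports nmap reported (53, 80, 4719), adbd on 5037 lands in "loopback_only", and udhcpd plus the dnsmasq UDP sockets land in "not_scanned"; passing ("tcp", "udp") as the scanned protocols empties that last bucket, which is what adding -sU to the scan would buy you.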

I noticed an interesting command available, nv, which sounds like it allows us to poke at non-volatile memory. Maybe there’s something interesting there ;).

~ # nv
usage: cfg [get name] [getro name] [set name=value] [unset name] [show] [erase] [save] [restore]
~ # nv show
imei=???????????????
imeiPrevious=
Model=
rootdev_modeldes=XXX
fota_models=ZTE7520V3
product_model=MF910W
rootdev_modelname=XXX

Note that I’ve culled the output of nv show to the values I found to be of interest; there are a ton of them (852, according to wc). The imei field does contain the actual IMEI; I’ve redacted it with question marks.

The IMEI appears to be stored in non-volatile memory and there is also a field to store the previous IMEI. That makes me wonder if it’s possible to change your IMEI on this modem.

It seems to be a ZTE reference software package which the reseller has done minimal(?) work on. All mentions of non-ZTE brand names have been replaced with DEMO or zeroed out, or maybe the reference package comes with those values in place.

PS. The command, filesystem and non-volatile configuration listings are available for your viewing pleasure, should you be interested in such things.

Command listing

Files listing

Non-volatile memory values (redacted values are marked)

There was an inspirational quote hidden inside /sbin/app_errmsg.txt: “server does not support the request of the tool”. At certain points in your life you might have to be the server and not support the requests of tools :^).

Next part: MDM4-1. IMEI? I'm YOUREI

Previous part: MDM3. Letting the cat out of the bag

Series outline