Friday, 4 July 2008

All your FreeWave HTplus transceivers are belong(ed) to us

Ever needed to bridge an Ethernet connection over a couple of miles?

FreeWave Technologies Inc. sells 900 MHz wireless data transceivers which are specified to work over distances of up to 40 miles with a clear line of sight.

By following the installation guide, you only need to perform some basic configuration (IP address, radio channels, encryption ...), attach an antenna, connect a computer at each site, and everything should work.

Three months ago, one of my new HTplus/HT devices just did not accept the IP configuration made via the serial port setup connection. No matter which IP had been set up, the box did not answer HTTP requests to its web front end over Ethernet.

After some useless calls to FreeWave support I took a look at their firmware image, which is provided for updating from older firmware releases. (You will find it in the customer support section of their homepage. Just ask FreeWave for a login.)

The firmware contains all partitions for the radio transceiver. To access the root partition, simply rename the file to firmware.gz and gunzip it. Afterwards, open the decompressed file in your favourite editor, search for "-rom1" (the beginning of the romfs superblock magic "-rom1fs-") and remove everything before this text.

Now you can mount the romfs image with: mount -t romfs -o loop firmware /mnt
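The three manual steps above (gunzip, find "-rom1", cut away everything before it) can be automated. The following Python script is an added example written for this post; it is not FreeWave code and makes no claim about the real firmware layout beyond what is described above. It decompresses a gzip firmware blob, searches for the full romfs magic "-rom1fs-" instead of the shorter "-rom1" (so a stray "-rom1" in other partition data is not mistaken for the filesystem), validates the romfs superblock checksum, and carves the image out using the size field in the superblock. The sample firmware it builds for itself is constructed and contains only a minimal superblock, not a real root filesystem.

```python
"""Carve a romfs image out of a gzip-compressed firmware blob.

Added example, not FreeWave's code. Assumes only what the post describes:
a gzip stream whose payload holds a romfs image somewhere after other data.
"""
import gzip
import struct
import sys

ROMFS_MAGIC = b"-rom1fs-"   # full romfs superblock magic; "-rom1" is just its prefix
GZIP_MAGIC = b"\x1f\x8b"


def decompress_if_gzip(blob: bytes) -> bytes:
    """Equivalent of 'rename to firmware.gz and gunzip it' when the blob is a gzip stream."""
    if blob[:2] == GZIP_MAGIC:
        return gzip.decompress(blob)
    return blob


def romfs_checksum_ok(image: bytes) -> bool:
    """romfs requires the big-endian 32-bit words of the first 512 bytes to sum to 0 mod 2^32."""
    span = image[:512]
    span += b"\x00" * (-len(span) % 4)          # pad a short image to whole words
    total = sum(struct.unpack(">%dI" % (len(span) // 4), span))
    return total % (1 << 32) == 0


def find_romfs(blob: bytes) -> list:
    """Return (offset, declared_size, volume_name) for every checksum-valid romfs superblock."""
    found = []
    pos = blob.find(ROMFS_MAGIC)
    while pos != -1:
        if pos + 16 <= len(blob):
            (size,) = struct.unpack(">I", blob[pos + 8:pos + 12])
            if 16 < size <= len(blob) - pos and romfs_checksum_ok(blob[pos:pos + size]):
                name_end = blob.find(b"\x00", pos + 16, pos + size)
                name = blob[pos + 16:name_end].decode("ascii", "replace")
                found.append((pos, size, name))
        pos = blob.find(ROMFS_MAGIC, pos + 1)
    return found


def locate_romfs(firmware: bytes) -> list:
    """Decompress (if needed) and list romfs superblocks found in the firmware."""
    return find_romfs(decompress_if_gzip(firmware))


def carve_romfs(firmware: bytes) -> bytes:
    """Return the first valid romfs image, trimmed to the size its superblock declares."""
    blob = decompress_if_gzip(firmware)
    hits = find_romfs(blob)
    if not hits:
        raise ValueError("no romfs superblock found")
    offset, size, _ = hits[0]
    return blob[offset:offset + size]


# --- constructed sample data so the script can be exercised offline ---------------

def build_sample_romfs(volume_name: bytes = b"fwtest", total_size: int = 64) -> bytes:
    """Construct a minimal, checksum-valid romfs superblock (test data, not a real image)."""
    name = volume_name + b"\x00"
    name += b"\x00" * (-len(name) % 16)         # romfs pads the volume name to 16 bytes
    header = ROMFS_MAGIC + struct.pack(">II", total_size, 0) + name
    image = header + b"\x00" * (total_size - len(header))
    words = struct.unpack(">%dI" % (len(image) // 4), image)
    fix = (-sum(words)) & 0xFFFFFFFF            # make the word sum come out to zero
    return image[:12] + struct.pack(">I", fix) + image[16:]


# Constructed leading partition data; it contains "-rom1" as a decoy but not a real superblock.
JUNK = b"\xff" * 100 + b"boot -rom1 not a superblock\x00"


def build_sample_firmware() -> bytes:
    """Constructed gzip firmware blob: junk, then the sample romfs, then trailing padding."""
    return gzip.compress(JUNK + build_sample_romfs() + b"\x00" * 32)


if __name__ == "__main__":
    # Usage: python carve_romfs.py <firmware-file>  -> writes <firmware-file>.romfs
    src = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(src, "rb").read() if src else build_sample_firmware()
    for off, size, name in locate_romfs(data):
        print("romfs '%s' at offset 0x%x, %d bytes" % (name, off, size))
    if src:
        open(src + ".romfs", "wb").write(carve_romfs(data))
```

The resulting file can be mounted exactly as described above (mount -t romfs -o loop firmware.romfs /mnt). Checking the checksum before trusting a hit matters because a plain text search for "-rom1" will also stop at any unrelated occurrence of that string in the boot loader or other partitions.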

Apart from finding a BusyBox Linux in your local /mnt, you will discover that the serial configuration interface of the HTplus is implemented by the program bin/fwSETUP. In this program you can see some interesting lines:
Enter Password: ^@J0rdan,Fu3rst1!^@r^@/mnt/webpassword^@
HELLO MASTER JORDAN^M
^@^M
1) Enter Radio Setup^@^M
2) Switch Images^@^M
3) System Console^@^M
Esc) Exit^@^M
First, this leads to the correct assumption that someone (probably Jordan) implemented the secret master password "J0rdan,Fu3rst1!". Second, there seems to be a hidden setup menu which offers a terminal on the Linux system (key 'B', found by trial and error).

Finally, the reason the HTplus device did not properly configure its Ethernet interface was a broken config.xml somewhere in /var. Copying the default file from /etc/config.xml to this location solved the problem.

Unfortunately, FreeWave removed the master password and the hidden setup menu in firmware version 2.11. Now you either have to get an older firmware or patch the most recent one in order to get access to the running Linux system.

Note to self: contact FreeWave and ask for the source code, since BusyBox is GPL.
