Friday, November 2, 2012

Looking at firmware update files and compiling files.

Update: I finally succeeded in replacing my old, vendor-disabled media box with a Raspberry Pi running the Raspbmc distribution: http://mystry-geek.blogspot.com/2013/05/finally-got-raspberry-pi-to-try-out.html


It is obvious that nobody ever managed to compile the little bit of code that Netgear released for the EVA2000, and nobody ever got a firmware file to update the little box directly. I am not even positive it can be updated other than over the network.

I am trying to find and extract enough binaries from boxes similar to my vendor-deactivated Netgear EVA2000 to install a new firmware on the system.

I used the following command to see if the system could ID the file:

file binaryfilename.bin

And it told me:


So I took a look at the contents of the file directly with a hex viewer:

od -ah binaryfilename.bin

The start of the output is:

0000000   e   a   f   b   2   6   b   c   0   b   1   9   d   3   f   1
           6165    6266    3632    6362    6230    3931    3364    3166
0000020   0   4   6   3   4   3   2   5   4   a   5   e   f   e   4   1
           3430    3336    3334    3532    6134    6535    6566    3134
0000040   E   =   M   ( nul   @ dc1 etx etx nul nul nul nul nul nul nul
           3d45    28cd    4000    0311    0003    0000    0000    0000
0000060   C   o   m   p   r   e   s   s   e   d  sp   R   O   M   F   S
           6f43    706d    6572    7373    6465    5220    4d4f    5346
0000100  fs   [  so   T nul nul nul nul   k   & nul nul   K  so nul nul
           db9c    d40e    0000    0000    266b    0000    0ecb    0000
0000120   C   o   m   p   r   e   s   s   e   d nul nul nul nul nul nul
           6f43    706d    6572    7373    6465    0000    0000    0000
0000140   m   A   l etx   D soh nul   d   @ eot nul nul   m   A   l etx
           41ed    03ec    0144    6400    04c0    0000    41ed    03ec

I could see that the compressed file system started 32 bytes in (offset 0000040 octal), where the byte pattern "3d45    28cd" appears: that is the little-endian cramfs magic number 0x28cd3d45, followed 16 bytes later by the "Compressed ROMFS" signature. The leading 32-byte header must carry some sort of checksum or other metadata about the update. So I extracted everything after the leading 32 bytes with:

dd if=binaryfilename.bin bs=1 skip=32 of=test.fs

And I was finally able to mount the compressed filesystem:


mkdir m #gives a place to mount the device
sudo mount -t cramfs test.fs m  # mounts the file test.fs onto m.

Then you can browse into m and see everything installed on that drive.
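As an added example (not code from the original post), here is a small Python parser for the same layout: it locates the cramfs magic and the "Compressed ROMFS" signature in the update file, carves off the vendor header the way the dd command does, and decodes the superblock fields that are visible in the od dump. The sample bytes are transcribed from that dump, the field layout is the standard cramfs superblock, and the 32-byte vendor header itself is left undecoded.

```python
import struct
from typing import Optional

CRAMFS_MAGIC = struct.pack("<I", 0x28CD3D45)   # shows as "3d45 28cd" in od -h
CRAMFS_SIGNATURE = b"Compressed ROMFS"
# Superblock: magic, size, flags, future, signature[16], fsid{crc, edition,
# blocks, files}, name[16] (64 bytes), followed by the 12-byte root inode.
SUPER = struct.Struct("<IIII16sIIII16s")
INODE = struct.Struct("<HHII")   # mode, uid, size:24|gid:8, namelen:6|offset:26

# Constructed sample: the first 112 bytes of the update file, transcribed from
# the od dump above (32-byte vendor header, then the cramfs superblock).
SAMPLE = (
    b"eafb26bc0b19d3f1046343254a5efe41"                  # vendor header
    + bytes.fromhex("453dcd28004011030300000000000000")  # magic, size, flags, future
    + CRAMFS_SIGNATURE
    + bytes.fromhex("9cdb0ed4000000006b260000cb0e0000")  # crc, edition, blocks, files
    + b"Compressed".ljust(16, b"\0")                      # volume name
    + bytes.fromhex("ed41ec0344010064c0040000ed41ec03")  # root inode, start of next
)

def find_cramfs(blob: bytes) -> Optional[int]:
    """Offset of the first point where magic AND signature both match."""
    pos = blob.find(CRAMFS_MAGIC)
    while pos != -1:
        if blob[pos + 16:pos + 32] == CRAMFS_SIGNATURE:
            return pos
        pos = blob.find(CRAMFS_MAGIC, pos + 1)
    return None

def carve(blob: bytes) -> bytes:
    """Equivalent of `dd bs=1 skip=<offset>`: the image without the header."""
    off = find_cramfs(blob)
    if off is None:
        raise ValueError("no cramfs superblock found")
    return blob[off:]

def parse_superblock(image: bytes) -> dict:
    """Decode the superblock of a cramfs image starting at image[0]."""
    magic, size, flags, _, sig, crc, ed, blocks, files, name = SUPER.unpack_from(image)
    if magic != 0x28CD3D45 or sig != CRAMFS_SIGNATURE:
        raise ValueError("not a cramfs image")
    mode, uid, size_gid, nl_off = INODE.unpack_from(image, SUPER.size)
    root = {"mode": mode, "uid": uid, "size": size_gid & 0xFFFFFF, "gid": size_gid >> 24,
            "namelen": (nl_off & 0x3F) * 4, "offset": (nl_off >> 6) * 4}
    return {"size": size, "flags": flags, "crc": crc, "edition": ed, "blocks": blocks,
            "files": files, "name": name.rstrip(b"\0").decode(), "root": root,
            "truncated": len(image) < size}   # check before trusting or mounting it
```

On the full update file the "size" field should equal the carved image length; a mismatch means the file was truncated or the header offset was wrong.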



I did a full TCP port scan of the EVA2000 with nmap:

sudo nmap  -p 1-65535 192.168.1.70


Starting Nmap 5.21 ( http://nmap.org ) at 2012-11-02 22:44 EDT
Nmap scan report for unknown0026f23a9297.att.net (192.168.1.70)
Host is up (0.0033s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE
51887/tcp open  unknown
63681/tcp open  unknown
MAC Address: 00:26:F2:3A:92:97 (Netgear)

Nmap done: 1 IP address (1 host up) scanned in 12.92 seconds


and saw the following two TCP ports open:  51887 and 63681

Telnetting into both ports and hitting return a few times gave me this:

>telnet 192.168.1.70 51887

Trying 192.168.1.70...
Connected to 192.168.1.70.
Escape character is '^]'.


HTTP/1.1 412 Failed
Server: Verismo, POSIX, DLNADOC/1.00 INTEL_NMPR/2.1 UPnP/1.0 Intel MicroStack/1.0.1677
Content-Length: 0


> telnet 192.168.1.70 63681

Trying 192.168.1.70...
Connected to 192.168.1.70.
Escape character is '^]'.



Connection closed by foreign host.


Connecting a web browser to both ports only produces output on 63681, an XML document:

<root><specVersion><major>1</major><minor>0</minor></specVersion><device><deviceType>urn:schemas-upnp-org:device:MediaRenderer:1</deviceType><X_DLNADOC>urn:schemas-dlna-org:device-1-0</X_DLNADOC><friendlyName>Netgear EVA2000</friendlyName><manufacturer>NETGEAR</manufacturer><manufacturerURL>http://www.netgear.com</manufacturerURL><modelDescription>Digital Entertainer Live</modelDescription><modelName>EVA2000</modelName><modelNumber>EVA2000</modelNumber><serialNumber> </serialNumber><UDN>uuid:[redacted]</UDN><serviceList><service><serviceType>urn:schemas-upnp-org:service:AVTransport:1</serviceType><serviceId>urn:upnp-org:serviceId:AVT_1-0</serviceId><SCPDURL>AVTransport/scpd.xml</SCPDURL><controlURL>AVTransport/control</controlURL><eventSubURL>AVTransport/event</eventSubURL></service></serviceList></device></root>

This appears to be the UPnP device description of a DLNA media renderer, advertising a single AVTransport service.

--

I will try running Wireshark after a soft reboot to see which server it checks for an update. If I can reach that server myself it might tell me something, and I might be able to do a man-in-the-middle attack on my own box to intercept any encrypted communication if they do it over HTTPS.

3 comments:

  1. I have one of these too. Would be nice if it could be upgraded to a version of XBMC. The thing doesn't do much.

  2. Yeah, the box was good until the company deactivated them.

    I tried my best, but the firmware files they gave out did not compile and I couldn't get the unit to recognize firmware files from similar machines. If I could just get a hold of one firmware update then I might be able to reverse engineer that. But I can't find a single file on the internet that contains the info we need.

  3. I know this is a bit dated, but there's a header inside for a serial port, looks like there's plenty of space to add packages, and there's USB. /sbin/telnetd exists and root with no password gets you in.
    # df -k
    Filesystem 1k-blocks Used Available Use% Mounted on
    /dev/mmcblk0p5 80876 65120 15756 81% /
    /tmpfs 97840 0 97840 0% /dev
    /tmpfs 97840 4 97836 0% /var
    /tmpfs 97840 152 97688 0% /tmp
    /dev/mmcblk0p14 240468 116622 111430 51% /data
