Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Pwning the bcm61650- 822

Xilokar, posted 3 years ago
  • The bcm61650 is a 3G femtocell. A femtocell is a small cellular base station commonly used in homes or small businesses; this particular one backhauls its traffic over a DSL/fiber line.
  • In the box, the board presents itself as a PCI Ethernet device: it performs BOOTP, loads its firmware over TFTP, and then connects to a hardcoded IP to establish an IPsec tunnel to the operator's core network. To make their life easier, the author desoldered the link between the Ethernet chip and the BCM61650.
  • With a few probes, the author got the board powered and booting, and luckily there is a nice UART output to watch. They wanted to boot their own firmware; however, the firmware loaded over TFTP carries a digital signature, so it cannot simply be altered.
  • With the OS image in hand, the author extracts it with binwalk, pulls the password hash out of /etc/passwd and builds a nice hashcat rule to crack it. To their amazement, the password is completely empty!
  • Once they have a shell on the device (I assume over UART but it does not say), they load a kernel driver to dump the boot ROM, since the classic dd on /dev/mem did not work for whatever reason. With the ROM in hand, they can now examine the firmware verification process.
  • After reversing the code for a while, they conclude that the verification itself (RSA and SHA-256) is sound. This leads them to their OWN tweet: "When your rooting of a device implies breaking RSA or sha256, it's time to realize you're doing it the wrong way, and to be creative."
  • The code that loads the firmware header takes a length from the image itself and memcpy()s that many bytes into a fixed-size static buffer, without checking the length against the buffer. Directly past that buffer sits the stack, holding the saved return address!
  • By smashing the stack with exactly the right length, the saved $ra (the MIPS return address register) is overwritten. Pointing it past the signature check lets the rest of the bootloader run on an unsigned image, and from there they patch the bootloader itself to skip the kernel verification process. Boom!
  • Because the bug lives in the boot ROM, this is an unpatchable secure-boot bypass via memory corruption: the fancy crypto does not help if the code around it is not written securely. Good read, but I wish some background/details were added for clarity, such as HOW the command line was being hit, which I assumed was UART.
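The unchecked header length and the $ra overwrite described in the last bullets, as an added C example that is not from this page or from Xilokar's write-up. It models the ROM's static header buffer and the adjacent saved return address as one byte array (an assumed layout, not the BCM61650's real one), puts the parser that trusts the image's own length field beside one that checks it against the buffer, and forges an image whose last four bytes land exactly on the saved $ra. The 64-byte buffer size, the image format and the two ROM addresses are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed memory model (constructed for this example, not the real BCM61650
 * ROM): a 64-byte static header buffer immediately followed by the word that
 * holds the parsing routine's saved return address ($ra). Keeping both inside
 * one byte array keeps the "overflow" within a single C object, so the
 * demonstration is well defined; the real ROM has no such bound. */
#define HDR_BUF_SIZE 64u
#define RA_OFFSET    HDR_BUF_SIZE
#define MEM_SIZE     (HDR_BUF_SIZE + 4u)

/* Hypothetical ROM addresses, chosen only to make the redirect visible. */
#define RA_VERIFY_SIGNATURE 0xBFC01000u /* normal return: run the RSA/SHA-256 check */
#define RA_SKIP_VERIFY      0xBFC01100u /* code just past the verification call */

struct rom_mem {
    uint8_t bytes[MEM_SIZE];
};

static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void store_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Reset the model: empty buffer, saved $ra pointing at the signature check. */
void rom_reset(struct rom_mem *m)
{
    memset(m->bytes, 0, MEM_SIZE);
    store_be32(m->bytes + RA_OFFSET, RA_VERIFY_SIGNATURE);
}

uint32_t saved_ra(const struct rom_mem *m)
{
    return load_be32(m->bytes + RA_OFFSET);
}

/* Constructed image format: 4-byte big-endian header length, then the header.
 * Vulnerable parser: trusts the image's own length field, as the post describes. */
int parse_header_vuln(struct rom_mem *m, const uint8_t *img, size_t img_len)
{
    if (img_len < 4) return -1;
    uint32_t len = load_be32(img);
    if (len > img_len - 4) return -1;   /* bounds the image, not the buffer */
    memcpy(m->bytes, img + 4, len);     /* len > HDR_BUF_SIZE runs into saved $ra */
    return 0;
}

/* Hardened parser: the same routine with the one check that was missing. */
int parse_header_safe(struct rom_mem *m, const uint8_t *img, size_t img_len)
{
    if (img_len < 4) return -1;
    uint32_t len = load_be32(img);
    if (len > img_len - 4) return -1;
    if (len > HDR_BUF_SIZE) return -2;  /* header cannot fit the static buffer */
    memcpy(m->bytes, img + 4, len);
    return 0;
}

/* Forge an image whose header fills the buffer and lands new_ra on the saved $ra.
 * Returns the image size, or 0 if out is too small. */
size_t build_exploit_image(uint8_t *out, size_t out_len, uint32_t new_ra)
{
    size_t hdr_len = HDR_BUF_SIZE + 4u;         /* the "perfect length" */
    if (out_len < 4u + hdr_len) return 0;
    store_be32(out, (uint32_t)hdr_len);
    memset(out + 4, 'A', HDR_BUF_SIZE);         /* filler for the header buffer */
    store_be32(out + 4 + HDR_BUF_SIZE, new_ra); /* lands on the saved $ra */
    return 4u + hdr_len;
}

/* Run one parser on an image and report where the ROM would "return" to. */
uint32_t boot_with(int (*parse)(struct rom_mem *, const uint8_t *, size_t),
                   const uint8_t *img, size_t img_len, int *rc)
{
    struct rom_mem m;
    rom_reset(&m);
    *rc = parse(&m, img, img_len);
    return saved_ra(&m);
}

int main(void)
{
    uint8_t img[128];
    size_t n = build_exploit_image(img, sizeof img, RA_SKIP_VERIFY);
    int rc;
    uint32_t ra = boot_with(parse_header_vuln, img, n, &rc);
    printf("vulnerable parser: rc=%d, returns to 0x%08x (%s)\n", rc, ra,
           ra == RA_SKIP_VERIFY ? "signature check skipped" : "signature check runs");
    ra = boot_with(parse_header_safe, img, n, &rc);
    printf("hardened parser:   rc=%d, returns to 0x%08x (%s)\n", rc, ra,
           ra == RA_SKIP_VERIFY ? "signature check skipped" : "signature check runs");
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run it. The forged image passes the vulnerable parser with no error and leaves the saved return address pointing past the signature check, while the hardened parser rejects the same image before the copy. On real hardware the distance between the buffer and the saved $ra is whatever the ROM's layout dictates, and finding that exact distance is what the post's "perfect length" refers to.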