Se trata de una base wifi, que a mi parecer, puede tener mucho mas potencial del que le otorgan las compañías. Unas fotos:
El router tiene una memoria Flash de 4 Mb y una RAM de 16Mb. No es que sea potente, pero puede ser muy interesante tener uno de estos con OpenWRT por su puerto USB, ya que es posible utilizar una memoria como parte del sistema.
Las vistas por dentro del dispositivo son estas:
Vayamos al grano...
La carga del dispositivo (bootlog):
Código:
U-Boot 1.1.3 (Feb 26 2009 - 13:21:58)
Board: Ralink APSoC DRAM: 16 MB
relocate_code Pointer at: 80fac000
mips_cpu_feq=320000000
flash_protect ON: from 0xBF000000 to 0xBF0202E3
protect on 0
protect on 1
protect on 2
protect on 3
protect on 4
protect on 5
protect on 6
protect on 7
protect on 8
protect on 9
flash_protect ON: from 0xBF030000 to 0xBF03FFFF
protect on 10
*** Warning - bad CRC, using default environment
============================================
ZTE UBoot Version: 1.0.1
--------------------------------------------
ASIC 3052_MP2 (Port5<->None)
DRAM COMPONENT: 128Mbits
DRAM BUS: 16BIT
Total memory: 16 MBytes
Date:Feb 26 2009 Time:13:21:58
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:128, ways:4, linesz:32 ,total:16384
freq = 320000000 MHZ
##### The CPU freq = 320 MHZ ####
SDRAM bus set to 16 bit
SDRAM size =16 Mbytes
PHY0 and PHY1 are used ,and other PHYS are powered down
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
9: Load Boot Loader code then write to Flash via TFTP. 0
3: System Boot system code via Flash.
## Booting image at bf050000 ...
Image Name: Linux Kernel Image
Created: 2009-12-10 13:52:52 UTC
System Control Status = 0x00400000
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 3104704 Bytes = 3 MB
Load Address: 80000000
Entry Point: 802d5000
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 802d5000) ...
## Giving linux memsize in MB, 16
Starting kernel ...
LINUX started...
THIS IS ASIC
Linux version 2.6.21 (root@localhost.localdomain) (gcc version 3.4.2) #57 Thu Dec 10 08:52:33 EST 2009
The CPU feqenuce set to 320 MHz
CPU revision is: 0001964c
Determined physical RAM map:
memory: 01000000 @ 00000000 (usable)
Built 1 zonelists. Total pages: 4064
Kernel command line: console=ttyS1,115200n8 root=/dev/mtdblock4
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 16kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
cause = 9080000c, status = 1100ff00
PID hash table entries: 64 (order: 6, 256 bytes)
calculating r4koff... 00138800(1280000)
CPU frequency 320.00 MHz
Using 160.000 MHz high precision timer.
Dentry cache hash table entries: 2048 (order: 1, 8192 bytes)
Inode-cache hash table entries: 1024 (order: 0, 4096 bytes)
Memory: 13116k/16384k available (2413k kernel code, 3268k reserved, 483k data, 120k init, 0k highmem)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
Time: MIPS clocksource has been installed.
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 512 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 512 bind 512)
TCP reno registered
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
io scheduler noop registered (default)
FLASH_API: MAN_ID=C2 DEV_ID=22CB SIZE=8MB
Ralink gpio driver initialized
spidrv_major = 217
HDLC line discipline: version $Revision: 1.1.1.1 $, maxframe=4096
N_HDLC line discipline registered.
Serial: 8250/16550 driver $Revision: 1.3 $ 2 ports, IRQ sharing disabled
serial8250: ttyS0 at I/O 0xb0000500 (irq = 37) is a 16550A
serial8250: ttyS1 at I/O 0xb0000c00 (irq = 12) is a 16550A
loop: loaded (max 8 devices)
rdm_major = 254
GDMA1_MAC_ADRH -- : 0x00000000
GDMA1_MAC_ADRL -- : 0x00000000
Ralink APSoC Ethernet Driver Initilization. v1.60 64 rx/tx descriptors allocated, mtu = 1500!
GDMA1_MAC_ADRH -- : 0x00000016
GDMA1_MAC_ADRL -- : 0x0026ed2b
PROC INIT OK!
PPP generic driver version 2.4.2
PPP BSD Compression module registered
NET: Registered protocol family 24
ralink flash device: 0x1000000 at 0xbf000000
Ralink SoC physically mapped flash: Found 1 x16 devices at 0x0 in 16-bit bank
Amd/Fujitsu Extended Query Table at 0x0040
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
Creating 5 MTD partitions on "Ralink SoC physically mapped flash":
0x00000000-0x00030000 : "Bootloader"
0x00030000-0x00040000 : "Config"
0x00040000-0x00050000 : "Factory"
0x00050000-0x00140000 : "Kernel"
0x00140000-0x00800000 : "RootFS"
block2mtd: version $Revision: 1.1.1.1 $
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
usbcore: registered new interface driver usbserial
drivers/usb/serial/usb-serial.c: USB Serial support registered for generic
usbcore: registered new interface driver usbserial_generic
drivers/usb/serial/usb-serial.c: USB Serial Driver core
drivers/usb/serial/usb-serial.c: USB Serial support registered for GSM modem (1-port)
usbcore: registered new interface driver option
drivers/usb/serial/option.c: USB Driver for GSM modems: v0.7.1
usbcore: registered new interface driver usb-pcm
drivers/usb/serial/usb-pcm.c: usb to pcm Driver: V2.4.20_uC0_1B12
nf_conntrack version 0.5.0 (128 buckets, 1024 max)
GRE over IPv4 tunneling driver
ip_tables: (C) 2000-2006 Netfilter Core Team, Type=Restricted Cone
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 10
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
drivers/flash/flash_ioctl.c 538
drivers/flash/flash_ioctl.c 390
drivers/flash/flash_ioctl.c 396
drivers/flash/flash_ioctl.c 401
drivers/flash/flash_ioctl.c 415
DDNSPassword=simcard_roam=HT_MpduDensity=5PktAggregate=1CountryRegion=5wan_l2tp_user=l2tp_user
44444e5350617373776f72643d0073696d636172645f726f616d3d0048545f4d70647544656e736974793d3500506b744167677265676174653d3100436f756e747279526567696f6e3d350077616e5f6c3274705f757365723d6c3274705f7573657200
drivers/flash/flash_ioctl.c 440
drivers/flash/flash_ioctl.c 390
drivers/flash/flash_ioctl.c 396
drivers/flash/flash_ioctl.c 401
the [first:ff].[second:ff].[the last but one:ff].[last:ff], return
drivers/flash/flash_ioctl.c 390
drivers/flash/flash_ioctl.c 396
drivers/flash/flash_ioctl.c 401
the [first:ff].[second:ff].[the last but one:ff].[last:ff], return
drivers/flash/flash_ioctl.c 540
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 120k freed
init started: BusyBox v1.12.1 (2009-12-10 08:42:55 EST)
starting pid 602, tty '': '/etc_ro/rcS'
Algorithmics/MIPS FPU Emulator v1.5
devpts: called with bogus options
mount: mounting none on /proc/bus/usb failed: No such file or directory
* * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * *
* * * * * *
* * * * * * * * * * * *
* * * * * * * * * * * *
* * * * * *
* * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * *
* * * * * * * * * * *
* * * * * * * * * * *
* * * * * * * * * * * * * * *
* * * * * * * * * *
* * * * * * * * * *
* * * * * * * * * *
ralink_gpio SETPID_CDZERO
ralink_gpio statedect_pid.pid=612
ralink_gpio statedect_pid.use=1
RALINK_GPIO_SET_DIR_OUT cpu_to_le32(tmp)=dfbefe
internet.sh
Password for 'admin' changed
/sbin/internet.sh: line 257: wc: not found
[: 0: unknown operand
lm: no version for "struct_module" found: kernel tainted.
config usb otg
dwc_otg: version 2.72a 24-JUN-2008
DWC_otg: Core Release: 2.66a
DWC_otg: Periodic Transfer Interrupt Enhancement - disabled
DWC_otg: Multiprocessor Interrupt Enhancement - disabled
DWC_otg: Using DMA mode
DWC_otg: Device using Buffer DMA mode
dwc_otg lm0: DWC OTG Controller
dwc_otg lm0: new USB bus registered, assigned bus number 1
dwc_otg lm0: irq 18, io mem 0x00000000
DWC_otg: Init: Port Power? op_state=1
DWC_otg: Init: Power Port (0)
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
insmod: bridge.ko: module not found
insmod: mii.ko: module not found
insmod: raeth.ko: module not found
phy_tx_ring = 0x009e6000, tx_ring = 0xa09e6000, size: 16 bytes
phy_rx_ring = 0x009e7000, rx_ring = 0xa09e7000, size: 16 bytes
GDMA1_FWD_CFG = 10000
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
ifconfig: ioctl 0x8913 failed: No such device
rmmod: rt2860v2_ap: No such file or directory
rmmod: rt2860v2_sta: No such file or directory
rt2860v2_ap: module license 'unspecified' taints kernel.
2860 version : 2.0.0.0 (Dec 10 2009)
=== pAd = c11f8000, size = 84120 ===
rmmod: nf_nat_pptp: No such file or directory
rmmod: nf_conntrack_pptp: No such file or directory
rmmod: nf_nat_proto_gre: No such file or directory
rmmod: nf_conntrack_proto_gre: No such file or directory
RX DESC a0b76000 size = 1024
1. Phy Mode = 9
2. Phy Mode = 9
3. Phy Mode = 9
MCS Set = ff 00 00 00 01
The primary RSNIE: c11fbcea, len = 22
0x0000 : 00 50 f2 01 01 00 00 50 f2 02 01 00 00 50 f2 02
0x0010 : 01 00 00 50 f2 02
zhaoyong isRadioOff==0
Main bssid = 00:26:ed:2b:40:24
The UUID Hex string is:2880288028801880a8800026ed2b4024
The UUID ASCII string is:28802880-2880-1880-a880-0026ed2b4024!
0x1300 = 00064380
insmod: 8021q.ko: module not found
BusyBox v1.12.1 (2009-12-10 08:42:55 EST) multi-call binary
Usage: ifconfig [-a] interface [address]
ifconfig: ioctl 0x8913 failed: No such device
brctl: bridge br0: No such device or address
iptables v1.4.0rc1: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
device ra0 entered promiscuous mode
##### restore RT3052 to dump switch #####
switch reg write offset=14, value=5555
switch reg write offset=40, value=1001
switch reg write offset=44, value=1001
switch reg write offset=48, value=1001
switch reg write offset=4c, value=1
switch reg write offset=50, value=2001
switch reg write offset=70, value=ffffffff
switch reg write offset=98, value=7f7f
switch reg write offset=e4, value=0
device eth2 entered promiscuous mode
br0: port 2(eth2) entering learning state
br0: port 1(ra0) entering learning state
route: ioctl 0x890c failed: No such process
route: ioctl 0x890b failed: Invalid argument
br0: port 2(eth2) entering disabled state
br0: port 1(ra0) entering disabled state
br0: port 2(eth2) entering learning state
br0: port 1(ra0) entering learning state
ifconfig: ioctl 0x8914 failed: Cannot assign requested address
ifconfig: ioctl 0x8914 failed: Cannot assign requested address
/sbin/lan.sh: line 63: hostname: not found
Set: phy[0].reg[0] = 3900
Set: phy[0].reg[0] = 3100
Set: phy[1].reg[0] = 3900
Set: phy[1].reg[0] = 3100
Warning in PHY reset script
Warning in PHY reset script
Warning in PHY reset script
ifconfig: ioctl 0x8913 failed: No such device
killall rt2860apd 1>/dev/null 2>&1
iptables -F -t filter 1>/dev/null 2>&1
iptables -D FORWARD -j macipport_filter 1>/dev/null 2>&1
iptables -F macipport_filter 1>/dev/null 2>&1
iptables -D FORWARD -j web_filter 1>/dev/null 2>&1
iptables -F web_filter 1>/dev/null 2>&1
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t filter -N web_filter 1>/dev/null 2>&1
iptables -t filter -N macipport_filter 1>/dev/null 2>&1
iptables -t filter -A FORWARD -j web_filter 1>/dev/null 2>&1
iptables -t filter -A FORWARD -j macipport_filter 1>/dev/null 2>&1
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 1>/dev/null 2>&1
iptables -t filter -F INPUT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 80 -j DROP
iptables -t filter -A INPUT -i ppp0 -p icmp -j DROP
save index:0
iptables -t nat -D PREROUTING -j port_forward 1>/dev/null 2>&1
iptables -t nat -F port_forward 1>/dev/null 2>&1; iptables -t nat -X port_forward 1>/dev/null 2>&1
iptables -t nat -D PREROUTING -j DMZ 1>/dev/null 2>&1
iptables -t nat -F DMZ 1>/dev/null 2>&1; iptables -t nat -X DMZ 1>/dev/null 2>&1
iptables -t nat -N port_forward 1>/dev/null 2>&1; iptables -t nat -I PREROUTING 1 -j port_forward 1>/dev/null 2>&1
iptables -t nat -N DMZ 1>/dev/null 2>&1; iptables -t nat -I PREROUTING 2 -j DMZ 1>/dev/null 2>&1
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
ip_table: set wan_name=ppp0
echo 1 > /proc/sys/net/ipv4/ip_forward
ntp.sh
greenap.sh init
ddns.sh
route delete 239.255.255.250 1>/dev/null 2>&1
killall wscd 1>/dev/null 2>&1
killall -9 wscd 1>/dev/null 2>&1
iwpriv ra0 set WscConfMode=0 1>/dev/null 2>&1
iwpriv ra0 set WscConfMode=0 1>/dev/null 2>&1
killall -q klogd
killall -q syslogd
syslogd -C8 1>/dev/null 2>&1
klogd 1>/dev/null 2>&1
killall -q zebra
killall -q ripd
webs: Listening for HTTP requests at address 192.168.0.1
SG device open error, it is not a auto setup modem.
br0: topology change detected, propagating
br0: port 2(eth2) entering forwarding state
br0: topology change detected, propagating
br0: port 1(ra0) entering forwarding state
starting pid 1253, tty '/dev/ttyS1': '/bin/sh'
BusyBox v1.12.1 (2009-12-10 08:42:55 EST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
-> filename:options,path:/var/ppp/options
uaUserNameSvr:vodafone,uaPassWordLoc:vodafone
filename:wcdma_chat,path:/var/ppp/wcdma_chat
uaUserNameSvr:vodafone,uaPassWordLoc:vodafone
filename:pap-secrets,path:/var/ppp/pap-secrets
uaUserNameSvr:vodafone,uaPassWordLoc:vodafone
filename:chap-secrets,path:/var/ppp/chap-secrets
uaUserNameSvr:vodafone,uaPassWordLoc:vodafone
CreateSoftTimer index 0 success:
usTimerID = 4,
ucFlag = 1,
ulCurInterval = 25,
ulNextInterval = 25,
procCallBack = 0x00000000,
args = 0x00000000.
CreateSoftTimer index 1 success:
usTimerID = 1,
ucFlag = 1,
ulCurInterval = 25,
ulNextInterval = 25,
procCallBack = 0x00000000,
args = 0x00000000.
fac Server start
wait...
start accept......
mkdir: cannot create directory '/var/lock': File exists
mkdir: cannot create directory '/var/log': File exists
Un primer analisis del dispositivo me revela un backdoor en el puerto 4719 (telnet, acceso por defecto con admin.):
Código:
Starting Nmap 6.46 ( http://nmap.org ) at 2014-05-08 21:10 CEST
NSE: Loaded 118 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 21:10
Scanning 192.168.0.1 [1 port]
Completed ARP Ping Scan at 21:10, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:10
Completed Parallel DNS resolution of 1 host. at 21:10, 13.00s elapsed
Initiating SYN Stealth Scan at 21:10
Scanning 192.168.0.1 [65535 ports]
Discovered open port 80/tcp on 192.168.0.1
Discovered open port 4719/tcp on 192.168.0.1
Discovered open port 3535/tcp on 192.168.0.1
Completed SYN Stealth Scan at 21:10, 16.85s elapsed (65535 total ports)
Initiating Service scan at 21:10
Scanning 3 services on 192.168.0.1
Completed Service scan at 21:12, 126.17s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.1
NSE: Script scanning 192.168.0.1.
Initiating NSE at 21:12
Completed NSE at 21:13, 30.11s elapsed
Nmap scan report for 192.168.0.1
Host is up (0.0012s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
80/tcp open http GoAhead httpd (WAP http config)
|_http-favicon: Unknown favicon MD5: F0990331A8F325ED616BEE55FFD6359D
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: Wireless Broadband Router
3535/tcp open unknown
4719/tcp open telnet BusyBox telnetd
MAC Address: 00:26:ED:2B:40:24 (zte)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.13 - 2.6.32
Uptime guess: 0.005 days (since Thu May 8 21:05:45 2014)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=195 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Device: WAP
TRACEROUTE
HOP RTT ADDRESS
1 1.23 ms 192.168.0.1
NSE: Script Post-scanning.
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 192.67 seconds
Raw packets sent: 65555 (2.885MB) | Rcvd: 65551 (2.623MB)
Estando dentro del dispositivo, puedo ver que usa BusyBox, lo que me limita el manejo del dispositivo.
Los datos mas relevantes:
Todos los comandos existentes
Código:
[ ethtool lan.sh ripd
[[ expr lld2d rm
ash facSvr logger rmmod
at firewall.sh login route
at-server flash logread rt2860apd
ated free ls sed
automount.sh global.sh lsmod sh
brctl goahead macgo sigmon
busybox gpio mainControl sleep
cat greenap.sh mii_mgr startpppd
cdzero grep mkdir statedect
cfg halt mount switch
chat ifconfig mtd_write syslogd
chkSvr igmpproxy nat.sh telnetd
chpasswd igmpproxy.sh net2tty_dload.sh test
chpasswd.sh inadyn net2tty_qxdm.sh touch
close init ntp.sh ttyswitch
comgt insmod ntpclient udhcpc
config-3g-ppp.sh internet.sh nvram_daemon udhcpc.sh
config-dns.sh iptables nvram_get udhcpd
config-igmpproxy.sh ipupdown nvram_set upnp_xml.sh
config-l2tp.sh iwconfig ping upnpd
config-pppoe.sh iwevent poweroff uptime
config-pptp.sh iwgetid pppd vconfig
config-udhcpd.sh iwlist pptp vi
config-vlan.sh iwpriv pptp.sh vpn-passthru.sh
config.sh iwspy ps wan.sh
cp kill qos_run wifi_unload.sh
daemon_zte killall radvd wscd
date klogd ralink_init zebra
ddns.sh l2tp-control reboot zte_wlan.sh
dnsmasq l2tp.sh reg
echo l2tpd remserial
mount output:
Código:
-> mount
rootfs on / type rootfs (rw)
/dev/root on / type squashfs (ro)
proc on /proc type proc (rw)
none on /var type ramfs (rw)
none on /etc type ramfs (rw)
none on /tmp type ramfs (rw)
none on /media type ramfs (rw)
none on /sys type sysfs (rw)
none on /dev/pts type devpts (rw)
Free output:
Código:
-> free
total used free shared buffers
Mem: 13236 12304 932 0 1124
Swap: 0 0 0
Total: 13236 12304 932
/dev:
Código:
video0 ttyUSB0 random ptyp0 mtdblock3 mtd3 mem flash0
urandom ttyS1 ram3 pts mtdblock2 mtd2ro kmem console
ttyp1 ttyS0 ram2 ptmx mtdblock1 mtd2 i2cM0 acl0
ttyp0 swnat0 ram1 ppp mtdblock0 mtd1ro hwnat0 ac0
ttyUSB3 spiS0 ram0 null mtd4ro mtd1 gpio PCM
ttyUSB2 sg0 ram mtr0 mtd4 mtd0ro flash2 I2S
ttyUSB1 rdm0 ptyp1 mtdblock4 mtd3ro mtd0 flash1
Si nos fijamos en el bootlog, podemos ver que tiene 5 particiones:
Citar
Creating 5 MTD partitions on "Ralink SoC physically mapped flash":
0x00000000-0x00030000 : "Bootloader"
0x00030000-0x00040000 : "Config"
0x00040000-0x00050000 : "Factory"
0x00050000-0x00140000 : "Kernel"
0x00140000-0x00800000 : "RootFS"
0x00000000-0x00030000 : "Bootloader"
0x00030000-0x00040000 : "Config"
0x00040000-0x00050000 : "Factory"
0x00050000-0x00140000 : "Kernel"
0x00140000-0x00800000 : "RootFS"
Para hacer el backup de estas particiones he utilizado el comando mount en la carpeta /dev
Código:
mount --bind /dev /etc_ro/web/
Y posteriormente las he descargado accediendo a cada archivo desde la ip del router. Por ejemplo:
Código:
http://192.168.0.1/mtd2
Esto me ha servido para "engañar" al servidor web y cambiar las rutas para mi beneficio (en este caso bajar archivos que me interesan).
El problema que se me plantea ahora es conseguir subir archivos al router. Como habréis visto, solo tiene telnet, un protocolo que no permite transferencia de archivos. El USB que tiene no puede ser usado, porque al parecer no tiene los módulos del kernel necesarios para detectar y montar unidades USB (o eso parece).
Lo que necesito es subirle el firmware OpenWRT (que ya he compilado) y utilizar el comando mtd_write (que ya viene incluido), pero no sé como subir el archivo.
Alguna idea?
Salu2