Many moons ago I started a project on Hackaday.io about rooting the Telstra T-Hub. Whilst I've largely abandoned Hackaday and its subsidiaries, this project is still sort of alive for me. There's a fair bit of detail on the old Hackaday pages, so I strongly recommend you have a quick look there before continuing to read this post.
I mention on that page that there are two variants of the T-Hub: a more modern (and seemingly more plentiful) unit based on the iMX51 SoC from Freescale, and a harder-to-find unit based on the slower iMX31 SoC from the same company. The post there details fairly well how to pwn the iMX51 unit, but the operating system installed on the iMX31 is different (it has less flash memory available) and so needs a slightly different payload. In a nutshell, the two key differences are these:
- No wget. Or, more accurately, a wget that doesn't behave the same way as the iMX51's. It is actually still present on the machine, but I ended up going for cURL instead.
- No dropbear. This means no SSH server once the firewall falls. This is countered by using BusyBox's built-in telnetd service.
The rest of the attack is quite similar. In short:
- Boot the machine into the standard UI, then dial *352# in the phone application to drop into the debugger menu.
- Use the USB test function to execute commands as root. It has the same vulnerability as the iMX51.
- Adjust the filename/bootstrapper to use curl instead of wget when getting the real payload from the web.
- Drop the firewall.
- Enable the inetd service to start the telnetd server.
- Remount the / filesystem read-write.
- Replace /etc/shadow so that we have a known login.
- Telnet in.
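The defender's counterpart to that list, added here and not part of the original post: a POSIX shell check for the persistent traces the last few steps leave on a unit (a telnet service enabled in inetd, / mounted read-write, and a changed or empty root entry in /etc/shadow). The paths /etc/inetd.conf and /proc/mounts, and the root-prefix argument that lets it run against a copied filesystem tree, are assumptions about the BusyBox layout rather than details from the post.

```sh
#!/bin/sh
# Added example, not from the original post: look for the traces the
# rooting chain above leaves behind on a BusyBox unit. The paths are the
# usual BusyBox/Linux ones and are an assumption about this device.
#
# Usage: check_thub ROOT_PREFIX [EXPECTED_ROOT_HASH]
#   ROOT_PREFIX         path prefix: "" for the live system, or a copied tree
#   EXPECTED_ROOT_HASH  known-good hash field of the root line in /etc/shadow
# Returns the number of findings (0 = nothing suspicious).
check_thub() {
    root="${1:-}"
    expected="${2:-}"
    findings=0

    # 1. telnetd enabled via inetd (an uncommented "telnet" service line)
    inetd="$root/etc/inetd.conf"
    if [ -f "$inetd" ] && grep -Eq '^[[:space:]]*telnet[[:space:]]' "$inetd"; then
        echo "FINDING: telnet service enabled in $inetd"
        findings=$((findings + 1))
    fi

    # 2. root filesystem remounted read-write (option field of the "/" mount)
    mounts="$root/proc/mounts"
    if [ -f "$mounts" ] && awk '$2 == "/" && $4 ~ /(^|,)rw(,|$)/ { f = 1 }
                                END { exit f ? 0 : 1 }' "$mounts"; then
        echo "FINDING: / is mounted read-write"
        findings=$((findings + 1))
    fi

    # 3. root entry in /etc/shadow empty, or different from the known-good hash
    shadow="$root/etc/shadow"
    if [ -f "$shadow" ]; then
        hash=$(grep '^root:' "$shadow" | cut -d: -f2)
        if [ -z "$hash" ] || { [ -n "$expected" ] && [ "$hash" != "$expected" ]; }; then
            echo "FINDING: root password entry in $shadow is empty or changed"
            findings=$((findings + 1))
        fi
    fi

    return "$findings"
}

# Run directly with a prefix argument; does nothing when sourced without one.
if [ $# -gt 0 ]; then
    check_thub "$@"
fi
```

The exit status is the number of findings, so it can be dropped straight into a cron job or a fleet check that only alerts on non-zero.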
Details to come...