While I was working at the proto-shield development for Geremia, I found myself getting more and more interested in electronics. At the very same time, I found intriguing the intersection between hardware and security.
It was about time to give it a try.
While trying to sort out the clutter in my drawers, I found an extremely old Netgear WNCE3001 WiFi repeater. It is more than five years old and no longer helpful. What about trying to tear it apart and play with it?
I took it to my desk and started to remove the plastics. That was easy since I had an iFixit kit. I ended up with the motherboard, and a quick inspection revealed that an RTL8196C-GR Realtek microprocessor powered the device and that a nice MX25L3206E CMOS flash was on the other side of the motherboard.
A deeper inspection of the motherboard revealed six pins without any text on the motherboard. Those may have been a JTAG or UART connection.
I picked up my multimeter, powered up the device, and measured the voltage from those pins. I quickly found the ground pin and noticed a varying voltage from another pin. That started to look like a serial interface.
A few months ago, I picked up a second oscilloscope for a little bit more than a hundred bucks and connected one probe to those two pins. After a few seconds of looking at the screen, it was obvious that it was a serial connection.
A few calculations from the scope measurements and I found out it was a 38400 bps serial connection. I connected those two pins to a USB TTL-UART converter and fired up a serial terminal on my Mac. I could quickly look at the boot sequence on my PC screen. A few minutes later, I found the RX pin on the device, and I have a working serial connection between the repeater and my pc.
It was interesting to notice that the boot sequence ended with my terminal in a working shell with root privileges.
I now have a root shell on a Linux box.
I looked around the file system and closely at the boot sequence. In a few minutes, I found my WPA2 key in plain text.
Even if I knew nothing about hardware hacking and electronics, that was extremely easy to find.
I also wanted to explore the CMOS Flash, trying to dump its content. I had a Buspirate lying around and used it to dump the firmware. The SPI protocol is relatively easy to understand, but, in this case, you don’t need to know it since the Flashrom utility deals with it for you.
I could not read the flash chip while it was on the motherboard. I had to desolder it. No big deal; I would trash the device at the end of the experiment.
After the memory dump, I used binwalk to extract the files from the dump file.
No more exciting things to do with this device.
I could not define this device as the most secure one out there.
Maybe the next time I could try to get one of those cheap security cameras and look at what’s in there.