Hacking the 2-Wire

So, I've been trying to find an exploit in the 2-Wire modem I received. In my journeys, I found one guy who has already done a lot of work on it. His blog is here

Now, here is a quick summary:

  • It uses a TriMedia SoC with a proprietary instruction set
  • It uses some kind of *nix
  • It has an SSH server, but it ships disabled
  • It has an exposed JTAG connector, but it's very involved to try to get anything out of it.

He's run arbitrary code on it, but he's failed at flashing it so that it uses its standard firmware, but with sshd enabled.

So, I'm now refocusing my efforts on finding an external (black-box) exploit against the DNS and HTTP servers. I've been poking around the HTTP server, trying to find a simple command-injection type exploit, but even where it looks like it should work, it just doesn't. This seems quite hardened. The only significant thing I've forced it to do is to run out of memory (apparently the HTTP server doesn't have a maximum request size).

The DNS server, however, I've already found a bug with. It apparently doesn't clear the response memory properly... So, if I go to facebook.com and then I go to the DNS server and send an invalid command, it'll send back a garbled response with a mention of facebook.com. That's a pretty scary privacy flaw, heh. It also has recursion disabled, so the DNS server seems quite weak, but I've never tried to exploit DNS.

Happy hacking

Posted: 6/1/2013 8:42:45 PM
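
For the DNS response leak described in the post above, a defender-side check over a captured response, added here as an example and not taken from the original post: it scans the bytes after the 12-byte header for label-encoded hostnames other than the one that was queried. The sample packet and the names `read_name`, `find_names` and `leaked_names` are constructed for illustration, not captured from the modem.

```python
import string

LABEL_CHARS = set((string.ascii_letters + string.digits + "-_").encode())

def read_name(buf, pos):
    """Decode an uncompressed DNS name (length-prefixed labels, RFC 1035)
    at pos. Returns (name, next_pos), or None if the bytes are not a name.
    Compression pointers are not followed, so this is a heuristic."""
    labels = []
    while pos < len(buf):
        n = buf[pos]
        if n == 0:  # root label ends the name; require at least two labels
            return (".".join(labels), pos + 1) if len(labels) >= 2 else None
        if n > 63 or pos + 1 + n > len(buf):
            return None
        label = buf[pos + 1:pos + 1 + n]
        if not all(c in LABEL_CHARS for c in label):
            return None
        labels.append(label.decode("ascii").lower())
        pos += 1 + n
    return None

def find_names(buf, start=12):
    """Try every offset after the header; collect (offset, hostname) hits."""
    found, pos = [], start
    while pos < len(buf):
        hit = read_name(buf, pos)
        if hit:
            found.append((pos, hit[0]))
            pos = hit[1]
        else:
            pos += 1
    return found

def leaked_names(response, asked):
    """Hostnames present in the response that the client never asked about."""
    asked = asked.lower().rstrip(".")
    return [(off, name) for off, name in find_names(response) if name != asked]

# Constructed sample: FORMERR reply (QR=1, RCODE=1) to a query for example.test
HEADER = bytes.fromhex("1234" "8001" "0001" "0000" "0000" "0000")
QUESTION = b"\x07example\x04test\x00" + b"\x00\x01\x00\x01"
CLEAN = HEADER + QUESTION
# Same reply followed by stale buffer contents from an earlier lookup
STALE = CLEAN + b"\xff\xfe" + b"\x08facebook\x03com\x00" + b"\x00\x01\x00\x01"

if __name__ == "__main__":
    print(leaked_names(CLEAN, "example.test"))
    print(leaked_names(STALE, "example.test"))
```
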

Hacking Another Modem

So someone was nice enough to donate a 2-Wire 3801HGV to me. For what purpose? I don't have U-Verse! Why, to root it, of course! Apparently no one knows how to make a decent modem these days. So, my goals for this are to get as much info as possible, hopefully find a remote exploit like I did with the NVG510 and publish what's possible and what's not, as well as lay the groundwork for future hackers that probably know a lot more about this stuff than I do. My primary goal at this very second is to get a serial port working and get a root shell.

I'll publish more as I work through this.

Posted: 5/21/2013 12:43:19 AM