This is a Nokia G-010G-P ONT (Optical Network Terminal) recovered from a scrapyard, running embedded Linux 2.6.30.9. ONTs are network devices usually installed in home fiber-optic broadband installations. Their purpose is to convert the optical signal from the ISP into an electrical signal that home Gigabit Ethernet routers can use. The ONT can be internal, integrated inside the router delivered by the ISP, or external, as in the case of this device. When external, it is installed between the home router and the ISP network and acts as the demarcation point between the carrier's local loop and the customer's premises wiring.
This device is very easy to root: the telnet port is open and the root credentials can easily be found on the internet, which makes it a good starting point for pentesters getting into hardware/IoT hacking. Apart from the telnet root, this write-up covers rooting via the UART port, upgrading BusyBox, port scanning and web interface enumeration.
KEYWORDS
Nokia G-010G-P, ONT, UART, CP2102, GPON.
REFERENCES
TOOLING
Screwdriver, CP2102 USB to UART converter, Dupont wire connectors.
ENUMERATION
A quick Google search returns Nokia G-010G documentation links and datasheets.
The first step is to remove the cover to get access to the device internals. Turn the ONT over and remove the pads; there are two screws beneath them. Unscrew them and open the case.
Inspect the PCB and identify the relevant items.
Realtek RTL90601b network chipset.
UART port, with soldered connection pins.
UART ROOT
First, find the UART ground pin with a multimeter (continuity against a known ground, such as a connector shield), then identify the Rx and Tx pins. Then connect the UART pins to the CP2102 USB converter, which in turn is plugged into the laptop's USB port.
Keep in mind that the data lines cross: UART GND goes to CP2102 GND, UART Tx goes to CP2102 Rx, and UART Rx goes to CP2102 Tx.
Open a picocom serial terminal at 115200 baud in Kali and power on the device; the boot log is printed to the terminal.
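The following shell helper is an added example for the adapter-and-terminal step, not code from the original write-up. It takes the tty name from the cp210x driver's kernel log line, falls back to the udev by-id link (whose name is assumed to contain the CP210x product string), and opens picocom at 115200 baud with a session log so the boot log can be grepped later for the kernel version, partition layout and anything else it prints. The kernel log line in the comments is a constructed sample, and reading dmesg may require root on recent kernels.

```shell
#!/bin/sh
# Added example, not from the write-up: find the CP2102's tty and open picocom with
# a session log. The ONT console runs at 115200 baud, 8N1, no flow control.

# Extract the tty name from cp210x kernel messages read on stdin. The driver logs
# a line of the form (constructed sample):
#   usb 1-1: cp210x converter now attached to ttyUSB0
cp210x_tty() {
    sed -n 's/.*cp210x converter now attached to \(ttyUSB[0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Resolve the adapter device node: kernel log first (may need root), then the udev
# by-id symlink, whose name is assumed to contain the chip's USB product string.
cp210x_dev() {
    tty=$(dmesg 2>/dev/null | cp210x_tty)
    if [ -n "$tty" ]; then echo "/dev/$tty"; return 0; fi
    for link in /dev/serial/by-id/*CP210*; do
        [ -e "$link" ] && { echo "$link"; return 0; }
    done
    echo "no CP210x adapter found" >&2
    return 1
}

# Open the console. Wiring: ONT GND to CP2102 GND, ONT Tx to CP2102 Rx, ONT Rx to
# CP2102 Tx; leave the adapter's VCC pin unconnected, the ONT has its own supply.
ont_console() {
    dev=$(cp210x_dev) || return 1
    log="ont-console-$(date +%Y%m%d-%H%M%S).log"
    echo "opening $dev, logging to $log (exit picocom with C-a C-x)" >&2
    picocom -b 115200 --logfile "$log" "$dev"
}

if [ "${1:-}" = "connect" ]; then ont_console; fi
```

Run it as `sh ont-console.sh connect` with the adapter plugged in; the log file keeps everything the ONT prints from power-on, which is easier to search than scrolling back in the terminal.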
After boot finishes, the first step is to enable the login prompt. The login credentials are root:huigu309.
These 2 resources are helpful:
Type enable to activate the login prompt, then type login and enter the credentials.
ONT>enable
#ONT>login
User name:root
Password:
After entering the credentials the screen is cleared and a new prompt appears. In the new prompt, type help for a list of available commands.
#ONT>help
Description: CLI Root
+traffic Service CLI menu
+system System CLI menu
Spawn a Linux shell by typing system, and then shell.
From this shell we can enumerate the BusyBox version and the commands available in /bin.
#ONT/system/shell>cd /bin
#ONT/system/shell>ls
Console dnsdomainname klogd pwd
EthMgr dropbear ln qc
GponCLI dsp loadconfig reboot
GponSLID echo login rm
LogMgr ecmh lp rmdir
MecMgr egrep lpadmin route
MiscMgr expr lpstat run-parts
NetMgr factory ls saveconfig
PonMgr false mReport sed
ShowStatus fgrep mdev sh
Ssp flash mfcv6d sleep
TimerMgr flatfsd miniupnpd slogd
WebMgr ftp mkdir startup
arp ftpd mknod stat
ash fuser mktemp stty
brctl grep mount sync
busybox gunzip mountpoint tar
cat gzip mpoactl telnetd
catv halt mpoad tftpd
chat hostname msh touch
chgrp ifconfig mv traceroute
chmod inetd netstat true
chown ip nice udhcpd
config ipaddr ntpclient umount
configd iplink parallel uname
cp iproute pidof usleep
date iprule ping vi
dd iptables ping6 vsntp
df iptables-batch poweroff zcat
diag iptunnel printenv
dmesg kill ps
#ONT/system/shell>./busybox
BusyBox v1.18.4 (2017-03-15 17:29:57 CST) multi-call binary.
Copyright (C) 1998-2009 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.
Usage: busybox [function] [arguments]...
or: busybox --list[-full]
or: function [arguments]...
BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable. Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as.
Currently defined functions:
[, [[, ar, arp, arping, ash, awk, basename, bunzip2, bzcat, bzip2, cal,
cat, catv, chgrp, chmod, chown, cksum, cmp, comm, cp, cut, date, dd,
df, dirname, dmesg, dnsdomainname, dos2unix, du, echo, egrep, env,
expand, expr, false, fgrep, fold, free, ftpget, ftpput, grep, gunzip,
gzip, halt, head, hostid, hostname, id, ifconfig, ifdown, ifup, init,
insmod, install, ip, ipaddr, ipcs, iplink, iproute, iprule, iptunnel,
kill, killall, killall5, length, linuxrc, ln, logname, logread,
losetup, ls, lsmod, lspci, lsusb, md5sum, mkdir, mkfifo, mknod, mktemp,
modinfo, modprobe, mount, mountpoint, mv, netstat, nice, nohup, od,
pidof, ping, ping6, poweroff, printenv, printf, ps, pwd, readlink,
realpath, reboot, rm, rmdir, rmmod, route, run-parts, sed, seq, sh,
sha1sum, sha256sum, sha512sum, sleep, sort, split, stat, stty, sum,
sync, sysctl, syslogd, tac, tail, tar, tee, test, tftp, top, touch, tr,
traceroute, traceroute6, true, tty, udhcpc, umount, uname, unexpand,
uniq, unix2dos, usleep, uudecode, uuencode, vconfig, vi, wget, zcat
The set of applets compiled in is limited, but enough to continue enumerating the system. Note that the applet list is longer than the /bin listing above: applets that are compiled in but not linked in /bin can still be run as busybox <applet>.
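As an added example (not part of the original write-up), the following POSIX shell script compares the two listings above: the applets compiled into the BusyBox binary and the names actually linked in /bin. Applets in the first set but not the second (wget, md5sum, awk, tftp, ftpput, insmod and so on) are still usable as busybox <applet>; names in /bin that are not applets are the vendor's own binaries (GponSLID, flash, factory, saveconfig, ...) and daemons such as dropbear, which are worth a closer look. Both lists are copied from the ONT output shown above.

```shell
#!/bin/sh
# Added example, not from the write-up: which BusyBox applets are compiled in but
# not linked in /bin, and which /bin entries are not BusyBox applets at all.
# Both lists are copied from the ONT output shown above.

BUSYBOX_APPLETS='[, [[, ar, arp, arping, ash, awk, basename, bunzip2, bzcat, bzip2, cal,
cat, catv, chgrp, chmod, chown, cksum, cmp, comm, cp, cut, date, dd,
df, dirname, dmesg, dnsdomainname, dos2unix, du, echo, egrep, env,
expand, expr, false, fgrep, fold, free, ftpget, ftpput, grep, gunzip,
gzip, halt, head, hostid, hostname, id, ifconfig, ifdown, ifup, init,
insmod, install, ip, ipaddr, ipcs, iplink, iproute, iprule, iptunnel,
kill, killall, killall5, length, linuxrc, ln, logname, logread,
losetup, ls, lsmod, lspci, lsusb, md5sum, mkdir, mkfifo, mknod, mktemp,
modinfo, modprobe, mount, mountpoint, mv, netstat, nice, nohup, od,
pidof, ping, ping6, poweroff, printenv, printf, ps, pwd, readlink,
realpath, reboot, rm, rmdir, rmmod, route, run-parts, sed, seq, sh,
sha1sum, sha256sum, sha512sum, sleep, sort, split, stat, stty, sum,
sync, sysctl, syslogd, tac, tail, tar, tee, test, tftp, top, touch, tr,
traceroute, traceroute6, true, tty, udhcpc, umount, uname, unexpand,
uniq, unix2dos, usleep, uudecode, uuencode, vconfig, vi, wget, zcat'

BIN_ENTRIES='Console dnsdomainname klogd pwd EthMgr dropbear ln qc
GponCLI dsp loadconfig reboot GponSLID echo login rm
LogMgr ecmh lp rmdir MecMgr egrep lpadmin route
MiscMgr expr lpstat run-parts NetMgr factory ls saveconfig
PonMgr false mReport sed ShowStatus fgrep mdev sh
Ssp flash mfcv6d sleep TimerMgr flatfsd miniupnpd slogd
WebMgr ftp mkdir startup arp ftpd mknod stat
ash fuser mktemp stty brctl grep mount sync
busybox gunzip mountpoint tar cat gzip mpoactl telnetd
catv halt mpoad tftpd chat hostname msh touch
chgrp ifconfig mv traceroute chmod inetd netstat true
chown ip nice udhcpd config ipaddr ntpclient umount
configd iplink parallel uname cp iproute pidof usleep
date iprule ping vi dd iptables ping6 vsntp
df iptables-batch poweroff zcat diag iptunnel printenv
dmesg kill ps'

# Print every name in $1 that does not occur in $2. Names are separated by
# spaces, commas or newlines; duplicates are dropped and the result is sorted.
set_minus() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(b, bl, "[ ,\t\n]+")
        for (i = 1; i <= n; i++) if (bl[i] != "") inb[bl[i]] = 1
        n = split(a, al, "[ ,\t\n]+")
        for (i = 1; i <= n; i++)
            if (al[i] != "" && !(al[i] in inb) && !seen[al[i]]++) print al[i]
    }' | sort
}

# Applets that must be invoked as "busybox NAME" on this device (wget, md5sum, ...).
applets_not_linked() { set_minus "$BUSYBOX_APPLETS" "$BIN_ENTRIES"; }

# Binaries in /bin that BusyBox does not provide: the vendor's own tools
# (GponSLID, flash, factory, saveconfig, ...) plus daemons such as dropbear.
vendor_binaries() { set_minus "$BIN_ENTRIES" "$BUSYBOX_APPLETS" | grep -vx busybox; }

if [ "${1:-}" = "report" ]; then
    echo "== applets only reachable as 'busybox NAME' =="; applets_not_linked
    echo "== /bin entries that are not BusyBox applets =="; vendor_binaries
fi
```

Run `sh applets.sh report` on Kali; to use it on another device, replace the two strings with the output of `busybox --list` and `ls /bin` captured from it.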
#ONT/system/shell>uname -a
Linux (none) 2.6.30.9-cig-sfu-1 #1 Fri Dec 11 11:48:11 CST 2015 rlx GNU/Linux
And the network config.
#ONT/system/shell>ifconfig
eth0 Link encap:Ethernet HWaddr A4:81:7A:CB:72:2C
inet6 addr: fe80::a681:7aff:fecb:722c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:866 (866.0 B)
Interrupt:26 Base address:0x2000
lan0 Link encap:Ethernet HWaddr A4:81:7A:CB:72:2C
inet addr:192.168.100.1 Bcast:192.168.100.255 Mask:255.255.255.0
inet6 addr: fe80::a681:7aff:fecb:722c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:468 (468.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
The good news is that the installed BusyBox build includes the wget applet, so we can transfer files from our Kali machine. Note that wget is not linked in /bin (compare the ls output with the applet list above), so it has to be invoked as busybox wget. A writable directory is also needed as destination, for example /var/tmp.
Connect the ONT Ethernet port to the laptop with a network cable and launch Kali in bridged network mode in VirtualBox. Then configure an IP address in the 192.168.100.0/24 range on the eth0 interface in Kali.
Verify there is connectivity with the ONT, keeping in mind that the device configures itself with address 192.168.100.1 on its lan0 interface.
> ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=2.02 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=1.15 ms
^C
--- 192.168.100.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1012ms
rtt min/avg/max/mdev = 1.147/1.581/2.015/0.434 ms
Launch a port scan with nmap
> export target=192.168.100.1
> nmap $target -p- --min-rate=5000 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-21 06:20 EDT
Nmap scan report for 192.168.100.1
Host is up, received user-set (0.0000040s latency).
Not shown: 45821 filtered tcp ports (no-response), 19406 filtered tcp ports (net-unreach), 306 closed tcp ports (conn-refused)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
23/tcp open telnet syn-ack
80/tcp open http syn-ack
Nmap done: 1 IP address (1 host up) scanned in 31.77 seconds
# enumerate the open ports
> nmap $target -p23,80 -sV -sC -Pn -vv -n
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-21 07:03 EDT
Nmap scan report for 192.168.100.1
Host is up, received user-set (0.0014s latency).
Scanned at 2024-03-21 07:03:37 EDT for 53s
PORT STATE SERVICE REASON VERSION
23/tcp open telnet syn-ack
| fingerprint-strings:
| GenericLines:
| Login as:
| Login as: Login as:
| GetRequest:
| Login as: GET / HTTP/1.0
| Password:
| Help:
| Login as: HELP
| Password:
| NCP:
| Login as: DmdT^@^@^@
| ^@^@^@^A^@^@^@^@^@
| NULL:
| Login as:
| RPCCheck:
| Login as:
| ^@^@(r
| SIPOptions:
| Login as: OPTIONS sip:nm SIP/2.0
| Via: SIP/2.0/TCP nm;branch=foo
| From: <sip:nm@nm>;tag=root
| <sip:nm2@nm2>
| Call-ID: 50000
| CSeq: 42 OPTIONS
| Max-Forwards: 70
| Content-Length: 0
| Contact: <sip:nm@nm>
| Accept: application/sdp
| Password:
| tn3270:
|_ Login as: ^@IBM-3279-4-E
80/tcp open http syn-ack GoAhead WebServer
|_http-favicon: Unknown favicon MD5: BD1E09910249CCA3E8EC3B66CE4EA36D
| http-methods:
|_ Supported Methods: GET HEAD
|_http-title: GPON Home Gateway
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port23-TCP:V=7.93%I=7%D=3/21%Time=65FC140F%P=x86_64-pc-linux-gnu%r(NULL
SF:,19,"\xff\xfd\x01\xff\xfd\x1f\xff\xfd!\xff\xfb\x01\xff\xfb\x03Login\x20
SF:as:\x20")%r(GenericLines,31,"\xff\xfd\x01\xff\xfd\x1f\xff\xfd!\xff\xfb\
SF:x01\xff\xfb\x03Login\x20as:\x20\r\n\r\nLogin\x20as:\x20Login\x20as:\x20
SF:")%r(tn3270,2A,"\xff\xfd\x01\xff\xfd\x1f\xff\xfd!\xff\xfb\x01\xff\xfb\x
SF:03Login\x20as:\x20\^@IBM-3279-4-E\xfb\^Y")%r(GetRequest,35,"\xff\xfd\x0
SF:1\xff\xfd\x1f\xff\xfd!\xff\xfb\x01\xff\xfb\x03Login\x20as:\x20GET\x20/\
SF:x20HTTP/1\.0\r\n\r\nPassword:\x20")%r(RPCCheck,23,"\xff\xfd\x01\xff\xfd
SF:\x1f\xff\xfd!\xff\xfb\x01\xff\xfb\x03Login\x20as:\x20\x80\^@\^@\(r\xfe\
SF:^\]")%r(Help,29,"\xff\xfd\x01\xff\xfd\x1f\xff\xfd!\xff\xfb\x01\xff\xfb\
SF:x03Login\x20as:\x20HELP\r\nPassword:\x20")%r(SIPOptions,102,"\xff\xfd\x
SF:01\xff\xfd\x1f\xff\xfd!\xff\xfb\x01\xff\xfb\x03Login\x20as:\x20OPTIONS\
SF:x20sip:nm\x20SIP/2\.0\r\nVia:\x20SIP/2\.0/TCP\x20nm;branch=foo\r\nFrom:
SF:\x20<sip:nm@nm>;tag=root\r\nTo:\x20<sip:nm2@nm2>\r\nCall-ID:\x2050000
SF:\nCSeq:\x2042\x20OPTIONS\r\nMax-Forwards:\x2070\r\nContent-Length:\x200
SF:\r\nContact:\x20<sip:nm@nm>\r\nAccept:\x20application/sdp\r\n\r\nPasswo
SF:rd:\x20")%r(NCP,53,"\xff\xfd\x01\xff\xfd\x1f\xff\xfd!\xff\xfb\x01\xff\x
SF:fb\x03Login\x20as:\x20DmdT\^@\^@\^@\x08\x20\x08\x08\x20\x08\x08\x20\x08
SF:\x08\x20\x08\x08\x20\x08\x08\x20\x08\x08\x20\x08\x08\x20\x08\x08\x20\x0
SF:8\x08\x20\x08\^@\^@\^@\^A\^@\^@\^@\^@\^@");
Nmap done: 1 IP address (1 host up) scanned in 53.92 seconds
Log in with the credentials admin:1234. The site basically allows updating the PLOAM password, which is what authenticates the ONT to the OLT on the ISP network. Also, clicking "More Info" reveals additional information about the device.
Winbond 25Q128JSVQ flash memory storing the firmware.
A full BusyBox build would provide more flexibility. The binary can be downloaded from here:
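Before pushing a replacement, check that the candidate binary matches the ELF class, endianness and machine type of the BusyBox already on the device. The following POSIX shell script is an added example (not part of the write-up) that reads the first 20 bytes of an ELF header using only dd, od and awk, so it runs unchanged on the Kali host and, with BB='busybox ' set because od and awk are not linked in /bin there, in the ONT's shell against /bin/busybox. uname reports an rlx (Realtek Lexra) core, and this check only confirms class, endianness and machine type, not that the core executes every instruction the new binary uses, so run the candidate from /var/tmp first and keep the original binary until it proves itself. The test headers in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not from the write-up: read the ELF identification of a binary with
# only dd, od and awk, so the same check runs on the Kali host and on the ONT.
# On the ONT, od and awk are compiled in but not linked in /bin: run with BB="busybox ".
BB="${BB:-}"

# Print "ELF32 LE MIPS"-style summary for the file in $1, or fail if it is not ELF.
elf_ident() {
    f="$1"
    # First 20 bytes: e_ident[16], e_type[2], e_machine[2]. "od -b" (octal bytes) is
    # the one format both GNU od and BusyBox od support; awk drops the offset column.
    set -- $(${BB}dd if="$f" bs=1 count=20 2>/dev/null | ${BB}od -v -b |
             ${BB}awk 'NF > 1 { for (i = 2; i <= NF; i++) print $i }')
    [ $# -eq 20 ] || { echo "$f: short read" >&2; return 1; }
    [ "$1 $2 $3 $4" = "177 105 114 106" ] || { echo "$f: not an ELF file" >&2; return 1; }
    case $5 in                       # EI_CLASS
        001) class=ELF32 ;;
        002) class=ELF64 ;;
        *) echo "$f: bad EI_CLASS $5" >&2; return 1 ;;
    esac
    case $6 in                       # EI_DATA decides the byte order of e_machine
        001) data=LE; machine="${20}${19}" ;;
        002) data=BE; machine="${19}${20}" ;;
        *) echo "$f: bad EI_DATA $6" >&2; return 1 ;;
    esac
    case $machine in                 # e_machine as two octal bytes, high byte first
        000010) arch=MIPS ;;
        000003) arch=x86 ;;
        000050) arch=ARM ;;
        000076) arch=x86-64 ;;
        000267) arch=AArch64 ;;
        *) arch="e_machine=0o$machine" ;;
    esac
    echo "$class $data $arch"
}

# Succeed only when both files have the same class, endianness and machine type.
same_abi() {
    a=$(elf_ident "$1") || return 1
    b=$(elf_ident "$2") || return 1
    [ "$a" = "$b" ]
}

if [ $# -ge 1 ]; then
    for f in "$@"; do printf '%s: ' "$f"; elf_ident "$f"; done
fi
```

On the ONT, `BB='busybox ' sh elf-ident.sh /bin/busybox` prints the target's class, byte order and machine type; on Kali, run the script on the downloaded candidate and only transfer it if the two lines match. After `busybox wget` has placed it in /var/tmp, `busybox md5sum` against the hash computed on Kali confirms the transfer before `chmod +x` and a first test run.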