Changing the GPON Serial on the Ubiquiti UFiber Nano G – Part Two

Published on January 8th, 2018
by Dylanger Daly

To CFE NVRAM and Beyond!

This post will be about permanently changing the GPON Serial Number.

To understand where and how the OS sets things like the OLT Vendor ID and the GPON Password, let’s open up httpd in IDA. This is the HTTP configuration server; it allows a user to set an OLT Vendor ID (chosen from four) or specify a GPON Password.

[Screenshots omitted: httpd, libcms_dal.so, libcms_core.so, /dev/brcmboard]

The wonderful world of kernel land…

Okay, okay, so where is it stored, and how can I change it?

NOTE: If you end up with a brick, I’m not to blame! Have a UART Cable handy.

Download the required files here

The GPON Serial Number is stored in the CFE NVRAM partition, which is mapped to /dev/mtdblock3 at boot. Here is the struct from the OpenWrt website:

Creating a Kaitai Struct (ksy) to parse the data, we end up with:

We can see these struct addresses do indeed match up. To edit the serial number, all that is required is a hex editor: zero out the 4-byte checksum (when I say zero, I mean literal hex zeros, 0x00000000) and run gencrc32 against the header; this will output your new CRC32. I have no idea why, but Broadcom are doing something funky with their CRC: it’s not a standard CRC32.

Let us become… Alcatel-Lucent

*Clears throat*, I mean ALCL 🙂

Login and confirm current Serial Number:


➜ ~ ssh ubnt@192.168.1.1
ubnt@192.168.1.1's password:
BCM96838 Broadband Router
> sh

BusyBox v1.17.2 (2017-09-19 08:54:11 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cd /bin
# ./gponctl getSnPwd

======== Serial Number & Password ========

Serial Number: 55-42-4E-54-XX-XX-XX-XX
Password : 20-20-20-20-20-20-20-20-20-20

==========================================

Use cat + nc to get mtdblock3:

Host (At 192.168.1.5):

➜ ~ nc -l 4444 > mtdblock3.BIN

Target:

# cat /dev/mtdblock3 | nc 192.168.1.5 4444

Let’s get Hexxy!

Extract out the NV Data:

The NV data is specifically the range 0x580h to 0x98fh.

Copy and paste that range into another hex file.

Note down the current CRC and verify it

The CRC is the last 4 bytes of the NV data file you created; note it down and zero it.

For this example, mine is 0xE41322BCh

Zero the CRC

Run gencrc32 on the file

Confirm that the output of this application matches the old CRC32 value you just zero’d; if it doesn’t match, you’ve got the wrong range.
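The struct layout and checksum check described above, as an added Python example (this is not the post’s gencrc32 tool or any Ubiquiti/Broadcom code): it cuts the NV data out of an mtdblock3 dump, reads the MAC base and GPON serial at the offsets given above, and recomputes the checksum so a dump can be validated, or a modified one recognised, before anything is written back. The Broadcom CRC variant (CRC-32 seeded with 0xFFFFFFFF and no final XOR), the 0x400-byte block length, the board-name and password offsets and the big-endian checksum are assumptions taken from the OpenWrt bcm963xx NVRAM layout, so confirm the computed value against gencrc32 on your own dump; the sample image it builds is constructed, not a device dump.

```python
import struct
import zlib

# 0x580 (start of the NV data in mtdblock3), 0x120 (MAC base) and 0x12C (GPON
# serial) are the offsets from the post. The block length, board-name and
# password offsets and the big-endian checksum are assumptions taken from the
# OpenWrt bcm963xx NVRAM layout.
NV_OFFSET = 0x580
NV_LEN = 0x400                          # checksum is the last 4 bytes
OFF_BOARD, OFF_MAC, OFF_SN, OFF_PW = 0x104, 0x120, 0x12C, 0x139
OFF_CRC = NV_LEN - 4


def broadcom_crc32(data: bytes) -> int:
    """Broadcom CFE CRC (assumed): standard reflected CRC-32 seeded with
    0xFFFFFFFF but without the final XOR, which is why a stock crc32 tool
    disagrees with gencrc32."""
    return zlib.crc32(data) ^ 0xFFFFFFFF


def parse_nvram(dump: bytes) -> dict:
    """Read the identity fields out of an mtdblock3 dump and check its CRC."""
    nv = dump[NV_OFFSET:NV_OFFSET + NV_LEN]
    if len(nv) != NV_LEN:
        raise ValueError("dump too short to contain the NV data block")
    stored = struct.unpack(">I", nv[OFF_CRC:])[0]
    # The CRC covers the block with its checksum field zeroed, which is why
    # the post has you zero those 4 bytes before running gencrc32.
    computed = broadcom_crc32(nv[:OFF_CRC] + b"\0\0\0\0")
    return {
        "board_id": nv[OFF_BOARD:OFF_BOARD + 16].rstrip(b"\0").decode("ascii", "replace"),
        "mac_base": nv[OFF_MAC:OFF_MAC + 6].hex(":"),
        "gpon_serial": nv[OFF_SN:OFF_SN + 12].decode("ascii", "replace"),   # stored as ASCII
        "gpon_password": nv[OFF_PW:OFF_PW + 10].decode("ascii", "replace"),
        "stored_crc": stored,
        "computed_crc": computed,
        "crc_ok": stored == computed,
    }


def build_sample_dump(serial=b"ALCLDEADBEEF", mac=bytes.fromhex("5c1a00000000")) -> bytes:
    """Constructed test image (not a real device dump) with a valid checksum."""
    nv = bytearray(NV_LEN)
    nv[OFF_BOARD:OFF_BOARD + 9] = b"TESTBOARD"
    nv[OFF_MAC:OFF_MAC + 6] = mac
    nv[OFF_SN:OFF_SN + 12] = serial
    nv[OFF_PW:OFF_PW + 10] = b" " * 10                  # 10 spaces, as gponctl shows
    nv[OFF_CRC:] = struct.pack(">I", broadcom_crc32(bytes(nv)))  # CRC over zeroed field
    return b"\xff" * NV_OFFSET + bytes(nv) + b"\xff" * 0x100
```

On a real dump, call parse_nvram(open("mtdblock3.BIN", "rb").read()) and check that crc_ok is True before trusting the other fields; a False there means either the range or the CRC assumption is wrong for your image.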

Editing the GPON Serial and MAC Address Base

Once you’ve confirmed the above, it’s now possible to start editing the values. Let’s change the following:

  • GPON Serial Number (Position 0x12Ch): ALCLDEADBEEF (HEX is stored as ASCII)
  • Base MAC Address (Position 0x120h): 5C1A00000000 (HEX is stored as HEX)

Note: I’ve already changed my Serial and MAC to non-identifying values.

Before / After: [hex editor screenshots omitted]

Generate a brand-spankin’ new CRC32

Replace the zero’d CRC32 in the file with your new CRC32

Copy the entire NV data file and overwrite the same range in mtdblock3.BIN

Use Python’s SimpleHTTPServer to serve the edited mtdblock3 back up to the target device

Host:


➜ ~ python -m SimpleHTTPServer

Target:


# wget http://192.168.1.5:8000/mtdblock3_new_serial.BIN
Connecting to 192.168.1.5:8000 (192.168.1.5:8000)
200 OK, File Get Success
# dd if=/tmp/mtdblock3_new_serial.BIN of=/dev/mtdblock3
2048+0 records in
2048+0 records out

Reboot the Device.

Confirm that the change was successful:


➜ ~ ssh ubnt@192.168.1.1
ubnt@192.168.1.1's password:
BCM96838 Broadband Router
> sh

BusyBox v1.17.2 (2017-09-19 08:54:11 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cd /bin
# ./gponctl getSnPwd

======== Serial Number & Password ========

Serial Number: 41-4C-43-4C-DE-AD-BE-EF
Password : 20-20-20-20-20-20-20-20-20-20

==========================================

# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
link/sit 0.0.0.0 brd 0.0.0.0
3: ip6tnl0: <NOARP> mtu 1452 qdisc noop state DOWN
link/tunnel6 :: brd ::
4: bcmsw: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noop state UNKNOWN qlen 1000
link/ether 5c:1a:00:00:00:28 brd ff:ff:ff:ff:ff:ff
5: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1958 qdisc pfifo_fast state UP qlen 1000
link/ether 5c:1a:00:00:00:28 brd ff:ff:ff:ff:ff:ff
6: br0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1958 qdisc noqueue state UP
link/ether 5c:1a:00:00:00:28 brd ff:ff:ff:ff:ff:ff
7: eth0.0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1958 qdisc noqueue master br0 state UP
link/ether 5c:1a:00:00:00:28 brd ff:ff:ff:ff:ff:ff

Conclusion

There you have it! No need to open the device up!

Dylanger Daly

If it's Security, I'm there. I mainly work in the Security Research Field; most of my focus is Mobile Security, anything from the hardware to TrustZone to the Modem. Bypassing checks one NOP at a time.
