Mr-Protocol Posted August 26, 2010 (edited)

I have an AirMagnet 5010 wireless sensor. Now I don't have all the fancy server software it wants, I don't even want to use it like that. I was curious if anyone could help identify what open source router firmware/Linux I could run on this device. Here is lots of info on it from the FCC: https://fjallfoss.fcc.gov/oetcf/eas/reports...AM5010-001

It does have a laptop Atheros wifi card in it. Only one, but I'm working on getting a second one.

Processor: IDT 79RC32K438-200BB ZA0449P <-- what is written on the chip
http://www.idt.com/?partId=79RC32K438-200BB
32B INT CPU DDR PCI E-NET: 32-bit MIPS CPU core with dual on-chip 10/100 Mbps Ethernet interface, DDR controller, 32-bit PCI interface, I2C controller, DMA controller, Serial Peripheral interface

RAM: 2x Samsung 256Mbit GDDR SDRAM - K4D551638F-TC60
http://www.datasheetcatalog.com/datasheets...638F-TC60.shtml

Closest info I could find for the Flash memory. On the chip: MALAYSIA 29DL64DF-70PFTN

"MBM29DL64DF is a 64 M-bit, 3.0 V-only Flash memory organized as 8 Mbytes of 8 bits each or 4 M words of 16 bits each. The device comes in 48-pin TSOP (1) and 48-ball FBGA packages. This device is designed to be programmed in system with 3.0 V VCC supply. 12.0 V VPP and 5.0 V VCC are not required for write or erase operations. The device can also be reprogrammed in standard EPROM programmers. The device is organized into four physical banks: Bank A, Bank B, Bank C and Bank D, which are considered to be four separate memory arrays operations. This device is almost identical to Fujitsu's standard 3 V only Flash memories, with the additional capability of allowing a normal non-delayed read access from a non-busy bank of the array while an embedded write (either a program or an erase) operation is simultaneously taking place on the other bank."
Source: http://pdf1.alldatasheet.com/datasheet-pdf...+/datasheet.pdf

Wireless: http://dl.metrix.net/support/docs/datashee...-Aries-Spec.pdf
NL-5354MP Aries 1.20, Atheros AR5212A-00 KA294.1B 3304 Taiwan

Wired RJ45: http://www.realtek.com.tw/products/product...4&ProdID=24
Realtek RTL8201BL chip on the board.

Any thoughts on how to get Linux/DD-WRT/OpenWrt on this, or if it is even supported? I might even consider sending one out if someone really desires to play with one of these devices and shares what they have done. Working on getting a few more.

Info from: http://www.cccmn.com/used/air-magnet/wireless/am-5010-11ag.html
"The firmware executes on a Linux operating system but access to operating system operations is logically prevented."

Edited August 27, 2010 by Mr-Protocol
digininja Posted August 27, 2010

I don't know anything from the info here, but AirMagnet isn't mentioned on the OpenWrt supported hardware list http://wiki.openwrt.org/toh/start . I think you'd be better off asking on their forums https://forum.openwrt.org/
Mr-Protocol Posted August 27, 2010 Author (edited)

It's such an obscure device, I doubt they will even know what it is... Didn't know if you could tell from the hardware in it what Linux distro to give a shot at first? I would try to connect to it via serial port BUT... I can't find out how to communicate with it...

Edited August 27, 2010 by Mr-Protocol
digininja Posted August 27, 2010

Can you get into it any way? Any command line access, either telnet or ssh? What about RedBoot? Ping it on the usual IPs when powering it on and see if it responds for a few seconds.
Mr-Protocol Posted August 27, 2010 Author

I have no clue how to use RedBoot; the stupid device won't respond to pings with a crossover cable or straight through. I can't figure out how to talk to it with serial. It should be on 192.168.1.1 according to the user manual from the FCC link... I did the whole reset thing.
digininja Posted August 27, 2010

To check for RedBoot, start a ping going on some of the common IPs (192.168.0.1, .1.1, .0.254 etc.) and then power on the device. If you get a reply on any of them within the first few seconds then RedBoot is probably enabled. If it is then we can take it from there.
Mr-Protocol Posted August 27, 2010 Author

Started a ping on what you suggested. Started them all at the same time and put a count of 1000. 192.168.1.1 said Host Unreachable until a few seconds after I gave the device power, which turned into Request timed out, while all the rest still say unreachable.
digininja Posted August 27, 2010

What IP did you have during this? If you were on the .0.X network then you won't be able to talk to the .1.X network.
Mr-Protocol Posted August 27, 2010 Author (edited)

192.168.1.2 was what I was on. Yeah, forgot about that, been a long day. I'm not sure if this unit was even known working. I'll have to wait for a few more to see what they do.

Edited August 27, 2010 by Mr-Protocol
Mr-Protocol Posted August 28, 2010 Author (edited)

Found one that works. It's got a password on it and OF COURSE the reset button does not clear passwords... Any thoughts? Had to hit it with HTTPS. They use this for the web GUI: http://www.goahead.com/products/webserver/default.aspx And it hits my DHCP to get an IP.

Edited August 28, 2010 by Mr-Protocol
digininja Posted August 28, 2010

Have you tried popping off the lid and looking for a serial connector? Otherwise scan it with Nessus and anything else you can get your hands on to see if there are any vulnerabilities on it.
Mr-Protocol Posted August 29, 2010 Author

It has an RS232 serial port on the outside of the case. Internally it has 2 rows of 7 pins that I'm not sure about. You can see what I'm talking about if you view the FCC.gov link I posted in my first post. It has internal photos there.
digininja Posted August 29, 2010

I'd get a serial cable on that then and see what you get from it. Might get a shell if you are lucky. Try different baud rates and settings if you get garbage.
Mr-Protocol Posted August 29, 2010 Author

That is where I am a little in the dark. Not really good at using serial cables. I'm on Win7 and using PuTTY and it says "Connected" but the screen is blank, and I type "help" and hit enter and nothing happens. I think the same happened when I used my USB to serial on my XP laptop. Not sure I did it right...
Mr-Protocol Posted September 1, 2010 Author (edited)

I FINALLY got a serial connection to this thing. I needed to get a null modem for my serial cable. I think it is running Linux NET4.0 according to the serial connection info when I issued a reboot. I also see BusyBox installed. Info: https://docs.google.com/document/edit?id=1U...uthkey=CIGysOoP Anyone have ideas for me to try to re-load Linux on this thing?

Edited September 2, 2010 by Mr-Protocol
digininja Posted September 2, 2010

Looks like you are trapped in a custom shell. There is no RedBoot mentioned when it starts booting, so you are out of luck with normal flashing. You could try looking up vulnerabilities in that kernel: Linux version 2.4.18-amhw-4.0.0-1086. Other than that, not sure what you can do. I love the number of errors and warnings that go through in the boot scripts; it makes me feel better about the few that I know are in some of my apps.
Mr-Protocol Posted September 2, 2010 Author (edited)

Yeah, in the lil shell they have an update command. One says update system image and the other is update application image. Not sure if I can utilize that at all... Are there any interrupt keys that would halt before it loads the custom shell?

Edited September 2, 2010 by Mr-Protocol
digininja Posted September 2, 2010

Sounds like that is your best bet, but you'll have to talk to someone good with hardware and firmware to work out what you would need to create to put something good on there.
Mr-Protocol Posted September 2, 2010 Author (edited)

config>help
help            help message
diags           diagnostics command
ping            send ICMP packet to network host
reboot          reboot airmagnet sensor
restore         restore to factory default settings
show            display sensor setting
set             configure sensor setting
update          update sensor firmware
config>help update
Usage: update [option]
Option:
  sys  update sensor system image
  app  update sensor application image
config>

Not sure if this will be helpful to me at all. Not sure what they mean by sys and app images... I am interested in what this line in the boot serial console means:

Kernel command line: ip=192.168.0.175:192.168.1.200::netmask::eth0

Edited September 2, 2010 by Mr-Protocol
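The kernel's ip= boot parameter is positional (client-ip:server-ip:gw-ip:netmask:hostname:device:autoconf, per the kernel's nfsroot documentation), so the line quoted above can be decoded field by field. The parser below is an added example, not code from the thread or from AirMagnet; the only input it assumes is the console line quoted in the post.

```python
"""Decode the Linux kernel 'ip=' boot parameter shown on the sensor's console.

Added example, not from the thread. Field order is the kernel's nfsroot
convention; newer kernels accept dns0-ip:dns1-ip:ntp0-ip after autoconf.
"""
import ipaddress
import re

FIELDS = ("client_ip", "server_ip", "gw_ip", "netmask", "hostname",
          "device", "autoconf", "dns0_ip", "dns1_ip", "ntp0_ip")

# Line quoted in the thread. The literal word 'netmask' in the 4th field is
# what the device prints, most likely an unsubstituted build-time placeholder.
SAMPLE_LINE = "Kernel command line: ip=192.168.0.175:192.168.1.200::netmask::eth0"


def parse_ip_param(value):
    """Map the colon-separated positional fields to names; empty fields -> None."""
    parts = value.split(":")
    if len(parts) > len(FIELDS):
        raise ValueError("too many fields in ip= parameter: %r" % value)
    parts += [""] * (len(FIELDS) - len(parts))
    return {name: (part or None) for name, part in zip(FIELDS, parts)}


def parse_kernel_cmdline(line):
    """Pull the ip=... token out of a 'Kernel command line:' console line."""
    m = re.search(r"(?:^|\s)ip=(\S+)", line)
    if not m:
        raise ValueError("no ip= parameter in: %r" % line)
    return parse_ip_param(m.group(1))


def _as_ipv4(text):
    if text is None:
        return None
    try:
        return ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return None


def check_ip_param(fields):
    """Return warnings about values that are not addresses or are inconsistent."""
    warnings = []
    for name in ("client_ip", "server_ip", "gw_ip", "netmask"):
        if fields[name] is not None and _as_ipv4(fields[name]) is None:
            warnings.append("%s is not an IPv4 address: %r" % (name, fields[name]))
    client, server = _as_ipv4(fields["client_ip"]), _as_ipv4(fields["server_ip"])
    # With no usable netmask, assume /24 when judging reachability of the server.
    mask = _as_ipv4(fields["netmask"]) or ipaddress.IPv4Address("255.255.255.0")
    if client and server and fields["gw_ip"] is None:
        net = ipaddress.IPv4Network((client, str(mask)), strict=False)
        if server not in net:
            warnings.append("server %s is outside client network %s and no gateway is set" % (server, net))
    return warnings
```

Run against the quoted line it reports the client address 192.168.0.175 on eth0, a boot/NFS server address of 192.168.1.200, no gateway, and flags that the server sits on a different network from the client.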
digininja Posted September 2, 2010

That line looks like it is setting two IPs on one interface, eth0, for some reason. Can you talk to it on either in any way? The update is probably useless to you unless you can find the format of the images and create one yourself.
Mr-Protocol Posted September 3, 2010 Author (edited)

Nope, but now that I think about it... eth0 might be the WiFi card, which essentially in this application is in monitor mode... Dual band wireless mini PCI card. I sent an email to them using my college info, so maybe they will respond again with an answer to my query about getting a Linux console instead of theirs lol.

Edited September 3, 2010 by Mr-Protocol
magzo Posted November 22, 2012

Why would you take a really valuable & useful box like an AirMagnet Sensor and waste it on just another router box? There are dozens of cheap, easily available commodity routers convertible to DD-WRT. There are very few second hand expensive enterprise class wifi sniffers & jammers like these AirMagnets. Why not use them for what they're designed for, and find out what's really going on around your own wireless environment? Then your original question on how to get into these things and change the keys as Local Crypto Officer becomes far more relevant.
Mr-Protocol Posted November 22, 2012 Author

Well, I had about ten of these I got at no cost. I wasn't going to pay for any license to get the software and server to use them in my house; that's not practical. So I was hoping to get past its locked-down interface to maybe make it into something useful. Spec-wise, it had like 256 MB of RAM, 2 wifi cards built in, and I figured that would give more flexibility. All in all, they went to the local waste disposal center because I had no time to invest in trying to make them actually useful.