Airmagnet 5010 Hackable?

[Mr-Protocol]

I have an AirMagnet 5010 wireless sensor.

Now I don't have all the fancy server software it wants, I don't even want to use it like that.

I was curious if anyone could help identify what open source router firmware/linux I could run on this device.

Here is lots of info on it from the FCC.

https://fjallfoss.fcc.gov/oetcf/eas/reports...AM5010-001'

It does have a laptop Atheros wifi card in it. Only one but I'm working on getting a second one.

Processor:

IDT 79RC32K438-200BB ZA0449P <-- what is written on the chip

http://www.idt.com/?partId=79RC32K438-200BB

32B INT CPU DDR PCI E-NET

32-bit MIPS CPU core with dual on-chip 10/100 Mbps Ethernet interface, DDR controller, 32-bit PCI interface, I2C controller, DMA controller, Serial Peripheral interface

RAM: 2x Samsung 256Mbit GDDR SDRAM - K4D551638F-TC60

http://www.datasheetcatalog.com/datasheets...638F-TC60.shtml

Closest info I could find for Flash Memory.

On the chip: MALAYSIA 29DL64DF-70PFTN

MBM29DL64DF is a 64 M-bit, 3.0 V-only Flash memory organized as 8 Mbytes of 8 bits each or 4 M words of 16
bits each. The device comes in 48-pin TSOP (1) and 48-ball FBGA packages. This device is designed to be
programmed in system with 3.0 V VCC supply. 12.0 V VPP and 5.0 V VCC are not required for write or erase operations.
The device can also be reprogrammed in standard EPROM programmers.
The device is organized into four physical banks : Bank A, Bank B, Bank C and Bank D, which are considered to
be four separate memory arrays operations. This device is the almost identical to Fujitsu’s standard 3 V only Flash
memories, with the additional capability of allowing a normal non-delayed read access from a non-busy bank of
the array while an embedded write (either a program or an erase) operation is simultaneously taking place on the
other bank.

Source: http://pdf1.alldatasheet.com/datasheet-pdf...+/datasheet.pdf

Wireless:

http://dl.metrix.net/support/docs/datashee...-Aries-Spec.pdf

NL-5354MP Aries 1.20

Atheros AR5212A-00

KA294.1B

3304

Taiwan

Wired RJ45:

http://www.realtek.com.tw/products/product...4&ProdID=24

Realtek RTL8201BL chip on the board.

Any thoughts on how to get Linux/DD-wrt/OpenWRT on this or if it is even supported?

I might even consider sending one out if someone really desires to play with one of these devices and shares what they have done. Working on getting a few more.

Info from:http://www.cccmn.com/used/air-magnet/wireless/am-5010-11ag.html

"The firmware executes on a Linux operating system but access to operating system operations is logically prevented."

Edited August 27, 2010 by Mr-Protocol

[digininja]

I don't know anything from the info here but AirMagnet isn't mentioned on the OpenWrt supported hardware list http://wiki.openwrt.org/toh/start . I think you've be better asking on their forums https://forum.openwrt.org/

[Mr-Protocol]

It's such an obscure device, I doubt they will know even what it is... Didn't know if you could tell from the hardware in it what linux distro to give a shot at first?

I would try to connect to it via Serial port BUT... I can't find out how to communicate to it...

Edited August 27, 2010 by Mr-Protocol

[digininja]

Can you get into it any way? Any command line access either telnet or ssh? What about redboot? Ping it on the usual IPs when powering it on and see if it responds for a few seconds.

[Mr-Protocol]

I have no clue how to use redboot, the stuipd device wont respond to pings with crossover cable or straight through. I can't figure out how to talk to it with Serial. It should be on 192.168.1.1 according to the user manual from the FCC link... I hit did the whole reset thing.

[digininja]

To check for redboot start a ping going on some of the common IPs, 192.168.0.1 .1.1 .0.254 etc and then power on the device. If you get a reply on any of them within the first few seconds then redboot is probably enabled. If it is then we can take it from there.

[Mr-Protocol]

Started a ping on what you suggested. Started them all at the same time. and put a count of 1000.

192.168.1.1 said Host Unreachable until a few seconds after i gave the device power which turned into Request timed out while all the rest still say unreachable.

[digininja]

what ip did you have during this? if you were on the .0.X network then you won't be able to talk to the .1.X network.

[Mr-Protocol]

192.168.1.2 was what I was on. Yeah forgot bout that, been a long day.

I'm not sure if this unit was even known working. I'll have to wait for a few more to see what they do.

Edited August 27, 2010 by Mr-Protocol

[Mr-Protocol]

Found one that works. It's got a password on it and OF COURSE the reset button does not clear passwords... Any thoughts?

Had to hit it with https

They use this for the WEB GUI

http://www.goahead.com/products/webserver/default.aspx

And it hits my DHCP to get an IP.

Edited August 28, 2010 by Mr-Protocol

[digininja]

Have you tried popping off the lid and looking for a serial connector?

Otherwise scan it with nessus and anything else you can get your hands on to see if there are any vulnerabilities on it.

[Mr-Protocol]

It has a RS232 serial port on the outside of the case. Internally it has 2 rows of 7 pins that i'm not sure what it is.. You can see what i'm talking about if you view the FCC.gov link i posted in my first post. It has Internal photos there.

[digininja]

I'd get a serial cable on that then and see what you get from it. Might get a shell if you are lucky.

Try different baud rates and settings if you get garbage.

[Mr-Protocol]

That is where I am a little in the dark. Not really good at using serial cables. I'm on Win7 and using putty and it says "Connected" but the screen is blank and i type "help" and hit enter and nothin happens. I think the same happened when I used my USB to serial on my XP laptop. Not sure i did it right...

[Mr-Protocol]

I FINALLY got serial connection to this thing. I needed to get a Null Modem for my serial cable.

I think it is running Linux NET4.0 according to the serial connection info when I issued a reboot.

I also see BusyBox installed.

Info: https://docs.google.com/document/edit?id=1U...uthkey=CIGysOoP

Anyone have ideas for me to try to re-load linux on this thing?

Edited September 2, 2010 by Mr-Protocol

[digininja]

Looks like you are trapped in a custom shell. There is no redboot mentioned when it starts booting so you are out of luck with normal flashing. You could try looking up vulnerabilities in that kernel:

Linux version 2.4.18-amhw-4.0.0-1086

Other than that, not sure what you can do.

I love the number of errors and warnings that go through in the boot scripts, it makes me feel better about the few that I know are in some of my apps

[Mr-Protocol]

Yeah, in the lil shell they have an update command. One says update system image and the other is update application image. Not sure if i can utilize that at all...

Are there any interrupt keys that would halt before it loads the custom shell?

Edited September 2, 2010 by Mr-Protocol

[digininja]

Sounds like that is your best bet but you'll have to talk to someone good with hardware and firmware to work out what you would need to create to put something good on there.

[Mr-Protocol]

config>help
help            help message
diags           diagnostics command
ping            send ICMP packet to network host
reboot          reboot airmagnet sensor
restore         restore to factory default settings
show            display sensor setting
set             configure sensor setting
update          update sensor firmware
config>help update
Usage: update [option]
Option:
  sys   update sensor system image
  app   update sensor application image
config>

Not sure if this will be helpful to me at all. Not sure what they mean by sys and app images...

I am interested in what this line in the boot serial console means...

Kernel command line: ip=192.168.0.175:192.168.1.200::netmask::eth0

Edited September 2, 2010 by Mr-Protocol

[digininja]

that line looks like it is setting two IPs on one interface, eth0, for some reason. Can you talk to it on either in any way?

The update is probably useless to you unless you can find the format of the images and create yourself one.

[Mr-Protocol]

Nope, but now that I think about it... eth0 might be the WiFi card which essentially in this application is in monitor mode... Dual band wireless mini PCI card.

I sent an email to them using my college info so maybe they will respond again with an answer to my query about getting a linux console instead of theirs lol.

Edited September 3, 2010 by Mr-Protocol

[magzo]

Why would you take a really valuable & useful box like an AirMagnet Sensor, and waste it on just another router box?

There are dozens of cheap, easily available commodity routers convertabile to dd-wrt.

There are very few second hand expensive enterprise class wifi sniffers & jammers like these AirMagnets.

Why not use them for what they're designed for, and find out what's really going on around your own wireless environment.

Then your original question on how to get into these things and change the keys as Local Crypto Officer becomes far more relevant.

[Mr-Protocol]

Well, I had about ten of these I got at no cost. I wasn't going to pay for any license to get the software and server to use them in my house, that's not practical. So I was hoping to get past it's locked down interface to maybe make it into something useful. Spec wise, it had like 256 MB of RAM, 2 wifi cards built in, and figured that would give more flexibility.

All in all, they went to the local waste disposal center because I had no time to invest in trying to make them actually useful.