SSH access - jamesmacwhite/hh70-ee GitHub Wiki

SSH access has been disabled for EE customers since firmware HH70_E1_02.00_21, after an information security researcher reported to EE through responsible disclosure that the 4GEE Home Router has hard-coded credentials in the core_app binary. Those credentials reference the IP address 192.168.225.1, which is the modem part of the device.

However, by leveraging shortcomings in the backup and restore feature, you can overwrite config files within the /etc/config path (and other locations) on the router filesystem by crafting your own backup.tar.gz payload and hex editing it into a valid configure.bin file, the format generated by the backup config functionality. Provided you keep the original headers for the two tar.gz archives intact, you can basically do what you want.

To regain SSH access you can abuse the restore functionality to overwrite the existing dropbear config with your own version, placed in the backup.tar.gz archive, that has the enable config value set to 1 so that the dropbear daemon is started.

WPS button hotplug event

Alcatel or EE have also written a hotplug button event trigger that enables the dropbear service. It is present at /etc/hotplug.d/button/buttons and is triggered by holding the WPS button for 15 or more seconds and then releasing it. The hotplug code checks for the WPS button release event and the duration the button was held down. If all the conditions are met, the dropbear config is modified and the daemon is started without rebooting.

This hotplug event was found on the HH70_E1_02.00_24 firmware. It may not be present in older firmware versions. I have only been able to verify that it is not present in HH70_E1_02.00_18, but this was the only EE firmware sample I could find that is publicly available.

```sh
#!/bin/sh
logger the button was $BUTTON and the action was $ACTION the time is $SEEN

if [ "$BUTTON" = "wps" -a "$ACTION" = "released" -a "$SEEN" -ge 15 ];then
  logger enable dropbear the time is $SEEN
  uci set dropbear.@dropbear[0].enable='1'
  /etc/init.d/dropbear start
fi
```

The timing is key, as the button must be held for a minimum of 15 seconds to trigger this event. Using a timer app or any clock that counts seconds in real time will help you hold the WPS button for the right length of time. You can also hold it for longer than 15 seconds and this will still enable SSH, as the condition is greater than or equal to 15 seconds (-ge).

The uci set command doesn't actually change the stored config because uci commit dropbear is missing, which would be required to modify the dropbear config file itself. However, as the service itself is started, this is less of a problem and you can then go ahead and enable it permanently once you've done the button press sequence. As the router is running OpenWrt, the filesystem is writable in most areas, so changes can be persisted.

-ash: cat: not found bug

When logging into the 4GEE Home Router over SSH you will notice -ash: cat: not found displayed in the console. This is caused by a line within /etc/profile. You can comment out or remove the second line, where cat /etc/banner is called, to fix the error, as it is being interpreted as a variable rather than as a command. Note that in the file below the cat call sits above the export PATH line, so it runs with whatever PATH the login shell starts with. You can also set a banner properly through the dropbear configuration.

```sh
#!/bin/sh
[ -f /etc/banner ] && cat /etc/banner

export PATH=/usr/bin:/usr/sbin:/bin:/sbin:/ipq-resource/bin
export HOME=$(grep -e "^${USER:-root}:" /etc/passwd | cut -d ":" -f 6)
export HOME=${HOME:-/root}
export PS1='\u@\h:\w\$ '

[ -x /bin/more ] || alias more=less
[ -x /usr/bin/vim ] && alias vi=vim || alias vim=vi

[ -z "$KSH_VERSION" -o \! -s /etc/mkshrc ] || . /etc/mkshrc

[ -x /usr/bin/arp ] || arp() { cat /proc/net/arp; }
[ -x /usr/bin/ldd ] || ldd() { LD_TRACE_LOADED_OBJECTS=1 $*; }
```

Multiple number 1 characters get printed in console when starting/reloading dropbear

The init.d script for dropbear has echo 1111111111111 within the dropbear_instance() function. This causes 1111111111111 to be printed each time the dropbear service is started, restarted or reloaded from the console. The reason for this is unknown, as it serves no purpose other than being displayed in a console window when interacting with the daemon.

Securing SSH access

Because the default SSH login credentials are well known and present in various CVE listings, it is strongly recommended not to have SSH permanently enabled, or alternatively to use public key authentication and disable password authentication entirely. You can disable password authentication on the router without any problems or side effects.
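As an added example (not code from this wiki or from the HH70 firmware), the script below audits a dropbear UCI config file for the weak setting warned about above and writes the key-only version beside it; it also shows the persistence step (uci commit dropbear) that the WPS hotplug script in the earlier section omits. It assumes the standard OpenWrt dropbear options enable, PasswordAuth, RootPasswordAuth and Port, that dropbear reads keys from /etc/dropbear/authorized_keys, and that the uci tool exists only on the router, so dropbear_apply_on_router is defined here but only meant to be run on the device.

```shell
#!/bin/sh
# Added example, not part of the hh70-ee wiki or the HH70 firmware.
# Assumes the standard OpenWrt dropbear UCI options (enable, PasswordAuth,
# RootPasswordAuth, Port) and the stock key path /etc/dropbear/authorized_keys.

# Print the value of <option> from a UCI-format file, stripping quotes.
# Usage: uci_opt <file> <option>   (prints nothing if the option is absent)
uci_opt() {
    awk -v key="$2" '
        $1 == "option" && $2 == key { v = $3; gsub(/^['\''"]|['\''"]$/, "", v); print v; exit }
    ' "$1"
}

# True for the values OpenWrt's config_get_bool reads as false.
is_off() {
    case "$1" in 0|off|false|disabled) return 0 ;; *) return 1 ;; esac
}

# Return 0 if no password login is possible, 1 if the config still allows one.
# The OpenWrt dropbear init treats a missing enable/PasswordAuth/RootPasswordAuth
# as on, so an absent option is counted as the weak setting.
dropbear_audit() {
    audit_file=$1
    audit_enable=$(uci_opt "$audit_file" enable)
    audit_pw=$(uci_opt "$audit_file" PasswordAuth)
    audit_rootpw=$(uci_opt "$audit_file" RootPasswordAuth)
    if is_off "${audit_enable:-1}"; then return 0; fi   # daemon not started
    if is_off "${audit_pw:-1}" && is_off "${audit_rootpw:-1}"; then return 0; fi
    return 1
}

# Write a key-only dropbear config to <file>. Compared with a stock config
# (PasswordAuth 'on', RootPasswordAuth 'on'), only the two auth options change.
dropbear_hardened_config() {
    cat > "$1" <<'EOF'
config dropbear
    option enable '1'
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'
    option Port '22'
EOF
}

# The same policy applied live on the router with uci. Not run off-device;
# <pubkey_file> is a placeholder for a file holding your own public key.
dropbear_apply_on_router() {
    pubkey_file=$1
    mkdir -p /etc/dropbear
    cat "$pubkey_file" >> /etc/dropbear/authorized_keys   # install the key first
    chmod 600 /etc/dropbear/authorized_keys
    uci set dropbear.@dropbear[0].enable='1'
    uci set dropbear.@dropbear[0].PasswordAuth='off'
    uci set dropbear.@dropbear[0].RootPasswordAuth='off'
    uci commit dropbear            # the step the WPS hotplug script leaves out
    /etc/init.d/dropbear restart
}

# Usage from a shell: sh dropbear_audit.sh /etc/config/dropbear
# Exits 1 when the file still allows password logins.
if [ -n "$1" ] && [ -f "$1" ]; then
    if dropbear_audit "$1"; then
        echo "ok: $1 accepts public keys only"
    else
        echo "weak: $1 still allows password logins"
        exit 1
    fi
fi
```

Run the audit against a copy of /etc/config/dropbear pulled from the router before and after changing the options; a config that never mentions PasswordAuth is reported as weak on purpose, because the daemon's default is to accept passwords.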

However, due to several hard-coded sshpass calls to the modem IP 192.168.225.1 in scripts and binaries, it would not be advisable to change the modem password, as this may break functionality.