Linksys WUSBF54G (USB) Exposed!!
#1
[Image: Imagen_WUSBF54G.jpg]

In the front-page news item, I already announced what is new about this card, which we still have a lot to discover about; to begin with, there is a documented hack that analyses this card in depth, opened up and with all its connection points exposed.

More details...

There is also another USB card whose electronics are almost 100% identical to the one we are analysing.

ZyXEL AG-225H WiFi Finder

Original text from http://www.maushammer.com
Language: English

Introduction

I found a new WiFi Finder & Adapter available for sale for about $75*. When operating on its own internal battery, this small dongle listens for all available WiFi base stations. After a few seconds, the tiny LCD screen shows you the name of each base station, its type, signal strength, channel, and encryption protocol (if any). This is handy for conducting audits in a work area to make sure that no employee has set up a rogue base station that could compromise the security of the whole network. It also makes finding a public access point easier when traveling. When plugged into a laptop, it becomes a WiFi adapter. Even if your laptop has built-in WiFi, this dongle can be connected through a short USB cable and be located at a place that has a better signal. * Update 2/2006 - I've seen the Trendnet version available for $40 after rebate.

As sold, this product is very useful. But, as a self-contained computer with a WiFi connection, I think this product could be made to do even more. For example, it may be possible to modify the firmware in the device to make it automatically connect to any public WiFi stations and download news headlines, weather, or text messages -- all without lugging around a PDA or computer. It could also serve as an uplink for data collection - for example, weather stations in the back yard could post the latest readings onto the internet.

There is only one way to know how expandable this product is -- to analyze its design.

Preliminary Analysis

The device has three controls: an on/off switch, a Seek button, and a Next button. During normal operation, the Seek button causes the device to re-scan the area, while Next cycles through the available base stations. However, these two pushbuttons have two other purposes: holding down Seek while turning the power on enters a self-test mode. Holding down Next while turning on the power enters a firmware upgrade mode(!).

Next, let's take the thing apart -- here are the photos from my disassembly.

The main chip is ZyDAS ZD1211 -- the same chip used in many 802.11a/b/g USB dongles. As you can see from the finder's block diagram, there is a lot in there:

[Image: block_diagram.gif]

An Atmel AT24C64A Serial EEPROM provides 8kB of memory for the ZD1211.

My initial thought was that the 16-bit interface would connect to the LCD screen and the buttons, while all new functionality would be handled by specialized software -- all that would be needed to change the functionality would be a firmware upgrade. But, this isn't the case.

There is a 10-pin connector that links the two boards in the system. 2 pins are ground, 1 pin is power, 4 pins connect the ZD1211 to the lower board, 2 pins connect the USB interface to the lower board, and 1 pin looks unused.

During the disassembly, I disconnected the two boards and turned on the power. To my surprise, the lower board (which connects to the battery and has the LCD and switches attached) powered up and acted pretty normal (except that it didn't find any signals, of course!)... I thought that the large chip on that board was just an LCD controller, but it turns out it must be a microcontroller. Closer inspection of the LCD showed that it had a controller built-in to the flex (known as chip-on-glass construction), so just a few pins are needed to control it.

The WHFX30 chip on the lower display board seems to be a custom chip - there were no references on the web, and it is close to the custom label on the PC Board - WHF-430X. It uses a 22.118 MHz clock -- this odd frequency is commonly used to generate standard serial rate clocks (9600, 19200, 115200, etc.), so that's a hint that the two processors communicate serially.

The battery is a lithium-ion polymer battery from High Energy battery company. The H602025 stores 240mAh at 3.7 volts. (datasheet of the slimmer H402025). This is about the same total power as a NiMH AAA battery, but at only 75% of the volume, 45% of the weight (mine weighed 5.3868g), and a higher voltage that is easier to use. It would be easy to reuse in other projects.

[Image: connector-pinout.jpg]

Connector Pinout

The upper board is interesting because the PC board has twice as many holes as it needs:

[Image: imagen_009.jpg]

Eight of the ten pins on the two connectors are wired to each other. Pin 1 is different on the two connectors (use unknown). The two pin 10s are connected with a diode so that the device does not provide power out the USB connector when running on battery power.

[Image: imagen_004.jpg]

The USB interface is not used by the WHFX30 to talk to the ZD1211.

When in the "update firmware" mode, the WHFX30 sends a few multi-byte packets not seen in normal operation. This is probably asking it for USB data.

Liquid Crystal Display

The LCD is a graphical LCD with a Sitronix ST7565 controller chip built onto its flex connector. This arrangement is advantageous in a couple of ways.

First, LCD displays must be constantly refreshed to avoid damaging them -- this controller does that so the microcontroller can concentrate on other things. You may notice that when you turn off the unit, the controller stops refreshing the display and a few lines are lit up for a few seconds.

Second, the controller reduces the number of wires needed to connect to the microcontroller. The controller connects 128 wires on the glass to about a dozen on the microcontroller. Often, the cost of an IC's package can be almost as much as the silicon inside it. Adding 128 pins to the microcontroller would probably double or triple its price.

Third, a controller can have additional memory to store the fonts displayed. That's not the case for this display, but it's true for most of the character-based displays. Again, a possible cost reduction.

A variety of font sizes are used, but the smallest font -- used during the firmware upgrade mode -- makes it easy to calculate the resolution. This font shows 16 columns x 4 rows of characters at 6x8 pixels each. This works out to 96x32 pixels total. Knowing this can help identify the graphics in the microcontroller's memory.

This 96x32 resolution also jives with the part number... I didn't record all of it before putting the device back together (whoops), but the picture shows it starts with something like "PG9632AR..."

Besides the 6x8 font, there is another complete font in use: the big 8x16 font used to display SSID names and the words "..Scanning..". Only 12 columns x 2 rows of this font would fit on the screen. I couldn't find this in the firmware update (below) and it doesn't seem to be built into the most common controller chips.

Interestingly, the PC Board has pads to mount 3 LEDs to illuminate the LCD screen. These are unpopulated, but could be used if the corresponding resistors are also installed.

Firmware Updates

At the end of 2005, ZyXel released their first firmware upgrade for this product - version 1.0.2.56. (This file was unavailable for some time while they moved it on to a different server). The executable AG225H_v10256FCC.exe can be unzipped - it contains a file called "WHF430X_v10256FCC.bin" that seems to be the firmware for the display board. It is exactly 32KB in size and seems to be approximately 96% full. It contains the text "ZyDAS" and "USB2.0 WLAN" (which seem to be USB-related) and "..Scanning.." (which appears on the LCD screen), so it appears this file contains code for both chips.

Interesting portions of Firmware v10256FCC

[code linenumbers=false]bytes 0E and 0F may be a checksum
0000 55 4d 44 41 01 01 01 01 00 02 00 38 1f e0 23 4c |UMDA.......8..#L|
0010 37 32 33 30 5f 32 30 30 35 2f 31 30 2f 32 37 00 |7230_2005/10/27.|
0020 0a 95 d2 07 00 ee c1 d4 00 ee 0f 9f 95 f8 10 48 |...............H|
0030 10 00 06 00 00 00 00 00 55 66 66 66 00 00 70 70 |........Ufff..pp|
0040 70 70 70 70 70 70 70 70 70 70 70 70 00 00 60 60 |pppppppppppp..``|
0050 60 60 60 60 60 60 60 60 60 60 60 60 00 00 ff 07 |````````````....|
0060 00 00 12 01 00 02 ff ff ff 40 ce 0a 11 a2 10 48 |.........@.....H|
0070 10 20 00 01 04 03 09 04 00 00 00 00 00 00 50 50 |. ............PP|
0080 50 50 50 50 50 50 50 50 50 50 50 50 00 00 40 40 |PPPPPPPPPPPP..@@|
0090 40 40 40 40 40 40 40 4a 4a 4a 4a 50 50 00 40 40 |@@@@@@@JJJJPP.@@|
00a0 40 40 40 40 40 40 40 40 40 40 40 40 00 00 40 40 |@@@@@@@@@@@@..@@|
00b0 40 40 60 40 40 40 70 90 90 90 90 90 90 00 40 40 |@@`@@@p.......@@|
00c0 40 40 40 40 40 40 40 40 40 40 40 40 00 00 40 40 |@@@@@@@@@@@@..@@|
00d0 40 40 50 38 38 38 60 80 80 80 80 80 80 00 0c 03 |@@P888`.........|



USB text strings?

00e0 5a 00 79 00 44 00 41 00 53 00 00 00 00 00 00 00 |Z.y.D.A.S.......|
00f0 00 00 00 00 18 03 55 00 53 00 42 00 32 00 2e 00 |......U.S.B.2...|
0100 30 00 20 00 57 00 4c 00 41 00 4e 00 00 00 00 00 |0. .W.L.A.N.....|
0110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 88 |................|
0120 88 88 88 88 88 88 88 88 88 88 08 91 ff ed 09 93 |................|

0fa0 01 00 88 98 90 9a 00 00 00 00 00 00 00 00 00 00 |................|
0fb0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
1000 02 00 08 ec 00 00 ed f7 12 00 00 00 00 00 00 00 |................|

1ff0 00 00 04 83 01 00 01 84 08 14 02 84 98 80 00 00 |................|

--------------------------------------------------------------------------------
2000 55 4d 44 41 00 00 00 01 00 02 00 38 1f e0 b1 64 |UMDA.......8...d|
2010 32 32 33 30 5f 32 30 30 35 2f 30 39 2f 30 35 00 |2230_2005/09/05.|

The same USB text strings as above, and so is much of the data ... is this an alternate profile?
20e0 5a 00 79 00 44 00 41 00 53 00 ff ff ff ff ff ff |Z.y.D.A.S.......|
20f0 ff ff ff ff 18 03 55 00 53 00 42 00 32 00 2e 00 |......U.S.B.2...|
2100 30 00 20 00 57 00 4c 00 41 00 4e 00 ff ff ff ff |0. .W.L.A.N.....|

2f90 08 0b 01 00 40 f0 b1 fe 88 98 90 9a 88 da 08 0b |....@...........|
2fa0 01 00 88 98 90 9a 00 00 00 00 00 00 00 00 00 00 |................|
2fb0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
3000 02 00 08 ec 00 00 56 f7 98 00 00 00 00 00 00 00 |......V.........|

3fd0 04 83 01 00 01 84 08 14 02 84 98 80 00 00 00 00 |................|
3fe0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*

--------------------------------------------------------------------------------
4000 55 4d 44 41 05 01 01 01 00 02 00 38 3f e0 6e 33 |UMDA.......8?.n3|
4010 32 30 30 35 2f 31 31 2f 31 31 00 00 00 00 00 00 |2005/11/11......|
4020 78 7f e4 f6 d8 fd 75 81 a1 02 76 fb ff ff ff ff |x.....u...v.....|
4030 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
*
4070 02 76 fb 22 ff ff ff ff ff ff ff ff ff ff ff ff |.v."............|
4080 32 ea 8b d0 22 12 40 80 85 d0 0b 75 d0 08 fa c2 |2...".@....u....|
4090 8c e5 8a 24 f7 f5 8a e5 8c 34 d8 f5 8c d2 8c ed |...$.....4......|

4550 f0 d0 e0 32 ff ff ff ff ff ff ff ff ff ff ff ff |...2............|
4560 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
*

--------------------------------------------------------------------------------
4800 85 0e 4f 85 0f 50 75 51 00 75 52 00 75 53 00 c2 |..O..PuQ.uR.uS..|
4810 0a c2 0b c2 0c c2 0d c2 0e 85 50 82 85 4f 83 e0 |..........P..O..|
4820 64 aa 60 03 02 50 2f a3 e0 54 fc 60 03 02 50 2f |d.`..P/..T.`..P/|


5ba7-5c06 top \
5c07-5c66 \ This has the graphics for the
5c67-5cc6 / "Wifi finder" power-on screen.
5cc7-5d26 bottom /

5d27-5f01 has a font table 5x8 font table (with upper and lower cases).
The lowercase 'p' is unusual because it is sickle-shaped
(example in the word "Upgrading" in this picture) :

5eb7 ..######..##....
5eb8 ......##..##.... rotated 90 degrees
5eb9 ......##..##....
5eba ......##..##.... two characters per pixel
5ebb ........##......

5f25-5f9c has the inverted 0-9 fonts used to show the channel numbers
6029 has a battery symbol
60dd-60ff has the lower half of the "WPA" symbol, rotated 90 degrees.
6141-6171 are the "F", "D" and "S" operating mode symbols.
6191-619f is the "CH:" (channel) symbol

62f1-632e top half \ the "FULL" battery symbol,
633e-637c lower half / used when charging.

6380 f0 f8 fc fe ff ff ff ff ff ff ff ff ff 25 32 64 |.............%2d|
6390 2f 25 64 00 25 64 00 20 00 20 4e 6f 20 53 65 72 |/%d.%d. . No Ser|
63a0 76 69 63 65 20 00 2e 2e 53 63 61 6e 6e 69 6e 67 |vice ...Scanning|
63b0 2e 2e 00 28 48 69 64 64 65 6e 29 00 20 31 2f 25 |...(Hidden). 1/%|
63c0 64 20 00 2e 2e 53 6c 65 65 70 69 6e 67 2e 2e 00 |d ...Sleeping...|
63d0 3f 00 58 01 fa 00 64 00 02 30 02 30 02 30 02 30 |?.X...d..0.0.0.0|

7a70 58 75 ab 50 3b 12 7a 1d 02 7a 43 ff ff ff ff ff |Xu.P;.z..zC.....|
7a80 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
*
8000[/code]

There appear to be four distinct areas of memory. This is indicated by "filler" bytes that are used to start new sections at round-numbered addresses, and also by the repetition of the "UMDA" bytes. Also, the ZD1211's serial EEPROM is 8kB, and that fits neatly with the size of two of the sections.

The partitioning I'm assuming is:

[Image: imagen_010.jpg]

There are a couple of graphical images to look for (like the startup screen and the "WEP" icon), and there may be a font table (Alternatively, the font table may be in the LCD controller). Locating these pictures should tell if a section of code is used by the WHFX30 or by the ZD1211.

The C-style format string at $638D ("%2d/%d.%d") indicates that a C compiler was used. Because assembly language is more compact than C, it should be possible to add more functionality to the device (subject, of course, to whatever the processor that executes this code can do).

[Image: imagen_006.jpg]

Firmware Disassembly I

Here's some data from a suspected EEPROM Image area that looks like it could be code for the ZyDAS controller:

1150: c2 92 51 95 5a 95 02 93 c5 a2 c8 d2 09 93 a0 01 |..Q.Z...........|
1160: c8 d2 40 f0 c6 f7 42 00 42 00 88 98 90 9a 88 da |..@...B.B.......|

Disassembling this by hand into 8051 code, we get:

[Image: imagen_007.jpg]

... doesn't look promising yet, so this code is probably for another type of processor -- which makes sense; the 8051 wouldn't make a good baseband controller.

The earlier ZD1201 uses an Arm processor (at least according to the picture), so it's a good bet that the ZD1211 uses it, too.

Two other places to check for more information:

The official ZyXel ZD1211 Linux Driver. I haven't tested this, but at first glance it looks like exactly what I'd want from a hardware vendor. Documented source code, plus a user's manual. Great job, ZyXel.
The open source ath.cx ZD1211 Linux Driver (is this the same as the Sourceforge ZD1211 Linux Driver?) based on the above.
Both sources include firmware uploads for the ZD1211 - these can be compared to the update file.

Another clue is a line in the zd1211.c driver file that has a snippet of zd1211 code:

{ 0x0F, 0x9F, 0x00, 0xEE }; // JMP 0xEE00

Thanks to Niel for finding this low-level ARM and Thumb documentation: Atmel Thumb info and ARMv5T specs. It didn't help disassembling the JMP instruction, but there is still a larger body of code I have to check it against.

Firmware Disassembly II

And here's some data from the suspected WHFX30 area:

6eb0: e6 75 f0 0a a4 24 21 fd 7b ff 7a 63 79 24 75 55 |.u...$!.{.zcy$uU|
6ec0: 00 75 56 04 7f 01 7e 00 12 79 44 78 8a e6 75 f0 |.uV...~..yDx..u.|
6ed0: 0a a4 24 21 fd 7b ff 7a 63 79 72 75 55 00 75 56 |..$!.{.zcyruU.uV|
6ee0: 04 80 23 7b ff 7a 62 79 f1 75 55 00 75 56 3e 7d |..#{.zby.uU.uV>}|

This data looks repetitive, so hopefully it disassembles into something meaningful.

Hand disassembling into 8051 code, we get:

[Image: imagen_008.jpg]

This looks like it could be valid code! It looks like it is setting up registers (R1,2,3,5,6,7) in preparation for calling a subroutine. And, just as a sanity check, let's see what is at $7944...

[Image: imagen_009.jpg]

This code seems to be using the data that was being passed to it! Register R5 -- which was a parameter -- is saved before being used for other things. On the face of it, the routine at that point looks like reasonable code to find at the start of a function -- a good start!

To Do

Experiment with changing the code. Niel confirms that the firmware can be uploaded multiple times (i.e. a newer version number isn't required)

Finish analyzing the link between PC boards.
Determine if/how I can get this thing to do more.

Find firmware upgrade protocol (and does it apply to both processors?)
Identify what is inside the WHFX30 (it probably contains a standard microprocessor core plus some custom logic)

Resources

ZyDAS ZD1211 Product Page: http://www.zydas.com.tw/product/ZD1211.asp
Engadget Linksys WUSBF54G Discussion: http://www.engadget.com/entry/1234000147063376
ZyXel Firmware Upgrade Site: ftp://ftp.us.zyxel.com/AG-225H/firmware/
Portelligent's professional teardown of the Linksys WUSBF54G. Like my disassembly, but much more focused on manufacturing cost estimates and methods and less on hacking. Their market is companies that develop similar products, and the industry analysts that cover those companies. 62 pages, $950.

*** This Zyxel card exposed: http://www.zero13wireless.net/foro/viewt...=8161#8161
Zero13

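As an added example (not part of the original article or of this post), here is a Python triage script for the firmware layout described above. It rebuilds a sparse image from the page's own dump lines, locates the "UMDA" section headers at 8 KB boundaries, and decodes the bytes behind the "USB text strings?" question: their layout (bLength, bDescriptorType 3, UTF-16LE payload, plus an 18-byte type-1 record at 0x62) is exactly that of standard USB device and string descriptors, so the script parses them as such. The reading of bytes 0E/0F as a checksum is the article's guess and is only reported, not verified.

```python
import re
import struct

# Hex dump lines quoted from the page's listing of WHF430X_v10256FCC.bin (the
# 0x0000, 0x0060, 0x00d0-0x0100 and 0x2000 regions); bytes not listed are tracked as unknown.
DUMP = """\
0000 55 4d 44 41 01 01 01 01 00 02 00 38 1f e0 23 4c |UMDA.......8..#L|
0010 37 32 33 30 5f 32 30 30 35 2f 31 30 2f 32 37 00 |7230_2005/10/27.|
0060 00 00 12 01 00 02 ff ff ff 40 ce 0a 11 a2 10 48 |.........@.....H|
0070 10 20 00 01 04 03 09 04 00 00 00 00 00 00 50 50 |. ............PP|
00d0 40 40 50 38 38 38 60 80 80 80 80 80 80 00 0c 03 |@@P888`.........|
00e0 5a 00 79 00 44 00 41 00 53 00 00 00 00 00 00 00 |Z.y.D.A.S.......|
00f0 00 00 00 00 18 03 55 00 53 00 42 00 32 00 2e 00 |......U.S.B.2...|
0100 30 00 20 00 57 00 4c 00 41 00 4e 00 00 00 00 00 |0. .W.L.A.N.....|
2000 55 4d 44 41 00 00 00 01 00 02 00 38 1f e0 b1 64 |UMDA.......8...d|
2010 32 32 33 30 5f 32 30 30 35 2f 30 39 2f 30 35 00 |2230_2005/09/05.|
"""
IMAGE_SIZE, SECTION = 0x8000, 0x2000   # 32 KB update file; 8 KB sections (= ZD1211 EEPROM size)
LINE_RE = re.compile(r"^([0-9a-f]{4}):? ((?:[0-9a-f]{2} ?){1,16})", re.M)

def parse_dump(text):
    """Rebuild a sparse image: (image, known); known[i] == 1 only for listed bytes."""
    image, known = bytearray(IMAGE_SIZE), bytearray(IMAGE_SIZE)
    for m in LINE_RE.finditer(text):
        off, data = int(m.group(1), 16), bytes.fromhex(m.group(2).replace(" ", ""))
        image[off:off + len(data)] = data
        known[off:off + len(data)] = b"\x01" * len(data)
    return bytes(image), bytes(known)

def section_headers(image, known):
    """(offset, date string at +0x10, hex of suspected checksum bytes +0x0E/0F) per 'UMDA' section."""
    found = []
    for base in range(0, IMAGE_SIZE, SECTION):
        if all(known[base:base + 0x20]) and image[base:base + 4] == b"UMDA":
            stamp = image[base + 0x10:base + 0x20].split(b"\0", 1)[0].decode("ascii")
            found.append((base, stamp, image[base + 0x0e:base + 0x10].hex()))
    return found

def usb_descriptors(image, known):
    """Scan fully-known bytes for a USB device descriptor (bLength 0x12, type 1) and string
    descriptors (type 3, even length, UTF-16LE text; descriptor 0 carries a language ID)."""
    out, i = [], 0
    while i < IMAGE_SIZE - 2:
        ln, typ, step = image[i], image[i + 1], 1
        if ln >= 4 and i + ln <= IMAGE_SIZE and all(known[i:i + ln]):
            if ln == 0x12 and typ == 1:
                bcd_usb, vid, pid, bcd_dev = struct.unpack_from("<H4xHHH", image, i + 2)
                out.append(("device", i, f"bcdUSB={bcd_usb:04x} vid={vid:04x} "
                                         f"pid={pid:04x} bcdDevice={bcd_dev:04x}"))
                step = ln
            elif typ == 3 and ln % 2 == 0:
                text = image[i + 2:i + ln].decode("utf-16-le", "replace")
                if all(" " <= c <= "~" for c in text):
                    out.append(("string", i, text))
                    step = ln
                elif ln == 4:
                    out.append(("langid", i, f"{struct.unpack_from('<H', image, i + 2)[0]:04x}"))
                    step = ln
        i += step
    return out
```

Run against the full 32 KB file instead of the quoted lines, the same scan would also report any descriptor copies in the other sections (the page notes the strings recur at 0x20E0).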
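As a second added example (again not the article's own code), a small table-driven 8051 decoder covering only the opcodes that occur in the two suspected WHFX30 code regions quoted on the page: the bytes at 0x6EB0 from "Firmware Disassembly II" and the bytes at 0x4800 from the listing. It reproduces the register set-up and the LCALL 7944h that the author found by hand, reports the trailing 7d (an instruction cut off by the end of the listing) as truncated, and emits unknown opcodes as DB rather than guessing. The opcode table is deliberately limited to those bytes; this is not a general 8051 disassembler.

```python
# Bytes quoted from the page's dump of the suspected WHFX30 code areas:
# 0x6EB0-0x6EEF ("Firmware Disassembly II"; its last byte 7d is an opcode
# whose operand lies beyond the end of the listing) and 0x4800-0x482F.
CODE_6EB0 = bytes.fromhex(
    "e6 75 f0 0a a4 24 21 fd 7b ff 7a 63 79 24 75 55 "
    "00 75 56 04 7f 01 7e 00 12 79 44 78 8a e6 75 f0 "
    "0a a4 24 21 fd 7b ff 7a 63 79 72 75 55 00 75 56 "
    "04 80 23 7b ff 7a 62 79 f1 75 55 00 75 56 3e 7d")
CODE_4800 = bytes.fromhex(
    "85 0e 4f 85 0f 50 75 51 00 75 52 00 75 53 00 c2 "
    "0a c2 0b c2 0c c2 0d c2 0e 85 50 82 85 4f 83 e0 "
    "64 aa 60 03 02 50 2f a3 e0 54 fc 60 03 02 50 2f")

SFR = {0x81: "SP", 0x82: "DPL", 0x83: "DPH", 0xD0: "PSW", 0xE0: "ACC", 0xF0: "B"}
# Fixed-form opcodes present in the two dumps: opcode -> (template, operand byte count).
OPS = {0x02: ("LJMP {addr}", 2), 0x12: ("LCALL {addr}", 2), 0x24: ("ADD A,#{imm}", 1),
       0x54: ("ANL A,#{imm}", 1), 0x60: ("JZ {rel}", 1), 0x64: ("XRL A,#{imm}", 1),
       0x75: ("MOV {dir},#{imm}", 2), 0x80: ("SJMP {rel}", 1), 0x85: ("MOV {dir2},{dir}", 2),
       0xA3: ("INC DPTR", 0), 0xA4: ("MUL AB", 0), 0xC2: ("CLR {bit}", 1),
       0xE0: ("MOVX A,@DPTR", 0)}

def direct(b):
    """Direct address byte: name the special-function registers, otherwise NNh."""
    return SFR.get(b, f"{b:02X}h")

def decode(op):
    """Template and operand count for one opcode, including the register families."""
    if op in OPS: return OPS[op]
    if 0x78 <= op <= 0x7F: return (f"MOV R{op & 7},#{{imm}}", 1)
    if 0xF8 <= op <= 0xFF: return (f"MOV R{op & 7},A", 0)
    if op in (0xE6, 0xE7): return (f"MOV A,@R{op & 1}", 0)
    return None

def disassemble(code, base):
    """Return [(address, instruction bytes, text)]; unknown opcodes become DB and
    an instruction cut off by the end of the dump is reported as truncated."""
    out, pc = [], 0
    while pc < len(code):
        op, form = code[pc], decode(code[pc])
        if form is None:
            out.append((base + pc, code[pc:pc + 1], f"DB {op:02X}h  ; unknown opcode"))
            pc += 1
            continue
        tmpl, n = form
        ops = code[pc + 1:pc + 1 + n]
        if len(ops) < n:
            out.append((base + pc, code[pc:], f"{tmpl.split()[0]} ...  ; truncated"))
            break
        nxt = base + pc + 1 + n                    # address of the following instruction
        fields = {}
        if n >= 1:                                 # an immediate is always the last operand byte
            fields.update(imm=f"{ops[-1]:02X}h", dir=direct(ops[0]), bit=f"{ops[0]:02X}h")
            rel = ops[0] - 256 if ops[0] > 127 else ops[0]   # signed 8-bit, relative to nxt
            fields["rel"] = f"{(nxt + rel) & 0xFFFF:04X}h"
        if n == 2:                                 # 16-bit address is big-endian; 85 = MOV src,dst
            fields.update(addr=f"{ops[0] << 8 | ops[1]:04X}h", dir2=direct(ops[1]))
        out.append((base + pc, code[pc:pc + 1 + n], tmpl.format(**fields)))
        pc += 1 + n
    return out
```

A useful sanity check that the 0x4800 region really is code, beyond the absence of unknown opcodes: both JZ 03 branches land exactly on the instruction after the LJMP they skip.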

#2
The Zyxel tells you whether it's WPA or WEP; the Linksys, however, doesn't. But you, who know about this, could it be modified to show it?


-----------------

Interestingly, the PC Board has pads to mount 3 LEDs to illuminate the LCD screen. These are unpopulated, but could be used if the corresponding resistors are also installed.


That's a little detail it was missing and it would be cool to add it =)
#3
That's exactly what the hack is for!... to get at the information at the code level. ;)
Zero13


#4
The card looks good, but I've seen some keychain gadgets that detect APs but don't connect you to them; they're just like a WiFi detector. Would those carry a chipset, something like Atheros, Orinoco, ZyDAS, or just an RF chip to pick up the APs' transmissions?
#5
Hi! How's it going? Does aircrack work with this card yet? On Windows? thx

