Once we have successfully flashed the OpenWRT firmware, we can continue with flashing the ReaverPro firmware onto the device.
Table of Contents:
- Build a Hacking Gadget – ReaverPro P1
- Build a Hacking Gadget – ReaverPro P2
Extract the ReaverPro firmware to the TFTP directory. The IP address and configuration are the same as in Part 1.
The zip file contains 3 files: ReaverPro-14.0.49.bin, staging-firmware.bin and latest.bin. We will start with ReaverPro-14.0.49.bin. We need staging-firmware.bin as an intermediate step so that we can successfully upgrade to the latest version.
Please choose the operation:
1: Entr boot command line interface.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
You choosed 1
0
ar7240> setenv serverip 192.168.1.254; setenv ipaddr 192.168.1.1
Verify the connection to the TFTP server:
ar7240> ping 192.168.1.254
ar7240> tftp 0xa0800000 ReaverPro-14.049-beta.bin
ar7240> erase 0x9f050000 +0xf60000
ar7240> cp.b 0xa0800000 0x9f050000 0xf60000
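Before erasing flash it is worth checking on the TFTP host that the image actually fits the region the post erases, since cp.b will happily truncate an oversized image and leave the device unbootable. This is an added example, not the post's or ReaverPro's own code; it takes the addresses from the commands above and assumes dd, wc and basename as found on GNU/BSD systems.

```shell
#!/bin/sh
# Host-side check before flashing (added example, not part of the original post).
# The post erases 0xf60000 bytes at 0x9f050000 and then copies 0xf60000 bytes
# from RAM, so an image larger than the region would be silently truncated.
FLASH_BASE=0x9f050000   # flash partition start, from the post's erase/cp.b
REGION_LEN=0xf60000     # region length, from the post's erase/cp.b
LOAD_ADDR=0xa0800000    # RAM load address used by tftp in the post

# image_size FILE: print the file size in bytes (wc -c is POSIX, stat -c is not).
image_size() {
    size=$(wc -c < "$1")
    echo $((size))        # arithmetic expansion strips wc's leading blanks
}

# image_fits FILE: succeed only if FILE fits into the REGION_LEN-byte region.
image_fits() {
    [ "$(image_size "$1")" -le $((REGION_LEN)) ]
}

# uboot_cmds FILE: print the U-Boot sequence for FILE. The copy length is the
# exact image size (the value U-Boot itself stores in $filesize after tftp),
# so no stale RAM past the end of the image is written into flash.
uboot_cmds() {
    if ! image_fits "$1"; then
        echo "ERROR: $(basename "$1") is larger than the $REGION_LEN-byte flash region" >&2
        return 1
    fi
    printf 'tftp %s %s\n' "$LOAD_ADDR" "$(basename "$1")"
    printf 'erase %s +%s\n' "$FLASH_BASE" "$REGION_LEN"
    printf 'cp.b %s %s 0x%x\n' "$LOAD_ADDR" "$FLASH_BASE" "$(image_size "$1")"
}

# Usage: ./preflash.sh /srv/tftp/ReaverPro-14.0.49.bin   (path is an example)
[ $# -eq 1 ] && uboot_cmds "$1"
```

The printed lines can be pasted into the ar7240> prompt in place of the tftp/erase/cp.b commands above; the erase still covers the whole region exactly as the post does.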
Reboot the device and we should see something like this:
[ 19.150000] device eth0 entered promiscuous mode
[ 19.160000] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
[ 19.170000] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[ 22.070000] eth1: link up (100Mbps/Full duplex)
[ 22.070000] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
[ 33.910000] jffs2_scan_eraseblock(): End of filesystem marker found at 0x0
[ 33.910000] jffs2_build_filesystem(): unlocking the mtd device... done.
[ 33.920000] jffs2_build_filesystem(): erasing all blocks after the end marker... done.
[ 75.900000] jffs2: notice: (974) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
procd: - init complete -
BusyBox v1.19.4 (2014-02-18 14:26:37 EST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
( ( )\ ) )\ ) (()/( ( ) ) ( ( (()/( ( /(_)) ))\ ( /( /(( ))\ )( /(_)))( ( (_)) /((_))(_))(_))\ /((_)(()\ (_)) (()\ )\ | _ \(_)) ((_)_ _)((_)(_)) ((_) | _ \ ((_) ((_) | // -_)/ _` |\ V / / -_) | '_| | _/| '_|/ _ \ |_|_\\___|\__,_| \_/ \___| |_| |_| |_| \___/
reaversystems.com
root@OpenWrt:/#
Connect the Ethernet cable to the PoE port. Open a browser and go to http://10.9.8.1
default login: raever / foo
The attack web interface has a green/black design. Under Configure we can upload staging-firmware.bin, which is needed before we can move on to the latest firmware (otherwise it won't work). This step took some patience. After the reboot we can go back and upload the newest firmware, latest.bin.
I just set up a WLAN AP with SSID: Swiss_Emmentaler
I set WPA2 encryption with a strong password and enabled WPS
After 9 hours the WPS PIN was cracked 🙂