Build a Hacking Gadget – ReaverPro P2

Once we have successfully flashed the OpenWRT firmware, we can continue by flashing the ReaverPro firmware onto the device.

Let’s start:

Extract the ReaverPro firmware to the TFTP directory. The IP address and configuration are the same as in Part 1.

The zip file contains three files: ReaverPro-14.0.49.bin, staging-firmware.bin and latest.bin. We will start with ReaverPro-14.0.49.bin. The staging-firmware.bin is needed as an intermediate step so that we can successfully upgrade to the latest version.

Please choose the operation:
   1: Entr boot command line interface.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).

You choosed 1

 0

ar7240> setenv serverip 192.168.1.254; setenv ipaddr 192.168.1.1


Verify connection to TFTP Server:

ar7240> ping 192.168.1.254


ar7240> tftp 0xa0800000 ReaverPro-14.049-beta.bin


ar7240> erase 0x9f050000 +0xf60000


ar7240> cp.b 0xa0800000 0x9f050000 0xf60000
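Before typing the U-Boot sequence above, it is worth checking on the TFTP host that the image actually fits the region being erased and that the file name requested over TFTP is exactly the file sitting in the TFTP directory. The following script is an added example (not part of the original post or of ReaverPro); it reuses the addresses and lengths from the session above and is assumed to be saved as check_fw.sh on the TFTP host.

```shell
#!/bin/sh
# Added host-side check (example code, not from the original post).
# Addresses are the ones used in the U-Boot session above:
#   load address  0xa0800000  (RAM buffer the TFTP image lands in)
#   flash offset  0x9f050000  (start of the erased region)
#   region length 0xf60000    (bytes erased, then copied with cp.b)
FLASH_OFFSET=0x9f050000
LOAD_ADDR=0xa0800000
REGION_LEN_HEX=0xf60000
REGION_LEN=16121856        # 0xf60000 in decimal, so POSIX sh can compare it
TFTP_SERVER=192.168.1.254  # TFTP server address from Part 1
DEVICE_IP=192.168.1.1      # address given to the device in U-Boot

# fw_fits_region FILE
# Succeeds only if FILE exists and is no larger than the erase region.
# cp.b copies exactly REGION_LEN bytes from RAM, so a larger image would be
# silently truncated; a smaller one is fine (the rest of the region stays erased).
fw_fits_region() {
    f="$1"
    [ -f "$f" ] || { echo "missing firmware image: $f" >&2; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -gt "$REGION_LEN" ]; then
        echo "$f is $size bytes, exceeds region $REGION_LEN_HEX ($REGION_LEN)" >&2
        return 1
    fi
    return 0
}

# uboot_flash_cmds FILE
# Prints the U-Boot command sequence for FILE, using its basename so the
# name requested over TFTP is exactly the name placed in the TFTP directory.
uboot_flash_cmds() {
    name=$(basename "$1")
    printf 'setenv serverip %s; setenv ipaddr %s\n' "$TFTP_SERVER" "$DEVICE_IP"
    printf 'ping %s\n' "$TFTP_SERVER"
    printf 'tftp %s %s\n' "$LOAD_ADDR" "$name"
    printf 'erase %s +%s\n' "$FLASH_OFFSET" "$REGION_LEN_HEX"
    printf 'cp.b %s %s %s\n' "$LOAD_ADDR" "$FLASH_OFFSET" "$REGION_LEN_HEX"
}

# Usage: ./check_fw.sh /srv/tftp/ReaverPro-14.0.49.bin  (path is an example)
if [ -n "$1" ]; then
    fw_fits_region "$1" && uboot_flash_cmds "$1"
fi
```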


Reboot the device and we should see something like this:

[   19.150000] device eth0 entered promiscuous mode
[   19.160000] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
[   19.170000] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[   22.070000] eth1: link up (100Mbps/Full duplex)
[   22.070000] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
[   33.910000] jffs2_scan_eraseblock(): End of filesystem marker found at 0x0
[   33.910000] jffs2_build_filesystem(): unlocking the mtd device... done.
[   33.920000] jffs2_build_filesystem(): erasing all blocks after the end marker... done.
[   75.900000] jffs2: notice: (974) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
procd: - init complete -



BusyBox v1.19.4 (2014-02-18 14:26:37 EST) built-in shell (ash)
Enter 'help' for a list of built-in commands.



 (                                 (
 )\ )                              )\ )
(()/(   (     )   )      (   (    (()/( (
 /(_)) ))\ ( /(  /((    ))\  )(    /(_)))(    (
(_))  /((_))(_))(_))\  /((_)(()\  (_)) (()\   )\
| _ \(_)) ((_)_ _)((_)(_))   ((_) | _ \ ((_) ((_)
|   // -_)/ _` |\ V / / -_) | '_| |  _/| '_|/ _ \
|_|_\\___|\__,_| \_/  \___| |_|   |_|  |_|  \___/


              reaversystems.com

root@OpenWrt:/#


Connect the Ethernet cable to the PoE port, open a browser and go to http://10.9.8.1

default login: raever / foo

The attack web interface has a green/black design. Under Configure we can upload staging-firmware.bin, which is required before we can move on to the latest firmware (otherwise it won't work). This step took some patience. After the reboot we can go back and upload the newest firmware, latest.bin.

I just set up a WLAN AP with SSID: Swiss_Emmentaler

I set WPA2 encryption with a strong password and enabled WPS.

After 9 hours the WPS PIN was cracked 🙂
