Rocket Hub a.k.a Ericsson W35 Official Rogers Unlocking Questions

I'm Here A Lot
Posts: 7

Re: Rocket Hub a.k.a Ericsson W35 Official Rogers Unlocking Questions

Can somebody try these steps and report back?

 

load backtrack 5

load metasploit framework

format a flash drive ext2 then put into w35

samba symlink directory traversal

this should create a share that can browse root

the password file is /etc/passwd

I'm an Advisor
Posts: 842

Re: Rocket Hub a.k.a Ericsson W35 Official Rogers Unlocking Questions

@jps44:

 

Some questions on your request:

 

1. by "load" I assume you mean download.

2. I just checked the W35 User Guide.  It states that it will mount an EXT2-formatted USB flash drive.

3. is "samba symlink directory traversal" input as a CLI command on the W35?  If so, this will not work as we currently do not have CLI access.

 

As I have mentioned before, the encrypted password information is in /etc/shadow.  You are correct that the original Unix password file was /etc/password.  That file originally contained the passwords "in the clear".  It still exists on Linux as well as Unix systems.  However, today encryption is used, and it is my understanding that passwords are now stored encrypted in /etc/shadow.

 

So, unless I understand this process incorrectly, it seems to indicate that some kind of CLI access is mandatory in order to perform this exploit.

 

Please do comment and critique my statements and assumptions, as I do not consider myself expert in this area by any means.

 

TIA

 

skinorth

 

I Plan to Stick Around
Posts: 16

Re: Rocket Hub a.k.a Ericsson W35 Official Rogers Unlocking Questions

Update - I found another USB flash drive (Kingston Data Traveler) and stuck it in and it works.  I can now see the storage device name on the W35 and the share on Windows.

Not sure why the SanDisk doesn't work - I assumed both formatted FAT32 but the Cruzer may be done for.  Anyway I can concentrate on the Samba bits now.  I probably won't have time until Monday-ish to get back to this but will check back in for (or with) any news asap.

 

Thanks ips44 and skinorth.  Hope you have a good weekend...

I'm Here A Lot
Posts: 7

Re: Rocket Hub a.k.a Ericsson W35 Official Rogers Unlocking Questions

Hey skinorth, here are my thoughts on your points:

1. I mean download and get it set up/running on a PC plugged into the w35. I think metasploit is part of backtrack.

2. Glad to hear this should be ok.

3. As I understand it the input is entered on the PC running metasploit/backtrack. It tries to connect to the w35 hosted usb stick over the network then does its thing and lets you browse whatever.

Not sure if the passwords are in etc/shadow or etc/password. It is possible that the linux version on w35 is old and still using etc/password. We should be able to get to either file if the exploit works.

So just to be very clear, I think the symlink thing works over the network with no cli access.

 

BTW it is possible to try ssh or telnet into the w35. it does ask for username and password. I tried to bruteforce this way but it was way too slow.

 

Also, not an expert. Do not take my statements as facts. Only guessing and assuming. Confirm what you can.

I have not had physical access to my w35 but will pick it up next week and try some things out.

I'm an Advisor
Posts: 842

Re: Rocket Hub a.k.a Ericsson W35 Official Rogers Unlocking Questions

@jsp44 & tmiktlui:

 

Sounds like you guys are serious about this.  So, here is our assigned reading for this "project":

 

http://tools.question-defense.com/Cracking_Passwords_Guide.pdf

 

Enjoy!!!

 

I needed some bed-time reading anyway, so I can have some restful nights this weekend.

 

skinorth

 

I'm Here A Lot
Posts: 7

Re: Rocket Hub a.k.a Ericsson W35 Official Rogers Unlocking Questions

Hello again. I can't get ahold of my w35 until next week but thought I'd update you on my readings.

There are still 2 parts to our approach:

1. Getting to read the password file

2. Cracking the password(s)

 

For part 1, metasploit runs on windows. It's easy to install and the samba symlink traversal exploit is in the command line interface. Ready to try when I get my hands on the w35.

 

For part 2, I want to use oclhashcat-plus. It seems fast enough and I have some GPUs to use with it. I also have it installed on Windows but need help with the command to run. It loads the hashes I posted earlier (trim the front and ends off to just salt and hash) from a text file and starts running. I need to know how to specify 8 length uppercase, lowercase, digits. Also knowing how to pause and resume would be nice.

I'm an Advisor
Posts: 842

Re: Rocket Hub a.k.a Ericsson W35 Official Rogers Unlocking Questions

@jps44:

 

I did download and install metasploit on my Windows 7 "main" laptop.  The download was about 330 MBytes, so not too large.  However, I uninstalled it once I realized it required me to shut down my Windows anti-virus and firewall as well as suspend all Windows updates in order to run it.  That I considered too dicey on my "main" machine.

 

As for your comments on its use with the Samba exploit, I remain to be convinced that it can be done as you describe it, but am willing to try it to see what happens.  You never know.........

 

When I get a chance, I will transfer the download to my backup WinXP Pro laptop and try it there.  It has very little stuff on it that is critical to me, so I can risk that.  However, it is an older, slower machine.  So the downside is that it will take longer to do whatever is required.  And a Metasploit install does take a looooong time.  As does, if I understand correctly, the running of the program to perform its functions.

 

Backtrack is a different story.  It is a 3.1 GByte download, and needs to be put either on a large enough USB stick, or burned to DVD.  As the W35 cannot boot a DVD that is kind of pointless.  And I doubt if the W35 will boot off a USB stick either.

 


And, with the download speeds available to me the 3.1GByte file download takes way too long.

 

skinorth

 

I'm Here A Lot
Posts: 7

Re: Rocket Hub a.k.a Ericsson W35 Official Rogers Unlocking Questions

Great news: the samba symlink traversal exploit worked!

Ran metasploit off my win7 laptop. Used the 3 commands off the page mentioned earlier. Ext2 usb stick was in the w35.

Am now browsing the entire file system. Did not find a shadow file. Here are the contents of passwd:

root:$1$QeUoekTR$NtbPHdFKR/rz372mzYVyt.:0:0:root:/root:/bin/sh
ftp:*:15:14:ftp:/var/ftp:/bin/sh
sshd:*:18:19:sshd:/var/run/sshd:/bin/sh
operator:$1$z1NlHNTA$i7uJaFeH04mwAI/kmDcdv.:500:500:operator:/home/operator:/bin/sh
user:$1$BE0ItmiI$X7v4WWf3XS6J/TbF2Vfoe.:1000:1000:user:/home/user:/bin/false
smbuser:*:1500:1500:Samba Guest Account:/home/smbuser:/bin/false
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
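
Added example (not part of any post in this thread): a defender-side check for the condition reported above, where password hashes sit in the world-readable passwd file and no shadow file exists. The function name, scheme table and sample lines are constructed for illustration, and the sample hashes are placeholders.

```python
"""Audit passwd-format text for password hashes stored outside /etc/shadow."""

# crypt(3) scheme ids mapped to (name, considered weak today). Assumed table.
SCHEMES = {
    "1": ("md5crypt", True),
    "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False),
    "5": ("sha256crypt", False),
    "6": ("sha512crypt", False),
    "y": ("yescrypt", False),
}
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample in the passwd layout; hashes are placeholders, not real.
SAMPLE = """\
root:$1$SALTSALT$PLACEHOLDERHASH0000000:0:0:root:/root:/bin/sh
ftp:*:15:14:ftp:/var/ftp:/bin/sh
svc:$6$SALTSALT$PLACEHOLDERHASH:500:500:svc:/home/svc:/bin/false
shadowed:x:1000:1000:user:/home/user:/bin/sh
broken-line-without-fields
"""

def audit_passwd(text):
    """Return a list of (user, issue) findings for passwd-format text."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry, expected 7 fields"))
            continue
        user, pw, uid, shell = fields[0], fields[1], fields[2], fields[6]
        if pw == "x" or pw.startswith(("*", "!")):
            continue  # hash lives in /etc/shadow, or password login is locked
        if pw == "":
            findings.append((user, "empty password field"))
            continue
        if pw.startswith("$") and pw.count("$") >= 3:
            scheme, weak = SCHEMES.get(pw.split("$")[1], ("unknown scheme", False))
        else:
            scheme, weak = "legacy DES or unknown", True
        issue = f"{scheme} hash readable in passwd"
        issue += ", weak scheme" if weak else ""
        issue += ", uid 0" if uid == "0" else ""
        issue += ", login shell" if shell not in NOLOGIN_SHELLS else ""
        findings.append((user, issue))
    return findings

if __name__ == "__main__":
    for user, issue in audit_passwd(SAMPLE):
        print(f"{user}: {issue}")
```

Any finding other than a malformed entry means the hash should move to a root-only shadow file and be re-hashed with a current scheme at the next password change.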

 

 

I've Been Around
Posts: 1

Re: Rocket Hub a.k.a Ericsson W35 Official Rogers Unlocking Questions

Well, in all honesty, the "easiest" way to do it is to ask Rogers for it - just need to get a hold of the right person, and have something that you can hold them to... in my case, I had to get a VPN running behind this thing, and as bridging was not particularly documented, I had to have my Cisco VPN router NAT'd behind the W35...

It wasn't working off the bat so the only thing I could figure was that I needed to forward protocols as well... not just ports... which is not a part of the GUI and can only be done at a command line level, and so here I am, a person who read up on the W35 and bought it because it has VPN pass-through.

Well, after being transferred to the President's Office, and explaining the situation 2-3 times, and insisting that this be solved, I was finally given to someone who "doesn't talk to the customers"....and he found the password for me.

 

I would give it but I promised that I wouldn't, so good luck on the hacking - and otherwise, just remember one thing... the customer is always right

I Plan to Stick Around
Posts: 9

Re: Rocket Hub a.k.a Ericsson W35 Official Rogers Unlocking Questions

My approach to this problem was different. I attacked the hardware and literally disassembled a w35 unit to its components. The bad news is that the 3G modem card is completely stock and unlocked. It seems that all the restrictions are baked into the custom Rogers firmware.

I'm wondering what will be the next step for Rogers now that they changed their device unlocking policies. Will they allow unlocking the Rogers-branded w35, and if yes, then how?

 

 

cheers

 

G.