Exploits



How to break into a Nokia N900

by on Dec.09, 2012, under Exploits, Posts

(Skip to the bottom of this post if you do not want to read the short story and if you just want the instructions).

This is sad to say, but this will probably be my last post on the Nokia N900. I am growing a bit tired of blogging specifically about this device though I do adore it, its capabilities, and what it has taught me. Per contra, I will still be supporting those who contact me for help regarding the N900 when I find the time to.

I am writing this post due to the fact that I actually had to buy a new replacement N900 this year due to water damage on my original N900. I tried the rice method, but this did not mend the issue. I also disassembled the phone and cleaned the components with rubbing alcohol, but this still didn’t work. So it was off to Ebay for a replacement N900 due to the fact that I wanted to finish my weaponizen900.sh program and I also planned on still using this device as an awesome media player.

I received my replacement N900 in less than a week. The seller from Ebay stated that the device was “NEW”, but I found out later that it wasn’t quite “NEW”. The seal on the packaging for the N900 was torn and I also noticed the default password ‘12345’ did not work along with other default passwords for Nokia (such as 0000, 00000, and I believe 1234). Foolishly, I ignored this and thought to myself, “I will not worry about this right now, I just need a functioning phone”.

Back to hacking away at my program and every couple lines of code that I would make changes, I would test my program on my N900. The replacement N900 had firmware version 1.2 which I thought I would test out my program on. I soon found out that my program was not compatible with the PR 1.2 firmware version and my phone would go into an infinite reboot sequence. To fix this issue, I flashed the phone with the PR 1.3 firmware version and my phone booted up as normal but this time it asked for the password before loading the Maemo operating system. The default password didn’t work ergo.. I WAS LOCKED OUT OF MY N900!

Obviously this N900 wasn’t “NEW” and since the phone had a password set I had to figure out how to break into my N900 without being able to fully boot it. Here is how you break into it:

1.) Flash your N900 with PR 1.2 firmware version. This version does not ask for the password before loading the Maemo operating system by default.

2.) You will be able to get into your N900.

3.) Then simply follow these directions: http://lifewithmaemo.blogspot.com/2011/01/recovering-n900-phone-lock-code.html to recover the phone lock code.

(If you’re curious, my original N900 phone lock code was 11552 🙂 )

7 Comments :, , , more...

Netgear RP614v4 exploit

by on Mar.24, 2010, under Code, Exploits, Posts

rp614v4

Website/Company: http://zitstif.no-ip.org
E-mail: zitstif[at]gmail.com

Name: Kyle Young

Device:
Netgear RP614v4
Firmware version: v1.1.2_09.01
Firmware release date: November 2009
HTTP service: Boa HTTPd 0.93.15
Exploit release date: Wednesday March 24, 2010

Default router credentials:
username: admin
password: password

Scope: Local/Remote

Vulnerability:

The Netgear RP614v4 is susceptible to an end user making a request for the netgear.cfg file which is located at:

http://[RouterIP]/vgn/jsp/netgear.cfg

This file, is a plain text ASCII file that contains the router’s password at line 216, which looks similar to this:

http_passwd=myvulnerablepassword

You don’t have to authenticate to obtain this file at all.

The qualm with this exploit is that, it works in the LAN that the router is on, or even remotely over a WAN, that is if the remote administration
option is enabled and the default port for this is 8080.

PoC: http://zitstif.no-ip.org/rp614v4/rp614v4exploit.txt

Additional notes:

After discovering this vulnerability, I’ve noticed with other routers that have http based administration, is that you can make requests for config files without authenticating. However, this does not always work and at times the config file is obfuscated.

From my experience, most of the config files for routers are in a binary format and can be viewed with a program like ‘bvi. At times, you can view credentials to the device and also PPPoE credentials.

I’m reporting this vulnerability to securityfocus.com, due to the lack of support on Netgear’s end.

Leave a Comment :, , , , , , more...

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!