What can you do with a cheap Linux machine with limited flash and only a single free GPIO line? Probably not much, but sometimes, just getting root to prove you can is the main goal of a project. If that happens to lead somewhere useful, well, that’s just icing on the cake.
Like many interesting stories, this one starts on AliExpress, where [Easton] spied some low-cost WiFi repeaters, the ones that plug directly into the wall and extend your wireless network another few meters or so. Unable to resist the siren song, [Easton] soon had a few of these dongles in the mailbox, ripe for the hacking. Spoiler alert: although the attempt on the first device had some success, getting a console session through the UART port and resetting the root password, [Easton] ended up bricking the repeater while trying to install an OpenWrt image.
The second attempt, this time on a different but similar device, proved more fruitful. The rudimentary web UI provided no easy path in, although it did a pretty good job of enumerating the hardware [Easton] was working with. With the UART route likely only to provide temptation to brick this one too, [Easton] turned instead to a security advisory about a vulnerability that allows remote code execution through a specially crafted SSID. That means getting root on these dongles is as simple as a curl command, with no hardware hacks needed!
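The bug class behind "root via a crafted SSID" is almost always a configuration handler that interpolates the user-supplied SSID into a shell command line and runs it as root. The following is an added illustration, not [Easton]'s code and not the actual firmware of either repeater: the tool name `iwpriv`, the interface `ra0` and the handler names are placeholders, and the payload string is constructed for the example. It shows the vulnerable pattern next to a hardened version that validates the SSID against the 802.11 limit of 32 octets and hands it to `execvp` as a single argv element so no shell ever parses it.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical vulnerable handler (placeholder tool/interface names):
 * builds a shell command line by string interpolation. An SSID such as
 *   Home"; id > /tmp/pwned; "
 * closes the quoted argument and runs an attacker command, as root if the
 * web daemon runs as root. Returns 0 and the command in `out` so the reader
 * can see exactly what the shell would receive. */
int build_cmd_vulnerable(const char *ssid, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "iwpriv ra0 set SSID=\"%s\"", ssid);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened validation: 802.11 SSIDs are 1..32 octets. This example goes
 * further and allows only printable ASCII without shell metacharacters,
 * even though the safe path below never invokes a shell, so that a later
 * refactor cannot silently reintroduce the injection. */
int ssid_is_safe(const char *ssid) {
    size_t len = strlen(ssid);
    if (len == 0 || len > 32) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)ssid[i];
        if (c < 0x20 || c > 0x7e) return 0;
        if (strchr("`$\\\"';|&<>(){}", c) != NULL) return 0;
    }
    return 1;
}

/* Hardened handler: validate, then fork/exec with an argv array. The SSID
 * travels as one argument; quoting tricks are irrelevant because no shell
 * is involved. Returns the child's exit status, or -1 when validation
 * fails or the child cannot be run. */
int set_ssid_safe(const char *ssid) {
    if (!ssid_is_safe(ssid)) return -1;
    char arg[64];
    snprintf(arg, sizeof arg, "SSID=%s", ssid);
    char *const argv[] = {"iwpriv", "ra0", "set", arg, NULL};
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);               /* exec failed in the child */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *payload = "Home\"; id > /tmp/pwned; \"";   /* constructed */
    char cmd[128];
    if (build_cmd_vulnerable(payload, cmd, sizeof cmd) == 0)
        printf("vulnerable handler would run: %s\n", cmd);
    printf("hardened handler accepts the payload: %s\n",
           ssid_is_safe(payload) ? "yes" : "no");
    return 0;
}
```

Note that the length check alone is not a fix: the payload above is well under 32 bytes. The fix is the argv-based exec; the character filter is defence in depth.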
As for what to do with a bunch of little plug-in Linux boxes with WiFi, we’ll leave that up to your imagination. We like [Easton]’s idea of running something like Pi-Hole on them; maybe Home Assistant would be possible, but these are pretty resource-constrained machines. Still, the lessons learned here are valuable, and at this price point, let the games begin.
Great, I hope more people will get their hands dirty with Buildroot or Yocto to own those cheap appliances!
Excellent investigations and write-ups!
Curious about those unpopulated SOIC footprints near the Ethernet port... I'm guessing the PCB is designed to be flexible to support either integrated or discrete magnetics, but the RJ45 connectors look awfully small... is it possible they just skimped on that altogether? (I got away with that on an old project..)
Was also surprised that the antennas on the black one at least APPEAR to be functional.
Noticed that as well, I guess they completely skipped the magnetics, because it works without them anyway.
As for bricking, can’t one just dump the 8MB SOIC Flash and have a “save point” to return to if you mess it up?
Hello,
Author here. I’ve attached the flash dumps to the blog post, thanks for the reminder.
The Part 2 link showed me that I have a YUGE deficit in my Linux skills!
Not using that rubbish even if they paid me to do so. Ethernet ports without magnetics (read: no galvanic insulation) on a device that connects to mains? Seriously!
For the record: Ethernet without transformers is indeed possible for close board-to-board or same-board communication between chips, and allows interesting hacks, like tapping two interfaces using a third one, or building a star or even token-ring-like topology by carefully choosing the communication method, all without a switch in between, but those would be hacks outside of any safety standards.
Ethernet ports can’t be safe anymore if they skip the necessary transformers, this is cutting corners that went too far.
For Ethernet links, capacitive isolation is also possible. It would seem analogous to the use of transformers.
For the designated purpose of the (unaltered) device, the Ethernet port will probably not be utilized after setup.
I always thought the transformers in ethernet were for signal quality and not security?
Since mains on the board is galvanically insulated, I don't see the issue (except for disrupting Ethernet's signal shapes, but this kind of device is plugged into a switch already in a 1:1 fashion, so it's unlikely it'll perturb anyone else).
Great investigation and writeup!
I've looked at the repeater from the second post as well a while ago, and got the latest OpenWrt running on it. I've also got SPI broken out by piggybacking on the flash chip and using an LED as chip select. With that it's easy to use something like an RP2040 as a GPIO expander, or whichever MCU floats your boat.
Most of it is documented here on a hackaday project:
https://hackaday.io/project/192859-fun-with-wifi-repeaters
and the latest openwrt for this thing is on git:
https://github.com/biemster/funpeater-openwrt
(although I did not sync the fork for a while, but could do that easily if there is interest)
Thanks, a lot of information, cool.