Hacking the Sapido gr-1102

I bought a Sapido GR-1102 because I figured hey, it's small, runs Linux, has wireless N, can be powered from USB and has 2 USB ports.

Initially I plugged it in and plugged in a mobile broadband dongle. The router detected it, I set it up to dial #99, and after a minute I was connected to the web through this little travel 3G router.

I was happy.

In an effort to get root access to the device I grabbed the most recent firmware off of Sapido’s site. I noticed some gzip magic in the file and extracted the rootfs.

I knew there was a hidden page, so I searched in my hex editor for the term "command" and got a hit for "System command".

The hidden page was/is called obama.asp. Interesting…
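
The gzip-magic search and keyword hunt described above can be done directly on the raw bytes. The following is an added example, not the author's tooling: it carves complete gzip streams out of a blob, searches the decompressed data for a keyword, and locates the standard squashfs magic; the sample image and its contents are constructed for the demo.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"           # ID1, ID2, CM=8 (deflate)
SQUASHFS_MAGICS = (b"hsqs", b"sqsh")   # standard little-/big-endian superblock magic
MAX_OUT = 64 * 1024 * 1024             # cap per stream so a crafted image cannot exhaust RAM

def find_all(blob, needle):
    """Return every offset at which needle occurs in blob."""
    offsets, pos = [], blob.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(needle, pos + 1)
    return offsets

def carve_gzip(blob):
    """Inflate at each gzip magic; return {offset: data} for complete streams only."""
    carved = {}
    for off in find_all(blob, GZIP_MAGIC):
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+ = require gzip framing
        try:
            data = d.decompress(blob[off:], MAX_OUT)
        except zlib.error:
            continue                                   # magic bytes occurred by chance
        if d.eof and data:                             # stream ended, trailer verified
            carved[off] = data
    return carved

def grep_bytes(data, keyword, context=16):
    """Return the bytes around each case-insensitive hit for keyword."""
    low, key = data.lower(), keyword.lower()
    return [data[max(0, i - context):i + len(key) + context] for i in find_all(low, key)]

def build_sample():
    """Constructed stand-in for a firmware blob (not a real Sapido image)."""
    page = b"<html><b>System command:</b></html>"
    blob = (b"HDR\x00" * 4 + GZIP_MAGIC + b"\xff" * 8      # false magic at offset 16
            + gzip.compress(page, mtime=0) + b"\x00" * 32   # real stream at offset 27
            + b"hsqs" + b"\x00" * 28)                       # squashfs magic marker
    return blob, page

if __name__ == "__main__":
    blob, _ = build_sample()
    for off, data in carve_gzip(blob).items():
        print(f"gzip stream at 0x{off:x}: {len(data)} bytes, hits={grep_bytes(data, b'command')}")
    for magic in SQUASHFS_MAGICS:
        print(magic, [hex(o) for o in find_all(blob, magic)])
```

Against a real image, read the file in binary mode and pass the bytes to carve_gzip; any stream that would inflate past MAX_OUT is skipped rather than kept partially.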

I fired up telnetd with telnetd -l /bin/sh and telnet’ed to the device. I had root access….

I was able to get my cellphone to work, with some hackery.
A VID and PID for the USB device are written to a file: /var/HSDPACARD

I found this out by reading the /bin/HSDPA.sh script.

Of course my cellphone is detected as a generic ttyACM device, so a quick search of the supported VIDs/PIDs gave me 0fa1 and 6010 for ttyACM0.

I wrote a little script that just echoes this to the correct place.

echo "Vendor=0fa1 ProdID=6010" > /var/HSDPACARD

And now the cellphone's connection can be shared.

OpenWrt is next. I have a kernel booting; just working out the rootfs now.

Stay tuned.

19 Comments

  1. Hi man! You are a router guru! =)
    I want to make a NAS server from the Sapido; is it possible?

    Comment by jdie — June 22, 2010 #

  2. It is possible; by default it is supported in the stock firmware.

    Comment by admin — June 23, 2010 #

  3. Hello! I also have a Sapido, but a GR-1222 with NES server. Could you describe in more detail how to gain root access on such a thing?
    I have a problem with that router: it blocks all RTP packets from almost any VoIP software (well, only Skype works, everything else based on SIP isn’t working…). Any help is welcome :)
    Best regards, Marek

    Comment by Marek — June 24, 2010 #

  4. I have an RB-1132. It doesn't have this function =(

    Comment by jdie — June 24, 2010 #

  5. Could you write a full recommendation for root access?

    Comment by jdie — June 24, 2010 #

  6. Jdie, have you updated to the latest firmware? I did not try it with anything else.

    You could just try to log in, then try to access obama.asp.
    So if the IP is 192.168.1.1, then enter http://192.168.1.1 in your address bar to log in.
    Then go to http://192.168.1.1/obama.asp to get to the hidden page and fire up telnetd.

    Comment by admin — June 24, 2010 #

  7. Marek, I will see what I can do with the gr1222, and I will take a look at the 1132’s firmware and post a guide.

    Comment by admin — June 24, 2010 #

  8. I go to
    http://192.168.1.1/obama.asp

    but I don't know what I must type. I type “ls” and see directories, but when I type “cd usr”, for example, it does nothing. =((

    When I connect by telnet, the router asks me for a password.
    =\

    Comment by jdie — June 24, 2010 #

  9. Hello! Thx 4 ur reply! The “obama.asp” trick works with the gr-1222 too; I was able to launch telnetd and gain root access :) Could you be so kind and tell me if your router works with VoIP software? Like Kiax or twinkle… Also, I would like to see how you stripped the firmware from the website to be able to decompress the gzip and extract the rootfs. Will you try to install another firmware? Something like openwrt..? Is it possible anyway?
    Best regards, Marek

    Comment by Marek — June 25, 2010 #

  10. Please, man! Write in short how to get root priv??

    Comment by jdie — June 29, 2010 #

  11. Jdie, when you’re on obama.asp, instead of “ls” type in “telnetd -l /bin/sh”. Then just make a telnet connection to your router and… this is it! Is it so hard to read with understanding? ;)

    Comment by Marek — June 30, 2010 #

  12. Thanks! It works! I saw that the firmware contains bz2 files, but I don't know how to extract them. And I don't have file write permission in telnet. Why?

    Comment by jdie — June 30, 2010 #

  13. You can’t write anything to the firmware, because it’s read-only. You can dump the firmware from /dev/mtdblockX (you have to check the number the X stands for) to external storage. The best way to do this is to mount a pendrive or HDD via the web GUI, then telnet to the router, type in ‘mount’ and you will see the devices. “MTDBLOCK” is usually the squashfs read-only root filesystem, which you may dump. On my GR-1222 any external storage is mounted under /var/tmp/usb/. Check yours, then using ‘dd if=/dev/mtdblockX of=/var/tmp/usb/sda1/dump.bin’ you can dump the rootfs. Now, the best part – if you are able to unsquash the rootfs, you will also be able to make changes to your router firmware. I wasn’t able to do this :(

    Comment by Marek — July 1, 2010 #

  14. Marek: I converted the binary firmware blob to hex with hexdump. Then I grepped the file for gzip headers, and then extracted the gzipped parts out. The rootfs is squashfs-lzma.

    I have made some headway on openwrt.

    Comment by admin — July 1, 2010 #

  15. As for your rtp port issue, you can try running
    this; it should fix the rtp issue.

    iptables -t nat -A PREROUTING -i eth0 -p udp \
    -m udp --dport 10000:10100 -j DNAT \
    --to-destination ip here
    iptables -t nat -A PREROUTING -i eth0 -p udp \
    -m udp --dport 5060 -j DNAT \
    --to-destination ip here

    Comment by admin — July 1, 2010 #

  16. I’ve dumped the rootfs, I know it’s squashfs-lzma, I have even compiled squashfs-tools with the lzma patch-set, but I can’t unsquash it… Same errors as with normal unsquash…
    Regarding rtp ports – when I go back home, I’ll try this. Tell me one thing – the --to-destination IP is the IP of what? My voip device? Or the IP of the voip provider? Also, is ETH0 always the same? Or may it be some other interface?
    Btw. a few months ago I spoke with Sapido staff about my problem with voip. They even connected to me via team-viewer to see my configuration, but they failed to help me… They just said it’s not working because of the strange configuration of my linksys voip gate, but the gate is locked by the provider…

    Comment by Marek — July 2, 2010 #

  17. Hello! I’ve tried your iptables suggestions, and it failed… Same effect as when enabling DMZ for the pap2t (voip gate) or setting port forwarding. Even softphones won’t work… The only thing that’s keeping me from selling the gr-1222 is the great potential of that router (and its 64 MB of RAM).
    I’m awaiting your news about openwrt :)

    Comment by Marek — July 3, 2010 #

  18. Hi, I started telnet and tried to open the connection via open 192.168.1.1. After this, I get the screen: Please push a button to go on….. However, when I do this the connection is broken automatically (I first used “telnetd -l /bin/sh” in obama.asp).

    I have an external HD with 4 partitions, and only one is recognized by the router. How do I get access to the other ones?

    Also I'm not able to access all directories on my external drive via ftp. How can I solve this?

    I hope someone can help me. Thanks in advance.

    Comment by JP — July 24, 2010 #

  19. Hi! I have a GR 1102, but each time I try configuring my EC226 CDMA2000 EV-DO modem, it connects but after a short while disconnects and won't connect again until I reset the device.

    I hope someone can help figure out a solution. Thanks

    Comment by enseal — August 20, 2010 #
