Saturday 24 February 2007

Oscilloscope action

Right, since it looks like subverting the firmware upgrade is going to require work to crack or circumvent the encryption, maybe there's an easier way in.

Perhaps a serial console, left in for testing purposes, is just waiting to be found on the Barracuda board?

First, those pins on the headers which have obvious uses (power, display, keypad, USB etc.) were identified. Then the rest of the pins, including the test points on the back of the board, were monitored with an oscilloscope during startup in the hope of identifying something that looked like the Tx line of a UART. Nothing. Back to the drawing board.
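For what "looked like the Tx line of a UART" means in practice, here is an added example (not code from the original post) that screens a captured logic-level trace for UART output: a TX line idles high, and every byte is a low start bit, eight data bits LSB first and a high stop bit (8N1). The sample rate, the standard baud-rate table and the test waveform are all constructed for the example; real captures would come from a logic analyser or a scope export.

```python
"""Added example, not from the original post: screening a captured trace for
a UART TX line.  The functions take a list of logic levels (0/1) sampled at
a known rate, guess the baud rate from the shortest pulse in the trace and
decode 8N1 frames by sampling the middle of each bit.  The sample rate and
the test waveform are constructed assumptions."""

SAMPLE_RATE = 1_000_000            # assumption: 1 MS/s capture
STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200)


def encode_8n1(text, samples_per_bit, idle=20):
    """Constructed test signal: render text as an idle-high 8N1 waveform."""
    samples = [1] * idle
    for byte in text.encode():
        frame = [0] + [(byte >> k) & 1 for k in range(8)] + [1]
        for bit in frame:
            samples.extend([bit] * samples_per_bit)
    samples.extend([1] * idle)
    return samples


def run_lengths(samples):
    """Collapse the trace into [level, length] runs."""
    runs = []
    for s in samples:
        if runs and runs[-1][0] == s:
            runs[-1][1] += 1
        else:
            runs.append([s, 1])
    return runs


def estimate_baud(samples, sample_rate=SAMPLE_RATE, tolerance=0.10):
    """Return (baud, samples_per_bit), or None if the trace does not look like
    UART output.  The shortest run between the idle periods is taken as one
    bit time (real console output nearly always contains a single-bit pulse)
    and must land within `tolerance` of a standard baud rate; the line must
    also idle high.  A flat line or an unrelated clock fails both tests."""
    runs = run_lengths(samples)
    if len(runs) < 3 or runs[0][0] != 1:
        return None
    shortest = min(length for _, length in runs[1:-1])
    estimate = sample_rate / shortest
    for baud in STANDARD_BAUDS:
        if abs(estimate - baud) / baud <= tolerance:
            return baud, shortest
    return None


def decode_8n1(samples, samples_per_bit):
    """Decode 8N1 frames; returns (bytes, framing_error_count)."""
    out = bytearray()
    errors = 0
    n = len(samples)
    step = samples_per_bit
    i = 1
    while i < n:
        if not (samples[i - 1] == 1 and samples[i] == 0):
            i += 1                           # not a start-bit edge
            continue
        mid = i + step // 2                  # centre of the start bit
        if mid + 9 * step >= n:
            break                            # truncated frame at end of trace
        if samples[mid] != 0 or samples[mid + 9 * step] != 1:
            errors += 1                      # bad start/stop bit: not a frame
            i += 1
            continue
        byte = 0
        for k in range(8):                   # data bits, LSB first
            byte |= samples[mid + (k + 1) * step] << k
        out.append(byte)
        i = mid + 9 * step                   # resume from the stop bit
    return bytes(out), errors


if __name__ == "__main__":
    trace = encode_8n1("Boot\n", 104)        # 9600 baud at 1 MS/s is ~104 samples/bit
    guess = estimate_baud(trace)
    print("baud guess:", guess)
    if guess:
        print(decode_8n1(trace, guess[1]))
```

The shortest-run heuristic is the usual first pass; it is fooled by a burst made only of 0x00 bytes (no single-bit pulses), which is why the framing-error count is returned too: a candidate pin whose decode yields mostly framing errors is probably not a UART at that rate.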

Friday 16 February 2007

Time for a bit of snooping

One of the most obvious routes to shell access would be to subvert the firmware upgrade process.

Using Ethereal to analyse network traffic turned up lots of interesting information about how the radio functions. Unfortunately it also showed that new firmware is transferred via an encrypted protocol - RTP (Reciva Transfer Protocol?). The curl application has been modified to implement this and accept URLs of the form "reciva://xxx.xxx.xxx".

Ideally it would have been possible to intercept a firmware upgrade, analyse the contents and produce a version which would enable a telnet or SSH server. The encryption makes this a tougher task.
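One way to confirm from a capture that a transferred image really is encrypted rather than plaintext is a byte-entropy check over the payload. The example below is added here and is not from the original post; both sample payloads are constructed (a repeated request header and a seeded pseudo-random blob standing in for an encrypted transfer, not real Reciva firmware), and the thresholds are rules of thumb.

```python
"""Added example, not from the original post: judge whether a captured
payload looks encrypted or compressed (entropy near 8 bits/byte) or like
plaintext and uncompressed code (well below that).  Sample payloads and
thresholds are constructed assumptions."""

import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 to 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_payload(data: bytes, window: int = 1024) -> dict:
    """Entropy per window plus a coarse verdict.  Thresholds are assumptions:
    above 7.5 bits/byte reads as encrypted or compressed, below 6.0 as
    plaintext or uncompressed code; anything between is reported as mixed."""
    windows = [data[i:i + window] for i in range(0, len(data), window)]
    scores = [shannon_entropy(w) for w in windows]
    mean = sum(scores) / len(scores) if scores else 0.0
    if mean > 7.5:
        verdict = "high-entropy (encrypted or compressed)"
    elif mean < 6.0:
        verdict = "low-entropy (plaintext or uncompressed)"
    else:
        verdict = "mixed"
    return {"mean_entropy": round(mean, 2), "windows": scores, "verdict": verdict}


# Constructed sample 1: a plaintext request header repeated to fill windows.
PLAINTEXT_PAYLOAD = (b"GET /firmware/image.bin HTTP/1.0\r\nHost: updates.example\r\n"
                     b"User-Agent: curl\r\n\r\n") * 40

# Constructed sample 2: seeded pseudo-random bytes standing in for an
# encrypted blob, so the run is repeatable.  Not real firmware.
_rng = random.Random(2007)
ENCRYPTED_LIKE_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for name, payload in (("header", PLAINTEXT_PAYLOAD),
                          ("blob", ENCRYPTED_LIKE_PAYLOAD)):
        result = classify_payload(payload)
        print(f"{name}: {result['mean_entropy']} bits/byte -> {result['verdict']}")
```

Windowing matters more than the overall figure: a plaintext header followed by an encrypted body shows up as a low-entropy first window and high-entropy remainder, which is exactly the shape you would expect from a transfer protocol that wraps an encrypted image.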