Gaining root on Samsung FemtoCells

Written 2011-07-17

Tags: SCS-2U01, Serial port, Samsung, SCS-26UC, SCS-26UC4, serial, root

To summarize the steps needed to take over a femtocell:
  1. Build a serial cable.
  2. Find your baud rate: the SCS-2U01 is 115200:8N1; the Sprint Airave and SCS-24UC4 are 57600:8N1.
  3. Retrieve the bootloader key from their source code drop by diffing their u-boot against mainline u-boot (hint: it is "sys\r").
  4. Log into u-boot using the above key. The login window is time-limited, and the timeout differs between devices.
  5. Go read the u-boot manual so I don't have to cover the nitty-gritty here.
  6. Save a copy of the u-boot settings by logging your console and running `printenv`.
  7. Quickly turn off the hardware watchdog with `setenv watchdog_off 1`. Otherwise it is a real nuisance.
  8. Root the device by adding `init=/bin/sh` to $ramboot.
  9. Boot the device with `onandboot`.
  10. Almost there: at the "sh-3.00#" prompt you have root, but very little is mounted (/etc/shadow is present, though).
  11. `insmod` mdoc/tffs.ko and mdoc/tffsbd.ko from /lib/modules/<yourkernelhere>/.
  12. `mount /dev/tffsa1 /mnt/mdoc` brings up the main disk.
  13. `mount /proc` and `mount /sys`.
  14. `mkdir /mnt/mdoc`
  15. `mkdir /mnt/mdoc/RFS`
  16. `mdoc_cp RFAB /mnt/mdoc/RFS/append_rfs.tgz 900000`
  17. `cd /mnt/mdoc/RFS`
  18. `tar xzfm append_rfs.tgz`
  19. Copy the created directories over / as needed.
  20. Bring up GPS with `insmod /mnt/mdoc/RFS/PATH_MODE/lib/modules/GpsCtrlDev.ko`.
  21. You can now fiddle around with the device. Keep in mind that many of the read/write areas will actually store results in RAM for now, but you may get a 'No space left on device' error if you write too much.
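The two u-boot settings that matter most in the steps above, the `watchdog_off` variable and an `init=` override in the boot arguments, are exactly what an operator or device owner would want to check for when deciding whether a unit's bootloader environment has been tampered with. The following audit script is an added example and not part of the original post: it parses a saved `printenv` console log (assumed to be plain `key=value` lines, which is what u-boot prints) and reports those two conditions. The sample dump is constructed for this example; the variable names follow the post, but the values are made up.

```python
"""Audit a saved U-Boot `printenv` dump for settings that indicate a
tampered bootloader environment: a disabled hardware watchdog and an
init= override in any variable that feeds the kernel command line.

Added example; the sample dumps below are constructed, not captured
from a real device."""
import re

# Constructed sample of a tampered environment. Variable names follow
# the post (watchdog_off, ramboot, bootargs); values are invented.
TAMPERED_PRINTENV = """\
bootdelay=3
baudrate=115200
watchdog_off=1
bootargs=console=ttyS0,115200 root=/dev/ram rw
ramboot=setenv bootargs ${bootargs} init=/bin/sh; onandboot
bootcmd=run ramboot
Environment size: 190/8188 bytes
"""

# Constructed sample of a clean environment for comparison.
CLEAN_PRINTENV = """\
bootdelay=3
baudrate=115200
bootargs=console=ttyS0,115200 root=/dev/ram rw
ramboot=setenv bootargs ${bootargs}; onandboot
bootcmd=run ramboot
Environment size: 160/8188 bytes
"""

# Variables that can end up on the kernel command line. `bootargs` is
# the direct one; the others are scripts that may rewrite it.
COMMAND_LINE_VARS = ("bootargs", "ramboot", "bootcmd")

# Matches init=<path> as a standalone token; stops at whitespace or ';'
# so that u-boot command separators are not swallowed into the path.
INIT_OVERRIDE = re.compile(r"(?:^|\s)init=([^\s;]+)")


def parse_printenv(text):
    """Turn `printenv` output into a dict of variable -> value.

    Lines without '=' (banners, the trailing 'Environment size' summary)
    are skipped. Only the first '=' splits, so values containing '=' survive.
    """
    env = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def audit_env(env):
    """Return a list of (severity, message) findings for one environment."""
    findings = []
    # Any non-zero value means the hardware watchdog will not reset the unit.
    watchdog = env.get("watchdog_off", "0")
    if watchdog != "0":
        findings.append(("high", f"hardware watchdog disabled (watchdog_off={watchdog})"))
    for name in COMMAND_LINE_VARS:
        match = INIT_OVERRIDE.search(env.get(name, ""))
        if match:
            findings.append(("high", f"{name} overrides init with {match.group(1)}"))
    return findings


def audit_printenv(text):
    """Convenience wrapper: parse a dump and audit it in one call."""
    return audit_env(parse_printenv(text))


if __name__ == "__main__":
    for label, dump in (("tampered", TAMPERED_PRINTENV), ("clean", CLEAN_PRINTENV)):
        print(f"== {label} ==")
        for severity, message in audit_printenv(dump) or [("info", "no findings")]:
            print(f"[{severity}] {message}")
```

Point it at a real console log with `audit_printenv(open("console.log").read())`; because the parser ignores anything without an `=`, the u-boot banner and prompt lines in a raw capture do not need to be stripped first.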

Interesting bits:
  1. The web interface (only available to Verizon) is running thttpd, and stores a hash in /udata/htdocs/.htpasswd
  2. The cgi web interface is a set of ARM binaries in /udata/htdocs/cgi-bin/
  3. Shadow passwords are used, but you're root anyhow
  4. Component versions are in /udata/image.ver and /udata/oper.ver
  5. iked-v.conf contains some very interesting settings, like 'set local psk XXXXXX'

This is written as a summary of work on the SCS-24UC4, although it should apply directly to the SCS-2U01 and Airave.
This was a collaboration by RSAXVC and Doug.