Google Fiber Jack Shell and GPON Configuration

Written 2020-08-12

Tags:UART Shell GPON Google Fiber 

After looking inside a Google Fiber Jack, I found a similar 0.1 inch header strip like was present on the Google Fiber Network Box. Guessing the pinouts to be the same (Ground at one end connected to ground plane, then PCB-TX, then PCB-RX), and the baud to be the same(115200), I was presented with U-boot. After politely asking U-boot to stop the autoboot sequence, I found I was unable to enter single-user mode through the normal methods(single,1,init=/bin/sh) and attempting to do so led the unit to boot normally, without even a login prompt.

After adding debug=1, we can see more printouts during startup, and a login prompt, but now we need the password.

Back to U-boot. We can use 'sf' to read Serial Flash into RAM, and 'md.b' to print RAM over the bootloader console. Equipped with 32MB of Flash, and not wanting to risk byte-drop by increasing the baud-rate, dumping the flash takes several hours, but after converting both line-endings then hex to binary, I'm greeted with a 33554432 byte file, which is exactly correct.

After running binwalk several times recusively and a little manual extraction, I'm able to locate the shadow file and hashes within. A quick run through hashcat with a wordlist reveals the passwords. I won't post the password here, but I was disappointed I didn't guess it.

After rebooting Linux with debug=1 and logging in, we can see:

JAAG45202481# cat /sys/devices/platform/gpon/info/infoGpon 

ONT Full Information:
SN[VENDOR ID]:                 4A:41:41:47 [JAAG]
SN[Serial Number]:             45:20:24:81
ONU ID:                        255
ONU STATE:                     1 [INITIAL]
INIT STATE:                    TRUE
OMCC Valid:                    FALSE
OMCC Port:                     65535
BER Interval:                  0
SD Threshold:                  9
SF Threshold:                  5
Guard Bits:                    0
Preamble Type1 Size:           0
Preamble Type2 Size:           0
Preamble Type3 Pattern:        0xAA
Preamble Type3 Range Size:     0
Preamble Type3 Oper Size:      0
Delimiter:                     0x00AB5983 [0x00AB5983]
Internal Delay:                6532 [0x1984]
Equalization Delay:            0 [0x0] (HW:0x0)
Final Delay:                   32
Const Idle Ploam:              [0xFF040000][0x00000000][0x00000000]
Const Serial Number Ploam:     [0xFF014A41][0x41474520][0x24810505]
Serial Number Mask Enable:     FALSE
Serial Number Mask Match Mode: NO MATCH
Debug Mode:                    FALSE
Overhead Manual Mode:          FALSE
JAAG45202481# uname -a
Linux GFiberONU #3 Fri Apr 4 12:48:22 PDT 2014 armv5tel

This was disclosed to Google on October 26,2020 because given the password used I didn't think this would be a big deal, and it wasn't, but I wanted to be sure. On Dec 17, 2020 they reviewed this post before publishing. From their response: "customers having code execution on these devices is part of the threat model, and shouldn't lead to any harm to the network or other users."