Hacking an Axis 9010 Bluetooth AP

This information is from ~2002, and so may be extremely out of date or useless.

Overview

This device behaves much like an ordinary home router/firewall or 802.11b access point, except that the clients it gateways onto the wired network are Bluetooth devices rather than Ethernet or Wi-Fi ones.

It runs uClinux, an embedded Linux for processors without an MMU (the /proc/cpuinfo excerpt below shows an Etrax CPU with "mmu: no"). By default, ftp and http are the only running services. A telnet server is installed, but it is disabled by default. The web server is boa. The obvious use of the web server is configuring the device (as on other routers). The not-so-obvious use is running semi-hidden administration cgi scripts under /admin-bin/. One of these scripts, editcgi.cgi, lets you edit text files stored in /tmp or /mnt/flash, which matters because, as described next, /etc lives on /mnt/flash.

About /mnt/flash: it is /dev/flash2, a writable partition on the device's flash chip that stores files (224 kB according to the df output below). Changes persist when power is disconnected, but when the reset button is used to restore factory defaults, the flash file system is overwritten with a default configuration. The important thing to note is that /etc is a symlink to /mnt/flash/etc, so every configuration file, /etc/inittab included, is both persistent and editable through the cgi script.

Doing Stuff

By connecting via ftp and poking around a bit, I noticed that an inetd server was installed, but is not run by default. Running the inetd server is all that is needed to enable telnet access (a telnet service is run by inetd when a connection is made). I found that /etc/inittab contained a line to start the inetd server, but it is commented out by default. So I accessed http://10.1.61.240/admin-bin/editcgi.cgi, selected /etc/inittab as the file to edit, and changed #inet:3:respawn:/sbin/inetd -n to inet:3:respawn:/sbin/inetd -n

Voilà, telnet access. Since there is very little space on the root file system (df below shows /dev/root as a full 3.4 MB image), many standard Unix commands are missing: grep, less, gcc, vi, emacs and pico, to name a few. The login shell is sash, which provides a handful of basic commands as built-ins instead.
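The inittab edit above, done as a script instead of by hand in editcgi.cgi, as an added example that is not from the original write-up or from Axis. It parses inittab entries, toggles the inetd line idempotently without disturbing the rest of the file, and, turned around, audits an inittab against a baseline so the same edit can be spotted on a device you did not make it on. The sample inittab is constructed: only the inet line is taken from the text, and the other entries, the baseline ident list and the absence of any file transfer (fetching the file over ftp or the cgi form is left to the reader) are assumptions.

```python
"""Toggle and audit the inetd entry in a uClinux-style /etc/inittab.

Added example for this write-up, not code from the original page or from
Axis. The inittab below is constructed: only the inet line is quoted in the
text; the other entries and the audit baseline are assumptions.
"""
from dataclasses import dataclass

# Constructed sample of a factory /etc/inittab. Only the inet line comes from
# the write-up; the other entries are assumed for illustration.
SAMPLE_INITTAB = """\
# /etc/inittab (constructed sample)
id:3:initdefault:
boa:3:respawn:/usr/sbin/boa
ftpd:3:respawn:/usr/sbin/ftpd
#inet:3:respawn:/sbin/inetd -n
"""

# The exact line edited in the write-up (without the leading '#').
INET_LINE = "inet:3:respawn:/sbin/inetd -n"

# Idents expected in a factory inittab. Assumption used as the audit baseline.
BASELINE_IDS = {"id", "boa", "ftpd"}


@dataclass(frozen=True)
class Entry:
    ident: str
    runlevels: str
    action: str
    process: str


def parse_inittab(text):
    """Return the active (uncommented) entries of an inittab.

    The format is id:runlevels:action:process; the process field may itself
    contain colons (in arguments), so split at most three times.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)
        if len(parts) != 4:
            continue  # malformed line; skip it
        entries.append(Entry(*parts))
    return entries


def set_inetd(text, enable):
    """Return inittab text with the inetd line enabled or commented out.

    Idempotent, and every other line is preserved byte for byte, which is
    what you want when the file lives on a 224 kB flash partition that you
    can only edit through a web form.
    """
    out, found = [], False
    for raw in text.splitlines():
        if raw.lstrip("#").strip() == INET_LINE:
            found = True
            out.append(INET_LINE if enable else "#" + INET_LINE)
        else:
            out.append(raw)
    if not found:
        raise ValueError("no inetd entry found in inittab")
    return "\n".join(out) + "\n"


def inetd_enabled(text):
    """True if init will respawn /sbin/inetd, i.e. telnet will be reachable."""
    return any(
        e.action == "respawn" and e.process.split()[:1] == ["/sbin/inetd"]
        for e in parse_inittab(text)
    )


def audit(text):
    """Active entries outside the baseline, as (ident, process) pairs.

    On this AP an active 'inet' entry means someone turned telnet on.
    """
    return [(e.ident, e.process)
            for e in parse_inittab(text) if e.ident not in BASELINE_IDS]


if __name__ == "__main__":
    patched = set_inetd(SAMPLE_INITTAB, True)
    print(patched)
    print("inetd enabled:", inetd_enabled(patched))
    print("audit findings:", audit(patched))
```

The audit side is the part worth keeping around: because /etc is on the persistent flash partition, a change like this survives reboots and only a factory reset removes it, so comparing the live inittab against a known-good copy is the cheap way to notice that an AP has grown a telnet service.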

Excerpts

First the login banner and prompt, then some commands. The number in the prompt is the pid of the login shell (it changes from 567 to 594 partway through, where a new shell was started). Oh yeah, and "cat /proc/kcore" is not usually a good idea…

Linux 2.0.38 (Dan118d-Bluetooth-AP) (ttyp0)


Dan118d-Bluetooth-AP login: root
Password:

Sash (version 2.2)
567# cd /proc



567# cat cpuinfo
cpu             : Etrax
cpu revision    : 11
cpu model       : Unknow
cache size      : 0 kB
fpu             : no
mmu             : no
ethernet        : 10 Mbp
token ring      : no
scsi            : no
ata             : no
usb             : no
irq bug         : no
bogomips        : 99.84



567# cat version
Linux version 2.0.38 (pkj@saur) (gcc version 2.96 20000427
 (experimental)) #16 Tue Jan 8 06:38:34 EST 2002
567# cat devices
Character devices:
 1 mem
 2 pty
 3 ttyp
 4 ttyp
 5 cua
60 Flash/ROM device
120 etrax gpio
124 ttyBT

Block devices:
 1 ramdisk
31 Kernel ROM disk
60 Flash/ROM device
567# cat filesystems
        romfs
        ext2
nodev   proc
nodev   nfs
        jffs



567# cat serial
Current time: 8007.489687

ttyS0:
rx_pending:            0
max_rx_pending:        0
rx_tot:                0
tx_tot:                0
last_tx_active:        0.000000
last_rx_active:        0.000000
overrun_cnt:           0
early_errors_cnt:      0
ser_ints_ok_cnt:       0
errors_cnt:            0
timeout_flush_cnt:     0
rx_dma_ints:           0
tx_dma_ints:           0
tty->flip.count:       -1
        
ttyS1:
rx_pending:            0
max_rx_pending:        0
rx_tot:                0
tx_tot:                0
last_tx_active:        0.000000
last_rx_active:        0.000000
xmit_cnt:              0
overrun_cnt:           0
early_errors_cnt:      0
ser_ints_ok_cnt:       0 
errors_cnt:            0
timeout_flush_cnt:     0
rx_dma_ints:           0
tx_dma_ints:           0
tty->flip.count:       -1

ttyS2:
rx_pending:            0
max_rx_pending:        0
rx_tot:                0
tx_tot:                1475
last_tx_active:        1444.569947
last_rx_active:        0.000000
xmit_cnt:              0
overrun_cnt:           0
early_errors_cnt:      0
ser_ints_ok_cnt:       0 
errors_cnt:            0
timeout_flush_cnt:     0
rx_dma_ints:           0
tx_dma_ints:           229
tty->flip.count:       0

ttyS3:
rx_pending:            0
max_rx_pending:        258
rx_tot:                7120
tx_tot:                6734
last_tx_active:        1627.065989
last_rx_active:        20.989114
xmit_cnt:              0
overrun_cnt:           0
early_errors_cnt:      8
ser_ints_ok_cnt:       320
errors_cnt:            0
timeout_flush_cnt:     319
rx_dma_ints:           320
tty->flip.count:       0



567# cat meminfo
Free pages:        6984kB
 ( 0*4kB 11*8kB 19*16kB 12*32kB 3*64kB 3*128kB 4*256kB
 1*512kB 0*1024kB 2*2048kB = 6984kB)
        total:    used:    free:  shared: buffers:  cached:
Mem:  12099584  4947968  7151616        0   790528   233472
Swap:        0        0        0
MemTotal:     11816 kB
MemFree:       6984 kB
MemShared:        0 kB  
Buffers:        772 kB
Cached:         228 kB
SwapTotal:        0 kB
SwapFree:         0 kB



594# cat interrupts
 2:     817202   timer
 3:       1578   fast timer int
 6:          0   Etrax 100 ethernet controller
 8:        328 + serial
16:       6734   Etrax 100 ethernet controller
17:       7032   Etrax 100 ethernet controller
18:        229   serial 2 dma tr
19:          0   serial 2 dma rec
20:        157   serial 3 dma tr
21:        320   serial 3 dma rec
22:          0 + serial 0 dma tr
23:          0 + serial 0 dma rec
24:          0 + serial 1 dma tr
25:          0 + serial 1 dma rec



594# df -h
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/root                 3441      3441         0 100% /
none                         0         0         0   -  /proc
/dev/flash2                224        92       132  41% /mnt/flash
/dev/ram0                  487        53       409  11% /tmp

Other Notes

Most of the web UI's html/php pages are in /usr/html. /usr/html/local is a symlink to /mnt/flash/etc/httpd/html, which is writable because it lives on the flash partition. So you can put your own web pages up, and maybe even put your own access restrictions on them?

I think boa does not have a php plugin, because it is meant to be simple. So to parse their php pages, I think Axis pipes them through a php interpreter.

/tmp is a RAM disk (/dev/ram0 in the df output above) and is cleared on every reboot. /mnt/flash survives reboots but is cleared on a factory reset, and since /etc is a symlink to /mnt/flash/etc, anything you change there, the inittab edit included, goes back to factory defaults when you reset the AP. Default username and password are root and pass, by the way.