Standard User glossywhite (member), Thu 24-Jul-14 21:49:05

[NEW] Bright Box 1 - latest (patched, 2014) firmware

Here is the freshly ripped, latest firmware for Bright Box 1:

Screenshot of updated versions: https://farm4.staticflickr.com/3906/14549855780_1271...

Updates you to:
Runtime Code Version: v0.10.06.0001-OT (Wed Jan 22 22:50:41 2014)

Please see Scott Helme's fine article for more details:

https://scotthelme.co.uk/ee-brightbox-router-hacked/



Firmware download:

https://www.sendspace.com/file/hnbzdf


Follow this guide to update your Bright Box 1 to the latest (vulnerability-patched) firmware, which was released in response to Scott Helme's fine work earlier this year:


http://the-scream.co.uk/forums/showpost.php?p=242300...



## Don't wait for EE to update your Bright Box 1 - do it yourself, now - if you wait for EE, you could be waiting another two years! ##

!! IMPORTANT NOTE !!

If your bootloader (Advanced setup >> System) is newer than:

"Boot Code Version: v1.00.09.0002-OT (Wed Nov 9 10:21:21 2011)"


... then I wouldn't advise updating the bootloader image in this ZIP, as it is very likely older than your current installed bootloader. I had to downgrade mine for experimenting, last week, *before* I discovered my NAND backup method. It should work just fine - my Bright Box 1 is using the older (downgraded) bootloader and I have no issues.

[EDIT]

The bootloader may be updated by using the "bootldr" file inside THIS archive:

https://www.dropbox.com/s/r7e4zvfyyosdanh/Bright_Box...

Thank you :)

Edited by glossywhite (Thu 24-Jul-14 22:06:20)

Standard User Vincent517 (newbie), Fri 25-Jul-14 15:16:18

Re: [NEW] Bright Box 1 - latest (patched, 2014) firmware *DELETED*

[re: glossywhite]

Post deleted by Vincent517

Standard User Vincent517 (newbie), Fri 25-Jul-14 15:31:15

Re: [NEW] Bright Box 1 - latest (patched, 2014) firmware

[re: glossywhite]

It is interesting.
There is no firmware/bootloader download link on EE's website.
However, the firmware/bootloader provided in this post seems to be formal firmware and totally compatible with Bright Box 1.
May I know the skill to rip them from the box?
Thanks

Edited by Vincent517 (Fri 25-Jul-14 16:18:22)


Standard User glossywhite (member), Fri 25-Jul-14 18:30:54

How to backup new Bright Box 1 firmware (educational)

[re: Vincent517]

In reply to a post by Vincent517:
It is interesting.
There is no firmware/bootloader download link on EE's website.
However, the firmware/bootloader provided in this post seems to be formal firmware and totally compatible with Bright Box 1.
May I know the skill to rip them from the box?
Thanks


How I ripped the firmware:


On the older firmware versions, you could get into "manufactory" mode by going to:

http://192.168.1.1/u132xzp32aai.htm

... and entering m;56ek as the password. On the latest firmware, you can type the password but the page just refreshes as if it's rejected it, and the "manufactory" button never appears. Therefore, I reached for one of my OLD OLD Orange Bright Box 1's, and did this:

## Preparation - connect a serial console to the Bright Box 1 (the newest-firmware one, from which we are ripping the NAND blocks) - make sure you know how to do this, and use PuTTY/gtkterm (Ubuntu/Linux) to connect at 115200 8N1 ##

DO ALL THESE STEPS OVER ETHERNET!

#1 Ensure you are logged in to OLD Bright Box 1 and NEW Bright Box 1 (the one to rip from)

#2 On the OLD (Orange) Bright Box 1, go to: http://192.168.1.1/u132xzp32aai.htm

#3 Enter "5;m6ek" (no quotes!) if necessary, then click the "manufactory" button (the ONLY button)

#4 When the JavaScript popup appears to confirm the "manufactory" mode reboot, DO NOT CLICK IT YET; remove your ethernet cable from the OLD Bright Box 1 (Orange/EE) and plug it into the NEW (latest firmware) Bright Box 1, then on the JavaScript popup CLICK OK WITHIN TWO SECONDS - if you leave it too long, the page will reset and you'll need to start over.

#5 New Bright Box 1 will now reboot into "manufactory" mode, and you'll see this confirmed on the serial console. Keep pressing CTRL+C on serial console until you see a root prompt...

#6 Once you see a root prompt (serial console) type "killall5" [return key]

#7 Insert a FAT32 USB stick (I used 64GB, but use 1GB-8GB, whatever) and in serial console, navigate to the USB flash drive by doing:

cd /mnt/<name_of_usb_drive> and remain in that directory


#8 Now, to backup firmware, run these commands one at a time, pressing [return key] after each command:

cat /dev/mtd0 > manuf
cat /dev/mtd1 > nvram
cat /dev/mtd2 > rootfs
cat /dev/mtd3 > priimg
cat /dev/mtd4 > pricfg
cat /dev/mtd5 > bootldr


Next, power off the Bright Box 1 (new one) and remove the USB key - et voilà! Backed up :)


In a nutshell, we're preparing and loading the page (and scripts) needed to send the relevant HTTP requests to the Bright Box to put it into "manufactory mode", using the (allowed) "manufactory" mode interface from older versions of the firmware. Once it gets to the crucial step where we are saying "Okay, DO IT!" - we swap the ethernet cable to the NEW box, and it sends all the commands to IT.

Once that is done and it reboots, we can access the root prompt and concatenate the NAND partitions out to block-level backup files, stored on our USB flash drive :)


I hope that helps you all :)


Thanks, Matt.
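As an added example (not part of this thread, and not anything from EE), here is a small POSIX shell check for the backup produced in step #8 above: it reads a saved copy of /proc/mtd and confirms each dump file is exactly its partition's size, since a cat interrupted mid-dump silently leaves a short file that would brick the box if flashed back. The partition table and sizes in the sample are constructed assumptions, not the real Bright Box 1 layout.

```shell
# Added example, not from the thread: verify raw NAND dumps made with
# "cat /dev/mtdN > name" against a saved /proc/mtd table. Each dump must
# be exactly its partition's size. The partition sizes in the constructed
# sample below are assumptions for illustration only.

# verify_mtd_dumps <saved copy of /proc/mtd> <directory holding the dumps>
# Prints one line per partition; returns the number of bad partitions.
verify_mtd_dumps() {
    table="$1"; dir="$2"; bad=0
    while read -r dev size erase name; do
        case "$dev" in mtd*) ;; *) continue ;; esac   # skip the "dev:" header row
        name=${name#\"}; name=${name%\"}              # "manuf" -> manuf
        expected=$((0x$size))                          # size column is hex bytes
        file="$dir/$name"
        if [ ! -f "$file" ]; then
            echo "MISSING $dev ($name): no dump file"; bad=$((bad + 1)); continue
        fi
        actual=$(wc -c < "$file" | tr -d ' ')
        if [ "$actual" -ne "$expected" ]; then
            echo "SHORT   $dev ($name): $actual of $expected bytes"; bad=$((bad + 1))
        else
            echo "OK      $dev ($name): $actual bytes, sha256 $(sha256sum "$file" | cut -c1-16)..."
        fi
    done < "$table"
    return "$bad"
}

# make_sample_backup <dir>: writes a constructed /proc/mtd table using the six
# partition names from the post, plus zero-filled dumps of matching size.
make_sample_backup() {
    mkdir -p "$1"
    cat > "$1/mtd.txt" <<'EOF'
dev:    size   erasesize  name
mtd0: 00020000 00010000 "manuf"
mtd1: 00020000 00010000 "nvram"
mtd2: 00400000 00010000 "rootfs"
mtd3: 00200000 00010000 "priimg"
mtd4: 00020000 00010000 "pricfg"
mtd5: 00040000 00010000 "bootldr"
EOF
    for p in manuf:131072 nvram:131072 rootfs:4194304 priimg:2097152 pricfg:131072 bootldr:262144; do
        dd if=/dev/zero of="$1/${p%%:*}" bs="${p#*:}" count=1 2>/dev/null
    done
}

# Demo: a complete backup passes; then truncate one dump and see the check fail.
demo_dir=$(mktemp -d); make_sample_backup "$demo_dir"
verify_mtd_dumps "$demo_dir/mtd.txt" "$demo_dir" && echo "backup complete"
dd if=/dev/zero of="$demo_dir/pricfg" bs=4096 count=1 2>/dev/null   # simulate an interrupted cat
verify_mtd_dumps "$demo_dir/mtd.txt" "$demo_dir" || echo "$? partition(s) need re-dumping"
```

Run it on the PC after pulling the USB stick, with /proc/mtd copied off the serial console into mtd.txt beside the dumps.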
Standard User Vincent517 (newbie), Sat 26-Jul-14 08:37:14

Re: How to backup new Bright Box 1 firmware (educational)

[re: glossywhite]

This method is cool.
#4 is very tricky. I like it.
Since I only have one Bright Box 1, I think that I can't copy your steps at my site.
Thanks for sharing this fancy method to rip firmware with me.
Standard User glossywhite (member), Sat 26-Jul-14 15:10:28

Re: How to backup new Bright Box 1 firmware (educational)

[re: Vincent517]

In reply to a post by Vincent517:
This method is cool.
#4 is very tricky. I like it.
Since I only have one Bright Box 1, I think that I can't copy your steps at my site.
Thanks for sharing this fancy method to rip firmware with me.


Thank you Vincent :) it was what immediately sprung to mind as the simplest way to accomplish the task. I am sure there is a more elegant solution, but this one worked. I am sure there was some way I could capture the requests that page sends to the box - I took a long scroll through Firefox's "Live HTTP Headers" (one of the tools I use) but couldn't see anything obvious - (HTTP is not my strong point) - we'll get there :)

<inquisitive mode ON>

I wonder if this same attack vector could be deployed against the Bright Box 2 to gain root prompt?

<inquisitive mode PERSISTENT>
Standard User glossywhite (member), Sun 27-Jul-14 22:47:51

Re: How to backup new Bright Box 1 firmware (educational)

[re: glossywhite]

Okay, sending the "manufactory mode" header from BB1 to BB2 didn't work. I'll keep investigating. :)
Standard User Vincent517 (newbie), Tue 29-Jul-14 07:56:27

Re: How to backup new Bright Box 1 firmware (educational)

[re: glossywhite]

Got it.
I don't have a Bright Box 2.
So, I can do nothing on this investigation.
But I think that it makes sense, since BB1 and BB2 are two different products.

Edited by Vincent517 (Tue 29-Jul-14 08:00:57)