Author Topic: Anyone know how to dump firmware from a Yinuo-Link network board?  (Read 998 times)


Offline thecomputerdude (Topic starter)

  • Newbie
  • Posts: 4
  • Country: us
Like the title says, I'm trying to assess a Yinuo-Link device that's been rebranded and re-flashed for any potential malicious code. Since it's pretty locked down and configured with a private SSH server, I have no normal way to access the data on it. The existing code is likely an OpenWRT/Gargoyle fork, though.

Observed boot-time network traffic suggests connections to Chinese C&C servers for firmware updates. The only component that's reportedly capable of accessing these addresses is the Quectel cellular modem, which has been removed during testing. Does anyone with sharper eyes than I happen to see test points on this board I could hook a UART or other serial adapter to? There is nothing on the board under the foam pads besides the power pins at the Phoenix connector.
 

Offline AndyBeez

  • Frequent Contributor
  • Posts: 855
  • Country: nu
Re: Anyone know how to dump firmware from a Yinuo-Link network board?
« Reply #1 on: May 14, 2022, 09:19:15 pm »
The layout looks very 'bog standard' for a domestic router. What is the CPU/SOC? There are no visible test points except... for the pins at JP1. This looks like a serial header.

One pin will be ground, one TX and the other RX. The fourth pin might be the 3V3 power rail. You can try connecting your serial UART to this, respecting the 3V3 rail. You'll just have to best-guess the pinout, baud speed and bit settings. 19200-8-N-1 is always a good start.

If this is a serial port, you should be able to read the OEM bootlog. Another feature of a serial connection can be that hitting RETURN [or another key] at power-on drops you into the bootloader prompt, granting access to the environment variables. You might then spot a local host address for a TFTP server.

If I am not mistaken, if the distro is OpenWRT-like, somewhere there should be a public repo (github?) with their code - either in full or as a fork of the main branch. Otherwise Yinuo-Link are taking an angle grinder to the open source license. If it's proprietary, then you are stuck. btw, some cellular modem cards have their own OS, which might be Android based. A whole new house of pain.

The bootloader and firmware are likely held inside the Winbond chip (U5/6) to the left of JP1. From the lo-res image, it's a jellybean SPI type. Is it a 2/4/8/16Mb flash size?

You might be able to read out U5/6 by attaching a SOIC clip directly. If not, you'll need to remove the chip, read it, and resolder it. Not so easy but this will give you all the bytes. This should include the bootloader, firmware and settings regions. Hopefully a bootlog will provide the file system mappings.

You can then use Linux strings to hunt for any E.T. phone home IP addresses. You should also be able to compare the SHA256 hashes against the 'official firmware'.

Try JP1 and get a bootlog.

Happy angle grinding :-/O
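Once a dump has been pulled from JP1 or read out of the Winbond chip, the last two steps AndyBeez describes (hunting the image for phone-home addresses with strings, and comparing SHA256 hashes against the official firmware) can be scripted. The block below is an added example written for this thread, not code from either poster or from Yinuo-Link/OpenWRT. It assumes the dump is a plain byte image of the flash; the SAMPLE_DUMP blob, the partition offsets and the reference digest are constructed placeholders, since the real layout would come from the bootlog and the real reference hash from the vendor's download.

```python
import hashlib
import hmac
import re
import string

# Constructed stand-in for the bytes read off the SPI flash. It is NOT a real
# image: a little binary noise, a few U-Boot-style environment strings, one URL
# and one run too short for `strings` to report.
SAMPLE_DUMP = (
    b"\x00\xff\x7fELF\x01\x01" + bytes(range(0, 32))
    + b"U-Boot 2016.01 (Mar 1 2021)\x00"
    + b"serverip=192.168.1.10\x00ipaddr=192.168.1.1\x00"
    + b"\x01\x02\x03"
    + b"http://update.example.invalid/fw/latest.bin\x00"
    + b"\x90\x90"
    + b"ab\x00"  # only two chars: below the minimum run length
    + b"bootargs=console=ttyS0,115200\x00"
)

# Printable ASCII as `strings` sees it: letters, digits, punctuation, space.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[\w.\-/:%?=&]+", re.IGNORECASE)


def extract_strings(data: bytes, min_len: int = 4):
    """Emulate `strings -n min_len`: return (offset, text) for each printable run."""
    runs, start = [], None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                runs.append((start, data[start:i].decode("ascii")))
            start = None
    if start is not None and len(data) - start >= min_len:
        runs.append((start, data[start:].decode("ascii")))
    return runs


def find_network_indicators(data: bytes, min_len: int = 4):
    """Pull IPv4 addresses and http(s) URLs out of the printable runs.

    Every hit is a lead to check against the bootlog and the OEM's known
    update hosts, not proof of a C&C server: OpenWRT images legitimately
    carry serverip/ipaddr defaults and vendor update URLs.
    """
    ips, urls = set(), set()
    for _offset, text in extract_strings(data, min_len):
        for candidate in IPV4_RE.findall(text):
            if all(int(octet) <= 255 for octet in candidate.split(".")):
                ips.add(candidate)
        urls.update(URL_RE.findall(text))
    return sorted(ips), sorted(urls)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def partition_digests(data: bytes, layout: dict):
    """Hash each region separately: a whole-chip dump also holds the bootloader
    and settings, so only the firmware partition can match the vendor image.
    `layout` maps a name to (offset, size), as recovered from the bootlog."""
    return {name: sha256_hex(data[off:off + size]) for name, (off, size) in layout.items()}


def matches_reference(digest_hex: str, reference_hex: str) -> bool:
    """Constant-time compare of a computed digest with the published one."""
    return hmac.compare_digest(digest_hex.lower(), reference_hex.lower())


if __name__ == "__main__":
    ips, urls = find_network_indicators(SAMPLE_DUMP)
    print("IPv4 addresses:", ips)
    print("URLs:", urls)
    # Placeholder layout: on real hardware take the offsets from the bootlog.
    layout = {"bootloader": (0, 40), "firmware": (40, len(SAMPLE_DUMP) - 40)}
    for name, digest in partition_digests(SAMPLE_DUMP, layout).items():
        print(f"{name}: {digest}")
```

On a real dump, run it as `python3 check_dump.py` after replacing SAMPLE_DUMP with `open("dump.bin", "rb").read()`; the region hashes are what you would put beside the vendor's published SHA256, and any address or URL that is not in the bootlog or the OEM's documented update hosts is the one to chase.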
 

