NetLiteII

From Noisebridge
(Difference between revisions)
Jump to: navigation, search
(Location)
m (nburl)
 
(One intermediate revision by one user not shown)
Line 77: Line 77:
 
== Observations ==
 
== Observations ==
 
* The sign appears to reboot if you write a null byte '\x00' to port 700
 
* The sign appears to reboot if you write a null byte '\x00' to port 700
 +
* The read only snmp community is "public".
  
 
== Location ==
 
== Location ==
 
It's on the shop wall next to the mooninite. It has a network address and a usb cable hanging down next to the SIP phone. You can see the IP address on the display. Pwn it.
 
It's on the shop wall next to the mooninite. It has a network address and a usb cable hanging down next to the SIP phone. You can see the IP address on the display. Pwn it.
 +
 +
[[Category:Pages with a Noisebridge Tiny URL]]

Latest revision as of 04:04, 7 August 2012

  • Symon NetLite II [1]
  • Has DHCP client and grabs an IP address with no problem
Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-05-09 20:40 PDT
Interesting ports on 192.168.3.157 (old: 172.30.0.107):
Not shown: 997 closed ports
PORT    STATE SERVICE
23/tcp  open  telnet
80/tcp  open  http
700/tcp open  unknown
Starting Nmap 4.20 ( http://insecure.org ) at 2009-09-25 19:18 PDT
Interesting ports on 192.168.3.157:
Not shown: 1485 closed ports
PORT    STATE         SERVICE
69/udp  open|filtered tftp
137/udp open|filtered netbios-ns
161/udp open|filtered snmp
MAC Address: 00:00:E0:BC:2C:9B (Quadram)
  • Telnet port is open and connects without password. Once connected, typing "Logon=" gives you access to more settings.
SYMON NetLite II, Ver 2.60(181.21) 16x128 (Boot:175.01-S3d.BFE.fd13)
  System up time = 01:55:23
     Waiting On Connection
Statistics:                         Memory:   31195120 
   recvd packets =         0          used =   1324544(  4.2%) 
     bad packets =         0          free =  29870576( 95.7%) 
  queued packets =         0          blks = 4/264
  bytes received =         4          Msgs = 8 


                                   Refresh =   63Hz 
Serial Number   = 00.00.E0.BC.2C.9B   Name = Llama
     IP Address = 172.30.0.107        DHCP = 172.30.0.1
    Subnet Mask = 255.255.255.0        DNS = 172.30.0.1
Default Gateway = 172.30.0.1

CMD: 
  • "help" (after "logon=") outputs:
CMD's = Set Ip=n.n.n.n, Set SubNetMask=n.n.n.n, Set DHCP
        Set Gateway=n.n.n.n, Set WINS=n.n.n.n[, n.n.n.n], Set DNS=n.n.n.n,
        Set Name=name, Set Password=password, 
        Help Wireless, Help SNTP, LogOff, Exit, Reset, Help
        Show BOOT|FONT|APPL|ANIMATION|SNTP|WIRELESS
        Ping n.n.n.n, Arp, Clear
        CTRL-R = refresh display, CTRL-S = switch statistics, CTRL-D = exit
  • Communication with the sign is over port 700, but protocol is unknown and probably proprietary
  • Appears to require proprietary Symon Enterprise Server software in order to display messages.
  • It is running a TFTP server
  • It's running a web server for configuring things. Running Micro-Web
  • Outdated setup manual for an old model: [2]
  • Other Mentions: [3] [4] (already emailed user)

[edit] Hardware

  • Running on an ARM-based Sharp SOC (Sharp LH7A400-N0B)
  • Marked "Symon Communications / 201-1700-A01 / Rev D / 12/03/03"
  • 20-pin header marked "JTAG" -- presumably regular 20-pin ARM JTAG.
  • Some photos of the board here from jof
  • Photos from edrabbit
  • On-board flash -- 2x Sharp LH28F320BFE. Datasheet: File:SharpLH28F320BFE.pdf
  • On-board SDRAM -- 2x Samsung K4S281632F. Datasheet: File:SamsungK4S281632F.pdf

[edit] Observations

  • The sign appears to reboot if you write a null byte '\x00' to port 700
  • The read only snmp community is "public".

[edit] Location

It's on the shop wall next to the mooninite. It has a network address and a usb cable hanging down next to the SIP phone. You can see the IP address on the display. Pwn it.

Personal tools