Linksys Velop WiFi 5 Hacking (CVE-2024-36821) | Ivan Glinkin

Walkthrough

analiser analyzer assembling CH341A debugger Debugger Module disassembling EEPROM Flash BIOS firmware flashrom hack hacking hardware iot linksys linsys linux logic logic analyzer lynksis lynksys macos module penetration testing pentest router terminal tty uart USB to UART velop waveshare WHW01v1 wifi

Linksys Velop WiFi 5 Hacking (CVE-2024-36821)

Ivan Glinkin 06.06.2024

IoT Hardware Penetration testing / Hacking against Linksys Velop WiFi 5 (WHW01v1) version 1.1.13.202617 (issued on September 18, 2020)

Useful links:

Web-site: https://www.ivanglinkin.com/
Twitter: https://twitter.com/glinkinivan
LinkedIn: https://www.linkedin.com/in/ivanglinkin/
Buy me a coffee: https://www.paypal.com/paypalme/iglinkin

Sponsor:

Telegram: https://t.me/EASM_HydrAttack
Twitter: https://twitter.com/EASM_HydrAttack
LinkedIn: https://www.linkedin.com/company/HydrAttack

Steps:

Disassembling
Extracting and analyzing the firmware
Get initial access
Escalate the privileges to root

Equipment:

Waveshare USB to UART Debugger Module -> Link
CH341A 24 25 Series EEPROM Flash BIOS USB Programmer Module -> Link
USB Logic Analyzer Set Mini Digital Pocket Size 8 Channel -> Link

Time frames:

00:10 – Intro
01:00 – Legal announcement
01:24 – Equipment
02:57 – Disassembling
08:58 – Disassembling deeply
11:48 – Extracting the firmware
18:18 – Analyzing the firmware
23:50 – Assemble back
26:57 – UART wires connection
44:27 – UART login
49:49 – Get in and enumeration
55:10 – Privilege escalation
01:02:08 – Get root access
01:09:56 – Wrapping up