NetLiteII

From Noisebridge
Revision as of 04:04, 7 August 2012 by Eric Vinyl (talk | contribs) (nburl)
Jump to navigation Jump to search
  • Symon NetLite II [1]
  • Has DHCP client and grabs an IP address with no problem
Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-05-09 20:40 PDT
Interesting ports on 192.168.3.157 (old: 172.30.0.107):
Not shown: 997 closed ports
PORT    STATE SERVICE
23/tcp  open  telnet
80/tcp  open  http
700/tcp open  unknown
Starting Nmap 4.20 ( http://insecure.org ) at 2009-09-25 19:18 PDT
Interesting ports on 192.168.3.157:
Not shown: 1485 closed ports
PORT    STATE         SERVICE
69/udp  open|filtered tftp
137/udp open|filtered netbios-ns
161/udp open|filtered snmp
MAC Address: 00:00:E0:BC:2C:9B (Quadram)
  • Telnet port is open and connects without password. Once connected, typing "Logon=" gives you access to more settings.
SYMON NetLite II, Ver 2.60(181.21) 16x128 (Boot:175.01-S3d.BFE.fd13)
  System up time = 01:55:23
     Waiting On Connection
Statistics:                         Memory:   31195120 
   recvd packets =         0          used =   1324544(  4.2%) 
     bad packets =         0          free =  29870576( 95.7%) 
  queued packets =         0          blks = 4/264
  bytes received =         4          Msgs = 8 


                                   Refresh =   63Hz 
Serial Number   = 00.00.E0.BC.2C.9B   Name = Llama
     IP Address = 172.30.0.107        DHCP = 172.30.0.1
    Subnet Mask = 255.255.255.0        DNS = 172.30.0.1
Default Gateway = 172.30.0.1

CMD: 
  • "help" (after "logon=") outputs:
CMD's = Set Ip=n.n.n.n, Set SubNetMask=n.n.n.n, Set DHCP
        Set Gateway=n.n.n.n, Set WINS=n.n.n.n[, n.n.n.n], Set DNS=n.n.n.n,
        Set Name=name, Set Password=password, 
        Help Wireless, Help SNTP, LogOff, Exit, Reset, Help
        Show BOOT|FONT|APPL|ANIMATION|SNTP|WIRELESS
        Ping n.n.n.n, Arp, Clear
        CTRL-R = refresh display, CTRL-S = switch statistics, CTRL-D = exit
  • Communication with the sign is over port 700, but protocol is unknown and probably proprietary
  • Appears to require proprietary Symon Enterprise Server software in order to display messages.
  • It is running a TFTP server
  • It's running a web server for configuring things. Running Micro-Web
  • Outdated setup manual for an old model: [2]
  • Other Mentions: [3] [4] (already emailed user)

Hardware

  • Running on an ARM-based Sharp SOC (Sharp LH7A400-N0B)
  • Marked "Symon Communications / 201-1700-A01 / Rev D / 12/03/03"
  • 20-pin header marked "JTAG" -- presumably regular 20-pin ARM JTAG.
  • Some photos of the board here from jof
  • Photos from edrabbit
  • On-board flash -- 2x Sharp LH28F320BFE. Datasheet: File:SharpLH28F320BFE.pdf
  • On-board SDRAM -- 2x Samsung K4S281632F. Datasheet: File:SamsungK4S281632F.pdf

Observations

  • The sign appears to reboot if you write a null byte '\x00' to port 700
  • The read only snmp community is "public".

Location

It's on the shop wall next to the mooninite. It has a network address and a usb cable hanging down next to the SIP phone. You can see the IP address on the display. Pwn it.