wiki:PS121

Hardware

ADM5120P embedded system. One Ethernet port, one USB 2.0 port. No obvious spots for serial or JTAG (possibly solder pads on the underside, below the USB port?).

Observed Behaviors

When booting normally, the PS121 requests an address via RARP and DHCP.

After assigning an address, the following ports are open:

PORT      STATE SERVICE
21/tcp    open  ftp
23/tcp    open  telnet
80/tcp    open  http
139/tcp   open  netbios-ssn
515/tcp   open  printer
631/tcp   open  ipp
3010/tcp  open  unknown
9100/tcp  open  jetdirect
34443/tcp open  unknown

Port 34443 is LPR. Port 3010? Who knows.

Identifying the Firmware

To identify the firmware version, telnet to port 21 on the print server and issue the 'help' command. For instance:

juri@hime:~$ telnet 10.200.0.203 21
Trying 10.200.0.203...
Connected to 10.200.0.203.
Escape character is '^]'.
220 Print Server Ready.
help
215 Print Server FW 6031

A newer version of the firmware is downloadable from Netgear.

Config Files

It is possible to use FTP to upload a configuration file to the unit. Configuration files use a very particular format.

To figure out how a configuration file is formatted, the following values were pulled from a firmware image. The firmware image contains a table of values: the strings in question, the value on the left side (which must be present in the configuration file), and a 'type' after the value.

Value Types

30: Unknown
06: Unknown
08: Bool (Enable|Disable)

Empty Config File

The following config file is meant as a template ONLY. Many of these settings will cause the machine to halt.

0001 BOX_NAME:PSXXXXXX (last half of mac address with PS at the beginning) (30)
0002 MAC_ADDR:(empty)
0006 IPXSPX_P:Disable
0012 TCPIP_P :Enable
0013 APTALK_P:Disable
0014 NETB_P:Disable
0040 P1_NAME:P1
0100 L1_PROUT:P1
0101 L1_PREST:
0102 L1_POSTR:
0103 L1_CHGLF:No
0120 L2_PROUT:P1
0121 L2_PREST:
0122 L2_POSTR:
0123 L2_CHGLF:No
0140 L3_PROUT:P1
0141 L3_PREST:
0142 L3_POSTR:
0143 L3_CHGLF:No
0501 LPT1MODE:Busy
4000 IP_ADDR:10.200.0.206
4001 GATEWAY:10.200.0.1
4002 MASK   :255.255.255.0
4010 TCP_INT:2
4011 TCP_CNT:254
4012 WINS_IP:0.0.0.0
4020 DHCP_MODE:Enable
5000 SMBGNAME:
5001 SMBDROP:No
5002 SMBDELAY:0
9000 BGN_DEF:
9001 END_DEF:
9005 SETPASS:
9007 GET_PID:
9008 SET_IP:
9009 ROM_CHECK: -- kills machine
9010 PRT_DIAG:
9011 PRT_DIAG0:
9020 PRT_STA:
9100 GET_CONF:
9101 GET_NCONF:
9102 GET_ACON:
9103 GET_UCON:

If you try to log in to the FTP server as a user " ", the machine will stop. If you put a CONFIG file that does not have a newline at the end, the machine will stop. If you issue 9009 ROM_CHECK:, the machine will stop.
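
A pre-upload check for the config-file halting conditions noted above, as an added example that is not part of the original page: it verifies the trailing newline, checks each line against the NNNN KEY:VALUE shape seen in the template, and flags entry 9009. The function name lint_config, the line regex, and the set of Bool keys (inferred from the template's Enable/Disable values) are assumptions.

```python
import re

# Line shape taken from the template above: 4-digit code, space, key
# (optionally space-padded), colon, value. Assumption: keys are limited
# to upper-case letters, digits and underscores, as in the template.
LINE_RE = re.compile(r"^(\d{4}) ([A-Z0-9_]+) *:(.*)$")

# Entries the page reports as stopping the unit.
HALTING_CODES = {"9009": "ROM_CHECK stops the unit"}

# Assumption: keys whose template value is Enable/Disable are type 08 (Bool).
BOOL_KEYS = {"IPXSPX_P", "TCPIP_P", "APTALK_P", "NETB_P", "DHCP_MODE"}


def lint_config(data: bytes) -> list[str]:
    """Return the problems found in a CONFIG file; an empty list means it passed."""
    problems = []
    if not data.endswith(b"\n"):
        problems.append("file does not end with a newline (unit stops)")
    text = data.decode("ascii", errors="replace")
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            problems.append(f"line {lineno}: not in 'NNNN KEY:VALUE' form")
            continue
        code, key, value = m.groups()
        if code in HALTING_CODES:
            problems.append(f"line {lineno}: {code} {HALTING_CODES[code]}")
        if key in BOOL_KEYS and value not in ("Enable", "Disable"):
            problems.append(f"line {lineno}: {key} must be Enable or Disable")
    return problems


# Constructed sample inputs, built from entries in the template above.
GOOD = b"0012 TCPIP_P :Enable\n4020 DHCP_MODE:Enable\n4002 MASK   :255.255.255.0\n"
BAD = b"0012 TCPIP_P :On\n9009 ROM_CHECK:\n4020 DHCP_MODE:Enable"

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_config(blob) or "ok")
```
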

The password [+_*] is burned into the unit's FTP service, but has not yet been useful.

Firmware Updating

The firmware update process appears to be similar to the nslug's update process.

Last modified on Jan 16, 2012, 11:20:46 AM