Wow, so I've been independently analysing the Wireless Booster this week too and had no idea this thread existed! Anyway, looks like you guys have gone down a slightly different route than me (hooking up a serial cable was still on my todo list), but I'll contribute all my findings so far:
Telnet is supported by the device, it's just disabled on boot. There is an nvram variable TELNET_ENABLED (shown as TELNET_ENABLED=OFF in the log from ant_thomas). I believe that if you use 'setenv' and 'saveenv' commands in the CFE console to change it to TELNET_ENABLED=ON, it should work.
You can download the firmware image directly from the update web servers. Follow a similar process as defined here: https://code.google.com/p/sky-router-to … uto-Update
http://sb601.skyfirmware.com/timecheck/ … uct=skydsl (replace XXXXXXXXXX with a valid MAC address)
The response will contain something like: http://sb601.skyfirmware.com/?mac=XXXXX … uct=skydsl
And that will respond with a URL similar to http://download-ext.skyfirmware.com/S/A … 0.0.31.bin (AAA and BBB are a session)
That final URL will give you the AirTies_SB601_FW_220.127.116.11.bin
This firmware image extracts nicely with "binwalk -e AirTies_SB601_FW_18.104.22.168.bin":
5C0 5C0.7z AirTies_SB601_FW_22.214.171.124.bin DA580.squashfs squashfs-root
test@test:~/# ls squashfs-root/
bin dev etc lib mnt proc ramdisk root sbin sys tmp usr var webs webs-admin webs-guest webs.tar.lzma
The web.tar.gz is there (as you guys mentioned) and also extracts fine.
test@test:~/# ls webs/
air.css config.bin global images invalid_host.html lan lang.js login.html main.html menu_frame.html report tools wireless wizard_model.js cgi-bin errors homepage.html index.html js lang licence_information.html loginmain.html management ncsi.txt style top.html wizard.html
These addresses are stored in nvram (check for example f_rootfs_addr and f_rootfs_end):
uboot 0x00000000 - 0x0001ffff
config 0x00040000 - 0x0004ffff
asd 0x00050000 - 0x0005ffff
kernel 0x00060000 - 0x0042ffff
rootfs 0x00430000 - 0x007fffff
They match some of the addresses you have already.
As you guys have also noticed, this is a rebranded Airties 4400 and uses a skinned web interface. A lot of the original Airties web pages have been removed, but there are some still available (just the top navigation menu links disabled). All checks are done client-side by the Definitions.js file i.e. "var __DEF_HideLan_Menu = true;". You can use a web proxy (such as Burp proxy) to modify the Definitions.js file, to re-enable the menus. The most interesting one here is the page to save/restore the config. To do this, change:
var __DEF_ShowSaveConfigOnheToolsPage = false;
var __DEF_ShowRestoreConfigOnheToolsPage = false;
to:
var __DEF_ShowSaveConfigOnheToolsPage = true;
var __DEF_ShowRestoreConfigOnheToolsPage = true;
You can also enable the buttons in the webpage via Firebug or similar (they are hidden via display: none CSS).
Now when you go to Tools -> you should see the Backup and Restore buttons. Backup will give you a config.bin file. This file is CRC checked on Restore, so you can't modify it and re-upload as far as I can tell.
Using the same approach as above, you can enable the Report (syslog) menu by changing:
var __DEF_HideMenuReport = 1; -> var __DEF_HideMenuReport = 0;
This will allow you to set a remote syslog server; useful for debugging.
Other useful hidden webpages
Modify settings via SOAP API
The web interface uses a SOAP (?) interface to save/query settings. You can use this same interface to edit the config file, it just requires a POST to /cgi-bin/webapp, with the correct XML. For example, to disable automatic updates:
The best way to find valid XML requests is to use a proxy and record the requests to /cgi-bin/webapp
A UPNP Service appears to run on port 49152, but only for a while on first boot. You can query information from it, from /wps_device.xml and /wps_scpd.xml URLs
What's needed next for this project? Happy to help out
(Last edited by Atarii on 9 Jan 2014, 22:50)
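
The flash layout listed in the post above can be checked for unmapped ranges and overlaps before anyone relies on it for dumping or carving. This is an added example, not part of the original post: the table text is copied from the post, and the function names `parse_map` and `audit` are hypothetical.

```python
# Added example: sanity-check the flash layout quoted in the post.
# The table is copied from the post; all function names are hypothetical.
FLASH_MAP = """\
uboot 0x00000000 - 0x0001ffff
config 0x00040000 - 0x0004ffff
asd 0x00050000 - 0x0005ffff
kernel 0x00060000 - 0x0042ffff
rootfs 0x00430000 - 0x007fffff
"""

def parse_map(text):
    """Return [(name, start, end_inclusive)] sorted by start address."""
    parts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, start, dash, end = line.split()
        if dash != "-":
            raise ValueError(f"unexpected separator in {line!r}")
        start, end = int(start, 16), int(end, 16)
        if end < start:
            raise ValueError(f"{name}: end address before start address")
        parts.append((name, start, end))
    return sorted(parts, key=lambda p: p[1])

def audit(parts):
    """Find unmapped gaps and overlaps between consecutive regions."""
    gaps, overlaps = [], []
    cursor = 0  # first address not yet covered by any region
    for name, start, end in parts:
        if start > cursor:
            gaps.append((cursor, start - 1))
        elif start < cursor:
            overlaps.append((name, start, min(end, cursor - 1)))
        cursor = max(cursor, end + 1)
    return gaps, overlaps, cursor  # cursor is the implied flash size

if __name__ == "__main__":
    parts = parse_map(FLASH_MAP)
    for name, start, end in parts:
        print(f"{name:<7} {start:#010x}-{end:#010x} {(end - start + 1) // 1024:>5} KiB")
    gaps, overlaps, size = audit(parts)
    for lo, hi in gaps:
        print(f"unmapped {lo:#010x}-{hi:#010x} {(hi - lo + 1) // 1024} KiB")
    for name, lo, hi in overlaps:
        print(f"overlap  {name} {lo:#010x}-{hi:#010x}")
    print(f"implied flash size: {size // 1024 // 1024} MiB")
```

For the table as posted, this reports one unmapped 128 KiB range at 0x00020000-0x0003ffff, no overlaps, and an implied flash size of 8 MiB.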