
Huawei reverse engineering: legacy and new network elements surprises

Sometimes, reverse engineering for bug hunting reveals some fun stuff.

So of course, when you’re dealing with Core Network elements such as the Huawei MSC, MSC Proxy and the MSoftX3000 SoftSwitch, you don’t expect to find this piece of Chinese ASCII art of an octopus being killed by an angel (!):

[Screenshot (2013-05-23): the ASCII art and the build banner found in the firmware image]

We can see that internally this is called “Cool Beauty System 1.0.3”, build (?) 35808001, by HuaWei R&D CN (Research and Development, Core Network).

We also see that this design dates back to when Huawei was still spelled “HuaWei” internally, which is probably the 1980s, even though the build time of this firmware image (VxWorks Tornado based) is 2010.


Even less usual, but more interesting, is finding the PCB schematics in ASCII art (!!):

[Screenshot (2013-05-23): PCB schematics of the board drawn in ASCII art inside the firmware image]

That reveals it’s running (well… we saw that earlier) on the MPC750 PowerPC RISC processor by Freescale Semiconductor, Inc. See the Freescale datasheet “MPC750 RISC Microprocessor”, and note the JTAG interface described on page 15.

By googling the other components, you will find the pinout of each chip’s JTAG interface as well as the UART, and from there how to do in-circuit debugging (and dumping) of the bootrom.
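The first step in both findings above (the build banner and the ASCII-art schematics) is simply pulling readable runs out of the raw firmware image and separating multi-line drawings from ordinary strings. The script below is an added example, not P1 Security’s tooling or anything shipped by Huawei: a small `strings`-style scanner that keeps newlines inside a run so multi-line blocks survive, flags blocks dominated by drawing characters as ASCII art, and pulls version and build identifiers out of whatever it finds. The firmware blob, the octopus drawing and the banner text are constructed inline for the demonstration; the heuristics (`is_ascii_art` thresholds, the version/build regexes) are assumptions tuned for this sample, not derived from the real image.

```python
"""
Scan a raw firmware image for human-readable runs: multi-line blocks
(ASCII art, schematics) and version/build identifiers.
The sample blob below is constructed; it is not a real VxWorks image.
"""
import re

# Printable ASCII plus tab/CR/LF, so a multi-line drawing stays one run.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# Characters that dominate ASCII art and schematic drawings (assumption).
ART_CHARS = set("|/\\_-+=*#<>()[]{}^~'`.:;,\"")

VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+)\b")              # e.g. 1.0.3
BUILD_RE = re.compile(r"\b[Bb]uild\s*[:#]?\s*(\d{4,})\b")     # e.g. build 35808001


def printable_runs(blob: bytes, min_len: int = 4):
    """Yield (offset, text) for every run of printable bytes at least min_len long."""
    start = None
    for i, b in enumerate(blob):
        if b in PRINTABLE:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                yield start, blob[start:i].decode("ascii")
            start = None
    if start is not None and len(blob) - start >= min_len:
        yield start, blob[start:].decode("ascii")


def is_ascii_art(text: str, min_lines: int = 4, min_ratio: float = 0.4) -> bool:
    """Heuristic: several non-empty lines whose visible characters are mostly drawing chars."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < min_lines:
        return False
    visible = [c for ln in lines for c in ln if not c.isspace()]
    if not visible:
        return False
    art = sum(1 for c in visible if c in ART_CHARS)
    return art / len(visible) >= min_ratio


def find_identifiers(text: str) -> dict:
    """Pull version triplets and build numbers out of a run of text."""
    return {"versions": VERSION_RE.findall(text), "builds": BUILD_RE.findall(text)}


def scan(blob: bytes, min_len: int = 4) -> dict:
    """Classify every printable run as ASCII art or plain string and collect identifiers."""
    report = {"art_blocks": [], "strings": [], "versions": [], "builds": []}
    for off, text in printable_runs(blob, min_len):
        if is_ascii_art(text):
            report["art_blocks"].append((off, text))
        else:
            report["strings"].append((off, text.strip()))
        ids = find_identifiers(text)
        report["versions"] += ids["versions"]
        report["builds"] += ids["builds"]
    return report


# Constructed stand-in for the drawing found in the image (not the real one).
SAMPLE_ART = b"""
        _____
       /     \\
      | () () |
       \\  ^  /
        |||||
   ~~~~/|/|\\|\\~~~~
"""

# Constructed firmware-like blob: binary noise around a few embedded strings.
SAMPLE_IMAGE = (
    b"\x00\x01\x02\x7f\xff" * 16                                 # 80 bytes of noise
    + b"VxWorks\x00"                                             # short string
    + bytes(range(0x80, 0x100))                                  # 128 non-printable bytes
    + SAMPLE_ART                                                 # starts at offset 216
    + b"\x00\x00"
    + b"Cool Beauty System 1.0.3 build 35808001 HuaWei R&D CN\x00"
    + b"\xde\xad\xbe\xef" * 8
)

if __name__ == "__main__":
    result = scan(SAMPLE_IMAGE)
    for off, block in result["art_blocks"]:
        print(f"ASCII art block at 0x{off:x}:\n{block}")
    for off, s in result["strings"]:
        print(f"0x{off:x}: {s}")
    print("versions:", result["versions"], "builds:", result["builds"])
```

On a real image you would read the file into `blob` and probably raise `min_len` to cut noise; the point of keeping CR/LF in `PRINTABLE` is that plain `strings` splits a drawing into one hit per line, so the octopus and the schematic only become obvious once consecutive lines are kept together and scored as a block.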

Thanks to the Huawei engineers for these moments of fun and education. Is it best practice to teach reverse engineers what your hardware architecture looks like?

Oh… and thanks for the 4 new vulnerabilities added to the VKB (Vulnerability Knowledge Base) based on this reverse engineering and bug hunting session.

