Huawei reverse engineering: legacy and new network elements surprises
Sometimes, reverse engineering for bug hunting reveals some fun stuff.
So of course, when you’re dealing with Core Network elements such as the Huawei MSC, MSC Proxy and SoftSwitch MSoftX 3000, you don’t expect to find this Chinese ASCII art of an octopus being killed by an angel (!):
We can see that internally, this is called “Cool Beauty System 1.0.3” build (?) 35808001, by HuaWei R&D CN (Research and Development Core Network).
We also see that this design dates back to when Huawei was spelled internally HuaWei, which is probably the 1980s, even though the build time of this firmware image (VxWorks Tornado based) is 2010.
And, even less usual but more interesting, you find the PCB schematics in ASCII art (!!):
That reveals it’s running (well… we saw that earlier) on a PowerPC RISC processor, the MPC750 by Freescale Semiconductor, Inc. Here is the datasheet, MPC750 RISC Processor by Freescale. Please note the JTAG interface on page 15.
By googling the other components, you will find the pinout of the JTAG interface of each chip as well as the UART, and how to do in-circuit debugging (and dumping) of the bootrom.
Thanks to the Huawei engineers for these moments of fun and education. Is it best practice to teach reverse engineers what your hardware architecture looks like?
Oh… and thanks for the 4 new vulnerabilities added in the VKB based on this reverse engineering and bug hunting session.
As for the precise firmware image this is about:
iovxst: IO board’s VxWorks image
PowerPC code, statically linked, not stripped (!)
MD5 (iovxst) = a4f166490b38d6e53c8399e41219ce96
Update path: setup/BamSetup/Package/data
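As an added illustration (my own code, not the author’s or Huawei’s), here is a small Python triage script that recovers from an ELF image the properties listed above (PowerPC, statically linked, not stripped), pulls out version banners like the “Cool Beauty System 1.0.3” string, and checks the MD5 against the value quoted above, which is the check an operator would run on the image sitting in the update path. The sample image it builds is constructed for the demonstration, not the real iovxst.

```python
import hashlib
import re
import struct

# MD5 of the real iovxst image as quoted in the post, used as the "known good" reference.
KNOWN_MD5 = {"iovxst": "a4f166490b38d6e53c8399e41219ce96"}
EM_PPC, SHT_SYMTAB, SHT_DYNAMIC = 20, 2, 6   # ELF e_machine / sh_type constants

def triage_firmware(name: str, image: bytes) -> dict:
    """Recover what `file` told the author (arch, linkage, stripped?) and verify the hash."""
    report = {"md5": hashlib.md5(image).hexdigest()}
    report["hash_matches_known"] = KNOWN_MD5.get(name) == report["md5"]
    if len(image) < 52 or image[:4] != b"\x7fELF" or image[4] != 1:   # EI_CLASS 1 = ELF32
        report["format"] = "not ELF32"
        return report
    e = ">" if image[5] == 2 else "<"                                 # EI_DATA 2 = big-endian
    e_machine = struct.unpack_from(e + "H", image, 18)[0]
    e_shoff = struct.unpack_from(e + "I", image, 32)[0]
    e_shentsize, e_shnum = struct.unpack_from(e + "HH", image, 46)
    # sh_type sits 4 bytes into each ELF32 section header
    sh_types = {struct.unpack_from(e + "I", image, e_shoff + i * e_shentsize + 4)[0]
                for i in range(e_shnum)}
    report["format"] = "ELF32 " + ("PowerPC" if e_machine == EM_PPC else f"e_machine={e_machine}")
    report["linkage"] = "dynamically linked" if SHT_DYNAMIC in sh_types else "statically linked"
    report["stripped"] = SHT_SYMTAB not in sh_types           # no .symtab => symbols stripped
    # Version banners like the "Cool Beauty System 1.0.3" string found in the real image
    report["banners"] = re.findall(rb"[A-Za-z][A-Za-z ]+ \d+\.\d+\.\d+", image)
    return report

def build_sample_image(with_symtab: bool = True) -> bytes:
    """Constructed minimal big-endian ELF32/PowerPC image with a banner; not real firmware."""
    banner = b"\x00Cool Beauty System 1.0.3\x00"
    types = [0, SHT_SYMTAB] if with_symtab else [0]              # null section (+ .symtab)
    shoff = 52 + len(banner)                                      # section headers after banner
    ident = b"\x7fELF" + bytes([1, 2, 1]) + b"\x00" * 9          # ELF32, big-endian, version 1
    hdr = ident + struct.pack(">HHIIIIIHHHHHH", 2, EM_PPC, 1, 0, 0, shoff, 0, 52, 0, 0, 40, len(types), 0)
    shdrs = b"".join(struct.pack(">IIIIIIIIII", 0, t, 0, 0, 0, 0, 0, 0, 0, 0) for t in types)
    return hdr + banner + shdrs

if __name__ == "__main__":
    for key, value in triage_firmware("iovxst", build_sample_image()).items():
        print(f"{key}: {value}")
```

Run it against a real image by reading the file as bytes and passing it in; a hash mismatch on a file taken from setup/BamSetup/Package/data is the signal worth investigating.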
https://twitter.com/philpraxis/status/337507995195949056
https://twitter.com/philpraxis/status/337507794318143489
https://twitter.com/philpraxis/status/337507623203135488