Last week I was asked if I knew how to enable SSH access on a Sphairon (ZyXEL) Speedlink 5501. My previous technique for the HomeBox 3232 (also manufactured by Sphairon) did not work, as the expected magic bytes could not be found in the configuration backup file of the Speedlink 5501. So I had to reverse this new file format to see if a similar technique can be applied here.

In this post I will explain the details of this new file format. With this knowledge we can unpack, modify and repack config files. Secondly, I will show you which config options have to be modified in order to enable SSH access. Unfortunately, I have no time to write a ready-to-use tool this time. But anyone is invited to use these results to code their own unpacker. Please let me know if you publish something so I can link to it from here.

Reversing the config file format

I downloaded the firmware V4.37.2.4.4 from Deutsche Telekom. Using binwalk, two lzma-compressed SquashFS file systems were easily spotted.

These filesystems were unpacked using the squashfs-tools from SquashFS 4.3 on a Debian system running a 3.2.60 kernel (read here why this is important).

After browsing the first filesystem (named rootfs), it turned out that it most likely contained no code related to the config file handling. So I started to investigate the second filesystem (named servfs) and quickly found a library called libconfig-export-api.so which sounded interesting to me.

By reverse engineering a part of the library’s code, the config file structure of the Speedlink 5501 could be reconstructed. It uses a 72-byte header followed by a gzipped tar archive (.tgz) of arbitrary length.

The header contains two SHA-1 hashes. The first hash, tgz_sha1, is computed over the .tgz archive in which the actual configuration is stored. The second hash, header_sha1, is computed over the first 40 bytes of the header (i.e. up to header_sha1). Therefore, tgz_sha1 must be computed first when assembling the header.
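The two checks described above can be expressed as a small inspection routine. This is an added example, not code from the original post or from the firmware. It assumes the digests are stored as raw 20-byte values and that header_sha1 starts at offset 40; the offset of tgz_sha1 is not stated here, so the code searches for it, and the layout used by `make_sample` is hypothetical.

```python
import hashlib
import io
import tarfile

HEADER_LEN = 72   # from the post: 72-byte header, then the .tgz
HASHED_LEN = 40   # from the post: header_sha1 covers the first 40 bytes
SHA1_LEN = 20     # assumption: digests are stored raw, not hex-encoded


def inspect_config(blob: bytes) -> dict:
    """Check both SHA-1 values of a config backup and report the findings."""
    if len(blob) <= HEADER_LEN:
        raise ValueError("file is shorter than the 72-byte header")
    header, payload = blob[:HEADER_LEN], blob[HEADER_LEN:]
    # Assumption: header_sha1 sits directly after the 40 bytes it covers.
    stored = header[HASHED_LEN:HASHED_LEN + SHA1_LEN]
    header_ok = hashlib.sha1(header[:HASHED_LEN]).digest() == stored
    # The offset of tgz_sha1 is not given in the post, so search for it.
    offset = header[:HASHED_LEN].find(hashlib.sha1(payload).digest())
    return {
        "header_sha1_ok": header_ok,
        "tgz_sha1_offset": offset if offset >= 0 else None,
        "payload_is_gzip": payload[:2] == b"\x1f\x8b",
    }


def make_sample() -> bytes:
    """Constructed sample file; the field layout here is hypothetical."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = b"-- constructed sample\n"
        info = tarfile.TarInfo("sql/persistent-network.db.sql")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    payload = buf.getvalue()
    # tgz_sha1 is computed first because header_sha1 covers it.
    first40 = b"\x00" * 20 + hashlib.sha1(payload).digest()
    header = first40 + hashlib.sha1(first40).digest()
    return header.ljust(HEADER_LEN, b"\x00") + payload


if __name__ == "__main__":
    print(inspect_config(make_sample()))
```

Run against a real backup, the reported `tgz_sha1_offset` shows where the archive digest sits inside the hashed part of the header. Both values are unkeyed SHA-1 digests, so they detect corruption but do not authenticate the file.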

Enabling SSH access

After you have unpacked the .tgz file, you will have several subdirectories of which one is named sql. Inside you will find several .sql files. Open sql/persistent-network.db.sql with a text editor.

First we will modify the firewall to allow access on port 22. Search for “FirewallRulesStatic” and you will see the existing firewall rules (in my case 9 rules, IDs 0..8).

Simply append a 10th rule (with the ID 9) like this:

If you are curious about the syntax, you can scroll up a bit to where the table FirewallRulesStatic is created. Most options should be self-explanatory.

Secondly, we will enable the SSH daemon. Search for the line

and change it to

Finally, we enable the existing SSH account. Search for

and change it to

It is advisable to change the username and password as well.

After you have made all your changes, save the .sql file and repack everything back to a .tgz file. Next, compute both SHA-1 hashes and modify the header accordingly. After the config file is uploaded to the router, it will reboot and start an SSH daemon for you.