hack

Remote code execution on no-name wifi repeaters: Part 2

After bricking the last wifi repeater in my last post, I was determined not do that again. At least not intentionally.

This time around, I purchased the same model as before (U13) as well as three more units of a different model, for $10 and $7 CAD respectively. The goal here is to get root access via SSH/telnet and use these devices as general purpose Linux single board computers. With an ethernet port, built in power supply and wifi, these boards are great for single-purpose servers.

 

New hardware

 

These models kept popping up in recommended items in the Aliexpress app, so I thought I would check it out. Just like the previous model, there's no technical information about these devices or who makes them. All we know is that there's an ethernet port, it has 2.4Ghz wifi...and that there's a WPS button. Some listings display the brand as iMice but nothing turns up on Google. 


Searching around YouTube, I was able to find branded devices using the same hardware:

  • MECO WIFI Wireless Signal Amplifier 
  • Accmor 300Mbps 802.11 n Wireless WiFi Repeater
  • AMAKE Wifi Repeater 300M Range Extender
  • NoyoKere Wifi Repeater 300Mbps Range Expander
  • Seaidea 300Mbps Wireless-N Mini Wifi Repeater
  • iMeshbean® Wifi Repeater 300M Range Extender
  • NINISEI Wifi Router/Repeater
  • F&M Wireless-N 300Mbps 2.4G Wifi Repeater
  • PIX-LINK WR03 Wireless WiFi Repeater 
  • Wi-Fi Repeater XY-300MZJ1

One funny misspelling is the username "admim" on the sticker:

The 4 LED model seems to differ from the 7 LED model, and on the latter model listing the seller displays the chipset as RTL8196E with 16MB flash and 128MB RAM.

Software


Plugging the device into the wall, and going to the printed address (192.168.11.1) we get a very familiar web admin UI. This time, the manufacturer decided to use orange instead of blue.

Tags

Getting root access on a $10 Aliexpress Wifi repeater

I have a fixation of buying little electronic trinkets and gadgets on foreign websites for cheap prices. Something about the cost of such little things, and that it takes 3-4 weeks to arrive to my door, provides me with excitement when I visit the post office to pick up my parcels. Lately, I purchased some ESP32 and ESP8266 boards for around $3, and various other programmers and jumper cables for around the same price point. It makes experimenting with a new project fun and inexpensive (great if you like to drop projects after a month too).

In the hot summer we're having out here, I like to sit in my yard and read online tech news and blogs on my phone. Being the hedonistic person I am, I cannot wait 3-4 seconds for a page to load. The wifi coverage at my house is sufficient in doors, but when I go 150 yards away, it can be abysmal. 

 

The purchase



So, in my regular late night Aliexpress shopping sprees, I found a $10 ($7 USD) wifi repeater that might fit the bill. 

It seems the price has gone up since I purchased the device

There's really no information about this device, anywhere. No model number. These seem to get the model numbers of AC1200M and also U13 if you poke around Aliexpress. If you look on Amazon, you'll find the exact same model selling for over double. It seems to connect this device to your wifi network, you use the WPS button and voila, it connects and you have a repeated signal.

So when it finally arrived the other day, I plugged it into the wall, followed the not-so-cryptic instruction manual and I was on my way. 

Tags