This is my first ever **blog** on my own website. I'll be dropping my unwanted opinions here, and you can feel free to read all of it or just whatever you want :)
### How we built an IR-controlled Truck

---

As a sophomore in university, our final project for our major subject was to make a truck that produces a siren sound with lights. This was the only requirement and nothing else. My partner and I decided to go all out and add features not only to flex but to challenge ourselves beyond what was taught in class. To extend the features of our truck, we decided to add front lights, a motor to move the truck, and lastly an IR receiver to control the whole thing. We weren't allowed to use any microcontrollers, so this was not an easy task.

### The Senses: Directional VS838 IR receivers

Since decoding IR commands without a microcontroller would mean setting up a complex circuit, I decided to just put 3 IR receivers on three different sides of the truck. Infrared needs a line of sight to its receiver in order for it to work, just like light: if there's an obstruction, it likely will not reach the receiver. Funny thing, a few weeks prior, my remote-controlled lamp fell down from the top of my loft bed and broke, exposing its internal parts. When I first saw it I thought there was a *transistor*-looking component inside it. After some research I realized it was an IR receiver, a **VS838**. This was when I decided to use it for this project.

1. Receiver 1: Controls the headlights, siren and lights
2. Receiver 2: Moves the truck forward
3. Receiver 3: Moves the truck backward and makes a beeping noise

### The Brain

Hooking up a **VS838** directly to a **4017** will give erratic behavior, as IR remote controllers send trains of pulses that encode a binary command. We do not need to decode this instruction; we just need the receiver to detect a single IR pulse. The **IC555** configured as a monostable lets us convert a modulated IR signal into a single clean pulse. This can also be done more easily by hooking a capacitor in parallel, but I did not realize this earlier.
This particular piece of the schematic is what controls most of the truck's functionalities. A VS838 connects to an **IC555** timer's input, which sends a pulse to the **4017** counter. It's kind of like a state machine whose output determines whether the headlights, fog lights, top lights and siren turn on. It's not visible here in the schematic, but pin 9 is hooked to the transistor for the siren to turn it on.

### Moving the truck

Moving the truck forwards and backwards from a single motor, and with enough power, requires a motor driver like the **L298N**. It already includes an H-bridge and the other circuitry needed to do this. It is also not visible in the schematic, but OUT2 of the motor driver, which moves the motor backward, is in parallel with a beeping speaker, similar to how some trucks have that *beep beep beep* sound while backing up.

### Other parts...

I'm not good enough to build my own one yet, so I copied this guy's [wailing siren circuit](https://www.youtube.com/watch?v=LKhYthqrJH0). The top lights are made from a knight rider circuit. Everything is powered by a 9V battery, but some parts like the **VS838** only work at 5V, so I had to make a small "heart" circuit, which involved an **LM7805** and decoupling ceramic capacitors to ensure I wouldn't damage some parts from not smoothing out voltage spikes (I did).

### Actual Prototype

YouTube video of it [here](https://youtu.be/VNUm7RyBjTU)
September 15, 2025

---

I went to school and we did math. That's all.
Router Hacking

---

## Short Intro

A few days ago, a good friend of mine approached me and asked if I could regain access to their old TP-LINK router installed with **OpenWRT 14.07 Barrier Breaker** firmware. It's a free and open-source Linux-based operating system for embedded devices such as routers. It's mostly used to replace a router's stock firmware, which might not have extensive settings and features. I have no prior experience in these kinds of things, and I only recently started deep diving into hardware hacking, but I accepted it as a challenge. It should be noted that this was done with the full consent of the owner. Readers should be aware that I am not liable for any damages that you commit following this blog. If you want to do these kinds of activities, ensure that you have proper authorization to do so, or do it on your own equipment.

I tried basic troubleshooting first:

- Tried default and common credentials on the wifi and web interface (you can access the router's services if you connect a PC with an ethernet port to the LAN port of the router)
- Tried a hard reset through the router's reset button

But these did not work. I then tried to map open ports on the router using **nmap** and saw that only ports 80 (http), 53 (dns) and 22 (ssh) were open. I tried fingerprinting the versions of these running services and looked for exploits, but I could not find any.

---

## Enumerating the router

I had no choice but to open up the router and analyze the board inside. There was even a live spider inside of it. I guess you can say that the web is accessible through a router.

**The motherboard**:

There seem to be 4 jumper pins which could be a UART (it's the one on the top right of the image with 4 holes in it) with a root shell waiting for me, but it is highly unlikely that it is not protected with a password.
What's most interesting is this [25Q128FVSG](https://www.alldatasheet.com/datasheet-pdf/pdf/506517/WINBOND/25Q128FVSG.html) chip.

**The NOR storage chip labeled 25Q128FVSG**:

It is a serial flash memory which holds the ROM of the router, kind of like your hard drive, but extremely small in capacity and requiring little power, perfect for embedded devices like a router. For my workflow, I may be able to get hold of the password hash of an account inside OpenWrt and crack it if it's weak.

---

## Extracting the router's firmware

So, I immediately grabbed my **CH341A** programmer and clipped it onto the chip. This hardware tool allows me to "sniff" the data on the chip, which contains the ROM. It took me a few tries, but I was able to get it to align properly, and then I ran the command below to read and extract the firmware to a file.

> $ sudo flashrom --programmer ch341a_spi -r tp.bin

The **flashrom** command allows you to read from or write to a chip, and it can be installed via your package manager. In Ubuntu it's

> $ sudo apt install flashrom

**Extracting firmware via flashrom**:

It took around 2 minutes to extract everything, and when it did, I ran **binwalk** to extract the files. I was very excited to see that it extracted a SquashFS and a JFFS2 filesystem, which together hold the ROM of the router. See the [OpenWrt Wiki on the flash layout for why there are two filesystems inside](https://openwrt.org/docs/techref/flash.layout); but in a nutshell, the SquashFS, which is a read-only filesystem, contains all the files that are available when the router is booted into fail-safe mode. This cannot be modified (unless reflashed); the JFFS2, on the other hand, is the writeable part, which contains the configurations.

This is **binwalk**'s output:

I browsed through the files and could confirm this is it.
**OpenWrt version from Web Interface checks out**:

---

## Recovering and cracking the hashed password

But what we're actually after is the hashed password of an account on the router, so we could hopefully use it to log in through ssh or the web interface and reset the account password and the wifi password. In Linux, this is found in the */etc/shadow* file, which requires root privileges to read and write. Since we're not on a live environment, and are only reading through the extracted firmware, we are able to read this.

**Password hash of users**:

I saw root and another account we'll refer to as XXX, both of which have a login shell. I fired up **hashcat** with **rockyou.txt** as the wordlist to crack these MD5Crypt hashes. The root account's password is not in the wordlist, but XXX's hash was cracked almost immediately; it was only a very short password!

**THIS IS WHY IT'S IMPORTANT TO KEEP YOUR PASSWORDS STRONG**

I tried logging into the web interface now that I have a pair of credentials, but for some reason LuCI (the web interface) isn't letting this account in. So, I tried to ssh in, which worked.

---

## Privilege escalation

Without privileges, I couldn't do much. Our goal right now is to escalate our privileges, and hopefully the root account can access the web interface. I tried enumerating any misconfigurations and old and vulnerable binaries like sudo, even running **linpeas** just to check, but that didn't work. What I didn't realize earlier was that I could run sudo with no restrictions. This means I can spawn an interactive shell as the **root** user! I ran the command:

> $ sudo -i -u root

This prompted me for XXX's password, and I got a root shell!

**Verifying root**:

But this doesn't end here! What use is this if I can't have the password? I used a trick that I always use in CTF challenges: replacing the root password hash in */etc/shadow* with my own hash.
To create a valid MD5Crypt hashed password, we use **openssl** to generate one for us:

> $ openssl passwd -1

This prompts for a password and outputs the md5crypt hash. I then rewrote the shadow file, and logging into the web interface as root with my new password worked like a charm!

**Web interface after accessing**:

---

## Getting the wifi password...

Before we conclude everything, we still have to recover the wifi password. This isn't a complex process, as it's written in plaintext in */etc/config/wireless*.

The password is **covered** in red.

---

## Conclusion

With that, I was able to go from zero to full admin access to the router. I couldn't have done this if it weren't for the user account with a weak password that also had unrestricted access to the **sudo** command. If you're a non-technical person reading this, try to make sure your router firmware is up to date (you can contact a friend or call your internet service provider), and that your passwords are strong and changed frequently. Outdated software, misconfigurations and weak passwords are common reasons why somebody gets hacked. This experience has made me realize that vulnerable systems are everywhere, and it is not a matter of if, but when, they will be hacked. Weak credentials should not be neglected, as they can be an entry point to something bigger. I conclude my experience here, and hopefully soon we'll hack something bigger. Thanks for reading!

With love,
kairo
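The two findings the post turns on, md5crypt hashes in */etc/shadow* for accounts with a login shell and a plaintext PSK in */etc/config/wireless*, are easy to check for in your own extracted firmware tree. Below is an added audit script written for this post (it is not the author's code or an OpenWrt tool); the passwd, shadow and wireless contents are constructed samples, and the account names, the `/bin/ash` shell and the hash values are assumptions, not data from the router in the post.

```python
"""Audit an extracted OpenWrt rootfs for the weaknesses found in the post:
login-capable accounts with an md5crypt ($1$) or empty password hash, and
Wi-Fi PSKs stored in plaintext in /etc/config/wireless. Sample data below
is constructed for this example, not taken from a real router."""
import re

HASH_SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

def parse_colon_file(text):
    """Map the first field (user name) to all fields of a passwd/shadow line."""
    rows = (line.split(":") for line in text.splitlines())
    return {f[0]: f for f in rows if len(f) >= 2}

def audit_accounts(passwd_text, shadow_text):
    """Return (user, finding) pairs for accounts that can log in with a weak hash."""
    findings = []
    shells = {u: f[6] for u, f in parse_colon_file(passwd_text).items() if len(f) > 6}
    for user, fields in parse_colon_file(shadow_text).items():
        h = fields[1]
        # A locked hash ("!"/"*") or a nologin shell means no interactive login path.
        if shells.get(user) in NOLOGIN_SHELLS or h.startswith(("!", "*")):
            continue
        if h == "":
            findings.append((user, "empty password"))
        elif HASH_SCHEMES.get(h[:3]) == "md5crypt":
            findings.append((user, "md5crypt hash (fast to crack offline)"))
    return findings

def wifi_keys(wireless_text):
    """Map each UCI wifi-iface section to the PSK stored in its 'option key'."""
    keys, section, n = {}, None, 0
    for line in wireless_text.splitlines():
        m = re.match(r"\s*config\s+(\S+)(?:\s+'?([\w-]+)'?)?\s*$", line)
        if m:  # new section; anonymous sections get a positional label, others are ignored
            n += 1
            section = (m.group(2) or f"{m.group(1)}#{n}") if m.group(1) == "wifi-iface" else None
            continue
        m = re.match(r"\s*option\s+key\s+'([^']*)'", line)
        if m and section:
            keys[section] = m.group(1)
    return keys

# Constructed sample files in the same format as the real ones (assumed /bin/ash shell).
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/ash\nnobody:*:65534:65534:nobody:/var:/bin/false\n"
                 "guest:x:1000:1000::/home/guest:/bin/ash\n")
SAMPLE_SHADOW = ("root:$1$saltsalt$ConstructedHash00000000000:0:0:99999:7:::\nnobody:*:0:0:99999:7:::\n"
                 "guest:$1$saltsalt$ConstructedHash11111111111:0:0:99999:7:::\n")
SAMPLE_WIRELESS = ("config wifi-device 'radio0'\n\toption type 'mac80211'\n\nconfig wifi-iface\n"
                   "\toption device 'radio0'\n\toption encryption 'psk2'\n\toption key 'constructed-psk'\n")
```

Point `audit_accounts` and `wifi_keys` at the files binwalk extracted from your own dump; a hit for an account with a login shell is the signal to rotate that password and, on firmware that supports it, move to sha256/sha512crypt.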