# **Security Assessment Report**

**CP-XR-DE21-S 4G Router**, firmware version 1.031.022

# **Company Details**

| Company Name | Aditya Infotech Ltd. (CP PLUS) |
|--------------|--------------------------------|
| Email        | support@cpplusworld.com        |
| Telephone    | +91-8800952952                 |

# **Document History**

| Version | Date       | Author    | Remark      |
|---------|------------|-----------|-------------|
| 1.0     | 17/11/2024 | Yashodhan | First Draft |

## **Security Assessment Details**

### 1.1 Executive Summary

A security assessment of the **CP-XR-DE21-S 4G Router** (**firmware version 1.031.022**) was performed against the following common security checks:

- ✓ Whether any hardware debug ports are open.
- ✓ Whether device logs are accessible to a third party.
- ✓ Whether proper access control is implemented across the device.
- ✓ Whether a proper authentication and authorization system is implemented.

The overall security posture of the device is good, although some security controls were not fully considered or implemented during the design and coding of the firmware.

The security assessment revealed one medium-severity issue in this product.

A consolidated summary of the assessment is presented in this Executive Summary; additional detail is given in the Technical Findings section of this report.

### 1.2 Scope and Objectives

The scope of this assessment was limited to the hardware, firmware and wireless communication of the CP-XR-DE21-S 4G Router.

### 1.3 Technology Impact Summary

Security assessments of the hardware, firmware and wireless communication were performed. Their aim is to uncover security issues in the assessed 4G router, explain the impact and risks associated with the issues found, and provide guidance on prioritization and remediation.

It was identified that the CP-XR-DE21-S 4G Router has its UART port open, exposing the boot console output.

► An attacker with physical access can read the boot log from the UART port, including the firmware version strings, flash and PMIC identifiers, register dumps, the Wi-Fi MAC address and temperature-sensor readings.

### 1.4 Business Impact Summary

The business impact is as follows:

► The boot log and sensor data exposed on UART are a threat to the product's intellectual property, since they give business competitors insight into the platform and its internals.

### 1.5 Testing Environment and Tools

The hardware security assessment of the CP-XR-DE21-S 4G Router was performed with a USB-to-UART converter and the Picocom serial terminal utility.

### 1.6 Table of Findings

| Vulnerability ID | Scope    | Finding                        | CVSS Score | CVSS String | Severity | Status    |
|------------------|----------|--------------------------------|------------|-------------|----------|-----------|
| CP-XR-4G-01      | Hardware | UART port exposing serial logs | 6.7        | CVSS:4.0/   | Medium   | Not Fixed |

### 1.7 Device Strengths

Not discussed.

### 1.8 Device Weakness

The following vulnerability was identified during hardware security testing.

► The device logs are accessible over the UART port.

## **Technical Findings**

### 2.1 CP-XR-4G-01: UART Port Exposing Serial Logs

Potential Impact: MEDIUM

#### **Description**:

During the assessment it was identified that the console output on the UART port is readable, and that it includes the boot log, hardware addresses and register dumps.

**Affected Hosts**: UART port, device boot.

**Technical Risk**: Internal device parameters (firmware version strings, flash and PMIC identifiers, memory-mapped register contents, the Wi-Fi MAC address and sensor readings) can be read in their raw form as the device boots.

**Business Risk**: By understanding the log structure, a malicious actor can gain insight into the boot and firmware-update sequence and use it to craft payloads aimed at bypassing boot or firmware-update checks.

**Mitigations**: Disable the UART console output in the production build (for example by compiling out the debug prints or leaving the console UART uninitialised), and do not populate the UART header or test pads on production boards. After the change, verify on a production unit that the TX line stays silent throughout boot. The capture also shows a cmux channel and an AT command server being initialised on "USB/UART"; confirm whether the exposed port accepts input as well as emitting logs, since an interactive command interface would raise the severity of this finding.

#### **Steps to Reproduce:**

1. Disassemble the CP-XR-DE21-S 4G Router and locate the UART pins (3.3 V, GND, TX and RX) as shown in the next image.

2. Solder header pins to the UART pads, connect them to a USB-to-UART converter and connect the converter to a laptop as shown in the image.



3. Run the picocom serial utility in a terminal as shown below:

```
stellaris@stellaris-VivoBook-ASUSLaptop-X513EAN-K513EA:~$ sudo picocom -b 115200 /dev/ttyACM0
```

4. The log below, captured with picocom, shows the information disclosed over the UART port.

```
Type [C-a] [C-h] to see available commands
Terminal ready
Finish loading TIM from: 0x0000001B
Init DDR: PASS
Load Image 0x4F424D49 : PASS
Verify Image: PASS
Xfer to OBM
start...
NezhaC/Falcon MIFI
Feb 11 2023 - 10:09:36
Core Is CR5
Project is DKB
Charger is Disable, OLED is Disable
GuilinLite: PMIC ID: 0x18
Cold power up
NO Production Mode
GuiLinLite Buck1 active voltage: 0x98
cpcore -> 624M
AXI -> 208M
DDR -> 1066M
FlashNumber: 0x1b
Bus clock: 13MHz, QSPI CLK: 0x5b
use intr 0, en tx dma 1, use xip 1
SPI-NOR: GD25LQ128D is found in table
SPI-NOR: mfr id: 0xc8, dev id: 0x6018
Bus clock: 104MHz, QSPI CLK: 0x1db
QE(bit9) already set to 1
Rx pins 4, Tx pins 4, Read op 13, write op 19
AHB data transfer size: 128
XIP Read mode enabled
Fixed LUT bit-map: 0x1fc
pFlashP->NumBlocks: 256
[OTA] TR069 Addr 00b60000
Tr069 Config Init Done
BootLoaderMain--Allow to boot up
[OTA]No need to upgrade
TR069 return 0x1
CORTEX MPH Region Init
CORTEX MPU Region Init
LWG/LTG switch flag 0x0
Select to 3Mode LWG
CRC check OK with flash address 0x20000
MRD FlashAddress Passed to CP: 0x20000, pMRD valid 0xd10000f8
CRC check OK with flash address 0x30000
LWG uboot
ImageID: 4f534c4f
FlashEntryAddr[00060000],LoadAddr[06000000]
read time
0x000001d6
Region CPZ struct detected from LDT
lzma cpmpressed image
[CODE PS] decompress from [0x7002000] to [0x6002000]
LZMA Decompress start here......
0x00000000
0x00000008
0x0000082d
0x00082ddb
0x082ddb42
LZMA Decompress() : good!
[0] decompress inLen[0x178000],outLen [0x2f1a78]
lzma cpmpressed image
[CODE PL] decompress from [0x738d000] to [0x674a000]
LZMA Decompress start here.......
0x00000000
0x00000038
0x00003811
0x003811be
0x3811be0b
LZMA Decompress() : good!
[0] decompress inLen[0x134000],outLen [0x28a2d4]
lzma cpmpressed image
[REMAIN] decompress from [0x74c1000] to [0x69d42d4]
LZMA Decompress start here......
0x00000000
0x0000000c
0x00000c3c
0x000c3c2f
0x0c3c2f4e
LZMA Decompress() : good!
[0] decompress inLen[0x13000].outLen [0x683b8]
```

```
*************
** OBM DONE JUMP TO CP IMAGE
** PC : 0x6000000
** SIZE : 0x9db9e0
buadrate=0
ART Boot Completed
Board Type: NezhaC/Falcon MIFI DKB
Project Type: Nezha Marvell MIFI V5
Mode Type: LWG Only
BSP board type: 0x0
Software version: DE21 S india hx806 1.057.043 0013 Aug 22 2023 20:03:47
Compilation date: Aug 22 2023 and time: 20:03:47
Last time is not silent reset
Silent Reset Magic =ff00ff00 f700ff00
===== CIU register ======
0xd4282d00: 0x158
0xd4282d04: 0x1b39a
0xd4282d08: 0x984ff0
0xd4282d38: 0xca4ee098
0xd4282d44: 0x0
0xd4282d48: 0x0
0xd4282d4c: 0x0
PMIC ID: 0x18
PMIC type: Guilin Lite(PM803)
OBM set Flash type: QSPI nor
Bus clock: 13MHz QSPI CLK RES CTRL: 0x5b
use intr=0 en tx dma=1 use xip=1
SPI-NOR: GD25LQ128D is found in table
SPI-NOR: mfr id: 0xc8, dev id: 0x6018
Bus clock: 104MHz QSPI CLK RES CTRL: 0x1db
QE(bit9) already set to 1
Set rx pins: 4 tx pins: 4, chip->read op=13, chip->write op=19
AHB data transfer size: 128
XIP Read mode enabled
Fixed LUT bit-map: 0x1fc
pFlashP->NumBlocks: 256
Flash Type: 9, NumBlocks: 256, BlkSize: 65536, PageSize: 256
TimSize 0x1034
FlashManager Init: Version= 30400
Search BBT in 0x0
FlashManager Init done
```

```
psm block init, file num is 0,blk1 is 4
psm block init psm fdi info[0] is 4
psm block init, file num is 1,blk1 is 1
psm block init psm fdi info[1] is 1
psm block init, file num is 2,blk1 is 2
psm block init psm fdi info[2] is 2
psm block init, file num is 3,blk1 is 3
psm block init psm fdi info[3] is 3
M ExitProdMode,,,flash layout->FBFStartAddress=b60000
M ExitProdMode++Header=0x54524657, current Prod Flag=0
FDI fclose psm start, fileid:1
FDI fclose psm: done
PMIC GuilinLite Configure Marvell LMIFI V5R0 Enter.
IB MMC1 IO REG 0x81
PMIC GuilinLite Configure Marvell LMIFI V5R0 Exit.
P Initialize
lro efuse = 145
ew profile num = 1
LCN SVC FP[0] = 0x15
LCN SVC FP[1] = 0x18
RTC Phase2 Init:
Recorded 2024- 3-7
Recorded 17,54,25
Recorded 0,RTC=0x0
InnerRTCTimeSet: newTime 1709834065
InnerRTCTimeSet: 2024/3/7 17:54:25
eeHandlerPhase2Init
==sdio init==
SDIO:Base 0xD4280800
zsy Platform sdio config pin--board type is 0x80
zsy sdio config falcon 5803 mifi pin
zsy check if DCS mode() != 1
HERON WIFI: read APB spare5 reg 0xd4090110 is 0x18702f
HERON WIFI: read PMU VRCR reg 0xd4050018 is 0x1
HERON WIFI: read vcxo reg mfpr 0xd401e0d4 is 0xb0c0
HERON WIFI: read clk reg mfpr 0xd401e0cc is 0xc0c1
SDIO:SDO HOST PMU AXI CLOCK=119,SD1 HOST PMU AXI CLOCK=112
SDIO:SD HOST CTRL offset=b00
SDIO:SDHCI TX CFG=0x403700c5
SDIO:SD CLOCK CTRL offset=4047
SDIO:SDHCI CAPABILITIES1=0x80
SDIO:SDHCI CAPABILITIES2=0x25fc
```

```
sdio dump sdhci registers
: DMA addr: 0x00000000 | Version:  0x00000002
: Blk size: 0x00000000 | Blk cnt:  0x00000000
: Argument: 0x80000803 | Trn mode: 0x00000000
: Present:  0x01f70000 | Host ctl: 0x00000b02
: Host control2: 0x00004000
: Power:    0x0000000b | Clock:    0x00000207
: Int stat: 0x00000000
: Int enab: 0xe0ff01ff | Sig enab: 0xe0ff01ff
: AC12 err: 0x00000000 | Slot int: 0x00000000
: Caps:     0x25fc0080 | Max curr: 0x00000000
: Command:  0x00003402 | RX CFG REG:0x00000000
SDHCI HOST CTRL2: 0x00004000 | PRESET VALUE FOR SDR50: 0x
==sdio init OK==
GenRandMAC:00,00,00,00,00,00
!!![0xb20000]Invalid flash sys format data 0xfe 0xca 0xfe
rwnx_get_wifi_mac: PHASE1 MACADDR exist, 0x5c354800ae1a
rwnx_get_wifi_mac: 5c354800ae1a
```

```
diagPhase2Init start
Usb mode 0, Usb descriptor 30
cmux init
cmux physical device: UART
cmux dlc open: service id 1, func 0x6bb3c18
cmux dlc open: service id 2, func 0x6bb3c18
cmux dlc open: service id 3, func 0x6bb3c18
cmux dlc open: service id 9, func 0x6bb3c18
0: gSavePSMMSGQ=70af8a0
OnKeyPoweroff Task
GuilinLiteChargerInitPhase2: Out
ReadPATempTask: PATemp1=0x140; PATemp2=0x140 .
Baterry Update Task start
TSEN:Tsensor: Initilized.
Set SWversion From: Set SWversion from 2(1: RD; 2: Macro 3: XML)
zsy JM SwitchSimX will Call.
Start to UnPack Reliable data
ReliableDataUnPack MEP FIX size is 2036, filesize is 2037
ReliableDataUnPack Size of MEP FIX is 2036
ReliableDataUnPack Network MEP len is 116, password is
ReliableDataUnPack Service Provider MEP len is 68, password
filename: MEP.nvm
Save MEP.nvm to FS
AdcCalData.nvm not exist
AdcCalData Rtp.nvm not exist
I2CDeviceWaitStatus: I2C RC TIMEOUT ERROR
Enter initATCmdSvrPhase1
read_production_mode_in_flash++production_flag=0, production_mode_flag_0
read production mode in flash++not in production mode, not allowed to
initATCmdSvrPhase1, InProduction Mode 0
initATCmdSvrPhase1, USB/UART bNotifyAllRsp=TRUE
BOOTING COMPLETED
rwnx_get_wifi_mac: PHASE1 MACADDR exist, 0x5c354800ae1a
rwnx_get_wifi_mac: 5c354800ae1a
wifi_driver_init: rwnx_mod_params.drv_dbg is 1
rwnx_cfg80211_init: wiphy->perm_addr 0x5c354800ae1a
```

```
HERON: read falcon APB spare5 reg 0xd4090110 is 0x18702b, PMU VRCR reg 0xd4050018 i
HERON: write falcon APB spare5 reg 0xd4090110 to 0x18702b, PMU VRCR reg 0xd4050018
rwnx_start_uncompress_lzma_bin: is not LzmaCompressed
rwnx_platform_on: rf_caldata exists, no need to dnld cal bin!
rwnx_sdio_download_firmware retry 0 times
rwnx_sdio_download_firmware fw_type 1 fw_len:141136 pad_len:0 crc_len:4 total_len:141140 headers: 0x89abcdef-0x22750-0x100-0x228 crc:0xf67b9db8
rwnx_sdio_download_firmware send header of length=16 success!
wifi_driver_init: create rwnx_wifi_init task success, initRwnxWifiRef is 0x713e6e0
WIFI MACADDR:5c,35,48,00,ae,1a
rwnx_sdio_download_firmware check CRC_SUCCESS ok!
rwnx_plat_bin_fw_upload: ret of rwnx_sdio_download_firmware is 0
rwnx_plat_lmac_load: ret is 0
rwnx_platform_on: check BOOT_SUCCESS success!
rwnx_platform_on timelapse: dnld cal bin:0 us, cal:0 us, dnld fw bin:1460782 us
rwnxGpioIRQInit: GPIO4 int config finished, MFPR 0xd401e0ec is 0x90c0
wifi mac fw version 1.031.022, host version SDK_1.031.022
fcd PM PWD
```

Note: two version strings are visible in the capture above. The line `Software version: DE21 S india hx806 1.057.043 0013 Aug 22 2023 20:03:47` is the router's main firmware build, while `wifi mac fw version 1.031.022, host version SDK_1.031.022` is the version of the Wi-Fi MAC firmware and its SDK. The firmware version quoted on the title page of this report corresponds to the latter.
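To triage a capture like the one above quickly, and to re-check a production unit after the UART console has been disabled, the following script scans a saved picocom log for the kinds of disclosure this finding describes. It is an added example for this report, not part of the assessment tooling or of the vendor's firmware; the rule set and the category names are the editor's assumptions about what a reviewer wants flagged, and the sample lines are a constructed subset of the capture in section 2.1.

```python
"""Scan a UART boot-log capture for information disclosure.

Added example for this report (editor's code, not the assessment team's
tooling and not vendor firmware). Standard library only. The rule set
and category names are assumptions about what a reviewer wants flagged.
"""
import re
import sys
from collections import defaultdict

# Constructed sample: a subset of the picocom capture in section 2.1.
SAMPLE_LOG = """\
Type [C-a] [C-h] to see available commands
Terminal ready
NO Production Mode
SPI-NOR: GD25LQ128D is found in table
SPI-NOR: mfr id: 0xc8, dev id: 0x6018
Software version: DE21 S india hx806 1.057.043 0013 Aug 22 2023 20:03:47
PMIC type: Guilin Lite(PM803)
 0xd4282d00: 0x158
 0xd4282d04: 0x1b39a
GenRandMAC:00,00,00,00,00,00
rwnx_get_wifi_mac: 5c354800ae1a
ReliableDataUnPack Network MEP len is 116, password is
WIFI MACADDR:5c,35,48,00,ae,1a
wifi mac fw version 1.031.022, host version SDK_1.031.022
"""

# category -> pattern (assumed rule set). A line may hit several rules.
RULES = {
    "version": re.compile(r"\b(?:software|fw|host) version\b", re.I),
    "hardware_id": re.compile(r"\b(?:SPI-NOR|PMIC (?:ID|type)|mfr id|dev id)\b", re.I),
    "register_dump": re.compile(r"^\s*0x[0-9a-f]{8}:\s*0x[0-9a-f]+", re.I),
    "mac_address": re.compile(
        r"\b(?:[0-9a-f]{2},){5}[0-9a-f]{2}\b|\b[0-9a-f]{12}\b", re.I),
    "credential_hint": re.compile(r"\b(?:password|passwd|secret|key)\b", re.I),
    "production_mode": re.compile(r"\bproduction mode\b", re.I),
}


def normalise_mac(token):
    """'5c,35,48,00,ae,1a' or '5c354800ae1a' -> '5c:35:48:00:ae:1a'."""
    hexdigits = token.replace(",", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def triage(log_text):
    """Return {category: [matching lines]} for every rule that fired."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        for category, pattern in RULES.items():
            match = pattern.search(raw)
            if match is None:
                continue
            # GenRandMAC prints an all-zero placeholder before the real
            # address is read from flash; that is not a disclosure.
            if category == "mac_address" and set(match.group(0)) <= set("0,"):
                continue
            findings[category].append(raw.strip())
    return dict(findings)


def mac_addresses(log_text):
    """Distinct MAC addresses disclosed in the log, in canonical form."""
    found = []
    for line in triage(log_text).get("mac_address", []):
        for match in RULES["mac_address"].finditer(line):
            mac = normalise_mac(match.group(0))
            if mac not in found:
                found.append(mac)
    return found


def load(path):
    """Read a saved capture; serial noise is replaced rather than raising."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def main(argv):
    text = load(argv[1]) if len(argv) > 1 else SAMPLE_LOG
    findings = triage(text)
    if not findings:
        print("no disclosure patterns matched")
        return 0
    for category, lines in findings.items():
        print(f"[{category}] {len(lines)} line(s)")
        for line in lines:
            print("    " + line)
    print("MAC addresses:", ", ".join(mac_addresses(text)) or "none")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Save the boot output with `picocom -b 115200 --logfile boot.log /dev/ttyACM0`, then run the script on the file; the exit status is 1 when anything was flagged, so it can gate a production-sample check. On a remediated unit the expected result is an empty report, but an empty capture on its own is not proof: also confirm that the TX pin is genuinely silent (for example with a logic analyser) rather than transmitting at a different baud rate.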

############ End of Document ################