Horaco 2.5GbE Managed Switch (8 x 2.5GbE + 1 10Gb SFP+)

[up-n-atom]

I didn't get the hengrui password and login_ft.cgi to work. You can access the the factory methods using the admin credentials by cgi (attached is an example of changing the colour to pink)

/ftdft.cgi
/ftlogo.cgi
/ftcolor.cgi

Here's a Python script that will validate and/or update the header sums for the update firmware (without changing the file size ie. in-place mods only)

import argparse
import mmap
import os
import struct
import sys


HEADER_LENGTH = 20
HEADER_MAGIC = 0x12345678
HEADER_RESERVED = 0x332255FF
PAYLOAD_LENGTH = 0x2ffe + 0x1000


def main() -> None:
    parser = argparse.ArgumentParser(description='SWTG Update Firmware Checksum Calculator')
    parser.add_argument('-u', '--update', help='Re-calculate sums', action='store_true')
    parser.add_argument('firmware', type=argparse.FileType('r+b'))

    args = parser.parse_args()

    print_or_exit = print if args.update else sys.exit

    with args.firmware as f:
        with mmap.mmap(f.fileno(), 0) as mm:
            header = bytearray(mm.read(HEADER_LENGTH))
        
            magic, length, header_sum, payload_sum, reserved = struct.unpack('>5I', header)
        
            print(f"magic: {magic:08x}",
                  f"length: {length:08x}",
                  f"header sum: {header_sum:08x}",
                  f"payload sum: {payload_sum:08x}",
                  f"reserved: {reserved:08x}",
                  header.hex(), sep='\n')

            if magic != HEADER_MAGIC:
                sys.exit('Invalid header magic')

            if length + HEADER_LENGTH != mm.size():
                sys.exit('Invalid header file length')

            # Placeholder for the header sum
            header[8:12] = b'\x00' * 4

            if header_sum != sum(header):
                print_or_exit('Invalid header checksum')

            # Calculate payload sum...
            calc_sum = sum(mm.read(PAYLOAD_LENGTH))

            # Skip payload header
            mm.seek(HEADER_LENGTH, os.SEEK_CUR)

            # Placeholder for payload header sum
            calc_sum += 0xff * HEADER_LENGTH

            # Resume payload sum
            calc_sum += sum(mm.read())

            if calc_sum != payload_sum:
                print_or_exit('Invalid payload checksum')

            if args.update:
                # Update the payload sum
                header[12:16] = struct.pack('>I', calc_sum)

                # Calculate and update the header sum
                header[8:12] = struct.pack('>I', sum(header))

                print(header.hex())

                # Update headers
                mm[:HEADER_LENGTH] = header
                mm[PAYLOAD_LENGTH+HEADER_LENGTH:PAYLOAD_LENGTH+HEADER_LENGTH*2] = header

    sys.exit(0)


if __name__ == '__main__':
    main()

There is also a serial password which is Switch321


EDIT: Adding more details to a repo in the coming days GitHub - up-n-atom/SWTG118AS: SWTG118AS and SWTG115AS RE

 

[Viper_Rus]

Hi all. Is firmware 1.9 available for the 4+2 switch (ZX-SWTG124AS)?

 

[Viper_Rus]

The seller provided me with a link to firmware 1.9 for ZX-SWTG124AS (4+2)

RF_V1.9_HR-SWTGW124AS_0104.zip

drive.google.com

I flashed it, everything is ok. Same md5 as posted in #137

 

[tamuin]

A couple of posts have mentioned accessing the serial console. I am assuming that people are soldering on wires to the four connection points on what is labeled J2 on the PCB (I do not have my switch nearby, maybe it is not J2, but it is the four connection points on the side of the PCB).

Which pins are which (TD, RX, GND, VCC)?

 

[up-n-atom]

A couple of posts have mentioned accessing the serial console. I am assuming that people are soldering on wires to the four connection points on what is labeled J2 on the PCB (I do not have my switch nearby, maybe it is not J2, but it is the four connection points on the side of the PCB).

Which pins are which (TD, RX, GND, VCC)?

It's all in my repo GitHub - up-n-atom/SWTG118AS: SWTG118AS and SWTG115AS RE and don't connect VCC. I actually need someone to dump their SWTG118AS v2.0 flash, ie. web managed.

hold v and plug in power and type r 0 65473 which overflows and seems to dump forever but you just need to stop it at 3FFFF0 which takes like 30 minutes (Need to use a terminal that logs).

 

[custom90gt]

Probably a dumb question, but does anyone worry about security with these cheap managed switches? What I mean by that is cheap Chinese routers have been found to have malware built in. Probably a nothing burger but thought I'd ask.

 

[tamuin]

Probably a dumb question, but does anyone worry about security with these cheap managed switches? What I mean by that is cheap Chinese routers have been found to have malware built in. Probably a nothing burger but thought I'd ask.

I am not saying it is impossible, but I think it would have to be a focused attack, I don't think these have a lot of excess computing power to do much packet inspection. While I am fine with using these on my home network, I would love to see open source firmware for these. Several posts have said that these are based on Relatek's example code, does anyone have access to Realtek's example code?

 

[Viper_Rus]

Probably a dumb question, but does anyone worry about security with these cheap managed switches? What I mean by that is cheap Chinese routers have been found to have malware built in. Probably a nothing burger but thought I'd ask.

I solved the problem radically: just in case, I blocked their access to the global network in the router.

 

[blunden]

I am not saying it is impossible, but I think it would have to be a focused attack, I don't think these has a lot of excess computing power to do much packet inspection. While I am fine with using these on my home network, I would love to see open source firmware for these. Several posts have said that these are based on Relatek's example code, does anyone have access to Realtek's example code?

Agreed.

If you use binwalk to pull apart the firmware image you'll see all the unused assets, hidden menus, version strings etc. that all point to it being based on Realtek's reference code (probably sort of like a Board Support Pack (BSP) that you see in the mobile space).

 

[up-n-atom]

Added photos incl. mods for testing firmware and the SWTG115AS v2.0 flash dump to my repo but I'll add that here as well.

Again, if anyone is willing to dump the SWTG118AS v2.0 via the serial console that'll be much appreciated. You can use either Real Term or Tera Term on Windows and this simple explanation on how-to

 

[AC613]

I have the Sodola 5+1 nanaged switch purchased about 2 months ago. Does anyone know the latest firmware for thus unit? Thanks

 

[oedo808]

Can't say I've found that password, but I can say what I've tried unsuccessfully. It isn't any 6 char or fewer password with any case, number, special. It isn't any 7 or 8 char lowercase-only password. Beyond that, I'd have to get GPU acceleration into hashcat and I haven't had the time to putter with that yet. Using variations of hashcat -O -a 3 -m 0 hengrui.hash hengrui?a?a?a?a?a?a to do it. Perhaps someone with GPU accel and some time can try adding a few ?a to that, but the complexity for a brute force goes up quick. Maybe there's a wordlist that would be a better approach.

I have tried ?a up to six times now with only exhausted results.

FYI, for anyone else attempting to try to crack this, using hengrui?a or any number of mask attack characters limits your performance significantly. I was getting 1.2mhs trying
`hashcat -O -a 3 -m 0 -i hengrui.hash hengrui?a?a?a?a?a?a?a?a'
After 6 ?a characters I decided to spin up an EC2 instance type g4dn.16xlarge
When I tried the same I was getting less performance than my home Radeon RX590
I then read: hashcat/docs/performance.txt at e194fec2291e487d01c313934932ba782eed1367 · hashcat/hashcat

I then tried:
`.\hashcat -O -a 3 -m 20 -i --increment-min=4 admin.hash.txt ?a?a?a?a?a`
where admin.hash.txt contains one line:
f6fdffe48c908deb0f4c3bd36c032e72:admin

The bruteforce ran much quicker treating the username as a salt and yielded:
f6fdffe48c908deb0f4c3bd36c032e72:admin:admin

I'm now running against hengrui.hash with a single line of:
81d57ea79621e8887914f40ee4122185:hengrui

locally using:
`.\hashcat -O -a 3 -m 20 -i --increment-min=7 .\hengrui.hash ?a?a?a?a?a?a?a?a`

It should only take 9 more hours for me to finish the 7 character attempt. 8 characters on my EC2 instance is going to take 6 days and 9 hours, and I'm probably going to cancel it tomorrow because I don't want to spend $3/hour for the next week to try. I am getting good speeds though at 12009.4 MH/s. Locally I'm only getting 1934.2 MH/s

Anyone else wanting to try, use the following options:
-O -a 3 -m 20 -i --increment-min=8 .\hengrui.hash ?a?a?a?a?a?a?a?a
with as many ?a's appended that you can afford.
Options:
-a 3
mask attack brute force
-m 20
md5($salt.$pass)
-i
incremental, tries each combo of ?a incrementally
--increment-min=8
I've ran ?a incrementally up to 6, and 7 should be done in 8 hours or so, this will start you at 8 and will run until ?a's are exhausted or a password is cracked

cat .\hengrui.hash
81d57ea79621e8887914f40ee4122185:hengrui

To test that it will work on admin:
cat .\admin.hash.txt
f6fdffe48c908deb0f4c3bd36c032e72:admin

If you're on Windows, be wary of how you create the text files to avoid incompatible line endings as hashcat expects CRLF linux line endings.

Now that I have this running better, I'm going to let 7 finish as a brute force attempt, cancel at 8 and try against more dictionary attacks with exotic rulesets. My previous attempts at this that have failed were:
.\hashcat.exe -O -w 3 -a 7 -m 0 hengrui.hash hengrui?a?a?a .\password-list-cn.tx
where password-list-cn.txt came from password-list/countries/password-list-cn.txt at main · scipag/password-list

I want to try with the m 20 attack mode, which will be faster along with other variations of much larger word lists using masks and known compromised passwords because I don't have the patience to wait a year to crack this through brute force means and don't want to drop the cash on a new graphics card or pay extravagant EC2 prices.

 

[up-n-atom]

I have tried ?a up to six times now with only exhausted results.

FYI, for anyone else attempting to try to crack this, using hengrui?a or any number of mask attack characters limits your performance significantly. I was getting 1.2mhs trying
`hashcat -O -a 3 -m 0 -i hengrui.hash hengrui?a?a?a?a?a?a?a?a'
After 6 ?a characters I decided to spin up an EC2 instance type g4dn.16xlarge
When I tried the same I was getting less performance than my home Radeon RX590
I then read: hashcat/docs/performance.txt at e194fec2291e487d01c313934932ba782eed1367 · hashcat/hashcat

I then tried:
`.\hashcat -O -a 3 -m 20 -i --increment-min=4 admin.hash.txt ?a?a?a?a?a`
where admin.hash.txt contains one line:
f6fdffe48c908deb0f4c3bd36c032e72:admin

The bruteforce ran much quicker treating the username as a salt and yielded:
f6fdffe48c908deb0f4c3bd36c032e72:admin:admin

I'm now running against hengrui.hash with a single line of:
81d57ea79621e8887914f40ee4122185:hengrui

locally using:
`.\hashcat -O -a 3 -m 20 -i --increment-min=7 .\hengrui.hash ?a?a?a?a?a?a?a?a`

It should only take 9 more hours for me to finish the 7 character attempt. 8 characters on my EC2 instance is going to take 6 days and 9 hours, and I'm probably going to cancel it tomorrow because I don't want to spend $3/hour for the next week to try. I am getting good speeds though at 12009.4 MH/s. Locally I'm only getting 1934.2 MH/s

Anyone else wanting to try, use the following options:
-O -a 3 -m 20 -i --increment-min=8 .\hengrui.hash ?a?a?a?a?a?a?a?a
with as many ?a's appended that you can afford.
Options:
-a 3
mask attack brute force
-m 20
md5($salt.$pass)
-i
incremental, tries each combo of ?a incrementally
--increment-min=8
I've ran ?a incrementally up to 6, and 7 should be done in 8 hours or so, this will start you at 8 and will run until ?a's are exhausted or a password is cracked

cat .\hengrui.hash
81d57ea79621e8887914f40ee4122185:hengrui

To test that it will work on admin:
cat .\admin.hash.txt
f6fdffe48c908deb0f4c3bd36c032e72:admin

If you're on Windows, be wary of how you create the text files to avoid incompatible line endings as hashcat expects CRLF linux line endings.

Now that I have this running better, I'm going to let 7 finish as a brute force attempt, cancel at 8 and try against more dictionary attacks with exotic rulesets. My previous attempts at this that have failed were:
.\hashcat.exe -O -w 3 -a 7 -m 0 hengrui.hash hengrui?a?a?a .\password-list-cn.tx
where password-list-cn.txt came from password-list/countries/password-list-cn.txt at main · scipag/password-list

I want to try with the m 20 attack mode, which will be faster along with other variations of much larger word lists using masks and known compromised passwords because I don't have the patience to wait a year to crack this through brute force means and don't want to drop the cash on a new graphics card or pay extravagant EC2 prices.

It's irrelevant, you can change the hash in the update firmware and run the Python Script to update the checksums and find it's not used. Although I haven't tested after I wiped out the config and when those hard coded credentials come into use. Anyway the cgi's can be directly called so again irrelevant.

 

[tamuin]

I have tried ?a up to six times now with only exhausted results.

FYI, for anyone else attempting to try to crack this, using hengrui?a or any number of mask attack characters limits your performance significantly. I was getting 1.2mhs trying
`hashcat -O -a 3 -m 0 -i hengrui.hash hengrui?a?a?a?a?a?a?a?a'
After 6 ?a characters I decided to spin up an EC2 instance type g4dn.16xlarge
When I tried the same I was getting less performance than my home Radeon RX590
I then read: hashcat/docs/performance.txt at e194fec2291e487d01c313934932ba782eed1367 · hashcat/hashcat

I then tried:
`.\hashcat -O -a 3 -m 20 -i --increment-min=4 admin.hash.txt ?a?a?a?a?a`
where admin.hash.txt contains one line:
f6fdffe48c908deb0f4c3bd36c032e72:admin

The bruteforce ran much quicker treating the username as a salt and yielded:
f6fdffe48c908deb0f4c3bd36c032e72:admin:admin

I'm now running against hengrui.hash with a single line of:
81d57ea79621e8887914f40ee4122185:hengrui

locally using:
`.\hashcat -O -a 3 -m 20 -i --increment-min=7 .\hengrui.hash ?a?a?a?a?a?a?a?a`

It should only take 9 more hours for me to finish the 7 character attempt. 8 characters on my EC2 instance is going to take 6 days and 9 hours, and I'm probably going to cancel it tomorrow because I don't want to spend $3/hour for the next week to try. I am getting good speeds though at 12009.4 MH/s. Locally I'm only getting 1934.2 MH/s

Anyone else wanting to try, use the following options:
-O -a 3 -m 20 -i --increment-min=8 .\hengrui.hash ?a?a?a?a?a?a?a?a
with as many ?a's appended that you can afford.
Options:
-a 3
mask attack brute force
-m 20
md5($salt.$pass)
-i
incremental, tries each combo of ?a incrementally
--increment-min=8
I've ran ?a incrementally up to 6, and 7 should be done in 8 hours or so, this will start you at 8 and will run until ?a's are exhausted or a password is cracked

cat .\hengrui.hash
81d57ea79621e8887914f40ee4122185:hengrui

To test that it will work on admin:
cat .\admin.hash.txt
f6fdffe48c908deb0f4c3bd36c032e72:admin

If you're on Windows, be wary of how you create the text files to avoid incompatible line endings as hashcat expects CRLF linux line endings.

Now that I have this running better, I'm going to let 7 finish as a brute force attempt, cancel at 8 and try against more dictionary attacks with exotic rulesets. My previous attempts at this that have failed were:
.\hashcat.exe -O -w 3 -a 7 -m 0 hengrui.hash hengrui?a?a?a .\password-list-cn.tx
where password-list-cn.txt came from password-list/countries/password-list-cn.txt at main · scipag/password-list

I want to try with the m 20 attack mode, which will be faster along with other variations of much larger word lists using masks and known compromised passwords because I don't have the patience to wait a year to crack this through brute force means and don't want to drop the cash on a new graphics card or pay extravagant EC2 prices.

Thanks! That is pretty clear/concise discussion on how to use hascat

 

[lubmen]

I have a problem.

I accidentally uploaded the firmware from the switch 4x 2.5GbE plus 1x 10GbE SFP+ to the switch 8x 2.5GbE plus 1x 10GbE SFP+.

Please does anyone have a dump for ZX-SWTGW218AS.

Thanks for help

 

[switchfan]

I recently purchased a 2nd Horaco ZX-SWTGW218AS, because I was running out of ports....

When doing that, I also power-cycled my 1st ZX-SWTGW218AS. After the reboot, all worked fine, except that I can't reach this switch via IP anymore.
Pressing the reset button for 6 seconds does reset the switch, but the default settings seem to be gone, I cannot reach it neither through 192.168.2.1 nor the previously configured 192.168.1.4.
Any idea how to get this back to work?

Edit: The root-cause of this problem could have been, that I played around with the manufacturing menu ftdft.cgi; maybe I set an IP which I cannot remember anymore. Any chance to find it out without the serial console?

Edit2: Problem solved. I indeed changed the default IP-Address of Switch#1. And I configured Switch#2 to exact the same address...

 

[up-n-atom]

I recently purchased a 2nd Horaco ZX-SWTGW218AS, because I was running out of ports....

When doing that, I also power-cycled my 1st ZX-SWTGW218AS. After the reboot, all worked fine, except that I can't reach this switch via IP anymore.
Pressing the reset button for 6 seconds does reset the switch, but the default settings seem to be gone, I cannot reach it neither through 192.168.2.1 nor the previously configured 192.168.1.4.
Any idea how to get this back to work?

Edit: The root-cause of this problem could have been, that I played around with the manufacturing menu ftdft.cgi; maybe I set an IP which I cannot remember anymore. Any chance to find it out without the serial console?

if you got an idea of the network nmap can make a quick job of it. If not it's just easier to listen in for the arp requests with tshark/wireshark eg. I isolated to a single specific interface connected to the switch and filter for arp.

sudo tshark -i enp0s20f0u3 -f "arp"
Running as user "root" and group "root". This could be dangerous.
Capturing on 'enp0s20f0u3'
** (tshark:335844) 17:56:46.122609 [Main MESSAGE] -- Capture started.
** (tshark:335844) 17:56:46.122650 [Main MESSAGE] -- File: "/var/tmp/wireshark_enp0s20f0u3BEZPwx.pcapng"
    1 0.000000000 Shenzhen_1a:5c:ff → Broadcast    ARP 60 Who has 192.168.2.254? Tell 192.168.2.1

 

[switchfan]

Please does anyone have a dump for ZX-SWTGW218AS.

It's in the up-n-atom's repo: SWTG118AS/firmware/SWTG118AS-v1.0 at main · up-n-atom/SWTG118AS

 

[up-n-atom]

It's in the up-n-atom's repo: SWTG118AS/firmware/SWTG118AS-v1.0 at main · up-n-atom/SWTG118AS

No it's not, that's for the unmanaged dump version ie. 1

 

[up-n-atom]

I have a problem.

I accidentally uploaded the firmware from the switch 4x 2.5GbE plus 1x 10GbE SFP+ to the switch 8x 2.5GbE plus 1x 10GbE SFP+.

Please does anyone have a dump for ZX-SWTGW218AS.

Thanks for help

It shouldn't of touched the bootloader/backup partitions so if you have USB to 3.3V TTY serial adapter you can just hold ESC and power on the switch and it'll go into upload mode at http://192.168.1.1 where you can use the proper firmware update.

==========Loader start===========
Press any key to start the normal procedure.
To run SPI flash viewer, press [v]
To enforce the download of the runtime kernel, press [ESC] .
  cmd 27
sal_sys_runtime_crc_set
loader start
load MAC from nvcfg
  IP:192.168.1.1
Mask:255.255.255.0
  GW:192.168.1.254
 MAC:AA.BB.CC.DD.EE.FF