ファーム 1.20b2 に telnet

PC-P1LAN ファーム 1.20b2 も telnet 可能にできるかな??

initrd の取り出し

bash-2.04$ dd if=/usr/local/BootServer/tftpboot/firm/initrd.boot of=initrd.gz bs=64 skip=1
96361+1 records in
96361+1 records out
bash-2.04$ gunzip initrd.gz

initrd のマウント

bash-2.04$ su - root
Password:
[root@link /root]# mkdir /tmp/root
[root@link /root]# cd /mnt/pc-p1lan/
[root@link pc-p1lan]# mount -o loop initrd /tmp/root

/etc/init.d/rcS の修正

1.20b1 の /etc/init.d/rcS と 1.20b2 の /etc/init.d/rcS とを比べる 
[root@link pc-p1lan]# diff -c /tmp/root/etc/init.d/rcS /tmp/rcS
*** /tmp/root/etc/init.d/rcS    2005-09-28 18:07:00.000000000 +0900
--- /tmp/rcS    2006-03-04 18:31:09.000000000 +0900
***************
*** 21,27 ****

  hostname PC-P1LAN

! /sbin/inetd

  /sbin/modprobe mpeg2
  /sbin/modprobe mpeg2_pcm_dec
--- 21,29 ----

  hostname PC-P1LAN

! #/sbin/inetd
! /usr/sbin/ntpdate gawa
! /sbin/telnetd

  /sbin/modprobe mpeg2
  /sbin/modprobe mpeg2_pcm_dec
[root@link pc-p1lan]#
[root@link pc-p1lan]# ls -l /tmp/root/sbin/telnetd
lrwxrwxrwx    1 500      501            14 Feb 27 11:23 /tmp/root/sbin/telnetd -> ../bin/busybox
[root@link pc-p1lan]# ls -l /usr/sbin/ntpdate
-rwxr-xr-x    1 root     root        49460 Mar  3  2002 /usr/sbin/ntpdate
[root@link pc-p1lan]#
rcS の変更は、前のままでいけそう。

rcS の変更

rcS を変更する 
[root@link pc-p1lan]# cp /tmp/root/etc/init.d/rcS /tmp/rcS.1.20b2
[root@link pc-p1lan]# vi /tmp/root/etc/init.d/rcS
	:
	:
[root@link pc-p1lan]# diff -c /tmp/rcS.1.20b2 /tmp/root/etc/init.d/rcS
*** /tmp/rcS.1.20b2     2006-03-04 18:35:41.000000000 +0900
--- /tmp/root/etc/init.d/rcS    2006-03-04 18:37:14.000000000 +0900
***************
*** 21,27 ****

  hostname PC-P1LAN

! /sbin/inetd

  /sbin/modprobe mpeg2
  /sbin/modprobe mpeg2_pcm_dec
--- 21,29 ----

  hostname PC-P1LAN

! #/sbin/inetd
! /usr/sbin/ntpdate link
! /sbin/telnetd

  /sbin/modprobe mpeg2
  /sbin/modprobe mpeg2_pcm_dec
[root@link pc-p1lan]#

標準ファームの待避

[root@link pc-p1lan]# pushd /usr/local/BootServer/
/usr/local/BootServer /mnt/pc-p1lan
[root@link BootServer]# ls -l
合計 76
-rwxr-xr-x    1 root     root        11124 Oct 15 13:57 fwupdated
-rwxr-xr-x    1 root     root        11869 Oct 15 13:57 rarpcfgd
-rwxr-xr-x    1 root     root        26036 Oct 15 13:57 rarpd
lrwxrwxrwx    1 root     root           15 Mar  4 15:02 tftpboot -> tftpboot_1.20b2
drwxr-xr-x    3 root     root         4096 Oct  5 11:27 tftpboot_1.00
drwxr-xr-x    3 root     root         4096 Mar  4 10:08 tftpboot_1.20b1+hack
drwxr-sr-x    3 yasunari yamasita     4096 Mar  4 14:59 tftpboot_1.20b2
-rwxr-xr-x    1 root     root        11160 Oct 15 13:57 tftpd
[root@link BootServer]# rm tftpboot
rm: `tftpboot' を削除しますか(yes/no)? y
[root@link BootServer]# mkdir tftpboot_1.20b2+hack
[root@link BootServer]# ln -s !$ tftpboot
ln -s tftpboot_1.20b2+hack tftpboot
[root@link BootServer]# ls -l
合計 80
-rwxr-xr-x    1 root     root        11124 Oct 15 13:57 fwupdated
-rwxr-xr-x    1 root     root        11869 Oct 15 13:57 rarpcfgd
-rwxr-xr-x    1 root     root        26036 Oct 15 13:57 rarpd
lrwxrwxrwx    1 root     root           20 Mar  4 18:39 tftpboot -> tftpboot_1.20b2+hack
drwxr-xr-x    3 root     root         4096 Oct  5 11:27 tftpboot_1.00
drwxr-xr-x    3 root     root         4096 Mar  4 10:08 tftpboot_1.20b1+hack
drwxr-sr-x    3 yasunari yamasita     4096 Mar  4 14:59 tftpboot_1.20b2
drwxr-xr-x    2 root     root         4096 Mar  4 18:39 tftpboot_1.20b2+hack
-rwxr-xr-x    1 root     root        11160 Oct 15 13:57 tftpd
[root@link BootServer]# (cd tftpboot_1.20b2; tar cf - .)|(cd tftpboot_1.20b2+hack; tar xvf -)
./
./files
./version
./firm/
./firm/initrd.boot
./firm/uImage
[root@link BootServer]# popd
/mnt/pc-p1lan

initrd.boot の作成

以前作ったスクリプトを実行する。 
[root@link pc-p1lan]# umount /tmp/root
[root@link pc-p1lan]# cat mkinitrd.boot.sh
#        tools/mkimage -A arch -O os -T type -C comp -a addr -e ep \
#                      -n name -d data_file image
#          -A ==> set architecture to 'arch'
#          -O ==> set operating system to 'os'
#          -T ==> set image type to 'type'
#          -C ==> set compression type 'comp'
#          -a ==> set load address to 'addr' (hex)
#          -e ==> set entry point to 'ep' (hex)
#          -n ==> set image name to 'name'
#          -d ==> use image data from 'datafile'
#
#[root@gawa u-boot-1.1.4]# ./tools/mkimage -l /tmp/p1lan/initrd.boot
#Image Name:   RAM Disk
#Created:      Sat Dec 17 16:43:56 2005
#Image Type:   ARM Linux RAMDisk Image (gzip compressed)
#Data Size:    7248200 Bytes = 7078.32 kB = 6.91 MB
#Load Address: 0x00000000
#Entry Point:  0x00000000
#
#
u-boot-1.1.4/tools/mkimage \
        -A "ARM" \
        -O "Linux" \
        -T "ramdisk" \
        -C "gzip" \
        -a "0x00000000" \
        -e "0x00000000" \
        -n "RAM Disk" \
        -d "initrd" \
        /usr/local/BootServer/tftpboot/firm/initrd.boot

ls -l /usr/local/BootServer/tftpboot/firm/

/etc/rc.d/init.d/ltbootd stop
/etc/rc.d/init.d/ltbootd start
[root@link pc-p1lan]# sh mkinitrd.boot.sh
Image Name:   RAM Disk
Created:      Sat Mar  4 18:43:20 2006
Image Type:   ARM Linux RAMDisk Image (gzip compressed)
Data Size:    16777216 Bytes = 16384.00 kB = 16.00 MB
Load Address: 0x00000000
Entry Point:  0x00000000
合計 17292
-rwxr--r--    1 yasunari yamasita 16777280 Mar  4 18:43 initrd.boot
-rwxr--r--    1 yasunari yamasita   898316 Sep 24 18:41 uImage
Stop services: rarpd/sbin/start-stop-daemon: warning: failed to kill 14788: No such process
/sbin/start-stop-daemon: warning: failed to kill 14787: No such process
/sbin/start-stop-daemon: warning: failed to kill 14784: No such process
 tftpd rarpcfgd/sbin/start-stop-daemon: warning: failed to kill 14794: No such process
/sbin/start-stop-daemon: warning: failed to kill 14791: No such process
 fwupdated.
Starting services: rarpd tftpd rarpcfgd fwupdated.
[root@link pc-p1lan]#

PC-P1LAN 起動

PC-P1LAN をコールドブートする

PC-P1LAN ファーム 1.20b2 に telnet

[root@link pc-p1lan]# telnet p1lan
Trying 192.168.1.51...
Connected to p1lan.
Escape character is '^]'.


Linux-2.6.5 (Buffalo PC-PLAN1)

PC-P1LAN login: root
Password:


BusyBox v1.00-pre10 (2005.09.03-02:53+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # ps -aux
  PID  Uid     VmSize Stat Command
    1 root        576 S   init
    2 root            SWN [ksoftirqd/0]
    3 root            SW< [events/0]
    4 root            SW< [kblockd/0]
    5 root            SW  [pdflush]
    6 root            SW  [pdflush]
    7 root            SW  [kswapd0]
    8 root            SW< [aio/0]
    9 root            SW  [mtdblockd]
   17 root            SWN [jffs2_gcd_mtd2]
   39 root        536 S   /usr/sbin/dhcpcd -n -l 60
   51 root        444 S   /sbin/telnetd
   74 root        568 S   /usr/bin/mbwatch /home/mediasession
   75 root        536 S   /sbin/getty 115200 ttyS0 vt100
   76 root       4680 S   /home/mediasession
   77 root       4680 S   /home/mediasession
   78 root       4680 S   /home/mediasession
   79 root       4680 S   /home/mediasession
   80 root       4680 S   /home/mediasession
   81 root       4680 S   /home/mediasession
   82 root       4680 S   /home/mediasession
   83 root       4680 S   /home/mediasession
   84 root       4680 S   /home/mediasession
   85 root       4680 S   /home/mediasession
   86 root       4680 S   /home/mediasession
   87 root        764 S   -sh
   88 root        692 R   ps -aux
~ #
OK.
1.20b2 も同じ方法で telnet 可能。

PC-P1LAN ファームウェア 1.20β2 		ハックの記録
PC-P1LAN をハックしよう
次なる目標?
Copyright (C) 2006 Yasunari Yamashita. All Rights Reserved.
yasunari @ yamasita.jp 山下康成@京都府向日市