Escolar Documentos
Profissional Documentos
Cultura Documentos
Devices
Stefan Arentz
<stefan@soze.com>
Part I
Introduction
What is Embedded Linux?
Uid
0
0
TomTom GO
GPS Navigation
DreamBox
Digital TV/Radio Tuner
Linksys WRT54G
Wireless AP
Part II
Breaking the EULA
Real World Example
Our Goal
Get access to the contents of the (read-only)
filesystem that is embedded in the firmware.
If we can do this then we have basically opened up
the device; we can modify its default behavior and
add our own modifications.
WIFI
CPU/ETH
RADIO
RAM
FLASH
ETH SWITCH
POWER
-C
57
4e
48
00
~/WRT54G_1.30.1_US_code.bin
35 34 47 00 00 00 00 03 06
44 00 00 00 00 00 00 00 00
44 52 30 00 d0 29 00 78 53
00 00 00 00 00 00 00 00 00
struct trx_header {
uint32_t magic;
uint32_t len;
uint32_t crc32;
uint32_t flag_version;
uint32_t offsets[3];
};
/*
/*
/*
/*
/*
17
00
6c
00
01
00
d5
00
1e
00
00
00
01
00
00
00
55
00
01
00
32
00
00
00
|W54G..........U2|
|ND..............|
|HDR0.?).xSl?....|
|................|
"HDR0" */
Length of file including header */
32-bit CRC */
0:15 flags, 16:31 version */
Offsets of sections */
root
root
root
root
root
root
root
root
root
root
root
root 444
root
0
root
88
root 164
root
0
root
0
root 292
root
0
root
64
root
7
root 1328
1970-01-01
1970-01-01
1970-01-01
1970-01-01
1970-01-01
1970-01-01
1970-01-01
1970-01-01
1970-01-01
1970-01-01
1970-01-01
01:00
01:00
01:00
01:00
01:00
01:00
01:00
01:00
01:00
01:00
01:00
bin/
dev/
etc/
lib/
mnt/
proc/
sbin/
tmp/
usr/
var -> tmp/var
www/
# ls -l /mnt/bin
-rwxr-xr-x 1 root
lrwxrwxrwx 1 root
lrwxrwxrwx 1 root
lrwxrwxrwx 1 root
lrwxrwxrwx 1 root
lrwxrwxrwx 1 root
lrwxrwxrwx 1 root
lrwxrwxrwx 1 root
lrwxrwxrwx 1 root
lrwxrwxrwx 1 root
# file /mnt/bin/busybox
bin/busybox: ELF 32-bit LSB MIPS-I executable, MIPS,
version 1 (SYSV), for GNU/Linux 2.3.99,
dynamically linked (uses shared libs), stripped
% ls -l /mnt/lib
-rwxr-xr-x 1 root
-rwxr-xr-x 1 root
-rwxr-xr-x 1 root
-rwxr-xr-x 1 root
-rwxr-xr-x 1 root
-rwxr-xr-x 1 root
drwxr-xr-x 1 root
Header
Compressed Kernel
Compressed File System
(CRAMFS)
Conclusion
Hacking Linux-Powered devices is
definitely possible. Be creative and
persistent!
Dont underestimate the power of a
collective effort. Sharing is key.
References
http://www.openwrt.org
http://www.opentom.org
Google for embedded
linux
Q&A