|
|
|
|
@ -30,14 +30,19 @@ fingerprinting, we will show here an example using \textbf{nmap}: |
|
|
|
|
|
|
|
|
|
\begin{Verbatim} |
|
|
|
|
nmap -P0 -O <IP address> |
|
|
|
|
Not shown: 1694 closed ports |
|
|
|
|
PORT STATE SERVICE |
|
|
|
|
631/tcp open ipp |
|
|
|
|
1033/tcp open netinfo |
|
|
|
|
6000/tcp open X11 |
|
|
|
|
Device type: general purpose |
|
|
|
|
Running: Apple Mac OS X 10.4.X |
|
|
|
|
OS details: Apple Mac OS X 10.4.8 (Tiger) |
|
|
|
|
Starting Nmap 4.20 ( http://insecure.org ) at 2007-01-08 11:05 CET |
|
|
|
|
Interesting ports on 192.168.2.1: |
|
|
|
|
Not shown: 1693 closed ports |
|
|
|
|
PORT STATE SERVICE |
|
|
|
|
22/tcp open ssh |
|
|
|
|
23/tcp open telnet |
|
|
|
|
53/tcp open domain |
|
|
|
|
80/tcp open http |
|
|
|
|
MAC Address: 00:13:xx:xx:xx:xx (Cisco-Linksys) |
|
|
|
|
Device type: broadband router |
|
|
|
|
Running: Linksys embedded |
|
|
|
|
OS details: Linksys WRT54GS v4 running OpenWrt w/Linux kernel 2.4.30 |
|
|
|
|
Network Distance: 1 hop |
|
|
|
|
\end{Verbatim} |
|
|
|
|
|
|
|
|
|
nmap is able to report whether your device uses a Linux TCP/IP stack, and if so, |
|
|
|
|
@ -50,7 +55,16 @@ on the device, and which version of the service is being used: |
|
|
|
|
|
|
|
|
|
\begin{verbatim} |
|
|
|
|
nmap -P0 -sV <IP address> |
|
|
|
|
|
|
|
|
|
Starting Nmap 4.20 ( http://insecure.org ) at 2007-01-08 11:06 CET |
|
|
|
|
Interesting ports on 192.168.2.1: |
|
|
|
|
Not shown: 1693 closed ports |
|
|
|
|
PORT STATE SERVICE VERSION |
|
|
|
|
22/tcp open ssh Dropbear sshd 0.48 (protocol 2.0) |
|
|
|
|
23/tcp open telnet Busybox telnetd |
|
|
|
|
53/tcp open domain ISC Bind dnsmasq-2.35 |
|
|
|
|
80/tcp open http OpenWrt BusyBox httpd |
|
|
|
|
MAC Address: 00:13:xx:xx:xx:xx (Cisco-Linksys) |
|
|
|
|
Service Info: Device: WAP |
|
|
|
|
\end{verbatim} |
|
|
|
|
|
|
|
|
|
The web server version, if identified, can be determining in knowing the Operating |
|
|
|
|
@ -147,9 +161,11 @@ CD-ROM the open source software used to build or modify the firmware. |
|
|
|
|
|
|
|
|
|
In conformance to the GPL license, you have to release the following sources: |
|
|
|
|
|
|
|
|
|
- complete toolchain that made the kernel and applications be compiled (gcc, binutils, libc) |
|
|
|
|
- tools to build a custom firmware (mksquashfs, mkcramfs ...) |
|
|
|
|
- kernel sources with patches to make it run on this specific hardware, this does not include binary drivers |
|
|
|
|
\begin{itemize} |
|
|
|
|
\item complete toolchain that made the kernel and applications be compiled (gcc, binutils, libc) |
|
|
|
|
\item tools to build a custom firmware (mksquashfs, mkcramfs ...) |
|
|
|
|
\item kernel sources with patches to make it run on this specific hardware, this does not include binary drivers |
|
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
|
|
Thank you very much in advance for your answer. |
|
|
|
|
|
|
|
|
|
@ -201,7 +217,7 @@ VERSION = 2 |
|
|
|
|
PATCHLEVEL = x |
|
|
|
|
SUBLEVEL = y |
|
|
|
|
EXTRAVERSION = z |
|
|
|
|
NAME=Avast! A bilge rat! |
|
|
|
|
NAME=A fancy name |
|
|
|
|
\end{verbatim} |
|
|
|
|
|
|
|
|
|
So now, you know that you have to download a standard kernel tarball at |
|
|
|
|
@ -235,6 +251,42 @@ code that has been added to make the binary driver work with the Linux kernel. |
|
|
|
|
This code might not be useful if you plan on writing from scratch drivers for |
|
|
|
|
this hardware. |
|
|
|
|
|
|
|
|
|
\subsubsection{Using the device bootloader} |
|
|
|
|
|
|
|
|
|
The bootloader is the first program that is started right after your device has |
|
|
|
|
been powered on. This program, can be more or less sophisticated, some do let you |
|
|
|
|
do network booting, USB mass storage booting ... The bootloader is device and |
|
|
|
|
architeture specific, some bootloaders were designed to be universal such as |
|
|
|
|
RedBoot or U-Boot so that you can meet those loaders on totally different |
|
|
|
|
platforms and expect to work the same way. |
|
|
|
|
|
|
|
|
|
If your device runs a proprietary operating system, you are very likely to deal |
|
|
|
|
with a proprietary boot loader as well. This may not always be a limitation, |
|
|
|
|
some proprietary bootloaders can even have source code available (i.e : Broadcom CFE). |
|
|
|
|
|
|
|
|
|
According to the bootloader features, hacking on th device will be more or less |
|
|
|
|
easier. It is very probable that the bootloader, even exotic and rare, has a |
|
|
|
|
documentation somewhere over the Internet. In order to know what will be possible |
|
|
|
|
with your bootloader and the way you are going to hack the device, look over the |
|
|
|
|
following features : |
|
|
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
|
\item does the bootloader allow net booting via bootp/DHCP/NFS or tftp |
|
|
|
|
\item does the bootloader accept loading ELF binaries ? |
|
|
|
|
\item does the bootloader have a kernel/firmware size limitation ? |
|
|
|
|
\item does the bootloader expect a firmware format to be loaded with ? |
|
|
|
|
\item are the loaded files executed from RAM or flash ? |
|
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
|
|
Net booting is something very convenient, because you will only have to set up network |
|
|
|
|
booting servers on your development station, and keep the original firmware on the device |
|
|
|
|
till you are sure you can replace it. This also prevents your device from being flashed, |
|
|
|
|
and potentially bricked every time you want to test a modification on the kernel/filesystem. |
|
|
|
|
|
|
|
|
|
If your device needs to be flashed every time you load a firmware, the bootlader might |
|
|
|
|
only accept a specific firmware format to be loaded, so that you will have to |
|
|
|
|
understand the firmware format as well. |
|
|
|
|
|
|
|
|
|
\subsubsection{Making binary drivers work} |
|
|
|
|
|
|
|
|
|
As we have explained before, manufacturers do release binary drivers in their GPL |
|
|
|
|
|
Florian Fainelli
18 years ago