Pages: 1 2 [3] 4 5 ... 21

Author Topic: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B  (Read 218625 times)

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #30 on: January 25, 2012, 05:16:26 PM »

Hi UKLad.

The Huaweis do crop up from time to time on eBay. As for hacking the ECI, now that you've obtained a full flash dump, most of the work can be done on the PC, and the ECI can be re-instated on your FTTC line.

In theory, the userspace in the firmware can even run in MIPS emulation on a PC.

We can try now to discover a compatible version of the unsquashfs tool so we can examine the file system and its contents.

That may be an interesting exercise.  From discussions with Jeremy Collake and Craig Heffner, who built and maintain the Firmware Modification Kit [1], the ECI VDSL2 modem is running yet another tweaked version of the squashfs kernel driver.

Attempts at unsquashing the root file system image using existing tools are throwing up all sorts of strange errors, mainly from the LZMA decompression code. As such, only part of the file system can be extracted.

Corporations like Lantiq and Broadcom have a history of tweaking embedded file system drivers in undocumented ways. This is done to foil independent development. The idea is to modify the file system and its compression scheme in secret ways to make it difficult to unlock for modification. This attitude is disappointing. These giant Corporations rely heavily on open source software (because of the huge cost savings) and yet they feed back very little to the open source community. It is a parasitic relationship.  *sigh!*

That said, one version of the unsquashfs tool from the Kit at [1] works in part, but bombs out half way through. Amending the file system that you extracted worked correctly;  the mksquashfs successfully appended new files to the existing squashfs image.

cheers, a

[1] http://bitsum.com/firmware_mod_kit.htm
« Last Edit: April 06, 2012, 04:15:08 PM by asbokid »
Logged

uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #31 on: January 25, 2012, 05:45:47 PM »

You will have a full dump tonight. I know exactly what I did wrong; as soon as the kids are in bed and the wife is at work ;)
« Last Edit: January 25, 2012, 06:18:41 PM by uklad »
Logged

uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #32 on: January 25, 2012, 10:14:47 PM »

NAND dump done right, I think.

http://www.mediafire.com/?1tcdqu616xpfofe

Regards
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #33 on: January 28, 2012, 04:17:10 AM »

Excellent work, uklad!  An exhilarating sensation, like donating blood?!

cheers, a
---

A bit of progress..

This is based on the 8MByte NOR flash image that UKLad kindly uploaded. The development machine is running Debian Wheezy..

The firmware for the ECI has two root file systems in it.  One is a failsafe.  However, the two file systems are not the same. One was built several months earlier than the other.   Both file systems are read-only SquashFS format, with Big-Endian byte-sex and compressed with the JRO patch for LZMA compression.  A compatible version of the squashfs tools to decompress these images is yet to be found.

There is also a read-write JFFS2 file system in the flash. JFFS2 is a dedicated flash file system with wear-levelling, garbage collection and fault recovery.

Demonstrated below is the extraction and mounting of that JFFS2 file system on a Linux AMD64 machine.  The JFFS2 file system in this ECI contains just one file, btagent.conf.   BTAgent is a TR-069 remote management tool.   The btagent.conf file contains configuration data for the BTAgent tool.

Code:
$ md5sum eciflashdump8mb.bin
2a2db35f797546c0e3e036a469a942d4  eciflashdump8mb.bin

$ ./ecisquash-extract eciflashdump8mb.bin
Size of firmware 'eciflashdump8mb.bin' : 8388608 octets
----------------------------------------------------------------

Signature of SquashFS found:
----------------------------------------------------------------
Signature : 0x71736873 ('qshs')
Format : LZMA-Big Endian
Offset : 0x1410c0
Version SquashFS : 3.0
Octets utilised : 284f05 octets
Date of creation : Mon Feb 14 06:44:14 2011
----------------------------------------------------------------

Signature of SquashFS found:
----------------------------------------------------------------
Signature : 0x71736873 ('qshs')
Format : LZMA-Big Endian
Offset : 0x4e10c0
Version SquashFS : 3.0
Octets utilised : 285216 octets
Date of creation : Tue Aug  9 04:31:35 2011
----------------------------------------------------------------

$ dd if=eciflashdump8mb.bin of=ecirootfs1 bs=1 skip=$((0x1410c0)) count=$((0x284f05))
2641669+0 records in
2641669+0 records out
2641669 bytes (2.6 MB) copied, 3.36489 s, 785 kB/s

$ dd if=eciflashdump8mb.bin of=ecirootfs2 bs=1 skip=$((0x4e10c0)) count=$((0x285216))
2642454+0 records in
2642454+0 records out
2642454 bytes (2.6 MB) copied, 3.40498 s, 776 kB/s

$ dd if=eciflashdump8mb.bin of=jffs2 bs=1 skip=$((0x790000)) count=$((0x10000))
65536+0 records in
65536+0 records out
65536 bytes (66 kB) copied, 0.09391 s, 698 kB/s

$ sudo apt-get install mtd-tools

$ sudo jffs2dump --bigendian jffs2 --endianconvert=jffs2.le

$ sudo modprobe mtdblock

$ sudo modprobe jffs2

$ sudo modprobe mtdram total_size=30000

$ cat /proc/mtd
dev:    size   erasesize  name
mtd0: 01d4c000 00020000 "mtdram test device"

$ sudo dd if=./jffs2.le of=/dev/mtdblock0
128+0 records in
128+0 records out
65536 bytes (66 kB) copied, 0.001695 s, 38.7 MB/s

$ sudo mount -t jffs2 /dev/mtdblock0 /mnt/

$ ls -l /mnt/
total 1
-rw-r--r-- 1 root root 681 Jan  1  2000 btagent.conf

$ cat /mnt/btagent.conf
|BTAgent.ForceReboot||1|ForceReboot
|BTAgent.Restart||1|Restart
|BTAgent.Version|1.21|4|
|BTAgent.FirmwareInformServerIP|firmware.mms.bt.com|6|
|BTAgent.FirmwareInformServerPort|80|6|
|BTAgent.FirmwareInformRequest|GET /%s.txt?modelName=%s&manufacturer=%s&serialnumber=%s&firmwareversion=%s%s HTTP/1.1|6|
|BTAgent.FirmwareInformPeriod|86400|6|
|BTAgent.Default.FirmwareInformPeriod|86400|4|
|BTAgent.Default.FirmwarePullEnable|0|4|
|BTAgent.FirmwarePullEnable|0|6|
|BTAgent.FirmwarePullDelay|0|6|
|BTAgent.FirmwareSupported||6|
|BTAgent.FirmwareAdditional1||6|
|BTAgent.FirmwareAdditional2||6|
|BTAgent.MaxAttempts|10|6|
|BTAgent.ConnectTimeout|60|6|
|BTAgent.TimeoutMultiple|2|6|

$
« Last Edit: April 06, 2012, 04:16:25 PM by asbokid »
Logged
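As an added illustration (not the ecisquash-extract tool used above, nor any code from this thread), the following Python scans a raw flash dump for SquashFS superblocks in all four magic/byte-order variants, including the 'qshs' LZMA-patched big-endian form reported above, sanity-checks each hit, and carves a slice the way the dd commands do. It assumes that the inode count is a u32 at +4 and the major/minor version are u16 at +28/+30 in the image's own byte order (true for SquashFS 3.x and 4.x); the sample image is constructed, not a real dump.

```python
import struct

# On-disk magic bytes for each SquashFS variant and byte order. The
# transcript above reports 0x71736873 ('qshs'): the jro LZMA-patched
# magic in big-endian. The standard magic is 0x73717368 ('sqsh'/'hsqs').
MAGICS = {
    b"hsqs": ("standard", "little"),
    b"sqsh": ("standard", "big"),
    b"shsq": ("LZMA (jro patch)", "little"),
    b"qshs": ("LZMA (jro patch)", "big"),
}


def parse_superblock(image, offset):
    """Describe the superblock at `offset`, or return None when the fields
    there are not plausible (a 4-byte magic string can occur by chance in
    text or random data, so every hit is sanity-checked)."""
    if offset + 32 > len(image):
        return None
    variant, endian = MAGICS[image[offset:offset + 4]]
    order = "<" if endian == "little" else ">"
    # Assumed layout (holds for SquashFS 3.x and 4.x): inode count is a
    # u32 at +4, major/minor version are u16 at +28 and +30, all in the
    # image's own byte order.
    (inodes,) = struct.unpack_from(order + "I", image, offset + 4)
    major, minor = struct.unpack_from(order + "HH", image, offset + 28)
    if not 1 <= major <= 4 or minor > 1 or inodes == 0:
        return None
    return {"offset": offset, "variant": variant, "endian": endian,
            "version": f"{major}.{minor}", "inodes": inodes}


def scan_squashfs(image):
    """Return every plausible SquashFS superblock in a raw flash dump,
    sorted by offset. A dump can hold several (the ECI carries a primary
    and a failsafe root file system)."""
    hits = []
    for magic in MAGICS:
        pos = image.find(magic)
        while pos >= 0:
            sb = parse_superblock(image, pos)
            if sb is not None:
                hits.append(sb)
            pos = image.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def carve(image, offset, length):
    """Slice one image out of the dump: the equivalent of
    `dd bs=1 skip=offset count=length` in the transcript above."""
    if offset < 0 or offset + length > len(image):
        raise ValueError("requested slice runs outside the flash dump")
    return image[offset:offset + length]


def make_sample_image():
    """Constructed sample input (not a real dump): 1 MiB of erased 0xFF
    flash with two fake big-endian LZMA SquashFS 3.0 superblocks, plus a
    decoy 'qshs' inside a text string that has no sane version fields."""
    img = bytearray(b"\xff" * (1 << 20))
    for off, inodes in ((0x10C0, 844), (0x810C0, 812)):
        img[off:off + 4] = b"qshs"
        struct.pack_into(">I", img, off + 4, inodes)
        struct.pack_into(">HH", img, off + 28, 3, 0)
    decoy = b"the LZMA magic is qshs on this box"
    img[0x40000:0x40000 + len(decoy)] = decoy
    return bytes(img)


if __name__ == "__main__":
    dump = make_sample_image()
    for sb in scan_squashfs(dump):
        print(f"Offset 0x{sb['offset']:x}: SquashFS {sb['version']}, "
              f"{sb['variant']}, {sb['endian']}-endian, {sb['inodes']} inodes")
```

Run against a real dump by replacing make_sample_image() with the file contents; the decoy shows why a bare string search for the magic is not enough on its own.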

JoshShep

  • Reg Member
  • ***
  • Posts: 266
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #34 on: January 29, 2012, 05:29:20 PM »

Any updates uklad?

uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #35 on: January 29, 2012, 07:14:06 PM »

Any updates uklad?

Code:
Line Status
Line Status:   Connected
Operational Mode:   VDSL2-17a
CO VendorID:   IFTN
CO Version:   0xB201

DownStream Parameter
Max BitRate:   131990 kbps
ActualBitRate: 39998 kbps PASS
Capacity:   30.3 %
Latency:   Fast

UpStream Parameter
Max BitRate:   32787 kbps
ActualBitRate: 9995 kbps PASS
Capacity:   30.5 %
Latency:   Fast

Vendor ID is IFTN, basically Infineon (now Lantiq), and we now know the ECI Openreach modems use Lantiq chipsets...

On a side note, I'm liking my Max BitRates: 132 Mbps down, 32 Mbps up. Lots of scope for the future :)

Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #36 on: January 30, 2012, 12:01:15 AM »

A bit of progress with the squashfs root file system found in the ECI NOR flash image that was uploaded by uklad.

From the kernel boot log, we can see the following:
Code:
...
Kernel command line: root=/dev/mtdblock2 ro rootfstype=squashfs ip=5.57.33.103:5.57.33.111::::eth0:on console=ttyS0,115200 ethaddr=5C:33:8E:xx:xxx:xx phym=32M mem=31M panic=1
....
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
....
squashfsb->s_magic=71736873 SQUASHFS_MAGIC=71736873
ifx_nor0: squashfs filesystem found at 0x4e10a0.
ifx_mtd_init flash0: Using static image partition
Creating 9 MTD partitions on "ifx_nor0":
0x00000000-0x00030000 : "uboot"
0x00030000-0x00040000 : "h/w setting"
0x004e10c0-0x007670c0 : "rootfs"
0x00040000-0x00050000 : "rgdb"
0x00050000-0x003f0000 : "upgrade"
0x003f0000-0x00790000 : "upgrade2"
0x00790000-0x007f0000 : "btagent"
0x00000000-0x00800000 : "flash"
0x00000000-0x00800000 : "<NULL>"
....
VFS: Mounted root (squashfs filesystem) readonly.

The unsquashfs tool for that specific version (3.2-r2-lzma) of squashfs strangely doesn't work:

Code:
$ src/others/squashfs-3.2-r2-lzma/squashfs3.2-r2/squashfs-tools/unsquashfs -ls ecirootfs2
Reading a different endian SQUASHFS filesystem on ecirootfs2
Can't find a SQUASHFS superblock on ecirootfs2
$

Yet a slightly later version (3.3-lzma) of the tool will obtain the superblock info for the fs image.

Code:
$ ~/src/others/squashfs-3.3-lzma/squashfs3.3/squashfs-tools/unsquashfs -stat ecirootfs2
Reading a different endian SQUASHFS filesystem on ecirootfs2
Found a valid big endian SQUASHFS 3:0 superblock on ecirootfs2.
Creation or last append time Tue Aug  9 04:31:35 2011
Filesystem is exportable via NFS
Inodes are compressed
Data is compressed
Fragments are compressed
Check data is not present in the filesystem
Fragments are present in the filesystem
Always_use_fragments option is not specified
Duplicates are removed
Filesystem size 2580.52 Kbytes (2.52 Mbytes)
Block size 65536
Number of fragments 42
Number of inodes 844
Number of uids 2
Number of gids 1
$

That version will also list the full contents of the squashfs file system. (The full list is attached in a .txt file to this post.)

Code:
$ ~/src/others/squashfs-3.3-lzma/squashfs3.3/squashfs-tools/unsquashfs -lls ecirootfs2
Reading a different endian SQUASHFS filesystem on ecirootfs2
drwxr-xr-x 505/users               181 2011-08-09 04:31 squashfs-root
drwxr-xr-x 505/users                26 2011-08-09 04:31 squashfs-root/BTAgent
drwxr-xr-x 505/users               280 2011-08-09 04:31 squashfs-root/BTAgent/ro
-rwxr-xr-x 505/users                13 2011-08-09 04:31 squashfs-root/BTAgent/ro/RWPath
-rwxr-xr-x 505/users             10701 2011-08-09 04:31 squashfs-root/BTAgent/ro/btagent
-rwxr-xr-x 505/users               681 2011-08-09 04:31 squashfs-root/BTAgent/ro/btagent.conf
-rwxr-xr-x 505/users               183 2011-08-09 04:31 squashfs-root/BTAgent/ro/btagentstart.sh
-rwxr-xr-x 505/users              5392 2011-08-09 04:31 squashfs-root/BTAgent/ro/libparseplugins.so
-rwxr-xr-x 505/users              6372 2011-08-09 04:31 squashfs-root/BTAgent/ro/libplugin.so
-rwxr-xr-x 505/users              5924 2011-08-09 04:31 squashfs-root/BTAgent/ro/libplugins.so
-rwxr-xr-x 505/users              7316 2011-08-09 04:31 squashfs-root/BTAgent/ro/libsourceplugins.so
-rwxr-xr-x 505/users              8264 2011-08-09 04:31 squashfs-root/BTAgent/ro/libtcp.so
-rwxr-xr-x 505/users              5888 2011-08-09 04:31 squashfs-root/BTAgent/ro/libtransportplugins.so
drwxr-xr-x 505/users                26 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_parse
-rwxr-xr-x 505/users             14956 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_parse/libxml.so
drwxr-xr-x 505/users               108 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source
-rwxr-xr-x 505/users              7944 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/libalpha2.so
-rwxr-xr-x 505/users             10212 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/libbtagent.so
-rwxr-xr-x 505/users             14248 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/libfwm.so
-rwxr-xr-x 505/users             14316 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/liblogger.so
-rwxr-xr-x 505/users              7836 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/libprobe.so
-rwxr-xr-x 505/users             27328 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/librsa.so
drwxr-xr-x 505/users                26 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_transport
-rwxr-xr-x 505/users             51820 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_transport/libsec.so
-rwxr-xr-x 505/users               286 2011-08-09 04:31 squashfs-root/BTAgent/ro/publickeys.dat
-rwxr-xr-x 505/users               183 2011-08-09 04:31 squashfs-root/BTAgent/ro/start
drwxr-xr-x 505/users                 3 2011-08-09 04:31 squashfs-root/BTAgent/rw
drwxr-xr-x 505/users               456 2011-08-09 04:31 squashfs-root/bin
-rwxr-xr-x 505/users             17992 2011-08-09 04:31 squashfs-root/bin/alphaFlashAgent
-rwxr-xr-x 505/users             33992 2011-08-09 04:31 squashfs-root/bin/alphaHousekeeper
-rwxr-xr-x 505/users             10512 2011-08-09 04:31 squashfs-root/bin/alphaLogd
-rwxr-xr-x 505/users              5272 2011-08-09 04:31 squashfs-root/bin/alpha_flash_cmd
-rwxrwxr-x 505/users            461960 2011-08-09 04:31 squashfs-root/bin/busybox
lrwxrwxrwx 505/users                 7 2011-08-09 04:31 squashfs-root/bin/cat -> busybox
       [..snipped..]
-rw-r--r-- 505/users             21189 2011-08-09 04:31 squashfs-root/www/layout/alpha.css
drwxr-xr-x 505/users                19 2011-08-09 04:31 squashfs-root/www/locale
drwxr-xr-x 505/users                20 2011-08-09 04:31 squashfs-root/www/locale/en
drwxr-xr-x 505/users                 3 2011-08-09 04:31 squashfs-root/www/locale/en/dsc
drwxr-xr-x 505/users               230 2011-08-09 04:31 squashfs-root/www/public
-rw-r--r-- 505/users               402 2011-08-09 04:31 squashfs-root/www/public/__all_need.js
-rw-r--r-- 505/users              2775 2011-08-09 04:31 squashfs-root/www/public/__button.js
-rw-r--r-- 505/users              3173 2011-08-09 04:31 squashfs-root/www/public/__comm.js
-rw-r--r-- 505/users              2595 2011-08-09 04:31 squashfs-root/www/public/__display.js
-rw-r--r-- 505/users               227 2011-08-09 04:31 squashfs-root/www/public/__head.js
-rw-r--r-- 505/users              7992 2011-08-09 04:31 squashfs-root/www/public/__ip.js
-rw-r--r-- 505/users             10249 2011-08-09 04:31 squashfs-root/www/public/__js_comm.js
-rw-r--r-- 505/users              4252 2011-08-09 04:31 squashfs-root/www/public/__menu.js
-rw-r--r-- 505/users              2242 2011-08-09 04:31 squashfs-root/www/public/__no_changes.js
-rw-r--r-- 505/users               184 2011-08-09 04:31 squashfs-root/www/public/__session_timeout.js
-rw-r--r-- 505/users              1473 2011-08-09 04:31 squashfs-root/www/public/__tb_display.js
-rwxr-xr-x 505/users              2115 2011-08-09 04:31 squashfs-root/www/public/__tree.js
-rw-r--r-- 505/users             13508 2011-08-09 04:31 squashfs-root/www/public/__wan_adv.js
lrwxrwxrwx 505/users                17 2011-08-09 04:31 squashfs-root/www/syslog -> /var/log/messages
lrwxrwxrwx 505/users                17 2011-08-09 04:31 squashfs-root/www/tsyslog.rg -> /var/log/tlogsmsg
$

Yet, using the very same version of unsquashfs to actually uncompress the squashfs image, an error is thrown by the LZMA code:

Code:
$ ~/src/others/squashfs-3.3-lzma/squashfs3.3/squashfs-tools/unsquashfs -li ecirootfs2
Reading a different endian SQUASHFS filesystem on ecirootfs2
drwxr-xr-x 505/users               181 2011-08-09 04:31 squashfs-root
drwxr-xr-x 505/users                26 2011-08-09 04:31 squashfs-root/BTAgent
drwxr-xr-x 505/users               280 2011-08-09 04:31 squashfs-root/BTAgent/ro
-rwxr-xr-x 505/users                13 2011-08-09 04:31 squashfs-root/BTAgent/ro/RWPath
-rwxr-xr-x 505/users             10701 2011-08-09 04:31 squashfs-root/BTAgent/ro/btagent
-rwxr-xr-x 505/users               681 2011-08-09 04:31 squashfs-root/BTAgent/ro/btagent.conf
-rwxr-xr-x 505/users               183 2011-08-09 04:31 squashfs-root/BTAgent/ro/btagentstart.sh
-rwxr-xr-x 505/users              5392 2011-08-09 04:31 squashfs-root/BTAgent/ro/libparseplugins.so
-rwxr-xr-x 505/users              6372 2011-08-09 04:31 squashfs-root/BTAgent/ro/libplugin.so
-rwxr-xr-x 505/users              5924 2011-08-09 04:31 squashfs-root/BTAgent/ro/libplugins.so
-rwxr-xr-x 505/users              7316 2011-08-09 04:31 squashfs-root/BTAgent/ro/libsourceplugins.so
-rwxr-xr-x 505/users              8264 2011-08-09 04:31 squashfs-root/BTAgent/ro/libtcp.so
-rwxr-xr-x 505/users              5888 2011-08-09 04:31 squashfs-root/BTAgent/ro/libtransportplugins.so
drwxr-xr-x 505/users                26 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_parse
-rwxr-xr-x 505/users             14956 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_parse/libxml.so
drwxr-xr-x 505/users               108 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source
-rwxr-xr-x 505/users              7944 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/libalpha2.so
-rwxr-xr-x 505/users             10212 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/libbtagent.so
-rwxr-xr-x 505/users             14248 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/libfwm.so
-rwxr-xr-x 505/users             14316 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/liblogger.so
-rwxr-xr-x 505/users              7836 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/libprobe.so
-rwxr-xr-x 505/users             27328 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/librsa.so
drwxr-xr-x 505/users                26 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_transport
-rwxr-xr-x 505/users             51820 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_transport/libsec.so
-rwxr-xr-x 505/users               286 2011-08-09 04:31 squashfs-root/BTAgent/ro/publickeys.dat
-rwxr-xr-x 505/users               183 2011-08-09 04:31 squashfs-root/BTAgent/ro/start
drwxr-xr-x 505/users                 3 2011-08-09 04:31 squashfs-root/BTAgent/rw
drwxr-xr-x 505/users               456 2011-08-09 04:31 squashfs-root/bin
-rwxr-xr-x 505/users             17992 2011-08-09 04:31 squashfs-root/bin/alphaFlashAgent
-rwxr-xr-x 505/users             33992 2011-08-09 04:31 squashfs-root/bin/alphaHousekeeper
-rwxr-xr-x 505/users             10512 2011-08-09 04:31 squashfs-root/bin/alphaLogd
-rwxr-xr-x 505/users              5272 2011-08-09 04:31 squashfs-root/bin/alpha_flash_cmd
-rwxrwxr-x 505/users            461960 2011-08-09 04:31 squashfs-root/bin/busybox
err -22
sqlzma_un: LZMA Unknown error 18446744073709551594
Aborted
$

The saga continues!..

[attachment deleted by admin]
« Last Edit: April 06, 2012, 04:17:02 PM by asbokid »
Logged

uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #37 on: January 30, 2012, 08:25:41 AM »

Good work, my friend, keep at it :)
Logged

JoshShep

  • Reg Member
  • ***
  • Posts: 266
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #38 on: January 31, 2012, 06:42:27 PM »

Any more updates mate?

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #39 on: January 31, 2012, 09:15:21 PM »

Any more updates mate?

Any information obtained will be revealed, in good time.  ;)

Advice: "Nay harry a hacker".  ::)
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #40 on: January 31, 2012, 09:19:06 PM »

Any more updates mate?

Any information obtained will be revealed, in good time.  ;)

Advice: "Nay harry a hacker".  ::)

;) not that I'm any the wiser
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #41 on: January 31, 2012, 09:21:37 PM »

Any more updates mate?

Hi Josh,

Debug output to the squashfs tools has been enabled.

From call tracing, it looks like ECI has achieved a 'lock-down' by patching the LZMA compression code for squashfs, the root file system used in the device. [1]

Specifically, code in the file LzmaDecode.c (part of the LZMA Software Development Kit [2]) is unexpectedly returning an LZMA_RESULT_DATA_ERROR when decoding one of the squashfs data blocks to a large file.

No obvious explanations yet for why that is happening!

It may simply be that Lantiq, who built the toolchain, has cobbled together an arbitrary version of squashfs with an arbitrary version of the LZMA decoder. 

We now have a compatible version of the squashfs tools (v.3.3) [3] insofar as the tools can correctly read the metadata of the file system: the superblock, the directory structures, the inodes and the data blocks.

The search now is to find a compatible version of LZMA Decode to correctly decompress those data blocks.

If the theory is correct, that version of LZMA decoder will have to be patched into squashfs, just as Lantiq is believed to have done.

cheers, a


[1] https://sourceforge.net/projects/squashfs/files/squashfs/
[2] https://sourceforge.net/projects/sevenzip/files/LZMA%20SDK/
[3] http://firmware-mod-kit.googlecode.com/svn-history/trunk/trunk/src/others/squashfs-3.3-lzma/
« Last Edit: January 31, 2012, 11:48:28 PM by asbokid »
Logged

uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #42 on: January 31, 2012, 09:35:33 PM »

Any more updates mate?
Hi Josh,

Debug output to the squashfs tools has been enabled. From call tracing, it looks like ECI has achieved a 'vendor lock' by patching the LZMA compression code for squashfs, the root file system used in the ECI.

Specifically, code in the file LzmaDecode.c (part of the LZMA SDK) is unexpectedly returning an LZMA_RESULT_DATA_ERROR when decoding one of the squashfs data blocks to a large file.

No obvious explanations yet for why that is happening!

cheers, a

Bastardos!! I may have to have a poke around in some of the shell scripts that set up the VLANs on the LAN ports and see if I can allocate an IP to VLAN 102 that is associated with LAN 2.
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #43 on: January 31, 2012, 10:24:36 PM »

Hi uklad!

BT locked the Huawei by firewalling all LAN-side access to the device.   It is by dropping the relevant firewall rule(s) that LAN-side access is re-enabled.

In Linux, the kernel-level firewall is called netfilter. We can see from the ECI boot logs you uploaded that the code for netfilter is compiled 'monolithically' into the kernel image itself.

The kernel-side of the Linux firewalling framework is normally interfaced with the userspace using a tool called iptables. [1]

iptables is invoked by init scripts to define the firewall rule chains.

However, in the case of the ECI, that is not how it is done.

The kernel boot logs reveal the presence of the netfilter kernel modules but there is no sign of any corresponding iptables binary in the root file system.   As such, it's not clear how the firewall is actually configured.

The iptables tool is not strictly needed to configure the firewall. Its functioning could be replicated through kernel calls hidden away in other userspace code.  That's not a normal thing to do though.  Maybe it is being used here to obfuscate?

With a serial console, it should still be possible to determine exactly what is being run at boot time and, in particular, how and where the firewall is configured.  It's just a case of following the boot sequence.

The first userspace process executed by every Unix machine is '/sbin/init'.  The 'init' process is shown as process id (pid) #1.

In many embedded systems, /sbin/init is actually a symbolic link to /bin/busybox.  Busybox attempts to mimic the functionality of Unix System V initscripts, but without the resource overheads.

The init process loads its configuration from the file /etc/inittab [2]

That inittab config file identifies the scripts that are to be executed by the init process.

The code invoked by those scripts will configure the firewall.  ;-)

Studying those initscripts should reveal the nature of the firewalling, and how to remove the firewall rules. Ultimately this could be used to re-enable LAN-side access to the web interface.

cheers, a

[1] http://www.netfilter.org/
[2] http://www.kerneltravel.net/downloads/Building.Embedded.Linux.Systems.pdf  (ch. 6.8)
« Last Edit: January 31, 2012, 11:49:07 PM by asbokid »
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #44 on: February 01, 2012, 06:09:47 PM »

The squashfs tools are currently running on a development machine.

Igor Pavlov's LZMA (Lempel–Ziv–Markov Algorithm), used by squashfs to compress the data blocks in the ECI file system, has been isolated. The algorithm can now be used to process an individual compressed data block from the file system. This allows each variant of LZMA to be tested for compatibility with the ECI.  At this stage it is suspected that no compatible version is publicly available.

First impressions are that Pavlov's decompression code has been modified at a very low level by ECI and/or Lantiq. Those code tweaks serve as a mechanism to lock the device.

Those source-level modifications to LZMA have not been published.

ECI has a US$2.5 billion deal to supply DSLAMs and CPE to British Telecom. Surely those whose software is used by ECI in this equipment deserve a share in that bonanza.

cheers, a

« Last Edit: February 03, 2012, 05:41:34 PM by asbokid »
Logged