Author Topic: NVRAM Command on Modem Routers - Sky Firmware DG834GT On Any ISP Instructions!  (Read 14495 times)

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369

Quote
Thanks 7LM. So it appears to be a BusyBox command. One might hypothesise that only those routers which expose the BusyBox CLI to the telnet interface would have the nvram command available.

I'm not sure it's native to busybox, I was actually assuming it was just something Netgear had added to their own firmware.  Netgear do have to publish much of their source code under the GPL licenses and I'm certain I have a copy of the router source lurking somewhere in the 5TB of disk space that sits on a shelf nearby.  I'll try to find the time for a few searches to see if there's anything relevant, but it's not likely to be anytime soon, it's an awfully busy time for me...

FYI busybox, see http://busybox.net/downloads/BusyBox.html
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369

And (with apologies for consecutive posts), whereas 'ls' is a link to busybox, 'nvram' is not...

# ls -l /usr/sbin/nvram
-rwxr-xr-x    1 0        0           10300 Jan 11  2010 /usr/sbin/nvram
# ls -l /bin/ls
lrwxrwxrwx    1 0        0               7 Jan 11  2010 /bin/ls -> busybox
#

Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire

Quote
And (with apologies for consecutive posts), whereas 'ls' is a link to busybox, 'nvram' is not...

# ls -l /usr/sbin/nvram
-rwxr-xr-x    1 0        0           10300 Jan 11  2010 /usr/sbin/nvram
# ls -l /bin/ls
lrwxrwxrwx    1 0        0               7 Jan 11  2010 /bin/ls -> busybox
#

Not an overwhelmingly large binary for MIPS32.. Every instruction is 32 bits long, so it's not the most space-efficient architecture. Though the binary is probably stripped of symbols to save space.

The nvram binary could be straced to see how it interfaces with the kernel to access the flash memory.  strace is a special tool for monitoring system calls made by a process.  Usually the interface between a tool like nvram and the Linux kernel is via a special character device node found under /dev/   Maybe there is something like /dev/nvram there, perhaps?

Typical kernel system calls are  open() read() or write(), etc, but usually ioctl() calls are used for these sorts of simple functions.

strace should reveal exactly what's going on.  The 6368 firmwares have a similar tool called equipcmd.   Getting the strace binary built (statically?) for MIPS32 and onto the embedded file system (via tftp or whatever) is the first challenge.

The task then is to reverse-engineer the ioctl() demultiplexer which is found in the kernel device driver that controls access to the nvram region of the flash.

Each of those command line options for nvram will have its own ioctl() control code.  These can be discovered by painstakingly strace-running nvram for each of those options.   The parameters passed by nvram in the ioctl() kernel calls can be recovered from the strace output.

Armed with those ioctl command codes, the next task is to examine the layout and the contents of the memory buffer that is passed to and from kernelspace with the ioctl() calls.

Reverse-engineering an embedded tool like nvram is quite a fun task.

cheers, a
Logged
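
Added example, not part of asbokid's post: once strace output has been collected as the post describes, the ioctl() request codes can be tallied and split into their _IOC fields, which shows the buffer size and transfer direction for each command. The trace lines, /dev/example0 and the code values are constructed, and it assumes the driver follows the kernel's _IOC() convention (vendor drivers may use arbitrary integers instead); MIPS packs the direction and size fields differently from most architectures, so both layouts are included.

```python
import re
from collections import Counter, namedtuple

Ioctl = namedtuple("Ioctl", "code direction type nr size")

# _IOC() field layouts. MIPS uses 13 size bits and 3 direction bits with
# NONE=1/READ=2/WRITE=4; most other architectures use 14 and 2 bits with
# NONE=0/WRITE=1/READ=2.
LAYOUTS = {
    "mips":    {"sizebits": 13, "dirbits": 3, "read": 2, "write": 4},
    "generic": {"sizebits": 14, "dirbits": 2, "read": 2, "write": 1},
}

# Matches strace lines where the request was not decoded symbolically.
IOCTL_RE = re.compile(r"^ioctl\((\d+),\s*(0x[0-9a-fA-F]+)", re.M)

# Constructed sample trace (not from a real device).
SAMPLE = """\
open("/dev/example0", O_RDWR) = 3
ioctl(3, 0xc0104202, 0x7fff5e10) = 0
ioctl(3, 0x40044201, 0x7fff5e30) = 0
ioctl(3, 0xc0104202, 0x7fff5e10) = 0
close(3) = 0
"""

def decode(code, arch="mips"):
    """Split a request code into direction, type, number and buffer size."""
    lay = LAYOUTS[arch]
    nr = code & 0xFF
    typ = (code >> 8) & 0xFF
    size = (code >> 16) & ((1 << lay["sizebits"]) - 1)
    dbits = (code >> (16 + lay["sizebits"])) & ((1 << lay["dirbits"]) - 1)
    # "read" means the kernel copies data out to userspace, "write" the reverse.
    direction = "|".join(n for n in ("read", "write") if dbits & lay[n]) or "none"
    typ_s = chr(typ) if 0x20 <= typ < 0x7F else hex(typ)
    return Ioctl(code, direction, typ_s, nr, size)

def summarise(trace, arch="mips"):
    """Return [(Ioctl, call_count)] for each distinct request, in first-seen order."""
    counts = Counter(int(m.group(2), 16) for m in IOCTL_RE.finditer(trace))
    return [(decode(code, arch), n) for code, n in counts.items()]

if __name__ == "__main__":
    for ioc, n in summarise(SAMPLE):
        print(f"{ioc.code:#010x} x{n}: dir={ioc.direction} type={ioc.type!r} "
              f"nr={ioc.nr} size={ioc.size}")
```

The same code decoded with the wrong layout gives a different direction, so the architecture has to be fixed before comparing codes against a driver source tree.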

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369


Quote
The nvram binary could be straced to see how it interfaces with the kernel to access the flash memory.  strace is a special tool for monitoring system calls made by a process.  Usually the interface between a tool like nvram and the Linux kernel is via a special character device node found under /dev/   Maybe there is something like /dev/nvram there, perhaps?

I'm very familiar with strace (or 'truss' as the Unix equivalent was endearingly named), but I didn't think it was common to ship such utilities in embedded devices, where footprint reduction is a paramount goal?  Anyway I just checked, and there does not seem to be an strace on the router.  :(

I also checked for anything named 'nvram' in the /dev hierarchy, but there doesn't seem to be.
Logged

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 43603
  • Penguins CAN fly
    • DSLstats

I've installed busybox (v1.19.3) on my Debian Testing system, and it certainly doesn't have nvram as a built-in command, so it's presumably an external program which is linked to:

Currently defined functions:
        [, [[, adjtimex, ar, arp, arping, ash, awk, basename, blockdev, brctl, bunzip2, bzcat, bzip2, cal, cat,
        chgrp, chmod, chown, chroot, chvt, clear, cmp, cp, cpio, cttyhack, cut, date, dc, dd, deallocvt, depmod,
        df, diff, dirname, dmesg, dnsdomainname, dos2unix, du, dumpkmap, dumpleases, echo, egrep, env, expr,
        false, fgrep, find, fold, free, freeramdisk, ftpget, ftpput, getopt, getty, grep, groups, gunzip, gzip,
        halt, head, hexdump, hostid, hostname, httpd, hwclock, id, ifconfig, init, insmod, ionice, ip, ipcalc,
        kill, killall, klogd, last, less, ln, loadfont, loadkmap, logger, login, logname, logread, losetup, ls,
        lsmod, lzcat, lzma, md5sum, mdev, microcom, mkdir, mkfifo, mknod, mkswap, mktemp, modinfo, modprobe,
        more, mount, mt, mv, nameif, nc, netstat, nslookup, od, openvt, patch, pidof, ping, ping6, pivot_root,
        poweroff, printf, ps, pwd, rdate, readlink, realpath, reboot, renice, reset, rev, rm, rmdir, rmmod,
        route, rpm, rpm2cpio, run-parts, sed, seq, setkeycodes, setsid, sh, sha1sum, sha256sum, sha512sum, sleep,
        sort, start-stop-daemon, stat, strings, stty, swapoff, swapon, switch_root, sync, sysctl, syslogd, tac,
        tail, tar, taskset, tee, telnet, test, tftp, time, timeout, top, touch, tr, traceroute, traceroute6,
        true, tty, udhcpc, udhcpd, umount, uname, uncompress, uniq, unix2dos, unlzma, unxz, unzip, uptime,
        usleep, uudecode, uuencode, vconfig, vi, watch, watchdog, wc, wget, which, who, whoami, xargs, xz, xzcat,
        yes, zcat
Logged
  Eric

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369

For anybody with a large amount of time on their hands, the source for the DG834GT (and other Netgear devices) can be downloaded from here:

http://support.netgear.com/app/answers/detail/a_id/2649/~/gpl-open-source-code-for-programmers

...There may be other places, I found that just from searching.   I downloaded 1.03.23 earlier and began to peruse it.  There seem to be some 'nvram.c' files in the kernel driver trees for various architectures, but I can't find any corresponding utility by that name.  I may be missing something, but I really do have to get on with some other stuff today.

But who knows, with the above source download, maybe we could combine efforts and start work on a DG834GT  'kitz' custom firmware build with all our favourite features?  Only joking, but I hope I don't regret the suggestion, and end up with even more of my precious retirement time spoken for     :D
Logged

les-70

  • Kitizen
  • ****
  • Posts: 1254

If it is of any interest to someone, with Netgears I have found editing the .cfg file that saves settings a convenient way of changing things not available on the router's web pages. As a mainly Windows user I have opened the cfg with Excel to get a nice view of things, then edited carefully with Notepad.
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire

strace has to be built especially for the platform. This usually means compiling it against the uclibc library.  A pre-compiled version of strace for mips32-linux-uclibc-0.29 (iirc) is here:

https://docs.google.com/open?id=0B6wW18mYskvBNmE2YTE4OTMtZTNmMC00NjgwLWI3ODMtMDE3ODk5NWI1MzQ1

Perhaps the greater challenge is getting the binary onto the device.  Is there a suitable network service to do that? ftp, tftp or similar?

cheers, a
Logged

geep

  • Reg Member
  • ***
  • Posts: 452
    • My ST546 Statistics

http://en.wikipedia.org/wiki/BusyBox lists nvram as one of the commands, but doesn't explain what it does.

nvram works on my brand-new Netgear N150 DGN1000 (£2 from car boot sale).
I see a similar listing to that above, with a few additional things, via the command nvram show entered on the webpage
http://192.168.1.254/syscmd.htm ( default would be http://192.168.0.1/syscmd.htm )
Ordinary telnet isn't supported on DGN1000. In fact almost no monitoring is possible, that I've been able to find, except for speed, noise margin and attenuation.

Cheers,
Peter
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369

Quote
http://en.wikipedia.org/wiki/BusyBox lists nvram as one of the commands

That is indeed interesting, since I certainly never thought I'd see the day that I questioned Wikipedia   ;)    Seriously, commands that run in busybox are simple to identify as, when you look at the binary, it is simply a link to the busybox binary.  Busybox then looks at its own command line invocation, e.g. 'ls' or 'cp' or 'grep' or whatever, to decide what to do.

For example, here's the /bin directory of a DG834GT...
Quote
# ls -l /bin/     
lrwxrwxrwx    1 0        0               7 Jan 11  2010 ash -> busybox
-rwxr-xr-x    1 0        0          261920 Jan 11  2010 busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 cat -> busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 chmod -> busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 cp -> busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 dd -> busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 dmesg -> busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 echo -> busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 false -> busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 grep -> busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 ip -> busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 kill -> busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 lash -> busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 ln -> busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 ls -> busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 mkdir -> busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 more -> busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 mount -> busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 mv -> busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 ping -> busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 ps -> busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 rm -> busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 sh -> busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 sleep -> busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 touch -> busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 true -> busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 umount -> busybox

.. As you can see, none of these really exist as separate binaries, they are just links to /bin/busybox.  The purpose of busybox in embedded linux is to implement all of these common commands in a single binary, re-using as much of the code paths as possible by finding common functionality, thereby reducing the overall memory footprint compared to the duplication of code that would arise if each command were a separate binary.

On the other hand, it can be seen that the nvram command lives in /usr/sbin
Quote
# type nvram
nvram is /usr/sbin/nvram
and it can be seen that it is not a link to busybox
Quote
# ls -l /usr/sbin/nvram
-rwxr-xr-x    1 0        0           10300 Jan 11  2010 /usr/sbin/nvram

So, far be it from me to question wikipedia but the evidence suggests that, in this case at least, the nvram command is not implemented by busybox.

- 7LM

Logged
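
Added example, not part of the post above: the symlink check 7LM describes can be run over a whole `ls -l` listing captured from a telnet session, separating BusyBox applets from binaries the vendor shipped separately. The sample lines are copied from the listings in this thread; the function and category names are this example's own.

```python
import posixpath
import re

# mode, link count, uid, gid, size, three date fields, name [-> target]
LINE_RE = re.compile(
    r"^(?P<mode>[-ldbcps][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"\S+\s+\S+\s+\S+\s+(?P<name>.+?)(?: -> (?P<target>.+))?$")

# Lines taken from the DG834GT listings quoted in this thread.
SAMPLE = """\
# ls -l /bin/
lrwxrwxrwx    1 0        0               7 Jan 11  2010 ash -> busybox
-rwxr-xr-x    1 0        0          261920 Jan 11  2010 busybox
lrwxrwxrwx    1 0        0               7 Jan 11  2010 ls -> busybox
# ls -l /usr/sbin/nvram
-rwxr-xr-x    1 0        0           10300 Jan 11  2010 /usr/sbin/nvram
"""

def classify(listing, multicall="busybox"):
    """Map each command name to (kind, size) where kind is one of
    'applet', 'multicall', 'standalone', 'other-link' or 'other'."""
    result = {}
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # shell prompts, blank lines, "total N"
        name = posixpath.basename(m["name"])
        mode, target = m["mode"], m["target"]
        if mode[0] == "l":
            # A symlink to the multi-call binary is an applet, dispatched on argv[0].
            is_applet = target and posixpath.basename(target) == multicall
            kind = "applet" if is_applet else "other-link"
        elif mode[0] == "-" and "x" in mode:
            kind = "multicall" if name == multicall else "standalone"
        else:
            kind = "other"
        result[name] = (kind, int(m["size"]))
    return result

def standalone_binaries(listing):
    """Names of executables that are not provided by the multi-call binary."""
    return sorted(n for n, (k, _) in classify(listing).items() if k == "standalone")

if __name__ == "__main__":
    print(standalone_binaries(SAMPLE))
```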