Update: I ran `et` under strace to dive deeper:
root@OpenWrt:/# strace -s 100 -E LD_LIBRARY_PATH=/root /root/et -i eth0 robowr 0x0 0x18 0x1ff
execve("/root/et", ["/root/et", "-i", "eth0", "robowr", "0x0", "0x18", "0x1ff"], 0xb7550 /* 15 vars */) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|1<<MAP_HUGE_SHIFT, -1, 0) = 0xb6fb3000
open("/root/libc.so.0", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=420536, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|1<<MAP_HUGE_SHIFT, -1, 0) = 0xb6fb2000
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\220I\1\0004\0\0\0\250f\6\0\2\0\0\0054\0 \0\10\0(\0\32\0\31\0\1\0\0p\210N\6\0\210N\6\0\210N\6\08\0\0\08\0\0\0\4\0\0\0\4\0\0\0\6\0\0\0004\0\0\0004\0\0\0004\0\0\0"..., 4096) = 4096
mmap2(NULL, 475136, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb6f34000
mmap2(0xb6f34000, 413376, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xb6f34000
mmap2(0xb6fa1000, 4980, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x65000) = 0xb6fa1000
mmap2(0xb6fa3000, 17872, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb6fa3000
close(3) = 0
munmap(0xb6fb2000, 4096) = 0
stat("/lib/ld-uClibc.so.0", {st_mode=S_IFREG|0755, st_size=21256, ...}) = 0
open("/dev/urandom", O_RDONLY) = 3
read(3, "N\f \252", 4) = 4
close(3) = 0
mprotect(0xb6fa1000, 4096, PROT_READ) = 0
mprotect(0xb6fb4000, 4096, PROT_READ) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
ioctl(3, _IOC(_IOC_NONE, 0x89, 0xff, 0), 0xbe8d5c20) = -1 EOPNOTSUPP (Not supported)
write(2, "etcrobowr", 9etcrobowr) = 9
write(2, ": ", 2: ) = 2
write(2, "Operation not supported", 23Operation not supported) = 23
write(2, "\n", 1
) = 1
exit(1) = ?
+++ exited with 1 +++
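So the culprit is the `ioctl` syscall. The request decodes to 0x89ff, which falls in the device-private range (SIOCDEVPRIVATE, 0x89F0–0x89FF), so the EOPNOTSUPP apparently means the driver behind eth0 on this system does not handle the private request that `et` issues. Looking at Netgear's open source code from here, we can see that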
- the `et` binary is prebuilt
- the `et` kernel module is prebuilt too
- there is some interesting stuff in `src/shared/bcmrobo.c`, which is apparently Broadcom's switch driver