Support for Mikrotik RB3011UiAS-RM?

I wasn't thinking of a modified npk but the 6.41.4 NPK, which you can then exploit with bytheway and get a root shell.
This way the signature is not touched, but the NPK causes the image to be too large and it won't boot.
I have used bytheway on the 6.41 branch and it works.

More digging results:

#binwalk ./kernel.elf 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             ELF, 32-bit LSB executable, ARM, version 1 (SYSV)
43472         0xA9D0          xz compressed data
43504         0xA9F0          xz compressed data
1649136       0x1929F0        xz compressed data

#dd if=kernel.elf bs=1 skip=1649136 of=./kernel.p3.xz
#xzcat ./kernel.p3.xz > ./initramfs.cpio
#mkdir cpio-fs
#cd cpio-fs
#cpio -idv < ../initramfs.cpio
#ls -l
итого 260
drwxrwxrwx 2 root  root    4096 мар  9 13:19 dev
-rwxr-xr-x 1 adron adron 198564 мар  9 13:19 init
-rwxr-xr-x 1 adron adron  58828 мар  9 13:19 order

!!! In theory we can then modify initramfs.cpio and pack it back !!!

Well that seems really promising.
What does it contain?

It contains a small file system with a dev dir and two ELF binaries (init and order).

So in theory we could place whatever we want in it?
Are there size limits?

In theory, YES.
But to say for certain we need to conduct some tests.

Hm, actually I think that we could edit init to drop to a rescue shell during boot.
That would actually be the simplest, and from it in theory we should be able to edit whatever.

I tried to unpack, modify and then pack again. RouterOS with a netbooted kernel works OK.

extract_kernel.pl

#!/usr/bin/perl
use strict;
use warnings;

# Collect the byte offset of every xz stream that binwalk reports in kernel.elf
# (the backticks around the binwalk command were lost in the forum post).
my $p = 1;
my @offs;
foreach (`binwalk ./kernel.elf | grep "xz compressed data"`) {
    chomp;
    my ($off) = split;    # first column of binwalk output is the decimal offset
    push(@offs, $off);
}
die "no xz streams found in kernel.elf\n" unless @offs;

# Everything before the first stream is the ELF head and is kept as-is.
print "dd if=kernel.elf bs=1 skip=0 count=$offs[0] of=./kernel.HEAD\n";

# One dd per stream; the last one runs to end of file, so it gets no count.
for (my $a = 0; $a < @offs; $a++) {
    my $off  = $offs[$a];
    my $size = defined $offs[$a + 1] ? $offs[$a + 1] - $off : 0;
    print "dd if=kernel.elf bs=1 skip=$off "
        . ($size > 0 ? "count=$size " : "")
        . "of=./kernel.p$p.xz\n";
    $p++;
}

dd

dd if=kernel.elf bs=1 skip=0 count=43472 of=./kernel.HEAD
dd if=kernel.elf bs=1 skip=43472 count=32 of=./kernel.p1.xz
dd if=kernel.elf bs=1 skip=43504 count=1605632 of=./kernel.p2.xz
dd if=kernel.elf bs=1 skip=1649136 of=./kernel.p3.xz

unpack.sh

#!/bin/sh

xz -dc < kernel.p3.xz > initramfs.cpio

rm -Rf cpio-fs
mkdir cpio-fs
cd cpio-fs
cpio -idv < ../initramfs.cpio

pack.sh

#!/bin/sh

cd cpio-fs
find . 2>/dev/null | cpio --quiet -c -o | xz -9 --format=lzma > ../kernel.p3-new.xz
cd ..
#cat kernel.HEAD kernel.p1.xz kernel.p2.xz kernel.p3-new.xz > ./kernel-new.elf
cat kernel.HEAD kernel.p1.xz kernel.p2.xz kernel.p3.xz > ./kernel-new.elf
cat ./kernel-new.elf > /var/lib/tftpboot/linux_t1.bin

Oh. No. There is an error in the pack.sh script. With the modified initramfs it does not load!

@adron Please use "Preformatted text </>" for logs, scripts, configs and general console output.

The problem with packing it back is in lzma. Mikrotik, as always, used some strange LZMA algorithm!
Oh. It seems to use concatenated cpio images! And to extract it we need this:

( xz -dc --single-stream > initramfs.cpio && cat > tail.bin ) < kernel.p3.xz

xz 5.1.1alpha and higher can do it.
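As an added example (not adron's script and not code from this thread), the same split that the `xz -dc --single-stream` command above performs, done with Python's lzma module: the first xz stream is decompressed on its own and whatever follows it is kept byte for byte as the tail, then a modified payload is repacked with that tail re-appended. It also does the offset scan that extract_kernel.pl delegates to binwalk. The blob is constructed inline as a stand-in for kernel.p3.xz; no real RouterOS data is used.

```python
import lzma

XZ_MAGIC = b"\xfd7zXZ\x00"   # 6-byte magic that opens every xz stream


def find_xz_offsets(blob):
    """Offsets of every xz stream header in blob (the numbers binwalk printed above)."""
    offs, pos = [], blob.find(XZ_MAGIC)
    while pos != -1:
        offs.append(pos)
        pos = blob.find(XZ_MAGIC, pos + 1)
    return offs


def split_first_stream(data):
    """Decompress only the first xz stream, like `xz -dc --single-stream`.

    Returns (payload, tail): tail is whatever followed the first stream,
    untouched, which is what the `cat > tail.bin` half of the command kept.
    """
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)   # one stream, no auto-concatenation
    payload = dec.decompress(data)
    if not dec.eof:
        raise ValueError("first xz stream is truncated")
    return payload, dec.unused_data


def repack(new_payload, tail, preset=9):
    """Compress a modified payload as a fresh xz stream and re-append the untouched tail."""
    return lzma.compress(new_payload, format=lzma.FORMAT_XZ, preset=preset) + tail


def build_sample_blob():
    """Constructed stand-in for kernel.p3.xz: a fake ELF head, then two concatenated xz streams."""
    first = b"070701" + b"A" * 100    # cpio-ish bytes, constructed, not a real archive
    second = b"070701" + b"B" * 60
    s1 = lzma.compress(first, format=lzma.FORMAT_XZ)
    s2 = lzma.compress(second, format=lzma.FORMAT_XZ)
    return b"HEAD" + s1 + s2, first, second, s1, s2


if __name__ == "__main__":
    blob, first, second, s1, s2 = build_sample_blob()
    offs = find_xz_offsets(blob)                      # [4, 4 + len(s1)]
    payload, tail = split_first_stream(blob[offs[0]:])
    assert payload == first and tail == s2
    rebuilt = repack(b"070701" + b"C" * 10, tail)
    assert split_first_stream(rebuilt)[1] == s2       # tail survived the repack
    print("offsets:", offs, "payload bytes:", len(payload), "tail bytes:", len(tail))
```

A plain magic scan can hit the same false positives binwalk does, so check that each offset really decompresses before cutting there.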

First positive result:

RouterBOOT booter 6.43.7

RouterBOARD 3011UiAS

CPU frequency: 1400 MHz
  Memory size: 1024 MiB
    NAND size: 128 MiB

Press any key within 2 seconds to enter setup..
trying bootp protocol.... OK
Got IP address: 172.20.1.54
resolved mac address 0C:54:A5:45:C4:E9
Gateway: 172.20.1.1
transfer started ............. transfer ok, time=0.96s
setting up elf image... OK
jumping to kernel code
HEllo. I'm here!
Kernel panic - not syncing: Attempted to kill init!
{bf88ff0c} panic+0x84/0x1c0
{bf88ff44} do_exit+0x80/0x688
{bf88ff84} do_group_exit+0x4c/0xc0
{bf88ff9c} __wake_up_parent+0x0/0x18
CPU1: stopping
{bf8b9f5c} handle_IPI+0xf4/0x1e0
{bf8b9f7c} gic_handle_irq+0x94/0xa4
{bf8b9f94} __irq_svc+0x40/0x60
Exception stack(0xbf8b9f98 to 0xbf8b9fe0)
9f80:                                                       80c8c890 00000000
9fa0: bf8b9fe0 00000000 bf8b8000 804541c8 8041dab8 80454448 4000406a 512f04d0
9fc0: 00000000 00000000 00000001 bf8b9fe0 8000e8a0 8000e8a4 60000013 ffffffff
{bf8b9fdc} default_idle+0x24/0x28
{bf8b9fe4} cpu_idle+0x50/0x8c
{bf8b9ff4} 0x40402a94
Rebooting in 1 seconds..

for test.c:

#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-in for /init: it prints a marker and returns.
   Because PID 1 exits, the kernel panics with "Attempted to kill init!"
   right after the message, exactly as the boot log above shows. */
int main(void){
	printf("HEllo. I'm here!\n");

	return 0;
}

Awesome, I was not home so I just now saw this.
Gotta attempt to do something with it.

busybox is already running! Right now I am putting this in order and will share it.

That would be awesome, then we can move along to getting this thing's networking running.

Take a look at this
The resulting elf kernel


It is strictly RAW. Now I am cooking it to a ready state.

Ok. I'm done. Please try it.

Hm, it complains about an illegal instruction

RouterBOOT booter 6.44

RBLHGG-60ad

CPU frequency: 716 MHz
  Memory size: 256 MiB
 Storage size:  16 MiB

Press any key within 2 seconds to enter setup..
trying dhcp protocol.................. OK
resolved mac address C4:93:00:0F:30:DA
Gateway: 192.168.1.1
transfer started ............. transfer ok, time=1.15s
setting up elf image... OK
jumping to kernel code
Starting...
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory
Starting services...
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory

My busybox is not working on your ARCH. Very, very strange! I tested it only on RB3011. Now I am doing tests on RB450Dx4.

Hmm. On rb450Gx4 my hack works OK. What is the md5sum of your for_ftp_upload/OWL/bin/busybox copy?
Mine is: 93691d36a4175e2a94d07a83145ba807