I wasn't thinking of a modified NPK but the 6.41.4 NPK, which you can then exploit with bytheway and get a root shell.
This way the signature is not touched, but the NPK causes the image to be too large and it won't boot.
I have used bytheway on the 6.41 branch and it works.
More dig results:
#binwalk ./kernel.elf
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 ELF, 32-bit LSB executable, ARM, version 1 (SYSV)
43472 0xA9D0 xz compressed data
43504 0xA9F0 xz compressed data
1649136 0x1929F0 xz compressed data
#dd if=kernel.elf bs=1 skip=1649136 of=./kernel.p3.xz
#xzcat ./kernel.p3.xz > ./initramfs.cpio
#mkdir cpio-fs
#cd cpio-fs
#cpio -idv < ../initramfs.cpio
#ls -l
итого 260
drwxrwxrwx 2 root root 4096 мар 9 13:19 dev
-rwxr-xr-x 1 adron adron 198564 мар 9 13:19 init
-rwxr-xr-x 1 adron adron 58828 мар 9 13:19 order
!!! In theory we can then modify initramfs.cpio and pack it back !!!
Well that seems really promising.
What does it contain?
It contains a small file system with a dev dir and two ELF binaries (init and order).
So in theory we could place whatever we want in it?
Are there size limits?
In theory, yes.
But to say exactly we need to conduct some tests.
Hm, actually I think that we could edit init to drop to a rescue shell during boot.
That would actually be the simplest, and from it in theory we should be able to edit whatever
I try to unpack, modify and then pack again. RouterOS with netbooted kernel works OK.
extract_kernel.pl
#!/usr/bin/perl
my $p = 1;
my @offs;
# collect the offset (first column of binwalk's output) of every xz stream in the ELF
foreach(`binwalk ./kernel.elf | grep "xz compressed data"`){
    chomp;
    my($off) = split;
    push(@offs, $off);
}
# everything before the first stream is the ELF header plus kernel code
printf("dd if=kernel.elf bs=1 skip=0 " .
    "count=$offs[0] " .
    "of=./kernel.HEAD\n");
# each stream runs up to the next one; the last one runs to end of file
for(my $a = 0; $a < int(@offs); $a++){
    my $off = $offs[$a];
    my $size = defined $offs[$a + 1] ? $offs[$a + 1] - $offs[$a] : 0;
    printf("dd if=kernel.elf bs=1 skip=$off " .
        ($size > 0 ? "count=$size " : "") .
        "of=./kernel.p$p.xz\n");
    $p++;
}
dd
dd if=kernel.elf bs=1 skip=0 count=43472 of=./kernel.HEAD
dd if=kernel.elf bs=1 skip=43472 count=32 of=./kernel.p1.xz
dd if=kernel.elf bs=1 skip=43504 count=1605632 of=./kernel.p2.xz
dd if=kernel.elf bs=1 skip=1649136 of=./kernel.p3.xz
unpack.sh
#!/bin/sh
# decompress the third slice and unpack the cpio archive into cpio-fs/
xz -dc < kernel.p3.xz > initramfs.cpio
rm -Rf cpio-fs
mkdir cpio-fs
cd cpio-fs
cpio -idv < ../initramfs.cpio
pack.sh
#!/bin/sh
# repack cpio-fs/ as a newc cpio archive and compress it into a new third slice
cd cpio-fs
find . 2>/dev/null | cpio --quiet -c -o | xz -9 --format=lzma > ../kernel.p3-new.xz
cd ..
# reassembly with the rebuilt slice (commented out):
#cat kernel.HEAD kernel.p1.xz kernel.p2.xz kernel.p3-new.xz > ./kernel-new.elf
# active line reassembles with the original slice
cat kernel.HEAD kernel.p1.xz kernel.p2.xz kernel.p3.xz > ./kernel-new.elf
cat ./kernel-new.elf > /var/lib/tftpboot/linux_t1.bin
Oh no. There is an error in the pack.sh script. With the modified initramfs it does not load!
The problem with packing it back is in lzma. Mikrotik as always used some strange LZMA algorithm!
Oh. It seems concatenated cpio images are used! And to extract it we need this:
( xz -dc --single-stream > initramfs.cpio && cat > tail.bin ) < kernel.p3.xz
xz 5.1.1alpha and higher can do it.
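The whole unpack/repack round trip from the posts above, as an added example that is not one of the thread's scripts: it carves the xz streams out of an image by their header magic (what extract_kernel.pl does with binwalk and dd), splits the first xz stream of the third slice from whatever follows it (the `xz -dc --single-stream ... && cat > tail.bin` trick, done here with `lzma.LZMADecompressor`, which stops at the first stream's footer and leaves the rest in `unused_data`), lists the newc cpio archive inside, and rebuilds the slice in real .xz format with the tail appended, which is the part pack.sh lost. The "kernel" blob, its cpio contents and the tail bytes are constructed in the file; nothing here is read from a real RouterOS image, and the tail is treated as opaque bytes because the thread only says a second image follows the first stream.

```python
"""Added example: carve xz streams, split the first stream from its tail,
list the newc cpio archive inside and repack with the tail preserved.
The kernel blob is constructed below, not a real RouterOS kernel."""
import lzma

XZ_MAGIC = b"\xfd7zXZ\x00"       # 6-byte .xz stream header magic binwalk keys on
NEWC_MAGIC = b"070701"           # SVR4 "newc" cpio header magic (GNU cpio -c)


def find_xz_offsets(blob):
    """Offsets of every xz stream header in blob (the DECIMAL column the
    Perl script greps out of binwalk's output)."""
    offs, pos = [], blob.find(XZ_MAGIC)
    while pos != -1:
        offs.append(pos)
        pos = blob.find(XZ_MAGIC, pos + 1)
    return offs


def carve(blob):
    """HEAD plus one slice per xz header, mirroring the generated dd lines:
    skip=<offset>, count=<distance to the next header>, last slice to EOF."""
    offs = find_xz_offsets(blob)
    parts = {"HEAD": blob[:offs[0]]}
    for i, off in enumerate(offs):
        end = offs[i + 1] if i + 1 < len(offs) else len(blob)
        parts["p%d" % (i + 1)] = blob[off:end]
    return parts


def split_single_stream(data):
    """Decompress only the first xz stream; return (payload, tail).
    LZMADecompressor stops at the first stream's footer instead of
    decompressing concatenated streams, so the bytes after it are the tail."""
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
    payload = dec.decompress(data)
    if not dec.eof:
        raise ValueError("first xz stream is truncated")
    return payload, dec.unused_data


def list_newc(archive):
    """Entries of a newc cpio archive as [(name, size), ...] up to TRAILER!!!,
    roughly `cpio -t`.  Header is 6-byte magic + 13 eight-digit hex fields."""
    names, pos = [], 0
    while True:
        if archive[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("bad cpio header at offset %d" % pos)
        f = [int(archive[pos + 6 + 8 * k:pos + 14 + 8 * k], 16) for k in range(13)]
        filesize, namesize = f[6], f[11]        # 7th and 12th header fields
        name = archive[pos + 110:pos + 110 + namesize - 1].decode()
        data = (pos + 110 + namesize + 3) & ~3  # header+name padded to 4 bytes
        if name == "TRAILER!!!":
            return names
        names.append((name, filesize))
        pos = (data + filesize + 3) & ~3        # file data padded to 4 bytes


def newc_entry(name, data, mode=0o100755):
    """One newc header + name + data with padding (used to construct the
    sample archives here; a real edit would run cpio -o on a directory)."""
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name) + 1, 0]
    hdr = NEWC_MAGIC + b"".join(b"%08x" % v for v in fields) + name.encode() + b"\x00"
    hdr += b"\x00" * (-len(hdr) % 4)
    return hdr + data + b"\x00" * (-len(data) % 4)


def build_archive(entries):
    return b"".join(newc_entry(n, d) for n, d in entries) + newc_entry("TRAILER!!!", b"", 0)


def repack_p3(archive, tail):
    """Rebuild the third slice: .xz format (not --format=lzma) for the edited
    archive, followed by the untouched tail that pack.sh dropped."""
    return lzma.compress(archive, format=lzma.FORMAT_XZ) + tail


# ---- constructed sample that stands in for kernel.elf ----------------------
SAMPLE_TAIL = b"CONSTRUCTED-TAIL: second image that must survive a repack"


def build_sample_kernel():
    initramfs = build_archive([("init", b"#!/bin/sh\necho hi\n"), ("order", b"ORDER")])
    head = b"\x7fELF" + b"\x00" * 60                              # fake ELF header
    return (head
            + lzma.compress(b"A" * 16, format=lzma.FORMAT_XZ)     # p1
            + lzma.compress(b"B" * 4096, format=lzma.FORMAT_XZ)   # p2
            + lzma.compress(initramfs, format=lzma.FORMAT_XZ) + SAMPLE_TAIL)  # p3


def demo():
    """Unpack, replace init, repack; returns listings before/after and whether
    the tail survived the round trip."""
    parts = carve(build_sample_kernel())
    archive, tail = split_single_stream(parts["p3"])
    before = list_newc(archive)
    edited = build_archive([("init", b"#!/bin/sh\nexec /bin/sh\n"), ("order", b"ORDER")])
    rebuilt = parts["HEAD"] + parts["p1"] + parts["p2"] + repack_p3(edited, tail)
    archive2, tail2 = split_single_stream(carve(rebuilt)["p3"])
    return before, list_newc(archive2), tail2 == tail


if __name__ == "__main__":
    print(demo())
```

On a real image the same functions apply to the bytes of kernel.elf; the check that matters before netbooting is the last value returned by `demo()`: the tail after the first stream must be byte-identical to what was carved, otherwise the rebuilt slice is missing the second image.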
First positive result:
RouterBOOT booter 6.43.7
RouterBOARD 3011UiAS
CPU frequency: 1400 MHz
Memory size: 1024 MiB
NAND size: 128 MiB
Press any key within 2 seconds to enter setup..
trying bootp protocol.... OK
Got IP address: 172.20.1.54
resolved mac address 0C:54:A5:45:C4:E9
Gateway: 172.20.1.1
transfer started ............. transfer ok, time=0.96s
setting up elf image... OK
jumping to kernel code
HEllo. I'm here!
Kernel panic - not syncing: Attempted to kill init!
{bf88ff0c} panic+0x84/0x1c0
{bf88ff44} do_exit+0x80/0x688
{bf88ff84} do_group_exit+0x4c/0xc0
{bf88ff9c} __wake_up_parent+0x0/0x18
CPU1: stopping
{bf8b9f5c} handle_IPI+0xf4/0x1e0
{bf8b9f7c} gic_handle_irq+0x94/0xa4
{bf8b9f94} __irq_svc+0x40/0x60
Exception stack(0xbf8b9f98 to 0xbf8b9fe0)
9f80: 80c8c890 00000000
9fa0: bf8b9fe0 00000000 bf8b8000 804541c8 8041dab8 80454448 4000406a 512f04d0
9fc0: 00000000 00000000 00000001 bf8b9fe0 8000e8a0 8000e8a4 60000013 ffffffff
{bf8b9fdc} default_idle+0x24/0x28
{bf8b9fe4} cpu_idle+0x50/0x8c
{bf8b9ff4} 0x40402a94
Rebooting in 1 seconds..
for test.c:
#include <stdio.h>
#include <stdlib.h>

/* stand-in init: prints a banner and returns; PID 1 must never exit,
   so the kernel panics with "Attempted to kill init!" as in the log above */
int main(void){
    printf("HEllo. I'm here!\n");
    return 0;
}
Awesome, I was not home so just now saw this.
Gotta attempt to do something with it
busybox is already running! Right now I am putting this in order and will share it.
That would be awesome, then we can move along to getting this thing's networking running
It is strictly RAW. Now I'm cooking it to a ready state.
Hm, it complains about an illegal instruction
RouterBOOT booter 6.44
RBLHGG-60ad
CPU frequency: 716 MHz
Memory size: 256 MiB
Storage size: 16 MiB
Press any key within 2 seconds to enter setup..
trying dhcp protocol.................. OK
resolved mac address C4:93:00:0F:30:DA
Gateway: 192.168.1.1
transfer started ............. transfer ok, time=1.15s
setting up elf image... OK
jumping to kernel code
Starting...
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory
Starting services...
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory
Initializing busybox
Illegal instruction
Launching telnetd
chroot: cannot execute telnetd: No such file or directory
My busybox is not working on your ARCH. Very, very strange! I tested it only on RB3011. Now I'm doing tests on RB450Gx4.
Hmm. On RB450Gx4 my hack works OK. What is the md5sum of your for_ftp_upload/OWL/bin/busybox copy?
Mine is: 93691d36a4175e2a94d07a83145ba807