Hack Transcend SDHC wifi (firmware suite)

Analyse du fichier initramfs3.gz

Pour cette partie j’ai tout bêtement suivi le tutoriel trouvé sur le site de lemoidului

$ head -c 10 initramfs3.gz
KAGZ(???
$ hexdump -C initramfs3.gz | more
00000000  4b 41 47 5a 00 28 a1 98  1f 8b 08 00 62 11 2b 51  |KAGZ.(......b.+Q|
$ dd if=initramfs3.gz of=initramfs.gz bs=1 skip=8
$ ls -l initramfs.gz 
-rw-rw-r-- 1 scolas scolas 2662808 Apr  3 18:44 initramfs.gz
$ gunzip initramfs.gz
$ mkdir RFS
$ cd RFS/
$ cpio -i < ../initramfs
$ ls
bin  etc   init  linuxrc     mnt   root  sys  ts_version.inc  var
dev  home  lib   lost+found  proc  sbin  tmp  usr             www


Dans le fichier initramfs3.gz

  • Les 4 premiers octets (4b 41 47 5a, « KAGZ » en ASCII) sont un magic fixe.
  • Les 4 octets suivants (00 28 a1 98) sont la taille de la charge utile, en big-endian : 0x0028A198 = 2662808 octets, soit exactement la taille de initramfs.gz obtenue après le dd (skip=8). Le flux gzip (1f 8b 08) commence immédiatement à l'offset 8. Dans ces 8 octets d'entête on ne voit ni somme de contrôle ni signature ; si le chargeur vérifie l'image d'une autre manière, cela ne se voit pas ici.

On peut maintenant se balader dans l’arborescence de notre firmware.

Le fichier /etc/init.d/rcS

Je vous mets le contenu ci-dessous. Deux points à repérer en le lisant : le script exécute sans aucune vérification un éventuel /mnt/sd/autorun.sh présent à la racine de la carte (en root, à chaque démarrage, et avant même le test « carte Transcend »), et le serveur d'identité idS est lancé par udpsvd sur le port UDP 55777 de toutes les interfaces, alors que cmd_server n'écoute que sur 127.0.0.1 :

#! /bin/sh
# /etc/init.d/rcS -- boot script of the KeyASIC WifiSD firmware, extracted from
# initramfs3.gz. Run by init (i.e. as root): mounts the config flash, loads the
# SD driver, starts the two local UDP services, then brings up WiFi and the
# card applications. Failures are appended to /tmp/log.rcS; the script never
# aborts on error.
# NOTE(review): lines marked NOTE(review) were added while analysing the
# extracted firmware; every command line is the original one, unchanged.
echo "KeyASIC WifiSD console ..."
# No usable clock at boot: the date is pinned to 2012-01-01 00:00 every time.
date -s 201201010000
# Persistent settings live on a JFFS2 partition, mounted at /mnt/mtd.
mount -t jffs2 /dev/mtdblock0 /mnt/mtd > /tmp/log  2>&1 
ret=$?
if [ $ret -ne 0 ] ; then
	echo "Faled cmd: mount -t jffs2 /dev/mtdblock0 /mnt/mtd" >> /tmp/log.rcS
	cat /tmp/log >> /tmp/log.rcS
	cat /tmp/log
	rm /tmp/log
fi

# SD host controller driver for the KA2000 SoC.
insmod /lib/ka2000-sdhc.ko max_sd_blk=8 > /tmp/log 2>&1
ret=$?
if [ $ret -ne 0 ] ; then
	echo "Faled cmd: insmod /lib/ka2000-sdhc.ko" >> /tmp/log.rcS
	cat /tmp/log >> /tmp/log.rcS
	cat /tmp/log
	rm /tmp/log
fi

sleep 2
mount_sd > /tmp/log 2>&1
# NOTE(review): bug in the original -- ret is not refreshed (there is no
# `ret=$?` after mount_sd), so this test still sees the insmod status and a
# failed mount_sd is never reported here.
if [ $ret -ne 0 ] ; then
	echo "Faled cmd: mount_sd" >> /tmp/log.rcS
	cat /tmp/log >> /tmp/log.rcS
	cat /tmp/log
	rm /tmp/log
fi



buzzer -f 2

# Second-stage boot script; its contents are not shown here.
/etc/init.d/rcS.p     
  
# Memory policy
# overcommit_memory=2 is strict accounting: allocations are capped at
# swap + overcommit_ratio percent of RAM (100 percent here).
echo 2 > /proc/sys/vm/overcommit_memory
echo 100 > /proc/sys/vm/overcommit_ratio


# production test  
# A WIFI_TEST.TXT marker at the root of the card triggers the factory test
# once; the marker is removed afterwards and refresh_sd is called (presumably
# to make the host see the updated card contents -- not verifiable here).
if [ -f /mnt/sd/WIFI_TEST.TXT ]
then
	sleep 5
	echo "start production test"
	production_test

	rm /mnt/sd/WIFI_TEST.TXT	
	sleep 1
	sync
	refresh_sd     
fi                               


# Main settings file, copied from flash into the RAM rootfs on every boot.
echo "wsd to sd"
cp /mnt/mtd/config/wsd.conf /etc
sync
#cp /mnt/mtd/config/wsd.conf /mnt/sd

if [ ! -f /etc/cimgconf ]
then
echo "wsd to sd"
cp /mnt/mtd/config/cimgconf /etc
sync; refresh_sd
fi

/sbin/ifconfig lo 127.0.0.1 up
# Command server on UDP 55778, bound to loopback only: reachable solely from
# processes running on the card itself.
udpsvd 127.0.0.1 55778 /usr/bin/cmd_server &

# Start Identity server.
# NOTE(review): unlike cmd_server above, idS is bound to host "0", i.e. all
# interfaces, so UDP 55777 is exposed on the WiFi link once it is up, with no
# authentication visible at this level. What idS answers is not shown here
# and is worth a look.
udpsvd 0 55777 idS &

# Firmware Upgrade Just Done 
# If /etc/hostapd-fu.conf exists a firmware upgrade has just been applied:
# restore the config files from flash, run the post-upgrade AP script
# (ap_fu.sh) with instant upload temporarily disabled, then stop the app and
# exit. The normal boot path below is skipped entirely on such a boot.
if [ -f /etc/hostapd-fu.conf ]; then
	echo "Start Hostapd for finishing firmware upgrade"
	cp /mnt/mtd/config/dnsd.conf /etc
	#cp /mtd/udhcpd.conf to /etc
	cp /mnt/mtd/config/udhcpd.conf /etc
	cp /mnt/mtd/config/wsd_backup.conf /etc/wsd_backup.conf
	cp /mnt/mtd/config/instant_upload.conf /etc
	# ia.passwd goes into the boa web server's directory -- presumably the
	# web UI credential file; its format is not visible here.
	cp /mnt/mtd/config/ia.passwd /etc/boa
	if [ -f /mnt/mtd/config/is_wifi_list.json ]; then
		echo "Found is_wifi_list.json. copy to /etc/json/"
		cp /mnt/mtd/config/is_wifi_list.json /etc/json/is_wifi_list.json
	fi

	# wifi_get_config writes the value to /config_value; save it so the
	# setting can be restored after kcard_app has run.
	wifi_get_config -c "GPlus-Enable"
	gplus_setting=`cat /config_value`

    # Avoid starting instant upload
	/usr/bin/wifi_set_config -c "GPlus-Enable" "NO"

	#kcard_app --nohidden &
	/usr/bin/kcard_app.sh start

	/usr/bin/wifi_set_config -c "GPlus-Enable" "$gplus_setting"

	/usr/bin/ap_fu.sh

	sleep 1

	#pkill kcard_app
	/usr/bin/kcard_app.sh stop

	exit 0
fi


# Missing card-info file: run kcard_app briefly with kcard_startup -s 0
# (presumably to (re)generate wsdinfo -- not verifiable here), then carry on.
if [ ! -f "/mnt/mtd/wsdinfo" ]; then

	echo "Faled cmd: Can't find /mnt/mtd/wsdinfo" >> /tmp/log.rcS
	
	/usr/bin/kcard_app.sh start
	kcard_startup -s 0
	sleep 3 
	/usr/bin/kcard_app.sh stop

fi

# autorun.sh from sd in case need to perform some test mode
# NOTE(review): the key finding for anyone auditing the card. Any file named
# autorun.sh at the root of the SD card is made executable and run here, as
# root, on every boot, with no signature or integrity check of any kind. It
# sits BEFORE the Transcend-card check below, so it runs on any card. Whoever
# can write a file to the card (the host the card is plugged into, or anything
# else that can write to the FAT volume) therefore gets code execution on the
# card at the next boot. It is also the simplest way in for the card's owner.
if [ -f /mnt/sd/autorun.sh ]
then
	echo "run autorun.sh"
	echo "run autorun.sh" >> /tmp/log.rcS
	sleep 1
	chmod 777 /mnt/sd/autorun.sh
	/mnt/sd/autorun.sh 
fi

# Vendor check: on a non-Transcend card, stop here after kcard_startup;
# nothing below (config restore, services, WiFi) is started.
/usr/bin/check_card.pl
ret=$?
if [ $ret -eq 0 ] ; then
	# Ts card
	echo "Transcend Card"
	echo "Transcend Card" >> /tmp/log.rcS
else 
	# Not ts card
	echo "Not Transcend Card"
	echo "Not Transcend Card" >> /tmp/log.rcS
	kcard_startup -s 0
	exit 0
fi





# Same config restore as in the upgrade branch above (dnsd.conf / udhcpd.conf
# are presumably the DNS and DHCP server configs used in AP mode).
#cp /mtd/dnsd.conf to /etc
cp /mnt/mtd/config/dnsd.conf /etc
#cp /mtd/udhcpd.conf to /etc
cp /mnt/mtd/config/udhcpd.conf /etc
cp /mnt/mtd/config/wsd_backup.conf /etc/wsd_backup.conf
cp /mnt/mtd/config/instant_upload.conf /etc
cp /mnt/mtd/config/ia.passwd /etc/boa
if [ -f /mnt/mtd/config/is_wifi_list.json ]; then
	echo "Found is_wifi_list.json. copy to /etc/json/"
	cp /mnt/mtd/config/is_wifi_list.json /etc/json/is_wifi_list.json
fi

# Gen Boa Password file from wsd.conf
# The web server's credentials are derived from the settings file at every
# boot (so they are whatever wsd.conf on flash says they are).
/usr/bin/gen_boa_passwd.sh

# NOTE(review): the commented-out echo says rcS1 starts telnetd; the script
# itself is not shown here, so this is unconfirmed.
#echo "start telnetd server"
rcS1 & 

# httpd
# rcS2 starts the HTTP server (boa, judging by the password file above).
rcS2 & 


echo "rcS done" 

ver
#ARM sleep disable
kcard_cmd -s 0

# Both settings are read through wifi_get_config -> /config_value.
wifi_get_config -c "Auto WIFI"
Auto_WIFI=`cat /config_value`

wifi_get_config -c "Auto Mode"
Auto_Mode=`cat /config_value`

echo "Auto_WIFI = $Auto_WIFI" >> /tmp/log.rcS
echo "Auto_Mode = $Auto_Mode" >> /tmp/log.rcS
# Create the file to record the state of bootup before any login.
# If someone is logined, remove it.
# (Marker meaning "booted, nobody logged in yet"; it is removed elsewhere.)
touch /etc/bootup

# DS = direct-share mode: the card is the access point (ap_server.sh).
# IN: the card joins an existing network (ap_client.sh) -- presumably
# "internet" mode. Any other value falls back to direct-share.
if [ "$Auto_WIFI" = "Yes" ]; then
	if [ "$Auto_Mode" = "DS" ]; then
		echo "Start ap_server.sh" >> /tmp/log.rcS
		/usr/bin/ap_server.sh
	elif [ "$Auto_Mode" = "IN" ]; then
		echo "Start ap_client.sh" >> /tmp/log.rcS
		/usr/bin/ap_client.sh
	else
		echo "Auto WiFi mode $Auto_Mode is not valid. Use direct-share mode"
		echo "Auto WiFi mode $Auto_Mode is not valid. Use direct-share mode" >> /tmp/log.rcS
		/usr/bin/ap_server.sh
	fi
fi

/usr/bin/kcard_app.sh start

kcard_startup -s 0

sleep 1

# Background helper; its contents are not shown here.
/usr/bin/bodyguard.sh &


# libcrypto is kept bzip2-compressed on flash and expanded into the RAM
# rootfs last. NOTE(review): the filename says OpenSSL 0.9.8 series; the exact
# patch level is not visible here.
echo "Decompress libcrypto ..."
cp /mnt/mtd/libcrypto.so.0.9.8.bz2  /lib/
bunzip2 /lib/libcrypto.so.0.9.8.bz2

Les liens

http://lemoidului.wordpress.com/2013/02/11/linux-is-everywhere-pqi-aircard-partie-i/