00:50.59 | *** join/#openjtag Openfree` (n=Openfree@116.228.88.98) |
05:39.24 | *** join/#openjtag Openfree` (n=Openfree@116.228.88.98) |
07:14.27 | *** join/#openjtag dirk (n=dirk@p5B040052.dip0.t-ipconnect.de) |
07:28.20 | *** join/#openjtag Openfree` (n=Openfree@116.228.88.98) |
09:15.53 | *** join/#openjtag Weaselweb (n=quassel@2001:6f8:9e4:123:21a:92ff:fe5a:1409) |
10:48.24 | *** join/#openjtag toi (n=toi@d54C2A96D.access.telenet.be) |
11:35.11 | *** join/#openjtag pirho (i=pirho@gateway/gpg-tor/key-0x2CEEC9CB) |
11:35.29 | *** part/#openjtag pirho (i=pirho@gateway/gpg-tor/key-0x2CEEC9CB) |
11:40.42 | *** join/#openjtag Weaselweb (n=quassel@77-64-189-43.dynamic.primacom.net) |
18:15.09 | *** join/#openjtag toi (n=toi@d54C2A96D.access.telenet.be) |
20:52.52 | *** join/#openjtag key2 (n=key2@gob75-7-82-247-113-230.fbx.proxad.net) |
20:52.58 | key2 | hey |
20:53.14 | key2 | is it possible with openjtag to inject some binary code into a running process ? |
20:53.53 | key2 | (openocd) |
20:57.54 | key2 | basically, if I have a running embedded linux that I can just access via jtag, what would be the best way to make it prone a remote shell ? ( i thought about injecting a shellcode to a process and running it, but there might be easier way of doing it ?) |
21:26.50 | eigma | kay2, injecting shellcode into userspace would require you to find a slew of kernel data structures.. not an easy feat |
21:28.08 | eigma | kay2, you may want to instead hook an interrupt handler with a little bit of kernel-mode code.. the problem there is you would need to find the syscall table, and you're in interrupt context so you can't call most syscalls |
21:28.27 | eigma | kay2, what's the device and what are you trying to achieve, at a high level? |
21:43.23 | key2 | eigma: it's an arm926ejs |
21:43.43 | key2 | the console mode of the kernel + uboot has been disabled |
21:43.48 | key2 | and I'd like to get a shell |
21:44.03 | key2 | so up to now, I can only use jtag |
21:48.10 | eigma | arm926ejs is only the CPU. what SoC, what board, what device (the whole thing) |
21:48.37 | eigma | do you know where the RAM is mapped? |
21:48.57 | eigma | are you familiar with ARM interrupt handling? (I'm a bit rusty myself) |
21:51.57 | eigma | and where do you plan on spawning that shell? is there a serial console? |
21:53.32 | key2 | it's a PC202 |
21:53.36 | key2 | from picochip |
21:53.54 | key2 | I have the kernel output, so I can see what is mapped where... |
21:54.03 | key2 | the device is a Femtocell |
21:56.27 | eigma | key2: this guy? http://www.picochip.com/page/66/PC82xx |
21:57.19 | key2 | something similar |
21:57.20 | key2 | yeah |
22:01.07 | eigma | can you pastebin the full kernel output? |
22:01.21 | key2 | can I query u a sec ? |
22:01.54 | eigma | sure |
22:21.23 | pytey | key2: u there? |
22:22.28 | key2 | pytey: yeah |
22:22.38 | pytey | we've rooted that device |
22:22.51 | pytey | (a different group) |
22:22.54 | key2 | pytey: what brand |
22:22.55 | key2 | ? |
22:22.59 | pytey | (that I'm involved with) |
22:23.00 | key2 | the vodafone one ? |
22:23.04 | pytey | yep |
22:23.07 | key2 | primeuser |
22:23.08 | key2 | thx |
22:23.08 | pytey | they are all the same |
22:23.09 | key2 | ;) |
22:23.11 | key2 | we did it first |
22:23.11 | key2 | hahaha |
22:23.27 | key2 | no but the ubiquisys one, u can't root it |
22:23.34 | pytey | 'we did it first' |
22:23.34 | key2 | no console |
22:23.36 | pytey | eh? |
22:23.55 | key2 | pytey: with dieter ? |
22:23.55 | pytey | we |
22:24.02 | key2 | harald |
22:24.03 | key2 | steve |
22:24.03 | key2 | ... |
22:24.11 | pytey | nope |
22:24.24 | key2 | the vodafone is easy to root |
22:24.24 | pytey | we worked on it independently |
22:24.30 | key2 | from uboot, u dump, find passwd |
22:24.47 | key2 | u're done with john the ripper after few minutes with root: primeuser |
22:24.48 | key2 | the ubiquisys is really hard to root |
22:25.06 | pytey | well we just used console :) |
22:25.17 | pytey | or ssh |
22:25.28 | key2 | voda has also a udhcpd buffer overflow |
22:25.33 | key2 | we could root it also that way |
22:25.48 | key2 | there was a lot of different ways of doing it |
22:25.48 | key2 | .. |
22:26.10 | pytey | the primeuser passwd isn't the one we are using btw |
22:26.39 | key2 | there was two user |
22:26.41 | key2 | if my memory is good |
22:26.41 | key2 | root |
22:26.43 | key2 | and primeuser |
22:27.01 | pytey | nope, not that |
22:27.30 | pytey | you can ssh to it anyhow |
22:27.48 | pytey | I'm interested in the DS2460B |
22:27.56 | pytey | which is probably used for EAP-SIM |
22:28.08 | pytey | for part of the openswan IPSEC stuff |
22:28.22 | pytey | this is the blob that connects to the sagem GSM module inside |
22:28.31 | key2 | the password for root was newsys ? |
22:28.33 | key2 | if my mem is good |
22:28.39 | pytey | correct |
22:29.04 | pytey | do you have the serial console? |
22:29.09 | key2 | sure |
22:29.21 | pytey | ssh listens on 22 and 222 btw, dunno if you saw this |
22:29.25 | key2 | sure |
22:29.43 | key2 | but we did everything we needed to do with the voda one |
22:29.51 | key2 | could wiretap even people |
22:29.54 | key2 | add IMSI to the base.. |
22:29.55 | key2 | and so on |
22:29.56 | key2 | ... |
22:30.04 | pytey | yeah, same here |
22:30.08 | key2 | their security is ridiculous |
22:30.18 | pytey | who are you? |
22:30.22 | pytey | do I know you? |
22:30.26 | key2 | not sure |
22:30.28 | key2 | ;) |
22:30.29 | pytey | let's pm |
23:45.02 | *** join/#openjtag Radiotubes (n=Radiotub@rrcs-24-172-158-139.central.biz.rr.com) |
23:47.13 | Radiotubes | anyone have some experience with MIPS based targets? |