MELCO INC. AirStationPro Series BLR3-TX4 Ver 1.41
broad2 login: root
BusyBox v0.60.3 (2002.09.10-07:50+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
# help
Built-in commands:
-------------------
. : alias bg break builtin cd chdir continue eval exec exit export
false fc fg hash help jobs kill let local read readonly return
set setvar shift times trap true type ulimit umask unalias unset
wait
#
root has no password set.
# df
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/root 20148 14692 5456 73% /
The RAM disk is 20 MB, with about 5 MB free.
# ftp giga.yamasita.jp
Connected to giga.yamasita.jp.
220 ProFTPD 1.2.10rc1 Server (ProFTPD Basic Configuration) [giga.yamasita.jp]
Name (giga.yamasita.jp:root): yasunari
331 Password required for yasunari.
Password:
230 User yasunari logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.
#
There is an ftp command, so files up to about 5 MB can be brought onto the box.
# cat /dev/fl0 > fl0
# as_flash /dev/fl0 get -n /tmp/conf_save.tar.gz --output /tmp/conf_save.tar.gz
# tar ztvf /tmp/conf_save.tar.gz
-rwxr--r-- root/root 71 2002-09-03 11:25:05 /etc/ap_servd.conf
-rw-rw-r-- root/root 19 1970-01-01 00:04:24 /etc/apache/.htpasswd
-rwxrw-r-- root/root 424 2002-10-19 08:54:31 /etc/bridge.conf
-rw-rw-r-- root/root 0 1970-01-01 00:03:32 /etc/crontab
-rw-r--r-- root/root 6 1970-01-01 00:03:32 /etc/hostname
lrwxrwxrwx root/root 0 1970-01-01 00:00:05 /etc/localtime -> /usr/share/zoneinfo/GMT-0
-rw-rw-r-- root/root 121 2001-12-18 12:47:31 /etc/lnkitg.conf
-rw-r--r-- root/root 338 2002-09-09 08:52:22 /etc/passwd
-rw-r--r-- root/root 7 1970-01-01 00:04:24 /etc/passwd.nocrypto
-rw-r--r-- root/root 8 1970-01-01 00:03:32 /etc/phymii.conf
-rw-r--r-- root/root 141 1970-01-01 00:07:09 /etc/resolv.conf
-rw-r--r-- root/root 141 1970-01-01 00:07:09 /etc/tmp/resolv.conf.manual
:
:
fl0 holds the configuration files, the same as on the LinkStation.
# cat /dev/fl1 > fl1
cat: write: No space left on device
/dev/fl1 is larger than 5 MB, probably a little under 8 MB. I ftp the part of fl1 that could be read out to the HD-HGLAN and run od on it.
[yasunari@giga /tmp]$ od -xc fl1 | less
0000000 0000 0001 0000 0201 424c 5233 2d54 5834
\0 \0 \0 001 \0 \0 002 001 B L R 3 - T X 4
0000020 0000 0000 0000 0000 0000 0000 0000 0000
\0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0
0000040 0000 0000 0000 0000 312e 3031 0000 0000
\0 \0 \0 \0 \0 \0 \0 \0 1 . 0 1 \0 \0 \0 \0
0000060 0000 0000 0000 0000 0000 0000 0000 0000
\0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0
0000100 0000 0000 0000 0000 0001 0029 0000 6805
\0 \0 \0 \0 \0 \0 \0 \0 \0 001 \0 ) \0 \0 h 005
0000120 0d0a 2c1e 005e 257a c908 194c 0000 006c
\r \n , 036 \0 ^ % z 311 \b 031 L \0 \0 \0 l
0000140 000b 2aa7 000b 2b13 0052 fa67 1f8b 0808
\0 \v * 247 \0 \v + 023 \0 R 372 g 037 213 \b \b
0000160 fad2 a240 0203 766d 6c69 6e75 7800 e45c
372 322 242 @ 002 003 v m l i n u x \0 344 \
:
This is exactly firmimg.bin itself.
# cat /dev/fl2 > /tmp/fl2
Run strings on it on the HD-HGLAN.
[yasunari@giga /tmp]$ strings fl2 | less
:
No PLD model
with PLD model
******* Product Information *******
----------------------------------
Product Name:
VER: %d.%02d
Date: %d/%d/%d %d:%d:%d
Firmware check:
Fail!:invalid Firmware size
Warning:invalid data size
Fail!:checksum error %08X
Done.
debug
Now Loading...
done.
Now Booting
:
This is the boot loader.
# cat /dev/fl3 > /tmp/fl3
cat: /dev/fl3: No such file or directory
There is no fl3.
So the flash memory layout is almost the same as the LinkStation's.
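The fl1 bytes dumped above can be decoded far enough to see what the boot loader's "Product Name", "VER", "Date" and firmware-size strings would be reading. The following Python is an added example, not code from the original page or from MELCO. The header offsets and the field names (total, checksum, kernel, initrd) are assumptions inferred from the dumped bytes; only the gzip header decoding follows a published format (RFC 1952).

```python
import struct

# First 0x80 bytes of fl1, transcribed from the od dump on this page
# (the character rows confirm the 16-bit words read in file order).
FL1_HEAD = bytes.fromhex(
    "0000000100000201424c52332d545834" "00000000000000000000000000000000"
    "0000000000000000312e303100000000" "00000000000000000000000000000000"
    "00000000000000000001002900006805" "0d0a2c1e005e257ac908194c0000006c"
    "000b2aa7000b2b130052fa671f8b0808" "fad2a2400203766d6c696e757800e45c")

def cstr(buf, off, maxlen):  # NUL-terminated ASCII in a fixed-size field
    return buf[off:off + maxlen].split(b"\0", 1)[0].decode("ascii")

def parse_header(buf):
    """Decode the header; every offset and field name here is inferred."""
    major, minor = struct.unpack_from(">HH", buf, 0x48)
    year, month, day, hh, mm, ss = buf[0x4E:0x54]
    total, cksum, k_off, k_len, r_off, r_len = struct.unpack_from(">6I", buf, 0x54)
    return {"product": cstr(buf, 0x08, 0x20),
            "version": "%d.%02d" % (major, minor),  # boot loader prints %d.%02d
            "built": (1900 + year, month, day, hh, mm, ss),  # assumed year base
            "total": total, "checksum": cksum,
            "kernel": (k_off, k_len), "initrd": (r_off, r_len)}

def gzip_member(buf, off):
    """Read the RFC 1952 member header at off; return (file name, mtime)."""
    magic, method, flags, mtime = struct.unpack_from("<HBBI", buf, off)
    if magic != 0x8B1F or method != 8:
        raise ValueError("no gzip member at 0x%x" % off)
    pos = off + 10
    if flags & 0x04:                       # FEXTRA: skip the extra field
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    name = cstr(buf, pos, 64) if flags & 0x08 else None  # FNAME
    return name, mtime

def check_layout(buf):
    """Return a list of inconsistencies; empty means the table adds up."""
    h = parse_header(buf)
    (k_off, k_len), (r_off, r_len) = h["kernel"], h["initrd"]
    problems = []
    if k_off + k_len != r_off:
        problems.append("first image does not end where the second starts")
    if r_off + r_len != h["total"]:
        problems.append("second image does not end at the recorded total size")
    try:
        gzip_member(buf, k_off)
    except (ValueError, struct.error) as exc:
        problems.append(str(exc))
    return problems
```

On the bytes shown, the table adds up: 0x6c + 0xb2aa7 = 0xb2b13 and 0xb2b13 + 0x52fa67 = 0x5e257a, and the first image is a gzip member named vmlinux.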
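Let's try it
There is a rumor that if you plug Kuroutoshikou's Mini PCI wireless LAN module 802.11G-MPCI into a BLR3-TX4
and install the WHR-G54 firmware,
it becomes a WHR-G54.
However, I have not yet seen any report of anyone actually succeeding.
I'll volunteer as the guinea pig, but...
if it fails, the BLR3-TX4 is certain to turn into a brick.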
# df
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/root 20148 14692 5456 73% /
Somehow this has to be freed up to 6.6 MB.
# rm -fr /usr/local
# df
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/root 20148 13631 6517 68% /
Not enough yet.
# lsmod
Module Size Used by
# rm -fr /lib/modules
# df
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/root 20148 13472 6676 67% /
A little more.
# rm -fr /debug
# df
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/root 20148 13133 7015 66% /
#
That should do.
# cat whrg54-213b.bin > /dev/fl1
As always, my heart is in my mouth while the flash is being written.
No PLD model
******* Product Information *******
----------------------------------
Product Name: WHR-G54
VER: 2.13
Date: 2004/5/13 17:57:29
----------------------------------
Firmware check:Done.
>>
Now Loading...done.
Now Booting
hwid(0) : CLK_DCR value(0x3878) --> unknown hwtype
value(0x3878)
Memory BAT mapping: BAT2=64Mb, BAT3=0Mb, residual: 0Mb
HWTYPE:None PLD Model
Linux version 2.4.18_mvl30-sandpoint (root@localhost.localdomain) (gcc version 2.95.3 20010315 (release/MontaVista)) #121 木
5月 13 17:57:08 JST 2004
PCI Autoconfig: Found Bus 0, Device 11, Function 0
PCI Autoconfig: BAR 0x10, I/O, size=0x100, address=0xbfff00
PCI Autoconfig: BAR 0x14, Mem size=0x400, address=0xbffffc00
PCI Autoconfig: Found Bus 0, Device 12, Function 0
PCI Autoconfig: BAR 0x10, I/O, size=0x100, address=0xbffe00
PCI Autoconfig: BAR 0x14, Mem size=0x400, address=0xbffff800
AirStation Pro Series
802.11b Wireless Access Point
2002 MELCO INC. (c)
On node 0 totalpages: 16384
zone(0): 16384 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line:
OpenPIC Version 1.2 (1 CPUs and 26 IRQ sources) at 80040000
Calibrating delay loop... 130.66 BogoMIPS
Memory: 56708k available (1244k kernel code, 480k data, 184k init, 0k highmem)
Dentry-cache hash table entries: 8192 (order: 4, 65536 bytes)
Inode-cache hash table entries: 4096 (order: 3, 32768 bytes)
Mount-cache hash table entries: 1024 (order: 1, 8192 bytes)
Buffer-cache hash table entries: 4096 (order: 2, 16384 bytes)
Page-cache hash table entries: 16384 (order: 4, 65536 bytes)
POSIX conformance testing by UNIFIX
PCI: Probing PCI hardware
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
Disabling the Out Of Memory Killer
pty: 256 Unix98 ptys configured
MELCO WLM-L11G RTC DRIVER ver 1.00
MELCO WLM-L11G INIT SWICH DRIVER ver 1.01
initsw: Done.
Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled
ttyS00 at 0x80004600 (irq = 22) is a ST16650
ttyS01 at 0x80004500 (irq = 21) is a ST16650
Software Watchdog Timer: 0.05, timer margin: 100 msec
block: 128 slots per queue, batch=32
RAMDISK driver initialized: 16 RAM disks of 20480K size 1024 blocksize
loop: loaded (max 8 devices)
FLASHDISK:Boot From OnBoard Flash
Can't find MiniPCI Board
Initialized [TOSHIBA VT641FT]
Find Onbord Flash dev_winbond 0
Linux Tulip driver version 1.1.1-NAPI (Feb 16, 2002)
eth0: ADMtek Comet rev 17 at 0xbfff00, 00:07:40:49:xx:yy, IRQ 16. (partially masked)
tulip1: MII transceiver #1 config 3100 status 7849 advertising 05e1.
eth1: ADMtek Comet rev 17 at 0xbffe00, 00:07:40:49:xx:yy, IRQ 17. (partially masked)
PPP generic driver version 2.4.1
Linux Kernel Card Services 3.1.22
options: [pci] [cardbus]
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 4096 bind 4096)
ip_conntrack (512 buckets, 4096 max)
PPTP netfilter connection tracking: registered
PPTP netfilter NAT helper: registered
ip_tables: (C) 2000-2002 Netfilter core team
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NET4: Ethernet Bridge 008 for NET4.0
ds: no socket drivers loaded!
RAMDISK: Compressed image found at block 0
Freeing initrd memory: 5825k freed
VFS: Mounted root (ext2 filesystem).
Freeing unused kernel memory: 184k init 4k openfirmware
modprobe: modprobe: Can't open dependencies file /lib/modules/2.4.18_mvl30-sandpoint/modules.dep (No such file or directory)
INIT: version 2.78 booting
Activating swap...
Checking all file systems...
Parallelizing fsck version 1.19 (13-Jul-2000)
Setting kernel variables.
Init SW watching daemon starting: done
Mounting local filesystems...
mount: none already mounted or /dev/pts busy
mount: according to mtab, devpts is already mounted on /dev/pts
Cleaning: /tmp /var/lock /var/run.
17:57:29: not found
Previous Configuration longing: /bin/tar: Removing leading `/' from member names
done
rm: cannot remove `/etc/ppp/ip-down.d/00delresolv': No such file or directory
ver_up: Ver 141 to 213: execute script.
+/etc/ver_up/09wordswap: +/etc/ver_up/10upnpd: no action.
+/etc/ver_up/11pppconf: +/etc/ver_up/20syslog: Swaping /var/log/attack_log -> |/var/log/attack_pipe
success to save configuration
Install IPSec Path Through
Using /lib/modules/2.4.18_mvl30-sandpoint/kernel/net/ipv4/netfil* VPN Masqurade -- IPsec Support ter/ip_conntrack
_ipsec.o
reg isakmp:done
reg ESP protocol:
reg ESP conntrack:done
Using /lib/modules/2.4.18_mvl30-sandpoint/kernel/net/ipv4/netfilip_nat_ipsec : isakmp : ter/ip_nat_ipsecdone.
.o
ip_nat_ipsec : esp : done.
set phy to wired lan device: done
set phy to wired wan device: done
install pcml11g moudule
no pcmcia driver in /proc/devices
insmod: pcml11g: no module by that name found
cardmgr[155]: starting, version is 3.1.24
cardmgr[155]: no pcmcia driver in /proc/devices
cardmgr[155]: exiting
no pcmcia driver in /proc/devices
installed pcml11g module
Using /lib/modules/2.4.18_mvl30-sandpoint/kernel/drivers/net/broadcom/11g/hnd/hnd.o
Using /lib/modules/2.4.18_mvl30-sandpoint/kernel/drivers/net/broadcom/11g/wl/wl.o
/lib/modules/2.4.18_mvl30-sandpoint/kernel/drivers/net/broadcom/11g/wl/wl.o: init_module: No such device
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
modprobe: modprobe: Can't locate module wlang0
wlang0: unknown interface: No such device
installed Broadcom Wireless Modules BCM4306
Bridge device breakes up!!
ifname = brg0
AddBridge <-- success
SetBridgeStpState <-- success
Add Device eth0
eth0 is initialized and uped
device eth0 entered promiscuous mode
eth0: Promiscuous mode enabled.
eth0: Promiscuous mode enabled.
eth0: Promiscuous mode enabled.
eth0: Promiscuous mode enabled.
AddIf <-- success
SetBridgeStpState <-- success
SetBridgeFowardDelay <-- success
SetBridgeHelloTime <-- success
SetBridgeMaxAge <-- success
SetGcInterval <-- success
SetBridgePriority <-- success
SetAgeingTime <-- success
SetPortPriority <-- success
Start 11b wireless configuration setting
modprobe: modprobe: Can't locate module wlan0
wireless device not found.
Start 11g wireless configuration setting
modprobe: modprobe: Can't locate module wlang0
wireless device not found.
Hostname: broad2.
Configuration network interface:
netifctl[191]: Boot up network device
netifctl[191]: lo starts to up
netifctl[191]: brg0 starts to up
brg0: port 1(eth0) entering listening state
brg0: port 1(eth0) entering learning state
modprobe: modprobe: Can't locate module wlang0
wlang0: No such device
modprobe: modprobe: Can't locate module wlang0
wlang0: No such device
brg0: port 1(eth0) entering forwarding state
brg0: topology change detected, propagating
netifctl[191]: eth1 starts to up
Start PPPoE connection
/usr/bin/setsid /usr/sbin/pppd pppoe_retransmit 5 noipdefault noauth defaultroute hide-password nodetach usepeerdns mtu
1492 mru 1454 user (removed) lcp-echo-interval 30 lcp-echo-failure 6 noccp nolog demand force persist idle 0
ipcp-accept-remote ipcp-accept-local connect true unit 0 linkname pppoe01.conf eth1 &
Start PPPoE connection
Plugin pppoe.so loaded.
PPPoE Plugin Initialized
Start PPPoE connection
Start PPPoE connection
Start PPPoE connection
modprobe: modprobe: Can't locate module escape
modprobe: modprobe: Can't locate module escape
modprobe: modprobe: Can't locate module crtscts
netifctl[191]: Success
done.
Initializing random number generator... modprobe: modprobe: Can't locate module crtscts
done.
Checking password and group files... modprobe: modprobe: Safe mode parameter starts with '-'
grpck: not found
Starting system log daemon: syslogdmodprobe: modprobe: Safe mode parameter starts with '-'
modprobe: modprobe: Can't locate module nocrtscts
modprobe: modprobe: Can't locate module nocrtscts
modprobe: modprobe: Can't locate module cdtrcts
syslogd: /var/log/attack_pipe: No such file or directory
klogd.
Setting Networking rules..
INIT: Entering runlevel: 2
---> ehernet_lnk <--
---> check_all_wl <--
---> check_bcwl <--
-ne Starting web server: apache
---> check_pcml11g <--
no pcmcia driver in /proc/devices
Start LED (4)
.
Starting AP serv daemon:AP serv starting on brg0
Starting periodic command scheduler: cron/var/spool/cron: No such file or directory
/var/spool/cron: created
crontabs: No such file or directory
crontabs: created
.
Starting internet superserver: inetd.
create default bridge_port file.
[IPTABLES START]
+Packet Filter
+Enabled
/sbin/iptables (removed)
+Disable NBT Routing
+Reject IDENT Packet
+ ATTACK BLOCK
+Allow ICMP Echo reply
+IP MASQUAREDE
+Enabled
+UPnP Settings
[DONE]
Starting Zebra daemons (prio:10): (zebra) (ripd).
default: not found
ppp0: not found
ppp1: not found
ppp2: not found
ppp3: not found
ppp4: not found
Start DNS Relay Daemon
Notice: caching turned off
$Starting fwlogwatch:
Setting Authentication Manager Configuration: ****** Starting macfilter manager instead of EapolRadius ********
****** it named EapolRadius, but its a fake! ********
wlang0: No such device
wlang0: No such device
done
MELCO Daemon reboot Deamon 'NINJYA'
0: dnsrd /var/run/dnrd.pid /etc/init.d/dns-relay start
1: apservd /var/run/apservd-brg0.pid /etc/init.d/apservd start
2: wcc /var/run/wcc.pid /etc/init.d/wcc restart
MELCO INC. AirStationPro Series WHR-G54 Ver 2.13
broad2 login:
Doh. I forgot to plug in the 802.11G-MPCI.