Of Sun Ray laptops, MIPS and getting root on them

2023-04-26 21:36:50

I like Sun Ray laptops. They make surprisingly useful thin clients. Here, going from right to left, I'm playing Quake on my Solaris UltraBook IIi while it serves a Sun Ray session via Sun Ray Server Software (SRSS) to my silver Sun Ray 2N in the middle, and on my Accutech Gobi on the left I'm root.

Wait, what? Root on a thin client?

Let's rewind a little.

In 1984 Sun Microsystems adopted as their corporate slogan John Gage's famous remark that "The Network is the Computer," one of many neat fragments of history left to rot after Larry "Destroyer of Worlds" Ellison's Oracle bought them out in 2010. (Fittingly, at least to me, Cloudflare acquired the rights to the disused trademark in 2019. This is an official Sun swag mousepad I picked up back in the day.) False starts like NeWS aside, Sun believed in the idea so deeply that they put significant resources into developing thin clients serviced by their hardware to complement their more conventional workstations.

In Sun's ideal world, a user would run programs on a central server (a Sun, of course), having their session follow their smart card seamlessly from terminal to terminal along with any other shared resources they might require. While Sun produced the JavaOS-based JavaStation in 1996, ironically based on Oracle's Network Computer concept, it used relatively expensive hardware, being essentially a miniaturized SPARCstation 4. Instead, the new proof of concept for a cheaper, more connected world was the 1997 NetWorkTerminal "NeWT" (one wonders if that abbreviation was a coincidence), based on Sun's MicroSPARC IIep CPU, and that prototype in turn evolved into the first Sun Ray thin client in 1999, codenamed Corona.

We first talked about the Sun Ray line some months back by looking at one of its last examples, the laptop Tadpole M1400 and its General Dynamics rebadge. Sun produced the first generation Sun Rays not only as sidecar desktop units that connected to a monitor, keyboard and mouse, but even built some of them into CRT displays reminiscent of Apple's contemporary G3 iMac (which also inherited technologies from the Oracle Network Computer via the unreleased Macintosh NC) and LCD flat panels.

However, just as it had to go cheaper to win, if the Sun Ray approach was to become truly omnipresent then it would have to go portable as well. That was where the 500nm microSPARC IIep, as diminutive as it was for SPARCs of the time, couldn't make the grade: the Sun Ray 1G required 20 watts just to run, not counting the display it was connected to, and at least 5 watts of that went to the 100MHz CPU alone. Downclocking it wasn't an option either, because the CPU was already too underpowered to handle the stream; a 2006 InfoWorld article accused early Sun Rays of being "network-clobbering" and "stuttering." So Sun jumped from SPARC to MIPS with the Sun Ray 2, and that's where our story begins.

The MIPS migration happened as a consequence of converting the first generation Sun Rays to Sun's bespoke Copernicus SoC, which combined the IIep core with 4MB of DRAM on chip (the ATI Rage 128 handling 2D graphics remained separate with its own dedicated memory). During Copernicus' development, Sun Ray engineer Marc Schneider had considered using the new low-power embedded MIPS Au1 core developed by fabless semiconductor company Alchemy, but there was little appetite at the time for rewriting the onboard firmware to run on a completely new architecture. Alchemy was founded in 1999 by refugees from DEC's StrongARM development group, which was dissolved after Intel acquired the IP in 1997 and turned it into their XScale CPU line (other group members went on to found SiByte, which developed a MIPS core of their own). The Au1 core was a scalar, in-order core based on the 1999 MIPS32 specification with five pipeline stages. It featured an R4000-class MMU, a 16/32-bit multiply-accumulate unit and a one-bit-per-cycle hardware divider. However, to shrink die area and reduce power consumption, the Au1 eliminated the FPU, removed support for MIPS-16 compressed instructions and supervisor mode, and replaced virtual address translation with a TLB-based method and an exception handler in software instead of having the hardware walk page tables. It could also completely stop all clocks to the core units until reactivated.

The first Au1 chip was the Au1000 SoC in 2001, a 180nm part with integrated SDRAM, flash, USB, serial (IrDA and UART) and Ethernet controllers. It had 16K each of I- and D-cache and ran up to 500MHz but with a top TDP of only 900 milliwatts. Although the Au1000 family, notably the beefier 1.2W Au1500 with an on-board PCI controller, got design wins in a few embedded applications, Alchemy was still just a small startup and ran into problems landing a second funding round to expand. In 2002 AMD bought Alchemy outright to directly compete with XScale in the embedded sector and released the 130nm Au1550 in 2004, a die-shrink of the Au1500 intended for high-security network applications with the SafeNet Security Engine providing an entropy-based RNG and hardware acceleration for DES, 3DES, AES, RC4, MD5 and SHA-1. It also ran up to 500MHz with the same cache and on-die peripherals but a new lower "typical" power draw of under 600mW, maxing out at 1460mW. Nothing in the SPARC ecosystem could match it for power consumption, making it suitable for portable Sun Rays, but it was nevertheless more capable than XScale, meaning the same chip could power the next generation of desktop Sun Rays too. Sun selected the Au1550 and the first Sun Ray 2 (internally designating the series as "P8") came out in 2005, paired with 4MB of Flash and an ATI R100-derived ES1000 framebuffer sharing 16MB of RAM. With this design Sun met its goal: the new hardware could more effortlessly handle more demanding applications at higher resolutions, and typical power consumption for the entire system was just 4 watts plus display.

The Sun Ray laptop story is a little more prosaic. Yes, it may surprise some of you to hear that there really were Sun laptops. That said, however, Sun never designed a laptop of their own even for their high-margin SPARC line, entirely relying on third parties to do so, and even the laptops that Sun did sell were designed and OEMed by others. Of these partner OEMs, the most notable were U.S.-based RDI and U.K.-based Tadpole, who later bought out RDI, and Taiwan-based Nature Worldwide Technology Corporation, nicknamed Naturetech. What Sun sold as their Ultra-3 laptop was actually a condominium of at least five discrete models: Tadpole's UltraSPARC IIIi Viper and both versions of their UltraSPARC IIi SPARCle (all based on the Acer TravelMate 420 chassis) as the Ultra-3 A60, and Naturetech's UltraSPARC IIIi Mesostation 999 and UltraSPARC IIi PowerBook 888P as the Ultra-3 A61. The two lines were visually different, with the Tadpoles in an arresting lavender case and the 888 and 999 in severe graphite and black, causing some confusion among buyers as they were otherwise completely unrelated. I have a Viper A60 Ultra-3, which puts out a prodigious amount of heat and drains batteries dry in less than an hour at full tilt, and you should never use it on your lap if you want to have children (or a filesystem).

In a like fashion, the first Sun Ray laptop didn't come from Sun either. Tadpole, then newly acquired by General Dynamics, used a modification of the SPARCle design as the 2005 Comet 12 and Comet 15 with the same UltraSPARC IIep and the same basic drawbacks. The SPARCle case was fine for an actual Solaris laptop, but calling the relatively heavy unit a thin client was a poor joke, and Sun didn't adopt it for sale. Naturetech subsequently took their own shot at the market when the Sun Ray 2 was released, using the desktop unit as a reference design and the same MIPS and ATI chipset but adapting the case and battery from another Taiwanese OEM laptop, the G220 notebook from Elitegroup. Naturetech called it the Jasper 320. Sun liked the thinner profile and reduced weight, and badged it as the Sun Ray 2N for test-marketing in Japan in 2006.

This is my personal 2N, acquired virtually unused in its original packaging.

If this manifest is to be believed, this unit was made and shipped in 2007. The 2N came with both 10/100 Ethernet and 802.11b+g WiFi. The WiFi supports WEP, WPA-PSK and WPA2-PSK for authentication, and WEP, WPA-AES and WPA-TKIP for encryption.

Everything in the box, including a very brief manual (in English, nevertheless), battery and standard laptop power supply.

In case you didn't believe it's a Sun, it's right there on the top.

And it's right there on the keyboard. The layout is a standard JIS keyboard with Sun-specific keys, though most aren't active in Sun Ray mode, and the firmware largely treats it like a US keyboard. The gap between the display hinges is where the battery would go ordinarily. Any G220-compatible battery will work and the machine was shipped with one. The touchpad isn't fabulous but it works.

On the left side is a VGA port for mirroring, an Ethernet jack and (replacing the G220's PCMCIA slot) a smartcard slot. The phone jack on the corner, clearly originally for a built-in modem, is blocked off. The 2N's VGA port only supports display mirroring and can't extend the desktop, which is why I conclude it was based on the original Sun Ray 2 rather than the improved 2FS, which can.

The right side just has three USB 1.1 ports. The rest is where the optical drive would have been with the G220 but is completely blocked off in the 2N. The firmware won't mount any devices connected here but does appear to recognize keyboards and mice. Three whole ports just for that purpose strikes me as excessive (after all, it already has a keyboard and trackpad!) and it seems to be simply because the G220 had them.

On the front, there are headphone and microphone jacks (speakers are in the display), and on the rear are the battery terminals, Kensington lock and A/C barrel jack.

The bottom is where it starts to get more interesting. Even though they served no real purpose, Naturetech kept the CPU, hard disk and RAM doors of the G220 and adapted the Jasper logic board to fit. They also kept the fan vent despite the fact that none of these chips get hot enough to even merit a heat sink.

However, there's absolutely nothing in the hard disk bay, not even a connector.

Similarly, in the RAM bay, there's no RAM. Instead, the wireless card connects here with an SO-DIMM-like connector, based on a Ralink RT2561T. Beneath it we see the Jasper designation on a sticker. The smartcard chip reader is visible on the southeast side.

The CPU is at position U25, a 500MHz Au1550. West of it in this view is the single Hynix 5DU281622ETP-5 16MB SDRAM chip, the lowest-binned 200MHz 8Mx16 in that family. Remember: cheap!

The nearby ATI ES1000 framebuffer is an R100 derivative and shares the SDRAM with the CPU. As a simple framebuffer that's adequate.

The display is a 12″ 1024×768 75Hz/24-bit TFT LCD and isn't too bad, considering (a virtual desktop extends up to 1280×1024 as you move the pointer). Sun badging is prominent not only on the bezel but practically clubs you over the head as well when you turn it on.

If you've never used a Sun Ray system before, you might find the display window rather curious. Rather than localizing prompts and status text in the firmware, Sun chose to use an icon display language ("On-Screen Display") which vendors were obligated to implement. What text does appear is limited to addresses and status codes. The OSD shown here is an evolution of the blue-background OSD used by first generation Sun Rays, but has the same status codes and basic semantics. The first window it pops up shows its MAC address and status 1, meaning it's configuring the onboard Ethernet. Within seconds it will try to get a DHCP lease and find a host, much like any other active parasite.

It's time to connect this silvery zombie to a source of brains. The following grabs are directly from the VGA port via my INOGENI VGA2USB3 at the native resolution of 1024×768. The only edits are to censor my internal test network information because some of you are friendly and naughty.

Here are the five Kübler-Ross stages of Sun Ray grief connection:

Denial (1): I don't believe there's a network (yet).

Anger (21): I found Ethernet, but I've got no DHCP address! What the Larry Ellison! (The Ethernet speed is correctly reported as 10Mbit half-duplex since I had it on the slow segment as a stress test. Remember this when we talk about the Gobi.)

Bargaining (22): I pleaded with the DHCP server and it gave me an address.

Depression (26): I found a server but it won't talk to me yet. (In this case, scottie, the Solaris laptop, had responded to the 2N's broadcast query and will shortly start the session. I suppose you could insert a couple more stages in here like actually sending the broadcast query [27], but that interferes with my joke, dammit. You can also configure fixed DNS entries [sunray-config-servers, sunray-servers] or send DHCP option 49 [X Window System Display Manager] addresses to hint the client. The DHCP server on this network provides these entries.)

Acceptance (14): my siren call was answered, I've found a source of brains and I'll now drain its CPU and resources (over UDP-based Appliance Link Protocol, or ALP). This particular connection is neither secured nor authenticated, but encryption and server authentication are generally possible (codes 11 through 13). A watchdog timer will soft-reset the unit and start the stages of grief connection over again if a successful link isn't made.

Having connected, the screen is now a standard X display manager login. You log in. Simple! With a recognized smart card you can even completely skip this step.

Like most other Sun Ray clients including the Tadpole M1400, hot keys to change settings are available, including while connected. These keys become live shortly after the machine starts. The main menu is accessed with Stop-M (on this keyboard that's actually a three-finger salute of "yellow" Fn-Alt-M) and options are chosen with the cursor keys.

The "manual" documents two hot keys, Stop-M for this menu and Stop-W to access wireless profiles, but actually most of the documented hot key combinations work, including Stop-V for displaying the unit's firmware version. The menu isn't particularly extensive, so here are the highlights.

The wireless profiles menu (directly accessible with Stop-W) offers three configurable profiles where the channel, SSID, authentication/encryption and key can be specified. In this case none are active because my internal network is wired-only.

Disappointingly, the entire security "menu" is one option, merely to set a password. Sheesh.

Under the status menu you can select the radio status (spoiler alert: it's not on) and the firmware version. This unit reports NWTC,KiboP8 3.1.1_2007. plus its MAC. I don't have the exact history but "Kibo" appears to have been the Naturetech internal codename.

Prior to Sun Ray Software 5.2, firmware came in two flavours: the "non-GUI" version here with this minimal configuration menu, and a "GUI" version with a more extensive menu allowing you to enter explicit parameters. Later on they were unified into a single firmware, with the ability to enter the configuration menu controlled by the server as appropriate. I'm aware of at least one later GUI version of the 2N firmware tagged NWTC,KiboP8,Jasper320 GUI4.0_48_2007., but I don't have a copy of it.

The only other options control various tunables regarding the WiFi and screen blanking.

If you disconnect the zombie while it's feeding, it complains with an error 23, as all zombies do.

While trying to reconnect, the 2N will also try sending the "any server out there" broadcast packet (27) over WiFi, though since this one isn't configured with an SSID, there's no one to hear it scream.

Okay, fine, let's log in.

On the Solaris 10 desktop with the version dialogue up to prove we're here. From the Solaris side, /opt/SUNWut/sbin/utquery -d IPADDRESS will tell you information about a connected client.

The 2N also works fine with kOpenRay, my very-occasionally-maintained updated fork of jOpenRay, an open-source Java reimplementation of ALP. Note that kOpenRay doesn't currently know how to respond to broadcast requests, so since we can't hardcode the address in the 2N's settings, kOpenRay's IP address is provided by the local DHCP server. The kOpenRay console shows the device identified itself as a NWTC,KiboP8,Jasper320 3.1.1_2007. Also note the MAC (used as an ID), namespace and actual screen resolution (but also the virtual resolution of 1280×1024).

Playing the default Tetpnc session. Incidentally, inserting a smart card worked and was recorded by kOpenRay.

Sadly, the Sun Ray 2N was the only laptop Sun Ray that Sun would ever call its own. It achieved some sales in Japan and was spotted at various trade shows, but apart from local usage by Sun's regional offices there was little market interest and Sun chose to quietly discontinue it.

For its part, Naturetech kept selling the device under its original Jasper 320 name and offered the design to other vendors, including the later Amber 808, Opal 608 (8.4″) and Opal 612 tablet versions. These were the only known Sun Ray tablets, featuring RFID and even biometric support. Fellow Taiwanese vendor Arima also planned to release the entire line as the Dawn Ultra ThinPad and Solstice Ultra ThinTouch, though it's not clear if any were actually sold. There was also a VPN-enabled version of the Jasper 320.

Accutech Ultrasystems, however, another Taiwanese computer manufacturer, saw the hardware as an opportunity not only to get into thin clients but also to use Sun Ray technology as a security surveillance solution.

Accutech took the basic Jasper board and substantially reworked it with custom firmware and a built-in hardware VPN module, selling it as the Gobi8 with HSDPA/UMTS support and the Gobi7 without. The Accutech Gobi laptops were themselves resold by British vendor Aimtec under the same name.

At a cursory glance the silver-clad Gobi and the 2N are virtually indistinguishable apart from the logos on each lid, but there are subtle differences in the external ports, and Accutech made significant changes to the hardware. That's where the pwnage part comes in.

I haven't had good luck with Gobis. Over time I've accumulated three, but only one of them still fully works; the other two spontaneously suffered hardware failures such that they won't configure their network interfaces anymore. The latest one shown with the 2N is my sole completely functional example and was sent to me by a generous donor. On the other hand, that means I have no compunction about stripping down the defective ones to figure out how they work.

The silver Gobis are the original ones, sold as the Gobi7, though both of my units appear to have been subsequently upgraded to Gobi8 (installing the additional 3G support and updating the firmware), apparently at the factory since the barcode sticker reads Gobi8. The thrashed black unit precariously held together with binder clips is an actual Gobi8 and was a later unit. This one was my first Gobi and came to me busted up, so I plead innocent to its mistreatment, though it was mostly working at the time.

The keyboard is now regular English and no more Nihongo, sniffle.

Other than that, the most notable external differences between the 2N and the Gobis are a SIM card slot in the front next to the audio jacks and a CardBus PCMCIA module in the optical drive slot. These are all active, though I don't have anything that goes in them (and we don't have 3G anymore in the United States).

If we pull out the 3G module, we're already getting hints that Accutech did a bit more than apply a fresh coat of firmware paint. Next to the card cage we see two Realtek RTL8201CP 10/100 Ethernet PHYceivers and a PH249015G quad 4-port pulse transformer to connect them to twisted pair Ethernet signals. Beneath the cage are two Hynix HY57V281620FTP-6 SDRAMs, 16MB each to equal 32MB.

But flip it over and there's another 32MB of RAM, plus 16MB of flash (Intel JS28F128), an ENE CB-1410QF PCI to CardBus bridge, and right in the middle (irony of ironies) an Intel XScale-based IXP425 Network Processor running at the lowest rated speed of 266MHz (PRIXP425ABB). This SoC supports UTOPIA 2 (for ATM networking), xDSL, 2x HSS (for mobile network authentication) and two Ethernet MACs, along with hardware support for SHA-1, MD5, DES, 3DES and AES. It has onboard controllers for a UART, SDRAM, USB and PCI. The Ethernet MACs no doubt connect to the PHYceivers on the other side. There are a whole bunch of obvious debug connectors here but I don't know the pinout.

The internal differences are even more substantial. Accutech removed the fan vent and moved the ATI GPU closer to the CPU, but also added another 16MB SDRAM (to equal 32MB) next to the Au1550. Although several areas are now unpopulated, including the SO-DIMMesque slot for the 2N's WiFi module, there are several more chips on the board, including two, count 'em, two Realtek RTL8305SC ICs. Each one of these is a single-chip, 5 port (!) 10/100 Ethernet switch controller, connected to a quad 4-port pulse transformer for twisted pair Ethernet (the YCL PH249015G chips), with the fifth port provided by the Pulse Electronics NS0013-NF single-port transformer. What the heck are these things doing?

Here is the complete logic board, which I dug out of my defective silver Gobi7. Note that while all the stickers say Gobi8, the board says Gobi7 too. In the first picture you can see the HD64F3437TF16 (H8/3437) smart card reader chip with yellow grease pencil slashed across it, a Hitachi H8/300 16-bit microcontroller with 60K of on-board flash and 2K of RAM. Roughly in the centre of the second picture is the Au1550's system flash chip, a 4MB Spansion S29AL032D.

By the way, there was actually something in the hard disk bay too, with its own RTL8305SC and transformer. Labeled the VPN Board ("REV. 2.0"), the WiFi antenna terminals connect here, showing it also serves as the WiFi module. The whole thing physically connects to the main logic board using the 44-pin laptop IDE connector, which is populated in the Gobis.

There's a lot going on with this little board. Besides the Ethernet switch controller and pulse transformer, there's 32MB of SDRAM (Hynix HY57V561620FTP-H) and 8MB of flash (the Spansion FL064AIF).

If we dig it out and pop the cage off, there's one more chip, and it's a doozy: an Atheros AR2316A. That's a third SoC! It integrates a 2.4GHz radio, 802.11b/g MAC and baseband, 802.3 10/100 Ethernet MAC and MII interface, SDRAM and Flash controllers, a UART, and a 180MHz MIPS R4000 core. At the very bottom (in this view) is another obvious set of UART headers, but I never got anything useful from the modules in the busted Gobis with my logic analyzer. On the other hand, that could be because these machines aren't working, and I wonder if heat had something to do with it because this chip is very poorly ventilated. One other interesting thing to note is that I can only see traces from two of the RTL8305SC's five ports going to the transformer. I guess they got a good enough deal on these to waste the other three.

The bottom line is, as we'll demonstrate in the next few screenshots, this laptop isn't just a MIPS laptop: it's three apparently completely independent RISC systems with their own memory, flash and operating system on an internal Ethernet network. All these NIC and switch chips are the internal communication interfaces from the Au1550 to the IXP425 and the AR2316A, but using the IDE bus traces instead of actual twisted pair. That's not what I was expecting to find in a Sun Ray!

It shouldn't surprise you that the interface on this unit isn't standard either. Let's fire it up.

Initially it looks like the exact same firmware as the 2N, even basically the same shade of blue background, apart from the Gobi logo. And then ...

... the menu starts.

The Gobi firmware stores up to eight built-in profiles. This Gobi has three profiles set up in it normally: a "DHCP" profile that acts basically like the 2N did, fetching a lease and the display server addresses from the DHCP server; a hardcoded profile for kOpenRay; and then a third, more mysterious profile we'll save for the end. You can (with a bit of kludginess, the interface is obnoxiously non-orthogonal) edit or overwrite them, and most people never used more than one anyhow. The Engrish command of the Taiwanese development team was imperfect and various odd typos and phrasings are scattered throughout the interface.

The setup menu allows you to create a new profile, configure security options, display system firmware versions (or update them) and do a factory reset.

If you request the firmware versions, the core firmware on the Au1550 (here 4.0_VT035c) then queries both the 3G board (1.2.3.emobile.a) and the VPN board (2.1.0). This takes ... time. The Au1550's firmware can be updated from an appropriately configured Sun Ray server, but the 3G and VPN firmware require a separate local TFTP server to download from (FTP is also supported by the VPN board, but not the 3G board). Again, this is because they're actually separate systems that just happen to be crammed into the same case.

Also note the separate MACs for the "LAN" (the VPN board) and the Sun Ray itself, in addition to the WiFi, of course. We'll see an extreme example of the internal communication network at work when we get to the final profile.

Our first profile essentially makes the Gobi act like a 2N: no local configuration, get a DHCP address, figure out servers for itself (either from DHCP hints or broadcast queries).

Notice the line in the configuration about "Use web authentication." Those of you who remember our deep dive into the Sun Ray 3-based Tadpole M1400 will recall its own built-in login browser for public WiFi and the like (originally Links, and later WebKit). Just keep that in the back of your head for a few minutes.

In this mode, the ID comes up with the MAC of the Sun Ray 2 as expected, since we're not obviously using the VPN (and if you do a quick arp -a on a connected system, you'll see the Sun Ray 2 MAC). But that's not the external Ethernet jack: this claims a full-duplex 100Mbit Ethernet connection when we're connected to the very same 10Mbit half-duplex Ethernet segment I used for testing the 2N. What you're actually seeing is the internal Ethernet connection between the three component systems, which is 100Mbit.

Connecting to the Solaris Sun Ray server.

And at the login prompt. The Gobi, oddly, doesn't appear to support any hot keys except Props-F12 (yellow Fn-Ctrl-F12, the "moon" sleep key), which resets the unit, but only within the same profile. Similarly, the watchdog timer just resets the currently running profile as well. The only way I could find to switch profiles was to powercycle the unit entirely.

So that's what we'll do and select our second profile. Like the first profile, this gets an address from a local DHCP server, but hardcodes the Sun Ray server address (you can also specify a firmware server address) instead of letting the client discover it from DNS or DHCP.

This seems like a minor, almost trivial change, but the Gobi handles this case rather differently.

Instead of going directly to establishing a connection, the Gobi does a long dance to obtain an address.

That's because in this mode, it's not the Sun Ray firmware that's getting the address and connecting to the host. Instead, it's the VPN board.

I've deliberately not suppressed this address to demonstrate to you that we're now using a completely Gobi-internal IP address ( on that big "IDE-Ethernet" switch, again at the false speed of 100Mbit, even though the Gobi is still plugged into the same 10Mbit half-duplex port. This IP address has no relationship to anything on my internal test network. In fact, this completely confuses SRSS on the Solaris server and it simply won't talk to it.

In kOpenRay's console we see what's wrong: there are two addresses, the realIP (VPN-confabulated) and the remoteIP (actual). With the first profile, these were the same; with this profile, only one of them is actually valid. The UDP packets are correctly sent to SRSS, but it replies to the VPN-generated phony address, which won't work (and isn't what it got from the DHCP server), and thus the ALP connection is never established. Unless your local network is or permits this subnet, you may not be able to connect at all either.

kOpenRay does work with the Gobi VPN because I added code to reply to the remote IP it provides instead of the phony "real" one.
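The realIP/remoteIP problem above, as an added example that is not kOpenRay's code (and in Python rather than its Java): the hello packet format is a constructed key=value stand-in, not the ALP wire format, and the function names are mine. The responder compares the client-claimed realIP with the actual UDP source and always replies to the source, which is what makes the Gobi's VPN-internal address harmless.

```python
import ipaddress
import socket
import threading

# Constructed sample "hello" packet in a toy key=value format.
# This is NOT the ALP wire format; it only models the two addresses the
# kOpenRay console displays: the client-claimed realIP and the actual
# UDP source (remoteIP). The claimed 10.0.0.2 mimics a VPN-board-internal
# address that has nothing to do with the segment the packet arrives on.
SAMPLE_HELLO = b"id=MAC:00:00:00:00:00:01\nrealIP=10.0.0.2\nnamespace=IEEE802\n"


def parse_hello(payload: bytes) -> dict:
    """Parse the toy key=value hello into a dict, skipping malformed lines."""
    fields = {}
    for line in payload.decode("ascii", errors="replace").splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def choose_reply_address(hello: dict, src: tuple) -> tuple:
    """Return ((ip, port), mismatch).

    The reply always goes to the UDP source address `src`, the only address
    known to be reachable. The client-claimed realIP is compared purely for
    diagnostics; an absent or unparsable claim counts as a mismatch rather
    than being trusted.
    """
    remote_ip, port = src
    claimed = hello.get("realIP", "")
    try:
        mismatch = ipaddress.ip_address(claimed) != ipaddress.ip_address(remote_ip)
    except ValueError:
        mismatch = True
    return (remote_ip, port), mismatch


def serve_one(sock: socket.socket) -> tuple:
    """Receive one hello on `sock`, answer it at the source, report what happened."""
    payload, src = sock.recvfrom(2048)
    hello = parse_hello(payload)
    reply_to, mismatch = choose_reply_address(hello, src)
    note = b"realIP mismatch" if mismatch else b"realIP ok"
    sock.sendto(b"ack " + note, reply_to)
    return reply_to, mismatch


def demo_roundtrip(payload: bytes = SAMPLE_HELLO) -> bytes:
    """Run a loopback server/client pair and return the reply the client saw.

    With SAMPLE_HELLO the claimed realIP (10.0.0.2) differs from the real
    source (127.0.0.1); the client still receives the reply because the
    server answered the source, not the claim.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    server.settimeout(5)
    outcome = {}
    worker = threading.Thread(target=lambda: outcome.update(served=serve_one(server)))
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(5)
    try:
        client.sendto(payload, server.getsockname())
        reply, _ = client.recvfrom(2048)
    finally:
        worker.join()
        client.close()
        server.close()
    return reply


if __name__ == "__main__":
    print(demo_roundtrip())
```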

It's my suspicion that the VPN board is involved even in the case of the first profile, given that a) the connection speed is wrong, b) the VPN boards are dead even via the UART ports and c) my dead Gobis power up and try to initialize their network connections, but fail, which should work if the Sun Ray firmware had a direct, unimpeded path to the outside. If the VPN board dies, it looks like everything does. And it really does get stuffy in that hard disk bay.

Well, that's enough preamble. It's time to actually break something.

The final profile looks like the first profile, but with one change: this time, we're going to use the built-in minibrowser for "web authentication." Some of you are starting to smile in anticipation, because when there's a browser, there's often a hole. And there's a hole, by golly.

The primary odd half is that we go into the “lengthy dance” to get an IP relatively than the quick Solar Ray direct mechanism. After which a brand new window seems:

That is the mini-browser. Ignore the very fact it may possibly’t get to Snoracle’s web site, as this phase is not allowed out onto the general public Web.

However we are able to surf Floodgap native sources from right here, so let’s pull up the Floodgap important web page.

It is the precise colors, kind of, nevertheless it’s all textual content and no particular fonts or photographs.

If we press Escape for the menu as directed, we see a well-recognized set of choices. A few of what browser that is already. Trace: the M1400 was utilizing a related package.

No, you do not get a clue from visiting the “Gobi7 homepage” (despite the fact that that is technically a Gobi8). Surrender?

It is ELinks! (And it is a GPL violation!) Extra particularly, ELinks 0.11.3, which might be proper for the timeframe of this firmware model.

The notion right here is that you’d join, do no matter login course of you wanted to do, and having achieved so then give up the browser and let the VPN board do the remainder of its dance. Spoiler alert the second — we’re not going to let it get that far.

Two extra issues in regards to the browser earlier than we get caught into it. First, here is its person agent string: it is working Linux 2.4.25. Naturally it studies the structure as mips. However which one, the Au1550 or the AR2316A? I do not suppose the Solar Ray 2 firmware is Linux-based! (The M1400 was.)

Second, TLS v1.0 is supported, however there isn’t a certificates validation and no retailer. This was actually supposed for public networks anyway the place you’ll assume they had been untrustworthy to start with and presumably tunnel by them. There isn’t any help for FTP or Gopher.

Anyway, sufficient messing round. Though there may be at the least one presumably helpful buffer overflow on this model, we could have a fair simpler method to break it. The M1400’s set up of Hyperlinks was correctly chrooted by Tadpole, so let’s have a look at if Accutech did the identical. Will it allow us to take a look at file:///?

Oh no. All the pieces is busybox. However we are able to see that all the pieces is busybox. Let’s take a look at /bin.

Oh noooo. Is it going to be this straightforward?

Let's see if it'll let me open /bin/sh

… with /bin/sh.

It halted. But wait a minute: is that a root prompt?

Oh yes.

Oh yessssss. It's that easy.

There's no chroot at all. We're into the operating system. The Gobi is pwned.

The first order of business is to see what's running. Among the various kernel tasks and a couple of self-explanatory processes, ps -ef tells us there's a Telnet daemon (!), a getty listening on what's most likely the serial UART at 115200bps (so this should definitely answer there if I ever want to test it), ELinks, our shell process, and a couple of instances of a program called icosconfig. One of those was the job that stopped when we pulled the confused deputy gag on ELinks.

This is a Busybox shell, and clearly an old Busybox at that, but we can see from the environment variables that our parent process was the Telnet daemon (also Busybox), so this connection came over Telnet. Another weird thing is that our user ID is admin, not root. Let's take a look at the password file.

Despite at least one account claiming to be in the shadow file (pcap), there is no /etc/shadow, so everything is actually here. There are four user IDs, one being nobody, one named pcap (presumably for packet capture) that's effectively disabled, the admin account we're logged in as that's apparently a root clone, and root, which is also disabled. Only admin has a password.
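The review just done by eye is worth scripting when you look at more than one box. The following is an added example of mine, not code from the post or from the device: it audits a BusyBox-style /etc/passwd for exactly the oddities above (a second uid-0 account, an "x" field on a system that has no /etc/shadow, an empty password field, and which accounts can actually open a shell). It runs over a constructed sample laid out like the file described (four accounts, admin the only one with a hash, no shadow file); the admin hash is a placeholder, not the real one, and the function and constant names are mine.

```python
"""Audit a BusyBox-style /etc/passwd for root aliases, empty and placeholder
password fields, and interactive accounts.  Added example; the sample file
below is constructed to match the layout described in the post."""

# Constructed sample: four accounts, no /etc/shadow on the box.  The admin
# hash is a placeholder, not the device's real one.
SAMPLE_PASSWD = """\
root:*:0:0:root:/root:/bin/sh
admin:$1$PLACEHOLDER$notarealhash0000000000:0:0:admin:/root:/bin/sh
pcap:x:100:100:packet capture:/nonexistent:/bin/false
nobody:*:65534:65534:nobody:/nonexistent:/bin/false
"""

LOCKED_MARKERS = {"*", "!", "!!"}
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def classify_password_field(pw, shadow_present):
    """Say what a passwd(5) password field means for logging in."""
    if pw == "":
        return "no password required"
    if pw in LOCKED_MARKERS:
        return "locked"
    if pw == "x":
        # "x" only means "see /etc/shadow" when that file exists; without it,
        # login compares the literal "x" against crypt() output and never matches.
        return "shadowed" if shadow_present else "shadow placeholder without /etc/shadow"
    return "hashed password"


def audit_passwd(passwd_text, shadow_present=False):
    """Return a list of (account, issue) findings for the given passwd text."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry"))
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields
        state = classify_password_field(pw, shadow_present)
        if int(uid) == 0 and name != "root":
            findings.append((name, "uid 0 alias of root"))
        if state == "no password required":
            findings.append((name, "empty password field: logs in without a password"))
        elif state == "shadow placeholder without /etc/shadow":
            findings.append((name, "password field is 'x' but no /etc/shadow exists"))
        can_login = state in ("hashed password", "no password required")
        if can_login and shell not in NOLOGIN_SHELLS:
            findings.append((name, "interactive account (%s, shell %s)" % (state, shell)))
    return findings


def interactive_accounts(passwd_text, shadow_present=False):
    """Names of accounts that can open a shell: the ones that need a strong,
    non-default password before the box goes anywhere near a network."""
    return [acct for acct, issue in audit_passwd(passwd_text, shadow_present)
            if issue.startswith("interactive account")]


if __name__ == "__main__":
    for acct, issue in audit_passwd(SAMPLE_PASSWD):
        print("%-8s %s" % (acct, issue))
```

Feed it the real file (cat /etc/passwd over the shell) with shadow_present set from whether /etc/shadow exists. The point of the classifier is that an "x" without a shadow file, a "*" and an empty field all look like "no password" at a glance but mean three different things to login: unusable, locked, and wide open respectively.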

But we can enable root, and Telnet is already listening, so let's get a session up where we can cut and paste and capture things instead of making another thousand screenshots. (Important note! If you're following along on your own Gobi, DON'T change the password file for this, because there's an easier way. But I had to do it myself to find out.) With the root password set to blank, let's log i…huh?

% telnet ██████████
Connected to ██████████.
Escape character is '^]'.

(none) login: root

That is … not a root prompt.

  Error: ls - invalid command

  quit

  Usage: show  <options>

  auth ...
  config ...
  interface ...
  ip ...
  ipsec ...
  radio ...
  system ...
  vlan ...
  wireless ...
  wlan ...
  wds ...

Cedar>show system

  Model: Cedar 860AG
  Firmware Version: 2.1.0
  Firmware Build Time: Thu Nov 8 20:41:49 PST 2007
  System Name: (none)
  Login Name: root
  Session Timeout: 10 min
  System Time: 01/01/2000, 00:16:24
  System Uptime: 0 days 0 hours 16 minutes 24 secs

Clearly we have some more corners of this system to explore (and we just found another GPL violation, possibly, in what Accutech did to Busybox). But right now I'd just like a proper shell (and the Accutech terminal doesn't seem to handle CTRL-C right either), so let's put telnetd on another port and ensure we get a shell. telnetd -p 2323 -l /bin/sh should do nicely.

We'll now switch over to a terminal session from my desktop Linux machine. But before we do:

The Cedar 860AG is, as defined by its manufacturer Intelicis, an enterprise access point with Ethernet and WiFi. This is no doubt what the Sun Ray firmware is using to configure its network settings during the "long dance," and if it loses connection to it, we've demonstrated it will likely be unable to connect to anything. That means a wrong move will brick this machine, especially since we're root and logged into the firmware, and there's no guarantee you can fix it from the UART. If you have one of these and you're following along, you deviate from this demonstration at your own risk. I'm not responsible for you wrecking your rare Sun Ray laptop.

First thing: who are we actually talking to? The Cedar 860AG mentions Atheros in its datasheet, so I have a good idea it's not the Au1550, and since there's a functioning /proc, /proc/cpuinfo confirms it:

# ls /
bin         home        lost+found  root        usr
dev         lib         mnt         sbin        var
etc         linuxrc     proc        tmp
# cat /proc/cpuinfo
system type             : Atheros AR5315
processor               : 0
cpu model               : unknown V6.4
BogoMIPS                : 183.50
wait instruction        : no
microsecond timers      : yes
tlb_entries             : 16
extra interrupt vector  : yes
hardware watchpoint     : no
VCED exceptions         : not available
VCEI exceptions         : not available

Interestingly it's detected as an "Atheros AR5315" but that's part of the same MIPS family. The architecture is well known to OpenWrt as quite a few routers use it, so add this little hidden one to the list.

The fun part about it being an independent system is that even when the Au1550's Sun Ray firmware watchdog fires and the machine tries to reset, apparently the AR2316A locks it out while it's active. The console and framebuffer become inoperative until the machine is powercycled, but we remain logged in as long as we're connected remotely. Which leads to another question: who's the master processor in this laptop really?

# dmesg
# cat /proc/cmdline
console=ttyS0,115200 root=mtdblock2 mem=32M rw
# cat /proc/meminfo
        total:    used:    free:  shared: buffers:  cached:
Mem:  30789632 10969088 19820544        0        0  4980736
Swap:        0        0        0
MemTotal:        30068 kB
MemFree:         19356 kB
MemShared:           0 kB
Buffers:             0 kB
Cached:           4864 kB
SwapCached:          0 kB
Active:           1564 kB
Inactive:         5328 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:        30068 kB
LowFree:         19356 kB
SwapTotal:           0 kB
SwapFree:            0 kB
# cat /proc/swaps
Filename                        Type            Size    Used    Priority

No surprise: we saw a 32MB SDRAM chip, and that's what it has. There's nothing in dmesg, but the kernel command line demonstrates the root filesystem is flash via MTD. That's undoubtedly the flash chip we saw.

# ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:19:25:f1:c8:7d brd ff:ff:ff:ff:ff:ff
3: wifi0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast qlen 199
    link/ether 00:19:25:f1:c8:7c brd ff:ff:ff:ff:ff:ff
4: sta0: <BROADCAST,MULTICAST> mtu 1500 qdisc noqueue 
    link/ether 00:19:25:f1:c8:7c brd ff:ff:ff:ff:ff:ff
5: wan: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue 
    link/ether 00:19:25:f1:c8:7d brd ff:ff:ff:ff:ff:ff
    inet ██████████/██ brd ██████████ scope global wan
6: lan: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue 
    link/ether 00:19:25:f1:c8:7d brd ff:ff:ff:ff:ff:ff
    inet brd scope global lan
    inet brd scope global lan:1
7: eth0.0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc noqueue 
    link/ether 00:19:25:f1:c8:7d brd ff:ff:ff:ff:ff:ff
8: eth0.2: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc noqueue 
    link/ether 00:19:25:f1:c8:7d brd ff:ff:ff:ff:ff:ff
# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 *:2323                  *:*                     LISTEN      
tcp        0      0 *:telnet                *:*                     LISTEN      
tcp        0      0 ██████████:2323         ██████████:39326  ESTABLISHED 
tcp        0      0      ESTABLISHED 
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     1426   /tmp/socket0
unix  3      [ ]         DGRAM                    21     /dev/log
unix  3      [ ]         STREAM     CONNECTED     1391   
unix  3      [ ]         STREAM     CONNECTED     1390   
unix  2      [ ]         DGRAM                    633    

The output here is almost proof positive that the VPN board fully controls the Ethernet jack. The only interface with the "external" (i.e., my internal test network) address is wan, and that MAC is the VPN board's (scroll back up for proof). What's interesting is that the same MAC is used for the internal Ethernet interconnect, and there's a second network 192.168.11.* to go with 192.168.100.*. Our stalled-out console connection is over that network even though the VPN board seems to be listening on all interfaces and clearly responds on them.

I did a little test at this point just to see how wide open a barn door we had, but (to my relief and simultaneous vague disappointment) nothing responded to Telnet with the other two profiles. It looks like the hole only opens when the Accutech console browser does.

Let's bring the shell back up. What else answers on the internal network? We'll start with where the original Telnet connection originates from, which doesn't answer on Telnet.

# telnet
telnet: Unable to connect to remote host ( Connection refused

But after repeatedly checking numbers in that subnet, we find that responds to pings. Does it talk to us?

# telnet

Entering character mode
Escape character is '^]'.

3g login: root
Login incorrect

3g login: admin

Welcome to ICOS version 8.0

        Copyright (c) 2004-2007, Intelicis Corporation
        All rights reserved


We just found the IPX425 on the 3G board! And there's no password on the admin account! It looks like it's running the same kind of embedded router operating system, because we have a Cedar prompt. It calls itself "ICOS."

Cedar>show system

  Model: Cedar 860AG
  Firmware Version: 1.2.3.emobile.a
  Firmware Build Time: Mon Oct 15 15:23:02 PDT 2007

  System Name: 3g
  Login Name: admin
  Session Timeout: 10 min
  System Time: 01/01/1970, 00:07:35
  System Uptime: 0 days 0 hours 19 minutes 35 secs
Cedar>show config

# Common Wireless Setting

# WLAN Intelicis-a
wlan add Intelicis-a
wlan Intelicis-a ssid Intelicis-a

# WLAN Intelicis-g
wlan add Intelicis-g
wlan Intelicis-g ssid Intelicis-g

# Serial port 1 configuration

# Radio 1 configuration
radio 1 freq a
radio 1 auto_channel_list 36,149
radio 1 basic_rates 6,12,24
radio 1 supported_rates 6,9,12,18,24,36,48,54
radio 1 wlanadd Intelicis-a

# Radio 2 configuration
radio 2 freq bg
radio 2 auto_channel_list 1,6,11
radio 2 basic_rates 1,2,5.5,11
radio 2 supported_rates 1,2,5.5,11,6,9,12,18,24,36,48,54
radio 2 wlanadd Intelicis-g

  Error: No /tmp/icos/bridge directory existed
# Network Protocol Configuration

Cedar>quit
Connection closed by foreign host.

It's a bit of a surprise to see this XScale core also identify itself as a Cedar 860AG. That said, the behaviour is a bit different from the Cedar prompt we got on the Atheros; it's quite possibly an earlier release of the software despite the later build date. It also looks like there's an embedded Linux or Unix under this too, based on that error message referencing a missing /tmp/icos/bridge, but getting into it will probably require figuring out where the UART is. A project for another day.

From this we can reasonably conclude that 192.168.11.* is the internal "Ethernet-over-IDE" network, with .2 being the 3G board, .5 being the Au1550, and .1 being this, the VPN board (again: who's actually the main CPU?). Nothing seemed to answer on the 192.168.100.* network, so let's get back to the VPN board and this time dig around in the filesystem.

# df -k
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/mtdblock2            6976      5304      1672  76% /
# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00030000 00010000 "RedBoot"
mtd1: 000e0000 00010000 "ICOS"
mtd2: 006d0000 00010000 "rootfs"
mtd3: 00010000 00010000 "RedBootCfg"
mtd4: 00010000 00010000 "AtherosCfg"

Aha, the boot loader is RedBoot! That's what Dusted-off Dreamcast Linux uses. With the rickety nature of this setup I'm concerned about dumping the individual partitions to the filesystem to exfiltrate them for analysis, but the firmware images I was provided by a kind soul seem compressed with a method that neither I nor binwalk have figured out yet, so we may be able to get them off another way. While we think about that, let's look at some of the other binaries we saw running.

# busybox
BusyBox v1.00 (2007.11.01-21:12+0000) multi-call binary

Usage: busybox [function] [arguments]...
   or: [function] [arguments]...

        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable.  Most people will create a
        link to busybox for each function they wish to use, and BusyBox
        will act like whatever it was invoked as.

Currently defined functions:
        [, ash, awk, busybox, cat, chgrp, chmod, chown, chroot, cp, cut,
        date, dd, df, dirname, dmesg, echo, egrep, expr, false, ftpget,
        ftpput, getty, grep, gunzip, gzip, halt, head, hostname, httpd,
        id, ifconfig, ifdown, ifup, inetd, init, insmod, iproute, kill,
        killall, klogd, linuxrc, ln, logger, login, ls, lsmod, md5sum,
        mkdir, mknod, modprobe, mount, mv, netstat, od, passwd, ping,
        printf, ps, pwd, reboot, rm, rmmod, route, run-parts, sdiff, sed,
        sh, sleep, sort, start-stop-daemon, swapoff, swapon, sync, sysctl,
        syslogd, tail, tar, telnet, telnetd, test, tftp, top, touch, tr,
        traceroute, true, tty, udhcpc, udhcpd, umount, uname, uptime,
        usleep, vconfig, vi, wc, which, whoami, zcat
# which icosconfig
# icosconfig
  Error: Missing argument
  Usage: icosconfig   save   <module name>  

I FTPed both files to my Linux desktop. file says they’re an ELF 32-bit MSB executable, MIPS, MIPS32 version 1 (SYSV), dynamically linked, interpreter /lib/, stripped. Combine uClibc (/lib/ with the fact everything is busybox and we’re actually looking at a uClinux system here. Cool.

icosconfig appears to be some sort of all-singing, all-dancing configurator like a proto-systemd, but worse, because it’s even hackier. Shell commands appear liberally in the output of strings like

brctl addbr lan; ifconfig lan up; ifconfig eth0 up
brctl addbr lan; ifconfig lan up; ifconfig eth0 up; brctl addif lan eth0
brctl addbr vlan%d; ifconfig vlan%d up; vconfig add eth0 %d; ifconfig eth0.%d up
brctl addbr vlan%d; ifconfig vlan%d up; vconfig add eth0 %d; ifconfig eth0.%d up
ps -ef | grep "/sbin/dhcpcd-bin -Y -N %s " | grep -v grep 1>/dev/null 2>&1
route del default 1>/dev/null 2>&1 ; route add default gw %s dev %s 1>/dev/null 2>&1
grep -v "add -net netmask gw %s" %s/routecurr.conf > %s/routecurr.tmp; mv -f %s/routecurr.tmp %s/routecurr.conf
echo "add -net netmask gw %s dev %s" >> %s/routecurr.conf

It also contained the error message string we got when we were connected to the Cedar configuration prompt (and it contains the string Cedar), so it seems like Busybox login is hardcoded to call it by default. To prove this:

# login "-?"
login: illegal option -- ?
BusyBox v1.00 (2007.11.01-21:12+0000) multi-call binary

Usage: login [OPTION]... [username] [ENV=VAR ...]

Begin a new session on the system

        -f      Don't authenticate (user already authenticated)
        -h      Name of the remote host for this login.
        -p      Preserve environment.

# login -f admin
Cedar>show config
  Usage: show config  <options>

  all|startup|running|<config file name>

Cedar>show config all

Cedar>show config running

# IPSEC setting
ipsec off
ipsec autodial off
ipsec connect off
ipsec eazyvpn off
ipsec nat_traversal on
ipsec aggr_mode off
ipsec pfs off
ipsec replay_protect off
ipsec encryption 3des
ipsec hash md5
ipsec psk 
ipsec remote_ip 
ipsec remote_subnet 
ipsec remote_dhcp 
ipsec group_name 
ipsec group_key 
ipsec xauth_user 
ipsec xauth_password 
ipsec dns 
ipsec sunray 
ipsec firmware 
ipsec mtu 1356

# Interface setting
interface lan on
interface lan ip 0 addr netmask mode static
interface lan ip 1 addr netmask mode static
interface wan on
interface wan ip 0 addr netmask mode dhcp
interface sta0 off
interface sta0 ip 0 addr netmask mode dhcp

# WLAN Intelicis-g
wlan add Intelicis-g
wlan Intelicis-g ssid Intelicis-g

# Radio 1 (5GHz) configuration
radio 1 freq bg
radio 1 basic_rates 1,2,5.5,11
radio 1 supported_rates 1,2,5.5,11,6,9,12,18,24,36,48,54
radio 1 wlanadd Intelicis-g

# Network Protocol Configuration

Cedar>quit

Basically the configuration confirms what we saw from ip addr. It's interesting that show config all didn't actually show any config at, um, all.

To confirm icosconfig was the source of the prompt, I looked at the output of ps -ef from the shell on port 2323, then did login -f admin from the console and looked at ps -ef again. The new process was icosconfig shell, so:

# icosconfig shell

Now that we can access the Cedar prompt without having to log in over Telnet, at this point I went ahead and undid the change I made to root in /etc/passwd on the off chance it comes back to bite us later. That's why you don't need to do this yourself if you're following in my footsteps, as by this point we've found out how to run it directly.

After all that, though, what was the password for the VPN board's admin account? When I first wrote this, I censored the hash in that screenshot because I figured that Accutech would have changed it to something random and embedded that in their binary. Indeed, letting John the Ripper at it on my 64-thread POWER9 Raptor Talos II for 72 hours didn't turn up anything obvious. Then I found the manual for the Cedar 860AG and the default username and password, which are admin and (no joke) changeitnow. Well, guess what worked on the first try, including for the Cedar prompt's enable command for more privileges? And on the IPX425 3G board as well? You don't even need to crack the hash now. I mean, this thing just gets better and better the more I play with it.

Anyway, back to the filesystem. Exploration of ls -lR / reveals many paths containing icos. ICOS looks like Intelicis' embedded baseline operating system, which Accutech then customized as necessary for the 3G and VPN boards. Most of what's here are text configuration files like this one (I'm not sure if the enterprise number is supposed to be confidential, so I've suppressed it):

# cat /etc/icos/system/data
#Base template for system module to dynamically generate 
#proprietary snmpd config file upon initialization
#Enterprise number of Intelicis Corp. is ████
model=Cedar 860AG
syslocation=Intelicis Corporation

For obvious reasons, I won't mess with these configuration files; we'll stick to the commands exposed to us at the Cedar prompt.

Looking around some more, a fair amount of data was unpacked to /tmp for reasons unclear to me, since /tmp is just part of the filesystem rather than in-memory. Fortunately some of these files have unusual dates, suggesting that they were just left there rather than the flash being overwritten with new copies every time the VPN board starts (whew, that would be really bad).

# ls -l /tmp
-rwxr--r--    1 root     root         1354 Jan  1 00:00 elinks.conf
drwxr-xr-x    1 root     root            0 Jan  1 00:00 etc
-rw-r--r--    1 root     root           21 Jan  1 00:00 eth0.out
drwxr-xr-x    1 root     root            0 Jan  1 00:00 icos
drwxr-xr-x    1 root     root            0 Dec  9  2006 icosscripts
drwxr-xr-x    1 root     root            0 Jan  1 00:00 lib
drwxr-xr-x    1 root     root            0 Jan  1 00:00 lock
drwxr-xr-x    1 root     root            0 Jan  1 00:00 run
srw-------    1 root     root            0 Jan  1 00:01 socket0
-rw-r--r--    1 root     root           21 Jan  1 00:00 sta0.out
drwxr-xr-x    1 root     root            0 Jan  1 00:00 tmp
# ls -ldt /tmp
drwxrwxrwx    1 root     root            0 Jan  1 00:00 /tmp

Most of the elinks.conf file is comments. There are only a couple of terminal options set and nothing else. When does the fail stop, exactly? Can I get off this fail bus?

There are also stub shell scripts in /usr/local/lib/ipsec/mips-uclibc/bin for mips-uclibc-gcc and others, but the actual compilers are not present, so these files just take up space, like the other pieces of ICOS that aren't actually used.

The overall impression is that Accutech just threw ICOS on the flash and did the minimum to make it work. In particular, I suspect icosconfig is basically as shipped; I don't think Accutech wrote it. Admittedly you probably wouldn't be motivated to clean the house either if you didn't think you'd get any uninvited guests.

Our last mystery is to figure out where the kernel is. We'll start by trying to get the RedBootCfg partition and see what it loads.

# dd bs=512 count=128 if=/dev/mtd3 | od -x
0000000     5265    6442    6f6f    7400    0000    0000    0000    0000
0000020     a800    0000    a800    0000    0003    0000    0000    0000
0000040     0003    0000    0000    0000    0000    0000    0000    0000
0000060     0000    0000    0000    0000    0000    0000    0000    0000
*
0000360     0000    0000    0000    0000    0000    0000    c69f    f81b
0000400     5265    6442    6f6f    7420    636f    6e66    6967    0000
0000420     a87e    f000    a87e    f000    0000    1000    0000    0000
0000440     0000    0000    0000    0000    0000    0000    0000    0000
*
0177760     0000    0000    0000    0000    dead    dead    a06c    e27e

I cut and pasted the output as input to this Perl script on my workstation:


$pos = 0;
select(STDOUT); $|++;
binmode(STDOUT);                # raw bytes out, no newline translation
$star = 0;
$last = '';                     # bytes of the previous od line

while(<>) {
        next if (/\+/);         # skip dd's "128+0 records in/out" lines
        if (/^\*\s*$/) {        # od prints "*" when the previous line repeats
                $star = 1;
                next;
        }
        @h = ();
        ($oc, $h[0], $h[1], $h[2], $h[3], $h[4], $h[5], $h[6], $h[7], $x) =
                split(/\s+/, $_);
        next if length($x);     # more than 8 words: not an od data line
        $hex = join('', grep { defined($_) } @h);

        $npos = oct($oc);       # od offsets are octal
        if ($star) {
                # replay the previous line across the elided span
                print STDOUT $last x (($npos - $pos) / length($last)) if length($last);
                $star = 0;
        }
        $bytes = pack("H*", $hex);      # big-endian board: words are already in byte order
        print STDOUT $bytes;
        $last = $bytes if length($bytes);
        $pos = $npos + length($hex)/2;
}

This yielded a 64K binary, exactly the size of the partition, so I figured it likely transferred correctly, but it wasn't very helpful:

% strings mtd3
RedBoot config
FIS directory
fis load -d -b 0x80040000 kernel
go 0x80040000

Next I exfiltrated the ICOS partition. This seemed rather larger and was a good guess.

% file mtd1
mtd1: gzip compressed data, last modified: Fri Nov  9 04:44:12 2007, from Unix, original size modulo 2^32 0
% gunzip -c < mtd1 > gobi.kernel

gzip: stdin: decompression OK, trailing garbage ignored
% strings gobi.kernel | grep Linux
Linux version 2.4.25 (jiant@develop) ( /opt/devicescape/toolchains/mips-linux/bin/../libexec/gcc/mips-linux/3.4.1/collect2 --eh-frame-hdr -EB -dynamic-linker /lib/ -L/opt/devicescape/toolchains/mips-linux/mips-linux-uclibc/lib -L/opt/devicescape/toolchains/mips-linux/mips-linux-uclibc/lib -L/opt/devicescape/toolchains/mips-linux/bin/../lib/gcc/mips-linux/3.4.1 -L/opt/devicescape/toolchains/mips-linux/bin/../lib/gcc -L/opt/devicescape/toolchains/mips-linux/bin/../lib/gcc/mips-linux/3.4.1/../../../../mips-linux/lib -L/opt/devicescape/toolchains/mips-linux/bin/../lib/gcc/mips-linux/3.4.1/../../.. --dynamic-linker /lib/ -rpath-link /opt/devicescape/toolchains/mips-linux/mips-linux-uclibc/lib /opt/devicescape/toolchains/mips-linux/mips-linux-uclibc/lib/crti.o /opt/devicescape/toolchains/mips-linux/mips-linux-uclibc/lib/crtbegin.o /opt/devicescape/toolchains/mips-linux/mips-linux-uclibc/lib/crt1.o -lgcc -lgcc_eh -lc -lgcc -lgcc_eh /opt/devicescape/toolchains/mips-linux/mips-linux-uclibc/lib/crtend.o /opt/devicescape/toolchains/mips-linux/mips-linux-uclibc/lib/crtn.o) #422 Thu Nov 8 20:41:49 PST 2007

Looks like we got it; the entire partition is the kernel, which in retrospect I should have immediately suspected from the name. I can't tell if this was something Accutech or Intelicis built, but I'll lay good odds it was the latter.
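Two of the chores above are worth scripting when you do them more than once: working out from /proc/mtd how big a partition is (which is where dd bs=512 count=128 for the 64K RedBootCfg came from), and pulling a kernel out of a partition dump that is a gzip stream followed by erased-flash padding (the "trailing garbage ignored" from gzip). The following is an added example of mine, not code from the post: it parses the /proc/mtd table quoted earlier, and carves the first gzip member out of a partition image without tripping over the padding, reporting how much of the partition the stream actually used. The partition image it decodes is constructed (a small gzip stream padded with 0xff bytes to the RedBootCfg size), not a Gobi dump, and the function names are mine.

```python
"""Helpers for two flash-dump chores: sizing partitions from /proc/mtd and
decompressing a gzip stream that is followed by erased-flash padding.
Added example; the sample partition image is constructed, not a device dump."""
import gzip
import io
import zlib

# The /proc/mtd table as printed by the VPN board (sizes are hex byte counts).
PROC_MTD = """\
dev:    size   erasesize  name
mtd0: 00030000 00010000 "RedBoot"
mtd1: 000e0000 00010000 "ICOS"
mtd2: 006d0000 00010000 "rootfs"
mtd3: 00010000 00010000 "RedBootCfg"
mtd4: 00010000 00010000 "AtherosCfg"
"""

GZIP_MAGIC = b"\x1f\x8b\x08"   # ID1, ID2, CM=deflate


def parse_proc_mtd(text):
    """Map partition name -> (device, size in bytes, erase block size in bytes)."""
    parts = {}
    for line in text.splitlines()[1:]:          # first line is the header
        dev, size, erasesize, name = line.split(None, 3)
        parts[name.strip('"')] = (dev.rstrip(":"), int(size, 16), int(erasesize, 16))
    return parts


def dd_count(size_bytes, bs=512):
    """Blocks of size bs that cover a partition: the count= argument for dd."""
    return -(-size_bytes // bs)                 # ceiling division


def carve_gzip(image):
    """Decompress the first gzip member in image and return (payload, used),
    where used is how far into the image the stream extends.  Bytes after the
    stream (0xff padding from erased flash) are left alone instead of making
    the whole decode fail."""
    start = image.find(GZIP_MAGIC)
    if start < 0:
        raise ValueError("no gzip header in image")
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # 16+ selects gzip framing
    payload = d.decompress(image[start:])
    if not d.eof:
        raise ValueError("gzip stream is truncated")
    used = len(image) - len(d.unused_data)      # everything after the member is padding
    return payload, used


def naive_gunzip_fails(image):
    """True if the stock gzip module rejects the padded image outright."""
    try:
        gzip.decompress(image)
    except OSError:                              # BadGzipFile is an OSError subclass
        return True
    return False


def build_sample_partition(payload, partition_size):
    """Constructed test image: gzip(payload) padded with 0xff to partition_size.
    Returns (image, length of the gzip stream)."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        gz.write(payload)
    blob = buf.getvalue()
    if len(blob) > partition_size:
        raise ValueError("payload does not fit the partition")
    return blob + b"\xff" * (partition_size - len(blob)), len(blob)


if __name__ == "__main__":
    parts = parse_proc_mtd(PROC_MTD)
    for name, (dev, size, _erase) in parts.items():
        print("%-11s %s %8d bytes  dd bs=512 count=%d" % (name, dev, size, dd_count(size)))
    sample = b"Linux version 2.4.25 (constructed sample payload)\n" * 50
    image, blob_len = build_sample_partition(sample, parts["RedBootCfg"][1])
    payload, used = carve_gzip(image)
    print("stream used %d of %d bytes; payload intact: %s" % (used, len(image), payload == sample))
```

The stock Python gzip module is stricter than the gzip command: where the command warns "trailing garbage ignored", gzip.decompress() raises on the 0xff bytes after the member, which is why the carve uses a zlib decompress object and reads unused_data to find where the stream ended. That offset is also the number worth recording: if it is far short of the partition size, the rest of the partition is padding, not a second image you missed.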

That's enough messing around. Now that we're in it, what can we do with it? I'd love a way to open a client socket other than Telnet, for one thing, but it doesn't look easily doable. The Busybox build here lacks a lot of core applets like netcat/nc and its shell doesn't understand /dev/tcp, and of the other non-Busybox executable files present none seem to offer such functionality. Creating a cross-compiler setup for a kernel this old (and matching the included uClibc) is likely to be a challenge. I did find some precompiled big-endian MIPS binaries of things like netcat and socat, but they were either for later versions of Linux or later CPUs, neither of which worked here.

But this Busybox does have awk, so at least we have some sort of scripting language better than the shell, and we do certainly have elinks, which got us this far in the first place. We can do a lot with awk and an HTTP client. Maybe I'll try my hand at writing a MIPS ELF binary in a hex editor that does netcat in assembly language with syscalls. That sounds like a great future entry …

The Gobis are in my humble opinion the most spectacular of the Sun Ray laptops for these nearly fatal idiosyncrasies, but while they were probably the Sun Ray 2 laptop produced in the largest numbers, no MIPS Sun Ray laptop is very common and none sold in quantity. Both Accutech and Naturetech closed up shop shortly after. Post-Oracle, the 2011 Sun Ray 3 series made the 64-bit jump with the MIPS64 RMI (later Broadcom) XLS104, an SMT-4 750MHz CPU on a 90nm process, but although the core design remained very similar, power consumption ranged from a typical 14W to as high as 36W.

No laptop Sun Ray 3 was ever produced. While the power requirement was a partial explanation, the biggest reason was simply that laptop Sun Rays were replaced … by laptops. The 2008 Tadpole M1400 we explored previously and its relatives were the last Sun Ray mobile systems, with the firmware newly ported to run on off-the-shelf Linux-based x86 hardware instead of MIPS. The way forward was thus obvious. Sun released a pure-software client in 2009, the Sun Desktop Access Client, which ran on Windows and later on Mac. With improved central management tools, the advantages of a firmware-locked purpose-built Sun Ray mobile system were outweighed by the cost and flexibility advantages of deploying locked-down commodity laptops instead. Oracle rebranded the Desktop Access Client as the Oracle Virtual Desktop Client before discontinuing the entire technology in 2014.

In the meantime, it turns out I had "another" MIPS Linux system inside my MIPS Sun Ray laptop all along and got to spend a pleasant few days breaking into it. The 2N is a lot safer to use but a lot less interesting to work with, even if the Gobi is interesting for all the wrong reasons: a unique but ramshackle multisystem architecture prone to failure, gaping holes that could have been trivially mitigated, and the indefensible use internally of default passwords. Indeed, the Gobis' critical dependence on the VPN board for connectivity cannot help but lead me to conclude that the AR2316A is the real central processor, and the Au1550 is just its front end. Only their rarity and the non-standard configuration required for penetration prevented these machines from being the stuff of hacker legend during their era. Like IoT, the S in "embedded" is apparently for security too.
