Of Sun Ray laptops, MIPS and getting root on them
Wait, what? Root on a thin client?
In 1984 Sun Microsystems adopted as their company slogan John Gage’s well-known remark that “The Network is the Computer,” one of many neat fragments of history left to rot after Larry “Destroyer of Worlds” Ellison’s Oracle bought them out in 2010. (Fittingly, at least to me, Cloudflare acquired the rights to the disused trademark in 2019. This is an official Sun swag mousepad I picked up back in the day.) False starts like NeWS aside, Sun believed in the idea so deeply that they put significant resources into developing thin clients serviced by their hardware to complement their more typical workstations.
In Sun’s ideal world, a user would run programs on a central server (a Sun, of course), having their session follow their smart card seamlessly from terminal to terminal along with any other shared resources they might require. While Sun produced the JavaOS-based JavaStation in 1996 — ironically based on Oracle’s Network Computer concept — it used relatively expensive hardware, being essentially a miniaturized SPARCstation 4. Instead, the new proof of concept for a cheaper, more connected world was the 1997 NetWorkTerminal “NeWT” — one wonders if that abbreviation was a coincidence — based on Sun’s MicroSPARC IIep CPU, and that prototype in turn evolved into the first Sun Ray thin client in 1999, codenamed Corona.
We first talked about the Sun Ray line some months ago by looking at one of its last examples, the Tadpole M1400 laptop and its General Dynamics rebadge. Sun produced the first generation Sun Rays not only as sidecar desktop units that connected to a monitor, keyboard and mouse, but even built some of them into CRT displays reminiscent of Apple’s contemporary G3 iMac (which also inherited technologies from the Oracle Network Computer via the unreleased Macintosh NC) and LCD flat panels.
However, just as it had to go cheaper to win, if the Sun Ray approach was to become truly omnipresent then it would have to go portable as well. That was where the 500nm microSPARC IIep, as diminutive as it was for SPARCs of the time, couldn’t make the grade: the Sun Ray 1G required 20 watts just to run, not counting the display it was connected to, and at least 5 watts of that went to the 100MHz CPU alone. Downclocking it wasn’t an option either, since the CPU was already too underpowered to handle the stream; a 2006 InfoWorld article accused early Sun Rays of being “network-clobbering” and “stuttering.” So Sun jumped from SPARC to MIPS with the Sun Ray 2, and that’s where our story begins.
The MIPS migration happened as a consequence of converting the first generation Sun Rays to Sun’s bespoke Copernicus SoC, which combined the IIep core with 4MB of DRAM on chip (the ATI Rage 128 handling 2D graphics remained separate with its own dedicated memory). During Copernicus’ development, Sun Ray engineer Marc Schneider had considered using the new low-power embedded MIPS Au1 core developed by fabless semiconductor company Alchemy, but there was little appetite at the time for rewriting the onboard firmware to run on a completely new architecture. Alchemy was founded in 1999 by refugees from DEC’s StrongARM development group, which was dissolved after Intel acquired the IP in 1997 and turned it into their XScale CPU line (other group members went on to found SiByte, which developed a MIPS core of their own). The Au1 core was a scalar, in-order core based on the 1999 MIPS32 specification with five pipeline stages. It featured an R4000-class MMU, a 16/32-bit multiply-accumulate unit and a one-bit-per-cycle hardware divider. However, to shrink die area and reduce power consumption, the Au1 eliminated the FPU, removed support for MIPS-16 compressed instructions and supervisor mode, and replaced virtual address translation with a TLB-based method and an exception handler in software instead of having the hardware walk page tables. It could also completely stop all clocks to the core units until reactivated.
The first Au1 chip was the Au1000 SoC in 2001, a 180nm part with integrated SDRAM, flash, USB, serial (IrDA and UART) and Ethernet controllers. It had 16K each of I- and D-cache and ran up to 500MHz but with a top TDP of only 900 milliwatts. Although the Au1000 family, particularly the beefier 1.2W Au1500 with an on-board PCI controller, got design wins in a few embedded applications, Alchemy was still just a small startup and ran into issues landing a second funding round to expand. In 2002 AMD bought Alchemy outright to directly compete with XScale in the embedded sector and released the 130nm Au1550 in 2004, a die-shrink of the Au1500 intended for high-security network applications with the SafeNet Security Engine providing an entropy-based RNG and hardware acceleration for DES, 3DES, AES, RC4, MD5 and SHA-1. It also ran up to 500MHz with the same cache and on-die peripherals but a new lower “typical” power draw of under 600mW, maxing out at 1460mW. Nothing in the SPARC ecosystem could match it for power consumption, making it suitable for portable Sun Rays, but it was nevertheless more capable than XScale, meaning the same chip could power the next generation of desktop Sun Rays too. Sun selected the Au1550 and the first Sun Ray 2 (internally designating the series as “P8”) came out in 2005, paired with 4MB of Flash and an ATI R100-derived ES1000 framebuffer sharing 16MB of RAM. With this design Sun met its goal: the new hardware could more effortlessly handle more demanding applications at higher resolutions, and typical power consumption for the entire system was just 4 watts plus display.
The Sun Ray laptop story is a bit more prosaic. Yes, it may shock some of you to hear that there really were Sun laptops. That said, however, Sun never designed a laptop of their own even for their high-margin SPARC line, relying entirely on third parties to do so, and even the laptops that Sun did sell were designed and OEMed by others. Of these partner OEMs, the most notable were U.S.-based RDI and U.K.-based Tadpole, who later bought out RDI, and Taiwan-based Nature Worldwide Technology Corporation, nicknamed Naturetech. What Sun sold as their Ultra-3 laptop was actually a condominium of at least five discrete models: Tadpole’s UltraSPARC IIIi Viper and both versions of their UltraSPARC IIi SPARCle (all based on the Acer TravelMate 420 chassis) as the Ultra-3 A60, and Naturetech’s UltraSPARC IIIi Mesostation 999 and UltraSPARC IIi PowerBook 888P as the Ultra-3 A61. The two lines were visually different, with the Tadpoles in an arresting lavender case and the 888 and 999 in severe graphite and black, causing some confusion among buyers as they were otherwise completely unrelated. I have a Viper A60 Ultra-3, which puts out a prodigious amount of heat and drains batteries dry in less than an hour at full tilt, and you should never use it on your lap if you want to have children (or a filesystem).
In like fashion, the first Sun Ray laptop didn’t come from Sun either. Tadpole, then newly acquired by General Dynamics, used a modification of the SPARCle design as the 2005 Comet 12 and Comet 15 with the same UltraSPARC IIep and the same basic drawbacks. The SPARCle case was fine for an actual Solaris laptop, but calling the relatively heavy unit a thin client was a poor joke, and Sun didn’t adopt it for sale. Naturetech subsequently took their own shot at the market when the Sun Ray 2 was released, using the desktop unit as a reference design and the same MIPS and ATI chipset but adapting the case and battery from another Taiwanese OEM laptop, the G220 notebook from Elitegroup. Naturetech called it the Jasper 320. Sun liked the thinner profile and reduced weight, and badged it as the Sun Ray 2N for test-marketing in Japan in 2006.
This is my personal 2N, acquired almost unused in its original packaging.
If this manifest is to be believed, this unit was made and shipped in 2007. The 2N came with both 10/100 Ethernet and 802.11b+g WiFi. The WiFi supports WEP, WPA-PSK and WPA2-PSK for authentication, and WEP, WPA-AES and WPA-TKIP for encryption.
Everything in the box, including a very brief manual (in English, however), battery and standard laptop power supply.
In case you didn’t believe it’s a Sun, it’s right there on the top.
And it’s right there on the keyboard. The layout is a standard JIS keyboard with Sun-specific keys, though most aren’t active in Sun Ray mode, and the firmware mostly treats it like a US keyboard. The gap between the display hinges is where the battery would ordinarily go. Any G220-compatible battery will work and the machine was shipped with one. The touch pad isn’t fabulous but it works.
On the left side is a VGA port for mirroring, an Ethernet jack and (replacing the G220’s PCMCIA slot) a smartcard slot. The phone jack on the corner, clearly originally for a built-in modem, is blocked off. The 2N’s VGA port only supports display mirroring and can’t extend the desktop, which is why I conclude it was based on the original Sun Ray 2 rather than the improved 2FS, which could.
The right side just has three USB 1.1 ports. The rest is where the optical drive would have been on the G220 but is completely blocked off in the 2N. The firmware won’t mount any devices connected here but does appear to recognize keyboards and mice. Three whole ports just for that purpose strikes me as excessive (after all, it already has a keyboard and touch pad!) and it seems to be simply because the G220 had them.
On the front there are headphone and microphone jacks (the speakers are in the display), and on the rear are the battery terminals, Kensington lock and A/C barrel jack.
The bottom is where it starts to get more interesting. Even though they served no real purpose, Naturetech kept the CPU, hard disk and RAM doors of the G220 and adapted the Jasper logic board to fit. They also kept the fan vent despite the fact that none of these chips get hot enough to even merit a heat sink.
However, there’s absolutely nothing in the hard disk bay, not even a connector.
Similarly, in the RAM bay there’s no RAM. Instead, the wireless card connects here with an SO-DIMM-like connector, based on a Ralink RT2561T. Beneath it we see the Jasper designation on a sticker. The smartcard chip reader is visible on the southeast side.
The CPU is at position U25, a 500MHz Au1550. West of it in this view is the sole Hynix 5DU281622ETP-5 16MB SDRAM chip, the lowest-binned 200MHz 8Mx16 in that family. Remember: cheap!
The nearby ATI ES1000 framebuffer is an R100 derivative and shares the SDRAM with the CPU. As a simple framebuffer this is adequate.
The display is a 12″ 1024×768 75Hz/24-bit TFT LCD and isn’t too bad, considering (a virtual desktop extends up to 1280×1024 as you move the pointer). Sun badging is prominent not only on the bezel but practically clubs you over the head as well when you turn it on.
If you’ve never used a Sun Ray system before, you might find the display window rather curious. Rather than localizing prompts and status text in the firmware, Sun chose to use an icon display language (“On-Screen Display”) which vendors were obligated to implement. What text does appear is limited to addresses and status codes. The OSD shown here is an evolution of the blue-background OSD used by first generation Sun Rays, but has the same status codes and basic semantics. The first window it pops up shows its MAC address and status 1, meaning it is configuring the onboard Ethernet. Within seconds it will try to get a DHCP lease and find a host, much like any other active parasite.
It’s time to connect this silvery zombie to a source of brains. The following grabs are directly from the VGA port via my INOGENI VGA2USB3 at the native resolution of 1024×768. The only edits are to censor my internal test network information because some of you are friendly and naughty.
Here are the five Kübler-Ross stages of Sun Ray grief connection:
Denial (1): I don’t believe there’s a network (yet).
Anger (21): I found Ethernet, but I have no DHCP address! What the Larry Ellison! (The Ethernet speed is correctly reported as 10Mbit half-duplex since I had it on the slow segment as a stress test. Remember this when we talk about the Gobi.)
Bargaining (22): I pleaded with the DHCP server and it gave me an address.
Depression (26): I found a server but it won’t talk to me yet. (In this case, scottie, the Solaris laptop, had responded to the 2N’s broadcast query and will shortly start the session. I suppose you could insert a couple more stages in here like actually sending the broadcast query [27], but that interferes with my joke, dammit. You can also configure fixed DNS entries [sunray-config-servers, sunray-servers] or send DHCP option 49 [X Window System Display Manager] addresses to hint the client. The DHCP server on this network provides these entries.)
Acceptance (14): my siren call was answered, I have found a source of brains and I will now drain its CPU and resources (over UDP-based Appliance Link Protocol, or ALP). This particular connection is not secured nor authenticated, but encryption and server authentication are generally possible (codes 11 through 13). A watchdog timer will soft-reset the unit and start the stages of grief connection over again if a successful link isn’t made.
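The server hints mentioned above (DHCP option 49, then the fixed DNS names, otherwise the broadcast query) are easy to get subtly wrong on the parsing side, so here is an added example of how a client would decode them. This is not the 2N’s firmware, Sun’s code, or kOpenRay; the DHCP options area follows the RFC 2132 TLV layout, the addresses are constructed sample values, and the DNS resolver is an injected stand-in so the code runs offline.

```python
"""Sun Ray server discovery hints: DHCP option 49 and the DNS fallback names.

Added example, not the 2N's firmware or Sun's code. It parses the options
area of a constructed DHCP reply (RFC 2132 TLV encoding), pulls out the
option 49 "X Window System Display Manager" address list the post mentions,
and falls back to the fixed DNS names sunray-config-servers / sunray-servers
when the lease carries no hint. The resolver is injected so the example runs
offline; all addresses below are constructed sample values.
"""
import ipaddress
from typing import Callable, Dict, List

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_X_DISPLAY_MANAGER = 49          # RFC 2132 section 8.9
SUNRAY_DNS_NAMES = ("sunray-config-servers", "sunray-servers")


def parse_dhcp_options(blob: bytes) -> Dict[int, bytes]:
    """Decode the options area of a DHCP message into {code: value}.

    Stops at END (255), skips PAD (0) and refuses truncated TLVs so a
    malformed or hostile reply cannot make the parser read past the buffer.
    """
    if not blob.startswith(DHCP_MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    options: Dict[int, bytes] = {}
    i = len(DHCP_MAGIC_COOKIE)
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        # RFC 2132 allows a long option to be split across repeats; concatenate.
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def display_manager_servers(options: Dict[int, bytes]) -> List[str]:
    """Return the IPv4 addresses in option 49, in server preference order."""
    raw = options.get(OPT_X_DISPLAY_MANAGER)
    if raw is None:
        return []
    if len(raw) == 0 or len(raw) % 4 != 0:
        raise ValueError("option 49 must be a non-empty list of IPv4 addresses")
    return [str(ipaddress.IPv4Address(raw[k : k + 4])) for k in range(0, len(raw), 4)]


Resolver = Callable[[str], List[str]]


def discover_servers(options: Dict[int, bytes], resolve: Resolver) -> Dict[str, object]:
    """Mirror the hint order the post describes: DHCP option 49, then the fixed
    DNS names, otherwise the client is left to its broadcast query."""
    hinted = display_manager_servers(options)
    if hinted:
        return {"source": "dhcp-option-49", "servers": hinted}
    for name in SUNRAY_DNS_NAMES:
        addrs = resolve(name)
        if addrs:
            return {"source": f"dns:{name}", "servers": addrs}
    return {"source": "broadcast", "servers": []}


def tlv(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


def build_options(*tlvs: bytes) -> bytes:
    """Assemble a constructed options area for demonstration only."""
    return DHCP_MAGIC_COOKIE + b"".join(tlvs) + bytes([OPT_END])


# Constructed sample leases: subnet mask, with and without two display manager addresses.
SAMPLE_WITH_HINT = build_options(
    tlv(1, bytes([255, 255, 255, 0])),
    tlv(OPT_X_DISPLAY_MANAGER, bytes([192, 0, 2, 10]) + bytes([192, 0, 2, 11])),
)
SAMPLE_WITHOUT_HINT = build_options(tlv(1, bytes([255, 255, 255, 0])))


def fake_resolver(name: str) -> List[str]:
    """Constructed stand-in for the local DNS server (no network access)."""
    return {"sunray-servers": ["192.0.2.20"]}.get(name, [])


if __name__ == "__main__":
    print(discover_servers(parse_dhcp_options(SAMPLE_WITH_HINT), fake_resolver))
    print(discover_servers(parse_dhcp_options(SAMPLE_WITHOUT_HINT), fake_resolver))
```

The length checks matter more than they look: a DHCP reply arrives unauthenticated over broadcast, and a client that trusts the length byte or accepts a ragged option 49 is one short step from reading past its buffer or hinting itself at a half-parsed address.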
Having connected, the screen is now a standard X display manager login. You log in. Simple! With a recognized smart card you can even skip this step entirely.
Like most other Sun Ray clients including the Tadpole M1400, hot keys to change settings are available, including while connected. These keys become live shortly after the machine starts. The main menu is accessed with Stop-M (on this keyboard that’s actually a three-finger salute of “yellow” Fn-Alt-M) and options are selected with the cursor keys.
The “manual” documents two hot keys, Stop-M for this menu and Stop-W to access wireless profiles, but actually most of the documented hot key combinations work, including Stop-V for displaying the unit’s firmware version. The menu isn’t particularly extensive, so here are the highlights.
The wireless profiles menu (directly accessible with Stop-W) offers three configurable profiles where the channel, SSID, authentication/encryption and key can be specified. In this case none are active because my internal network is wired-only.
Disappointingly, the entire security “menu” is one option, merely to set a password. Sheesh.
Under the status menu you can choose the radio status (spoiler alert: it’s not on) and the firmware version. This unit reports NWTC,KiboP8 3.1.1_2007.03.06.20.11 plus its MAC. I don’t have the exact history but “Kibo” appears to have been the Naturetech internal codename.
Prior to Sun Ray Software 5.2, firmware came in two flavours, the “non-GUI” version here with this minimal configuration menu and a “GUI” version with a more extensive menu allowing you to enter explicit parameters. Later on they were unified into a single firmware with the ability to enter the configuration menu controlled appropriately by the server. I’m aware of at least one later GUI version of the 2N firmware tagged NWTC,KiboP8,Jasper320 GUI4.0_48_2007.09.05.16.59, but I don’t have a copy of it.
The only other options control various tunables regarding the WiFi and screen blanking.
If you disconnect the zombie while it’s feeding, it complains with an error 23, as all zombies do.
While attempting to reconnect the 2N will also try sending the “any server out there” broadcast packet (27) over WiFi, though since this one isn’t configured with an SSID, there’s no one to hear it scream.
OK, fine, let’s log in.
On the Solaris 10 desktop with the version dialogue up to prove we’re here. From the Solaris side /opt/SUNWut/sbin/utquery -d IPADDRESS will tell you information about a connected client.
The 2N also works fine with kOpenRay, my very-occasionally-maintained updated fork of jOpenRay, an open-source Java reimplementation of ALP. Note that kOpenRay doesn’t currently know how to respond to broadcast requests, so since we can’t hardcode the address in the 2N’s settings, kOpenRay’s IP address is provided by the local DHCP server. The kOpenRay console shows the device identified itself as a NWTC,KiboP8,Jasper320 3.1.1_2007.03.06.20.11. Also note the MAC (used as an ID), namespace and actual screen resolution (but also the virtual resolution of 1280×1024).
Playing the default Tetpnc session. Incidentally, inserting a smart card worked and was recorded by kOpenRay.
Sadly, the Sun Ray 2N was the only laptop Sun Ray that Sun would ever call its own. It achieved some sales in Japan and was spotted at various trade shows, but other than local usage by Sun’s regional offices there was little market interest and Sun chose to quietly discontinue it.
For its part, Naturetech kept selling the device under its original Jasper 320 name and offered the design to other vendors, including the later Amber 808, Opal 608 (8.4″) and Opal 612 tablet versions. These were the only known Sun Ray tablets, featuring RFID and even biometric support. Fellow Taiwanese vendor Arima also planned to release the entire line as the Sunrise Ultra ThinPad and Solstice Ultra ThinTouch, though it’s not clear if any were actually sold. There was also a VPN-enabled version of the Jasper 320.
Accutech Ultrasystems, however, another Taiwanese computer manufacturer, saw the hardware as an opportunity not only to get into thin clients but also to use Sun Ray technology as a security surveillance solution.
Accutech took the basic Jasper board and significantly reworked it with custom firmware and a built-in hardware VPN module, selling it as the Gobi8 with HSDPA/UMTS support and the Gobi7 without. The Accutech Gobi laptops were themselves resold by British vendor Aimtec under the same name.
To a cursory glance the silver-clad Gobi and the 2N are almost indistinguishable other than the logos on each lid, but there are subtle differences in the external ports, and Accutech made significant changes to the hardware. That’s where the pwnage part comes in.
I haven’t had good luck with Gobis. Over time I’ve accumulated three, but only one of them still fully works; the other two spontaneously suffered hardware failures such that they won’t configure their network interfaces anymore. The newest one shown with the 2N is my sole completely functional example and was sent to me by a generous donor. On the other hand, that means I have no compunction about stripping down the defective ones to figure out how they work.
The silver Gobis are the original ones, sold as the Gobi7, though both of my units appear to have been subsequently upgraded to Gobi8 (installing the additional 3G support and updating the firmware), apparently at the factory since the barcode sticker reads Gobi8. The thrashed black unit perilously held together with binder clips is an actual Gobi8 and was a later unit. This one was my first Gobi and came to me busted up, so I hold myself innocent of its mistreatment, though it was mostly working at the time.
The keyboard is now regular English and no more Nihongo, sniffle.
Other than that, the most notable external differences between the 2N and the Gobis are a SIM card slot in the front next to the audio jacks and a CardBus PCMCIA module in the optical drive slot. These are all active though I don’t have anything that goes in them (and we don’t have 3G anymore in the United States).
If we pull out the 3G module, we’re already getting hints that Accutech did a bit more than a fresh coat of firmware paint. Next to the card cage we see two Realtek RTL8201CP 10/100 Ethernet PHYceivers and a PH249015G quad 4-port pulse transformer to connect them to twisted pair Ethernet signals. Under the cage are two Hynix HY57V281620FTP-6 SDRAMs, 16MB each to equal 32MB.
But flip it over and there’s another 32MB of RAM, plus 16MB of flash (Intel JS28F128), an ENE CB-1410QF PCI to CardBus bridge, and right in the middle — irony of ironies — an Intel XScale-based IXP425 Network Processor running at the lowest rated speed of 266MHz (PRIXP425ABB). This SoC supports UTOPIA 2 (for ATM networking), xDSL, 2x HSS (for mobile network authentication) and two Ethernet MACs, along with hardware support for SHA-1, MD5, DES, 3DES and AES. It has onboard controllers for a UART, SDRAM, USB and PCI. The Ethernet MACs no doubt connect to the PHYceivers on the other side. There are a whole bunch of obvious debug connectors here but I don’t know the pinout.
The internal differences are far more substantial. Accutech removed the fan vent and moved the ATI GPU closer to the CPU, but also added another 16MB SDRAM (to equal 32MB) next to the Au1550. Although several areas are now unpopulated, including the SO-DIMMesque slot for the 2N’s WiFi module, there are several more chips on the board — including two, count ’em, two Realtek RTL8305SC ICs. Each one of these is a single-chip, 5 port (!) 10/100 Ethernet switch controller, connected to a quad 4-port pulse transformer for twisted pair Ethernet (the YCL PH249015G chips), with the fifth port provided by the Pulse Electronics NS0013-NF single-port transformer. What the heck are these things doing?
Here is the entire logic board, which I dug out from my defective silver Gobi7. Note that while all the stickers say Gobi8, the board says Gobi7 too. In the first picture you can see the HD64F3437TF16 (H8/3437) smart card reader chip with yellow grease pencil slashed across it, a Hitachi H8/300 16-bit microcontroller with 60K of on-board flash and 2K of RAM. Roughly in the centre of the second picture is the Au1550’s system flash chip, a 4MB Spansion S29AL032D.
By the way, there was actually something in the hard disk bay too, with its own RTL8305SC and transformer. Labeled the VPN Board (“REV. 2.0”), the WiFi antenna terminals connect here, showing it also serves as the WiFi module. The whole thing physically connects to the main logic board using the 44-pin laptop IDE connector, which is also populated in the Gobis.
There’s a lot going on with this little board. Other than the Ethernet switch controller and pulse transformer, there’s 32MB of SDRAM (Hynix HY57V561620FTP-H) and 8MB of flash (the Spansion FL064AIF).
If we dig it out and pop the cage off, there’s one more chip, and it’s a doozy: an Atheros AR2316A. That’s a third SoC! It integrates a 2.4GHz radio, 802.11b/g MAC and baseband, 802.3 10/100 Ethernet MAC and MII interface, SDRAM and Flash controllers, UART — and a 180MHz MIPS R4000 core. At the very bottom (in this view) is another obvious set of UART headers, but I never got anything useful from the modules in the busted Gobis with my logic analyzer. Then again, that could be because those machines aren’t working, and I wonder if heat had something to do with it because this chip is very poorly ventilated. One other interesting thing to note is that I can only see traces from two of the RTL8305SC’s five ports going to the transformer. I guess they got a good enough deal on these to waste the other three.
The bottom line is, as we’ll demonstrate in the next few screenshots, this laptop isn’t just a MIPS laptop: it’s three apparently completely independent RISC systems with their own memory, flash and operating system on an internal Ethernet network. All those NIC and switch chips are the internal communication interfaces from the Au1550 to the IXP425 and the AR2316A, but using the IDE bus lines instead of actual twisted pair. That’s not what I was expecting to find in a Sun Ray!
It shouldn’t surprise you that the interface on this unit isn’t standard either. Let’s fire it up.
Initially it seems like the exact same firmware as the 2N, even basically the same shade of blue background, other than the Gobi logo. And then …
… the menu starts.
The Gobi firmware stores up to eight built-in profiles. This Gobi has three profiles set up in it normally: a “DHCP” profile that acts basically like the 2N did, fetching a lease and the display server addresses from the DHCP server; a hardcoded profile for kOpenRay; and then a third, more mysterious profile we’ll save for the end. You can (with a bit of kludginess, the interface is obnoxiously non-orthogonal) edit or overwrite them, and most people never used more than one anyhow. The Engrish command of the Taiwanese development team was imperfect and various odd typos and phrasings are scattered throughout the interface.
The setup menu lets you create a new profile, configure security options, display system firmware versions (or update them) and do a factory reset.
If you request the firmware versions, the core firmware on the Au1550 (here 4.0_VT035c) then queries both the 3G board (1.2.3.emobile.a) and the VPN board (2.1.0). This takes … time. The Au1550’s firmware can be updated from an appropriately configured Sun Ray server but the 3G and VPN firmware require a separate local TFTP server to download from (FTP is also supported by the VPN board, but not the 3G board). Again, this is because they’re actually separate systems that just happen to be crammed into the same case.
Also note the separate MACs for the “LAN” (the VPN board) and the Sun Ray itself, in addition to the WiFi, of course. We’ll see an extreme example of the internal communication network at work when we get to the final profile.
Our first profile essentially makes the Gobi act like a 2N: no local configuration, get a DHCP address, figure out servers for itself (either from DHCP hints or broadcast queries).
Notice the line in the configuration about “Use web authentication.” Those of you who remember our deep dive into the Sun Ray 3-based Tadpole M1400 will recall its own built-in login browser for public WiFi and the like (originally Links, and later WebKit). Just keep that in the back of your head for a few minutes.
In this mode, the ID comes up with the MAC of the Sun Ray 2 as expected, since we’re not obviously using the VPN (and if you do a quick arp -a on a connected system, you’ll see the Sun Ray 2 MAC). But that’s not the external Ethernet jack: this claims a full-duplex 100Mbit Ethernet connection when we’re connected to the very same 10Mbit half-duplex Ethernet segment I used for testing the 2N. What you’re actually seeing is the internal Ethernet connection between the three component systems, which is 100Mbit.
Connecting to the Solaris Sun Ray server.
And at the login prompt. The Gobi, oddly, doesn’t appear to support any hot keys except Props-F12 (yellow Fn-Ctrl-F12, the “moon” sleep key), which resets the unit — but only within the same profile. Similarly the watchdog timer just resets the currently running profile as well. The only way I could find to switch profiles was to powercycle the unit entirely.
So that’s what we’ll do and select our second profile. Like the first profile, this gets an address from a local DHCP server, but hardcodes the Sun Ray server address (you can also specify a firmware server address) instead of letting the client discover it from DNS or DHCP.
This seems like a minor, almost trivial change, but the Gobi handles this case rather differently.
Instead of going directly to establishing a connection, the Gobi does a long dance to obtain an address.
That’s because in this mode, it’s not the Sun Ray firmware that’s getting the address and connecting to the host. Instead, it’s the VPN board.
I’ve intentionally not suppressed this address to demonstrate to you that we’re now using a completely Gobi-internal IP address (192.168.100.2) on that big “IDE-Ethernet” switch, again at the false speed of 100Mbit, even though the Gobi is still plugged into the same 10Mbit half-duplex port. This IP address has no relationship to anything on my internal test network. In fact, this totally confuses SRSS on the Solaris server and it seemingly won’t talk to it.
In kOpenRay’s console we see what’s wrong: there are two addresses, the realIP (VPN-confabulatory) and remoteIP (actual). With the first profile these were the same; with this profile only one of them is actually valid. The UDP packets are correctly sent to SRSS, but it replies to the VPN-generated phony address, which won’t work (and isn’t what it got from the DHCP server), and thus the ALP connection is never established. Unless your local network is or allows this subnet, you may not be able to connect at all either.
kOpenRay does work with the Gobi VPN because I added code to reply to the remote IP it provides instead of the phony “real” one.
It’s my suspicion that the VPN board is involved even in the case of the first profile, given that a) the connection speed is wrong, b) the VPN boards are dead even via the UART ports and c) my dead Gobis power up and try to initialize their network connections, but fail, which should work if the Sun Ray firmware had a direct unimpeded path to the outside. If the VPN board dies, it seems like everything does. And it really does get stuffy in that hard disk bay.
Well, that’s enough preamble. It’s time to actually break something.
The final profile looks like the first profile, but with one change: this time, we’re going to use the built-in minibrowser for “web authentication.” Some of you are starting to smile in anticipation, because when there’s a browser, there’s often a hole. And there’s a hole, by golly.
The first odd part is that we go into the “long dance” to get an IP rather than the quick Sun Ray direct mechanism. And then a new window appears:
This is the mini-browser. Ignore the fact it can’t get to Snoracle’s website, as this segment isn’t allowed out onto the public Internet.
But we can surf Floodgap local resources from here, so let’s pull up the Floodgap main page.
It’s the right colours, more or less, but it’s all text and no special fonts or images.
If we press Escape for the menu as directed, we see a familiar set of options. Some of you know what browser this is already. Hint: the M1400 was using a related package.
No, you don’t get a clue from visiting the “Gobi7 homepage” (even though this is technically a Gobi8). Give up?
It’s ELinks! (And it’s a GPL violation!) More specifically, ELinks 0.11.3, which would be right for the timeframe of this firmware version.
The notion here is that you’d connect, do whatever login process you needed to do, and having done so then quit the browser and let the VPN board do the rest of its dance. Spoiler alert the second — we’re not going to let it get that far.
Two more things about the browser before we get stuck into it. First, here’s its user agent string: it’s running Linux 2.4.25. Naturally it reports the architecture as mips. But which one, the Au1550 or the AR2316A? I don’t think the Sun Ray 2 firmware is Linux-based! (The M1400 was.)
Second, TLS v1.0 is supported, but there is no certificate validation and no certificate store. This was really intended for public networks anyway, where you’d assume they were untrustworthy to begin with and presumably tunnel through them. There is no support for FTP or Gopher.
Anyway, enough messing around. Although there is at least one possibly useful buffer overflow in this version, we may have an even easier way to break it. The M1400’s installation of Links was properly chrooted by Tadpole, so let’s see if Accutech did the same. Will it let us look at file:///?
Oh no. Everything is busybox. But we can see that everything is busybox. Let’s look at /bin.
Oh noooo. Is it going to be this easy?
Let’s have a look at if it’s going to let me open /bin/sh …
… with /bin/sh.
It halted. However wait a second: is {that a} root immediate?
Oh sure.
Oh yessssss. It is that straightforward.
There is not any chroot in any respect. We’re into the working system. The Gobi is pwned.
The primary order of enterprise is to see what’s working. Among the many varied kernel duties and a pair self-explanatory processes, ps -ef tells us there is a Telnet daemon (!), a getty listening on what’s most certainly the serial UART at 115200bps (so this could positively reply there if I ever want to check it), ELinks, our shell course of, and a pair cases of a program known as icosconfig. A kind of was the job that stopped once we pulled the confused deputy gag on ELinks.
This can be a Busybox shell, and clearly an previous Busybox at that, however we are able to see from the surroundings variables that our dad or mum course of was the Telnet daemon (additionally Busybox), so this connection came to visit Telnet. One other bizarre factor is that our person ID is admin, not root. Let’s take a look on the password file.
Regardless of at the least one account claiming to be within the shadow file (pcap), there isn’t a /and so on/shadow, so all the pieces is definitely right here. There are 4 person IDs, one being no one, one named pcap (presumably for packet seize) that is successfully disabled, the admin account we’re logged in as that is apparently a root clone, and root, which can be disabled. Solely admin has a password.
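A defender’s check for exactly the conditions just described, written as an added example (not code from the post or from the device): it parses a BusyBox-style /etc/passwd with no shadow file and flags UID-0 clones of root, password-less logins, entries that point at a shadow file that isn’t there, and locked accounts. The sample file, including the hash placeholder, is constructed to mirror the post’s description rather than taken from the Gobi.

```python
"""Audit a BusyBox-style /etc/passwd on a system with no /etc/shadow.

Added example; the sample below is constructed to match the post's
findings (nobody, pcap, admin, root) and the hash is a placeholder.
"""

# Constructed sample, not a dump from the device.
SAMPLE_PASSWD = """\
root:*:0:0:root:/root:/bin/sh
admin:PLACEHOLDER_HASH:0:0:admin:/root:/bin/sh
pcap:x:100:100:pcap:/:/bin/false
nobody:*:65534:65534:nobody:/:/bin/false
"""

LOCKED = {"*", "!", "!!"}   # conventional markers for a disabled password


def parse_passwd(text):
    """Return one dict per passwd line; reject malformed lines loudly."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid),
                        "gid": int(gid), "home": home, "shell": shell})
    return entries


def audit_passwd(text, shadow_present=False):
    """Return a sorted list of (account, finding) tuples.

    shadow_present=False models the Gobi: an 'x' password field then
    refers to a shadow entry that does not exist, so that account can
    never log in; an empty field, by contrast, logs in with no password.
    """
    findings = []
    for e in parse_passwd(text):
        name, pw = e["name"], e["pw"]
        if e["uid"] == 0 and name != "root":
            findings.append((name, "uid-0 clone of root"))
        if pw == "":
            findings.append((name, "empty password: logs in without one"))
        elif pw == "x" and not shadow_present:
            findings.append((name, "refers to /etc/shadow but no shadow file exists"))
        elif pw in LOCKED:
            findings.append((name, "locked (no usable password)"))
        elif pw != "x" and e["uid"] == 0:
            findings.append((name, "uid-0 account whose hash sits in world-readable passwd"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{account:8s} {finding}")
```

Run it against a real passwd file by passing its contents to audit_passwd; pass shadow_present=True on systems that actually have /etc/shadow so that 'x' entries are not reported.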
But we can enable root, and Telnet is already listening, so let’s get a session up where we can cut and paste and capture things instead of making another thousand screenshots. (Important note! If you’re following along on your own Gobi, DON’T change the password file for this, because there’s an easier way. But I had to do it myself to find out.) With the root password set to blank, let’s log i…huh?
% telnet ██████████
Trying...
Connected to ██████████.
Escape character is '^]'.

(none) login: root
Cedar>
That is … not a root prompt.
Cedar>ls
Error: ls - invalid command
Cedar>help
enable
exit
help
ping
quit
show
?
Cedar>show
Usage: show <options>
<options>:
arp
auth ...
config ...
filter
interface ...
ip ...
ipsec ...
memory
radio ...
snmp
sntp
ssh
status
syslog
system ...
telnet
vlan ...
web
wireless ...
wlan ...
wds ...
Cedar>show system
Model: Cedar 860AG
Firmware Version: 2.1.0
Firmware Build Time: Thu Nov 8 20:41:49 PST 2007
System Name: (none)
Login Name: root
Session Timeout: 10 min
System Time: 01/01/2000, 00:16:24
System Uptime: 0 days 0 hours 16 minutes 24 secs
Clearly we have some more corners of this system to explore (and we just found another GPL violation, probably, in what Accutech did to Busybox). But right now I’d just like a proper shell (and the Accutech terminal doesn’t seem to handle CTRL-C right either), so let’s put telnetd on another port and ensure we get a shell. telnetd -p 2323 -l /bin/sh should do nicely.
We’ll now switch over to a terminal session from my desktop Linux machine. But before we do:
The Cedar 860AG is, as defined by its manufacturer Intelicis, an enterprise access point with Ethernet and WiFi. This is no doubt what the Sun Ray firmware is using to configure its network settings during the “long dance,” and if it loses connection to it, we’ve demonstrated it will likely be unable to connect to anything. That means a wrong move will brick this machine, especially since we’re root and logged into the firmware, and there’s no guarantee you can fix it from the UART. If you have one of these and you’re following along, you deviate from this demonstration at your own risk. I’m not responsible for you wrecking your rare Sun Ray laptop.
First thing: who are we actually talking to? The Cedar 860AG mentions Atheros in its datasheet, so I have a good idea it’s not the Au1550, and since there’s a functioning /proc, /proc/cpuinfo confirms it:
# ls /
bin         home        lost+found  root        usr
dev         lib         mnt         sbin        var
etc         linuxrc     proc        tmp
# cat /proc/cpuinfo
system type             : Atheros AR5315
processor               : 0
cpu model               : unknown V6.4
BogoMIPS                : 183.50
wait instruction        : no
microsecond timers      : yes
tlb_entries             : 16
extra interrupt vector  : yes
hardware watchpoint     : no
VCED exceptions         : not available
VCEI exceptions         : not available
Interestingly it’s detected as an “Atheros AR5315,” but that’s part of the same MIPS family. The architecture is well known to OpenWrt as quite a few routers use it, so add this little hidden one to the list.
The fun part about it being an independent system is that even when the Au1550’s Sun Ray firmware watchdog fires and the machine tries to reset, apparently the AR2316A locks it out while it’s active. The console and framebuffer become inoperative until the machine is powercycled, but we remain logged in as long as we’re connected remotely. Which leads to another question: who’s the master processor in this laptop really?
# dmesg
# cat /proc/cmdline
console=ttyS0,115200 root=mtdblock2 mem=32M rw
# cat /proc/meminfo
        total:    used:    free:  shared: buffers:  cached:
Mem:  30789632 10969088 19820544        0        0  4980736
Swap:        0        0        0
MemTotal:        30068 kB
MemFree:         19356 kB
MemShared:           0 kB
Buffers:             0 kB
Cached:           4864 kB
SwapCached:          0 kB
Active:           1564 kB
Inactive:         5328 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:        30068 kB
LowFree:         19356 kB
SwapTotal:           0 kB
SwapFree:            0 kB
# cat /proc/swaps
Filename                        Type            Size    Used    Priority
No surprise: we saw a 32MB SDRAM chip, and that’s what it has. There’s nothing in dmesg, but the kernel command line demonstrates the root filesystem is flash via MTD. That’s undoubtedly the flash chip we saw.
# ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:19:25:f1:c8:7d brd ff:ff:ff:ff:ff:ff
3: wifi0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast qlen 199
    link/ether 00:19:25:f1:c8:7c brd ff:ff:ff:ff:ff:ff
4: sta0: <BROADCAST,MULTICAST> mtu 1500 qdisc noqueue
    link/ether 00:19:25:f1:c8:7c brd ff:ff:ff:ff:ff:ff
5: wan: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether 00:19:25:f1:c8:7d brd ff:ff:ff:ff:ff:ff
    inet ██████████/██ brd ██████████ scope global wan
6: lan: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether 00:19:25:f1:c8:7d brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.1/24 brd 192.168.100.255 scope global lan
    inet 192.168.11.1/24 brd 192.168.11.255 scope global lan:1
7: eth0.0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc noqueue
    link/ether 00:19:25:f1:c8:7d brd ff:ff:ff:ff:ff:ff
8: eth0.2: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc noqueue
    link/ether 00:19:25:f1:c8:7d brd ff:ff:ff:ff:ff:ff
# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:2323                  *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 ██████████:2323         ██████████:39326        ESTABLISHED
tcp        0      0 192.168.11.1:telnet     192.168.11.5:50889      ESTABLISHED
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     1426   /tmp/socket0
unix  3      [ ]         DGRAM                    21     /dev/log
unix  3      [ ]         STREAM     CONNECTED     1391
unix  3      [ ]         STREAM     CONNECTED     1390
unix  2      [ ]         DGRAM                    633
The output here is almost proof positive that the VPN board fully controls the Ethernet jack. The only interface with the “external” (i.e., my internal test network) address is wan, and that MAC is the VPN board’s (scroll back up for proof). What’s interesting is that the same MAC is used for the internal Ethernet interconnect, and there’s a second network, 192.168.11.*, to go with 192.168.100.*. Our stalled-out console connection is over that network, even though the VPN board appears to be listening on all interfaces and clearly responds on them.
I did a little test at this point just to see how wide open a barn door we had, but (to my relief and simultaneous vague disappointment) nothing responded to Telnet with the other two profiles. It looks like the hole only opens when the Accutech console browser does.
Let’s bring the shell back up. What else answers on the internal network? We’ll start with where the original Telnet connection originates from, but 192.168.11.5 doesn’t respond on Telnet.
# telnet 192.168.11.5
telnet: Unable to connect to remote host (192.168.11.5): Connection refused
But after repeatedly checking numbers in that subnet, we find that 192.168.11.2 responds to pings. Does it talk to us?
# telnet 192.168.11.2
Entering character mode
Escape character is '^]'.

3g login: root
Password:
Login incorrect
3g login: admin
Welcome to ICOS version 8.0
Copyright (c) 2004-2007, Intelicis Corporation
All rights reserved
Cedar>
We just found the IPX425 on the 3G board! And there’s no password on the admin account! It looks like it’s running the same sort of embedded router operating system, because we have a Cedar prompt. It calls itself “ICOS.”
Cedar>show system
Model: Cedar 860AG
Firmware Version: 1.2.3.emobile.a
Firmware Build Time: Mon Oct 15 15:23:02 PDT 2007
System Name: 3g
Login Name: admin
Session Timeout: 10 min
System Time: 01/01/1970, 00:07:35
System Uptime: 0 days 0 hours 19 minutes 35 secs
Cedar>show config
# Common Wireless Setting
# WLAN Intelicis-a
wlan add Intelicis-a
wlan Intelicis-a ssid Intelicis-a
# WLAN Intelicis-g
wlan add Intelicis-g
wlan Intelicis-g ssid Intelicis-g
# Serial port 1 configuration
# Radio 1 configuration
radio 1 freq a
radio 1 auto_channel_list 36,149
radio 1 basic_rates 6,12,24
radio 1 supported_rates 6,9,12,18,24,36,48,54
radio 1 wlanadd Intelicis-a
# Radio 2 configuration
radio 2 freq bg
radio 2 auto_channel_list 1,6,11
radio 2 basic_rates 1,2,5.5,11
radio 2 supported_rates 1,2,5.5,11,6,9,12,18,24,36,48,54
radio 2 wlanadd Intelicis-g
Error: No /tmp/icos/bridge directory existed
# Network Protocol Configuration
Cedar>quit
Connection closed by foreign host.
It’s a bit of a surprise to see this XScale core also identify itself as a Cedar 860AG. That said, the behaviour is a bit different from the Cedar prompt we got on the Atheros; it’s quite possibly an earlier release of the software despite the later build date. It also looks like there’s an embedded Linux or Unix under this too, based on that error message referencing a missing /tmp/icos/bridge, but getting into it will probably require figuring out where the UART is. A project for another day.
From this we can reasonably conclude that 192.168.11.* is the internal “Ethernet-over-IDE” network, with .2 being the 3G board, .5 being the Au1550, and .1 being this, the VPN board (again: who’s actually the main CPU?). Nothing seemed to answer on the 192.168.100.* network, so let’s get back to the VPN board and this time dig around in the filesystem.
# df -k
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/mtdblock2            6976      5304      1672  76% /
# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00030000 00010000 "RedBoot"
mtd1: 000e0000 00010000 "ICOS"
mtd2: 006d0000 00010000 "rootfs"
mtd3: 00010000 00010000 "RedBootCfg"
mtd4: 00010000 00010000 "AtherosCfg"
Aha, the boot loader is RedBoot! That’s what Dusted-off Dreamcast Linux uses. With the rickety nature of this setup I’m concerned about dumping the individual partitions to the filesystem to exfiltrate them for analysis, but the firmware images I was provided by a kind soul seem compressed with a method that neither I nor binwalk have figured out yet, so we might be able to get them off another way. While we think about that, let’s look at some of the other binaries we saw running.
# busybox
BusyBox v1.00 (2007.11.01-21:12+0000) multi-call binary

Usage: busybox [function] [arguments]...
   or: [function] [arguments]...

	BusyBox is a multi-call binary that combines many common Unix
	utilities into a single executable.  Most people will create a
	link to busybox for each function they wish to use, and BusyBox
	will act like whatever it was invoked as.

Currently defined functions:
	[, ash, awk, busybox, cat, chgrp, chmod, chown, chroot, cp, cut, date,
	dd, df, dirname, dmesg, echo, egrep, expr, false, ftpget, ftpput, getty,
	grep, gunzip, gzip, halt, head, hostname, httpd, id, ifconfig, ifdown,
	ifup, inetd, init, insmod, iproute, kill, killall, klogd, linuxrc, ln,
	logger, login, ls, lsmod, md5sum, mkdir, mknod, modprobe, mount, mv,
	netstat, od, passwd, ping, printf, ps, pwd, reboot, rm, rmmod, route,
	run-parts, sdiff, sed, sh, sleep, sort, start-stop-daemon, swapoff,
	swapon, sync, sysctl, syslogd, tail, tar, telnet, telnetd, test, tftp,
	top, touch, tr, traceroute, true, tty, udhcpc, udhcpd, umount, uname,
	uptime, usleep, vconfig, vi, wc, which, whoami, zcat

# which icosconfig
/usr/sbin/icosconfig
# icosconfig
Error: Missing argument
Usage: icosconfig save <module name>
I FTPed both files to my Linux desktop. file says they’re an ELF 32-bit MSB executable, MIPS, MIPS32 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped. Combine uClibc (/lib/libuClibc-0.9.27.so) with the fact everything is busybox and we’re actually looking at a uClinux system here. Cool.
icosconfig appears to be some sort of all-singing, all-dancing configurator like a proto-systemd, but worse, because it’s even hackier. Shell commands appear liberally in the output of strings like
brctl addbr lan; ifconfig lan up; ifconfig eth0 up
brctl addbr lan; ifconfig lan up; ifconfig eth0 up; brctl addif lan eth0
brctl addbr vlan%d; ifconfig vlan%d up; vconfig add eth0 %d; ifconfig eth0.%d up
brctl addbr vlan%d; ifconfig vlan%d up; vconfig add eth0 %d; ifconfig eth0.%d up
ps -ef | grep "/sbin/dhcpcd-bin -Y -N %s " | grep -v grep 1>/dev/null 2>&1
route del default 1>/dev/null 2>&1 ; route add default gw %s dev %s 1>/dev/null 2>&1
grep -v "add -net 0.0.0.0 netmask 0.0.0.0 gw %s" %s/routecurr.conf > %s/routecurr.tmp; mv -f %s/routecurr.tmp %s/routecurr.conf
echo "add -net 0.0.0.0 netmask 0.0.0.0 gw %s dev %s" >> %s/routecurr.conf
It also contained the error message string we got when we were connected to the Cedar configuration prompt (and it contains the string Cedar), so it seems like Busybox login is hardcoded to call it by default. To prove this:
# login "-?"
login: illegal option -- ?
BusyBox v1.00 (2007.11.01-21:12+0000) multi-call binary

Usage: login [OPTION]... [username] [ENV=VAR ...]

Begin a new session on the system

Options:
	-f	Do not authenticate (user already authenticated)
	-h	Name of the remote host for this login.
	-p	Preserve environment.

# login -f admin
Cedar>show config
Usage: show config <options>
<options>: all|startup|running|<config file name>
Cedar>show config all
Cedar>show config running
# IPSEC setting
ipsec off
ipsec autodial off
ipsec connect off
ipsec eazyvpn off
ipsec nat_traversal on
ipsec aggr_mode off
ipsec pfs off
ipsec replay_protect off
ipsec encryption 3des
ipsec hash md5
ipsec psk
ipsec remote_ip
ipsec remote_subnet
ipsec remote_dhcp
ipsec group_name
ipsec group_key
ipsec xauth_user
ipsec xauth_password
ipsec dns
ipsec sunray
ipsec firmware
ipsec mtu 1356
# Interface setting
interface lan on
interface lan ip 0 addr 192.168.100.1 netmask 255.255.255.0 mode static
interface lan ip 1 addr 192.168.11.1 netmask 255.255.255.0 mode static
interface wan on
interface wan ip 0 addr 0.0.0.0 netmask 0.0.0.0 mode dhcp
interface sta0 off
interface sta0 ip 0 addr 0.0.0.0 netmask 0.0.0.0 mode dhcp
# WLAN Intelicis-g
wlan add Intelicis-g
wlan Intelicis-g ssid Intelicis-g
# Radio 1 (5GHz) configuration
radio 1 freq bg
radio 1 basic_rates 1,2,5.5,11
radio 1 supported_rates 1,2,5.5,11,6,9,12,18,24,36,48,54
radio 1 wlanadd Intelicis-g
# Network Protocol Configuration
Cedar>quit
#
Mostly the configuration confirms what we saw from ip addr. It’s interesting that show config all didn’t actually show any config at, um, all.
To confirm icosconfig was the source of the prompt, I looked at the output of ps -ef from the shell on port 2323, then did login -f admin from the console and looked at ps -ef again. The new process was icosconfig shell, so:
# icosconfig shell
Cedar>
Now that we can access the Cedar prompt without having to log in over Telnet, at this point I went ahead and undid the change I made to root in /etc/passwd on the off chance it comes back to bite us later. That’s why you don’t need to do that yourself if you’re following in my footsteps, as by this point we’ve found how to run it directly.
After all that, though, what was the password for the VPN board’s admin account? When I first wrote this, I censored the hash in that screenshot because I figured that Accutech would have changed it to something random and embedded that in their binary. Indeed, letting John the Ripper at it on my 64-thread POWER9 Raptor Talos II for 72 hours didn’t turn up anything obvious. Then I found the manual for the Cedar 860AG and the default username and password, which are admin and (no joke) changeitnow. Well, guess what worked on the first try, including for the Cedar prompt’s enable command for more privileges? And on the IPX425 3G board as well? You don’t even need to crack the hash now. I mean, this thing just gets better and better the more I play with it.
Anyway, back to the filesystem. Exploration of ls -lR / reveals many paths containing icos. ICOS looks like Intelicis’ embedded baseline operating system, which Accutech then customized as necessary for the 3G and VPN boards. Most of what’s here are text configuration files like this one (I’m not sure if the enterprise number is supposed to be confidential, so I’ve suppressed it):
# cat /etc/icos/system/info
#Base template for system module to dynamically generate
#proprietary snmpd config file upon initialization
#
#Enterprise number of Intelicis Corp. is ████
prompt=Cedar
enable_prompt=Cedar
model=Cedar 860AG
enterprise=████
syslocation=Intelicis Corporation
syscontact=support@intelicis.com
For obvious reasons, I won’t mess with these configuration files; we’ll stick to the commands exposed to us at the Cedar prompt.
Looking around some more, a fair amount of data was unpacked to /tmp for reasons unclear to me, since /tmp is just part of the filesystem rather than in-memory. Fortunately some of these files have unusual dates, suggesting that they were simply left there rather than the flash being overwritten with new copies each time the VPN board starts (whew, that would be really bad).
# ls -l /tmp
-rwxr--r--    1 root     root         1354 Jan  1 00:00 elinks.conf
drwxr-xr-x    1 root     root            0 Jan  1 00:00 etc
-rw-r--r--    1 root     root           21 Jan  1 00:00 eth0.out
drwxr-xr-x    1 root     root            0 Jan  1 00:00 icos
drwxr-xr-x    1 root     root            0 Dec  9  2006 icosscripts
drwxr-xr-x    1 root     root            0 Jan  1 00:00 lib
drwxr-xr-x    1 root     root            0 Jan  1 00:00 lock
drwxr-xr-x    1 root     root            0 Jan  1 00:00 run
srw-------    1 root     root            0 Jan  1 00:01 socket0
-rw-r--r--    1 root     root           21 Jan  1 00:00 sta0.out
drwxr-xr-x    1 root     root            0 Jan  1 00:00 tmp
# ls -ldt /tmp
drwxrwxrwx    1 root     root            0 Jan  1 00:00 /tmp
Most of the elinks.conf file is comments. There are only a couple of terminal options set and nothing else. When does the fail stop, exactly? Can I get off this fail bus?
There are also stub shell scripts in /usr/local/lib/ipsec/mips-uclibc/bin for mips-uclibc-gcc and others, but the actual compilers are not present, so these files just take up space, like the other pieces of ICOS that aren’t actually used.
The overall impression is that Accutech simply threw ICOS on the flash and did the minimum to make it work. In particular, I suspect icosconfig is basically as shipped; I don’t think Accutech wrote it. Admittedly you probably wouldn’t be motivated to clean the house either if you didn’t think you’d get any uninvited guests.
Our last mystery is to figure out where the kernel is. We’ll start by trying to get the RedBootCfg partition and see what it loads.
# dd bs=512 count=128 if=/dev/mtd3 | od -x
0000000 5265 6442 6f6f 7400 0000 0000 0000 0000
0000020 a800 0000 a800 0000 0003 0000 0000 0000
0000040 0003 0000 0000 0000 0000 0000 0000 0000
0000060 0000 0000 0000 0000 0000 0000 0000 0000
*
0000360 0000 0000 0000 0000 0000 0000 c69f f81b
0000400 5265 6442 6f6f 7420 636f 6e66 6967 0000
0000420 a87e f000 a87e f000 0000 1000 0000 0000
0000440 0000 0000 0000 0000 0000 0000 0000 0000
*
[...]
*
0177760 0000 0000 0000 0000 dead dead a06c e27e
0200000
I cut and pasted the output as input to this Perl script on my workstation:
#!/usr/bin/perl
# Turn pasted "od -x" output back into the raw partition image.
# dd's status lines ("128+0 records in") are skipped. A lone "*" means
# od suppressed a run of lines identical to the previous one; on this
# dump the repeated line was all zeros, so the gap up to the next
# printed offset is padded with NUL bytes.
$pos = 0;
select(STDOUT); $|++;
while (<>) {
    chomp;
    next if (/\+/);                          # skip dd output
    if (/^\*\s*$/) { $star = 1; next; }      # remember a suppressed run
    @h = ();
    ($oc, $h[0], $h[1], $h[2], $h[3], $h[4], $h[5], $h[6], $h[7], $x) = split(/\s+/, $_);
    next if length($x);                      # more than 8 words: not an od line
    $hex = join('', @h);                     # eight 16-bit words as a hex string
    $npos = oct($oc);                        # od prints offsets in octal
    if ($star) {
        print STDOUT "\0" x ($npos - $pos);  # fill the suppressed run with zeros
        $star = 0;
    }
    print STDOUT pack("H*", $hex);
    $pos = $npos + length($hex) / 2;
}
This yielded a 64K binary, exactly the size of the partition, so I figured it likely transferred correctly, but it wasn’t very helpful:
% strings mtd3
RedBoot
RedBoot config
FIS directory
kernel
rootfs
boot_script
boot_script_data
boot_script
fis load -d -b 0x80040000 kernel
go 0x80040000
boot_script_timeout
boot_script
bootp
bootp_my_gateway_ip
bootp
bootp_my_ip
bootp
bootp_my_ip_mask
bootp
bootp_server_ip
console_baud_rate
gdb_port
info_console_force
info_console_number
info_console_force
net_debug
Next I exfiltrated the ICOS partition. This seemed rather larger and was a good guess.
% file mtd1
mtd1: gzip compressed data, last modified: Fri Nov 9 04:44:12 2007, from Unix, original size modulo 2^32 0
% gunzip -c < mtd1 > gobi.kernel
gzip: stdin: decompression OK, trailing garbage ignored
% strings gobi.kernel | grep Linux
Linux version 2.4.25 (jiant@develop) ( /opt/devicescape/toolchains/mips-linux/bin/../libexec/gcc/mips-linux/3.4.1/collect2 --eh-frame-hdr -EB -dynamic-linker /lib/ld.so.1 -L/opt/devicescape/toolchains/mips-linux/mips-linux-uclibc/lib -L/opt/devicescape/toolchains/mips-linux/mips-linux-uclibc/lib -L/opt/devicescape/toolchains/mips-linux/bin/../lib/gcc/mips-linux/3.4.1 -L/opt/devicescape/toolchains/mips-linux/bin/../lib/gcc -L/opt/devicescape/toolchains/mips-linux/bin/../lib/gcc/mips-linux/3.4.1/../../../../mips-linux/lib -L/opt/devicescape/toolchains/mips-linux/bin/../lib/gcc/mips-linux/3.4.1/../../.. --dynamic-linker /lib/ld-uClibc.so.0 -rpath-link /opt/devicescape/toolchains/mips-linux/mips-linux-uclibc/lib /opt/devicescape/toolchains/mips-linux/mips-linux-uclibc/lib/crti.o /opt/devicescape/toolchains/mips-linux/mips-linux-uclibc/lib/crtbegin.o /opt/devicescape/toolchains/mips-linux/mips-linux-uclibc/lib/crt1.o -lgcc -lgcc_eh -lc -lgcc -lgcc_eh /opt/devicescape/toolchains/mips-linux/mips-linux-uclibc/lib/crtend.o /opt/devicescape/toolchains/mips-linux/mips-linux-uclibc/lib/crtn.o) #422 Thu Nov 8 20:41:49 PST 2007
[...]
Looks like we got it; the entire partition is the kernel, which in retrospect I should have immediately suspected from the name. I can’t tell if this was something Accutech or Intelicis built, but I’ll lay good odds it was the latter.
That’s enough messing around. Now that we’re in it, what can we do with it? I’d love a way to open a client socket other than Telnet, for one thing, but it doesn’t look easily doable. The Busybox version here lacks a number of core applets like netcat/nc and its shell doesn’t understand /dev/tcp, and of the other non-Busybox executable files present none seem to offer such functionality. Creating a cross-compiler setup for a kernel this old (and matching the included uClibc) is likely to be a challenge. I did find some precompiled big-endian MIPS binaries of things like netcat and socat, but they were either for later versions of Linux or later CPUs, neither of which worked here.
But this Busybox does have awk, so at least we have some sort of scripting language better than the shell, and we do certainly have elinks, which got us this far in the first place. We can do a lot with awk and an HTTP client. Maybe I’ll try my hand at writing a MIPS ELF binary in a hex editor that does netcat in assembly language with syscalls. That sounds like a great future entry …
The Gobis are in my humble opinion the most spectacular of the Sun Ray laptops for these nearly fatal idiosyncrasies, but while they were probably the Sun Ray 2 laptop produced in the largest numbers, no MIPS Sun Ray laptop is very common and none sold in quantity. Both Accutech and Naturetech closed up shop shortly after. Post-Oracle, the 2011 Sun Ray 3 series made the 64-bit jump with the MIPS64 RMI (later Broadcom) XLS104, an SMT-4 750MHz CPU on a 90nm process, but although the core design remained very similar, power consumption ranged from a typical 14W to as high as 36W.
No laptop Sun Ray 3 was ever produced. While the power requirement was a partial explanation, the biggest reason was simply that laptop Sun Rays were replaced … by laptops. The 2008 Tadpole M1400 we explored previously and its relatives were the last Sun Ray mobile systems, with the firmware newly ported to run on off-the-shelf Linux-based x86 hardware instead of MIPS. The way forward was thus obvious. Sun released a pure-software client in 2009, the Sun Desktop Access Client, which ran on Windows and later on Mac. With improved central management tools, the advantages of a firmware-locked purpose-built Sun Ray mobile system were outweighed by the cost and flexibility advantages of deploying locked-down commodity laptops instead. Oracle rebranded the Desktop Access Client as the Oracle Virtual Desktop Client before discontinuing the entire technology in 2014.
In the meantime, it turns out I had “another” MIPS Linux system inside my MIPS Sun Ray laptop all along and got to spend a nice few days breaking into it. The 2N is a lot safer to use but a lot less interesting to work with, even if the Gobi is interesting for all the wrong reasons: a unique but ramshackle multisystem architecture prone to failure, gaping holes that could have been trivially mitigated, and the indefensible internal use of default passwords. In fact, the Gobis’ critical dependence on the VPN board for connectivity cannot help but lead me to conclude that the AR2316A is the real central processor, and the Au1550 is just its front end. Only their rarity and the non-standard configuration required for penetration prevented these machines from being the stuff of hacker legend during their era. Like IoT, the S in “embedded” is apparently for security too.