hacking consumer devices for fun and profit
play

Hacking Consumer Devices for Fun and Profit An Insider's View of - PowerPoint PPT Presentation

Hacking Consumer Devices for Fun and Profit An Insider's View of the NSLU2-Linux Open-Source Project Rod Whitby <rod@whitby.id.au> NSLU2-Linux Project Lead Hacking Consumer Devices for Fun and Profit 5. Official Kernel Support 1.


  1. Hacking Consumer Devices for Fun and Profit An Insider's View of the NSLU2-Linux Open-Source Project Rod Whitby <rod@whitby.id.au> NSLU2-Linux Project Lead

  2. Hacking Consumer Devices for Fun and Profit 5. Official Kernel Support 1. The Linksys NSLU2 NSLU2, NAS100D, Loft, … � Hardware Specs � 6. Official Debian Support Linksys Firmware � Debian Etch Loves The Slug RedBoot Bootloader � � 7. The Fun 2. Unslung Firmware NSLU2-Linux Exhibitions � Project Inception � NSLU2-Linux Community � Unslung 1.x � NSLU2-Linux Development � Unslung 2.x to 5.x � Project Infrastructure � Unslung 6.x � 8. The Profit 3. Optware Packages How to Make a Small Fortune � NSLU2, WL500g, … � Donations for Hardware � Distributed Development � 9. The Future 4. SlugOS Firmware What to do next � OpenSlug, “DebianSlug” � 10 Feb 2007 Hacking Consumer Devices for Fun and Profit 2 Rod Whitby <rod@whitby.id.au>

  3. The Linksys NSLU2 - Hardware Specs Network Attached Storage (NAS) � Consumer Device 27.5mm x 135mm x 96mm � 5V DC, Maximum 2 Amps � Intel XScale IXP420 � Big-endian ARM � 133MHz (under-clocked) � 10/100 Ethernet � 2 x USB 2.0 Host Ports � 32 MB RAM � 8 MB Flash � Serial, JTAG, I2C, … � NSLU2 -> NSLUG -> “Slug” � 10 Feb 2007 Hacking Consumer Devices for Fun and Profit 3 Rod Whitby <rod@whitby.id.au>

  4. The Linksys NSLU2 - Stock Linksys Firmware Designed to be a stand-alone Samba � server for attached USB hard disks. Ext3 filesystem with 3 partitions � Must be formatted on the device � Linux 2.4.22 Kernel � Major modifications to the � USB and SCSI subsystems Snapgear-based root filesystem � busybox, samba, thttpd, etc. � Linksys binary-only utilities � Set_Led, USB_Detect, Watchdog, � CheckPowerButton, CheckResetButton Source code available for kernel and root � filesystem, but not for Linksys binaries 10 Feb 2007 Hacking Consumer Devices for Fun and Profit 4 Rod Whitby <rod@whitby.id.au>

  5. The Linksys NSLU2 - RedBoot Bootloader Loads kernel and initial ramdisk into memory, then executes kernel. � Kernel size is limited to 1MB � Ramdisk size is set at 10MB (can extend to 12MB if required) � MAC address for internal ethernet interface stored alongside Redboot � Significant modifications by Linksys � Addition of “move”, “boot”, and “upgrade” commands � Removal of FIS directory functions � Not intended to be user-accessible � … unless you solder on a connector for a serial port � Linksys left in a telnet 2 second window of opportunity � Upgrade mode is another exploit mechanism � “Good enough” for our purposes, so left alone. � 10 Feb 2007 Hacking Consumer Devices for Fun and Profit 5 Rod Whitby <rod@whitby.id.au>

  6. Unslung Firmware - Project Inception 12 July 2004 18 Aug 2004 Jim Buzbee finds the Telnet exploit. Slug sacrificed to find JTAG traces. � � 31 July 2004 Jim’s journal page is slashdotted, and � the mailing list feels the effect. nslu2-linux mailing list is created. � 19 Aug 2004 5 Aug 2004 nslu2-linux.org domain registered. � Tom’s Hardware article published. � 22 Aug 2004 Mailing list has 13 members. � nslu2-general mailing list created. � 10 Aug 2004 24 Aug 2004 First successfully modified image. � First boot from external hard disk. � 11 Aug 2004 Serial port mod published. � Serial port and Redboot TFTP. � 25 Aug 2005 “Unslung” concept based on /linuxrc. � Linksys releases kernel source. � Jim’s journal links to the mailing list. � 30 Aug 2005 15 Aug 2004 RedBoot telnet access found. � iTunes server ported. � RedBoot upgrade mode found. � 16 Aug 2004 31 Aug 2005 Busybox, dropbear and wget ported. � 700 members and 1000 list emails. � Donations requested ($240 on first day). � 13 Sep 2005 17 Aug 2004 Wiki installed at www.nslu2-linux.org � Rod’s NSLU2 arrives in the post. � 10 Feb 2007 Hacking Consumer Devices for Fun and Profit 6 Rod Whitby <rod@whitby.id.au>

  7. Unslung Firmware - Unslung 1.x Designed to be a minimal-changes firmware replacement � Retains all of the standard NSLU2 product functionality unchanged � Adds the capability to load the root filesystem from external storage � and download and install packages onto that external storage to be used alongside the standard product functionality. Also defines the package format for downloadable packages. � Unslung 1.7-alpha source code was released on 3 Sep 2004. � The goal was to free up 10MB of RAM by pivoting from an initial � “switchbox” ramdisk to JFFS2 or an external disk or NFS root filesystem. Built from a Makefile in a SourceForge CVS repository. � Used a binary sed to modify the Linksys kernel. � Unslung 1.11-beta binary image was released on 14 Sep 2004. � There were well over 1000 downloads of Unslung 1.x � 10 Feb 2007 Hacking Consumer Devices for Fun and Profit 7 Rod Whitby <rod@whitby.id.au>

  8. Unslung Firmware - Unslung 2.x and 3.x Unslung 2.12-beta binary image was released on 6 Nov 2004. � The goal was to build the firmware from source. � Support for ext3 flash disks on Port 1 � Full downloadable package support � USB enclosure fixes (Genesys) � Kernel compiled from source (including some fixes) � Unslung 3.16-beta binary image was released on 25 Dec 2004. � The goal was to add a persistent JFFS2 root file system. � USB devfs support (driven by Topfield “puppy” development) � NFS kernel support � Recovery mode and Maintenance mode added. � 10 Feb 2007 Hacking Consumer Devices for Fun and Profit 8 Rod Whitby <rod@whitby.id.au>

  9. Unslung Firmware - Unslung 4.x and 5.x Unslung 4.20-beta binary image was released on 15 May 2005. � The goal was to become self-hosting – being able to build Optware � packages natively, and to free up another 1MB of RAM by booting directly to a /linuxrc in JFFS2 instead of using the “switchbox” initrd. The internal JFFS2 partition became an initfs and recovery filesystem. � More kernel modules were enabled (and kernel module ipkg feed added) � RAID, USB Audio, USB Cameras, Traffic Shaping, Tape Drives, etc. � Quite a few people stuck with 3.18-beta until 5.5-beta was released. � Unslung 5.5-beta binary image was released on 14 June 2005. � Upgraded to be based on Linksys V2.3R29 firmware. � Changed from broken maintenance mode to stable upgrade mode. � Disabled the Linksys download daemon (in favor of upgrade mode). � There have been almost 18000 downloads of Unslung 5.5-beta. � 10 Feb 2007 Hacking Consumer Devices for Fun and Profit 9 Rod Whitby <rod@whitby.id.au>

  10. Unslung Firmware - Unslung 6.x Unslung 6.8-beta binary image was released on 12 April 2006. � Updated to Linksys R63 firmware, which includes the Paragon � commercial NTFS kernel module with full write support. Many usability improvements (to try and reduce the number of � installation-related questions on the mailing list). The new Unslung logo is now featured in the Web GUI ☺ � There have been over 28000 downloads of Unslung 6.8-beta. � 10 Feb 2007 Hacking Consumer Devices for Fun and Profit 10 Rod Whitby <rod@whitby.id.au>

  11. Optware Packages - NSLU2, WL500g, … Began as “Unslung Packages” – now over 750 packages strong. � The set of packages have been ported to many targets: � Linksys NSLU2 (armeb, glibc) � Asus WL500g/gx (mipsel, uclibc) � Synology DS-101 (armeb, glibc) � Freecom FSG-3 (armeb, glibc) � Maxtor Shared Storage (armeb, uclibc) � Iomega NAS 100d (armeb, glibc) � Synology DS-101g+ (powerpc, glibc) � Linksys WRT54G* (mipsel, uclibc) � Technologic Systems TS72xx (arm, glibc) � Diverse range of packages: � Apache, MySQL, Perl/PHP/Python, Squid � Email, IRC, CUPS, Torrent, CVS, SVN, Git, Monotone � Webcam, Network Sound, USB PVR, X10, Samba PDC, Topfield EPG � MediaWiki, Asterisk, Gallery, iTunes Server, CCXStream, TwonkyVision � 10 Feb 2007 Hacking Consumer Devices for Fun and Profit 11 Rod Whitby <rod@whitby.id.au>

  12. Optware Packages - Distributed Development More than 100 Optware package � developers. Send a new package.mk file to the � nslu2-developers mailing list and you are granted CVS write access. An identified package feed manager � for each of the targets. New and modified packages are built � automatically every half hour, and the package feeds for all targets are updated upon successful builds. Build logs are published on the web for � NSLU2 Asterisk PBX package developers to peruse (and fix (on 512MB flash stick) any problems). Sipura SPA-3000 ATA/Gateway 10 Feb 2007 Hacking Consumer Devices for Fun and Profit 12 Rod Whitby <rod@whitby.id.au>

Recommend


More recommend