The system security is state of the art, as one would expect from an IoT device.
# telnet 10.77.1.2
Trying 10.77.1.2...
Connected to 10.77.1.2.
Escape character is '^]'.
rlx-linux login: root
RLX Linux version 2.0
_ _ _
| | | ||_|
_ _ | | _ _ | | _ ____ _ _ _ _
| |/ || |\ \/ / | || | _ \| | | |\ \/ /
| |_/ | |/ \ | || | | | | |_| |/ \
|_| |_|\_/\_/ |_||_|_| |_|\____|\_/\_/
For further information check:
http://processor.realtek.com/
#
Login is "root", the system doesn't even ask for a password.
Sadly, the system is really cut down, most likely for security reasons, so it doesn't offer many useful commands:
#
arp chmod egrep insmod killall modprobe reboot tar vi
arping cp free ip ledbtn mount rm telnetd
ash cut grep iwconfig ln mv rmmod tftp
brctl date halt iwcontrol login netstat route touch
busybox depmod hostname iwlist ls ping routed udhcpc
cat df ifconfig iwpriv lsmod poweroff sh udhcpd
cfg echo init kill mkdir ps switch umount
But that's fine, there's the "tftp" command, so let's see:
# tftp -g -r /srv/tftp/test -l /tmp/test 10.0.0.1
# ls /tmp/test
/tmp/test
The syntax is a bit odd, but -g means "get", "-l" means local, "-r" means remote. The busybox version is 1.13.6 or so and oddly cut down. But this looks good, we can download files onto the Smart Power Strip.
Let's compile busybox with some more useful tools to dump the content of the flash, so we can politely ask the vendor for the GPLed sources with a binary in hand.
The system runs RTL819x MIPS, uclibc 0.9.30 and Linux 2.6.30.9:
# cat /proc/cpuinfo
system type : RTL819x
processor : 0
cpu model : 52481
BogoMIPS : 379.28
hardware watchpoint : no
tlb_entries : 32
mips16 implemented : yes
# ls /lib/
ld-uClibc-0.9.30.3.so libcrypt.so.0 libm.so.0
ld-uClibc.so libgcc.so libpthread-0.9.30.3.so
ld-uClibc.so.0 libgcc_s.so libpthread.so.0
ld.so.1 libgcc_s.so.1 libuClibc-0.9.30.3.so
libc.so.0 libiw.so.29 modules
libcrypt-0.9.30.3.so libm-0.9.30.3.so
libcrypt.so libm.so
# ls /lib/modules/2.6.30.9/
build modules.dep.bin modules.pcimap
kernel modules.ieee1394map modules.seriomap
modules.alias modules.inputmap modules.symbols
modules.alias.bin modules.isapnpmap modules.symbols.bin
modules.ccwmap modules.ofmap modules.usbmap
modules.dep modules.order source
No modern MIPS toolchain would be able to produce binaries for that antique, but luckily there is an RLX-linux SDK dump on GitHub (link).
Then it's only a matter of doing a static build of busybox using the oldest SDK in the repo:
PATH=/path/to/rtl819x-toolchain/toolchain/rsdk-1.3.6-4181-EB-2.6.30-0.9.30/bin/:$PATH
export CROSS_COMPILE=mips-linux-
make menuconfig
make
And finally, transfer the static busybox binary to the system:
# tftp -g -r /srv/tftp/busybox -l /tmp/busybox 10.0.0.1
# chmod a+x /tmp/busybox
# /tmp/busybox
BusyBox v1.21.0 (2018-04-27 18:51:36 CEST) multi-call binary.
...
Good, replacement busybox with functionality like "netcat" is working. Finally, we can do something like this to pipe the content of flash over the network to a remote system:
cat /dev/mtdblock0 | /tmp/busybox nc 10.0.0.1 6666
cat /dev/mtdblock1 | /tmp/busybox nc 10.0.0.1 6666
Or back up the rootfs binaries for later analysis:
# tar -cf /tmp/root.tar /bin /etc /home /init /lib /mnt /usr /var
tar: removing leading '/' from member names
tar: /var/tmp/root.tar: file is the archive; skipping
# cat /tmp/root.tar | /tmp/busybox nc 10.0.0.1 6666
I can only finish this article with a famous quote, S in IoT stands for Security.
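An added example, not part of the original post: one way to begin the "later analysis" of root.tar on the receiving host is to look for what lets root log in over telnet without a password. It assumes the cause shows up as an empty password field in etc/passwd or etc/shadow, or as a telnetd line in a startup script; the sample archive built inline is constructed, not the device's files.

```python
import io
import tarfile

# Startup locations typical of a BusyBox rootfs (assumed, not taken from the device).
STARTUP_PREFIXES = ("etc/inittab", "etc/init.d/", "etc/rc")
ACCOUNT_FILES = ("etc/passwd", "etc/shadow")

def build_sample_archive():
    """Constructed sample archive; these are NOT the device's real files."""
    files = {
        "etc/passwd": "root::0:0:root:/:/bin/sh\nnobody:x:99:99::/:/bin/false\n",
        "etc/init.d/rcS": "#!/bin/sh\nifconfig lo up\n# remote shell\ntelnetd &\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)  # no leading '/', as in the tar output above
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def audit_rootfs(fileobj):
    """Return (file, line number, finding) tuples for a rootfs tar archive."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            name = member.name.lstrip("./")
            is_accounts = name in ACCOUNT_FILES
            is_startup = name.startswith(STARTUP_PREFIXES)
            if not member.isfile() or not (is_accounts or is_startup):
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                fields = line.split(":")
                if is_accounts and len(fields) >= 2 and fields[1] == "":
                    findings.append((name, lineno, f"account '{fields[0]}' has an empty password field"))
                # Ignore shell comments so a commented-out telnetd is not reported.
                if is_startup and "telnetd" in line.split("#", 1)[0]:
                    findings.append((name, lineno, "telnetd is started at boot"))
    return findings

if __name__ == "__main__":
    for name, lineno, finding in audit_rootfs(build_sample_archive()):
        print(f"{name}:{lineno}: {finding}")
```

To run it against a real dump, pass `open("root.tar", "rb")` to `audit_rootfs` instead of the constructed sample.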
1 comment:
Hello, is there a way to connect the SOW323 via ethernet instead of WiFi?
Thanks.