iLiad Thoughts on 2.5 and root password


TadW
07-25-2006, 10:39 AM
I was just thinking: what should we do if we cannot crack the root password using conventional means like John the Ripper, at least not in a suitable time? Possibilities:

- start a distributed brute-force attack
- stick to 2.4 (I know, bad idea ;))
- sniff the traffic to catch the 2.5 flash update. Save it to a file, hex it on a PC to change password, then manually put it back on the iRex and run the flash upgrade routines.

Any more ideas or possible solutions?

tribble
07-25-2006, 10:59 AM
We could easily replace it with a password of our choice. But I would like to have it cracked rather, so we don't have to fiddle with the passwd file.

DHer
07-25-2006, 11:00 AM
We don't need to crack the root password, I think.

With netcat we spawned a root shell, I think. So we can just create a new password hash for the passwd file and insert it there. It only works until the next update, so cracking the password is only useful for the future.

Or we just add a new user with superuser privileges :)

Did I say we? I meant you. I'm just watching :P

TadW
07-25-2006, 11:12 AM
I see where you guys are going... love the netcat idea... trust me DHer, I am quite upset myself about your misfortune. Let's hope you can get your iLiad fixed ASAP.

If we had the real password, couldn't iRex just replace it again with another one during the next update? I think it doesn't really matter whether we have the real password or just replace it with our own.

dive1770
07-25-2006, 11:18 AM
Why don't you just overwrite the current (new) passwd file with the old one?
Doing this will result in a root account without a password.

Then create client certificates on your computer and store the public key of the certificate in the file ~/.ssh/authorized_keys (on the iLiad).
If you do this and iRex does not fiddle with the user homes, you will always have root access with SSH.

DHer
07-25-2006, 11:52 AM
Is there still an SSH daemon in 2.5, or did they remove it completely?

If it's still there, the idea with the user certificate is really great.

Tscherno
07-25-2006, 12:11 PM
Is there still an SSH daemon in 2.5, or did they remove it completely?

If it's still there, the idea with the user certificate is really great.
Even if they remove the SSH daemon, we can put our own on the device...

arivero
07-25-2006, 12:11 PM
With netcat we spawned a root shell, I think. So we can just create a new password hash for the passwd file and insert it there. It only works until the next update, so cracking the password is only useful for the future.

Or we just add a new user with superuser privileges :)


I like this approach, netcat plus a different user. Plus "sudo gainroot" to go from this user to the root one.

BTW, I have found that a funny system to execute things is to use Ctrl-P on the first page of a PDF file, and then selecting the "print command".

Kristoffer
07-25-2006, 12:18 PM
Even if they remove the SSH daemon, we can put our own on the device...

As far as I could see, they have removed the SSH daemon, namely 'dropbear', completely, so we will need a new one.

Kristoffer
07-25-2006, 12:21 PM
...
If you do this and iRex does not fiddle with the user homes, you will always have root access with SSH.

I had some data stored in root's home directory; the update to 2.5 deleted all of it, but maybe that isn't true for other users' homes....

arivero
07-25-2006, 12:24 PM
As far as I could see, they have removed the SSH daemon, namely 'dropbear', completely, so we will need a new one.

Kristoffer, have you upgraded to the whole 2.5, i.e. the three upgrading steps? Just to be sure I can still pdf-exec.

Secondly, if the ssh is removed... are you using netcat or similar tricks, or just navigating across the html? Or does the xrvt work?

Tscherno
07-25-2006, 12:35 PM
We could simply use the tar.gz from the 2.4 version to restore the sshd ;)

Kristoffer
07-25-2006, 12:37 PM
Yes, I took the 3 steps completely...

I used the new hacking PDF from DHer in conjunction with netcat for Windows to gain console access... the pdf-execution is still working.

arivero
07-25-2006, 12:51 PM
Yes, I took the 3 steps completely...

I used the new hacking PDF from DHer in conjunction with netcat for Windows to gain console access... the pdf-execution is still working.
OK, I assume you refer to
http://www.mobileread.com/forums/showpost.php?p=34301&postcount=28

Well, I will try to upgrade and to provide a non-network hacking method, assuming the PDF execution still works. I hope your 2.5 is 2.5b and not 2.5a (there is some comment (http://www.mobileread.com/forums/showthread.php?t=7124&page=5) about an earlier one corrected on the fly).

astfgl
07-25-2006, 11:53 PM
BTW, I have found that a funny system to execute things is to use Ctrl-P on the first page of a PDF file, and then selecting the "print command".

Is DHer's user interface still working? If so, he can use this to run "ps -e > {content_path}/ps.txt" to put the process listing in a file which can be displayed on the screen, then run "kill -9 {PID}" to kill the netcat process and unblock the networking.

EDIT: Oops, Ctrl-P implies a keyboard and PC, not the iLiad. My bad. However, if he can still access the UI, loading a PDF/script/etc. on CF/USB and killing the process that way might still be possible. My iLiad is still a long way from delivery, so this is just speculation on my part.

DHer
07-26-2006, 03:39 AM
OK, there seems to be a script to flash the file system; check out /oldroot/linuxrc.

Now there are 2 questions: how to get the os.gz into the folder where it should be (/mnt/protected/images; fstab tells me it's /dev/tffsa5 - in the flash?) and how to get it into this flash mode :)

arivero
07-26-2006, 04:37 AM
OK, there seems to be a script to flash the file system; check out /oldroot/linuxrc.

Yes, if you check the bin of oldroot you will see that bin/init is simply a link to linuxrc.

Now the launching process (2.4) is not trivial. dmesg tells that
Kernel command line: root=/dev/tffsa1 rw console=ttyS2,115200 mem=64M

while oldroot is tffsa2.

Actually the partitioning of tffs is

tffs: TrueFFS driver 632.70
tffs: Socket 0: type 7 0x9876 chips 4 floors 4 size 256M in addr 0xc8000 ebs 0x10000
tffs: Device 0x0: size 0xea00000 HW sector 0x200 (recommended 0x800)
tffs: Registered module at major 100
Partition check:
tffsa: tffsa1 tffsa2 tffsa3 < tffsa5 tffsa6 tffsa7 >
tffs: partition 0x1 size 0x305800 start offset 0x6800
tffs: partition 0x2 size 0x4884000 start offset 0x30c000
tffs: partition 0x3 size 0x400 start offset 0x4b90000
tffs: partition 0x5 size 0x1d39800 start offset 0x4b96800
tffs: partition 0x6 size 0x803f800 start offset 0x68d6800
tffs: partition 0x7 size 0xe3800 start offset 0xe91c800

According to mount,
partition 2 is mounted as / (and /old-root, but this is somehow wrong),
partition 5 is mounted as /mnt/protected (it contains the images when updating),
partition 6 as /mnt/free (and it is a vfat, to store content),
partition 7 as /mnt/settings,

But the content of /old-root, when I look at it, seems to be equal to partition 1. I think that mount is a bit confused by the pivot_root procedures.
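As an added example (not code from the thread), here is a small parser for the tffs partition lines arivero quoted above: it reads the device size and sector size, tags the logical partitions listed between "< ... >", attaches the mount points stated in the post, and checks that the table is consistent (sector-aligned, inside the device, no overlaps) before anyone trusts it for a reflash. It assumes the dmesg sizes and offsets are byte counts, which is consistent with the quoted device size.

```python
import re
from collections import namedtuple

# Kernel log excerpt quoted in the post above, embedded inline so this runs offline.
# Sizes/offsets are read as bytes, which matches the quoted device size 0xea00000.
DMESG = """\
tffs: Device 0x0: size 0xea00000 HW sector 0x200 (recommended 0x800)
Partition check:
tffsa: tffsa1 tffsa2 tffsa3 < tffsa5 tffsa6 tffsa7 >
tffs: partition 0x1 size 0x305800 start offset 0x6800
tffs: partition 0x2 size 0x4884000 start offset 0x30c000
tffs: partition 0x3 size 0x400 start offset 0x4b90000
tffs: partition 0x5 size 0x1d39800 start offset 0x4b96800
tffs: partition 0x6 size 0x803f800 start offset 0x68d6800
tffs: partition 0x7 size 0xe3800 start offset 0xe91c800
"""
# Mount points as reported in the post; tffsa1 and tffsa3 are not mounted.
MOUNTS = {2: "/", 5: "/mnt/protected", 6: "/mnt/free", 7: "/mnt/settings"}

DEV_RE = re.compile(r"tffs: Device \S+: size 0x([0-9a-f]+) HW sector 0x([0-9a-f]+)")
PART_RE = re.compile(r"tffs: partition 0x([0-9a-f]+) size 0x([0-9a-f]+) start offset 0x([0-9a-f]+)")
LOGICAL_RE = re.compile(r"<([^>]*)>")  # "< tffsa5 tffsa6 tffsa7 >" lists the logicals
Part = namedtuple("Part", "num start end logical mount")

def parse_tffs(log):
    """Return (device_size, sector_size, partitions sorted by start offset)."""
    dev = DEV_RE.search(log)
    if dev is None:
        raise ValueError("no tffs device line found")
    dev_size, sector = int(dev.group(1), 16), int(dev.group(2), 16)
    logical = {int(n[len("tffsa"):]) for g in LOGICAL_RE.findall(log) for n in g.split()}
    parts = []
    for n, size, start in PART_RE.findall(log):
        num, size, start = int(n, 16), int(size, 16), int(start, 16)
        parts.append(Part(num, start, start + size, num in logical,
                          MOUNTS.get(num, "(not mounted)")))
    return dev_size, sector, sorted(parts, key=lambda p: p.start)

def check_layout(dev_size, sector, parts):
    """Problems found (empty list means consistent): sector-aligned, inside the device,
    not overlapping the next. tffsa3 is only the extended container's own entry."""
    problems = []
    for p in parts:
        if p.start % sector or p.end % sector:
            problems.append(f"tffsa{p.num}: not aligned to {sector:#x}-byte sectors")
        if p.end > dev_size:
            problems.append(f"tffsa{p.num}: ends past device size {dev_size:#x}")
    problems += [f"tffsa{a.num} overlaps tffsa{b.num}"
                 for a, b in zip(parts, parts[1:]) if a.end > b.start]
    return problems
```

On the quoted table the check passes: tffsa1 ends exactly where tffsa2 starts, tffsa2 where tffsa3 starts, and tffsa7 ends exactly at the device size, with small unused gaps before each logical partition.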