Old 05-07-2012, 02:51 PM   #84
ixtab
Posts: 2,903
Karma: 6677559
Join Date: Dec 2011
Device: K3, K4, K5, KPW, KPW2
Quote:
Originally Posted by Dweia View Post
I don't know why dropbear is explicitly named within the system_diags binary - I wonder if it might actually be contained as a binary resource or something, so that dropbear can be created "on the fly"... Whatever the reason, when "disabling diagnostics", the last line is executed and byebye dropbear. Maybe I'll try to install it in /usr/bin or something, and see if I can get a start-script to run it...
First off, thanks for posting the image! I took a look inside it - specifically I disassembled /opt/factory/system_diags. I'm not terribly proficient at ARM instructions, but anyway here are two relevant snippets:
Spoiler:

Code:
.text:0001ECD4
.text:0001ECD4 ; =============== S U B R O U T I N E =======================================
.text:0001ECD4
.text:0001ECD4 ; Attributes: bp-based frame
.text:0001ECD4
.text:0001ECD4 sub_1ECD4                               ; CODE XREF: sub_4A714+ACp
.text:0001ECD4                                         ; DATA XREF: .rodata:0004D644o
.text:0001ECD4
.text:0001ECD4 var_6C          = -0x6C
.text:0001ECD4 oldR4           = -0x10
.text:0001ECD4 oldR11          = -0xC
.text:0001ECD4 oldSP           = -8
.text:0001ECD4 oldLR           = -4
.text:0001ECD4
.text:0001ECD4                 MOV     R12, SP
.text:0001ECD8                 STMFD   SP!, {R4,R11,R12,LR,PC}
.text:0001ECDC                 SUB     R11, R12, #4
.text:0001ECE0                 SUB     SP, SP, #0x5C
.text:0001ECE4                 MOV     R4, R0
.text:0001ECE8                 LDR     R0, =aUsrLocalBinDro ; "/usr/local/bin/dropbearmulti"
.text:0001ECEC                 SUB     R1, R11, #-var_6C
.text:0001ECF0                 BLX     sub_4B29C
.text:0001ECF4                 CMP     R0, #0
.text:0001ECF8                 BNE     loc_1EDDC
.text:0001ECFC                 LDR     R3, [R4]
.text:0001ED00                 MOV     R0, R4
.text:0001ED04                 LDR     R1, =aMntrootRw ; "mntroot rw"
.text:0001ED08                 LDR     R3, [R3,#0x98]
.text:0001ED0C                 BLX     R3
.text:0001ED10                 LDR     R3, [R4]
.text:0001ED14                 LDR     R1, =aMkdirPUsrLocal ; "mkdir -p /usr/local/sbin"
.text:0001ED18                 MOV     R0, R4
.text:0001ED1C                 LDR     R3, [R3,#0x98]
.text:0001ED20                 BLX     R3
.text:0001ED24                 LDR     R0, =aUsrLocalSbinDr ; "/usr/local/sbin/dropbearkey"
.text:0001ED28                 SUB     R1, R11, #-var_6C
.text:0001ED2C                 BLX     sub_4B29C
.text:0001ED30                 CMP     R0, #0
.text:0001ED34                 BEQ     loc_1ED54
.text:0001ED38                 LDR     R3, [R4]
.text:0001ED3C                 MOV     R0, R4
.text:0001ED40                 LDR     R1, =aLnSSS     ; "ln -s %s %s"
.text:0001ED44                 LDR     R2, =aUsrLocalBinDro ; "/usr/local/bin/dropbearmulti"
.text:0001ED48                 LDR     R12, [R3,#0x98]
.text:0001ED4C                 LDR     R3, =aUsrLocalSbinDr ; "/usr/local/sbin/dropbearkey"
.text:0001ED50                 BLX     R12
.text:0001ED54
.text:0001ED54 loc_1ED54                               ; CODE XREF: sub_1ECD4+60j
.text:0001ED54                 LDR     R0, =aUsrLocalSbin_0 ; "/usr/local/sbin/dropbear"
.text:0001ED58                 SUB     R1, R11, #-var_6C
.text:0001ED5C                 BLX     sub_4B29C
.text:0001ED60                 CMP     R0, #0
.text:0001ED64                 BEQ     loc_1ED84
.text:0001ED68                 LDR     R3, [R4]
.text:0001ED6C                 MOV     R0, R4
.text:0001ED70                 LDR     R1, =aLnSSS     ; "ln -s %s %s"
.text:0001ED74                 LDR     R2, =aUsrLocalBinDro ; "/usr/local/bin/dropbearmulti"
.text:0001ED78                 LDR     R12, [R3,#0x98]
.text:0001ED7C                 LDR     R3, =aUsrLocalSbin_0 ; "/usr/local/sbin/dropbear"
.text:0001ED80                 BLX     R12
.text:0001ED84
.text:0001ED84 loc_1ED84                               ; CODE XREF: sub_1ECD4+90j
.text:0001ED84                 LDR     R0, =aEtcDropbearDro ; "/etc/dropbear/dropbear_rsa_host_key"
.text:0001ED88                 SUB     R1, R11, #-var_6C
.text:0001ED8C                 BLX     sub_4B29C
.text:0001ED90                 CMP     R0, #0
.text:0001ED94                 BEQ     loc_1EDB4
.text:0001ED98                 LDR     R3, [R4]
.text:0001ED9C                 MOV     R0, R4
.text:0001EDA0                 LDR     R1, =aMkdirPEtcDropb ; "mkdir -p /etc/dropbear/ && %s -t rsa -f"...
.text:0001EDA4                 LDR     R2, =aUsrLocalSbinDr ; "/usr/local/sbin/dropbearkey"
.text:0001EDA8                 LDR     R12, [R3,#0x98]
.text:0001EDAC                 LDR     R3, =aEtcDropbearDro ; "/etc/dropbear/dropbear_rsa_host_key"
.text:0001EDB0                 BLX     R12
.text:0001EDB4
.text:0001EDB4 loc_1EDB4                               ; CODE XREF: sub_1ECD4+C0j
.text:0001EDB4                 LDR     R3, [R4]
.text:0001EDB8                 MOV     R0, R4
.text:0001EDBC                 LDR     R1, =aUsrLocalSbin_0 ; "/usr/local/sbin/dropbear"
.text:0001EDC0                 LDR     R3, [R3,#0x98]
.text:0001EDC4                 BLX     R3
.text:0001EDC8                 LDR     R3, [R4]
.text:0001EDCC                 MOV     R0, R4
.text:0001EDD0                 LDR     R1, =aMntrootRo ; "mntroot ro"
.text:0001EDD4                 LDR     R3, [R3,#0x98]
.text:0001EDD8                 BLX     R3
.text:0001EDDC
.text:0001EDDC loc_1EDDC                               ; CODE XREF: sub_1ECD4+24j
.text:0001EDDC                 MOV     R0, #0
.text:0001EDE0                 SUB     SP, R11, #0x10
.text:0001EDE4                 LDMFD   SP, {R4,R11,SP,PC}
.text:0001EDE4 ; End of function sub_1ECD4


To me, this looks as if dropbear was installed, configured, and started(!) if the file /usr/local/bin/dropbearmulti is present.

Now on to the second part:
Spoiler:

Code:
.text:0003DDE4
.text:0003DDE4 ; =============== S U B R O U T I N E =======================================
.text:0003DDE4
.text:0003DDE4
.text:0003DDE4 sub_3DDE4                               ; DATA XREF: .rodata:00052AE8o
.text:0003DDE4
.text:0003DDE4 var_530         = -0x530
.text:0003DDE4
.text:0003DDE4                 MOV     R12, SP
.text:0003DDE8                 LDR     R3, =off_4BE88
.text:0003DDEC                 STMFD   SP!, {R4,R5,R11,R12,LR,PC}
.text:0003DDF0                 SUB     SP, SP, #0x510
.text:0003DDF4                 SUB     R11, R12, #4
.text:0003DDF8                 SUB     SP, SP, #8
.text:0003DDFC                 MOV     R4, R0
.text:0003DE00                 LDR     R0, =aHaldevicesetti ; "HalDeviceSetting"
.text:0003DE04                 STR     R3, [R11,#-0x2C]
.text:0003DE08                 MOV     R3, #0
.text:0003DE0C                 STR     R3, [R11,#-0x28]
.text:0003DE10                 STR     R3, [R11,#-0x24]
.text:0003DE14                 STR     R3, [R11,#-0x20]
.text:0003DE18                 STR     R3, [R11,#-0x1C]
.text:0003DE1C                 BL      sub_10198
.text:0003DE20                 CMP     R0, #0
.text:0003DE24                 STR     R0, [R4,#0x20C]
.text:0003DE28                 SUBEQ   R2, R11, #0x520
.text:0003DE2C                 LDREQ   R3, =off_543B0
.text:0003DE30                 SUBEQ   R2, R2, #4
.text:0003DE34                 BEQ     loc_3DE6C
.text:0003DE38                 LDR     R3, [R0]
.text:0003DE3C                 MOV     R2, #0xC
.text:0003DE40                 ADD     R5, R4, #0x210
.text:0003DE44                 STR     R2, [R11,#-0x24]
.text:0003DE48                 STR     R5, [R11,#-0x1C]
.text:0003DE4C                 SUB     R1, R11, #0x2C
.text:0003DE50                 LDR     R3, [R3,#0x3C]
.text:0003DE54                 BLX     R3
.text:0003DE58                 CMP     R0, #0
.text:0003DE5C                 BEQ     loc_3DE90
.text:0003DE60                 SUB     R2, R11, #0x520
.text:0003DE64                 LDR     R3, =off_543B8
.text:0003DE68                 SUB     R2, R2, #4
.text:0003DE6C
.text:0003DE6C loc_3DE6C                               ; CODE XREF: sub_3DDE4+50j
.text:0003DE6C                                         ; sub_3DDE4+110j
.text:0003DE6C                 LDMIA   R3, {R0,R1}
.text:0003DE70                 LDR     R3, [R4]
.text:0003DE74                 STMIA   R2, {R0,R1}
.text:0003DE78                 MOV     R1, R2
.text:0003DE7C                 LDR     R3, [R3,#0x208]
.text:0003DE80                 MOV     R0, R4
.text:0003DE84                 MOV     R2, #2
.text:0003DE88
.text:0003DE88 loc_3DE88                               ; CODE XREF: sub_3DDE4+F0j
.text:0003DE88                 BLX     R3
.text:0003DE8C                 B       loc_3DFEC
.text:0003DE90 ; ---------------------------------------------------------------------------
.text:0003DE90
.text:0003DE90 loc_3DE90                               ; CODE XREF: sub_3DDE4+78j
.text:0003DE90                 LDR     R0, [R4,#0x20C]
.text:0003DE94                 MOV     R3, #0xE
.text:0003DE98                 STR     R3, [R11,#-0x24]
.text:0003DE9C                 SUB     R1, R11, #0x2C
.text:0003DEA0                 STR     R5, [R11,#-0x1C]
.text:0003DEA4                 LDR     R3, [R0]
.text:0003DEA8                 LDR     R3, [R3,#0x3C]
.text:0003DEAC                 BLX     R3
.text:0003DEB0                 LDR     R3, [R4]
.text:0003DEB4                 CMP     R0, #0
.text:0003DEB8                 BEQ     loc_3DED8
.text:0003DEBC                 LDR     R2, =aCouldNotMountA ; "Could not mount/access customer partiti"...
.text:0003DEC0                 SUB     R1, R11, #0x14
.text:0003DEC4                 LDR     R3, [R3,#0x208]
.text:0003DEC8                 MOV     R0, R4
.text:0003DECC                 STR     R2, [R1,#-0x510]!
.text:0003DED0                 MOV     R2, #1
.text:0003DED4                 B       loc_3DE88
.text:0003DED8 ; ---------------------------------------------------------------------------
.text:0003DED8
.text:0003DED8 loc_3DED8                               ; CODE XREF: sub_3DDE4+D4j
.text:0003DED8                 LDR     R3, [R3,#0x1FC]
.text:0003DEDC                 MOV     R0, R4
.text:0003DEE0                 BLX     R3
.text:0003DEE4                 CMP     R0, #0
.text:0003DEE8                 SUBEQ   R2, R11, #0x520
.text:0003DEEC                 LDREQ   R3, =off_543C0
.text:0003DEF0                 SUBEQ   R2, R2, #4
.text:0003DEF4                 BEQ     loc_3DE6C
.text:0003DEF8                 LDR     R3, [R4]
.text:0003DEFC                 MOV     R0, R4
.text:0003DF00                 LDR     R3, [R3,#0x200]
.text:0003DF04                 BLX     R3
.text:0003DF08                 CMP     R0, #0
.text:0003DF0C                 BEQ     loc_3DFEC
.text:0003DF10                 LDR     R0, =unk_5A20B  ; command ### this is "/usr/sbin/mntroot rw"
.text:0003DF14                 BL      system
.text:0003DF18                 LDR     R0, =aMntBaseUsEnabl ; "/mnt/base-us/ENABLE_DIAGS"
.text:0003DF1C                 SUB     R1, R11, #0x84
.text:0003DF20                 BLX     sub_4B29C
.text:0003DF24                 CMP     R0, #0
.text:0003DF28                 BNE     loc_3DF38
.text:0003DF2C                 LDR     R0, =aMntBaseUsEnabl ; "/mnt/base-us/ENABLE_DIAGS"
.text:0003DF30                 BL      remove
.text:0003DF34                 BL      sync
.text:0003DF38
.text:0003DF38 loc_3DF38                               ; CODE XREF: sub_3DDE4+144j
.text:0003DF38                 LDR     R0, =unk_5A23A ### this is "/usr/sbin/rpinit"
.text:0003DF3C                 SUB     R1, R11, #0x84
.text:0003DF40                 BLX     sub_4B29C
.text:0003DF44                 CMP     R0, #0
.text:0003DF48                 BNE     loc_3DF6C
.text:0003DF4C                 SUB     R0, R11, #0x520
.text:0003DF50                 LDR     R1, =aSStart    ; "%s start"
.text:0003DF54                 SUB     R0, R0, #4      ; s
.text:0003DF58                 LDR     R2, =unk_5A23A
.text:0003DF5C                 BL      sprintf
.text:0003DF60                 SUB     R0, R11, #0x520
.text:0003DF64                 SUB     R0, R0, #4      ; command
.text:0003DF68                 BL      system
.text:0003DF6C
.text:0003DF6C loc_3DF6C                               ; CODE XREF: sub_3DDE4+164j
.text:0003DF6C                 LDR     R0, =aRmRfUsrLocal ; "rm -rf /usr/local/*"
.text:0003DF70                 BL      system
.text:0003DF74                 LDR     R3, [R4]
.text:0003DF78                 MOV     R0, R4
.text:0003DF7C                 LDR     R3, [R3,#0xB0]
.text:0003DF80                 BLX     R3
.text:0003DF84                 LDR     R1, =aSSendingMntroo ; "%s: sending  mntroot_ro: idme -d --boot"...
.text:0003DF88                 MOV     R2, R0
.text:0003DF8C                 MOV     R0, R4
.text:0003DF90                 BL      sub_38410
.text:0003DF94                 LDR     R0, =unk_5A29A  ; command
.text:0003DF98                 BL      system
.text:0003DF9C                 LDR     R3, [R4]
.text:0003DFA0                 MOV     R0, R4
.text:0003DFA4                 LDR     R5, [R3,#0x1A0]
.text:0003DFA8                 LDR     R3, [R3,#0xB0]
.text:0003DFAC                 BLX     R3
.text:0003DFB0                 MOV     R3, #0x9F
.text:0003DFB4                 MOV     R1, #1
.text:0003DFB8                 SUB     R2, R11, #0x124
.text:0003DFBC                 STR     R0, [SP,#0x530+var_530]
.text:0003DFC0                 MOV     R0, R4
.text:0003DFC4                 BLX     R5
.text:0003DFC8                 LDR     R0, =aIdmeDBootmodeM ; "idme -d --bootmode main"
.text:0003DFCC                 BL      system
.text:0003DFD0                 BL      sync
.text:0003DFD4                 LDR     R3, =unk_70CD0
.text:0003DFD8                 MOV     R0, #0
.text:0003DFDC                 STR     R0, [R3,#0x7C]
.text:0003DFE0                 MOV     R3, #1
.text:0003DFE4                 STR     R3, [R4,#0xC]
.text:0003DFE8                 B       loc_3DFF8
.text:0003DFEC ; ---------------------------------------------------------------------------
.text:0003DFEC
.text:0003DFEC loc_3DFEC                               ; CODE XREF: sub_3DDE4+A8j
.text:0003DFEC                                         ; sub_3DDE4+128j
.text:0003DFEC                 MOV     R0, 0xFFFFFFFF
.text:0003DFF0                 MOV     R3, #2
.text:0003DFF4                 STR     R3, [R4,#0xC]
.text:0003DFF8
.text:0003DFF8 loc_3DFF8                               ; CODE XREF: sub_3DDE4+204j
.text:0003DFF8                 SUB     SP, R11, #0x14
.text:0003DFFC                 LDMFD   SP, {R4,R5,R11,SP,PC}
.text:0003DFFC ; End of function sub_3DDE4
.text:0003DFFC


... and here, the relevant logic seems to be: if /mnt/base-us/ENABLE_DIAGS exists, remove it, AND rm -rf /usr/local/*, THEN reboot to main.

Now go figure how these two things go together (as the second part would also remove /usr/local/bin/dropbearmulti, which is needed for the first part to make sense)... WTF?

PS: I also don't know what that "/usr/sbin/rpinit start" command would mean, this file doesn't exist either. WTF²?

Last edited by ixtab; 05-07-2012 at 02:58 PM.
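The two listings above are easier to reason about as shell. What follows is an added reconstruction by the editor, not code from the post or from the device image: the dropbear branch of sub_1ECD4 and the "disable diagnostics" tail of sub_3DDE4, each written as a function that mirrors the branches in the disassembly. It assumes that sub_4B29C behaves like stat() (returns 0 when the path exists, which is the only reading under which the BNE after the dropbearmulti check and the BEQs after the other checks make sense), that the helper reached through [R3,#0x98] runs its argument through the shell, and that the truncated format "mkdir -p /etc/dropbear/ && %s -t rsa -f"... ends with the host-key path loaded into R3. The unresolved command unk_5A29A is left out rather than guessed. The optional root prefix and DRY_RUN are scaffolding for exercising the logic in a scratch directory; neither exists in the binary.

```shell
#!/bin/sh
# Editor's reconstruction of two code paths in /opt/factory/system_diags.
# $1 is an optional root prefix (for testing against a scratch directory);
# DRY_RUN=1 prints each command instead of executing it. Both are test
# scaffolding, not behaviour of the original binary.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# sub_1ECD4: link, key and start dropbear, but only if dropbearmulti exists.
# Assumption: sub_4B29C is a stat()-style check returning 0 on existence.
dropbear_setup() {
    root="${1:-}"
    multi="$root/usr/local/bin/dropbearmulti"
    keytool="$root/usr/local/sbin/dropbearkey"
    daemon="$root/usr/local/sbin/dropbear"
    hostkey="$root/etc/dropbear/dropbear_rsa_host_key"

    # CMP R0,#0 / BNE loc_1EDDC: without dropbearmulti nothing happens at all
    [ -e "$multi" ] || return 0

    run mntroot rw
    run mkdir -p "$root/usr/local/sbin"
    # each symlink is only created when the target name is still missing
    [ -e "$keytool" ] || run ln -s "$multi" "$keytool"
    [ -e "$daemon" ]  || run ln -s "$multi" "$daemon"
    # a missing RSA host key is generated in place
    # (assumption: the truncated format string ends in "%s" = hostkey path)
    if [ ! -e "$hostkey" ]; then
        run mkdir -p "$root/etc/dropbear/"
        run "$keytool" -t rsa -f "$hostkey"
    fi
    run "$daemon"          # started unconditionally once this point is reached
    run mntroot ro
}

# Tail of sub_3DDE4, after the customer-partition checks succeed:
# the "disable diagnostics" path.
disable_diags() {
    root="${1:-}"
    flag="$root/mnt/base-us/ENABLE_DIAGS"
    rpinit="$root/usr/sbin/rpinit"

    run /usr/sbin/mntroot rw
    # the flag file is removed if present; its absence is not an error
    if [ -e "$flag" ]; then
        run rm -f "$flag"
        run sync
    fi
    # "%s start" is only sent when rpinit exists (it does not, in this image)
    if [ -e "$rpinit" ]; then
        run "$rpinit" start
    fi
    # runs whether or not ENABLE_DIAGS was there, and takes the
    # dropbearmulti that sub_1ECD4 depends on with it
    run rm -rf "$root/usr/local"/*
    # unk_5A29A: command string not resolved in the listing, skipped here
    run idme -d --bootmode main
    run sync
}
```

Reading the two functions side by side makes the point of the post concrete: whatever file sits at /usr/local/bin/dropbearmulti is symlinked, given a host key and started with the root filesystem mounted read-write, and the diagnostics-disable path then deletes everything under /usr/local, so the first path only ever fires on an image where something has put a dropbearmulti there before the diagnostics run.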