Quote:
Originally Posted by Dweia
I don't know why dropbear is explicitly named within the system_diags binary - I wonder if it might actually be contained as a binary resource or something, so that dropbear can be created "on the fly"... Whatever the reason, when "disabling diagnostics", the last line is executed and bye-bye dropbear. Maybe I'll try to install it in /usr/bin or something, and see if I can get a start-script to run it...
First off, thanks for posting the image! I took a look inside it - specifically I disassembled /opt/factory/system_diags. I'm not terribly proficient at ARM instructions, but anyway here are two relevant snippets:
Code:
.text:0001ECD4
.text:0001ECD4 ; =============== S U B R O U T I N E =======================================
.text:0001ECD4
.text:0001ECD4 ; Attributes: bp-based frame
.text:0001ECD4
.text:0001ECD4 sub_1ECD4 ; CODE XREF: sub_4A714+ACp
.text:0001ECD4 ; DATA XREF: .rodata:0004D644o
.text:0001ECD4
.text:0001ECD4 var_6C = -0x6C
.text:0001ECD4 oldR4 = -0x10
.text:0001ECD4 oldR11 = -0xC
.text:0001ECD4 oldSP = -8
.text:0001ECD4 oldLR = -4
.text:0001ECD4
.text:0001ECD4 MOV R12, SP
.text:0001ECD8 STMFD SP!, {R4,R11,R12,LR,PC}
.text:0001ECDC SUB R11, R12, #4
.text:0001ECE0 SUB SP, SP, #0x5C
.text:0001ECE4 MOV R4, R0
.text:0001ECE8 LDR R0, =aUsrLocalBinDro ; "/usr/local/bin/dropbearmulti"
.text:0001ECEC SUB R1, R11, #-var_6C
.text:0001ECF0 BLX sub_4B29C
.text:0001ECF4 CMP R0, #0
.text:0001ECF8 BNE loc_1EDDC
.text:0001ECFC LDR R3, [R4]
.text:0001ED00 MOV R0, R4
.text:0001ED04 LDR R1, =aMntrootRw ; "mntroot rw"
.text:0001ED08 LDR R3, [R3,#0x98]
.text:0001ED0C BLX R3
.text:0001ED10 LDR R3, [R4]
.text:0001ED14 LDR R1, =aMkdirPUsrLocal ; "mkdir -p /usr/local/sbin"
.text:0001ED18 MOV R0, R4
.text:0001ED1C LDR R3, [R3,#0x98]
.text:0001ED20 BLX R3
.text:0001ED24 LDR R0, =aUsrLocalSbinDr ; "/usr/local/sbin/dropbearkey"
.text:0001ED28 SUB R1, R11, #-var_6C
.text:0001ED2C BLX sub_4B29C
.text:0001ED30 CMP R0, #0
.text:0001ED34 BEQ loc_1ED54
.text:0001ED38 LDR R3, [R4]
.text:0001ED3C MOV R0, R4
.text:0001ED40 LDR R1, =aLnSSS ; "ln -s %s %s"
.text:0001ED44 LDR R2, =aUsrLocalBinDro ; "/usr/local/bin/dropbearmulti"
.text:0001ED48 LDR R12, [R3,#0x98]
.text:0001ED4C LDR R3, =aUsrLocalSbinDr ; "/usr/local/sbin/dropbearkey"
.text:0001ED50 BLX R12
.text:0001ED54
.text:0001ED54 loc_1ED54 ; CODE XREF: sub_1ECD4+60j
.text:0001ED54 LDR R0, =aUsrLocalSbin_0 ; "/usr/local/sbin/dropbear"
.text:0001ED58 SUB R1, R11, #-var_6C
.text:0001ED5C BLX sub_4B29C
.text:0001ED60 CMP R0, #0
.text:0001ED64 BEQ loc_1ED84
.text:0001ED68 LDR R3, [R4]
.text:0001ED6C MOV R0, R4
.text:0001ED70 LDR R1, =aLnSSS ; "ln -s %s %s"
.text:0001ED74 LDR R2, =aUsrLocalBinDro ; "/usr/local/bin/dropbearmulti"
.text:0001ED78 LDR R12, [R3,#0x98]
.text:0001ED7C LDR R3, =aUsrLocalSbin_0 ; "/usr/local/sbin/dropbear"
.text:0001ED80 BLX R12
.text:0001ED84
.text:0001ED84 loc_1ED84 ; CODE XREF: sub_1ECD4+90j
.text:0001ED84 LDR R0, =aEtcDropbearDro ; "/etc/dropbear/dropbear_rsa_host_key"
.text:0001ED88 SUB R1, R11, #-var_6C
.text:0001ED8C BLX sub_4B29C
.text:0001ED90 CMP R0, #0
.text:0001ED94 BEQ loc_1EDB4
.text:0001ED98 LDR R3, [R4]
.text:0001ED9C MOV R0, R4
.text:0001EDA0 LDR R1, =aMkdirPEtcDropb ; "mkdir -p /etc/dropbear/ && %s -t rsa -f"...
.text:0001EDA4 LDR R2, =aUsrLocalSbinDr ; "/usr/local/sbin/dropbearkey"
.text:0001EDA8 LDR R12, [R3,#0x98]
.text:0001EDAC LDR R3, =aEtcDropbearDro ; "/etc/dropbear/dropbear_rsa_host_key"
.text:0001EDB0 BLX R12
.text:0001EDB4
.text:0001EDB4 loc_1EDB4 ; CODE XREF: sub_1ECD4+C0j
.text:0001EDB4 LDR R3, [R4]
.text:0001EDB8 MOV R0, R4
.text:0001EDBC LDR R1, =aUsrLocalSbin_0 ; "/usr/local/sbin/dropbear"
.text:0001EDC0 LDR R3, [R3,#0x98]
.text:0001EDC4 BLX R3
.text:0001EDC8 LDR R3, [R4]
.text:0001EDCC MOV R0, R4
.text:0001EDD0 LDR R1, =aMntrootRo ; "mntroot ro"
.text:0001EDD4 LDR R3, [R3,#0x98]
.text:0001EDD8 BLX R3
.text:0001EDDC
.text:0001EDDC loc_1EDDC ; CODE XREF: sub_1ECD4+24j
.text:0001EDDC MOV R0, #0
.text:0001EDE0 SUB SP, R11, #0x10
.text:0001EDE4 LDMFD SP, {R4,R11,SP,PC}
.text:0001EDE4 ; End of function sub_1ECD4
To me, this looks as if dropbear was installed, configured, and started(!) if the file /usr/local/bin/dropbearmulti is present.
Now on to the second part:
Code:
.text:0003DDE4
.text:0003DDE4 ; =============== S U B R O U T I N E =======================================
.text:0003DDE4
.text:0003DDE4
.text:0003DDE4 sub_3DDE4 ; DATA XREF: .rodata:00052AE8o
.text:0003DDE4
.text:0003DDE4 var_530 = -0x530
.text:0003DDE4
.text:0003DDE4 MOV R12, SP
.text:0003DDE8 LDR R3, =off_4BE88
.text:0003DDEC STMFD SP!, {R4,R5,R11,R12,LR,PC}
.text:0003DDF0 SUB SP, SP, #0x510
.text:0003DDF4 SUB R11, R12, #4
.text:0003DDF8 SUB SP, SP, #8
.text:0003DDFC MOV R4, R0
.text:0003DE00 LDR R0, =aHaldevicesetti ; "HalDeviceSetting"
.text:0003DE04 STR R3, [R11,#-0x2C]
.text:0003DE08 MOV R3, #0
.text:0003DE0C STR R3, [R11,#-0x28]
.text:0003DE10 STR R3, [R11,#-0x24]
.text:0003DE14 STR R3, [R11,#-0x20]
.text:0003DE18 STR R3, [R11,#-0x1C]
.text:0003DE1C BL sub_10198
.text:0003DE20 CMP R0, #0
.text:0003DE24 STR R0, [R4,#0x20C]
.text:0003DE28 SUBEQ R2, R11, #0x520
.text:0003DE2C LDREQ R3, =off_543B0
.text:0003DE30 SUBEQ R2, R2, #4
.text:0003DE34 BEQ loc_3DE6C
.text:0003DE38 LDR R3, [R0]
.text:0003DE3C MOV R2, #0xC
.text:0003DE40 ADD R5, R4, #0x210
.text:0003DE44 STR R2, [R11,#-0x24]
.text:0003DE48 STR R5, [R11,#-0x1C]
.text:0003DE4C SUB R1, R11, #0x2C
.text:0003DE50 LDR R3, [R3,#0x3C]
.text:0003DE54 BLX R3
.text:0003DE58 CMP R0, #0
.text:0003DE5C BEQ loc_3DE90
.text:0003DE60 SUB R2, R11, #0x520
.text:0003DE64 LDR R3, =off_543B8
.text:0003DE68 SUB R2, R2, #4
.text:0003DE6C
.text:0003DE6C loc_3DE6C ; CODE XREF: sub_3DDE4+50j
.text:0003DE6C ; sub_3DDE4+110j
.text:0003DE6C LDMIA R3, {R0,R1}
.text:0003DE70 LDR R3, [R4]
.text:0003DE74 STMIA R2, {R0,R1}
.text:0003DE78 MOV R1, R2
.text:0003DE7C LDR R3, [R3,#0x208]
.text:0003DE80 MOV R0, R4
.text:0003DE84 MOV R2, #2
.text:0003DE88
.text:0003DE88 loc_3DE88 ; CODE XREF: sub_3DDE4+F0j
.text:0003DE88 BLX R3
.text:0003DE8C B loc_3DFEC
.text:0003DE90 ; ---------------------------------------------------------------------------
.text:0003DE90
.text:0003DE90 loc_3DE90 ; CODE XREF: sub_3DDE4+78j
.text:0003DE90 LDR R0, [R4,#0x20C]
.text:0003DE94 MOV R3, #0xE
.text:0003DE98 STR R3, [R11,#-0x24]
.text:0003DE9C SUB R1, R11, #0x2C
.text:0003DEA0 STR R5, [R11,#-0x1C]
.text:0003DEA4 LDR R3, [R0]
.text:0003DEA8 LDR R3, [R3,#0x3C]
.text:0003DEAC BLX R3
.text:0003DEB0 LDR R3, [R4]
.text:0003DEB4 CMP R0, #0
.text:0003DEB8 BEQ loc_3DED8
.text:0003DEBC LDR R2, =aCouldNotMountA ; "Could not mount/access customer partiti"...
.text:0003DEC0 SUB R1, R11, #0x14
.text:0003DEC4 LDR R3, [R3,#0x208]
.text:0003DEC8 MOV R0, R4
.text:0003DECC STR R2, [R1,#-0x510]!
.text:0003DED0 MOV R2, #1
.text:0003DED4 B loc_3DE88
.text:0003DED8 ; ---------------------------------------------------------------------------
.text:0003DED8
.text:0003DED8 loc_3DED8 ; CODE XREF: sub_3DDE4+D4j
.text:0003DED8 LDR R3, [R3,#0x1FC]
.text:0003DEDC MOV R0, R4
.text:0003DEE0 BLX R3
.text:0003DEE4 CMP R0, #0
.text:0003DEE8 SUBEQ R2, R11, #0x520
.text:0003DEEC LDREQ R3, =off_543C0
.text:0003DEF0 SUBEQ R2, R2, #4
.text:0003DEF4 BEQ loc_3DE6C
.text:0003DEF8 LDR R3, [R4]
.text:0003DEFC MOV R0, R4
.text:0003DF00 LDR R3, [R3,#0x200]
.text:0003DF04 BLX R3
.text:0003DF08 CMP R0, #0
.text:0003DF0C BEQ loc_3DFEC
.text:0003DF10 LDR R0, =unk_5A20B ; command ### this is "/usr/sbin/mntroot rw"
.text:0003DF14 BL system
.text:0003DF18 LDR R0, =aMntBaseUsEnabl ; "/mnt/base-us/ENABLE_DIAGS"
.text:0003DF1C SUB R1, R11, #0x84
.text:0003DF20 BLX sub_4B29C
.text:0003DF24 CMP R0, #0
.text:0003DF28 BNE loc_3DF38
.text:0003DF2C LDR R0, =aMntBaseUsEnabl ; "/mnt/base-us/ENABLE_DIAGS"
.text:0003DF30 BL remove
.text:0003DF34 BL sync
.text:0003DF38
.text:0003DF38 loc_3DF38 ; CODE XREF: sub_3DDE4+144j
.text:0003DF38 LDR R0, =unk_5A23A ### this is "/usr/sbin/rpinit"
.text:0003DF3C SUB R1, R11, #0x84
.text:0003DF40 BLX sub_4B29C
.text:0003DF44 CMP R0, #0
.text:0003DF48 BNE loc_3DF6C
.text:0003DF4C SUB R0, R11, #0x520
.text:0003DF50 LDR R1, =aSStart ; "%s start"
.text:0003DF54 SUB R0, R0, #4 ; s
.text:0003DF58 LDR R2, =unk_5A23A
.text:0003DF5C BL sprintf
.text:0003DF60 SUB R0, R11, #0x520
.text:0003DF64 SUB R0, R0, #4 ; command
.text:0003DF68 BL system
.text:0003DF6C
.text:0003DF6C loc_3DF6C ; CODE XREF: sub_3DDE4+164j
.text:0003DF6C LDR R0, =aRmRfUsrLocal ; "rm -rf /usr/local/*"
.text:0003DF70 BL system
.text:0003DF74 LDR R3, [R4]
.text:0003DF78 MOV R0, R4
.text:0003DF7C LDR R3, [R3,#0xB0]
.text:0003DF80 BLX R3
.text:0003DF84 LDR R1, =aSSendingMntroo ; "%s: sending mntroot_ro: idme -d --boot"...
.text:0003DF88 MOV R2, R0
.text:0003DF8C MOV R0, R4
.text:0003DF90 BL sub_38410
.text:0003DF94 LDR R0, =unk_5A29A ; command
.text:0003DF98 BL system
.text:0003DF9C LDR R3, [R4]
.text:0003DFA0 MOV R0, R4
.text:0003DFA4 LDR R5, [R3,#0x1A0]
.text:0003DFA8 LDR R3, [R3,#0xB0]
.text:0003DFAC BLX R3
.text:0003DFB0 MOV R3, #0x9F
.text:0003DFB4 MOV R1, #1
.text:0003DFB8 SUB R2, R11, #0x124
.text:0003DFBC STR R0, [SP,#0x530+var_530]
.text:0003DFC0 MOV R0, R4
.text:0003DFC4 BLX R5
.text:0003DFC8 LDR R0, =aIdmeDBootmodeM ; "idme -d --bootmode main"
.text:0003DFCC BL system
.text:0003DFD0 BL sync
.text:0003DFD4 LDR R3, =unk_70CD0
.text:0003DFD8 MOV R0, #0
.text:0003DFDC STR R0, [R3,#0x7C]
.text:0003DFE0 MOV R3, #1
.text:0003DFE4 STR R3, [R4,#0xC]
.text:0003DFE8 B loc_3DFF8
.text:0003DFEC ; ---------------------------------------------------------------------------
.text:0003DFEC
.text:0003DFEC loc_3DFEC ; CODE XREF: sub_3DDE4+A8j
.text:0003DFEC ; sub_3DDE4+128j
.text:0003DFEC MOV R0, 0xFFFFFFFF
.text:0003DFF0 MOV R3, #2
.text:0003DFF4 STR R3, [R4,#0xC]
.text:0003DFF8
.text:0003DFF8 loc_3DFF8 ; CODE XREF: sub_3DDE4+204j
.text:0003DFF8 SUB SP, R11, #0x14
.text:0003DFFC LDMFD SP, {R4,R5,R11,SP,PC}
.text:0003DFFC ; End of function sub_3DDE4
.text:0003DFFC
... and here, the relevant logic seems to be: if /mnt/base-us/ENABLE_DIAGS exists, remove it, AND rm -rf /usr/local/*, THEN reboot to main.
Now go figure how these two things go together (as the second part would also remove /usr/local/bin/dropbearmulti, which is needed for the first part to make sense)... WTF?
PS: I also don't know what that "/usr/sbin/rpinit start" command would mean, this file doesn't exist either. WTF²?
Last edited by ixtab; 05-07-2012 at 01:58 PM.
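As an added illustration (not part of ixtab's post and not code from the Kindle firmware), here is a Python model of the two disassembled code paths, so the commands each one runs can be traced for a given set of files on the device. It assumes sub_4B29C is a stat()-like check returning 0 when the path exists, that the call through [R3,#0x98] runs a shell command, that the truncated dropbearkey format string ends in "-f %s", and it keeps unk_5A29A as a placeholder since its string is not in the listing.

```python
# Added example, not code from the thread: a Python model of the two code paths
# ixtab disassembled, so their interaction can be traced without rereading ARM.
# Assumptions: sub_4B29C behaves like stat() and returns 0 when the path exists;
# the call through [R3,#0x98] runs a shell command (strings as in the listing);
# the truncated dropbearkey format string ends in "-f %s"; unk_5A29A is unknown
# (the nearby log text says "sending mntroot_ro") and is kept as a placeholder.

DROPBEARMULTI = "/usr/local/bin/dropbearmulti"
HOST_KEY = "/etc/dropbear/dropbear_rsa_host_key"
ENABLE_DIAGS = "/mnt/base-us/ENABLE_DIAGS"


def install_dropbear(existing):
    """Model of sub_1ECD4: the commands it runs given the set of existing paths."""
    cmds = []
    if DROPBEARMULTI not in existing:
        return cmds                          # BNE loc_1EDDC: return 0, do nothing
    cmds += ["mntroot rw", "mkdir -p /usr/local/sbin"]
    for link in ("/usr/local/sbin/dropbearkey", "/usr/local/sbin/dropbear"):
        if link not in existing:             # BEQ skips the ln when stat() == 0
            cmds.append(f"ln -s {DROPBEARMULTI} {link}")
    if HOST_KEY not in existing:
        cmds.append("mkdir -p /etc/dropbear/ && /usr/local/sbin/dropbearkey "
                    f"-t rsa -f {HOST_KEY}")  # second %s is an assumption
    cmds += ["/usr/local/sbin/dropbear", "mntroot ro"]  # dropbear is started
    return cmds


def disable_diags(existing):
    """Model of sub_3DDE4 from loc_3DF10 on (the 'disable diagnostics' path)."""
    cmds = ["/usr/sbin/mntroot rw"]
    if ENABLE_DIAGS in existing:             # BNE loc_3DF38 when stat() != 0
        cmds.append(f"remove({ENABLE_DIAGS}); sync()")
    if "/usr/sbin/rpinit" in existing:       # sprintf("%s start", rpinit)
        cmds.append("/usr/sbin/rpinit start")
    cmds.append("rm -rf /usr/local/*")       # unconditional on this path
    cmds.append("<unk_5A29A placeholder>")   # string not recoverable from the listing
    cmds += ["idme -d --bootmode main", "sync()"]
    return cmds


def paths_after_disable(existing):
    """State the model leaves behind: rm -rf /usr/local/* wipes the whole tree."""
    return {p for p in existing
            if not p.startswith("/usr/local/") and p != ENABLE_DIAGS}


def reinstall_after_disable(existing):
    """ixtab's puzzle: after disabling diagnostics, sub_1ECD4 finds no dropbearmulti."""
    return install_dropbear(paths_after_disable(existing))
```

Calling reinstall_after_disable with dropbearmulti present shows the conflict ixtab points out: the disable path wipes /usr/local, so the install path returns an empty command list afterwards.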