08-16-2006, 08:23 AM | #1 |
Fully Converged
Posts: 18,170
Karma: 14021202
Join Date: Oct 2002
Location: Switzerland
Device: Too many to count here.
|
iLiad Firmware 2.6 files ready to be disassembled
For the binary-obsessed, unquenchable Linux junky, there may be nothing more tantalizing than having access to the files of a Linux system. So are you interested in tinkering with yesterday's firmware upgrade for the iLiad? Then jump over here where you can find the userland files and the kernel image - both in virgin form before the upgrade was actually started.
|
08-16-2006, 08:33 AM | #2 |
Uebermensch
Posts: 2,583
Karma: 1094606
Join Date: Jul 2003
Location: Italy
Device: Kindle
|
Wow. I mean wow! Just look at /usr/bin/do_updates!
Code:
    <snip>
    #
    # SSH server and root password checks
    #
    updates_done=0
    new_password='b64NybVuHUa/U'
    echo -n 'Checking for patches:'
    if [ -x /usr/sbin/dropbearmulti ]
    then
      echo -n ' rm_sshd'
      /usr/bin/ipkg remove -force-depends dropbear
      updates_done=1
    fi
    if [ "`grep '^root:' /etc/passwd | cut -d: -f2`" != "${new_password}" ]
    then
      echo -n ' passwd'
      sed -i "s,^\\([^:]*\\):[^:]*:0:,\\1:${new_password}:0:," /etc/passwd
      updates_done=1
    fi
    if [ "${updates_done}" -eq 0 ]
    then
      echo -n " none"
    fi
    echo .
|
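What the password step of do_updates does when it runs, replayed against a scratch file (an added example, not part of the post above and not iRex code; the passwd entries, including the second uid-0 account "toor", are constructed). It shows that the sed expression rewrites every uid-0 entry, not only root, that a second run is a no-op, and that the hash ends up in passwd itself.

```shell
#!/bin/sh
# Added example, not iRex code. The passwd entries below are constructed,
# including the second uid-0 account "toor".

new_password='b64NybVuHUa/U'   # literal quoted from do_updates in the post above

# Write a constructed passwd file to a temp path and print that path.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:OLDHASHroot00:0:0:root:/root:/bin/sh
toor:OLDHASHtoor00:0:0:second uid-0 account:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
EOF
    echo "$f"
}

# Same test and same sed expression as do_updates, applied to file $1.
# Prints "passwd" if the file was rewritten, "none" if it already matched.
# (Uses a temp file instead of "sed -i" so it also runs with BSD sed.)
apply_password_patch() {
    current=$(grep '^root:' "$1" | cut -d: -f2)
    if [ "$current" != "$new_password" ]; then
        sed "s,^\\([^:]*\\):[^:]*:0:,\\1:${new_password}:0:," "$1" > "$1.new"
        mv "$1.new" "$1"
        echo passwd
    else
        echo none
    fi
}

# Print the password field of account $2 in file $1.
password_field() {
    grep "^$2:" "$1" | cut -d: -f2
}

# Audit helper: accounts whose hash sits in passwd itself, i.e. field 2 is
# not empty and not one of the placeholders x, * or !.
accounts_with_inline_hash() {
    awk -F: '$2 != "" && $2 != "x" && $2 != "*" && $2 != "!" { print $1 }' "$1"
}

f=$(make_sample)
echo "first run:  $(apply_password_patch "$f")"
echo "inline hashes: $(accounts_with_inline_hash "$f" | tr '\n' ' ')"
echo "second run: $(apply_password_patch "$f")"
rm -f "$f"
```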
08-16-2006, 09:07 AM | #3 |
Guru
Posts: 914
Karma: 3410461
Join Date: May 2004
Device: Kindle Touch
|
So basically we need to change the script to add a password we know and maybe remove the dropbear delete code, and then - and I guess that's the harder part - find a way to get it back to the iLiad?
|
08-16-2006, 09:43 AM | #4 |
Groupie
Posts: 197
Karma: 16
Join Date: Apr 2006
Device: irex iliad, uk Kindle gen3
|
hehe glad someone else was able to get it, my attempt failed yesterday.
|
08-16-2006, 10:43 AM | #5 | |
iLiad Geek
Posts: 110
Karma: 10
Join Date: Jul 2006
Location: Regensburg / Germany
Device: iLiad #505; Sony T1, Amazon Paperwhite first Gen & sec is coming!
|
Quote:
|
|
08-16-2006, 11:15 AM | #6 | |
Fully Converged
Posts: 18,170
Karma: 14021202
Join Date: Oct 2002
Location: Switzerland
Device: Too many to count here.
|
Quote:
|
|
08-16-2006, 01:15 PM | #7 | |
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
|
Quote:
Serious congratulations to the author of the Man-in-the-Middle attack. While it is theoretically standard, it is not easy when you only have one try. |
|
08-16-2006, 01:28 PM | #8 | |
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
|
Quote:
At least it is not a personal mine: it does not freeze the iLiad to extract 75 euros from you. On the other hand, it should not be sensible to do it, as an iLiad owner has the right to look into the internals of the firmware (except for proprietary code such as DisplayMgr and so on). |
|
08-16-2006, 03:06 PM | #9 |
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
|
HEY, IT IS NOT AGAINST US. Obviously (but it took me one hour walking/thinking) any crack would not bother installing a .ipkg, it is too critical. And not exactly this .ipkg in any case.
So what is it? It is a tool to remove iRex's own backdoor. It means that iRex service will be able to reinstall the package, perhaps remotely, perhaps from a key combination if it is already inside. And it is a security requirement to remove the package on restart even if the engineer forgets to do it. (The other possibility is that it is a script done as a result of lack of coordination between the hierarchy of analysts and programmers at iRex, and while it is typical of a big company, it should be surprising in a small intimate one as iRex is. On the other hand, if it is happening, it could signal corporate paranoia... for instance, any engineer at iRex acting on this forum or trying to contact any member of this forum would risk punitive measures and so on. I have seen it happen in corporate entities and I hope it will not move in this direction.)
Last edited by arivero; 08-16-2006 at 03:13 PM.
|
08-16-2006, 03:22 PM | #10 |
Übernerd
Posts: 238
Karma: 74
Join Date: Jun 2006
Location: Germany
Device: iRex iLiad
|
anyone looked into ipkg.conf?
Code:
    dest root /
    lists_dir ext /var/lib/ipkg
    src oe http://10.56.210.143/ipk
|
08-16-2006, 10:03 PM | #11 |
Webmonkey
Posts: 7
Karma: 10
Join Date: May 2006
Location: SF Bay
Device: iLiad
|
Anyone have a capture of the HTTP/HTTPS calls and/or the update/boot details?
|
08-17-2006, 03:37 PM | #12 | |
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
|
Quote:
|
|
08-17-2006, 03:46 PM | #13 |
Uebermensch
Posts: 2,583
Karma: 1094606
Join Date: Jul 2003
Location: Italy
Device: Kindle
|
I think it's just an ipkg feed server in their intranet. Note this is a private LAN address.
|
08-17-2006, 04:06 PM | #14 | |
Übernerd
Posts: 238
Karma: 74
Join Date: Jun 2006
Location: Germany
Device: iRex iLiad
|
Quote:
I was thinking, since it is a private IP, could it be that they somehow involve or plan to use the ipkg package manager to do software updates over the IDS connection? Maybe this is more clear. |
|
08-18-2006, 04:56 AM | #15 | |
Guru
Posts: 607
Karma: 2157
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
|
Quote:
|
|