Blog IndexPosts by TagHome

Playing with Linux on AlterPath ACS, in the hope of replacing OpenSSHd (Part 1)

Posted <2018-02-15 Thu 00:23> by Aaron S. Jackson.

The AlterPath console server is a pretty neat device and can be picked up quite cheap on eBay if your willing to wait for auctions. I wanted to give mine a public address so I can access serial devices remotely, but when I looked up the CVEs for the version of OpenSSHd, I quickly changed my mind (version 4.1p1 if you are interested).

As the entire system is stored in a ramfs, you can't exactly just copy across a new version of ssh and compile it. So, let's see how far we can get...

The zImage is stored in /mnt/flash, you can copy it to your local machine with scp/sftp. This file contains the kernel and file system. You can use binwalk to find the locations of this data in the zImage. In this case, the first gzip is the kernel, and the second is the ramfs.

$ binwalk ../zImage

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
22195         0x56B3          Copyright string: "Copyright 1995-1998 Mark Adler "
23813         0x5D05          gzip compressed data, maximum compression, from Unix, last modified: 2005-11-07 17:33:44
1118208       0x111000        gzip compressed data, maximum compression, from Unix, last modified: 2005-11-07 17:33:24
13786857      0xD25EE9        Unix path: /ppc/boot/simple/head.S

We can be sure of this by doing:

dd if=zImage bs=1 skip=23813 | gzip -d > zImage.1
dd if=zImage bs=1 skip=1118208 | gzip -d > zImage.2

$ binwalk zImage.1

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
1740344       0x1A8E38        Linux kernel version "2.6.11 (gcc version 3.3.1 (MontaVista 3.3.1-3.0.10.0300532 2003-12-24)) #2 Mon Nov 7 09:33:40 PST 2005"
1848896       0x1C3640        CRC32 polynomial table, little endian
1851271       0x1C3F87        Copyright string: "Copyright 1995-1998 Mark Adler "
2363392       0x241000        gzip compressed data, maximum compression, from Unix, last modified: 2005-11-07 15:27:38

$ binwalk zImage.2

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Linux EXT filesystem, rev 1.0, ext2 filesystem data, UUID=9aaffa40-03e9-4968-9c8a-8c731bfa1bfa
130906        0x1FF5A         Minix filesystem, V1, big endian, 3 zones
368640        0x5A000         ELF, 32-bit MSB shared object, PowerPC or cisco 4500, version 1 (SYSV)
431196        0x6945C         CRC32 polynomial table, big endian
435292        0x6A45C         CRC32 polynomial table, little endian
439459        0x6B4A3         Copyright string: "Copyright 1995-2005 Jean-loup Ga
...

So once you have the rootfs extracted, we can mount it.

$ sudo mount -t ext2 zImage.2 mnt
[sudo] password for aaron:
$ ls -lah mnt
total 72K
drwxr-xr-x. 20 root  root  1.0K Nov  7  2005 .
drwxrwxr-x.  3 aaron aaron 4.0K Feb 14 23:28 ..
-rw-r--r--.  1 root  root   449 Nov  7  2005 .bashrc
drwxr-xr-x.  2 root  root  3.0K Nov  7  2005 bin
drw-r--r--. 10 root  root  1.0K Nov  7  2005 COPYRIGHTS
drwxr-xr-x.  3 root  root   11K Nov  7  2005 dev
drwxr-xr-x. 27 root  root  2.0K Nov  7  2005 etc
drwxr-xr-x.  3 root  root  1.0K Nov  7  2005 home
drwxr-xr-x.  2 root  root  1.0K Nov  7  2005 info
drwxr-xr-x.  5 root  root  3.0K Nov  7  2005 lib
drwxr-xr-x.  2 root  root  1.0K Nov  7  2005 libexec
drwx------.  2 root  root   12K Nov  7  2005 lost+found
drwxr-xr-x.  5 root  root  1.0K Nov  7  2005 mnt
drwxr-xr-x.  6 root  root  1.0K Nov  7  2005 new_web
drwxr-xr-x.  3 root  root  1.0K Nov  7  2005 opt
drwxr-xr-x.  2 root  root  1.0K Nov  7  2005 proc
-rw-r--r--.  1 root  root   367 Nov  7  2005 .profile
-rw-r--r--.  1 root  root   923 Nov  7  2005 readme
drwx------.  2 root  root  1.0K Nov  7  2005 root
drwxr-xr-x.  2 root  root  1.0K Nov  7  2005 sbin
-rw-r--r--.  1 root  root  1.2K Nov  7  2005 sec-warning
drwxrwxrwt.  2 root  root  1.0K Nov  7  2005 tmp
-rw-r--r--.  1 root  root   17K Nov  7  2005 upgrade_notes
drwxr-xr-x.  8 root  root  1.0K Nov  7  2005 usr
drwxr-xr-x. 14 root  root  1.0K Nov  7  2005 var

That was already fun :) The next step will be trying to cross compile a simple program for linux the mpc8xx. If we can do that, compiling OpenSSHd should not be too much effort. All of the pre-built toolchains appear to have disappeared from the web, so I am not entirely sure what I will do yet.

Related posts:

Tags: hacks

Blog IndexPosts by TagHome

Copyright 2007-2018 Aaron S. Jackson (modified: Wed 4 Apr 15:31:51 BST 2018)