Playing with Linux on AlterPath ACS, in the hope of replacing OpenSSHd (Part 1)
The AlterPath console server is a pretty neat device and can be picked up quite cheap on eBay if you're willing to wait for auctions. I wanted to give mine a public address so I can access serial devices remotely, but when I looked up the CVEs for the version of OpenSSHd, I quickly changed my mind (version 4.1p1 if you are interested).
As the entire system is stored in a ramfs, you can't exactly just copy across a new version of ssh and compile it. So, let's see how far we can get…
The zImage is stored in /mnt/flash, you can copy it to your local machine with scp/sftp. This file contains the kernel and file system. You can use binwalk to find the locations of this data in the zImage. In this case, the first gzip is the kernel, and the second is the ramfs.
$ binwalk ../zImage
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
22195 0x56B3 Copyright string: "Copyright 1995-1998 Mark Adler "
23813 0x5D05 gzip compressed data, maximum compression, from Unix, last modified: 2005-11-07 17:33:44
1118208 0x111000 gzip compressed data, maximum compression, from Unix, last modified: 2005-11-07 17:33:24
13786857 0xD25EE9 Unix path: /ppc/boot/simple/head.S
We can be sure of this by doing:
dd if=zImage bs=1 skip=23813 | gzip -d > zImage.1
dd if=zImage bs=1 skip=1118208 | gzip -d > zImage.2
$ binwalk zImage.1
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
1740344 0x1A8E38 Linux kernel version "2.6.11 (gcc version 3.3.1 (MontaVista 3.3.1-3.0.10.0300532 2003-12-24)) #2 Mon Nov 7 09:33:40 PST 2005"
1848896 0x1C3640 CRC32 polynomial table, little endian
1851271 0x1C3F87 Copyright string: "Copyright 1995-1998 Mark Adler "
2363392 0x241000 gzip compressed data, maximum compression, from Unix, last modified: 2005-11-07 15:27:38
$ binwalk zImage.2
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 Linux EXT filesystem, rev 1.0, ext2 filesystem data, UUID=9aaffa40-03e9-4968-9c8a-8c731bfa1bfa
130906 0x1FF5A Minix filesystem, V1, big endian, 3 zones
368640 0x5A000 ELF, 32-bit MSB shared object, PowerPC or cisco 4500, version 1 (SYSV)
431196 0x6945C CRC32 polynomial table, big endian
435292 0x6A45C CRC32 polynomial table, little endian
439459 0x6B4A3 Copyright string: "Copyright 1995-2005 Jean-loup Ga
...
So once you have the rootfs extracted, we can mount it.
$ sudo mount -t ext2 zImage.2 mnt
[sudo] password for aaron:
$ ls -lah mnt
total 72K
drwxr-xr-x. 20 root root 1.0K Nov 7 2005 .
drwxrwxr-x. 3 aaron aaron 4.0K Feb 14 23:28 ..
-rw-r--r--. 1 root root 449 Nov 7 2005 .bashrc
drwxr-xr-x. 2 root root 3.0K Nov 7 2005 bin
drw-r--r--. 10 root root 1.0K Nov 7 2005 COPYRIGHTS
drwxr-xr-x. 3 root root 11K Nov 7 2005 dev
drwxr-xr-x. 27 root root 2.0K Nov 7 2005 etc
drwxr-xr-x. 3 root root 1.0K Nov 7 2005 home
drwxr-xr-x. 2 root root 1.0K Nov 7 2005 info
drwxr-xr-x. 5 root root 3.0K Nov 7 2005 lib
drwxr-xr-x. 2 root root 1.0K Nov 7 2005 libexec
drwx------. 2 root root 12K Nov 7 2005 lost+found
drwxr-xr-x. 5 root root 1.0K Nov 7 2005 mnt
drwxr-xr-x. 6 root root 1.0K Nov 7 2005 new_web
drwxr-xr-x. 3 root root 1.0K Nov 7 2005 opt
drwxr-xr-x. 2 root root 1.0K Nov 7 2005 proc
-rw-r--r--. 1 root root 367 Nov 7 2005 .profile
-rw-r--r--. 1 root root 923 Nov 7 2005 readme
drwx------. 2 root root 1.0K Nov 7 2005 root
drwxr-xr-x. 2 root root 1.0K Nov 7 2005 sbin
-rw-r--r--. 1 root root 1.2K Nov 7 2005 sec-warning
drwxrwxrwt. 2 root root 1.0K Nov 7 2005 tmp
-rw-r--r--. 1 root root 17K Nov 7 2005 upgrade_notes
drwxr-xr-x. 8 root root 1.0K Nov 7 2005 usr
drwxr-xr-x. 14 root root 1.0K Nov 7 2005 var
That was already fun :) The next step will be trying to cross compile a simple program for linux the mpc8xx. If we can do that, compiling OpenSSHd should not be too much effort. All of the pre-built toolchains appear to have disappeared from the web, so I am not entirely sure what I will do yet.
Related posts:
Wanting to leave a comment?
Comments and feedback are welcome by email (aaron@nospam-aaronsplace.co.uk).