Hacking Consumer Devices for Fun and Profit
An Insider's View of the NSLU2-Linux Open-Source Project
Rod Whitby <[email protected]>
NSLU2-Linux Project Lead

Outline

1. The Linksys NSLU2
   - Hardware Specs
   - Linksys Firmware
   - RedBoot Bootloader
2. Unslung Firmware
   - Project Inception
   - Unslung 1.x
   - Unslung 2.x to 5.x
   - Unslung 6.x
3. Optware Packages
   - NSLU2, WL500g, …
   - Distributed Development
4. SlugOS Firmware
   - OpenSlug, “DebianSlug”
5. Official Kernel Support
   - NSLU2, NAS100D, Loft, …
6. Official Debian Support
   - Debian Etch Loves The Slug
7. The Fun
   - NSLU2-Linux Exhibitions
   - NSLU2-Linux Community
   - NSLU2-Linux Development
   - Project Infrastructure
8. The Profit
   - How to Make a Small Fortune
   - Donations for Hardware
9. The Future
   - What to do next

10 Feb 2007  Hacking Consumer Devices for Fun and Profit  Rod Whitby <[email protected]>

The Linksys NSLU2 - Hardware Specs

- Network Attached Storage (NAS) Consumer Device
- 27.5mm x 135mm x 96mm
- 5V DC, Maximum 2 Amps
- Intel XScale IXP420
- Big-endian ARM
- 133MHz (under-clocked)
- 10/100 Ethernet
- 2 x USB 2.0 Host Ports
- 32 MB RAM
- 8 MB Flash
- Serial, JTAG, I2C, …
- NSLU2 -> NSLUG -> “Slug”

The Linksys NSLU2 - Stock Linksys Firmware

- Designed to be a stand-alone Samba server for attached USB hard disks.
- Ext3 filesystem with 3 partitions
  - Must be formatted on the device
- Linux 2.4.22 Kernel
  - Major modifications to the USB and SCSI subsystems
- Snapgear-based root filesystem
  - busybox, samba, thttpd, etc.
- Linksys binary-only utilities
  - Set_Led, USB_Detect, Watchdog, CheckPowerButton, CheckResetButton
- Source code available for kernel and root filesystem, but not for Linksys binaries

The Linksys NSLU2 - RedBoot Bootloader

- Loads kernel and initial ramdisk into memory, then executes kernel.
- Kernel size is limited to 1MB
- Ramdisk size is set at 10MB (can extend to 12MB if required)
- MAC address for internal ethernet interface stored alongside RedBoot
- Significant modifications by Linksys
  - Addition of “move”, “boot”, and “upgrade” commands
  - Removal of FIS directory functions
- Not intended to be user-accessible
  - … unless you solder on a connector for a serial port
  - Linksys left in a 2-second telnet window of opportunity
  - Upgrade mode is another exploit mechanism
- “Good enough” for our purposes, so left alone.

Unslung Firmware - Project Inception

12 July 2004
  Jim Buzbee finds the Telnet exploit.
31 July 2004
  nslu2-linux mailing list is created.
5 Aug 2004
  Tom’s Hardware article published.
  Mailing list has 13 members.
10 Aug 2004
  First successfully modified image.
11 Aug 2004
  Serial port and RedBoot TFTP.
  “Unslung” concept based on /linuxrc.
  Jim’s journal links to the mailing list.
15 Aug 2004
  iTunes server ported.
16 Aug 2004
  Busybox, dropbear and wget ported.
  Donations requested ($240 on first day).
17 Aug 2004
  Rod’s NSLU2 arrives in the post.
18 Aug 2004
  Slug sacrificed to find JTAG traces.
  Jim’s journal page is slashdotted, and the mailing list feels the effect.
19 Aug 2004
  nslu2-linux.org domain registered.
22 Aug 2004
  nslu2-general mailing list created.
24 Aug 2004
  First boot from external hard disk.
  Serial port mod published.
25 Aug 2005
  Linksys releases kernel source.
30 Aug 2005
  RedBoot telnet access found.
  RedBoot upgrade mode found.
31 Aug 2005
  700 members and 1000 list emails.
13 Sep 2005
  Wiki installed at www.nslu2-linux.org

Unslung Firmware - Unslung 1.x

- Designed to be a minimal-changes firmware replacement
  - Retains all of the standard NSLU2 product functionality unchanged
  - Adds the capability to load the root filesystem from external storage and download and install packages onto that external storage to be used alongside the standard product functionality.
  - Also defines the package format for downloadable packages.
- Unslung 1.7-alpha source code was released on 3 Sep 2004.
  - The goal was to free up 10MB of RAM by pivoting from an initial “switchbox” ramdisk to JFFS2 or an external disk or NFS root filesystem.
  - Built from a Makefile in a SourceForge CVS repository.
  - Used a binary sed to modify the Linksys kernel.
- Unslung 1.11-beta binary image was released on 14 Sep 2004.
- There were well over 1000 downloads of Unslung 1.x

Unslung Firmware - Unslung 2.x and 3.x

- Unslung 2.12-beta binary image was released on 6 Nov 2004.
  - The goal was to build the firmware from source.
  - Support for ext3 flash disks on Port 1
  - Full downloadable package support
  - USB enclosure fixes (Genesys)
  - Kernel compiled from source (including some fixes)
- Unslung 3.16-beta binary image was released on 25 Dec 2004.
  - The goal was to add a persistent JFFS2 root file system.
  - USB devfs support (driven by Topfield “puppy” development)
  - NFS kernel support
  - Recovery mode and Maintenance mode added.

Unslung Firmware - Unslung 4.x and 5.x

- Unslung 4.20-beta binary image was released on 15 May 2005.
  - The goal was to become self-hosting – being able to build Optware packages natively, and to free up another 1MB of RAM by booting directly to a /linuxrc in JFFS2 instead of using the “switchbox” initrd.
  - The internal JFFS2 partition became an initfs and recovery filesystem.
  - More kernel modules were enabled (and kernel module ipkg feed added)
    - RAID, USB Audio, USB Cameras, Traffic Shaping, Tape Drives, etc.
  - Quite a few people stuck with 3.18-beta until 5.5-beta was released.
- Unslung 5.5-beta binary image was released on 14 June 2005.
  - Upgraded to be based on Linksys V2.3R29 firmware.
  - Changed from broken maintenance mode to stable upgrade mode.
  - Disabled the Linksys download daemon (in favor of upgrade mode).
  - There have been almost 18000 downloads of Unslung 5.5-beta.

Unslung Firmware - Unslung 6.x

- Unslung 6.8-beta binary image was released on 12 April 2006.
  - Updated to Linksys R63 firmware, which includes the Paragon commercial NTFS kernel module with full write support.
  - Many usability improvements (to try and reduce the number of installation-related questions on the mailing list).
  - The new Unslung logo is now featured in the Web GUI ☺
  - There have been over 28000 downloads of Unslung 6.8-beta.

Optware Packages - NSLU2, WL500g, …

- Began as “Unslung Packages” – now over 750 packages strong.
- The set of packages has been ported to many targets:
  - Linksys NSLU2 (armeb, glibc)
  - Asus WL500g/gx (mipsel, uclibc)
  - Synology DS-101 (armeb, glibc)
  - Freecom FSG-3 (armeb, glibc)
  - Maxtor Shared Storage (armeb, uclibc)
  - Iomega NAS 100d (armeb, glibc)
  - Synology DS-101g+ (powerpc, glibc)
  - Linksys WRT54G* (mipsel, uclibc)
  - Technologic Systems TS72xx (arm, glibc)
- Diverse range of packages:
  - Apache, MySQL, Perl/PHP/Python, Squid
  - Email, IRC, CUPS, Torrent, CVS, SVN, Git, Monotone
  - Webcam, Network Sound, USB PVR, X10, Samba PDC, Topfield EPG
  - MediaWiki, Asterisk, Gallery, iTunes Server, CCXStream, TwonkyVision

Optware Packages - Distributed Development

- More than 100 Optware package developers.
- Send a new package.mk file to the nslu2-developers mailing list and you are granted CVS write access.
- An identified package feed manager for each of the targets.
- New and modified packages are built automatically every half hour, and the package feeds for all targets are updated upon successful builds.
- Build logs are published on the web for package developers to peruse (and fix any problems).

[Figure: NSLU2 Asterisk PBX (on 512MB flash stick); Sipura SPA-3000 ATA/Gateway]

SlugOS Firmware - OpenSlug, “DebianSlug”

- SlugOS refers to our legacy-free distributions based on OpenEmbedded
  - Latest 2.6.x kernel (currently 2.6.20)
  - Support for the NSLU2 written from scratch and contributed to kernel.org
  - OpenEmbedded-based root filesystem
  - Draws on the 1500+ packages available in OpenEmbedded
  - No legacy Linksys proprietary source code or binaries
- OpenSlug (SlugOS/BE) refers to slugos-bag (big-endian, arm, glibc),
- “DebianSlug” (SlugOS/LE) refers to slugos-lag (little-endian, arm, glibc)
- UcSlugC refers to slugos-btu (big-endian, thumb, uClibc), but is no longer supported.
- “DebianSlug” name has been deprecated, now that Debian/NSLU2 exists.
- OpenSlug 1.12-beta binary image was released on 15 May 2005.
- OpenSlug 2.7-beta binary image was released on 28 Sep 2005.
- SlugOS 3.10-beta binary images (current release, both BE and LE) were released on 9 June 2006.

SlugOS Firmware - OpenSlug, “DebianSlug”

- There were 484 downloads of the OpenSlug 1.12-beta binary image, 625 downloads of OpenSlug 2.0-beta (since 22 July 2005), 1032 downloads of OpenSlug 2.5-beta (since 9 Aug 2005), 2669 downloads of OpenSlug 2.7-beta (since 28 Sep 2005) and 9129 downloads of SlugOS 3.10-beta (since 9 Jun 2006).
- SlugOS releases generally occur in response to major kernel version changes.
- Quite a few SlugOS users build their own firmware from source.