Console access on Stretch

[Post-IT]

Use binwalk to determine the structure of the bin file:

Code: Select all

user@ubuntu:~/stretch$ binwalk image-1.0.41.bin 

DECIMAL   	HEX       	DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0         	0x0       	uImage header, header size: 64 bytes, header CRC: 0xF115E2DE, created: Thu Feb 21 06:22:02 2013, image size: 837456 bytes, Data Address: 0x80000000, Entry Point: 0x80000000, data CRC: 0x45401800, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS OpenWrt Linux-3.3.7"
64        	0x40      	LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 2478256 bytes
1048576   	0x100000  	Squashfs filesystem, little endian, version 4.0, compression:  size: 5315382 bytes,  1703 inodes, blocksize: 262144 bytes, created: Thu Feb 21 06:21:59 2013 

The use dd to extract the squashFS filesystem using the offset from binwalk:

Code: Select all

user@ubuntu:~/stretch$ dd if=image-1.0.41.bin bs=1 skip=1048576 count=5315382 of=stretch_1_0_41.squashfs
5315382+0 records in
5315382+0 records out
5315382 bytes (5.3 MB) copied, 13.8922 s, 383 kB/s

Then unsquash the filesystem.

[Phoenix]

Ps. as a sidenote...it seems SOME LUA SCRIPTS look "compressed" (or scrambled)!

For example "\usr\local\plugwise\rest-interface\modules\configuration\beacon.lua", it's not plain text anymore, all headers start with "lUZ" or somesort, could be compiled data....

Clipboard01.png (22.5 KiB) Viewed 13044 times

I tried some LUA decompilers, but with no luck, i get an error about a illegal char or so...:
Lua 5.1 Decompiler: http://winmo.sztupy.hu/luadec.html
Easy LUA Decompiler (java based): http://forums.kleientertainment.com/sho ... Decompiler

--- EDIT ---
I've used a online converter here: http://mta.dzek.eu/compiler/ to see if the headers are the same if i put a LUA script from the smile in it, and they are not..... , so this is really a "mistery" datablob...

Clipboard02.png (17.47 KiB) Viewed 13044 times

--- EDIT ---
Hmmph, there could be a chance if they use their "own" LUA Reader of somesort , there is a file to read those LUA script i think....it's here in: "\usr\bin\pwlua"

[Phoenix]

Use binwalk to determine the structure of the bin file:

Code: Select all

user@ubuntu:~/stretch$ binwalk image-1.0.41.bin 

DECIMAL   	HEX       	DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0         	0x0       	uImage header, header size: 64 bytes, header CRC: 0xF115E2DE, created: Thu Feb 21 06:22:02 2013, image size: 837456 bytes, Data Address: 0x80000000, Entry Point: 0x80000000, data CRC: 0x45401800, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS OpenWrt Linux-3.3.7"
64        	0x40      	LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 2478256 bytes
1048576   	0x100000  	Squashfs filesystem, little endian, version 4.0, compression:  size: 5315382 bytes,  1703 inodes, blocksize: 262144 bytes, created: Thu Feb 21 06:21:59 2013 

The use dd to extract the squashFS filesystem using the offset from binwalk:

Code: Select all

user@ubuntu:~/stretch$ dd if=image-1.0.41.bin bs=1 skip=1048576 count=5315382 of=stretch_1_0_41.squashfs
5315382+0 records in
5315382+0 records out
5315382 bytes (5.3 MB) copied, 13.8922 s, 383 kB/s

Then unsquash the filesystem.

Yeah, most steps work in Cygwin too!, except unSquash 4.0 doesn't support LZMA (4.2 does, but cannot be compiled in Cygwin)
More can be read here: http://blog.403labs.com/post/4478700725 ... quashfs-on

Unsquash for Windows: http://fragilematter.blogspot.nl/2010/0 ... aries.html

stretch_binwalk_050_01.png (97.41 KiB) Viewed 13044 times

stretch_binwalk_050_02.png (5.82 KiB) Viewed 13044 times

unsquashfs_no_lzma.png (16.84 KiB) Viewed 13044 times

[Post-IT]

I think you are missing liblzma and zlib libary which I have by default when installing squashfs-tools on ubuntu:

Code: Select all

user@ubuntu:~/stretch$ apt-cache depends squashfs-tools
squashfs-tools
  Depends: libc6
  Depends: liblzma2
  Depends: liblzo2-2
  Depends: zlib1g

[Phoenix]

Yes, also LZMA needs to be installed...i haven't tried it, because SquashFS tools v4.2 cannot be compiled on Cygwin, the build breaks!, you need to alter some data in the .h or .c source's (like the patches (.patch) on the site where you can download SquashFS tools for windows) to make it a proper build in Cygwin. The only thing is...that the patch for v4.0 doesn't work for v4.2, so it has to be rewritten, and it seems the author hasn't done it yet...

But i will install a VM soon!

[Post-IT]

I think pwlua is a compiled binary which is used to parse the lua files through and thus contains the decryption algorithm or obfuscation hash.

I'm almost thinking about ordering a separate Omnimaboard to do some testing on using the 1.0.41 image. It seems there is a compiler on the system.

[jeroen_]

I see the word "OpenWRT" and I see a lot of GPL protected code there, I do not see the word GPL, a simple google(GPL site:plugwise.com) does not result in any results either.

Did somebody think of just asking for the Source of all these GPL protected products?

As you are the owner of the product, you bought it, you automatically have the full rights to receive from the people who put those GPL binaries onto it, the full GPL sources. So, do ask plugwise to publish this and also acknowledge the code of the many many people that they are using in their products.

See also http://www.gpl-violations.org/faq/sourcecode-faq.html

And yes, if Plugwise does not want to comply, just point them there, if they still do not get it, just post on the GPL-Violations mailinglist, and suddenly their legal department (if such a small company has one) will change their tune and provide you with the full GPL sources along with the building infrastructure so that you are able to use those sources on your products.

Note that this might not include any plugwise-level code, as if they where at least a bit smart they did not do a full link against all of the GPL bits. But at least you will have access to the hardware and anything kernel related and a nice shell to work with... along with cross-compilers etc.


As for Plugwise people reading along: it is indeed a mistake to use GPL-based code in products that you distribute, if you do not want to release your code, you should have chosen to base your product on top of a BSD-alike license which is not viral, that is what you get for trying to do it on the cheap....

[Post-IT]

Sounds a lot less fun and a lot more effort to do it that way. We are doing this just for fun and personal knowledge gathering. Also, I doubt they would have to give you access to the code on the device itself. Apple for instance documents that part and publishes the documents, however they don't give "consoleaccess" to an iPod or iPhone to access that used code.

[Phoenix]

Yeah!, i agree with POST-IT, that's not fun at all!, the sport is...how does it work? also the point is...from my perspective...that Plugwise does not react on any of my mails anymore, feeling ignored...i figure other pathways to the goal!

Please note that all post here in this topic is for educational purposes only and to understand how the hardware works/communicate, there is nothing wrong with it!, also let this be a signal for companies that won't share protocols/software so the global community can build better software then they can do (as a small company!), Company's that are not transparent and open source minded (and using a (wierd) bussiness model) will be soon or later reverse engineered because the community will get to the bottom of it!...mankind always love to see how things work and build something better with/for it!

As for Plugwise people reading along: it is indeed a mistake to use GPL-based code in products that you distribute, if you do not want to release your code, you should have chosen to base your product on top of a BSD-alike license which is not viral, that is what you get for trying to do it on the cheap....

Don't wake sleeping dogs!

[jeroen_]

Sounds a lot less fun and a lot more effort to do it that way. We are doing this just for fun and personal knowledge gathering. Also, I doubt they would have to give you access to the code on the device itself. Apple for instance documents that part and publishes the documents, however they don't give "consoleaccess" to an iPod or iPhone to access that used code.

I agree, it is a lot of fun hacking into a box (and as it is legally yours you are allowed to too)

As they are using GPL based code, they are legally required (see the URL above) to provide you with that code, and the build scripts to get it up and running. They are using OpenWRT which does the same think, who took it from Linksys back then etc...

Apple uses BSD-licensed code, well, at least in the origin. That code is published as Darwin Opensource btw. You will even find the Calendar Server there and other such code.

As for Plugwise not responding, I heard rumors they are being bought out by some energy supplier kind of company... hence them likely being more busy counting cash than providing support to customers
Hence also why one should enforce the GPL today, now you still can...

[Post-IT]

Anyone tried Heartbleed to retrieve their root passwd?