**** BEGIN LOGGING AT Wed Dec 30 02:59:57 2009
Dec 30 20:52:58 <key2> hey
Dec 30 20:53:15 <key2> is it possible with openjtag to inject some binary code into a running process ?
Dec 30 20:53:53 <key2> (openocd)
Dec 30 20:57:54 <key2> basically, if I have a running embedded linux that I can just access via jtag, what would be the best way to make it prone a remote shell ? ( i thought about injecting a shellcode to a process and running it, but there might be easyer way of doing it ?)
Dec 30 21:26:50 <eigma> kay2, injecting shellcode into userspace would require you to find a slew of kernel data structures.. not an easy feat
Dec 30 21:28:07 <eigma> kay2, you may want to instead hook an interrupt handler with a little bit of kernel-mode code.. the problem there is you would need to find the syscall table, and you're in interrupt context so you can't call most syscalls
Dec 30 21:28:27 <eigma> kay2, what's the device and what are you trying to achieve, at a high level?
Dec 30 21:43:24 <key2> eigma: it's an arm926ejs
Dec 30 21:43:43 <key2> the console mode of the kernel + uboot has been disabled
Dec 30 21:43:49 <key2> and I'd like to get a shell
Dec 30 21:44:03 <key2> so up to now, I can only use jtag
Dec 30 21:48:09 <eigma> arm926ejs is only the CPU. what SoC, what board, what device (the whole thing)
Dec 30 21:48:37 <eigma> do you know where the RAM is mapped?
Dec 30 21:48:57 <eigma> are you familiar with ARM interrupt handling? (I'm a bit rusty myself
Dec 30 21:51:56 <eigma> and where do you plan on spawning that shell? is there a serial console?
Dec 30 21:53:32 <key2> it's a PC202
Dec 30 21:53:36 <key2> from picochip
Dec 30 21:53:54 <key2> I have the kernel output, so I can see what is mapped where...
Dec 30 21:54:04 <key2> the device is a Femtocell
Dec 30 21:56:27 <eigma> key2: this guy? http://www.picochip.com/page/66/PC82xx
Dec 30 21:57:19 <key2> something similar
Dec 30 21:57:20 <key2> yeah
Dec 30 22:01:07 <eigma> can you pastebin the full kernel output?
Dec 30 22:01:22 <key2> can I query u a sec ?
Dec 30 22:01:54 <eigma> sure
Dec 30 22:21:23 <pytey> key2: u there?
Dec 30 22:22:28 <key2> pytey:yeah
Dec 30 22:22:38 <pytey> we've rooted that device
Dec 30 22:22:51 <pytey> (a different group)
Dec 30 22:22:55 <key2> pytey: what brand
Dec 30 22:22:56 <key2> ?
Dec 30 22:22:59 <pytey> (that I'm involved with)
Dec 30 22:23:01 <key2> the vodafone one ?
Dec 30 22:23:04 <pytey> yep
Dec 30 22:23:07 <key2> primeuser
Dec 30 22:23:08 <pytey> they are all the same
Dec 30 22:23:08 <key2> thx
Dec 30 22:23:09 <key2> ;)
Dec 30 22:23:11 <key2> we did it first
Dec 30 22:23:12 <key2> hahaha
Dec 30 22:23:28 <key2> no but the ubiquisys one, u can't root it
Dec 30 22:23:34 <pytey> 'we did it first' 
Dec 30 22:23:35 <key2> no console
Dec 30 22:23:36 <pytey> eh?
Dec 30 22:23:55 <key2> pytey: with dieter ?
Dec 30 22:23:55 <pytey> we
Dec 30 22:24:02 <key2> harald
Dec 30 22:24:03 <key2> steve
Dec 30 22:24:04 <key2> ...
Dec 30 22:24:11 <pytey> nope
Dec 30 22:24:24 <pytey> we worked on it independantly
Dec 30 22:24:24 <key2> the vodafone is easy to root
Dec 30 22:24:30 <key2> from uboot, u dump, find passwd
Dec 30 22:24:45 <key2> u're done with john the ripper after few minutes with root: primeuser
Dec 30 22:24:49 <key2> the ubiquisys is really hard to root
Dec 30 22:25:06 <pytey> well we just used console :)
Dec 30 22:25:17 <pytey> or ssh
Dec 30 22:25:29 <key2> voda has also a udhcpd buffer overflow
Dec 30 22:25:33 <key2> we could root it also that way
Dec 30 22:25:48 <key2> there was a lot of different ways of doing it
Dec 30 22:25:49 <key2> ..
Dec 30 22:26:10 <pytey> the primeuser passwd isn't the one we are using btw
Dec 30 22:26:39 <key2> there was two user
Dec 30 22:26:41 <key2> if my memory is good
Dec 30 22:26:42 <key2> root
Dec 30 22:26:43 <key2> and primeuser
Dec 30 22:27:01 <pytey> nope, not that
Dec 30 22:27:30 <pytey> you can ssh to it anyhow
Dec 30 22:27:48 <pytey> I'm interested in the DS2460B
Dec 30 22:27:56 <pytey> which is probably used for EAP-SIM
Dec 30 22:28:08 <pytey> for part of the openswan IPSEC stuff
Dec 30 22:28:22 <pytey> this is the blob that connects to the sagem GSM module inside
Dec 30 22:28:31 <key2> the password for root was newsys ?
Dec 30 22:28:34 <key2> if my mem is good
Dec 30 22:28:39 <pytey> correct
Dec 30 22:29:04 <pytey> do you have the serial console?
Dec 30 22:29:09 <key2> sure
Dec 30 22:29:21 <pytey> ssh listens on 22 and 222 btw, dunno if you saw this
Dec 30 22:29:26 <key2> sure
Dec 30 22:29:44 <key2> but we did everything we needed to do with the voda one
Dec 30 22:29:51 <key2> could wiretap even people
Dec 30 22:29:54 <key2> add IMSI to the base..
Dec 30 22:29:56 <key2> and so on
Dec 30 22:29:56 <key2> ...
Dec 30 22:30:04 <pytey> yeah, same here
Dec 30 22:30:09 <key2> their security is ridiculious
Dec 30 22:30:18 <pytey> who are you?
Dec 30 22:30:22 <pytey> do I know you?
Dec 30 22:30:26 <key2> not sure
Dec 30 22:30:28 <key2> ;)
Dec 30 22:30:28 <pytey> let's pm
Dec 30 23:47:13 <Radiotubes> anyone have some experience with MIPS based targets?
Dec 31 00:19:40 <Radiotubes> yup
Dec 31 00:54:40 <key2> Radiotubes: some
Dec 31 00:54:47 <key2> Radiotubes: with ejtag ?
Dec 31 01:03:24 <Radiotubes> oh hello
Dec 31 01:03:31 <Radiotubes> yes using openocd
**** ENDING LOGGING AT Thu Dec 31 02:59:57 2009