NMT:telnetd
Enabling telnetd
It is entirely possible that you can break your hardware, for which I can not be held responsible, nor is it likely you will get help from Syabas. This guide should not be read by anyone
It all started with a theory: since the FTPD, NFSD, and SMBD all live on the HDD (indeed, it would be pointless to run them if you had no storage to share), perhaps they could be tweaked. I had been warned that the NMT might be using binary signatures, so perhaps I would not be able to replace the binaries themselves, nor was I sure my cross-compile toolchain was correct anyway. But maybe I could wrap FTPD in a shell script or similar and see if I could somehow glean more information.
Step 1
I took out the HDD and mounted it on OS X (after installing that most excellent ext3 driver!). Lo and behold, there are two (well, 3) partitions on the HDD:

    initial mflag swap size
    1 1 0 257008
    2 0 1 506047
    3 1 0 11805585

So, a 250MB partition 1, swap and then the rest of the disk for your media files. Taking a look at partition 1 we find:

    # ls -l
    drwxr-xr-x 8 515 500 4096 Dec 22 07:58 syb8634
    # ls -l syb8634
    -rwxr-xr-- 1 515 500 4811 Dec 13 15:22 CHANGELOG
    -rwxr-xr-x 1 515 500   28 Dec 13 15:25 MIN_FIRMWARE_VER
    -rwxr-xr-- 1 515 500   24 Dec 13 15:25 VERSION
    drwxr-xr-x 2 515 500 4096 Dec 22 07:58 bin
    drwxr-xr-x 2 515 500 4096 Dec 31 21:19 etc
    drwxr-xr-x 2 515 500 4096 Dec 22 07:57 lib
    drwxr-xr-x 2 515 500 4096 Dec 22 07:58 nfsserver
    drwxrwxrwx 3 515 500 4096 Dec 31 21:19 server
    drwxrwxr-x 6 515 500 4096 Dec 22 07:57 web
    # ls -l syb8634/etc
    -rwxr-xr-x 1 515  500   575 Dec  6 18:52 btpd-env.sh
    -rwxr-xr-x 1 515  500   965 Oct 24 15:16 btpd-nvram.sh
    -rwxr-xr-x 1 515  500  1962 Dec  6 19:41 btpd.sh
    -rwxr-xr-x 1 515  500   203 Oct 24 15:16 btpd_get_setting.sh
    -rwxr-xr-x 1 515  500   523 Dec 30 21:00 ftpserver.sh
    -rwxr-xr-- 1 515  500  1978 Dec 13 15:19 nfsserver.sh
    -rw------- 1 root root  152 Dec 31 21:19 pureftpd.passwd
    -rw------- 1 root root 2228 Dec 31 21:19 pureftpd.pdb
    -rwxr-xr-x 1 515  500   718 Nov 29 12:37 smb.sh

Nice. pure-ftpd is there, and we know it has to be run as root (to be allowed to open port 25). Better still, so are its startup script and the pure-ftpd password file. Since I did not want to change any binary or startup script unless I had to, my next step was to change the pure-ftpd passwd file to allow a root login.
As it turns out, pure-ftpd is too picky about root users: I had to change quite a lot just to be able to create the db file, let alone log in. So I modified the ftpuser account so that it is not chrooted (i.e., I removed the trailing '/./' from its home directory).
This allowed me to log in as ftpuser and look around from /. The first thing I noticed was:

    # ls -l /usr/sbin/
    -rwxr-xr-x 1 514  root 12908 Jan  1  2000 boot_auth
    lrwxrwxrwx 1 514  root    17 Jan  1  2000 crond -> ../../bin/busybox
    lrwxrwxrwx 1 root root    31 Dec 31 21:19 exportfs -> /mnt/syb8634/nfsserver/exportfs
    lrwxrwxrwx 1 root root    29 Dec 31 21:19 mountd -> /mnt/syb8634/nfsserver/mountd
    lrwxrwxrwx 1 root root    27 Dec 31 21:19 nfsd -> /mnt/syb8634/nfsserver/nfsd
    lrwxrwxrwx 1 root root    30 Dec 31 21:19 portmap -> /mnt/syb8634/nfsserver/portmap
    lrwxrwxrwx 1 root root    28 Dec 31 21:19 statd -> /mnt/syb8634/nfsserver/statd
    lrwxrwxrwx 1 514  root    17 Jan  1  2000 telnetd -> ../../bin/busybox

Nice, telnetd! Saves me an hour trying to compile my own. I was also allowed to fetch /etc/shadow which informed me that root has no password. Nice, saves me another hour.
Step 2
So, it is time to start telnetd. I made my changes like this:

    # cat syb8634/etc/ftpserver.sh
    #!/bin/sh
    #
    # Pure FTP Server
    #
    start() {
        echo "Starting FTP Server..."
        /mnt/syb8634/bin/nmt_services.cgi cmd=ftp_passwd opt=ftpuser
        /mnt/syb8634/bin/pure-ftpd -j -lpuredb:/mnt/syb8634/etc/pureftpd.pdb -U 000:000 -c 10 -k 100 &
        /usr/sbin/telnetd &
    }

Notice the & is part of the command, to put it in the background.
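
An added audit example, not part of the original guide: run against files from the mounted first partition (plus a copy of /etc/shadow), it reports the three conditions used above, namely an FTP account whose home lacks the '/./' chroot marker, an account with an empty password, and a startup script that launches telnetd. The function names, the `guest` account and all file contents are constructed for illustration; the field positions assume the standard pure-pw passwd and shadow layouts.

```shell
#!/bin/sh
# Added example: audit a mounted firmware partition for the three weak
# points this page relies on. Sample data is constructed.

# pure-ftpd virtual users whose home (field 6) lacks the trailing "/./"
# chroot marker, so the account can browse from /.
unchrooted_ftp_users() {
    awk -F: 'NF >= 6 && $6 !~ "/[.]/$" { print $1 }' "$1"
}

# shadow accounts with an empty password field (field 2).
empty_password_accounts() {
    awk -F: 'NF >= 2 && $2 == "" { print $1 }' "$1"
}

# Non-comment lines of a startup script that launch a telnet daemon.
telnetd_launch_lines() {
    awk '!/^[ \t]*#/ && $0 ~ "(^|[ \t/])telnetd([ \t&;]|$)" {
        sub(/^[ \t]+/, ""); print NR ": " $0 }' "$1"
}

# Write constructed sample files into directory $1.
make_samples() {
    cat > "$1/pureftpd.passwd" <<'EOF'
ftpuser:$1$constructed$hash:1000:1000::/opt/media:::::::::::::
guest:$1$constructed$hash:1001:1001::/opt/media/guest/./:::::::::::::
EOF
    cat > "$1/shadow" <<'EOF'
root::10933:0:99999:7:::
nobody:*:10933:0:99999:7:::
EOF
    cat > "$1/ftpserver.sh" <<'EOF'
start() {
    echo "Starting FTP Server..."
    # /usr/sbin/telnetd (commented out, must not be reported)
    /usr/sbin/telnetd &
}
EOF
}

d=$(mktemp -d) && make_samples "$d"
echo "FTP users not chrooted: $(unchrooted_ftp_users "$d/pureftpd.passwd")"
echo "Empty-password accounts: $(empty_password_accounts "$d/shadow")"
echo "telnetd launch lines: $(telnetd_launch_lines "$d/ftpserver.sh")"
rm -rf "$d"
```
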
Step 3
Boot up and:

    # telnet 192.168.11.21
    Connected to 192.168.11.21.
    Escape character is '^]'.
    BusyBox v1.5.0 (2007-12-14 18:01:15 MYT) Built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    / # uname -a
    Linux nmt 2.6.15-sigma #1282 PREEMPT Tue Dec 18 22:06:01 MYT 2007 mips unknown
    / #

For those of you who like information like myself, the system looks like this when idle:

    / # df -h
    Filesystem      Size    Used Available Use% Mounted on
    /dev/hda1     247.0M   58.6M    175.9M  25% /mnt
    /dev/hda3     292.7G  140.9G    137.0G  51% /opt/sybhttpd/localhost.drives/HARD_DISK

    / # ps -w
      PID Uid        VSZ Stat Command
        1 root      1940 S    init
        2 root           SWN  [ksoftirqd/0]
        3 root           SW<  [events/0]
        4 root           SW<  [khelper]
        5 root           SW<  [kthread]
        6 root           SW<  [kblockd/0]
        9 root           SW<  [khubd]
       52 root           SW   [pdflush]
       53 root           SW   [pdflush]
       55 root           SW<  [aio/0]
       54 root           SW   [kswapd0]
       56 root           SW   [cifsoplockd]
       57 root           SW   [cifsdnotifyd]
      640 root           SW<  [kseriod]
      666 root           SW   [mtdblockd]
      704 root           SW<  [scsi_eh_0]
      705 root           SW<  [usb-storage]
      734 root      1128 S <  udevd
      772 root      1956 S    udhcpc -R -b -p /var/run/udhcpc.eth0.pid -i eth0
      836 root      1384 S    lircd
      840 root      1116 S    fipd
      854 root      1944 S    crond
      881 root           SW   [kjournald]
      888 root           SW   [kjournald]
      899 root      2516 S    ./sybhttpd /opt/sybhttpd
      900 root      1092 S    mounter
      901 root      1712 S    cdstatus
      905 root      2784 S    /upnp/upnpapp
      915 root      2784 S    /upnp/upnpapp
      916 root      2784 S    /upnp/upnpapp
      917 root      1392 S    mDNSNetMonitor
      918 root      2784 S    /upnp/upnpapp
      919 root      2744 S    /upnp/upnpapp
      931 root     14276 S    ./gaya
      932 root      1160 S    ./ipmonitor
      952 root     14276 S    ./gaya
      977 root      1608 S    pure-ftpd (SERVER)
      982 root      1940 S    /usr/sbin/telnetd
      999 daemon    1392 S    /usr/sbin/portmap
     1002 root           SW<  [nfsd4]
     1005 root      1472 S    /usr/sbin/mountd
     1007 root      1408 S    /usr/sbin/statd
     1003 root           SW   [nfsd]
     1013 root           SW   [lockd]
     1014 root           SW<  [rpciod/0]
     1034 nobody   39312 S    ./httpd -d /mnt/syb8634/server -f /mnt/syb8634/server/httpd.conf
     1035 root      1012 S    ./msUPnP-mips --port 8088
     1037 root       928 S    ./mDNSrespd-mips -n nmt myihome -t _difi._tcp. -p 8088 -b
     1039 root       928 S    ./mDNSrespd-mips -n nmt myihome (SMP8634 Media Server) -t _http._tcp. -p 8088 -b
     1045 root      1560 S <  ./ms-mips start
     1046 nobody   39336 S    ./httpd -d /mnt/syb8634/server -f /mnt/syb8634/server/httpd.conf
     1047 nobody   39336 S    ./httpd -d /mnt/syb8634/server -f /mnt/syb8634/server/httpd.conf
     1048 nobody   39336 S    ./httpd -d /mnt/syb8634/server -f /mnt/syb8634/server/httpd.conf
     1049 nobody   39336 S    ./httpd -d /mnt/syb8634/server -f /mnt/syb8634/server/httpd.conf
     1050 nobody   39336 S    ./httpd -d /mnt/syb8634/server -f /mnt/syb8634/server/httpd.conf
     1059 root      4348 S    /mnt/syb8634/bin/nmbd -D
     1061 root      9084 S    /mnt/syb8634/bin/smbd -D
     1063 root      9084 S    /mnt/syb8634/bin/smbd -D
     1098 root      1948 S    /mnt/syb8634/bin/btpd -d /opt/sybhttpd/localhost.drives/HARD_DISK/.btpd -p 8881 --bw-in 0 --bw-out 0 --max
     4243 root      1944 S    /bin/sh
     4252 root      1940 R    ps -w

The main player appears to be something called mono, but I expect it actually uses a few depending on format. The internal GUI appears to live in:

    / # ls -l /opt/sybhttpd/default/
    -rw-r--r-- 1 root root    9857 Dec 31 21:19 display.html
    -rw-r--r-- 1 root root    8427 Dec 31 21:19 dvd.html
    -rw-r--r-- 1 root root    6278 Dec 31 21:19 dvd_password.html
    -rw-r--r-- 1 root root    6947 Dec 31 21:19 dvdpwd.html
    -rwxr-xr-x 1 514  500    36712 Dec 18 23:05 filemanager.cgi
    -rw-r--r-- 1 root root    7244 Dec 31 21:19 maintenance.html
    -rw-r--r-- 1 root root    8416 Dec 31 21:19 media_server.html
    -rw-r--r-- 1 root root    9837 Dec 31 21:19 network.html
    -rw-r--r-- 1 root root    7303 Dec 31 21:19 network_manual.html
    -rw-r--r-- 1 root root    6853 Dec 31 21:19 network_share.html
    -rw-r--r-- 1 root root    8251 Dec 31 21:19 network_wireless_manual.html
    -rwxr-xr-x 1 514  500    82920 Dec 18 23:05 nmtwizard.cgi
    -rw-r--r-- 1 root root    9786 Dec 31 21:19 preferences.htm
    -rw-r--r-- 1 root root     185 Dec 31 21:19 restore_factory.html
    -rw-r--r-- 1 root root     258 Dec 31 21:19 server_update.html
    -rwxr-xr-x 1 514  500   498564 Dec 18 23:05 setups.cgi
    -rwxr-xr-x 1 514  500  1663388 Dec 18 23:03 smbclient.cgi
    -rwxr-xr-x 1 514  500    37352 Dec 18 23:05 start.cgi
    -rw-r--r-- 1 root root    7180 Dec 31 21:19 sys_change_password.html
    drwxr-xr-x 3 514  500        0 Dec 18 23:05 torrent
    -rw-r--r-- 1 root root    7432 Dec 31 21:19 torrent_setting.html
    -rw-r--r-- 1 root root     248 Dec 31 21:19 update.html
    drwxr-xr-x 2 514  500        0 Dec 18 23:05 upnp
    -rwxr-xr-x 1 514  500    30116 Dec 18 23:05 upnpnat
    -rwxr-xr-x 1 514  500    98436 Dec 18 23:05 webservices.cgi
    -rw-r--r-- 1 root root    9417 Dec 31 21:19 webservices_edit.html
    -rw-r--r-- 1 root root    7761 Dec 31 21:19 webservices_list.html

But personally, I am not so interested in any of that.