Hacking Consumer Devices for Fun and Profit An Insider's View of the NSLU2-Linux Open-Source Project Rod Whitby <[email protected]> NSLU2-Linux Project Lead

10 Feb 2007 Hacking Consumer Devices for Fun and Profit Rod Whitby <[email protected]>

Hacking Consumer Devices for Fun and Profit

1. The Linksys NSLU2
  Hardware Specs
  Linksys Firmware
  RedBoot Bootloader

2. Unslung Firmware
  Project Inception
  Unslung 1.x
  Unslung 2.x to 5.x
  Unslung 6.x

3. Optware Packages
  NSLU2, WL500g, …
  Distributed Development

4. SlugOS Firmware
  OpenSlug, “DebianSlug”

5. Official Kernel Support
  NSLU2, NAS100D, Loft, …

6. Official Debian Support
  Debian Etch Loves The Slug

7. The Fun
  NSLU2-Linux Exhibitions
  NSLU2-Linux Community
  NSLU2-Linux Development
  Project Infrastructure

8. The Profit
  How to Make a Small Fortune
  Donations for Hardware

9. The Future
  What to do next

The Linksys NSLU2 - Hardware Specs

Network Attached Storage (NAS) Consumer Device
27.5mm x 135mm x 96mm
5V DC, Maximum 2 Amps
Intel XScale IXP420
  Big-endian ARM
  133MHz (under-clocked)
10/100 Ethernet
2 x USB 2.0 Host Ports
32 MB RAM
8 MB Flash
Serial, JTAG, I2C, …
NSLU2 -> NSLUG -> “Slug”

The Linksys NSLU2 - Stock Linksys Firmware

Designed to be a stand-alone Samba server for attached USB hard disks.
Ext3 filesystem with 3 partitions
  Must be formatted on the device
Linux 2.4.22 Kernel
  Major modifications to the USB and SCSI subsystems
Snapgear-based root filesystem
  busybox, samba, thttpd, etc.
Linksys binary-only utilities
  Set_Led, USB_Detect, Watchdog, CheckPowerButton, CheckResetButton
Source code available for kernel and root filesystem, but not for Linksys binaries

The Linksys NSLU2 - RedBoot Bootloader

Loads kernel and initial ramdisk into memory, then executes kernel.
  Kernel size is limited to 1MB
  Ramdisk size is set at 10MB (can extend to 12MB if required)
  MAC address for internal ethernet interface stored alongside RedBoot
Significant modifications by Linksys
  Addition of “move”, “boot”, and “upgrade” commands
  Removal of FIS directory functions
Not intended to be user-accessible…
  unless you solder on a connector for a serial port
  Linksys left in a 2-second telnet window of opportunity
  Upgrade mode is another exploit mechanism
“Good enough” for our purposes, so left alone.

Unslung Firmware - Project Inception

12 July 2004: Jim Buzbee finds the Telnet exploit.
31 July 2004: nslu2-linux mailing list is created.
5 Aug 2004: Tom’s Hardware article published. Mailing list has 13 members.
10 Aug 2004: First successfully modified image.
11 Aug 2004: Serial port and Redboot TFTP. “Unslung” concept based on /linuxrc. Jim’s journal links to the mailing list.
15 Aug 2004: iTunes server ported.
16 Aug 2004: Busybox, dropbear and wget ported. Donations requested ($240 on first day).
17 Aug 2004: Rod’s NSLU2 arrives in the post.
18 Aug 2004: Slug sacrificed to find JTAG traces. Jim’s journal page is slashdotted, and the mailing list feels the effect.
19 Aug 2004: nslu2-linux.org domain registered.
22 Aug 2004: nslu2-general mailing list created.
24 Aug 2004: First boot from external hard disk. Serial port mod published.
25 Aug 2005: Linksys releases kernel source.
30 Aug 2005: RedBoot telnet access found. RedBoot upgrade mode found.
31 Aug 2005: 700 members and 1000 list emails.
13 Sep 2005: Wiki installed at www.nslu2-linux.org

Unslung Firmware - Unslung 1.x

Designed to be a minimal-changes firmware replacement
  Retains all of the standard NSLU2 product functionality unchanged
  Adds the capability to load the root filesystem from external storage and download and install packages onto that external storage to be used alongside the standard product functionality.
  Also defines the package format for downloadable packages.
Unslung 1.7-alpha source code was released on 3 Sep 2004.
  The goal was to free up 10MB of RAM by pivoting from an initial “switchbox” ramdisk to JFFS2 or an external disk or NFS root filesystem.
  Built from a Makefile in a SourceForge CVS repository.
  Used a binary sed to modify the Linksys kernel.
Unslung 1.11-beta binary image was released on 14 Sep 2004.
There were well over 1000 downloads of Unslung 1.x

Unslung Firmware - Unslung 2.x and 3.x

Unslung 2.12-beta binary image was released on 6 Nov 2004.
  The goal was to build the firmware from source.
  Support for ext3 flash disks on Port 1
  Full downloadable package support
  USB enclosure fixes (Genesys)
  Kernel compiled from source (including some fixes)
Unslung 3.16-beta binary image was released on 25 Dec 2004.
  The goal was to add a persistent JFFS2 root file system.
  USB devfs support (driven by Topfield “puppy” development)
  NFS kernel support
  Recovery mode and Maintenance mode added.

Unslung Firmware - Unslung 4.x and 5.x

Unslung 4.20-beta binary image was released on 15 May 2005.
  The goal was to become self-hosting – being able to build Optware packages natively, and to free up another 1MB of RAM by booting directly to a /linuxrc in JFFS2 instead of using the “switchbox” initrd.
  The internal JFFS2 partition became an initfs and recovery filesystem.
  More kernel modules were enabled (and kernel module ipkg feed added)
    RAID, USB Audio, USB Cameras, Traffic Shaping, Tape Drives, etc.
  Quite a few people stuck with 3.18-beta until 5.5-beta was released.
Unslung 5.5-beta binary image was released on 14 June 2005.
  Upgraded to be based on Linksys V2.3R29 firmware.
  Changed from broken maintenance mode to stable upgrade mode.
  Disabled the Linksys download daemon (in favor of upgrade mode).
  There have been almost 18000 downloads of Unslung 5.5-beta.

Unslung Firmware - Unslung 6.x

Unslung 6.8-beta binary image was released on 12 April 2006.
  Updated to Linksys R63 firmware, which includes the Paragon commercial NTFS kernel module with full write support.
  Many usability improvements (to try and reduce the number of installation-related questions on the mailing list).
  The new Unslung logo is now featured in the Web GUI ☺
  There have been over 28000 downloads of Unslung 6.8-beta.

Optware Packages - NSLU2, WL500g, …

Began as “Unslung Packages” – now over 750 packages strong.
The set of packages has been ported to many targets:
  Linksys NSLU2 (armeb, glibc)
  Asus WL500g/gx (mipsel, uclibc)
  Synology DS-101 (armeb, glibc)
  Freecom FSG-3 (armeb, glibc)
  Maxtor Shared Storage (armeb, uclibc)
  Iomega NAS 100d (armeb, glibc)
  Synology DS-101g+ (powerpc, glibc)
  Linksys WRT54G* (mipsel, uclibc)
  Technologic Systems TS72xx (arm, glibc)
Diverse range of packages:
  Apache, MySQL, Perl/PHP/Python, Squid
  Email, IRC, CUPS, Torrent, CVS, SVN, Git, Monotone
  Webcam, Network Sound, USB PVR, X10, Samba PDC, Topfield EPG
  MediaWiki, Asterisk, Gallery, iTunes Server, CCXStream, TwonkyVision

Optware Packages - Distributed Development

More than 100 Optware package developers.
Send a new package.mk file to the nslu2-developers mailing list and you are granted CVS write access.
An identified package feed manager for each of the targets.
New and modified packages are built automatically every half hour, and the package feeds for all targets are updated upon successful builds.
Build logs are published on the web for package developers to peruse (and fix any problems).

NSLU2 Asterisk PBX (on 512MB flash stick)
Sipura SPA-3000 ATA/Gateway

SlugOS Firmware - OpenSlug, “DebianSlug”

SlugOS refers to our legacy-free distributions based on OpenEmbedded
Latest 2.6.x kernel (currently 2.6.20)
  Support for the NSLU2 written from scratch and contributed to kernel.org
OpenEmbedded-based root filesystem
  Draws on the 1500+ packages available in OpenEmbedded
No legacy Linksys proprietary source code or binaries
OpenSlug (SlugOS/BE) refers to slugos-bag (big-endian, arm, glibc), “DebianSlug” (SlugOS/LE) refers to slugos-lag (little-endian, arm, glibc)
  UcSlugC refers to slugos-btu (big-endian, thumb, uClibc), but is no longer supported.
  “DebianSlug” name has been deprecated, now that Debian/NSLU2 exists.
OpenSlug 1.12-beta binary image was released on 15 May 2005.
OpenSlug 2.7-beta binary image was released on 28 Sep 2005.
SlugOS 3.10-beta binary images (current release, both BE and LE) were released on 9 June 2006.

SlugOS Firmware - OpenSlug, “DebianSlug”

There were 484 downloads of the OpenSlug 1.12-beta binary image, 625 downloads of OpenSlug 2.0-beta (since 22 July 2005), 1032 downloads of OpenSlug 2.5-beta (since 9 Aug 2005), 2669 downloads of OpenSlug 2.7-beta (since 28 Sep 2005) and 9129 downloads of SlugOS 3.10-beta (since 9 Jun 2006).

SlugOS releases generally occur in response to major kernel version changes.
Quite a few SlugOS users build their own firmware from source.

“DebianSlug” (SlugOS/LE) is compatible with packages from the official Debian ARM port.

Official Kernel Support - NSLU2, NAS100d, Loft, …

Kernel support (2.6.20) for the supported targets:
  MACH_NSLU2 Linksys NSLU2
  MACH_NAS100D Iomega NAS 100d
  MACH_LOFT GiantShoulderInc Loft
  MACH_DS101 Synology DS101
NSLU2-Linux team has contributed to other items:
  Maclist support
  RTC class
  New LEDs class
  Open Source IXP Ethernet driver
Many patches already pushed upstream
  But many patches still to be pushed …

Official Debian Support - Debian Etch Loves The Slug

Debian Etch has full support for the NSLU2, including all the latest Kernel patches and the open source IXP ethernet driver.
debian-installer will read configuration from flash, bring up network and SSH. Installation done via SSH.
Normal Debian installation to external USB storage.
Full support for in-place kernel upgrades.
There have been over 4400 downloads of the Debian/NSLU2 installation image.

The Fun - NSLU2-Linux Exhibitions

Linux World Expo 2005
SCALE 4x 2006

The Fun - NSLU2-Linux Community

Unslung, Optware and SlugOS are good examples of user-supported / user-developed software done right.
What makes it work so well?
  Separate lists for users and developers.
  Revision-control systems. We use monotone and subversion.
  Wikis. We have a community rule that encourages users to add to and improve the wiki.
  Freenode IRC. The core developers are available to help on a number of IRC channels e.g. #nslu2-linux. Community rules about bothering them.
  Easy to become a developer. Publicly post a working package recipe and you get cvs write access. We have had no “rogue developers” yet, and if we did, any damage would be reverted. A wiki-like model of development.

NSLU2-Linux Community - The Community Rules

1. Never ever use the Linksys EraseAll tool - it will brick your slug permanently.

2. You will search the wiki first and read the FAQ before asking questions on the mailing lists or IRC channels.

3. You must read and follow the steps in the README file precisely when flashing firmware.

4. Those who ask the questions, update the wiki when they get the answers.

5. Those who complain about the documentation, update the wiki to make it better.

6. Friends don't let friends flash custom firmware without confirmed RedBoot upgrade mode access.

7. Friends don't let friends flash custom boot loaders without confirmed JTAG access.

The Development Rules

NSLU2-Linux is run as a “meritocracy” – those who contribute the most are the ones who get to make the key development decisions.
Key contributors are invited to become part of the Core Team, and are assigned a role in line with their major contribution, skill, or external influence.
“If it’s not in the source repository, then it doesn’t exist.”
“If it cannot be built automatically from source, then it cannot be released.”
“It either goes up (-stream) or it goes out.”

NSLU2-Linux Community - Community Growth

Over 12,000 mailing list subscribers.
Over 50,000 downloads of the Unslung firmware.
Over 10,000 downloads of the SlugOS firmware.
Over 10,000 downloads of the Debian/NSLU2 firmware.
The www.nslu2-linux.org wiki serves over 12000 hits and 200MB of data each day.
The ipkg.nslu2-linux.org package feeds serve over 5GB of data per day (in total) from four world-wide mirror locations.
We maintain over 2.5GB of publicly accessible information, source code and executables.

[Chart: NSLU2-Linux Community Growth. Members and Posts, Aug-04 to Feb-07, vertical axis 0 to 25000]

The Fun - NSLU2-Linux Development

100 Optware package developers
20 Core Team members
SlugTime covers the globe:
  HST, PST, CST, EST, GMT, CET, ACST, NZST
4 Firmware Distributions
  Unslung, SlugOS/BE, SlugOS/LE, Debian/NSLU2

"While Linksys does not support any of the alternate firmware available for the NSLU2, we are always delighted to see a product gain such widespread acceptance. Like the similar community that emerged to enhance the WRT54G before it, the creativity and ingenuity of Linksys customers inspires us to continually improve our products." -- Mike Wagner, Director of Marketing, Linksys.

NSLU2-Linux Development - Build Systems and SCM

Unslung 1.x was developed using a simple Makefile in a CVS repository on SourceForge.net
  It unpacked the Linksys firmware binary image, modified the kernel using a binary sed, added new files to the rootfs, and then packed it all back up again ready to be flashed.
Unslung 2.x was developed using the OpenEmbedded build system in a BitKeeper repository in bkbits.net
  Kernel built from source, rootfs unpacked from Linksys firmware image.
Optware packages continue to be developed using a simple template-based Makefile build system in a Subversion repository at svn.nslu2-linux.org
  This is designed to minimize the barrier to entry for new developers.
Unslung 3.x and later, and SlugOS, use the OpenEmbedded build system and a monotone repository at monotone.nslu2-linux.org
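
An added example, not code from the talk or from the NSLU2-Linux project: a same-length "binary sed" of the kind the Unslung 1.x build step above describes, with the checks that keep such a patch reviewable. The patched string, the sample image and all function names are constructed for illustration; the 1MB limit is the RedBoot kernel size limit stated earlier in the talk.

```python
from __future__ import annotations

KERNEL_LIMIT = 1024 * 1024  # RedBoot kernel size limit given in the talk (1MB)


class PatchError(ValueError):
    """The requested patch is refused as unsafe."""


def binary_sed(image: bytes, old: bytes, new: bytes, expect: int = 1) -> tuple[bytes, list[int]]:
    """Overwrite each `old` with `new` without changing the image length.

    A shorter replacement is NUL-padded (suits C strings); a longer one is
    refused because it would shift every later offset in the binary.
    """
    if not old:
        raise PatchError("empty search pattern")
    if len(new) > len(old):
        raise PatchError("replacement longer than pattern")
    padded = new.ljust(len(old), b"\x00")

    # Find all matches before touching anything, so an ambiguous or missing
    # pattern (e.g. a different firmware release) aborts the patch.
    offsets, pos = [], image.find(old)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(old, pos + len(old))
    if len(offsets) != expect:
        raise PatchError(f"expected {expect} match(es), found {len(offsets)}")

    patched = bytearray(image)
    for off in offsets:
        patched[off:off + len(old)] = padded
    if len(patched) > KERNEL_LIMIT:
        raise PatchError("kernel larger than the 1MB bootloader limit")
    return bytes(patched), offsets


def changed_offsets(before: bytes, after: bytes) -> list[int]:
    """Offsets whose byte differs, for auditing exactly what a patch touched."""
    if len(before) != len(after):
        raise PatchError("images differ in length")
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


# Constructed stand-in for a kernel image: filler around one NUL-terminated
# string. The string is illustrative, not what Unslung actually patched.
SAMPLE_KERNEL = b"\xe1\xa0\x00\x00" * 64 + b"root=/dev/ram0\x00" + b"\xff" * 32

if __name__ == "__main__":
    patched, where = binary_sed(SAMPLE_KERNEL, b"root=/dev/ram0", b"root=/dev/sda1")
    print("patched at", where, "changed bytes:", changed_offsets(SAMPLE_KERNEL, patched))
```

Refusing the patch unless the pattern occurs exactly the expected number of times is what stops a build from silently modifying a different firmware release than the one the patch was written for.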

The Fun - Project Infrastructure

Web, Wiki, SVN, Monotone, Bug tracking
  limax.nslu2-linux.org
Automated Cross-compile Build Machine
  nudi.nslu2-linux.org
Automated Native Unslung Build Machine
  gastro.nslu2-linux.org
Automated Native OpenSlug Build Machine
  banana.nslu2-linux.org
Four ipkg mirrors around the world
  ipkg.nslu2-linux.org
  Norway, Oregon, California, Illinois, Georgia.

[Photos: Limax maximus, Nudibranch, Gastropoda, Banana Slug]

The Profit - How to Make a Small Fortune

How do you make a small fortune hacking Linux firmware for consumer devices?

… Start with a large fortune!

The Profit - Donations for Hardware

The project has raised almost USD$10,000 since 16 Aug 2004
All monies are spent on hardware or project expenses
Examples of purchases:
  Intel/AMD Infrastructure Servers
  Intel/AMD Development/Build Server
  Native Build Hosts
  Core Team Development Slugs
  Notable Third Party Developer Slugs
  Developer Bounty Hardware
    Up to $50 hardware driver bounty
  Domain fees
  Exhibition expenses (LinuxWorld Expo 2005, SCALE 2006)
  Donations to cia.navi.cx, irc.freenode.net, www.loglibrary.com, …

The Future - What to do next …

Complete the task of pushing all patches upstream
Push the open source IXP ethernet driver upstream
Track latest kernel versions
Debian support for NAS100d, DSM-G600, FSG-3, …
Add OpenWRT firmware support
Find the next new device to hack …