interested (#51), Posted September 9, 2013
cat /proc/bus/pci/devices >>> DSM 4.3.3776 (DS213+)

    0000 19570110 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
    0200 19570110 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
    0300 10953132 10 c0000004 0 c0004004 0 1001 0 c0080000 80 0 4000 0 80 0 80000 sata_sil24
    0400 19570110 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
    0500 1b6f7023 11 80000004 0 0 0 0 0 0 8000 0 0 0 0 0 0 etxhci_hcd_121130
VeNoM (Author, #52), Posted September 9, 2013
The check uses the sata controller in /proc/bus/pci/devices.

    10953531 sata_sil24 10953132
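As an added example (not code from the thread), a parser for the /proc/bus/pci/devices format quoted in these posts: it splits each line into bus/slot/function, vendor and device ID, IRQ and the bound driver, and then looks for the two Silicon Image IDs the post above names (1095:3132 and 1095:3531). The DS213+ dump from post #51 is the sample input; the field layout (bus<<8|devfn, vendor<<16|device, irq, 7 BAR bases, 7 BAR sizes, optional driver) is the kernel's documented one.

```python
from typing import List, NamedTuple, Optional

class PciDevice(NamedTuple):
    bus: int
    slot: int
    func: int
    vendor: int
    device: int
    irq: int
    driver: Optional[str]

def parse_proc_pci(text: str) -> List[PciDevice]:
    """Parse /proc/bus/pci/devices. Each line: bus<<8|devfn, vendor<<16|device,
    irq, 7 BAR base addresses, 7 BAR sizes, then an optional driver name.
    Every numeric field is hex without a 0x prefix."""
    devices = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 17:
            continue                      # blank or truncated line
        busdevfn = int(fields[0], 16)
        vendev = int(fields[1], 16)
        devices.append(PciDevice(
            bus=busdevfn >> 8,
            slot=(busdevfn & 0xFF) >> 3,
            func=busdevfn & 0x7,
            vendor=vendev >> 16,
            device=vendev & 0xFFFF,
            irq=int(fields[2], 16),
            driver=fields[17] if len(fields) > 17 else None,
        ))
    return devices

# vendor:device pairs named in the post above (1095 = Silicon Image)
SATA_SIL_IDS = {(0x1095, 0x3132), (0x1095, 0x3531)}

def find_sata_sil(devices: List[PciDevice]) -> List[PciDevice]:
    """Controllers whose IDs are in SATA_SIL_IDS, i.e. what a hardware check
    reading /proc/bus/pci/devices would be looking for."""
    return [d for d in devices if (d.vendor, d.device) in SATA_SIL_IDS]

# Sample input: the DS213+ dump from post #51 above
SAMPLE_DS213 = """\
0000 19570110 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0200 19570110 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0300 10953132 10 c0000004 0 c0004004 0 1001 0 c0080000 80 0 4000 0 80 0 80000 sata_sil24
0400 19570110 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0500 1b6f7023 11 80000004 0 0 0 0 0 0 8000 0 0 0 0 0 0 etxhci_hcd_121130
"""

if __name__ == "__main__":
    for d in find_sata_sil(parse_proc_pci(SAMPLE_DS213)):
        print("%02x:%02x.%d %04x:%04x irq %d driver %s" % (d.bus, d.slot, d.func, d.vendor, d.device, d.irq, d.driver))
```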
Trantor (#53), Posted September 9, 2013
I own a DS412+ if you want something
quicksilver (#54), Posted September 9, 2013
I have a DS1511+ running DSM 4.3-3776 and would be pleased to provide anything you want from it. Chris
k3dt (#55), Posted September 9, 2013
Post your results too pls

edit; I have only this.. DSM 3.2 CubeStation CS-406

    0060 10953512 14 bffff9 bffff5 bfffe9 bfffe5 bfffd1 bffffe00 0 8 4 8 4 10 200 80000 sata_sil
    0068 10953512 10 bfffc9 bfffc5 bfffb9 bfffb5 bfffa1 bffffc00 0 8 4 8 4 10 200 80000 sata_sil
    0070 10330035 11 bfffe000 0 0 0 0 0 0 1000 0 0 0 0 0 0 ohci_hcd
    0071 10330035 11 bfffd000 0 0 0 0 0 0 1000 0 0 0 0 0 0 ohci_hcd
    0072 103300e0 11 bfffcf00 0 0 0 0 0 0 100 0 0 0 0 0 0 ehci_hcd
    0078 11ab4320 12 bfff8000 bffe01 0 0 0 0 0 4000 100 0 0 0 0 20000 sk98lin
doedels (#56), Posted September 9, 2013
Linux DiskStation 3.2.40 #3776 SMP Sat Aug 17 02:16:50 CST 2013 x86_64 GNU/Linux synology_x86_1010+

    0000 8086a000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
    0010 8086a001 a fe880000 bc01 d0000008 fe700000 0 0 2 80000 8 10000000 100000 0 0 0
    0011 8086a002 0 fe680000 0 0 0 0 0 0 80000 0 0 0 0 0 0
    00d0 80862937 10 0 0 0 0 b881 0 0 0 0 0 0 20 0 0 uhci_hcd
    00d1 80862938 15 0 0 0 0 b801 0 0 0 0 0 0 20 0 0 uhci_hcd
    00d2 80862939 13 0 0 0 0 b481 0 0 0 0 0 0 20 0 0 uhci_hcd
    00d7 8086293c 12 fe87bc00 0 0 0 0 0 0 400 0 0 0 0 0 0 ehci_hcd
    00e0 80862940 28 0 0 0 0 0 0 0 0 0 0 0 0 0 0 pcieport
    00e4 80862948 29 0 0 0 0 0 0 0 0 0 0 0 0 0 0 pcieport
    00e5 8086294a 2a 0 0 0 0 0 0 0 0 0 0 0 0 0 0 pcieport
    00e8 80862934 17 0 0 0 0 b401 0 0 0 0 0 0 20 0 0 uhci_hcd
    00e9 80862935 13 0 0 0 0 b081 0 0 0 0 0 0 20 0 0 uhci_hcd
    00ea 80862936 12 0 0 0 0 b001 0 0 0 0 0 0 20 0 0 uhci_hcd
    00ef 8086293a 17 fe87b800 0 0 0 0 0 0 400 0 0 0 0 0 0 ehci_hcd
    00f0 8086244e 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
    00f8 80862916 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
    00fa 80862922 2b ac01 a881 a801 a481 a401 fe87b000 0 8 4 8 4 20 800 0 ahci
    00fb 80862930 e fe87ac04 0 0 0 401 0 0 100 0 0 0 20 0 0
    0100 10953132 10 fe9ffc04 0 fe9f8004 0 cc01 0 fe900000 80 0 4000 0 80 0 80000 sata_sil24
    0200 808610d3 2c feae0000 0 dc01 feadc000 0 0 0 20000 0 20 4000 0 0 0 e1000e
    0300 808610d3 2d febe0000 0 ec01 febdc000 0 0 0 20000 0 20 4000 0 0 0 e1000e
neXus (#57), Posted September 9, 2013
Could be a dumb question but: can someone with a silicon raid controller give it a try? As it seems to be a common factor. What happens if we use only pata disks (/dev/hdX)? The test seems to be in call near ptr dword_F6BB419C, we have to study it
doedels (#58), Posted September 9, 2013
Tried using only pata disk, still fails..
neXus (#59), Posted September 10, 2013
The disassembly contains an anti-reversing technique (Jump Trick with short near ptr loc+1) in order to defeat linear disassembly:

    33 C0           xor     eax, eax
    74 01           jz      short near ptr loc+1
    E9 58 C3 68 94  jmp     near ptr 94A8D521h

Should be disassembled as:

    33 C0           xor     eax, eax
    74 01           jz      short near ptr loc+1
    E9              junk
    58              pop     eax
    C3              retn

It will be harder to find what is really done. It's the same countermeasure malware uses. More info here: http://books.google.fr/books?id=FQC8EPYy834C&lpg=PA329&ots=BsntpxIe6l&dq=Fool%20Linear%20Disassembly&hl=fr&pg=PA329#v=onepage&q=Fool%20Linear%20Disassembly&f=false
k3dt (#60), Posted September 10, 2013
Interesting.. good find neXus. I found this script for IDA: http://hooked-on-mnemonics.blogspot.cz/ ... n-ida.html
neXus (#61), Posted September 10, 2013
I came across this one too but it only traverses defined funcs. It seems there is a mix of several obfuscations in here. The good point, I think: the harder they try to hide what is done, the easier it will be to fool once we figure out what is really done.

I'm working on the libdsm.so as it has the same pattern as the cgi regarding obfuscation. I will share any progress here, do the same.

I have changed the python code a bit to work on the selected area:

    import idaapi
    from idc import *  # GetMnem, GetDisasm, GetOperandValue, MakeUnkn, MakeCode (IDA 6.x IDAPython API)

    def fixTheJmpCalls():
        # Fix the jmp/call instructions in the selected code range
        selection, startaddr, endaddr = idaapi.read_selection()
        if selection:
            for opcode in range(startaddr, endaddr):
                if GetMnem(opcode) == "jmp" or GetMnem(opcode) == "call":
                    # operand of the form "loc_xxx+1": the branch lands one byte inside the next instruction
                    if GetDisasm(opcode)[-2:-1] == "+" and GetDisasm(opcode)[-1:].isdigit():
                        print("Broken Instruction: %X %s" % (opcode, GetDisasm(opcode)))
                        code_addr = GetOperandValue(opcode, 0)
                        fix_addr = code_addr - 1
                        MakeUnkn(fix_addr, 1)   # undefine the junk byte the branch skips over
                        MakeCode(code_addr)     # re-disassemble from the real target

I'll give it a try
VeNoM (Author, #62), Posted September 10, 2013
I replaced /proc/bus/pci/devices with /PROC/bus_pci_devices and in this file I put the dump from a 1010 from page 6 from doedels.

    DiskStation43> find /lib -type f -print0 | xargs -0 grep "bus_pci_devices"
    /lib/libdsm.so.4:/PROC/bus_pci_devices
    /lib/libsynocgi.so.4:/PROC/bus_pci_devices

Still doesn't work. /proc/self/comm is the process name. I can replace this one too, but with what ?
VeNoM (Author, #63), Posted September 10, 2013
And another thing, __cIpHeRtOkEn is also used on login.
neXus (#64), Posted September 10, 2013
As far as I know there are nonsense obfuscations:

    LOAD:0004ACF8 loc_4ACF8:                              ; CODE XREF: LOAD:loc_4ACF8p
    LOAD:0004ACF8 E8 FC FF FF FF          call    near ptr loc_4ACF8+1

You can find the pattern "E8 FC FF FF FF" regularly in this block of code. I made a little script to undefine this as it makes no sense to me.

    import idaapi
    from idc import *  # GetMnem, GetDisasm, MakeUnkn, MakeArray (IDA 6.x IDAPython API)

    def fixTheJmpCalls():
        # Fix the jmp/call instructions in the selected code range
        selection, startaddr, endaddr = idaapi.read_selection()
        idaapi.unmark_selection()
        if selection:
            for opcode in range(startaddr, endaddr):
                if GetMnem(opcode) == "jmp" or GetMnem(opcode) == "call":
                    # operand of the form "loc_xxx+1": a branch into the middle of an instruction
                    if GetDisasm(opcode)[-2:-1] == "+" and GetDisasm(opcode)[-1:].isdigit():
                        print("Broken Instruction: %X %s" % (opcode, GetDisasm(opcode)))
                        MakeUnkn(opcode, 0)   # undefine the 5-byte call
                        MakeArray(opcode, 5)  # and mark those bytes as a data array (junk)

it seems to fix the flow, but there are still some other obfuscations to reveal, for example:

    LOAD:0004AE00 loc_4AE00:                              ; CODE XREF: LOAD:0004ADF6j
    LOAD:0004AE00 8B 8D 9C F8 FF FF       mov     ecx, [ebp-764h]
    LOAD:0004AE06 85 C9                   test    ecx, ecx
    LOAD:0004AE08 74 0E                   jz      short loc_4AE18
    LOAD:0004AE0A 8B 85 9C F8 FF FF       mov     eax, [ebp-764h]
    LOAD:0004AE10 89 04 24                mov     [esp], eax
    LOAD:0004AE13
    LOAD:0004AE13 loc_4AE13:                              ; CODE XREF: LOAD:loc_4AE13p
    LOAD:0004AE13 E8 FC FF FF FF          call    near ptr loc_4AE13+1
    LOAD:0004AE18
    LOAD:0004AE18 loc_4AE18:                              ; CODE XREF: LOAD:0004AE08j
    LOAD:0004AE18 85 DB                   test    ebx, ebx

The test eax,eax will always be true, so the jz will always jump and the code behind is never used.

It could be changed to:

    LOAD:0004AE00 loc_4AE00:                              ; CODE XREF: LOAD:0004ADF6j
    LOAD:0004AE00 8B 8D 9C F8 FF FF       mov     ecx, [ebp-764h]
    LOAD:0004AE06 85 C9                   test    ecx, ecx
    LOAD:0004AE08 74 0E                   jz      short loc_4AE18
    LOAD:0004AE08 ; ---------------------------------------------------------------------------
    LOAD:0004AE0A 8B 85 9C F8 FF FF 89 04 24 E8+junk  db 'ïࣰ ë',4,'$Þ³ '
    LOAD:0004AE18 ; ---------------------------------------------------------------------------
    LOAD:0004AE18
    LOAD:0004AE18 loc_4AE18:                              ; CODE XREF: LOAD:0004AE08j

Not sure it will help but I didn't find any other explanation. Assembly guys, please contribute
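An added example, not code from the thread, showing why the loc+1 trick in post #59 and the E8 FC FF FF FF calls in post #64 fool a linear sweep, and what the two IDA scripts above undo: a toy decoder for only the opcodes in the quoted listings (a constructed subset, at an assumed load address of 0x1000), with a fix-up pass that junks the bytes a branch skips over and re-decodes from the real target.

```python
import struct

# Constructed opcode subset (only opcodes from the quoted listings); a real decoder needs the full x86 table
OPS = {0x33: ("xor eax, eax", 2), 0x74: ("jz short", 2), 0xE9: ("jmp", 5),
       0xE8: ("call", 5), 0x58: ("pop eax", 1), 0xC3: ("retn", 1)}

def decode(code, off, base):
    """Linear sweep from byte offset off: list of (addr, mnemonic, length, target)."""
    out = []
    while off < len(code):
        op = code[off]
        if op not in OPS or off + OPS[op][1] > len(code):
            out.append((base + off, "db %02X" % op, 1, None))   # undecodable byte
            off += 1
            continue
        mnem, n = OPS[op]
        target = None
        if op == 0x74:                                  # rel8 displacement
            target = base + off + n + struct.unpack_from("<b", code, off + 1)[0]
        elif op in (0xE8, 0xE9):                        # rel32 displacement
            target = base + off + n + struct.unpack_from("<i", code, off + 1)[0]
        out.append((base + off, mnem, n, target))
        if op == 0xC3:                                  # retn: the sweep stops here
            break
        off += n
    return out

def fix_jmp_calls(code, base):
    """Mimic the IDA scripts above: a branch to loc+N inside an already decoded
    instruction means the sweep was fooled. Bytes from that instruction's start to
    the target become junk and decoding restarts at the target; a call into its own
    immediate (E8 FC FF FF FF) is junked whole, like MakeArray(opcode, 5)."""
    insns, i = decode(code, 0, base), 0
    while i < len(insns):
        target = insns[i][3]
        hit = next((j for j, (a, _, ln, _) in enumerate(insns)
                    if target is not None and a < target < a + ln), None)
        if hit is None:
            i += 1
            continue
        a, _, ln, _ = insns[hit]
        cut = ln if hit == i else target - a            # self-call: all bytes are junk
        junk = "junk " + " ".join("%02X" % b for b in code[a - base:a - base + cut])
        insns = insns[:hit] + [(a, junk, cut, None)] + decode(code, a - base + cut, base)
        i = hit + 1
    return insns

BASE = 0x1000                                   # assumed load address
JZ_TRICK = bytes.fromhex("33C07401E958C36894")  # post #59: jz short loc+1 / E9 junk
SELF_CALL = bytes.fromhex("33C0E8FCFFFFFFC3")   # post #64 pattern: call near ptr loc+1
```

Running decode alone on JZ_TRICK gives xor / jz / jmp (the E9 swallows the pop and retn); fix_jmp_calls turns the E9 into junk and recovers pop eax / retn, and turns the self-referencing call into five junk bytes.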
porroto (#65), Posted September 11, 2013
hello and good night... sorry for my bad english and yes I'm a noob ... I got stuck in diskstation login and password on usb boot menu... any idea? thanks
shteve (#66), Posted September 11, 2013
> hello and good night... sorry for my bad english and yes I'm a noob ... I got stuck in diskstation login and password on usb boot menu... any idea? thanks

This thread's more for development discussion of 4.3 rather than support problems with (I'm assuming) 4.2. However, once it's at the login stage, that's it. The rest of it is managed via the web interface - point your browser at the address you gave it during the install process: http://your IP:5000/webman/index.cgi

If you've not installed it yet, you need to download DSAssistant from synology and then run that. It should find your DS and allow you to install it. There are plenty of instructions on this site if you look.
neXus (#67), Posted September 11, 2013
Giving up static analysis for now, I will make my custom kernel with debug enabled and start dynamic analysis. Obfuscation is pretty hard to read, that's the point of it. Anyway, it seems the cgi doesn't have any obfuscation; how did you manage to get the core? (Not familiar with web stuff.) Thanks
k3dt (#68), Posted September 12, 2013
neXus: that was a LITTLE tricky part (you need to "freeze" the process, then kill it with one of the coredump-making signals... strace says it fopens synoinfo.conf so...)

    mv /etc/synoinfo.conf /etc/synoinfo.conf.bak ; mkfifo /etc/synoinfo.conf ;

(this is the tricky part. you need ipkg and install... coreutils maybe? dont remember)

    ./storagehandler.cgi

(second ssh)

    ulimit -c unlimited ; kill -SIGABRT

    DiskStation> ./storagehandler.cgi
    Aborted (core dumped)

    find / -name \*core\*

And you are done. IDA PRO can open coredump files. Then remove /etc/synoinfo.conf and mv /etc/synoinfo.conf.bak /etc/synoinfo.conf

EDIT: here is the coredump http://www.k3dt.eu/storagehandler..core.gz
Vortex (#69), Posted September 15, 2013
Do you realize that the attempt to adapt the DSM to other systems, disassembly and removal of protection from their own (non-GPL) files, is piracy? It's no longer just harmless digging in the kernel/drivers. Some of them are protected so that they cannot be patched directly. Synology implements explicit protection and does not want to spread DSM. Isn't it obvious?
k3dt (#70), Posted September 15, 2013
Do not see any difference. Patching synobios in DSM<4.3 is the same piracy as this.
fonix232 (#71), Posted September 15, 2013
> Do you realize that the attempt to adapt the DSM to other systems, disassembly and removal of protection from their own (non-GPL) files, is piracy? It's no longer just harmless digging in the kernel/drivers. Some of them are protected so that they cannot be patched directly. Synology implements explicit protection and does not want to spread DSM. Isn't it obvious?

Well, given that most of those who use XPEnology releases wouldn't buy a Synology NAS anyway, it cannot be counted as piracy. DSM is not sold, it is not a product - it is merely a feature, and based on what you say, it would be illegal to port iOS to other devices (I know it would never really work, but basically we are doing the same thing). So no, it is not illegal. We are making no profit out of it (except if you count personal experience, especially for those who patch the releases, as profit), and it is only used in a home environment, where the other options are either (pirated) Windows, or some crappy Linux distro that does not offer even closely as many features as DSM.
neXus (#72), Posted September 15, 2013
Anyway, is there anyone with a genuine Synology to just dump and share some information? I will need

    i2cdetect -l
    i2cdetect -y 0

Try to find the addresses of i2c devices (number located in the table) and

    i2cdump -y 0

Thanks !
joad (#73), Posted September 15, 2013
I'm happy to help. But I did not get i2c-tools to work .... Do you have a working version?
yold (#74), Posted September 16, 2013
@neXus: sorry but i2cdetect is not present on my 4.3 genuine synology
nsfw (#75), Posted September 17, 2013
Just thought I'd pass on these 4.3 vulnerabilities. http://www.securityfocus.com/archive/1/528543