Jump to content
XPEnology Community

4.3 issues


VeNoM

Recommended Posts

Can we override unlink only for /dev/sd* with LD_PRELOAD or from the kernel ?

 

6465  stat64("/dev/sda", {st_mode=S_IFBLK|0644, st_rdev=makedev(8, 0), ...}) = 0
6465  unlink("/dev/sda")                = 0
6465  stat64("/dev/sda1", {st_mode=S_IFBLK|0644, st_rdev=makedev(8, 1), ...}) = 0
6465  unlink("/dev/sda1")               = 0
6465  stat64("/dev/sda2", {st_mode=S_IFBLK|0644, st_rdev=makedev(8, 2), ...}) = 0
6465  unlink("/dev/sda2")               = 0
6465  stat64("/dev/sda3", {st_mode=S_IFBLK|0644, st_rdev=makedev(8, 3), ...}) = 0
6465  unlink("/dev/sda3")               = 0

 

Or open for the list of checked files and replace them with /PROC /LIB /USR ...

Link to comment
Share on other sites

Ok, my hooking kernel module is almost ready, now we have to find the /proc/bus/pci/devices to feed it.

 

I tried why an handcrafted one, no luck :smile:

 

DiskStation> cat /proc/bus/pci/devices | openssl dgst -sha1
(stdin)= 0420d5aff0e976362758ec21d0d7e6def6730921

DiskStation> cat /root/devices | openssl dgst -sha1
(stdin)= 5d901113beb9d0b2a0ca458693d20a5697951c4e

DiskStation> insmod dsmcheck.ko 

DiskStation> cat /proc/bus/pci/devices | openssl dgst -sha1
(stdin)= 5d901113beb9d0b2a0ca458693d20a5697951c4e

Link to comment
Share on other sites

I did it on 1511+!

 

I created a custom kernel module that replaces /proc/bus/pci/devices with https://mega.co.nz/#!pEVljT4Z!bPaL0A4ZG ... bz4p6a8V4U and it works!

 

So the protection is a simple "hash check" that uses

/proc/bus/pci/devices

/usr/syno/bin/findhostd

/usr/syno/bin/scemd

/lib/libdsm.so

/lib/libsynocgi.so

/usr/syno/synoman/webman/modules/StorageManager/storagehandler.cgi

/usr/syno/synoman/webman/modules/StorageManager/volumehandler.cgi

/usr/syno/synoman/webman/modules/PkgManApp/PkgMan.cgi

/usr/syno/synoman/webman/modules/PkgManApp/PkgSynoMan.cgi

/usr/syno/synoman/webman/modules/DSMNotify/dsmnotify.cgi

 

4_3.jpg

 

PS : I did this for fun. I would not use this in production.

Link to comment
Share on other sites

No, it is not "hash check". Thoes files checks special table for allowed devices and compares it with strings in /proc/bus/pci/devices.

If more than two devices are not found in /proc/bus/pci/devices, then drives off. Note the number of checks for 3612xs and ds1511+ :wink: ;) :wink:

Here is the table:

synology_bromolow_3611xs
0200	111d806e	pcieport	
0310	111d806e	pcieport	
0318	111d806e	pcieport	
0320	111d806e	pcieport	
0328	111d806e	pcieport	
0400	11ab7042	sata_mv	
0500	11ab7042	sata_mv	
0600	11ab7042	sata_mv	
0700	11ab7042	sata_mv	
0800	11ab7042	sata_mv	
0a00	808610d3	e1000e	
0b00	808610d3	e1000e	
0c00	808610d3	e1000e	
0d00	808610d3	e1000e	

synology_bromolow_3612xs
0200	111d806e	pcieport	
0310	111d806e	pcieport	
0318	111d806e	pcieport	
0320	111d806e	pcieport	
0328	111d806e	pcieport	
0400	11ab7042	sata_mv	
0500	11ab7042	sata_mv	
0600	11ab7042	sata_mv	
0700	11ab7042	sata_mv	
0800	11ab7042	sata_mv	
0a00	808610d3	e1000e	
0b00	808610d3	e1000e	
0c00	808610d3	e1000e	
0d00	808610d3	e1000e	

synology_bromolow_rs3411rpxs
0200	111d806e	pcieport	
0310	111d806e	pcieport	
0318	111d806e	pcieport	
0320	111d806e	pcieport	
0328	111d806e	pcieport	
0400	11ab7042	sata_mv	
0500	11ab7042	sata_mv	
0600	11ab7042	sata_mv	
0700	11ab7042	sata_mv	
0800	11ab7042	sata_mv	
0a00	808610d3	e1000e	
0b00	808610d3	e1000e	
0c00	808610d3	e1000e	
0d00	808610d3	e1000e	

synology_bromolow_rs3411xs
0200	111d806e	pcieport	
0310	111d806e	pcieport	
0318	111d806e	pcieport	
0320	111d806e	pcieport	
0328	111d806e	pcieport	
0400	11ab7042	sata_mv	
0500	11ab7042	sata_mv	
0600	11ab7042	sata_mv	
0700	11ab7042	sata_mv	
0800	11ab7042	sata_mv	
0a00	808610d3	e1000e	
0b00	808610d3	e1000e	
0c00	808610d3	e1000e	
0d00	808610d3	e1000e	

synology_bromolow_rs3412rpxs
0200	111d806e	pcieport	
0310	111d806e	pcieport	
0318	111d806e	pcieport	
0320	111d806e	pcieport	
0328	111d806e	pcieport	
0400	11ab7042	sata_mv	
0500	11ab7042	sata_mv	
0600	11ab7042	sata_mv	
0700	11ab7042	sata_mv	
0800	11ab7042	sata_mv	
0a00	808610d3	e1000e	
0b00	808610d3	e1000e	
0c00	808610d3	e1000e	
0d00	808610d3	e1000e	

synology_bromolow_rs3412xs
0200	111d806e	pcieport	
0310	111d806e	pcieport	
0318	111d806e	pcieport	
0320	111d806e	pcieport	
0328	111d806e	pcieport	
0400	11ab7042	sata_mv	
0500	11ab7042	sata_mv	
0600	11ab7042	sata_mv	
0700	11ab7042	sata_mv	
0800	11ab7042	sata_mv	
0a00	808610d3	e1000e	
0b00	808610d3	e1000e	
0c00	808610d3	e1000e	
0d00	808610d3	e1000e	

synology_bromolow_rs3413xs+
0200	111d806e	pcieport	
0310	111d806e	pcieport	
0318	111d806e	pcieport	
0320	111d806e	pcieport	
0328	111d806e	pcieport	
0400	11ab7042	sata_mv	
0500	11ab7042	sata_mv	
0600	11ab7042	sata_mv	
0700	11ab7042	sata_mv	
0800	11ab7042	sata_mv	
0a00	808610d3	e1000e	
0b00	808610d3	e1000e	
0c00	808610d3	e1000e	
0d00	808610d3	e1000e	

synology_bromolow_rs10613xs+
0100	10000072	mpt2sas	
0300	808610d3	e1000e	
0400	808610d3	e1000e	
0500	808610d3	e1000e	
0600	808610d3	e1000e	

synology_cedarview_412+
0100	808610d3	e1000e	
0200	808610d3	e1000e	
0300	10953531	sata_sil24	

synology_cedarview_713+
0100	808610d3	e1000e	
0200	808610d3	e1000e	
0300	10953531	sata_sil24	

synology_cedarview_1512+
0100	808610d3	e1000e	
0200	808610d3	e1000e	
0300	10953132	sata_sil24	

synology_cedarview_1513+
0100	80861533	igb	
0200	80861533	igb	
0300	10953132	sata_sil24	
0400	1b6f7023	etxhci_hcd	
0500	80861533	igb	
0600	80861533	igb	

synology_cedarview_1812+
0100	808610d3	e1000e	
0200	808610d3	e1000e	
0300	10953132	sata_sil24	
0400	10953132	sata_sil24	

synology_cedarview_1813+
0200	80861533	igb	
0300	10953132	sata_sil24	
0400	10953132	sata_sil24	
0500	1b6f7023	etxhci_hcd	
0600	10b58603	pcieport	
0708	10b58603	pcieport	
0710	10b58603	pcieport	
0800	80861533	igb	
0900	80861533	igb	

synology_cedarview_2413+
0100	808610d3	e1000e	
0200	808610d3	e1000e	
0300	11ab7042	sata_mv	
0400	10953132	sata_sil24	
0500	11ab7042	sata_mv	
0600	1b6f7023	etxhci_hcd	

synology_cedarview_rs812+
0100	808610d3	e1000e	
0200	808610d3	e1000e	
0300	10953531	sata_sil24	

synology_cedarview_rs812rp+
0100	808610d3	e1000e	
0200	808610d3	e1000e	
0300	10953531	sata_sil24	

synology_cedarview_rs2212+
0100	808610d3	e1000e	
0200	808610d3	e1000e	
0300	11ab7042	sata_mv	
0500	11ab7042	sata_mv	

synology_cedarview_rs2212rp+
0100	808610d3	e1000e	
0200	808610d3	e1000e	
0300	11ab7042	sata_mv	
0500	11ab7042	sata_mv	

synology_cedarview_rs2414+
0100	80861533	igb	
0200	10b58603	pcieport	
0308	10b58603	pcieport	
0310	10b58603	pcieport	
0400	1b6f7023	etxhci_hcd	
0500	80861533	igb	
0600	10953132	sata_sil24	
0700	11ab7042	sata_mv	
0800	1b4b9235	ahci	
0900	10b58603	pcieport	
0a08	10b58603	pcieport	
0a10	10b58603	pcieport	
0b00	80861533	igb	
0c00	80861533	igb	

synology_cedarview_rs2414rp+
0100	80861533	igb	
0200	10b58603	pcieport	
0308	10b58603	pcieport	
0310	10b58603	pcieport	
0400	1b6f7023	etxhci_hcd	
0500	80861533	igb	
0600	10953132	sata_sil24	
0700	11ab7042	sata_mv	
0800	1b4b9235	ahci	
0900	10b58603	pcieport	
0a08	10b58603	pcieport	
0a10	10b58603	pcieport	
0b00	80861533	igb	
0c00	80861533	igb	

synology_x86_411+
00d0	80862937	uhci_hcd	
00d1	80862938	uhci_hcd	
00d2	80862939	uhci_hcd	
00d7	8086293c	ehci_hcd	
00e8	80862934	uhci_hcd	
00e9	80862935	uhci_hcd	
00ea	80862936	uhci_hcd	
00ef	8086293a	ehci_hcd	
00fa	80862922	ahci	
0200	10953531	sata_sil24	

synology_x86_411+II
00d0	80862937	uhci_hcd	
00d1	80862938	uhci_hcd	
00d2	80862939	uhci_hcd	
00d7	8086293c	ehci_hcd	
00e8	80862934	uhci_hcd	
00e9	80862935	uhci_hcd	
00ea	80862936	uhci_hcd	
00ef	8086293a	ehci_hcd	
00fa	80862922	ahci	
0200	10953531	sata_sil24	

synology_x86_710+
00c8	808610e5	e1000e	
00d0	80862937	uhci_hcd	
00d1	80862938	uhci_hcd	
00d2	80862939	uhci_hcd	
00d7	8086293c	ehci_hcd	
00e8	80862934	uhci_hcd	
00e9	80862935	uhci_hcd	
00ea	80862936	uhci_hcd	
00ef	8086293a	ehci_hcd	
00fa	80862922	ahci	
0100	10953132	sata_sil24	

synology_x86_712+
0100	10953531	sata_sil24	
0200	808610d3	e1000e	
0300	808610d3	e1000e	

synology_x86_1010+
0100	10953132	sata_sil24	
0200	808610d3	e1000e	
0300	808610d3	e1000e	

synology_x86_1511+
0100	10953132	sata_sil24	
0200	808610d3	e1000e	
0300	808610d3	e1000e	

synology_x86_2411+
0100	11ab7042	sata_mv	
0200	11ab7042	sata_mv	
0300	11ab7042	sata_mv	
0400	11ab7042	sata_mv	
0500	808610d3	e1000e	
0600	808610d3	e1000e	

synology_x86_rs810+
0100	10953531	sata_sil24	
0200	808610d3	e1000e	
0300	808610d3	e1000e	

synology_x86_rs810rp+
0100	10953531	sata_sil24	
0200	808610d3	e1000e	
0300	808610d3	e1000e	

synology_x86_rs2211+
0100	11ab7042	sata_mv	
0200	11ab7042	sata_mv	
0300	11ab7042	sata_mv	
0400	11ab7042	sata_mv	
0500	808610d3	e1000e	
0600	808610d3	e1000e	

synology_x86_rs2211rp+
0100	11ab7042	sata_mv	
0200	11ab7042	sata_mv	
0300	11ab7042	sata_mv	
0400	11ab7042	sata_mv	
0500	808610d3	e1000e	
0600	808610d3	e1000e	

synology_evansport_214+
0160	80862e6e	e1000	
0200	1b6f7023	etxhci_hcd	
0300	10953531	sata_sil24	

synology_evansport_114+
0160	80862e6e	e1000	
0200	1b6f7023	etxhci_hcd	
0300	10953531	sata_sil24	

Link to comment
Share on other sites

With the info you posted I can probably manualy create a devices file for synology_bromolow_3612xs :smile:

Yes, you're right, it is a hash check for files + check for hardcodes devices (like sata controller/network controller) in files vs /proc/bus/pci/devices.

 

I do not understand why they did not also check synobios.ko

Edited by Guest
Link to comment
Share on other sites

Works fine here too with my module. I was digging on the disassembly code to check what was really checked.

 

Vortex is faster than me :smile: I have some issue with my coredump as there is no symbols on it. I'm not a professional so I have to make it step by step.

Link to comment
Share on other sites

As long we will have the hand on the kernel, we could fool the checks.

 

My next challenge will be to simulate the ttyS1 serial device and the Uart device check by synobios to avoid any patching.

 

It will be harder but that's a nice playground :smile:

 

They don't seems to have hardware "protection" stuff as we can found on readynas for example (encryption key in OTP for example).

Link to comment
Share on other sites

I dont think so as in the dump we have the memory dump with shared objects in it. It's more the memory program (un packed).

 

It's like rebuild the the windows kernel from a bsod kernel dump.

 

No need to repack we found the way to fake the system to make it believe it's a genuine one (except for synobios which still need to be patched).

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...