Recommended Posts

On my 1010+ no i2c devices detected

 

DiskStation> ./i2cdetect -l

DiskStation> ./i2cdetect -y 0

Error: Could not open file `/dev/i2c-0' or `/dev/i2c/0': No such file or directory

 

 

But i can see this mod loaded.

 

DiskStation> lsmod |grep i2c

i2c_algo_bit 4808 0

 

 

DiskStation> ./lspci
00:00.0 Host bridge: Intel Corporation Device a000 (rev 02)
00:02.0 VGA compatible controller: Intel Corporation Device a001 (rev 02)
00:02.1 Display controller: Intel Corporation Device a002 (rev 02)
00:1a.0 USB Controller: Intel Corporation USB UHCI Controller #4 (rev 02)
00:1a.1 USB Controller: Intel Corporation USB UHCI Controller #5 (rev 02)
00:1a.2 USB Controller: Intel Corporation USB UHCI Controller #6 (rev 02)
00:1a.7 USB Controller: Intel Corporation USB2 EHCI Controller #2 (rev 02)
00:1c.0 PCI bridge: Intel Corporation PCI Express Port 1 (rev 02)
00:1c.4 PCI bridge: Intel Corporation PCI Express Port 5 (rev 02)
00:1c.5 PCI bridge: Intel Corporation PCI Express Port 6 (rev 02)
00:1d.0 USB Controller: Intel Corporation USB UHCI Controller #1 (rev 02)
00:1d.1 USB Controller: Intel Corporation USB UHCI Controller #2 (rev 02)
00:1d.2 USB Controller: Intel Corporation USB UHCI Controller #3 (rev 02)
00:1d.7 USB Controller: Intel Corporation USB2 EHCI Controller #1 (rev 02)
00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev 92)
00:1f.0 ISA bridge: Intel Corporation LPC Interface Controller (rev 02)
00:1f.2 SATA controller: Intel Corporation 6 port SATA AHCI Controller (rev 02)
00:1f.3 SMBus: Intel Corporation SMBus Controller (rev 02)
01:00.0 Mass storage controller: Silicon Image, Inc. SiI 3132 Serial ATA Raid II Controller (rev 01)
02:00.0 Ethernet controller: Intel Corporation Device 10d3
03:00.0 Ethernet controller: Intel Corporation Device 10d3
DiskStation> ./lspci  -n
00:00.0 0600: 8086:a000 (rev 02)
00:02.0 0300: 8086:a001 (rev 02)
00:02.1 0380: 8086:a002 (rev 02)
00:1a.0 0c03: 8086:2937 (rev 02)
00:1a.1 0c03: 8086:2938 (rev 02)
00:1a.2 0c03: 8086:2939 (rev 02)
00:1a.7 0c03: 8086:293c (rev 02)
00:1c.0 0604: 8086:2940 (rev 02)
00:1c.4 0604: 8086:2948 (rev 02)
00:1c.5 0604: 8086:294a (rev 02)
00:1d.0 0c03: 8086:2934 (rev 02)
00:1d.1 0c03: 8086:2935 (rev 02)
00:1d.2 0c03: 8086:2936 (rev 02)
00:1d.7 0c03: 8086:293a (rev 02)
00:1e.0 0604: 8086:244e (rev 92)
00:1f.0 0601: 8086:2916 (rev 02)
00:1f.2 0106: 8086:2922 (rev 02)
00:1f.3 0c05: 8086:2930 (rev 02)
01:00.0 0180: 1095:3132 (rev 01)
02:00.0 0200: 8086:10d3
03:00.0 0200: 8086:10d3

Link to post
Share on other sites

Ok I can now start a dynamic analysis, first thing I found :

 

I try to trace cgi execution, and create a mknod /dev/sda

 

I have no traces of storagehandler.cgi, it presume the check is done in several modules could be rsrcmonitor or externaldevices.

 

I'll keep trying, a little help could be fine :wink:

 

Sda Still here : 1379691942
16652 root     21600 S    /usr/syno/synoman/webman/modules/ResourceMonitor/rsrcmonitor2.cgi

Sda Still here : 1379691942
16652 root     21600 S    /usr/syno/synoman/webman/modules/ResourceMonitor/rsrcmonitor2.cgi

Sda Still here : 1379691946
23147 root     22748 S    /usr/syno/synoman/webman/modules/SystemInfoApp/SystemInfo.cgi
23149 root     17724 S    /usr/syno/synoman/webman/modules/PollingTask/polling.cgi
23236 root     23108 R    /usr/syno/synoman/webman/modules/ControlPanel/modules/externaldevices.cgi

Sda Still here : 1379691947
23219 root     18104 S    /usr/syno/synoman/webman/modules/SystemInfoApp/LogViewer.cgi
24752 root     21600 S    /usr/syno/synoman/webman/modules/ResourceMonitor/rsrcmonitor2.cgi

Sda Still here : 1379691950
27243 root     17636 R    /usr/syno/synoman/webman/modules/DSMNotify/dsmnotify.cgi

no more sda : 1379691950
27243 root     17768 S    /usr/syno/synoman/webman/modules/DSMNotify/dsmnotify.cgi

Link to post
Share on other sites

Well, beta files are not packed but they don't seems to have any protection in it (no /dev/sd*).

 

One more thing, attaching strace to all http process, the cgi don't remove the sda, I believe so there is also countermeasure against dynamic analysis. (PTRACE detection pretty simple to do in fact.. damn... same for gdb)

 

20954 19:03:31 [f6bf4c08] ptrace(PTRACE_TRACEME, 0, 0, 0) = -1 EPERM (Operation not permitted)
20989 19:03:38 [f6c06c08] ptrace(PTRACE_TRACEME, 0, 0, 0) = -1 EPERM (Operation not permitted)

 

Hopefully it can be defeated :smile:

Edited by Guest
Link to post
Share on other sites

197  [f6ec11f8] stat64("/dev/sda", {st_dev=makedev(9, 0), st_ino=712, st_mode=S_IFBLK|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=0, st_rdev=makedev(8, 0), st_atime=2013/09/23-16:45:50, st_mtime=2013/09/23-16:45:50, st_ctime=2013/09/23-16:45:50}) = 0
7197  [f6ec335d] unlink("/dev/sda")     = 0

 

One step beyond :wink:

Link to post
Share on other sites

So, I may have found how they protect it, no how to defeat it. Here is the deal.

 

Those files :

 

  • /usr/syno/bin/findhostd
    /usr/syno/bin/scemd
    /lib/libdsm.so
    /lib/libsynocgi.so
    /usr/syno/synoman/webman/modules/StorageManager/storagehandler.cgi
    /usr/syno/synoman/webman/modules/StorageManager/volumehandler.cgi
    /usr/syno/synoman/webman/modules/PkgManApp/PkgMan.cgi
    /usr/syno/synoman/webman/modules/PkgManApp/PkgSynoMan.cgi
    /usr/syno/synoman/webman/modules/DSMNotify/dsmnotify.cgi

 

are packed the same way (I don't know yet if it's a home made packing or "readytogo" one.

 

Something is triggering sort of "sanity check" function.

 

At the end of each file above you can found a 256o chain, which is, I believe a RSA signature. So all theses files are checked to see if their integrity has not been compromised (with the dnsdsm cert). Expect the one which is running this function (here we found our /proc/self/comm string).

 

Once this santity check is done, another function open the synoinfo.conf to get the NAS unique model name, let's say synology_bromolow_3612xs.

 

It next open /proc/bus/pci/devices and check all the devices in it for I think a match with devices defined on each protected files above :

 

extract :

 

--------------------- Strings
808610d3    // 82574L Gigabit Network Connection                                                      
e1000e                                                            
0b00                                                              
0c00                                                              
0d00                                                              
0100
--------------------- Strings     

 

We can read thoses string as : 808610d3 pci id for the hardware / e1000e module associated / 0b00..0100 is the BusDevFunc id.

 

So I believe that somewhere, there is a link between the model and the following devices (ata/usb/ethernet).

 

if there is a mistmatch with this mapping, the process unlink (remove) /dev/sd* or /dev/sas*.

 

We can't alter the files without resign them with the private key associated with the dnsdsm cert and append the new signatures to the end of the file.

Link to post
Share on other sites

Look at my previous post. Try changing the path to /proc/bus/pci/devices and use a real output from a real syno nas in the new path, but not copy/paste because of the output formating. If you get a cat /proc/bus/pci/devices > devices from someone just scp the file to the nas. This just might work if there is not a sanity check on the files.

 

I replaced /proc/bus/pci/devices with /PROC/bus_pci_devices and in this file I put :

 

I did this test with a 1010 devices list on a 1511. I did not have a 1511 divices list.

Link to post
Share on other sites
Look at my previous post. Try changing the path to /proc/bus/pci/devices and use a real output from a real syno nas in the new path, but not copy/paste because of the output formating. If you get a cat /proc/bus/pci/devices > devices from someone just scp the file to the nas. This just might work if there is not a sanity check on the files.

 

I replaced /proc/bus/pci/devices with /PROC/bus_pci_devices and in this file I put :

 

I did this test with a 1010 devices list on a 1511. I did not have a 1511 divices list.

 

Hi VeNoM,

 

May I ask how you replaced /proc/bus/pci/devices with /PROC/bus_pci_devices?

Did you mean that you modify the "cgi" or the "so" file so that it will check /PROC/bus_pci_devices instead of /proc/bus/pci/devices?

Or may you give me some hints about how to do this? I can try with my PC and 3612xs. Thank you. :wink:

Link to post
Share on other sites

This will not work as an integrity check is done BEFORE parsing the devices.

 

Signature for elf/cgi are the same, same for the two so as well.

 

So there is two kind of hashes, I don't really know what is hashed.

 

There two hashes because elf/cgi are packed but not the so.

 

I have to find the common parts on each which I believe include the strings statements.

 

Another way will be modify the kernel sources to add the convenient devices but I don't know if there will be side effects.

 

Edit : better create a module which will hook open syscall and return a fake device list if it match some criteria.

 

Anyway a /proc/bus/pci/devices from a genuine 3612xs will be helpfull

 

So, maybe we don't need to patch files, proper simulation may do the trick.

 

Thanks

Link to post
Share on other sites

Create a /USR and /LIB (upper case) and put the original files there.

 

These files :

mkdir -p /USR/syno/bin

mkdir /LIB

mkdir -p /USR/syno/synoman/webman/modules/StorageManager

mkdir -p /USR/syno/synoman/webman/modules/PkgManApp

mkdir -p /USR/syno/synoman/webman/modules/DSMNotify

 

cp /usr/syno/bin/findhostd /USR/syno/bin/findhostd

cp /usr/syno/bin/scemd /USR/syno/bin/scemd

cp /lib/libdsm.so /LIB/libdsm.so

cp /lib/libsynocgi.so /LIB/libsynocgi.so

cp /usr/syno/synoman/webman/modules/StorageManager/storagehandler.cgi /USR/syno/synoman/webman/modules/StorageManager/storagehandler.cgi

cp /usr/syno/synoman/webman/modules/StorageManager/volumehandler.cgi /usr/syno/synoman/webman/modules/StorageManager/volumehandler.cgi

cp /usr/syno/synoman/webman/modules/PkgManApp/PkgMan.cgi /USR/syno/synoman/webman/modules/PkgManApp/PkgMan.cgi

cp /usr/syno/synoman/webman/modules/PkgManApp/PkgSynoMan.cgi /USR/syno/synoman/webman/modules/PkgManApp/PkgSynoMan.cgi

cp /usr/syno/synoman/webman/modules/DSMNotify/dsmnotify.cgi /USR/syno/synoman/webman/modules/DSMNotify/dsmnotify.cgi

 

Then hexedit the /usr/libdsm.so and /usr/libsynocgi.so to change the paths just like with /PROC.

 

CGI Decrypt failed. &__cIpHeRtOkEn= /usr/syno/etc.defaults/dnsdsm /proc/self/comm /PROC/bus_pci

_devices bromolow /dev/sd* /dev/sas* synology_bromolow_3611xs synology_bromolow_3612xs synology_bromolow_rs3411rpxs synology_bromolow_rs3411xs synology_bromolow_rs3412rpxs synology_bromolow_rs3412xs synology_bromolow_rs3413xs+ synology_bromolow_rs10613xs+ synology_cedarview_412+ synology_cedarview_713+ synology_cedarview_1512+ synology_cedarview_1513+ synology_cedarview_1812+ synology_cedarview_1813+ synology_cedarview_2413+ synology_cedarview_rs812+ synology_cedarview_rs812rp+ synology_cedarview_rs2212+ synology_cedarview_rs2212rp+ synology_cedarview_rs2414+ synology_cedarview_rs2414rp+ synology_x86_411+ synology_x86_411+II synology_x86_710+ synology_x86_712+ synology_x86_1010+ synology_x86_1511+ synology_x86_2411+ synology_x86_rs810+ synology_x86_rs810rp+ synology_x86_rs2211+ synology_x86_rs2211rp+ synology_evansport_214+ synology_evansport_114+ 0200 111d806e pcieport 0310 0318 0320 0328 0400 11ab7042 sata_mv 0500 0600 0700 0800 0a00 808610d3 e1000e 0b00 0c00 0d00 0100 10000072 mpt2sas 0300 10953531 sata_sil24 10953132 80861533 igb 1b6f7023 etxhci_hcd 10b58603 0708 0710 0900 0308 1b4b9235 ahci 0a08 0a10 00d0 80862937 uhci_hcd 00d1 80862938 00d2 80862939 00d7 8086293c ehci_hcd 00e8 80862934 00e9 80862935 00ea 80862936 00ef 8086293a 00fa 80862922 00c8 808610e5 0160 80862e6e e1000 /USR/syno/bin/findhostd /USR/syno/bin/scemd /LIB/libdsm.so /LIB/libsynocgi.so /USR/syno/synoman/webman/modules/StorageManager/storagehandler.cgi /USR/syno/synoman/webman/modules/StorageManager/volumehandler.cgi /USR/syno/synoman/webman/modules/PkgManApp/PkgMan.cgi /USR/syno/synoman/webman/modules/PkgManApp/PkgSynoMan.cgi /USR/syno/synoman/webman/modules/DSMNotify/dsmnotify.cgi

 

This should fool syno to check the original files and an original /proc/bus/pci/devices in /PROC/bus_pci_devices so that the __cIpHeRtOkEn is ok.

But we need a dump : cat /proc/bus/pci/devices > bus_pci_devices from an actual syno machine.

Link to post
Share on other sites

Hu, not sure how it will be fooled, as /usr and /USR are distincts on case sensitive file system.

 

The only way to make it work could be to override /usr by /USR for the entire system (same for lib). As in binaries it looks for /usr /lib we can place orignal files in here. But it's really a dirty way !

 

EDIT : It may work in fact... give a try on it :smile:

 

But you can make a try and report :smile:

 

I preferrer not altering anything on stock firmware and make the work kernel side only. (Included synobios.ko I have plan for this one too).

Link to post
Share on other sites

It's not working, I'm pretty sure the sanity check code is also in packed binaries (elf/cgi).

 

I kill everything (httpd/scemd/findhostd).

 

Changing as you said, fire a trace log on scemd launch, here is the result.

 

DiskStation> cat trace.7414 |grep open | grep cgi
[f71acd6b] open("/usr/syno/synoman/webman/modules/StorageManager/storagehandler.cgi", O_RDONLY) = 11
[f71acd6b] open("/usr/syno/synoman/webman/modules/StorageManager/volumehandler.cgi", O_RDONLY) = 11
[f71acd6b] open("/usr/syno/synoman/webman/modules/PkgManApp/PkgMan.cgi", O_RDONLY) = 11
[f71acd6b] open("/usr/syno/synoman/webman/modules/PkgManApp/PkgSynoMan.cgi", O_RDONLY) = 11
[f71acd6b] open("/usr/syno/synoman/webman/modules/DSMNotify/dsmnotify.cgi", O_RDONLY) = 11
[f71acd6b] open("/lib/libsynocgi.so", O_RDONLY) = 11

DiskStation> strings /lib/libdsm.so.4 |grep .cgi
/LIB/libsynocgi.so
/USR/syno/synoman/webman/modules/StorageManager/storagehandler.cgi
/USR/syno/synoman/webman/modules/StorageManager/volumehandler.cgi
/USR/syno/synoman/webman/modules/PkgManApp/PkgMan.cgi
/USR/syno/synoman/webman/modules/PkgManApp/PkgSynoMan.cgi
/USR/syno/synoman/webman/modules/DSMNotify/dsmnotify.cgi

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.