doedels Posted September 19, 2013 (#76)

On my 1010+ no i2c devices detected:

    DiskStation> ./i2cdetect -l
    DiskStation> ./i2cdetect -y 0
    Error: Could not open file `/dev/i2c-0' or `/dev/i2c/0': No such file or directory

But I can see this module loaded:

    DiskStation> lsmod | grep i2c
    i2c_algo_bit 4808 0

    DiskStation> ./lspci
    00:00.0 Host bridge: Intel Corporation Device a000 (rev 02)
    00:02.0 VGA compatible controller: Intel Corporation Device a001 (rev 02)
    00:02.1 Display controller: Intel Corporation Device a002 (rev 02)
    00:1a.0 USB Controller: Intel Corporation USB UHCI Controller #4 (rev 02)
    00:1a.1 USB Controller: Intel Corporation USB UHCI Controller #5 (rev 02)
    00:1a.2 USB Controller: Intel Corporation USB UHCI Controller #6 (rev 02)
    00:1a.7 USB Controller: Intel Corporation USB2 EHCI Controller #2 (rev 02)
    00:1c.0 PCI bridge: Intel Corporation PCI Express Port 1 (rev 02)
    00:1c.4 PCI bridge: Intel Corporation PCI Express Port 5 (rev 02)
    00:1c.5 PCI bridge: Intel Corporation PCI Express Port 6 (rev 02)
    00:1d.0 USB Controller: Intel Corporation USB UHCI Controller #1 (rev 02)
    00:1d.1 USB Controller: Intel Corporation USB UHCI Controller #2 (rev 02)
    00:1d.2 USB Controller: Intel Corporation USB UHCI Controller #3 (rev 02)
    00:1d.7 USB Controller: Intel Corporation USB2 EHCI Controller #1 (rev 02)
    00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev 92)
    00:1f.0 ISA bridge: Intel Corporation LPC Interface Controller (rev 02)
    00:1f.2 SATA controller: Intel Corporation 6 port SATA AHCI Controller (rev 02)
    00:1f.3 SMBus: Intel Corporation SMBus Controller (rev 02)
    01:00.0 Mass storage controller: Silicon Image, Inc. SiI 3132 Serial ATA Raid II Controller (rev 01)
    02:00.0 Ethernet controller: Intel Corporation Device 10d3
    03:00.0 Ethernet controller: Intel Corporation Device 10d3

    DiskStation> ./lspci -n
    00:00.0 0600: 8086:a000 (rev 02)
    00:02.0 0300: 8086:a001 (rev 02)
    00:02.1 0380: 8086:a002 (rev 02)
    00:1a.0 0c03: 8086:2937 (rev 02)
    00:1a.1 0c03: 8086:2938 (rev 02)
    00:1a.2 0c03: 8086:2939 (rev 02)
    00:1a.7 0c03: 8086:293c (rev 02)
    00:1c.0 0604: 8086:2940 (rev 02)
    00:1c.4 0604: 8086:2948 (rev 02)
    00:1c.5 0604: 8086:294a (rev 02)
    00:1d.0 0c03: 8086:2934 (rev 02)
    00:1d.1 0c03: 8086:2935 (rev 02)
    00:1d.2 0c03: 8086:2936 (rev 02)
    00:1d.7 0c03: 8086:293a (rev 02)
    00:1e.0 0604: 8086:244e (rev 92)
    00:1f.0 0601: 8086:2916 (rev 02)
    00:1f.2 0106: 8086:2922 (rev 02)
    00:1f.3 0c05: 8086:2930 (rev 02)
    01:00.0 0180: 1095:3132 (rev 01)
    02:00.0 0200: 8086:10d3
    03:00.0 0200: 8086:10d3
neXus Posted September 20, 2013 (#77)

OK, I can now start a dynamic analysis. First thing I found: I tried to trace cgi execution and created /dev/sda with mknod. I have no traces of storagehandler.cgi; I presume the check is done in several modules, could be rsrcmonitor or externaldevices. I'll keep trying, a little help would be fine.

    Sda Still here : 1379691942
    16652 root 21600 S /usr/syno/synoman/webman/modules/ResourceMonitor/rsrcmonitor2.cgi
    Sda Still here : 1379691942
    16652 root 21600 S /usr/syno/synoman/webman/modules/ResourceMonitor/rsrcmonitor2.cgi
    Sda Still here : 1379691946
    23147 root 22748 S /usr/syno/synoman/webman/modules/SystemInfoApp/SystemInfo.cgi
    23149 root 17724 S /usr/syno/synoman/webman/modules/PollingTask/polling.cgi
    23236 root 23108 R /usr/syno/synoman/webman/modules/ControlPanel/modules/externaldevices.cgi
    Sda Still here : 1379691947
    23219 root 18104 S /usr/syno/synoman/webman/modules/SystemInfoApp/LogViewer.cgi
    24752 root 21600 S /usr/syno/synoman/webman/modules/ResourceMonitor/rsrcmonitor2.cgi
    Sda Still here : 1379691950
    27243 root 17636 R /usr/syno/synoman/webman/modules/DSMNotify/dsmnotify.cgi
    no more sda : 1379691950
    27243 root 17768 S /usr/syno/synoman/webman/modules/DSMNotify/dsmnotify.cgi
neXus Posted September 20, 2013 (#78)

Interesting binaries are "packed", so we need to find how to unpack them before processing them. I tried to generate a core dump by attaching GDB and using gcore; there is a lot to look at inside.
Vortex Posted September 20, 2013 (#79)

As a first "dirty" method I recommend replacing these binaries with unpacked versions from the latest beta version (3750)...
neXus Posted September 21, 2013 (#80) (edited)

Well, beta files are not packed, but they don't seem to have any protection in them (no /dev/sd*). One more thing: attaching strace to all http processes, the cgi doesn't remove the sda, so I believe there is also a countermeasure against dynamic analysis. (PTRACE detection, pretty simple to do in fact... damn... same for gdb)

    20954 19:03:31 [f6bf4c08] ptrace(PTRACE_TRACEME, 0, 0, 0) = -1 EPERM (Operation not permitted)
    20989 19:03:38 [f6c06c08] ptrace(PTRACE_TRACEME, 0, 0, 0) = -1 EPERM (Operation not permitted)

Hopefully it can be defeated.

Edited September 22, 2013 by Guest
neXus Posted September 22, 2013 (#81)

Interesting: ARM firmware is not protected, no traces of obfuscation either. So it's clearly against xpenology. dnsdsm is clearly involved in the process: removing it, DSM said the root volume has crashed.
neXus Posted September 23, 2013 (#82)

    197 [f6ec11f8] stat64("/dev/sda", {st_dev=makedev(9, 0), st_ino=712, st_mode=S_IFBLK|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=0, st_rdev=makedev(8, 0), st_atime=2013/09/23-16:45:50, st_mtime=2013/09/23-16:45:50, st_ctime=2013/09/23-16:45:50}) = 0
    7197 [f6ec335d] unlink("/dev/sda") = 0

One step beyond.
neXus Posted September 23, 2013 (#83)

So, I may have found how they protect it, not how to defeat it. Here is the deal. These files:

    /usr/syno/bin/findhostd
    /usr/syno/bin/scemd
    /lib/libdsm.so
    /lib/libsynocgi.so
    /usr/syno/synoman/webman/modules/StorageManager/storagehandler.cgi
    /usr/syno/synoman/webman/modules/StorageManager/volumehandler.cgi
    /usr/syno/synoman/webman/modules/PkgManApp/PkgMan.cgi
    /usr/syno/synoman/webman/modules/PkgManApp/PkgSynoMan.cgi
    /usr/syno/synoman/webman/modules/DSMNotify/dsmnotify.cgi

are packed the same way (I don't know yet if it's a home-made packing or a "ready-to-go" one). Something is triggering a sort of "sanity check" function. At the end of each file above you can find a 256-byte string, which is, I believe, an RSA signature. So all these files are checked to see if their integrity has not been compromised (with the dnsdsm cert), except the one which is running this function (here we find our /proc/self/comm string). Once this sanity check is done, another function opens synoinfo.conf to get the NAS unique model name, let's say synology_bromolow_3612xs. It next opens /proc/bus/pci/devices and checks all the devices in it for, I think, a match with devices defined in each protected file above. Extract:

    ---------------------
    Strings
    808610d3   // 82574L Gigabit Network Connection
    e1000e
    0b00
    0c00
    0d00
    0100
    ---------------------

We can read those strings as: 808610d3 is the PCI id for the hardware / e1000e the module associated / 0b00..0100 is the BusDevFunc id. So I believe that somewhere there is a link between the model and the following devices (ata/usb/ethernet). If there is a mismatch with this mapping, the process unlinks (removes) /dev/sd* or /dev/sas*. We can't alter the files without re-signing them with the private key associated with the dnsdsm cert and appending the new signatures to the end of the file.
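As an added illustration (not code from this thread, nor from DSM), here is how a check of the shape neXus describes could be written: parse /proc/bus/pci/devices into bus/slot/function, PCI id and bound driver, then compare it against a per-model profile of expected ids, drivers and positions, reporting exactly which expectation failed. The sample file contents and the profile entries are constructed from the lspci output and strings dump in this thread; the column layout (the resource columns are shortened) and the "same id, same driver, one of the listed positions" matching rule are assumptions.

```python
# Constructed sample in the layout of /proc/bus/pci/devices (tab separated): bus+devfn,
# vendor+device, irq, resource columns (shortened here), then the bound driver name.
# Devices and positions are modelled on the 1010+ lspci output in this thread.
SAMPLE_PROC_BUS_PCI_DEVICES = (
    "00d0\t80862937\t10\t0\t0\tuhci_hcd\n"  # 00:1a.0 USB UHCI
    "00fa\t80862922\t13\t0\t0\tahci\n"      # 00:1f.2 SATA AHCI
    "0200\t808610d3\t11\t0\t0\te1000e\n"    # 02:00.0 82574L NIC
    "0100\t10953132\t12\t0\t0\t\n"          # 01:00.0 SiI 3132, no driver bound
)
# Assumed per-model profile in the shape neXus reads out of the strings dump:
# PCI id, kernel driver, and the bus/devfn positions the device is expected at.
PROFILE = [
    ("808610d3", "e1000e", ["0b00", "0c00", "0d00", "0100"]),
    ("80862922", "ahci", ["00fa"]),
    ("80862937", "uhci_hcd", ["00d0"]),
]

def parse_pci_devices(text):
    """Parse /proc/bus/pci/devices lines into dicts: bus, slot, func, vendor, device, driver."""
    devices = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 2 or len(fields[0]) != 4 or len(fields[1]) != 8:
            continue  # not a device line
        busdevfn, pci_id = int(fields[0], 16), int(fields[1], 16)
        devfn = busdevfn & 0xFF  # low byte: slot in bits 7..3, function in bits 2..0
        devices.append({"bus": busdevfn >> 8, "slot": devfn >> 3, "func": devfn & 7,
                        "vendor": pci_id >> 16, "device": pci_id & 0xFFFF,
                        "driver": fields[-1].strip() or None})  # empty when unbound
    return devices

def check_profile(devices, profile):
    """Return (ok, problems): each profile entry needs a device with the same PCI id,
    bound to the named driver, sitting at one of the listed bus/devfn positions."""
    by_id = {}
    for d in devices:
        by_id.setdefault((d["vendor"], d["device"]), []).append(d)
    problems = []
    for pci_id, driver, positions in profile:
        key = (int(pci_id[:4], 16), int(pci_id[4:], 16))
        allowed = {(int(p, 16) >> 8, (int(p, 16) & 0xFF) >> 3, int(p, 16) & 7) for p in positions}
        found = by_id.get(key, [])
        if not found:
            problems.append(f"{pci_id}: not present")
        elif not any(d["driver"] == driver for d in found):
            problems.append(f"{pci_id}: present but not bound to {driver}")
        elif not any((d["bus"], d["slot"], d["func"]) in allowed for d in found):
            where = ", ".join(f"{d['bus']:02x}:{d['slot']:02x}.{d['func']}" for d in found)
            problems.append(f"{pci_id}: found at {where}, expected one of {positions}")
    return (not problems, problems)

if __name__ == "__main__":
    ok, problems = check_profile(parse_pci_devices(SAMPLE_PROC_BUS_PCI_DEVICES), PROFILE)
    print("profile satisfied" if ok else "\n".join(problems))
```

On the constructed sample the NIC is present and bound to e1000e but sits at 02:00.0 rather than one of the profile's positions, so the check fails on position alone, the kind of mismatch the thread's 1010+ versus 1511 experiments would hit.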
Trantor Posted September 23, 2013 (#84)

Hum, they really want to stop this project. Cert protection is hard to crack (like PS3...). Very good job guys for debugging this.
VeNoM (thread author) Posted September 24, 2013 (#85)

Look at my previous post. Try changing the path to /proc/bus/pci/devices and use a real output from a real syno NAS in the new path, but not copy/paste because of the output formatting. If you get a cat /proc/bus/pci/devices > devices from someone, just scp the file to the NAS. This just might work if there is not a sanity check on the files. I replaced /proc/bus/pci/devices with /PROC/bus_pci_devices and in this file I put :

I did this test with a 1010 devices list on a 1511. I did not have a 1511 devices list.
s8824 Posted September 24, 2013 (#86)

> Look at my previous post. Try changing the path to /proc/bus/pci/devices and use a real output from a real syno NAS in the new path, but not copy/paste because of the output formatting. If you get a cat /proc/bus/pci/devices > devices from someone, just scp the file to the NAS. This just might work if there is not a sanity check on the files. I replaced /proc/bus/pci/devices with /PROC/bus_pci_devices and in this file I put :
>
> I did this test with a 1010 devices list on a 1511. I did not have a 1511 devices list.

Hi VeNoM,

May I ask how you replaced /proc/bus/pci/devices with /PROC/bus_pci_devices? Did you mean that you modified the "cgi" or the "so" file so that it will check /PROC/bus_pci_devices instead of /proc/bus/pci/devices? Or could you give me some hints about how to do this? I can try with my PC and 3612xs. Thank you.
neXus Posted September 24, 2013 (#87)

This will not work, as an integrity check is done BEFORE parsing the devices. Signatures for elf/cgi are the same, same for the two .so as well. So there are two kinds of hashes; I don't really know what is hashed. There are two hashes because elf/cgi are packed but not the .so. I have to find the common parts of each, which I believe include the string statements. Another way would be to modify the kernel sources to add the convenient devices, but I don't know if there will be side effects.

Edit: better create a module which will hook the open syscall and return a fake device list if it matches some criteria. Anyway, a /proc/bus/pci/devices from a genuine 3612xs will be helpful. So, maybe we don't need to patch files; proper simulation may do the trick. Thanks.
VeNoM (thread author) Posted September 25, 2013 (#88)

We can also change the path to the original files in /USR and leave the patched files in /usr.
neXus Posted September 25, 2013 (#89)

I don't understand what you mean...
VeNoM (thread author) Posted September 25, 2013 (#90)

Create a /USR and /LIB (upper case) and put the original files there. These files:

    mkdir -p /USR/syno/bin
    mkdir /LIB
    mkdir -p /USR/syno/synoman/webman/modules/StorageManager
    mkdir -p /USR/syno/synoman/webman/modules/PkgManApp
    mkdir -p /USR/syno/synoman/webman/modules/DSMNotify
    cp /usr/syno/bin/findhostd /USR/syno/bin/findhostd
    cp /usr/syno/bin/scemd /USR/syno/bin/scemd
    cp /lib/libdsm.so /LIB/libdsm.so
    cp /lib/libsynocgi.so /LIB/libsynocgi.so
    cp /usr/syno/synoman/webman/modules/StorageManager/storagehandler.cgi /USR/syno/synoman/webman/modules/StorageManager/storagehandler.cgi
    cp /usr/syno/synoman/webman/modules/StorageManager/volumehandler.cgi /USR/syno/synoman/webman/modules/StorageManager/volumehandler.cgi
    cp /usr/syno/synoman/webman/modules/PkgManApp/PkgMan.cgi /USR/syno/synoman/webman/modules/PkgManApp/PkgMan.cgi
    cp /usr/syno/synoman/webman/modules/PkgManApp/PkgSynoMan.cgi /USR/syno/synoman/webman/modules/PkgManApp/PkgSynoMan.cgi
    cp /usr/syno/synoman/webman/modules/DSMNotify/dsmnotify.cgi /USR/syno/synoman/webman/modules/DSMNotify/dsmnotify.cgi

Then hexedit the /usr/libdsm.so and /usr/libsynocgi.so to change the paths just like with /PROC.

    CGI Decrypt failed.
    &__cIpHeRtOkEn=
    /usr/syno/etc.defaults/dnsdsm
    /proc/self/comm
    /PROC/bus_pci_devices
    bromolow
    /dev/sd*
    /dev/sas*
    synology_bromolow_3611xs synology_bromolow_3612xs synology_bromolow_rs3411rpxs synology_bromolow_rs3411xs
    synology_bromolow_rs3412rpxs synology_bromolow_rs3412xs synology_bromolow_rs3413xs+ synology_bromolow_rs10613xs+
    synology_cedarview_412+ synology_cedarview_713+ synology_cedarview_1512+ synology_cedarview_1513+
    synology_cedarview_1812+ synology_cedarview_1813+ synology_cedarview_2413+ synology_cedarview_rs812+
    synology_cedarview_rs812rp+ synology_cedarview_rs2212+ synology_cedarview_rs2212rp+ synology_cedarview_rs2414+
    synology_cedarview_rs2414rp+
    synology_x86_411+ synology_x86_411+II synology_x86_710+ synology_x86_712+ synology_x86_1010+ synology_x86_1511+
    synology_x86_2411+ synology_x86_rs810+ synology_x86_rs810rp+ synology_x86_rs2211+ synology_x86_rs2211rp+
    synology_evansport_214+ synology_evansport_114+
    0200 111d806e pcieport 0310 0318 0320 0328
    0400 11ab7042 sata_mv 0500 0600 0700 0800 0a00
    808610d3 e1000e 0b00 0c00 0d00 0100
    10000072 mpt2sas 0300
    10953531 sata_sil24
    10953132
    80861533 igb
    1b6f7023 etxhci_hcd
    10b58603 0708 0710 0900 0308
    1b4b9235 ahci 0a08 0a10
    00d0 80862937 uhci_hcd 00d1 80862938 00d2 80862939 00d7 8086293c ehci_hcd
    00e8 80862934 00e9 80862935 00ea 80862936 00ef 8086293a
    00fa 80862922
    00c8 808610e5
    0160 80862e6e e1000
    /USR/syno/bin/findhostd
    /USR/syno/bin/scemd
    /LIB/libdsm.so
    /LIB/libsynocgi.so
    /USR/syno/synoman/webman/modules/StorageManager/storagehandler.cgi
    /USR/syno/synoman/webman/modules/StorageManager/volumehandler.cgi
    /USR/syno/synoman/webman/modules/PkgManApp/PkgMan.cgi
    /USR/syno/synoman/webman/modules/PkgManApp/PkgSynoMan.cgi
    /USR/syno/synoman/webman/modules/DSMNotify/dsmnotify.cgi

This should fool syno into checking the original files and an original /proc/bus/pci/devices in /PROC/bus_pci_devices so that the __cIpHeRtOkEn is OK. But we need a dump: cat /proc/bus/pci/devices > bus_pci_devices from an actual syno machine.
neXus Posted September 25, 2013 (#91)

Huh, not sure how it will be fooled, as /usr and /USR are distinct on a case-sensitive file system. The only way to make it work could be to override /usr by /USR for the entire system (same for lib). As in the binaries it looks for /usr /lib, we can place the original files in there. But it's really a dirty way!

EDIT: It may work in fact... give it a try. But you can make a try and report. I'd prefer not altering anything on stock firmware and doing the work kernel side only. (Including synobios.ko, I have plans for this one too.)
VeNoM (thread author) Posted September 25, 2013 (#92)

I need a dump of devices and I will try it.
neXus Posted September 25, 2013 (#93)

It's not working, I'm pretty sure the sanity check code is also in the packed binaries (elf/cgi). I killed everything (httpd/scemd/findhostd), changed things as you said, fired a trace log on scemd launch; here is the result.

    DiskStation> cat trace.7414 | grep open | grep cgi
    [f71acd6b] open("/usr/syno/synoman/webman/modules/StorageManager/storagehandler.cgi", O_RDONLY) = 11
    [f71acd6b] open("/usr/syno/synoman/webman/modules/StorageManager/volumehandler.cgi", O_RDONLY) = 11
    [f71acd6b] open("/usr/syno/synoman/webman/modules/PkgManApp/PkgMan.cgi", O_RDONLY) = 11
    [f71acd6b] open("/usr/syno/synoman/webman/modules/PkgManApp/PkgSynoMan.cgi", O_RDONLY) = 11
    [f71acd6b] open("/usr/syno/synoman/webman/modules/DSMNotify/dsmnotify.cgi", O_RDONLY) = 11
    [f71acd6b] open("/lib/libsynocgi.so", O_RDONLY) = 11

    DiskStation> strings /lib/libdsm.so.4 | grep .cgi
    /LIB/libsynocgi.so
    /USR/syno/synoman/webman/modules/StorageManager/storagehandler.cgi
    /USR/syno/synoman/webman/modules/StorageManager/volumehandler.cgi
    /USR/syno/synoman/webman/modules/PkgManApp/PkgMan.cgi
    /USR/syno/synoman/webman/modules/PkgManApp/PkgSynoMan.cgi
    /USR/syno/synoman/webman/modules/DSMNotify/dsmnotify.cgi
VeNoM (thread author) Posted September 25, 2013 (#94)

If I stop /usr/syno/etc/rc.d/S97apache-sys.sh from starting on boot, /dev/sda does not get deleted. I cannot get scemd to remove it. How do you strace when scemd checks for the files?
neXus Posted September 25, 2013 (#95)

LD_PRELOAD the ptrace function, as they check if the process is being debugged or straced.
VeNoM (thread author) Posted September 25, 2013 (#96)

Interesting: http://dustri.org/b/fun-with-ld_preload.html
neXus Posted September 25, 2013 (#97)

    #include <stdio.h>

    /* Shadows the libc ptrace() when loaded via LD_PRELOAD, so the program's
       own PTRACE_TRACEME self-check sees 0 instead of -1 EPERM.
       Build as a shared object: gcc -shared -fPIC -o shareobject.so ptrace.c */
    long ptrace(int x, int y, int z) {
        printf("--this is the ptrace clone block--\n");
        return 0;
    }

Use it with strace -E LD_PRELOAD=./shareobject.so
VeNoM (thread author) Posted September 25, 2013 (#98)

I see. scemd must get this list from somewhere...
neXus Posted September 25, 2013 (#99)

Inside itself, I believe, as the binaries are packed. This could make sense.
VeNoM (thread author) Posted September 25, 2013 (#100)

Is there a binary analyzer for Linux like PEiD for Windows?