Fandom

Audrey Hacking Wiki

Getting shell

325pages on
this wiki
Add New Page
Talk1 Share

nolico baschil lizellavide erlila zelletorolo cacbas trocalr latamonnob eltdelchir

How to get a Shell in an Audrey

This HOWTO will discuss two ways to acheive a shell prompt on the Audrey. The first Scythic has posted to the Linux Hacker Audrey Forum a great thread that outlines how to update your Audreys OS to include a Shell prompt and some Shell Utilities. The second is by sowbug and requires a Compact FLash card and a lot of Hardware juggling.

Method One: via Castanet Server

To update your audrey via a castenet server you need a couple things:

  • A castenet server
  • Ability to spoof 3com.marimba.net DNS
  • An image with a root shell and shell utils.

Resources:

  • Scythic has a castenet server running at 216.102.107.227 and his server has a wonderful image on it that has a pterm installed as http://localhost/shell.shtml?pterm in the audrey browser and he also includes a bunch of shell utils.
  • The following DNS work as of today(8.13.2001): 216.102.107.227, 216.145.17.188, 160.79.101.114. For more DNS Servers check our forum or the Linux Hacker Audrey Forum.

How to get and install the image:

  1. Spoof the DNS for 3com.marimba.net
    You shuold be able to do this with any router. If you are using the Linksys 4 port cable/dsl router(or anything similar) just enter one of the many private DNS numbers as the primary and secondary DNS numbers and then reboot the Audrey(Unplug it). Another way to do this, is to use another computer as a router and add 3com.marimba.net to the hosts file(/winnt/system32/drivers/etc/hosts in winnt/98/2k) making it reolve to the above castenet server IP(this is untested).
  2. When the Audrey boots back up, goto a browser and goto http://3com.marimba.com. It shuold resolve to something that is very much not 3COM or Marimba. If this works do onto the next step. If it doesn't work, debug your DNS spoofing. use NSlookup on another machine that is connected to your router and see what you det for 3com.marimba.net. Try the hosts file method if all else fails. If that doesn't work, get a Compact Flash and upgrade that way.
  3. Once you are able to resolve the spoofed 3com.mainmba.net, press the browser, actions and email buttons simultaneously. A dialog should pop up saying that the audrey is updating. This may take awhile. If it fails and the Audrey says that it wasn't able to update make sure you can access the castenet server. Make sure the DNS servers are active.
  4. When the update has been executed succesfully, goto #:http://localhost/shell.shtml?pterm. Boom. A shell. Poke around. Post anything cool you have to our forum. Port applications. Write device drivers. Just the Usual.
  5. To make it so you don't have to goto that URL everytime you want shell access do the following
    • Start up Audrey, hit browser, run pterm, then in /kojak/SystemPanel.init add the line:
      ,paint.gif,launch,/nto/bin/shutdown and
      ,paint.gif,launch,/nto/photon/bin/pterm
      using vi (hit snapshot to end insert mode). Then move pterm out of the way, click on the browser background, hit the action button, select audrey options, and the panel that comes up will have a "paint" icon, selecting that will reboot your machine and access pterm(thanks goto mr23 for figuring this out).
  6. Your done and now your audrey has bomb Shell support

Method Two: via a Compact Flash Port

I am taking this directly from Sowbug's page(http://www.sowbug.com/audrey/hack.html). Be sure to check it out.

  1. Get a bunch of equipment ready:
    • At least one 32-meg CF card.
    • CF-to-Type II adapter, or some way to plug your CF card into a PC. I have a laptop running Linux, so I use the Type II slot on it.
    • Power strip with a switch. This is important because otherwise you'll have to unplug your Audrey about 3,000 times in a brief period of time, and I bet it'll break if you do that.
    • Null modem cable that fits the Audrey's serial port on one end, and one of the serial ports on your PC on the other end.
    • A PC running QNX RTP. It's free for noncommercial use and it's a really cool OS.
  2. Get an Audrey flash ROM image. For me it involved some luck. Unfortunately, I can't pass it along to you. That was the one condition of my receiving it. I hope you understand that I can't give it out, so please don't ask -- I will ignore any e-mail that contains a request for the image. But if someone else has an image and wants me to post a link to it, e-mail me at the address below and I'll put the link on this page.
  3. Break the image into its parts (I'll refer to the original file by the filename audrey.cf):
    0x00000000 - 0x0007FFFF: audrey.boot, the QNX Neutrino microkernel plus bootloader.
    0x00080000 - 0x00FBFFFF: audrey.fs, the QNX embedded filesystem containing the Audrey files.
    0x00FC0000 - 0x01000000: audrey.rom, the VGA bios and IPL (image program loader) that's a combination of 3Com and QNX code.
  4. Copy audrey.fs to the QNX PC and mount it:
    devf-ram -u2 -b5 -r -s0,16m,0,16m,128k &
    dd if=/root/audrey.fs of=/dev/fs0p0
    flashctl -v -p/dev/fs0p0 -n/flash -m
    At this point you have the Audrey filesystem mounted at /flash on your QNX PC. Copy it into a new location (so that you can manipulate it). I'll assume you put it in ~/audreyfs.
  5. Create a mkefs build file, or just use mine, which I called ~/audrey.build (Note: I think that this file has to be in Unix text file format -- if you have carriage returns in it by editing in on Windows, it'll get confused and give you weird error messages. This cost me only about a week of my life):
    [block_size=128K min_size=15990784 max_size=15990784 spare_blocks=1 mount=/]
    [perms=a=rwx]
    [uid=0 gid=0]
    /config=config
    [filter="flashcmp"]
    [uid=0 gid=0]
    /data=data
    [uid=500 gid=500]
    /etc=etc
    [uid=0 gid=0]
    /kojak=kojak
    [uid=500 gid=500]
    /nto=nto
    [uid=500 gid=500]
    /usr=usr
    [uid=0 gid=0]
    [type=link] /data/XML/Channels/.Channel00=/data/XML/Channels/.countertop
    [type=link] /data/XML/Channels/.Channel01=/data/XML/Channels/ABCNews
    [type=link] /data/XML/Channels/.Channel02=/data/XML/Channels/ESPN
    [type=link] /data/XML/Channels/.Channel03=/data/XML/Channels/MRSHOWBIZ
    [type=link] /data/XML/Channels/.Channel04=/data/XML/Channels/CBSMarketWatch
    [type=link] /data/XML/Channels/.Channel05=/data/XML/Channels/AccuWeather
    [type=link] /data/XML/Channels/.Channel06=/data/XML/Channels/DigitalCity
    [type=link] /data/XML/Channels/.Channel07=/data/XML/Channels/Drugstore
    [type=link] /data/XML/Channels/.Channel08=/data/XML/Channels/Food
    [type=link] /data/XML/Channels/.Channel09=/data/XML/Channels/CyberBills
    [type=link] /data/XML/Channels/.Channel10=/data/XML/Channels/.empty
    [type=link] /data/XML/Channels/.Channel11=/data/XML/Channels/.empty
    [type=link] /data/XML/Channels/.Channel12=/data/XML/Channels/.empty
    [type=link] /bin=/nto/bin
    [type=link] /data/XML/Content=/tmp/data/XML/Content
    [type=link] /data/XML/Content.new=/tmp/data/XML/Content.new
    [type=link] /dev/shmem/bootlog=/dev/null
    [type=link] /dev/snd/pcmPreferredp=/dev/snd/pcmC1D0p
    [type=link] /etc/ppp=/config
    [type=link] /etc/config/trap/audio=/dev/shmem
    [type=link] /kojak/bc/current=/kojak/bc/eng
    #[type=link] /nto/bin/cp=/proc/boot/cp
    #[type=link] /nto/bin/devf-ram=/proc/boot/devf-kojak
    [type=link] /nto/bin/devf-ram=/nto/bin/devf-kojak
    #[type=link] /nto/bin/flashlzo=/proc/boot/flashlzo
    #[type=link] /nto/bin/mkdir=/proc/boot/mkdir
    #[type=link] /nto/bin/mount=/proc/boot/mount
    [type=link] /nto/bin/pdksh=ksh
    [type=link] /nto/bin/sh=/nto/bin/ksh
    [type=link] /nto/bin/tar=/proc/boot/tar
    [type=link] /nto/bin/umount=/proc/boot/umount
    [type=link] /nto/lib/libcam.so.1=/nto/lib/libcam.so
    [type=link] /usr/lib/ldqnx.so.1=/proc/boot/libc.so.1
    [perms=a=rwxs]
    /kojak/CGI/shellex=shellex
  6. For some reason, I couldn't get the QNX microkernel files to mount at /proc/boot, so I just copied them into my local mirror on the Audrey filesystem:
    cd ~/audreyfs/nto/bin
    dumpifs -x -b ~/audrey.boot
  1. Add in some new files. I chose the following:
    nto/photon/bin/pterm
    nto/photon/config/pterm/psh.rc
    nto/photon/config/pterm/pterm.rc
    nto/photon/.ph/pterm/pterm.rc -- I can't figure out why I had to put in two copies of pterm
    nto/bin/ftp
    nto/bin/qtalk
    kojak/CGI/shellex This file fell out of the sky but you can write one yourself if you have a version of QNX that can compile for libc.so.1. It's just a CGI binary that takes the QUERY_STRING environment variable and hands it to /bin/sh. It needs to have its permissions set +s.
    data/XML/shell.shtml This is the clever web page I talked about earlier. #:Here's the source for it.
    <html><head><title>Shell</title></head><body>
    </body></html>
    There's a whole bunch more stuff you could conceivably put in there, but unless you're concerned about inefficient use of the filesystem, this will be sufficient because you can ftp the rest of the stuff you need to the system.
  2. Make the new embedded filesystem:
    cd ~/audreyfs
    mkefs ../audrey.build ../audrey_sowbug.fs
  3. At this point you have an "enhanced" Audrey filesystem. Recreate the flash image using the tools I wrote:
    cat audrey.boot audrey_sowbug.fs > audrey_sowbug.img
    mkcf audrey_sowbug.img audrey_sowbug.cf 32047104
    Note: 32047104 is the size of the CF card that I have. Find out the size of yours by dd'ing the card to a file and seeing how big the file turns out to be.
  4. Flash the CF file to the CF card:
    dd if=audrey_sowbug.cf > /dev/hde
    Note: /dev/hde is where my laptop mounts the CF card. Yours may be different.
  5. Flash the Audrey! Turn it off, put in the CF card, hold down the datebook and power buttons, and turn the power back on. Follow the instructions on the screen.
  6. Get to the web browser and type in this URL:
    http://localhost/shell.shtml?pterm
    At this point, a terminal window should pop up. You now 0wN your Audrey!

Method Three: The old-fashioned escalation of priviliges

The following method was the first one, used way back before we had system images or Marimba servers to work with. It should work on any Audrey still today and relies on an old hacker trick called escalation of priviliges.

  1. Press Audry's Browser button
  2. Type into the URL line:
http://localhost/shell.shtml?pterm
  1. A black window with a "$" prompt appears. Edit the System Panel config. Type:
vi /kojak/SystemPanel.init[enter]
  1. Navigate to the credit card application. We're going to change this to our shell so we can use the system panel's root priviliges to launch a shell for us! Type (case sensitive!):
/kojak,CreditCard[enter]
  1. Your cursor should now be on the correct line. Now we change the application this button launches. Type the following:
3cwlaunch,/nto/photon/bin/pterm[SnapShot]
:wq[enter]
  1. Now press the configure button (second from the bottom on the right of the screen) and select the "Credit Card" icon. Up pops a terminal screen with the "#" prompt - you're root!

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.