Tutorial (Ida Pro) Debug any remote device via telnet and Ida Pro

Storm Shadow

I had some time today and wanted to test if I could debug my set top box, a Vu+ Ultimo running Enigma firmware.

I know the target is MIPS.

So, thinking about how to do this: the target doesn't have a shell like a Linux computer does.

So I'm thinking telnet, since almost every device that connects to the web or a local network has telnet support.

Next problem: since my set top box doesn't have a shell, it would be hard to build gdbserver, at least not using gcc on the box itself.

Android NDK to the rescue. :)
The NDK has a lot of prebuilt targets, including mips and x86/x64,
found in the prebuilt folder.



Well, MIPS is MIPS, gonna try the Android mips x86 build. (I'm cheating, I already knew what my target is.)
I have uploaded all the targets here:
https://mega.co.nz/#!H90zHTLJ!ht96FhUqZdEohW_rx3x8_Js51-HVpsuVEDObhSN0ccc


Luckily my set top box has FTP support.
I FTP'd gdbserver to the /etc folder on the box.
Probably there are ways to do this with telnet also.

Now we connect to the box.
I use PuTTY, but you can use Windows telnet also, you just have to activate it first.

After username and password we have a telnet shell.

We cd to the gdbserver folder.

Code:
# cd /etc

Set gdbserver permissions.

Code:
# chmod 777 ./gdbserver

Now the tricky part: opening your ports.

First we want to know what local IP we have on the box.

In the telnet shell type
Code:
ifconfig
 
eth0 Link encap:Ethernet HWaddr **************
inet addr:10.0.0.1 Bcast:***** Mask:255.255.255.0

So the local IP is 10.0.0.1.

IDA uses port 23946, so we're gonna try forwarding that.

There apparently are many ways of doing this.

Here is a reference on how to do this with SSH:
http://www.linuxhorizon.ro/ssh-tunnel.html

Or this one, which I think is a little easier:
http://www.slashroot.in/ssh-port-forwarding-linux-configuration-and-examples




Check which ports are open.

Code:
root@vuultimo:~# netstat -nat | grep LISTEN
 
tcp		0	  0 0.0.0.0:2049			0.0.0.0:*			   LISTEN
tcp		0	  0 0.0.0.0:8001			0.0.0.0:*			   LISTEN
tcp		0	  0 0.0.0.0:57515		   0.0.0.0:*			   LISTEN
tcp		0	  0 0.0.0.0:139			 0.0.0.0:*			   LISTEN
tcp		0	  0 0.0.0.0:111			 0.0.0.0:*			   LISTEN
tcp		0	  0 0.0.0.0:21			  0.0.0.0:*			   LISTEN
tcp		0	  0 0.0.0.0:22			  0.0.0.0:*			   LISTEN
tcp		0	  0 0.0.0.0:23			  0.0.0.0:*			   LISTEN
tcp		0	  0 0.0.0.0:46201		   0.0.0.0:*			   LISTEN
tcp		0	  0 0.0.0.0:445			 0.0.0.0:*			   LISTEN
tcp		0	  0 0.0.0.0:58527		   0.0.0.0:*			   LISTEN
tcp		0	  0 :::22				   :::*					LISTEN
root@vuultimo:~#

We try to open port 23946.

We try both cases:
Code:
ssh -L 23946:10.0.0.41:23946

Code:
root@vuultimo:/etc# ssh -L 23946:localhost:23 10.0.0.1
 
Host '10.0.0.1' is not in the trusted hosts file.
(fingerprint md5 :**:**:**)
Do you want to continue connecting? (y/n) y
root@10.0.0.1's password:
root@vuultimo:~#  ssh -L 23946:localhost:23 10.0.0.1

We check the open ports again.

Code:
root@vuultimo:~# netstat -nat | grep LISTEN
 
tcp		0	  0 0.0.0.0:2049			0.0.0.0:*			   LISTEN
tcp		0	  0 0.0.0.0:8001			0.0.0.0:*			   LISTEN
tcp		0	  0 127.0.0.1:23946		 0.0.0.0:*			   LISTEN
tcp		0	  0 0.0.0.0:57515		   0.0.0.0:*			   LISTEN
tcp		0	  0 0.0.0.0:139			 0.0.0.0:*			   LISTEN
tcp		0	  0 0.0.0.0:111			 0.0.0.0:*			   LISTEN
tcp		0	  0 0.0.0.0:21			  0.0.0.0:*			   LISTEN
tcp		0	  0 0.0.0.0:22			  0.0.0.0:*			   LISTEN
tcp		0	  0 0.0.0.0:23			  0.0.0.0:*			   LISTEN
tcp		0	  0 0.0.0.0:46201		   0.0.0.0:*			   LISTEN
tcp		0	  0 0.0.0.0:445			 0.0.0.0:*			   LISTEN
tcp		0	  0 0.0.0.0:58527		   0.0.0.0:*			   LISTEN
tcp		0	  0 :::22				   :::*					LISTEN
root@vuultimo:~#

Okay, looks like it's open.

It's a little tricky if you are not used to opening ports via a Unix shell.

I think in some cases you can also manually open your ports in the router, like you do for games.



Let's run gdbserver.
Make sure you are still in the etc folder.

Next, open a new telnet shell.

Type
Code:
root@vuultimo:~# ps -A
  PID TTY		  TIME CMD
	1 ?		00:00:04 init
	2 ?		00:00:00 kthreadd
	3 ?		00:00:02 ksoftirqd/0
	4 ?		00:00:00 kworker/0:0
	5 ?		00:00:00 kworker/0:0H
	7 ?		00:00:00 kworker/u:0H
	8 ?		00:00:01 migration/0
	9 ?		00:00:00 rcu_bh
   10 ?		00:00:00 rcu_sched
   11 ?		00:00:00 migration/1
   12 ?		00:00:00 ksoftirqd/1
   14 ?		00:00:00 kworker/1:0H
   15 ?		00:00:00 khelper
   16 ?		00:00:00 kdevtmpfs
   17 ?		00:00:00 bdi-default
   18 ?		00:00:00 kblockd
   19 ?		00:00:00 ata_sff
   20 ?		00:00:00 khubd
   21 ?		00:00:00 cfg80211
   22 ?		00:00:00 kworker/0:1
   23 ?		00:00:00 rpciod
   24 ?		00:00:01 kworker/1:1
   25 ?		00:00:00 kswapd0
   26 ?		00:00:00 fsnotify_mark
   27 ?		00:00:00 unionfs_siod
   28 ?		00:00:00 nfsiod
   29 ?		00:00:00 crypto
   43 ?		00:00:00 scsi_eh_0
   44 ?		00:00:00 scsi_eh_1
   45 ?		00:00:00 kworker/u:1
   47 ?		00:00:00 deferwq
   48 ?		00:00:00 kworker/u:3
   50 ?		00:00:00 ubi_bgt0d
   51 ?		00:00:00 ubifs_bgt0_0
   73 ?		00:00:00 sched
   74 ?		00:00:00 sched_low
   75 ?		00:01:12 sched_high
   76 ?		00:00:00 sched_idle
   78 ?		00:00:00 brcmv
   79 ?		00:00:00 fbt0
   80 ?		00:00:00 ci_kthread
   81 ?		00:00:00 ci_kthread
  111 ?		00:00:00 udevd
  283 ?		00:00:00 kworker/0:1H
  478 ?		00:00:00 kworker/1:1H
  479 ?		00:00:00 kjournald
  542 ?		00:00:00 nmbd
  544 ?		00:00:00 smbd
  563 ?		00:00:00 smbd
  576 ?		00:00:00 portmap
  582 ?		00:00:00 crond
  592 ?		00:00:00 dbus-daemon
  596 ?		00:00:00 dropbear
  708 ?		00:00:01 automount
  764 ?		00:00:00 blackholesocker
  777 ?		00:00:00 inetd
  802 ?		00:00:00 lockd
  803 ?		00:00:00 nfsd
  804 ?		00:00:00 nfsd
  805 ?		00:00:00 nfsd
  806 ?		00:00:00 nfsd
  807 ?		00:00:00 nfsd
  808 ?		00:00:00 nfsd
  809 ?		00:00:00 nfsd
  810 ?		00:00:00 nfsd
  812 ?		00:00:00 rpc.mountd
  814 ?		00:00:00 rpc.statd
  819 ?		00:00:00 syslogd
  821 ?		00:00:00 klogd
  831 ?		00:00:00 avahi-daemon
  833 ?		00:00:00 avahi-daemon
  847 ?		00:00:00 enigma2.sh
  851 ?		00:05:03 enigma2
  856 ?		00:00:00 ca08
  859 ?		00:00:00 ci_kthread
  871 ?		00:00:00 telnetd
  872 pts/0	00:00:00 sh
  927 ?		00:00:12 hbbtv.app
  956 ?		00:00:02 kdvb-ad-0-fe-0
1179 ?		00:00:00 telnetd
1180 pts/1	00:00:00 sh
2478 ?		00:00:00 kworker/1:0
2604 pts/1	00:00:00 ssh
2605 ?		00:00:00 dropbear
2614 pts/2	00:00:00 sh
2709 ?		00:00:00 flush-ubifs_0_0
2750 pts/2	00:00:00 ps
root@vuultimo:~#

Also try

Code:
root@vuultimo:~# ps aux
USER	   PID %CPU %MEM	VSZ   RSS TTY	  STAT START   TIME COMMAND
root		 1  0.1  0.2   1780   624 ?		Ss   12:44   0:04 init [3]
root		 2  0.0  0.0	  0	 0 ?		S	12:44   0:00 [kthreadd]
root		 3  0.0  0.0	  0	 0 ?		S	12:44   0:02 [ksoftirqd/0]
root		 4  0.0  0.0	  0	 0 ?		S	12:44   0:00 [kworker/0:0]
root		 5  0.0  0.0	  0	 0 ?		S<   12:44   0:00 [kworker/0:0H]
root		 7  0.0  0.0	  0	 0 ?		S<   12:44   0:00 [kworker/u:0H]
root		 8  0.0  0.0	  0	 0 ?		S	12:44   0:01 [migration/0]
root		 9  0.0  0.0	  0	 0 ?		S	12:44   0:00 [rcu_bh]
root		10  0.0  0.0	  0	 0 ?		S	12:44   0:00 [rcu_sched]
root		11  0.0  0.0	  0	 0 ?		S	12:44   0:00 [migration/1]
root		12  0.0  0.0	  0	 0 ?		S	12:44   0:00 [ksoftirqd/1]
root		14  0.0  0.0	  0	 0 ?		S<   12:44   0:00 [kworker/1:0H]
root		15  0.0  0.0	  0	 0 ?		S<   12:44   0:00 [khelper]
root		16  0.0  0.0	  0	 0 ?		S	12:44   0:00 [kdevtmpfs]
root		17  0.0  0.0	  0	 0 ?		S	12:44   0:00 [bdi-default]
root		18  0.0  0.0	  0	 0 ?		S<   12:44   0:00 [kblockd]
root		19  0.0  0.0	  0	 0 ?		S<   12:44   0:00 [ata_sff]
root		20  0.0  0.0	  0	 0 ?		S	12:44   0:00 [khubd]
root		21  0.0  0.0	  0	 0 ?		S<   12:44   0:00 [cfg80211]
root		22  0.0  0.0	  0	 0 ?		S	12:44   0:00 [kworker/0:1]
root		23  0.0  0.0	  0	 0 ?		S<   12:44   0:00 [rpciod]
root		24  0.0  0.0	  0	 0 ?		S	12:44   0:01 [kworker/1:1]
root		25  0.0  0.0	  0	 0 ?		S	12:44   0:00 [kswapd0]
root		26  0.0  0.0	  0	 0 ?		S	12:44   0:00 [fsnotify_mark]
root		27  0.0  0.0	  0	 0 ?		S<   12:44   0:00 [unionfs_siod]
root		28  0.0  0.0	  0	 0 ?		S<   12:44   0:00 [nfsiod]
root		29  0.0  0.0	  0	 0 ?		S<   12:44   0:00 [crypto]
root		43  0.0  0.0	  0	 0 ?		S	12:44   0:00 [scsi_eh_0]
root		44  0.0  0.0	  0	 0 ?		S	12:44   0:00 [scsi_eh_1]
root		45  0.0  0.0	  0	 0 ?		S	12:44   0:00 [kworker/u:1]
root		47  0.0  0.0	  0	 0 ?		S<   12:44   0:00 [deferwq]
root		48  0.0  0.0	  0	 0 ?		S	12:44   0:00 [kworker/u:3]
root		50  0.0  0.0	  0	 0 ?		S	12:44   0:00 [ubi_bgt0d]
root		51  0.0  0.0	  0	 0 ?		S	12:44   0:00 [ubifs_bgt0_0]
root		73  0.0  0.0	  0	 0 ?		S	12:44   0:00 [sched]
root		74  0.0  0.0	  0	 0 ?		S	12:44   0:00 [sched_low]
root		75  2.1  0.0	  0	 0 ?		S	12:44   1:13 [sched_high]
root		76  0.0  0.0	  0	 0 ?		S	12:44   0:00 [sched_idle]
root		78  0.0  0.0	  0	 0 ?		S	12:44   0:00 [brcmv]
root		79  0.0  0.0	  0	 0 ?		S	12:44   0:00 [fbt0]
root		80  0.0  0.0	  0	 0 ?		S	12:44   0:00 [ci_kthread]
root		81  0.0  0.0	  0	 0 ?		S	12:44   0:00 [ci_kthread]
root	   111  0.0  0.2   2240   676 ?		S<s  12:44   0:00 udevd --daemon
root	   283  0.0  0.0	  0	 0 ?		S<   12:44   0:00 [kworker/0:1H]
root	   478  0.0  0.0	  0	 0 ?		S<   12:44   0:00 [kworker/1:1H]
root	   479  0.0  0.0	  0	 0 ?		S	12:44   0:00 [kjournald]
root	   542  0.0  0.5   3876  1492 ?		Ss   12:44   0:00 nmbd -D
root	   544  0.0  0.8   6808  2300 ?		Ss   12:44   0:00 smbd -D
root	   563  0.0  0.3   6808  1020 ?		S	12:44   0:00 smbd -D
daemon	 576  0.0  0.1   1868   484 ?		Ss   12:44   0:00 /sbin/portmap
root	   582  0.0  0.1   2460   540 ?		Ss   12:44   0:00 /usr/sbin/crond -c /etc/bhcron/
999		592  0.0  0.2   2824   820 ?		Ss   12:44   0:00 /usr/bin/dbus-daemon --system
root	   596  0.0  0.1   2472   504 ?		Ss   12:44   0:00 /usr/sbin/dropbear -r /etc/dropbear/dropbear_rsa_
root	   708  0.0  0.2   2320   744 ?		Ss   12:44   0:01 /usr/sbin/automount --pid-file=/var/run/autofs/_a
root	   764  0.0  0.1   1624   360 ?		Ss   12:44   0:00 /usr/bin/blackholesocker
root	   777  0.0  0.2   2824   692 ?		Ss   12:44   0:00 /usr/sbin/inetd
root	   802  0.0  0.0	  0	 0 ?		S	12:44   0:00 [lockd]
root	   803  0.0  0.0	  0	 0 ?		S	12:44   0:00 [nfsd]
root	   804  0.0  0.0	  0	 0 ?		S	12:44   0:00 [nfsd]
root	   805  0.0  0.0	  0	 0 ?		S	12:44   0:00 [nfsd]
root	   806  0.0  0.0	  0	 0 ?		S	12:44   0:00 [nfsd]
root	   807  0.0  0.0	  0	 0 ?		S	12:44   0:00 [nfsd]
root	   808  0.0  0.0	  0	 0 ?		S	12:44   0:00 [nfsd]
root	   809  0.0  0.0	  0	 0 ?		S	12:44   0:00 [nfsd]
root	   810  0.0  0.0	  0	 0 ?		S	12:44   0:00 [nfsd]
root	   812  0.0  0.1   2408   532 ?		Ss   12:44   0:00 /usr/sbin/rpc.mountd -f /etc/exports
root	   814  0.0  0.2   2108   808 ?		Ss   12:44   0:00 /usr/sbin/rpc.statd
root	   819  0.0  0.2   2460   648 ?		Ss   12:44   0:00 /sbin/syslogd -n -O /var/log/messages
root	   821  0.0  0.2   2460   616 ?		Ss   12:44   0:00 /sbin/klogd -n
avahi	  831  0.0  0.5   3464  1540 ?		S	12:44   0:00 avahi-daemon: running [vuultimo.local]
avahi	  833  0.0  0.1   3464   496 ?		S	12:44   0:00 avahi-daemon: chroot helper
root	   847  0.0  0.2   2460   560 ?		Ss   12:44   0:00 /bin/sh /usr/bin/enigma2.sh
root	   851  8.9 28.7 146936 79152 ?		Sl   12:44   5:07 /usr/bin/enigma2
root	   856  0.0  0.0	  0	 0 ?		S	12:44   0:00 [ca08]
root	   859  0.0  0.0	  0	 0 ?		S	12:44   0:00 [ci_kthread]
root	   871  0.0  0.2   2780   800 ?		Ss   12:44   0:00 telnetd
root	   872  0.0  0.3   2776   888 pts/0	Ss+  12:44   0:00 -sh
root	   927  0.3  5.8  84432 16100 ?		Sl   12:45   0:12 /usr/local/hbb-browser/lib/hbbtv.app restart
root	   956  0.0  0.0	  0	 0 ?		S	12:45   0:02 [kdvb-ad-0-fe-0]
root	  1179  0.0  0.2   2780   800 ?		Ss   12:51   0:00 telnetd
root	  1180  0.0  0.3   2776   892 pts/1	Ss   12:51   0:00 -sh
root	  1574  2.1  1.1 130008  3192 ?		Ssl  13:03   0:48 /usr/bin/CCcam_230
root	  2478  0.0  0.0	  0	 0 ?		S	13:32   0:00 [kworker/1:0]
root	  2604  0.1  0.4   3164  1208 pts/1	S+   13:36   0:00 ssh -L 23946:localhost:23 10.0.0.1
root	  2605  0.2  0.4   3396  1312 ?		Ss   13:36   0:00 /usr/sbin/dropbear -r /etc/dropbear/dropbear_rsa_
root	  2614  0.0  0.3   2776   884 pts/2	Ss   13:36   0:00 -sh
root	  2709  0.0  0.0	  0	 0 ?		S	13:39   0:00 [flush-ubifs_0_0]
root	  2756  0.0  0.0	  0	 0 ?		S	13:40   0:00 [kworker/1:2]
root	  2778  0.0  0.3   2640   968 pts/2	R+   13:41   0:00 ps aux
root@vuultimo:~#


Gonna try PID 856, which is the CA module for the satellite card.

From the shell:

Code:
root@vuultimo:/etc# ./gdbserver --multi localhost:23946
Listening on port 23946

Now fire up IDA; I run it with admin rights.
Go to Debugger >> Attach remote GDB server.

Select Debug options and then Set specific options.






In the specific options choose the MIPS architecture.



Press OK, OK, OK.

Now we're back at the first GDB screen.
We need the info from the ifconfig command we ran before.



I had local IP 10.0.0.1.

We go along and press OK.

It then asks what PID to attach to.



We have the PID from running the ps commands before:
PID 865

Success!



:D

I could use some hints on how to forward TCP/UDP better via the shell.

But the tut should work for any device that has telnet, so basically everything :)
Just remember to have the right gdbserver build (same as the target).
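Two pre-flight checks for this procedure, as an added example that is not part of the original post: one confirms the gdbserver binary really is built for the target architecture before it is uploaded (the "same as target" point above), the other reads `netstat -nat` output and reports which address the port 23946 listener is bound to, since a gdbserver reachable on all interfaces lets anyone on the LAN attach to processes on the box. The ELF byte layout is the standard one; the netstat lines and file names below are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Run on the workstation.

# elf_machine FILE: print the CPU architecture named in FILE's ELF header.
# e_machine is 2 bytes at offset 18, in the byte order given by EI_DATA
# (byte 5: 1 = little endian, 2 = big endian). A MIPS box needs "MIPS".
elf_machine() {
    f=$1
    set -- $(od -An -t u1 -N 20 "$f")           # bytes 0..19 as decimal words
    [ $# -ge 20 ] && [ "$1 $2 $3 $4" = "127 69 76 70" ] || { echo not-elf; return 1; }
    case $6 in
        1) m=$(( ${20} * 256 + ${19} )) ;;      # little endian
        2) m=$(( ${19} * 256 + ${20} )) ;;      # big endian
        *) echo bad-ei-data; return 1 ;;
    esac
    case $m in
        3)  echo x86 ;;     8)   echo MIPS ;;    40) echo ARM ;;
        62) echo x86-64 ;;  183) echo AArch64 ;; *)  echo "unknown($m)" ;;
    esac
}

# listen_addr PORT: read `netstat -nat` output on stdin and print the address
# the TCP listener on PORT is bound to; exit status 1 if nothing listens there.
listen_addr() {
    awk -v port="$1" '
        $NF == "LISTEN" {
            n = split($4, a, ":")               # handles 0.0.0.0:23946 and :::22
            if (a[n] == port) { sub(":" port "$", "", $4); print $4; found = 1 }
        }
        END { exit !found }'
}

# exposure ADDR: who can reach a listener bound to ADDR.
exposure() {
    case $1 in
        127.*|::1)     echo loopback-only ;;    # only via the tunnel
        0.0.0.0|::|"") echo all-interfaces ;;   # anyone on the LAN can attach
        *)             echo "interface $1" ;;
    esac
}

# Constructed sample shaped like the second netstat listing in the post.
SAMPLE_NETSTAT='tcp   0   0 0.0.0.0:23          0.0.0.0:*   LISTEN
tcp   0   0 127.0.0.1:23946     0.0.0.0:*   LISTEN
tcp   0   0 :::22               :::*        LISTEN'

addr=$(printf '%s\n' "$SAMPLE_NETSTAT" | listen_addr 23946) &&
    echo "port 23946 bound to $addr: $(exposure "$addr")"
```

On the real box, replace the sample with `netstat -nat | listen_addr 23946`, and run `elf_machine ./gdbserver` on each NDK prebuilt before picking the one to upload.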
 