
View the full version: Enable telnet password



MoD
24-10-2006, 21:40
As you know, the utelnetd hack is not good because the telnet daemon is not password protected. I just found some info: http://www.nslu2-linux.org/wiki/HowTo/ChangePasswordsFromTheCommandLine

which gave me an idea that on wl700gE by default there is no /etc/passwd file and because of that the telnet is not password protected. What I am trying to say is that in order to enable password we should enable it in busybox and create /etc/passwd to the place where the actual password is stored.

Is anyone interested in trying this idea?

fireflash
25-10-2006, 00:26
I'm game. The only problem is you can't write anything to /etc/, or anywhere outside the /shares/ directory. So it would either have to be put somewhere else, and somehow linked to, which I believe there is a passwd file somewhere on the HD, or it would have to be compiled in with the rest of the firmware.

MoD
25-10-2006, 11:13
I'm game. The only problem is you can't write anything to /etc/, or anywhere outside the /shares/ directory. So it would either have to be put somewhere else, and somehow linked to, which I believe there is a passwd file somewhere on the HD, or it would have to be compiled in with the rest of the firmware.

You have to study the source and maybe also the makefile scripts. It should be possible to add the symlink yourself when you create modified firmware. On v1.0.42 there was a services_ex.c file which retrieved dhcp and dns options from nvram and created config files. I don't know if it helps to look at it so that at the same time you can create the symlink, or the symlink can be created at the time when the firmware is compiled. mkcramfs is the place to look at.

I hope this helps.

fireflash
25-10-2006, 15:14
I'll do some checking around when I get home later and see what I can make of the sources & Makefiles. I'm not very knowledgeable when it comes to this stuff, but so far I've had pretty decent luck making things work. I may also enable Login through Busybox and see what that does for me. I know it won't give me a password option, but it might enlighten me a bit more as to how it's working.

There is a passwd file stored in /tmp, which I believe is writeable.

MoD
25-10-2006, 18:43
I'll do some checking around when I get home later and see what I can make of the sources & Makefiles. I'm not very knowledgeable when it comes to this stuff, but so far I've had pretty decent luck making things work. I may also enable Login through Busybox and see what that does for me. I know it won't give me a password option, but it might enlighten me a bit more as to how it's working.

There is a passwd file stored in /tmp, which I believe is writeable.

Hmm. Isn't there a symlink from /etc/passwd to /tmp/passwd?

fireflash
25-10-2006, 19:20
Hmm. Isn't there a symlink from /etc/passwd to /tmp/passwd?

Yes there is. The system will probably use it when the need arises. The trick is getting it to use it. Another user of this forum stated a while back that while you can enable login and passwd through busybox, the passwd utility couldn't change the passwd file because it's on the write-protected part of the firmware (probably stored in flash or something). Although the newest version of the firmware may fix this.

I'll know more when I get home tonight. :)

MoD
25-10-2006, 20:09
Yes there is. The system will probably use it when the need arises. The trick is getting it to use it. Another user of this forum stated a while back that while you can enable login and passwd through busybox, the passwd utility couldn't change the passwd file because it's on the write-protected part of the firmware (probably stored in flash or something). Although the newest version of the firmware may fix this.

I'll know more when I get home tonight. :)

What does it mean, "passwd utility couldn't change the passwd file because it's on the write-protected part of the firmware"? I guess the /temp dir is on the RAM part and changes made in the passwd file are erased on router reboot. Or am I mistaken? Doesn't /etc/passwd have write access?

MoD
25-10-2006, 20:17
From here http://wl500g.info/showpost.php?p=33207&postcount=4 I see that there is no /etc/passwd symlink: (Must be done directly on the router with telnet and vi for example)

Is there an /etc directory? On what filesystem is it? What are the access rights for /etc/passwd?

MoD
25-10-2006, 20:27
As openmss is similar to wl700ge (also linux with hdd, but not a router), it has similar problems. http://www.openmss.org/forum/viewtopic.php?t=218

You can search that forum with the keyword passwd.

MoD
25-10-2006, 20:33
Another approach - patch the busybox passwd applet:

http://mailman.uclinux.org/pipermail/uclinux-dev/2004-November/029894.html
http://mailman.uclinux.org/pipermail/uclinux-dev/2004-December/030266.html
http://mm.aueb.gr/~vpk/p2pwnc/download/porting-dropbear-HOWTO.txt

fireflash
26-10-2006, 01:31
What does it mean, "passwd utility couldn't change the passwd file because it's on the write-protected part of the firmware"? I guess the /temp dir is on the RAM part and changes made in the passwd file are erased on router reboot. Or am I mistaken? Doesn't /etc/passwd have write access?

Ok. Certain accessible parts of the root filesystem, as far as I can tell, are either not stored on the hard drive, or are stored on the hard drive, but use a different file system called cramfs. Everything that shows up as being a cramfs filesystem can not be written to. You can read all the files, but can't write anything to those areas. That includes /, /etc, /bin, /sbin and I'm sure a few others. Here's a screen dump of mount:



/dev/ide/host2/bus0/target0/lun0/part2 on / type cramfs (rw)
/dev on /dev type devfs (rw)
proc on /proc type proc (rw)
usbdevfs on /proc/bus/usb type usbdevfs (rw)
ramfs on /tmp type ramfs (rw)
ramfs on /shares type ramfs (rw)
ramfs on /foreign_shares type ramfs (rw)
/dev/se/2 on /shares/MYVOLUME1 type reiserfs (rw)


Any directory that is not defined in this list, other than anything that appears on the hard disk, is mounted under / using the cramfs filesystem. It may say it's read/write, but there's no writing. When you run df, you get this:



# df
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/ide/host2/bus0/target0/lun0/part2 44620 44620 0 100% /
/dev/se/2 160200416 19757784 140442632 12% /shares/MYVOLUME1


Whatever the / and all its subdirectories are being stored on, it's got only enough room for what was compiled to be there. No more, no less. It's almost like having a CD or DVD in the drive. It is what it is, and it can't be modified.

You're not accessing the hard drive until you've entered /shares/MYVOLUME1. Everything after that is on the hard disk and safe from boot-time purges. With the exception of the Personal Photo Gallery website, stored under /shares/MYVOLUME1/MYSHARE1/web, which seems to get re-written at every boot. Which is annoying since that's where I turn on utelnetd :)

Based on what was said about the 1.0.4.2 firmware, the password utility had a problem writing a new passwd file. Things have changed a bit in the 1.0.4.6 firmware, because the location of a writeable passwd file that DaNawg mentioned no longer exists, and is now located in /tmp. Now /tmp and a couple other mount points show up as ramfs, which leads me to believe that there might be a small ramdisk set up, which is bad because every time the router gets turned off or rebooted, everything in that directory is lost, and rewritten upon boot up with a pre-packaged set of files. If this is the case, then the passwd file needs to get moved to the hard drive where it won't be erased every time the router is rebooted. Moving the file is easy, changing the symlink is not, since that resides in /etc, which as I stated before, is mounted with the cramfs filesystem, which is probably heavily compressed and/or encrypted, and cannot be modified through the shell.

Modifying busybox to look in a different location for the passwd file looks promising. If it can be tweaked to look in another place besides /etc, then the need to redo the symlink in /etc goes away, for now. Any location after /shares/MYVOLUME1 is safe, as you'll be writing to the hard drive. There's even an etc directory under MYVOLUME1, which is not symlinked back to the root /etc. Unlike the MYVOLUME1/bin directory which unfortunately is just a symlink to /bin on the root filesystem.

Hopefully this helps clear things up a bit, and I didn't confuse you too much. :) All of this is based on what I've observed so far. Not bad for a rookie, eh? :)
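
The point made in the post above, that the (rw) flag in the mount output says nothing about whether a file survives or can even be written, can be checked mechanically. This is an added example, not part of the post or of the firmware; the helper name storage_class is hypothetical and the mount table is the one posted above.

```shell
#!/bin/sh
# Mount table exactly as posted above (WL-700gE, firmware 1.0.4.6).
MOUNTS='/dev/ide/host2/bus0/target0/lun0/part2 on / type cramfs (rw)
/dev on /dev type devfs (rw)
proc on /proc type proc (rw)
usbdevfs on /proc/bus/usb type usbdevfs (rw)
ramfs on /tmp type ramfs (rw)
ramfs on /shares type ramfs (rw)
ramfs on /foreign_shares type ramfs (rw)
/dev/se/2 on /shares/MYVOLUME1 type reiserfs (rw)'

# storage_class PATH [MOUNT_TABLE]  (hypothetical helper)
# Prints "<mountpoint> <fstype> <class>" for the mount that backs PATH, chosen
# by longest matching mount point. The class comes from the filesystem type,
# not from the (rw) flag, which cramfs reports even though it cannot be written.
storage_class() {
    printf '%s\n' "${2:-$MOUNTS}" | awk -v p="$1" '
    BEGIN { best_len = 0 }
    $2 == "on" && $4 == "type" {
        mp = $3
        if (mp == "/" || p == mp || index(p, mp "/") == 1)
            if (length(mp) > best_len) { best_len = length(mp); best_mp = mp; best_fs = $5 }
    }
    END {
        if (best_len == 0) exit 1
        if (best_fs ~ /^(cramfs|squashfs|romfs)$/)          cls = "read-only"
        else if (best_fs ~ /^(ramfs|tmpfs)$/)                cls = "volatile"
        else if (best_fs ~ /^(proc|devfs|usbdevfs|sysfs)$/)  cls = "virtual"
        else                                                 cls = "persistent"
        print best_mp, best_fs, cls
    }'
}

# The three candidate passwd locations discussed in the thread.
for f in /etc/passwd /tmp/passwd /shares/MYVOLUME1/etc/passwd; do
    printf '%-32s %s\n' "$f" "$(storage_class "$f")"
done
```

Only the last of the three paths lands on a filesystem that is both writable and kept across a reboot.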

MoD
26-10-2006, 08:05
How to deal with utelnetd, try this: http://wl500g.info/showpost.php?p=33213&postcount=5

It is good news that passwd is stored in /tmp. You can write a script which saves the password in nvram or hdd and upon boot writes it to the /tmp file. The same method is used in wrt54g linksys routers. They do not have a hdd storage.

dhcp, dns config files are created at boot time and stored in the /tmp directory (take a look at the services_ex.c file from firmware 1.0.42).

As for "Modifying busybox to look in a different location for the passwd file looks promising", I'm not sure if you don't need to modify other shell files also to use the new passwd file for authentication. The passwd applet does only the password change job, not authentication. But I'm not an expert.


I think more promising is to make /etc/passwd a symlink to a passwd stored in a safe place.
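
A sketch of the boot-time restore suggested in the post above, as an added example that is not the poster's or the firmware's code. The paths are assumptions taken from the thread (/tmp/passwd as the live file, an etc directory under /shares/MYVOLUME1 for the saved copy), and the function names are hypothetical. It refuses a saved copy that would leave an account without a password or that other users of the disk could have edited.

```shell
#!/bin/sh
# Assumed locations: saved copy on the hard disk, live copy on ramfs.
SAVED=${SAVED:-/shares/MYVOLUME1/etc/passwd}
LIVE=${LIVE:-/tmp/passwd}

# passwd_problems FILE: report entries that are malformed or have an empty
# password field (login without a password). Exit status 0 only if clean.
passwd_problems() {
    awk -F: '
    /^[ \t]*$/ || /^#/ { next }
    NF != 7  { printf "line %d: expected 7 fields, got %d\n", NR, NF; bad = 1; next }
    $2 == "" { printf "line %d: account %s has an empty password field\n", NR, $1; bad = 1 }
    END { exit bad + 0 }' "$1"
}

# restore_passwd [SRC] [DST]: validate SRC, then install it at DST through a
# temporary file and a rename so a half-written file is never in place.
# Return codes: 2 missing/not a regular file, 5 world-writable, 3 bad content,
# 4 copy failed.
restore_passwd() {
    src=${1:-$SAVED} dst=${2:-$LIVE}
    [ -f "$src" ] && [ ! -L "$src" ] || { echo "no regular file at $src" >&2; return 2; }
    # Anyone able to write the saved copy could set the root password.
    if [ -n "$(find "$src" -prune -perm -002 2>/dev/null)" ]; then
        echo "$src is world-writable, refusing" >&2; return 5
    fi
    passwd_problems "$src" >&2 || return 3
    tmp="$dst.new.$$"
    ( umask 077 && cp "$src" "$tmp" ) || return 4
    chmod 644 "$tmp" && mv -f "$tmp" "$dst" || { rm -f "$tmp"; return 4; }
}

# In a boot script, before the telnet daemon starts:
#   restore_passwd || echo "passwd not restored, keeping firmware default" >&2
```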

fireflash
26-10-2006, 18:41
How to deal with utelnetd, try this: http://wl500g.info/showpost.php?p=33213&postcount=5

It is good news that passwd is stored in /tmp. You can write a script which saves the password in nvram or hdd and upon boot writes it to the /tmp file. The same method is used in wrt54g linksys routers. They do not have a hdd storage.

dhcp, dns config files are created at boot time and stored in the /tmp directory (take a look at the services_ex.c file from firmware 1.0.42).

As for "Modifying busybox to look in a different location for the passwd file looks promising", I'm not sure if you don't need to modify other shell files also to use the new passwd file for authentication. The passwd applet does only the password change job, not authentication. But I'm not an expert.


I think more promising is to make /etc/passwd a symlink to a passwd stored in a safe place.

I'm still trying to find the set of instructions that creates the passwd file symlink in /etc. I'm working with the 1.0.4.6 source code, which doesn't have services_ex.c, as far as I know. My current line of thinking is to stick with the 1.0.4.6 code, since it's the latest, and try and make sense of it, instead of reverting back to 1.0.4.2.

Also, the file they referred to in one of those links you provided doesn't seem to be in our version of busybox. They may be using a newer version of busybox, which I'd like to get working at some point, but right now trying to compile it along with the rest of the router's source brought up a whole bunch of dialog and errors that I need to dive further into. For safety's sake I'm still using the version provided to us by broadcom/asus.

MoD
27-10-2006, 15:05
maybe this can help you:

http://linuxant.hit.bg/Embedded-Linux-Howto.html
http://interactive.linuxjournal.com/node/4551
http://www.linuxjournal.com/article/4678
http://www.linuxjournal.com/article/7848
http://www.linuxjournal.com/article/4335
http://www.linuxjournal.com/article/4527
http://www-128.ibm.com/developerworks/linux/library/l-embl.html
http://dpnm.postech.ac.kr/emLinux/
http://www.uclinux.org

MoD
27-10-2006, 18:02
There are some interesting files in the apps/mipsel/apps/bin directory.
For example, look at the shell script rcex.

MoD
27-10-2006, 18:24
cramfs
cramfs is a compressed read-only filesystem originally developed by Linus Torvalds and included in recent Linux kernels. In the cramfs filesystem, each page is individually compressed, allowing random page access.

A cramfs image is usually placed in system Flash but can also be placed on another filesystem and mounted using the loopback device. cramfs is useful in its efficiency, and it often is desirable to have system files in a read-only partition to prevent file corruption and improve system reliability.

A cramfs image is created using the mkcramfs utility, which creates an image from the contents of a specified directory. mkcramfs can be found in the scripts/cramfs directory of the Linux source tree.

ramfs
ramfs is a filesystem that keeps all files in RAM and is often used with a Flash filesystem to store temporary data or data that changes often. The major advantage of ramfs is it grows and shrinks to accommodate the files it contains, unlike a ramdisk, which is fixed in size. The ramfs filesystem was originally written by Linus Torvalds and is included in recent kernels.

MoD
27-10-2006, 19:03
My guess is that the etc directory we are looking for is in WL700g/nasoc/src/apps/misc/etc

There are scripts that prepare the root filesystem.

MoD
27-10-2006, 21:29
from here: http://interactive.linuxjournal.com/article/4528

Create the shell script startup.sh as shown below:


#! /bin/sh
/bin/mount -t vfat /dev/fd0 /floppy
exec /sbin/init

This script will run when the system starts, instead of init, because we'll provide a special command-line argument to the kernel. It will mount the floppy so that the contents of /etc are correct before init starts. Note that exec /sbin/init is different from simply running /sbin/init. The exec command says to replace the shell with the given program, rather than run the program as a subprocess of the shell. Thus, init will run in the same process-ID as the shell, which in this case will be process-ID 1. This is important as the kernel gives process-ID 1 some special properties, and init will not run properly unless it's in process-ID 1.


Change the mode of the script so that it is executable:


chmod 744 startup.sh