
Thread: question about wl700gE booting (and passwd file)

  1. #1

    question about wl700gE booting (and passwd file)

    I do not understand the booting sequence of the router. I studied the sources of Oleg's modified wl500g series firmware and the dd-wrt project firmware to understand how I can create a password-protected telnet shell. This is what I understood:

    There is a modification of rc.c file (as there is no full source of firmware v.1.0.46 and the rc.c file is missing, I am working with firmware v.1.0.42). The idea is that in function main_loop() you are modifying /tmp/passwd file.

    This is what the original /tmp/passwd file looks like:

    root::0:0:root:/:/bin/sh
    guest::35000:42000:guest:/:/bin/sh

    This is what the original /tmp/group file looks like:

    root::0:root
    users::42000:

    I added a new function to rc.c:

    #include <stdio.h>
    #include <sys/stat.h>   /* stat(), mkdir() */
    #include <unistd.h>
    #include <crypt.h>      /* crypt() */
    /* nvram_get() is provided by the firmware's nvram library */

    /* create /etc/{passwd,group} */
    void make_etc(void)
    {
        FILE *f;
        struct stat buf;
        char *name, *pass;

        /* crypt using md5, no salt */
        name = nvram_get("http_username1") ? : "admin";
        pass = crypt(nvram_get("http_passwd1") ? : "admin", "$1$");

        /* create homedir for root account */
        if (stat("/tmp/root", &buf) != 0) {
            mkdir("/tmp/root", 0700);
        }

        /* root-equivalent entry named after the web admin user, plus the stock guest entry */
        if ((f = fopen("/tmp/passwd", "w"))) {
            fprintf(f, "%s:%s:0:0:root:/tmp/root:/bin/sh\n"
                       "guest::35000:42000:guest:/:/bin/sh\n", name, pass);
            fclose(f);
        }

        if ((f = fopen("/tmp/group", "w"))) {
            fprintf(f, "root:x:0:%s\nusers::42000:\n", name);
            fclose(f);
        }
    }

    The function make_etc() should create a home directory for the root account in the /tmp directory and modify the /tmp/passwd and /tmp/group files. The function is executed in the main_loop() function right before /* loop forever */. However, when I compile the firmware and flash it to the router, the changes in the /tmp directory are not seen.

    I even created a firmware with a modified make_etc() function that only creates a /tmp/root directory:

    /* create /etc/{passwd,group} */
    void make_etc(void)
    {
        mkdir("/tmp/root", 0700);
    }

    The result was the same - there are no changes in the /tmp folder.

    The problem

    I think by the time when make_etc() function is executed, /tmp is not yet mounted?! Could it be so?

    Can anybody explain how the default /etc/passwd and /etc/group files are created in /tmp?

  2. #2

    what I discovered more...

    The directory /tmp is mounted in function sysinit(), which is called in function main_loop() before make_etc() is called.

    I do not understand where my changes in /tmp have gone...

  3. #3
    There is a command in function sysinit():

    mkdir("/tmp/var",0777);

    Right after that I added:

    mkdir("/tmp/root",0777);

    After compiling and flashing the firmware I see the /tmp/var directory, but there is no /tmp/root directory.

    Can anyone comment or retry this thing to test if my environment is buggy?! What are your results?

  4. #4
    Damn, I've written so much and then got logged out ;(

    Short: compile vi in busybox - telnet in - vi /shares/MYVOLUME1/__pdc - add encrypted password to root - compile login with busybox

    That's for now - I'm in a hurry

    Can help later :P

    /etc/passwd symlinks to /tmp and symlinks finally to /sh../MYVO.../__pdc/passwd

  5. #5
    Quote: Originally posted by DaNawq
    Damn, I've written so much and then got logged out ;(

    Short: compile vi in busybox - telnet in - vi /shares/MYVOLUME1/__pdc - add encrypted password to root - compile login with busybox

    That's for now - I'm in a hurry

    Can help later :P

    /etc/passwd symlinks to /tmp and symlinks finally to /sh../MYVO.../__pdc/passwd

    I remember that you wrote http://wl500g.info/showthread.php?t=6521 but I am trying to avoid using the vi approach and do it the same way as wl500g. As my listing shows, it is not true that /tmp/passwd is symlinked as you mentioned here: http://wl500g.info/showpost.php?p=33786&postcount=2. Or am I mistaken?

    # ls -l /etc
    -rwxr-xr-x 1 root root 131 Jan 1 1970 buildinfo.txt
    -rwxr-xr-x 1 root root 16 Oct 28 12:38 fdisk_fat32_claim_commands.txt
    lrwxrwxrwx 1 root root 10 Jan 1 1970 group -> /tmp/group
    -rw-r--r-- 1 root root 17 Jan 1 1970 host.conf
    lrwxrwxrwx 1 root root 11 Jan 1 1970 hostid -> /tmp/hostid
    lrwxrwxrwx 1 root root 10 Jan 1 1970 hosts -> /tmp/hosts
    lrwxrwxrwx 1 root root 16 Jan 1 1970 hosts.allow -> /tmp/hosts.allow
    lrwxrwxrwx 1 root root 15 Jan 1 1970 hosts.deny -> /tmp/hosts.deny
    -r--r--r-- 1 root root 4268 Jan 1 1970 image_vars.txt
    drwxr-xr-x 1 root root 28 Jan 1 1970 init_scripts
    -rw-r--r-- 1 root root 2825 Jan 1 1970 ld.so.cache
    -rw-r--r-- 1 root root 14 Jan 1 1970 ld.so.conf
    -rw-r--r-- 1 root root 17 Jan 1 1970 nsswitch.conf
    lrwxrwxrwx 1 root root 11 Jan 1 1970 passwd -> /tmp/passwd
    lrwxrwxrwx 1 root root 16 Jan 1 1970 resolv.conf -> /tmp/resolv.conf
    -rwxr-xr-x 1 root root 10707 Jan 1 1970 services
    -rwxr-xr-x 1 root root 4408 Jan 1 1970 vsftpd.conf
    # ls /tmp -l
    drwx------ 1 root root 0 Oct 29 14:51 cache-mt-daapd
    drwxr-xr-x 1 root root 0 Oct 29 14:50 configuration_share
    drwxr-xr-x 1 root root 0 Jan 1 2000 disk_names
    -rw-r--r-- 1 root root 0 Jan 1 2000 disk_updating_lock
    drwxr-xr-x 1 root root 0 Jan 1 2000 disks_going
    -rw-r--r-- 1 root root 6733 Oct 29 15:02 diskstatus
    drwxr-xr-x 1 root root 0 Jan 1 2000 etc
    -rw-r--r-- 1 root root 0 Jan 1 2000 file_variable_updating_lock
    drwxr-xr-x 1 root root 0 Jan 1 2000 foreign_share_info
    drwxr-xr-x 1 root root 0 Jan 1 2000 foreign_shares_going
    -rw-r--r-- 1 root root 9 Oct 29 14:50 global_shares_list
    --wsr-T--- 1 root root 27 Oct 29 14:50 group
    -rw-rw-rw- 1 root root 42 Oct 29 15:02 hosts
    -rw-r--r-- 1 root root 131072 Jan 1 2000 lowcase.dat
    -rw-r--r-- 1 root root 329 Oct 29 14:51 mt-daapd.conf
    -rw-r--r-- 1 root root 40 Oct 29 14:50 nas.lan.conf
    -rw-rw-rw- 1 root root 60 Oct 29 14:50 passwd
    drwxr-xr-x 1 root root 0 Oct 29 14:50 pool_share_cifs_exports
    drwxr-xr-x 1 root root 0 Jan 1 2000 pools_going
    drwxr-xr-x 1 root root 0 Jan 1 2000 raid
    -rw-r--r-- 1 root root 137 Oct 29 14:50 raidtab
    drwxr-xr-x 1 root root 0 Jan 1 2000 rc_action_incomplete
    drwxr-xr-x 1 root root 0 Jan 1 2000 rc_notification
    drwxr-xr-x 1 root root 0 Jan 1 2000 reserved_foreign_share_names
    -rw-r--r-- 1 root root 0 Oct 29 14:50 resolv.conf
    drwxr-xr-x 1 root root 0 Jan 1 2000 samba
    drwxr-xr-x 1 root root 0 Jan 1 2000 share_name_mappings
    drwxr-xr-x 1 root root 0 Jan 1 2000 shares_going
    -rw------- 1 root root 205 Oct 29 14:50 smbpasswd
    -rw-r--r-- 1 root root 0 Oct 29 14:52 syslog.log
    -rw-r--r-- 1 root root 131072 Jan 1 2000 upcase.dat
    drwxr-xr-x 1 root root 0 Jan 1 2000 usb_disks
    drwxr-xr-x 1 root root 0 Jan 1 2000 var
    I could try to compile the make_etc() function so that it modifies /shares/MYVOLUME1/__pdc/passwd; however, that does not explain why my changes are not saved in the /tmp directory. Why can I not make a directory root in the /tmp directory?

    Could it be that there is code that copies everything from /shares/MYVOLUME1/__pdc/ to /tmp? Does anybody know how and when these passwd and group files are generated when you compile and flash a fresh firmware? I'm not so good at Linux.
    Last edited by MoD; 30-10-2006 at 09:08.
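
An added example, not part of the thread or of the firmware sources: a small C checker for passwd-format lines that flags empty password fields and UID 0 accounts, the condition the stock /tmp/passwd in the first post shows (`root::0:0:...`). The function name, flag names and the third sample line with its placeholder hash are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Findings for one passwd(5) line, OR-ed together (names are hypothetical). */
#define F_EMPTY_PW  1   /* password field empty: login needs no password */
#define F_UID0      2   /* account has UID 0, i.e. root privileges */
#define F_MALFORMED 4   /* fewer than 7 colon-separated fields */

/* Audit one "name:passwd:uid:gid:gecos:home:shell" line. */
int audit_passwd_line(const char *line)
{
    char buf[256], *field[7], *p = buf, *end;
    int n = 0, flags = 0;
    long uid;

    strncpy(buf, line, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    buf[strcspn(buf, "\r\n")] = '\0';

    /* Split by hand: strtok() would skip the empty fields we look for. */
    while (n < 7) {
        field[n++] = p;
        p = strchr(p, ':');
        if (!p) break;
        *p++ = '\0';
    }
    if (n < 7) return F_MALFORMED;

    if (field[1][0] == '\0') flags |= F_EMPTY_PW;
    uid = strtol(field[2], &end, 10);
    if (end != field[2] && *end == '\0' && uid == 0) flags |= F_UID0;
    return flags;
}

int main(void)
{
    /* First two lines: stock /tmp/passwd quoted in the first post.
       Third line: constructed, shaped like make_etc() output; the hash
       is a placeholder, not a real crypt() result. */
    const char *sample[] = {
        "root::0:0:root:/:/bin/sh",
        "guest::35000:42000:guest:/:/bin/sh",
        "admin:$1$$PLACEHOLDERHASH:0:0:root:/tmp/root:/bin/sh",
    };
    for (size_t i = 0; i < sizeof(sample) / sizeof(sample[0]); i++)
        printf("flags=%d  %s\n", audit_passwd_line(sample[i]), sample[i]);
    return 0;
}
```

A line that reports both F_EMPTY_PW and F_UID0 is a root login that requires no password.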
