大家好 我來自PCZONE
http://www.pczone.com.tw/showthread.php ... did=125120
http://www.pczone.com.tw/showthread.php ... did=125677
http://www.pczone.com.tw/showthread.php ... did=123588
上面這幾篇 是我的小小試玩心得
也因為試玩 我發現這一台 是使用LINUX KERNEL2.4的核心 的小型遷入式系統 但是由於他硬體的限制 有許多功能被移除了
我先介紹一下 這台的主要元件
1.包含CPU跟ADSL連接用的CHIP ----BCM96335
雖說TELNET的時候式顯示BCM96345但是實際上他是使用BCM96335搭配修改過本來是給BCM96345使用的LINUX
2.主要存放OS的地方 FLASHRAM__大小2MB
3.OS核心解壓後執行跟TEMP存放處 ___RAM一顆6MB
由於這台有一台兄弟機 使用BCM96345晶片
我昨天找到後也發現到該兄弟機的最新BIN檔(就是把整個OS都全部
更新並加入新的功能)也就拿來用看看,但是更新後ATU_R就掛了
也因為如此 我想到了 既然有新的BIN 也就是說這個可以自己想 然後
想辦法更新 並且加入新的功能
這台的原有功能還算強大 他有辦法MOUNT 也有好用的IPTABLES可
以用 可惜記憶體上的限制 它開機完成到執行已經耗用5MB多的記憶
體
所以我想 把他的記憶體換成32B的 FLASHRAM部分改成4MB的
但是以下有幾個麻煩 想問一下 有經驗開發過遷入(EM)式系統的 各位
高手
1.我知道他是BCM96335 但是不知道他裡面包含的CPU是啥款的 因
為他可以說是SOC 那我該如何偵測出核心 打造出專用的KERNEL
2.它使用BusyBox V6版作他的SHELL 但是很多功能移除 如果說不
能達成第一項目的 那我有辦法只更新他的 BusyBox 版本嗎
3.如果1跟2都可以完成 這台的硬體又可以提升 那合併頻寬應該是可
以的 我剛剛測試了一下 他可以多次撥接上去 甚至 只要VCI通道有開
多的 他也可以使用 也就是我可以做到小小的機器就可以合併頻寬
另外或許可以外加上SAMBA伺服器 當PDC伺服器使用
煩請各位高手給予指教
THX
[改造計畫][求助] 關於CHT最新ATUR-R型號 TECOM 4013B改造
11 篇文章
• 第 1 頁 (共 1 頁)
由 訪客 » 週一 6月 21, 2004 12:34 am
大家好
我到GOOGLE 找了一下 應該是找到CPU的型號了
The embedded MIPS32 CPU, with Broadcom-supplied software, controls the ADSL modem, performs high-performance bridging and routing between the ADSL WAN interface and various LAN interfaces, and allows for customer application development with industry-standard EJTAG/Ethernet tool chains and development environments.
請問該如何 下面的動作
我手邊有已經變成BIN檔的這台ATU_R的OS 我該如何打開
THX
我到GOOGLE 找了一下 應該是找到CPU的型號了
The embedded MIPS32 CPU, with Broadcom-supplied software, controls the ADSL modem, performs high-performance bridging and routing between the ADSL WAN interface and various LAN interfaces, and allows for customer application development with industry-standard EJTAG/Ethernet tool chains and development environments.
請問該如何 下面的動作
我手邊有已經變成BIN檔的這台ATU_R的OS 我該如何打開
THX
- 訪客
由 訪客 » 週二 6月 22, 2004 9:54 pm
PS. 以下是他可以用的IPTABLES指令 跟常規的有點不同
# iptables -h
iptables v1.2.7a
Usage: iptables -[AD] chain rule-specification [options]
iptables -[RI] chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LFZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain] List the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain] Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--proto -p [!] proto protocol: by number or name, eg. `tcp'
--source -s [!] address[/mask]
source specification
--destination -d [!] address[/mask]
destination specification
--in-interface -i [!] input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
--out-interface -o [!] output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.
FTOS target options
--set-ftos value Set TOS field in packet header to value
This value can be in decimal (ex: 32)
or in hex (ex: 0x20)
MARK target v1.2.7a options:
--set-mark value Set nfmark value
SNAT v1.2.7a options:
--to-source <ipaddr>[-<ipaddr>][:port-port]
Address to map source to.
(You can use this more than once)
REDIRECT v1.2.7a options:
--to-ports <port>[-<port>]
Port (range) to map to.
MASQUERADE v1.2.7a options:
--to-ports <port>[-<port>]
Port (range) to map to.
DNAT v1.2.7a options:
--to-destination <ipaddr>[-<ipaddr>][:port-port]
Address to map destination to.
(You can use this more than once)
LOG v1.2.7a options:
--log-level level Level of logging (numeric or see syslog.conf)
--log-prefix prefix Prefix log messages with this prefix.
--log-tcp-sequence Log TCP sequence numbers.
--log-tcp-options Log TCP options.
--log-ip-options Log IP options.
Standard v1.2.7a options:
(If target is DROP, ACCEPT, RETURN or nothing)
TCPMSS target v1.2.7a mutually-exclusive options:
--set-mss value explicitly set MSS option to specified value
--clamp-mss-to-pmtu automatically clamp MSS value to (path_MTU - 40)
ICMP v1.2.7a options:
--icmp-type [!] typename match icmp type
(or numeric type or type/code)
Valid ICMP Types:
echo-reply (pong)
destination-unreachable
network-unreachable
host-unreachable
protocol-unreachable
port-unreachable
fragmentation-needed
source-route-failed
network-unknown
host-unknown
network-prohibited
host-prohibited
TOS-network-unreachable
TOS-host-unreachable
communication-prohibited
host-precedence-violation
precedence-cutoff
source-quench
redirect
network-redirect
host-redirect
TOS-network-redirect
TOS-host-redirect
echo-request (ping)
router-advertisement
router-solicitation
time-exceeded (ttl-exceeded)
ttl-zero-during-transit
ttl-zero-during-reassembly
parameter-problem
ip-header-bad
required-option-missing
timestamp-request
timestamp-reply
address-mask-request
address-mask-reply
limit v1.2.7a options:
--limit avg max average match rate: default 3/hour
[Packets per second unless followed by
/sec /minute /hour /day postfixes]
--limit-burst number number to match in a burst, default 5
state v1.2.7a options:
[!] --state [INVALID|ESTABLISHED|NEW|RELATED][,...]
State(s) to match
TCP v1.2.7a options:
--tcp-flags [!] mask comp match when TCP flags & mask == comp
(Flags: SYN ACK FIN RST URG PSH ALL NONE)
[!] --syn match when only SYN flag set
(equivalent to --tcp-flags SYN,RST,ACK SYN)
--source-port [!] port[:port]
--sport ...
match source port(s)
--destination-port [!] port[:port]
--dport ...
match destination port(s)
--tcp-option [!] number match if TCP option set
UDP v1.2.7a options:
--source-port [!] port[:port]
--sport ...
match source port(s)
--destination-port [!] port[:port]
--dport ...
match destination port(s)
MARK match v1.2.7a options:
[!] --mark value[/mask] Match nfmark value with optional mask
# iptables -h
iptables v1.2.7a
Usage: iptables -[AD] chain rule-specification [options]
iptables -[RI] chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LFZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain] List the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain] Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--proto -p [!] proto protocol: by number or name, eg. `tcp'
--source -s [!] address[/mask]
source specification
--destination -d [!] address[/mask]
destination specification
--in-interface -i [!] input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
--out-interface -o [!] output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.
FTOS target options
--set-ftos value Set TOS field in packet header to value
This value can be in decimal (ex: 32)
or in hex (ex: 0x20)
MARK target v1.2.7a options:
--set-mark value Set nfmark value
SNAT v1.2.7a options:
--to-source <ipaddr>[-<ipaddr>][:port-port]
Address to map source to.
(You can use this more than once)
REDIRECT v1.2.7a options:
--to-ports <port>[-<port>]
Port (range) to map to.
MASQUERADE v1.2.7a options:
--to-ports <port>[-<port>]
Port (range) to map to.
DNAT v1.2.7a options:
--to-destination <ipaddr>[-<ipaddr>][:port-port]
Address to map destination to.
(You can use this more than once)
LOG v1.2.7a options:
--log-level level Level of logging (numeric or see syslog.conf)
--log-prefix prefix Prefix log messages with this prefix.
--log-tcp-sequence Log TCP sequence numbers.
--log-tcp-options Log TCP options.
--log-ip-options Log IP options.
Standard v1.2.7a options:
(If target is DROP, ACCEPT, RETURN or nothing)
TCPMSS target v1.2.7a mutually-exclusive options:
--set-mss value explicitly set MSS option to specified value
--clamp-mss-to-pmtu automatically clamp MSS value to (path_MTU - 40)
ICMP v1.2.7a options:
--icmp-type [!] typename match icmp type
(or numeric type or type/code)
Valid ICMP Types:
echo-reply (pong)
destination-unreachable
network-unreachable
host-unreachable
protocol-unreachable
port-unreachable
fragmentation-needed
source-route-failed
network-unknown
host-unknown
network-prohibited
host-prohibited
TOS-network-unreachable
TOS-host-unreachable
communication-prohibited
host-precedence-violation
precedence-cutoff
source-quench
redirect
network-redirect
host-redirect
TOS-network-redirect
TOS-host-redirect
echo-request (ping)
router-advertisement
router-solicitation
time-exceeded (ttl-exceeded)
ttl-zero-during-transit
ttl-zero-during-reassembly
parameter-problem
ip-header-bad
required-option-missing
timestamp-request
timestamp-reply
address-mask-request
address-mask-reply
limit v1.2.7a options:
--limit avg max average match rate: default 3/hour
[Packets per second unless followed by
/sec /minute /hour /day postfixes]
--limit-burst number number to match in a burst, default 5
state v1.2.7a options:
[!] --state [INVALID|ESTABLISHED|NEW|RELATED][,...]
State(s) to match
TCP v1.2.7a options:
--tcp-flags [!] mask comp match when TCP flags & mask == comp
(Flags: SYN ACK FIN RST URG PSH ALL NONE)
[!] --syn match when only SYN flag set
(equivalent to --tcp-flags SYN,RST,ACK SYN)
--source-port [!] port[:port]
--sport ...
match source port(s)
--destination-port [!] port[:port]
--dport ...
match destination port(s)
--tcp-option [!] number match if TCP option set
UDP v1.2.7a options:
--source-port [!] port[:port]
--sport ...
match source port(s)
--destination-port [!] port[:port]
--dport ...
match destination port(s)
MARK match v1.2.7a options:
[!] --mark value[/mask] Match nfmark value with optional mask
- 訪客
由 訪客 » 週二 6月 22, 2004 9:55 pm
這一台的檔案系統是如下
# df
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/mtdblock0 4724 4724 0 100% /
tmpfs 192 84 108 44% /var
# mount
/dev/mtdblock0 on / type cramfs (ro)
/proc on /proc type proc (rw)
tmpfs on /var type tmpfs (rw)
目前有很大難題 因為缺乏CP 跟LS 等重要指令 只有CAT 跟MKDIK等指令 然後他的FTP跟TFTP屬性是設定不顯示檔案跟資料名稱的
現在該如何取出他的核心檔案 是很大的困難
已經使用DEBAIN 的NFS讓他MOUNT上去 可是無法轉移檔案
請各位一起想辦法
THX
# df
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/mtdblock0 4724 4724 0 100% /
tmpfs 192 84 108 44% /var
# mount
/dev/mtdblock0 on / type cramfs (ro)
/proc on /proc type proc (rw)
tmpfs on /var type tmpfs (rw)
目前有很大難題 因為缺乏CP 跟LS 等重要指令 只有CAT 跟MKDIK等指令 然後他的FTP跟TFTP屬性是設定不顯示檔案跟資料名稱的
現在該如何取出他的核心檔案 是很大的困難
已經使用DEBAIN 的NFS讓他MOUNT上去 可是無法轉移檔案
請各位一起想辦法
THX
- 訪客
由 訪客 » 週三 6月 23, 2004 4:00 am
他兄弟機的BIN檔 在這裡 http://www.usr.com/support/9105/9105-fi ... ase2.1.bin 無法分析 取出重要的 網卡 跟晶片的MOD
ATUR本身不知道指令 也不知道KERNEL的名稱 所以無法DL壓縮過的BIN檔
目前 是使用區網內 使用一台LINUX(DEBIAN) 開啟NFS分享跟 ATUR 連接
目前是可以在ATU_R上MOUNT上LINUX的分區 不過缺少很多指令
沒有核心 沒有CONSOLE線製作的資料 (不知道腳位 不知道該如何DIY) 所以 沒辦法 弄一
個新的小小的LINUX 給ATUR(其實也是自己還不會做FLOPPY的LINUX 連一般的LINUX操
作都還很生疏)
ATUR因為是遷入式系統 所以使用BUSYBOX V6.04版當作COMMAND SHELL
但是是被精簡過的 不知道 可否想辦法置換 或者 使用其他的SHELL
請大家 多多幫忙吧
THX
ATUR本身不知道指令 也不知道KERNEL的名稱 所以無法DL壓縮過的BIN檔
目前 是使用區網內 使用一台LINUX(DEBIAN) 開啟NFS分享跟 ATUR 連接
目前是可以在ATU_R上MOUNT上LINUX的分區 不過缺少很多指令
沒有核心 沒有CONSOLE線製作的資料 (不知道腳位 不知道該如何DIY) 所以 沒辦法 弄一
個新的小小的LINUX 給ATUR(其實也是自己還不會做FLOPPY的LINUX 連一般的LINUX操
作都還很生疏)
ATUR因為是遷入式系統 所以使用BUSYBOX V6.04版當作COMMAND SHELL
但是是被精簡過的 不知道 可否想辦法置換 或者 使用其他的SHELL
請大家 多多幫忙吧
THX
- 訪客
- 訪客
由 訪客 » 週四 6月 24, 2004 11:00 am
以下 可能可以用軟碟片直接先測試 兄弟機的BIN檔
_____以下為文件_____
6. Modding and reverse-engineering
There is a [http://www.bextreme.net/wap11web/] page that tells you how to
casemod the Linksys wireless router (they just call it the WAP11 but it
appears to be one of the BEFW11S4 variants.
The Linksys has Linux inside. Intrepid hacker Erik Andersen tells us:
#!/bin/sh
# This is what I did to open up the Linksys rom...
wget ftp://ftp.linksys.com/pub/network/WRT54 ... S_code.bin
# I noticed a GZIP signature for a file name "piggy" at offset
# 60 bytes from the start, suggesting we have a compressed Linux
# kernel
dd if=WRT54G_1.02.1_US_code.bin bs=60 skip=1 | zcat > kernel
# Noticed there was a cramfs magic signature (bytes 45 3D CD 28
followed shortly by "Compressed ROMFS") at offset 786464
dd if=WRT54G_1.02.1_US_code.bin of=cramfs.image bs=786464 skip=1
file cramfs.image
sudo mount -o loop,ro -t cramfs ./cramfs.image /mnt
ls -la /mnt/bin
file /mnt/bin/busybox
strings /mnt/bin/busybox | grep BusyBox
# Use uClibc's ldd to get useful answers for non-x86 binaries
/usr/i386-linux-uclibc/bin/i386-uclibc-ldd /mnt/bin/busybox
Linksys now supplies [http://www.linksys.com/support/gpl.asp] source code on
its site (I don't know what's in the various archives, though). Several other
similar products, including the Buffalo Technology box, seem to use the same
firmware.
There's an interesting site on hacking the Wrt54g by Seattle wireless.net.
_____以下為文件_____
6. Modding and reverse-engineering
There is a [http://www.bextreme.net/wap11web/] page that tells you how to
casemod the Linksys wireless router (they just call it the WAP11 but it
appears to be one of the BEFW11S4 variants.
The Linksys has Linux inside. Intrepid hacker Erik Andersen tells us:
#!/bin/sh
# This is what I did to open up the Linksys rom...
wget ftp://ftp.linksys.com/pub/network/WRT54 ... S_code.bin
# I noticed a GZIP signature for a file name "piggy" at offset
# 60 bytes from the start, suggesting we have a compressed Linux
# kernel
dd if=WRT54G_1.02.1_US_code.bin bs=60 skip=1 | zcat > kernel
# Noticed there was a cramfs magic signature (bytes 45 3D CD 28
followed shortly by "Compressed ROMFS") at offset 786464
dd if=WRT54G_1.02.1_US_code.bin of=cramfs.image bs=786464 skip=1
file cramfs.image
sudo mount -o loop,ro -t cramfs ./cramfs.image /mnt
ls -la /mnt/bin
file /mnt/bin/busybox
strings /mnt/bin/busybox | grep BusyBox
# Use uClibc's ldd to get useful answers for non-x86 binaries
/usr/i386-linux-uclibc/bin/i386-uclibc-ldd /mnt/bin/busybox
Linksys now supplies [http://www.linksys.com/support/gpl.asp] source code on
its site (I don't know what's in the various archives, though). Several other
similar products, including the Buffalo Technology box, seem to use the same
firmware.
There's an interesting site on hacking the Wrt54g by Seattle wireless.net.
- 訪客
11 篇文章
• 第 1 頁 (共 1 頁)
誰在線上
正在瀏覽這個版面的使用者:沒有註冊會員 和 1 位訪客