Recently, I have taken to poking around in embedded devices for what I am told by some is something called “fun”. Apparently, word of this hobby of mine has gotten around because a coworker dropped an old Iomega iConnect he had lying around on my desk for me to play with.
The iConnect was billed as a “wireless data station” - kind of a NAS of sorts, but with an emphasis on media streaming. All of the information I could find on the iConnect was from 2010 at the latest, so I’m guessing these things aren’t still being made, but if you happen to get your hands on one, here’s how I managed to get root access on it.
When you crack open the case you can see that, despite the slim form factor, good guy Iomega still manages to keep some header pins for UART access on the board. Connecting to these pins lets you watch the dmesg output during boot, which ends with a login prompt. If you already know the root login you could simply get full control of the device this way, but since you’re reading this post I’m going to assume you don’t. Let’s take a closer look at some of the dmesg output.
So, during boot it attempts to mount /dev/sda1 as /usb_drive. That’s good to know! I wonder what happens if we stick a thumb drive in and boot it up again…
Looks like it’s having trouble finding some of the files it’s looking for. I’m sure we can help with that. The script that is doing the heavy lifting here is /initrd/mount_images.sh, which tries to mount the USB drive and, if successful, executes a couple of functions called “run_preimage_script” and “extract_validate_image”.
These functions are defined in /initrd/common.sh. “run_preimage_script” sounds interesting. Let’s see what it does!
Oh dear. So run_preimage_script looks for emctools/iconnect_images/preimage.sh on the USB drive, and, if the file exists, runs it. As root. No questions asked. Told you this is an easy one.
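A hardened counterpart to the behaviour described above, as an added example that is not Iomega's code or part of the original post: it refuses to run preimage.sh unless its SHA-256 digest is on a list kept in firmware. `USB_MOUNT`, `TRUSTED_DIGESTS`, `file_sha256`, `run_preimage_script_verified` and the `/initrd/preimage.sha256` path are hypothetical names chosen for illustration.

```shell
#!/bin/sh
# Added example: verify preimage.sh before running it as root.
# Assumed/hypothetical names: USB_MOUNT, TRUSTED_DIGESTS, file_sha256,
# run_preimage_script_verified, and the /initrd/preimage.sha256 path.
# The digest list is assumed to ship in the read-only firmware image,
# never on the removable drive.
USB_MOUNT="${USB_MOUNT:-/usb_drive}"
TRUSTED_DIGESTS="${TRUSTED_DIGESTS:-/initrd/preimage.sha256}"
PREIMAGE_REL="emctools/iconnect_images/preimage.sh"

# Print the SHA-256 of a file as bare hex (empty output on failure).
file_sha256() {
    sha256sum "$1" 2>/dev/null | cut -d' ' -f1
}

# Run the script from the drive only if its digest is allowlisted.
# Returns the script's exit status, or 1 if it was refused.
run_preimage_script_verified() {
    src="$USB_MOUNT/$PREIMAGE_REL"
    # Regular file only; a symlink could point anywhere.
    if [ ! -f "$src" ] || [ -L "$src" ]; then return 1; fi
    # Refuse an allowlist that is missing or sits on the drive itself.
    [ -r "$TRUSTED_DIGESTS" ] || return 1
    case "$TRUSTED_DIGESTS" in "$USB_MOUNT"/*) return 1 ;; esac
    # Copy first, so the bytes that are hashed are the bytes that run.
    tmp=$(mktemp) || return 1
    if ! cp "$src" "$tmp"; then rm -f "$tmp"; return 1; fi
    digest=$(file_sha256 "$tmp")
    rc=1
    if [ -n "$digest" ] && grep -qxF "$digest" "$TRUSTED_DIGESTS"; then
        rc=0
        sh "$tmp" || rc=$?
    else
        echo "preimage.sh is not on the trusted list; skipping" >&2
    fi
    rm -f "$tmp"
    return "$rc"
}
```

A fixed digest list keeps the example dependency-free; a vendor shipping updates would more likely verify a signature against a public key stored in firmware.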
Since this script is being run before the filesystem is fully mounted, we can’t just make a call to passwd to modify the root password, but we can use our script to append a call like that to the end of another script that gets executed later on, like linuxrc for instance. While we’re at it, I also took the liberty of “fixing” their /etc/rc2.d/S50sshd file, where they disabled sshd by simply commenting out the line where the daemon gets run. I ended up with the following preimage.sh file in the emctools/iconnect_images/ directory of my thumb drive:
Now, if you boot the iConnect with this thumb drive plugged in, it will run the preimage.sh script, which changes the root password to “password” and starts sshd. Done.
That’s it for now, but more hilarity is coming soon. Stay tuned.