PQI の Air Card に Telnet で ログイン成功

パスワードも何もなしに
telnet 192.168.1.1 で root権限でログイン成功

特にユーザーとかは無いようだ。

vi も vim も無し
というか vi は用意してるみたいだけど busybox に入ってないので
applet not found になってしまう。
その他にも名前だけでコンパイル時に省かれてるものが結構ある。
おそらく開発用のプロトライプはディスク容量が大きかったが、量産タイプではケチったため
オプションを いろいろ外してきたんだろう。
Linuxの方のディスク容量は1MBしかないようで。でも200KBしか使っていない。

CPUは ARM926EJ-S rev 5 (v5l)
BogoMIPS 的には 420MHz程度ということになるのか。
RAMの方はディスクよりでかくて 26MB とある。

以下調査結果

#du
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mtdblock0 1024 204 820 20% /mnt/mtd
/dev/mmcblk0p1 31154688 249888 30904800 1% /mnt/sd

 

# mount
proc on /proc type proc (0)
/dev/mtdblock0 on /mnt/mtd type jffs2 (0)
none on /dev/pts type devpts (mode=0622)
/dev/mmcblk0p1 on /mnt/sd type vfat (shortname=winnt,iocharset=utf8,rw)

 

# cat /proc/meminfo
MemTotal: 26708 kB
MemFree: 10664 kB
Buffers: 4104 kB
Cached: 6796 kB
SwapCached: 0 kB
Active: 6512 kB
Inactive: 5280 kB
Active(anon): 892 kB
Inactive(anon): 0 kB
Active(file): 5620 kB
Inactive(file): 5280 kB
Unevictable: 0 kB
Mlocked: 0 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Dirty: 0 kB
Writeback: 0 kB
AnonPages: 920 kB
Mapped: 1072 kB
Shmem: 0 kB
Slab: 2720 kB
SReclaimable: 1728 kB
SUnreclaim: 992 kB
KernelStack: 280 kB
PageTables: 120 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 13352 kB
Committed_AS: 3412 kB
VmallocTotal: 825344 kB
VmallocUsed: 324 kB
VmallocChunk: 824256 kB

 

#cat /proc/cpuinfo
Processor : ARM926EJ-S rev 5 (v5l)
BogoMIPS : 421.06
Features : swp half fastmult edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant : 0x0
CPU part : 0x926
CPU revision : 5

Hardware : KeyASIC Ka2000 EVM
Revision : 0000
Serial : 0000000000000000

 

# lsmod
ka2000_sdio 8141 0 - Live 0xbf06f000
ar6000 293759 0 - Live 0xbf015000
ka2000_sdhc 56185 0 - Live 0xbf000000

 

# cat /proc/version
Linux version 2.6.32.28 (root@ubuntu-desktop) (gcc version 4.5.2 (Sourcery G++ Lite 2011.03-42) ) #244 PREEMPT Mon Jun 11 11:39:31 CST 2012

 

# env
USER=root
OLDPWD=/proc
HOME=/
TERM=vt102
PATH=/sbin:/usr/sbin:/bin:/usr/bin
SHELL=/bin/sh
PWD=/proc

 

# set
HOME='/'
IFS='
'
OLDPWD='/proc'
OPTIND='1'
PATH='/sbin:/usr/sbin:/bin:/usr/bin'
PPID='63'
PS1='# '
PS2='> '
PS4='+ '
PWD='/proc'
SHELL='/bin/sh'
TERM='vt102'
USER='root'
_='env'

 

# ps
PID USER VSZ STAT COMMAND
1 0 1584 S init
2 0 0 SW [kthreadd]
3 0 0 SW [ksoftirqd/0]
4 0 0 SW [events/0]
5 0 0 SW [khelper]
6 0 0 SW [async/mgr]
7 0 0 SW [sync_supers]
8 0 0 SW [bdi-default]
9 0 0 SW [kblockd/0]
10 0 0 SW [kmmcd]
11 0 0 SW [uart tx/0]
12 0 0 SW [spi_KeyAsic_ssi]
13 0 0 SW [kswapd0]
14 0 0 SW [aio/0]
15 0 0 SW [crypto/0]
30 0 0 SWN [jffs2_gcd_mtd0]
32 0 0 SW [switch/0]
34 0 0 SW [mmcqd]
46 0 1576 S kcard_app
56 0 1568 S tcpsvd 0 21 ftpd -w /mnt/
63 0 1576 S telnetd -l /bin/sh
67 0 1604 S boa
82 0 1584 S init
99 0 1652 S /usr/bin/perl /usr/bin/gen_hostapd_conf.pl
107 0 816 S hostapd -d /mnt/mtd/config/hostapd.conf
122 0 1572 S /bin/sh
176 0 0 SW [flush-179:0]
203 0 0 SW [AR6K Async]
211 0 0 SW [ksdioirqd/mmc1]
228 0 1652 S /usr/bin/perl /usr/bin/gen_hostapd_conf.pl
230 0 1580 S dnsd -c /etc/dnsd.conf -d
234 0 1572 S udhcpd /etc/udhcpd.conf
236 0 816 S hostapd -d /mnt/mtd/config/hostapd.conf
253 0 1580 S /bin/sh
259 0 1568 R ps

 

# ls / -a
. dev lib proc tmp
.. etc linuxrc root usr
bin home lost+found sbin var
config_value init mnt sys www

 

# ls /etc -a
. init.d version.txt
.. inittab wep.conf
boa mime.types wpa.conf
cimgconf mtab wpa_supplicant.conf
dhcp.script rc.conf wsd.conf
dnsd.conf uaputl.conf wsd_backup.conf
fstab udhcpd.conf
hostname udhcpd_uap.conf

 

# cat /etc/version.txt
Product Name : PQI Air card
Firmware Version : V138 JUN132012 M
Build Date : 13 JUN 2012
Revision : 2
WiFi Model : Atheros AR6003 11n
Linux Kernel : 2.6.32.28
Busybox : 1.18.5

 

# ls /bin -a
. echo iwevent pwd
.. egrep iwlist rev
ash fgrep iwpriv rm
athtestcmd fsync kill rmdir
base64 grep ln sh
bash hello_ka ls sleep
boa hostname macaddr sta
boa_indexer ifrename mkdir stat
busybox ionice mknod sync
cat iostat mount tcmd
chmod ip mpstat touch
chown ipaddr mv uaputl
cp iplink netstat umount
date iproute ping usleep
df iprule powertop vi
dmesg iptunnel printenv wmiconfig
dnsdomainname iwconfig ps wpa_supplicant

 

# ls -a
. blkid devmem logread rmmod udhcpc
.. blockdev ifconfig lsmod route vconfig
acpid bootchartd init modinfo sysctl
arp depmod insmod modprobe syslogd

 

# ls /usr/sbin/ -a
. flash_eraseall inetd popmaildir
.. flash_lock iwconfig rdev
brctl flash_unlock iwlist setfont
dhcprelay flashcp nbd-client telnetd
dnsd ftpd ncftpput udhcpd
fakeidentd httpd ntpd

ncftpput だけ実ファイル

# ls /usr/bin -a
. lzopcat tftpd
.. md5sum thumbNail
a0 mesg thumbNail_android
a1 microcom thumbnail_video
a1_ap mount_sd timeout
a1a mptest.sh top
a2 mrgtmp0 tr
a3 mtdf uap
a3a mtdm udpsvd
arping nc unlzop
beep nslookup unxz
buzzer p2p_client uptime
clear p2p_server ver
client_t perl volname
cmp pkill w1
copy_control_images_to_nor.sh pmap w2
dirname printf w2_old
download pscan w2_t
du rcS1 w3
dumpleases rcS2 w3_adhoc
env rcS3 w3_wifi_auto_on
f1 rcS4 w3es
factory_reset.sh rcS5 w4
fgconsole rcS6 w5
find rcS7 wall
flock readahead wget
ftpget refresh_sd which
ftpput renice wifi_connect_router
gen_hostapd_conf.pl restore_all_control_images.sh wifi_download
hexdump seq wifi_filelist
hostapd sha256sum wifi_ftp_server
i0 sha512sum wifi_ftp_upload
i1 showkey wifi_get_config
id smemcap wifi_quick_send
ifplugd softlink wifi_receiver
kcard_app t1 wifi_sender
kcard_cmd t2 wifi_upload
kcard_startup tcpsvd xargs
logger telnet xz
lspci test_wireless1.sh xzcat
lsusb test_wireless2.sh
lw.sh tftp

 

# busybox
BusyBox v1.18.5 (2012-05-03 19:53:21 CST) multi-call binary.
Copyright (C) 1998-2009 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.

Usage: busybox [function] [arguments]...
or: busybox --list[-full]
or: function [arguments]...

BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable. Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as.

Currently defined functions:
arp, arping, ash, bash, boa, boa_indexer, bootchartd, buzzer, cat,
chmod, cp, date, df, dhcprelay, dmesg, dnsd, dnsdomainname, dumpleases,
echo, egrep, env, fgrep, find, ftpd, ftpget, grep, hostname, ifconfig,
inetd, init, insmod, iwconfig, iwlist, iwpriv, kcard_app, kcard_cmd,
kcard_startup, kill, linuxrc, ln, ls, lsmod, macaddr, mesg, mkdir,
mount, mv, nslookup, perl, ping, pkill, ps, pwd, readahead, rm, rmdir,
rmmod, route, sh, sleep, sync, tcpsvd, telnetd, thumbNail,
thumbNail_android, thumbnail_video, touch, udhcpc, udhcpd, umount,
wget, which, wifi_connect_router, wifi_download, wifi_filelist,
wifi_ftp_server, wifi_ftp_upload, wifi_get_config, wifi_quick_send,
wifi_upload, xargs

WEB サーバは boa のようだ。

# ls /www -la
drwxrwxrwx 6 0 0 0 May 4 2012 .
drwxrwxrwx 17 0 0 0 Jan 1 00:00 ..
drwxrwxrwx 2 0 0 0 Jun 13 2012 cgi-bin
-rwxrwxrwx 1 0 0 4441 May 4 2012 frame1.html
-rwxrwxrwx 1 0 0 662 Oct 13 09:35 frame2.html
-rwxrwxrwx 1 65534 65534 202 Oct 11 07:05 hello.html
drwxrwxrwx 2 65534 65534 0 May 3 2012 images
-rwxrwxrwx 1 0 0 681 May 3 2012 index.html
lrwxrwxrwx 1 0 0 11 Jun 11 2012 mtd -> ../mnt/mtd/
-rwxr--r-- 1 65534 65534 5764 Feb 22 2012 multi_download_decode.jar
drwxrwxrwx 2 0 0 0 Oct 11 07:05 page
-rwxrwxrwx 1 0 0 624 May 3 2012 page.html
-rwxr--r-- 1 65534 65534 264 Mar 13 2012 postconfig.html
drwxrwxrwx 2 0 0 0 Mar 26 2012 script
lrwxrwxrwx 1 0 0 10 Jun 11 2012 sd -> ../mnt/sd/
-rwxr--r-- 1 65534 65534 409 Feb 20 2012 test_uploadto.html
-rwxrwxrwx 1 65534 65534 665 Feb 20 2012 uploadto.html

 

# perl -v
This is perl 5, version 14, subversion 1 (0x183190) built for unknown

Copyright 1987-2011, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl". If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.

 

# ls /usr/local/lib/perl5/5.14 -la
drwxrwxrwx 9 0 0 0 Jan 20 2012 .
drwxrwxrwx 3 0 0 0 Oct 11 07:05 ..
drwxrwxrwx 2 0 0 0 Oct 11 07:05 CGI
-rwxrwxrwx 1 0 0 261564 Oct 11 07:05 CGI.pm
drwxrwxrwx 2 0 0 0 Oct 11 07:05 Carp
-rwxrwxrwx 1 0 0 17564 Oct 11 07:05 Carp.pm
-rwxrwxrwx 1 0 0 3179 Oct 11 07:05 Config.pm
-rwxrwxrwx 1 0 0 14803 Oct 11 07:05 Cwd.pm
-rwxrwxrwx 1 0 0 24941 Oct 11 07:05 DynaLoader.pm
-rwxrwxrwx 1 0 0 18686 Oct 11 07:05 Exporter.pm
-rwxrwxrwx 1 0 0 3924 Oct 11 07:05 Fcntl.pm
drwxrwxrwx 3 0 0 0 Dec 2 14:51 File
drwxrwxrwx 3 0 0 0 Oct 11 07:05 Scalar
drwxr-xr-x 4 65534 65534 0 Jan 20 2012 URI
-rwxrwxrwx 1 0 0 10205 Oct 11 07:05 XSLoader.pm
-rwxrwxrwx 1 0 0 13383 Oct 11 07:05 constant.pm
drwxrwxrwx 2 0 0 0 Oct 11 07:05 overload
-rwxrwxrwx 1 0 0 53671 Oct 11 07:05 overload.pm
-rwxrwxrwx 1 0 0 3716 Oct 11 07:05 strict.pm
-rwxrwxrwx 1 0 0 2358 Oct 11 07:05 vars.pm
drwxrwxrwx 2 0 0 0 Oct 11 07:05 warnings
-rwxrwxrwx 1 0 0 18672 Oct 11 07:05 warnings.pm

“PQI の Air Card に Telnet で ログイン成功” への1件の返信

コメントを残す