SLIDE 1

Hacking Consumer Devices for Fun and Profit

An Insider's View of the NSLU2-Linux Open-Source Project

Rod Whitby <rod@whitby.id.au>

NSLU2-Linux Project Lead

SLIDE 2

10 Feb 2007 Hacking Consumer Devices for Fun and Profit Rod Whitby <rod@whitby.id.au> 2

Hacking Consumer Devices for Fun and Profit

1. The Linksys NSLU2

  • Hardware Specs
  • Linksys Firmware
  • RedBoot Bootloader

2. Unslung Firmware

  • Project Inception
  • Unslung 1.x
  • Unslung 2.x to 5.x
  • Unslung 6.x

3. Optware Packages

  • NSLU2, WL500g, …
  • Distributed Development

4. SlugOS Firmware

  • OpenSlug, “DebianSlug”

5. Official Kernel Support

  • NSLU2, NAS100D, Loft, …

6. Official Debian Support

  • Debian Etch Loves The Slug

7. The Fun

  • NSLU2-Linux Exhibitions
  • NSLU2-Linux Community
  • NSLU2-Linux Development
  • Project Infrastructure

8. The Profit

  • How to Make a Small Fortune
  • Donations for Hardware

9. The Future

  • What to do next

SLIDE 3

The Linksys NSLU2

  • Hardware Specs
  • Network Attached Storage (NAS) Consumer Device

  • 27.5mm x 135mm x 96mm
  • 5V DC, Maximum 2 Amps
  • Intel XScale IXP420
  • Big-endian ARM
  • 133MHz (under-clocked)
  • 10/100 Ethernet
  • 2 x USB 2.0 Host Ports
  • 32 MB RAM
  • 8 MB Flash
  • Serial, JTAG, I2C, …
  • NSLU2 -> NSLUG -> “Slug”

SLIDE 4

The Linksys NSLU2

  • Stock Linksys Firmware
  • Designed to be a stand-alone Samba server for attached USB hard disks.
  • Ext3 filesystem with 3 partitions
  • Must be formatted on the device
  • Linux 2.4.22 Kernel
  • Major modifications to the USB and SCSI subsystems
  • Snapgear-based root filesystem
  • busybox, samba, thttpd, etc.
  • Linksys binary-only utilities
  • Set_Led, USB_Detect, Watchdog, CheckPowerButton, CheckResetButton
  • Source code available for kernel and root filesystem, but not for Linksys binaries

SLIDE 5

The Linksys NSLU2

  • RedBoot Bootloader
  • Loads kernel and initial ramdisk into memory, then executes kernel.
  • Kernel size is limited to 1MB
  • Ramdisk size is set at 10MB (can extend to 12MB if required)
  • MAC address for internal ethernet interface stored alongside RedBoot
  • Significant modifications by Linksys
  • Addition of “move”, “boot”, and “upgrade” commands
  • Removal of FIS directory functions
  • Not intended to be user-accessible
  • … unless you solder on a connector for a serial port
  • Linksys left in a 2-second telnet window of opportunity
  • Upgrade mode is another exploit mechanism
  • “Good enough” for our purposes, so left alone.

SLIDE 6

Unslung Firmware

  • Project Inception

12 July 2004

  • Jim Buzbee finds the Telnet exploit.

31 July 2004

  • nslu2-linux mailing list is created.

5 Aug 2004

  • Tom’s Hardware article published.
  • Mailing list has 13 members.

10 Aug 2004

  • First successfully modified image.

11 Aug 2004

  • Serial port and RedBoot TFTP.
  • “Unslung” concept based on /linuxrc.
  • Jim’s journal links to the mailing list.

15 Aug 2004

  • iTunes server ported.

16 Aug 2004

  • Busybox, dropbear and wget ported.
  • Donations requested ($240 on first day).

17 Aug 2004

  • Rod’s NSLU2 arrives in the post.

18 Aug 2004

  • Slug sacrificed to find JTAG traces.
  • Jim’s journal page is slashdotted, and the mailing list feels the effect.

19 Aug 2004

  • nslu2-linux.org domain registered.

22 Aug 2004

  • nslu2-general mailing list created.

24 Aug 2004

  • First boot from external hard disk.
  • Serial port mod published.

25 Aug 2005

  • Linksys releases kernel source.

30 Aug 2005

  • RedBoot telnet access found.
  • RedBoot upgrade mode found.

31 Aug 2005

  • 700 members and 1000 list emails.

13 Sep 2005

  • Wiki installed at www.nslu2-linux.org

SLIDE 7

Unslung Firmware

  • Unslung 1.x
  • Designed to be a minimal-changes firmware replacement
  • Retains all of the standard NSLU2 product functionality unchanged
  • Adds the capability to load the root filesystem from external storage and download and install packages onto that external storage to be used alongside the standard product functionality.
  • Also defines the package format for downloadable packages.
  • Unslung 1.7-alpha source code was released on 3 Sep 2004.
  • The goal was to free up 10MB of RAM by pivoting from an initial “switchbox” ramdisk to JFFS2 or an external disk or NFS root filesystem.

  • Built from a Makefile in a SourceForge CVS repository.
  • Used a binary sed to modify the Linksys kernel.
  • Unslung 1.11-beta binary image was released on 14 Sep 2004.
  • There were well over 1000 downloads of Unslung 1.x

SLIDE 8

Unslung Firmware

  • Unslung 2.x and 3.x
  • Unslung 2.12-beta binary image was released on 6 Nov 2004.
  • The goal was to build the firmware from source.
  • Support for ext3 flash disks on Port 1
  • Full downloadable package support
  • USB enclosure fixes (Genesys)
  • Kernel compiled from source (including some fixes)
  • Unslung 3.16-beta binary image was released on 25 Dec 2004.
  • The goal was to add a persistent JFFS2 root file system.
  • USB devfs support (driven by Topfield “puppy” development)
  • NFS kernel support
  • Recovery mode and Maintenance mode added.

SLIDE 9

Unslung Firmware

  • Unslung 4.x and 5.x
  • Unslung 4.20-beta binary image was released on 15 May 2005.
  • The goal was to become self-hosting – being able to build Optware packages natively, and to free up another 1MB of RAM by booting directly to a /linuxrc in JFFS2 instead of using the “switchbox” initrd.

  • The internal JFFS2 partition became an initfs and recovery filesystem.
  • More kernel modules were enabled (and kernel module ipkg feed added)
  • RAID, USB Audio, USB Cameras, Traffic Shaping, Tape Drives, etc.
  • Quite a few people stuck with 3.18-beta until 5.5-beta was released.
  • Unslung 5.5-beta binary image was released on 14 June 2005.
  • Upgraded to be based on Linksys V2.3R29 firmware.
  • Changed from broken maintenance mode to stable upgrade mode.
  • Disabled the Linksys download daemon (in favor of upgrade mode).
  • There have been almost 18000 downloads of Unslung 5.5-beta.

SLIDE 10

Unslung Firmware

  • Unslung 6.x
  • Unslung 6.8-beta binary image was released on 12 April 2006.
  • Updated to Linksys R63 firmware, which includes the Paragon commercial NTFS kernel module with full write support.
  • Many usability improvements (to try and reduce the number of installation-related questions on the mailing list).

  • The new Unslung logo is now featured in the Web GUI ☺
  • There have been over 28000 downloads of Unslung 6.8-beta.

SLIDE 11

Optware Packages

  • NSLU2, WL500g, …
  • Began as “Unslung Packages” – now over 750 packages strong.
  • The set of packages has been ported to many targets:
  • Linksys NSLU2 (armeb, glibc)
  • Asus WL500g/gx (mipsel, uclibc)
  • Synology DS-101 (armeb, glibc)
  • Freecom FSG-3 (armeb, glibc)
  • Maxtor Shared Storage (armeb, uclibc)
  • Iomega NAS 100d (armeb, glibc)
  • Synology DS-101g+ (powerpc, glibc)
  • Linksys WRT54G* (mipsel, uclibc)
  • Technologic Systems TS72xx (arm, glibc)
  • Diverse range of packages:
  • Apache, MySQL, Perl/PHP/Python, Squid
  • Email, IRC, CUPS, Torrent, CVS, SVN, Git, Monotone
  • Webcam, Network Sound, USB PVR, X10, Samba PDC, Topfield EPG
  • MediaWiki, Asterisk, Gallery, iTunes Server, CCXStream, TwonkyVision

SLIDE 12

Optware Packages

  • Distributed Development
  • More than 100 Optware package developers.
  • Send a new package.mk file to the nslu2-developers mailing list and you are granted CVS write access.
  • An identified package feed manager for each of the targets.
  • New and modified packages are built automatically every half hour, and the package feeds for all targets are updated upon successful builds.
  • Build logs are published on the web for package developers to peruse (and fix any problems).

NSLU2 Asterisk PBX (on 512MB flash stick), Sipura SPA-3000 ATA/Gateway

SLIDE 13

SlugOS Firmware

  • OpenSlug, “DebianSlug”
  • SlugOS refers to our legacy-free distributions based on OpenEmbedded
  • Latest 2.6.x kernel (currently 2.6.20)
  • Support for the NSLU2 written from scratch and contributed to kernel.org
  • OpenEmbedded-based root filesystem
  • Draws on the 1500+ packages available in OpenEmbedded
  • No legacy Linksys proprietary source code or binaries
  • OpenSlug (SlugOS/BE) refers to slugos-bag (big-endian, arm, glibc), “DebianSlug” (SlugOS/LE) refers to slugos-lag (little-endian, arm, glibc)
  • UcSlugC refers to slugos-btu (big-endian, thumb, uClibc), but is no longer supported.
  • “DebianSlug” name has been deprecated, now that Debian/NSLU2 exists.
  • OpenSlug 1.12-beta binary image was released on 15 May 2005.
  • OpenSlug 2.7-beta binary image was released on 28 Sep 2005.
  • SlugOS 3.10-beta binary images (current release, both BE and LE) were released on 9 June 2006.

SLIDE 14

SlugOS Firmware

  • OpenSlug, “DebianSlug”
  • There were 484 downloads of the OpenSlug 1.12-beta binary image, 625 downloads of OpenSlug 2.0-beta (since 22 July 2005), 1032 downloads of OpenSlug 2.5-beta (since 9 Aug 2005), 2669 downloads of OpenSlug 2.7-beta (since 28 Sep 2005) and 9129 downloads of SlugOS 3.10-beta (since 9 Jun 2006).
  • SlugOS releases generally occur in response to major kernel version changes.
  • Quite a few SlugOS users build their own firmware from source.
  • “DebianSlug” (SlugOS/LE) is compatible with packages from the official Debian ARM port.

SLIDE 15

Official Kernel Support

  • NSLU2, NAS100d, Loft, …
  • Kernel support (2.6.20) for the supported targets:
  • MACH_NSLU2: Linksys NSLU2
  • MACH_NAS100D: Iomega NAS 100d
  • MACH_LOFT: GiantShoulderInc Loft
  • MACH_DS101: Synology DS101

  • NSLU2-Linux team has contributed to other items:
  • Maclist support
  • RTC class
  • New LEDs class
  • Open Source IXP Ethernet driver
  • Many patches already pushed upstream
  • But many patches still to be pushed …

SLIDE 16

Official Debian Support

  • Debian Etch Loves The Slug
  • Debian Etch has full support for the NSLU2, including all the latest Kernel patches and the open source IXP ethernet driver.
  • debian-installer will read configuration from flash, bring up network and SSH. Installation done via SSH.
  • Normal Debian installation to external USB storage.
  • Full support for in-place kernel upgrades.
  • There have been over 4400 downloads of the Debian/NSLU2 installation image.

SLIDE 17

The Fun

  • NSLU2-Linux Exhibitions

Linux World Expo 2005, SCALE 4x 2006

SLIDE 18

The Fun

  • NSLU2-Linux Community
  • Unslung, Optware and SlugOS are good examples of user-supported / user-developed software done right.
  • What makes it work so well?
  • Separate lists for users and developers.
  • Revision-control systems. We use monotone and subversion.
  • Wikis. We have a community rule that encourages users to add to and improve the wiki.
  • Freenode IRC. The core developers are available to help on a number of IRC channels e.g. #nslu2-linux. Community rules about bothering them.
  • Easy to become a developer. Publicly post a working package recipe and you get CVS write access. We have had no “rogue developers” yet, and if we did, any damage would be reverted. A wiki-like model of development.

SLIDE 19

NSLU2-Linux Community

  • The Community Rules

1. Never ever use the Linksys EraseAll tool - it will brick your slug permanently.
2. You will search the wiki first and read the FAQ before asking questions on the mailing lists or IRC channels.
3. You must read and follow the steps in the README file precisely when flashing firmware.
4. Those who ask the questions, update the wiki when they get the answers.
5. Those who complain about the documentation, update the wiki to make it better.
6. Friends don't let friends flash custom firmware without confirmed RedBoot upgrade mode access.
7. Friends don't let friends flash custom boot loaders without confirmed JTAG access.

The Development Rules

  • NSLU2-Linux is run as a “meritocracy” – those who contribute the most are the ones who get to make the key development decisions.
  • Key contributors are invited to become part of the Core Team, and are assigned a role in line with their major contribution, skill, or external influence.
  • “If it’s not in the source repository, then it doesn’t exist.”
  • “If it cannot be built automatically from source, then it cannot be released.”
  • “It either goes up (-stream) or it goes out.”

SLIDE 20

NSLU2-Linux Community

  • Community Growth
  • Over 12,000 mailing list subscribers.
  • Over 50,000 downloads of the Unslung firmware.
  • Over 10,000 downloads of the SlugOS firmware.
  • Over 10,000 downloads of the Debian/NSLU2 firmware.
  • The www.nslu2-linux.org wiki serves over 12000 hits and 200MB of data each day.
  • The ipkg.nslu2-linux.org package feeds serve over 5GB of data per day (in total) from four world-wide mirror locations.
  • We maintain over 2.5GB of publicly accessible information, source code and executables.

[Chart: NSLU2-Linux Community Growth; series: Members, Posts; x-axis: Aug-04 to Feb-07]

SLIDE 21

The Fun

  • NSLU2-Linux Development
  • 100 Optware package developers
  • 20 Core Team members
  • SlugTime covers the globe:
  • HST, PST, CST, EST, GMT, CET, ACST, NZST
  • 4 Firmware Distributions
  • Unslung, SlugOS/BE, SlugOS/LE, Debian/NSLU2

"While Linksys does not support any of the alternate firmware available for the NSLU2, we are always delighted to see a product gain such widespread acceptance. Like the similar community that emerged to enhance the WRT54G before it, the creativity and ingenuity of Linksys customers inspires us to continually improve our products."

- Mike Wagner, Director of Marketing, Linksys.

SLIDE 22

NSLU2-Linux Development

  • Build Systems and SCM
  • Unslung 1.x was developed using a simple Makefile in a CVS repository on SourceForge.net
  • It unpacked the Linksys firmware binary image, modified the kernel using a binary sed, added new files to the rootfs, and then packed it all back up again ready to be flashed.
  • Unslung 2.x was developed using the OpenEmbedded build system in a BitKeeper repository in bkbits.net
  • Kernel built from source, rootfs unpacked from Linksys firmware image.
  • Optware packages continue to be developed using a simple template-based Makefile build system in a Subversion repository at svn.nslu2-linux.org
  • This is designed to minimize the barrier to entry for new developers.
  • Unslung 3.x and later, and SlugOS, use the OpenEmbedded build system and a monotone repository at monotone.nslu2-linux.org

SLIDE 23

The Fun

  • Project Infrastructure
  • Web, Wiki, SVN, Monotone, Bug tracking
  • limax.nslu2-linux.org
  • Automated Cross-compile Build Machine
  • nudi.nslu2-linux.org
  • Automated Native Unslung Build Machine
  • gastro.nslu2-linux.org
  • Automated Native OpenSlug Build Machine
  • banana.nslu2-linux.org
  • Four ipkg mirrors around the world
  • ipkg.nslu2-linux.org
  • Norway, Oregon, California, Illinois, Georgia.

Limax maximus, Nudibranch, Gastropoda, Banana Slug

SLIDE 24

The Profit

  • How to Make a Small Fortune

How do you make a small fortune hacking Linux firmware for consumer devices?

… Start with a large fortune!

SLIDE 25

The Profit

  • Donations for Hardware
  • The project has raised almost USD$10,000 since 16 Aug 2004
  • All monies are spent on hardware or project expenses
  • Examples of purchases:
  • Intel/AMD Infrastructure Servers
  • Intel/AMD Development/Build Server
  • Native Build Hosts
  • Core Team Development Slugs
  • Notable Third Party Developer Slugs
  • Developer Bounty Hardware
  • Up to $50 hardware driver bounty
  • Domain fees
  • Exhibition expenses (LinuxWorld Expo 2005, SCALE 2006)
  • Donations to cia.navi.cx, irc.freenode.net, www.loglibrary.com, …

SLIDE 26

The Future

  • What to do next …
  • Complete the task of pushing all patches upstream
  • Push the open source IXP ethernet driver upstream
  • Track latest kernel versions
  • Debian support for NAS100d, DSM-G600, FSG-3, …
  • Add OpenWRT firmware support
  • Find the next new device to hack …