Moin,
Kurzes Update, ich habe mal das USerland entpackt:
$ tail -c +3320289 XT2_lu-0.0.2.14L.bin > XT2_lu-0.0.2.14L.bin.userland
Mal ein Blick auf den content:
$ file XT2_lu-0.0.2.14L.bin.userland
XT2_lu-0.0.2.14L.bin.userland: u-boot legacy uImage, uboot ext2 ramdisk rootfs, Linux/ARM, RAMDisk Image (gzip), 3602566 bytes, Thu Mar 3 08:17:21 2016, Load Address: 0x00000000, Entry Point: 0x00000000, Header CRC: 0x1F574413, Data CRC: 0xE469D78F
Aha, es handlelt sich um ein u-boot Image oder eine Ramdisk, super - nun entpacken und als loop-device mounten. Hier habe ich ein wenig suchen müssen, bin aber fündig geworden unter
http://buffalo.nas-central.org/wiki/How_..._an_uImage
Also dieses Skript querlesen und dann runterladen, ausführbar machen und auf die Datei loslassen:
$ chmod +x extract_uImage.sh
$ ./extract_uImage.sh XT2_lu-0.0.2.14L.bin.userland
Checking for uImage magic word...
1+0 Datensätze ein
0+1 Datensätze aus
4 Bytes (4 B) kopiert, 0,000525778 s, 7,6 kB/s
uImage recognized.
Extracting data...
56290+1 Datensätze ein
7036+1 Datensätze aus
3602566 Bytes (3,6 MB) kopiert, 0,186519 s, 19,3 MB/s
Checking for ARM mach-type...
3+0 Datensätze ein
0+1 Datensätze aus
3 Bytes (3 B) kopiert, 0,00068956 s, 4,4 kB/s
Checking for zImage...
1+0 Datensätze ein
0+1 Datensätze aus
4 Bytes (4 B) kopiert, 0,000394403 s, 10,1 kB/s
>>> XT2_lu-0.0.2.14L.bin.userland extracted to Image
Es entsteht eine Datei mit dem Namen "Image", fein - was ist das?
$ file Image
Image: gzip compressed data, was "rootfs.ext2", last modified: Thu Mar 3 08:17:20 2016, from Unix
Ok, also wieder entpacken:
$ mv Image rootfs.ext2.gz
$ gunzip -c rootfs.ext2.gz > rootfs.ext2
$ file rootfs.ext2
rootfs.ext2: Linux rev 0.0 ext2 filesystem data, UUID=00000000-0000-0000-0000-000000000000
$ mkdir userland
$ sudo mount rootfs.ext2 userland -o loop
Tada, das Image ist im Unterordner einsehbar.
Habe mich kurz mal umgesehen, die meisten Programme sind Symlinks auf Busybox (oh Wunder bei einem embedded Target).
$ file userland/bin/busybox
userland/bin/busybox: setuid ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, stripped
Aha, in rc.climax gehts nach dem Bootende weiter. Es wird in /root das Programm "/root/launcher" ausgeführt. In /root sind auch die ganzen Webseiten. Nur mal kurz draufgucken:
$ strings userland/root/launcher
/lib/ld-linux.so.3
libdl.so.2
_Jv_RegisterClasses
__gmon_start__
librt.so.1
clock_gettime
libm.so.6
libgcc_s.so.1
_Unwind_Resume_or_Rethrow
__aeabi_unwind_cpp_pr0
_Unwind_GetRegionStart
__aeabi_fadd
__cxa_begin_cleanup
__cxa_call_unexpected
_Unwind_VRS_Set
__aeabi_i2f
__aeabi_idiv
_Unwind_Resume
_Unwind_DeleteException
_Unwind_Complete
__cxa_type_match
__aeabi_fdiv
_Unwind_RaiseException
__aeabi_uidiv
_Unwind_GetTextRelBase
__aeabi_fmul
_Unwind_GetLanguageSpecificData
_Unwind_VRS_Get
__gnu_unwind_frame
_Unwind_GetDataRelBase
__aeabi_idivmod
libpthread.so.0
recv
pthread_getspecific
pthread_rwlock_rdlock
pthread_rwlock_init
pthread_cond_broadcast
pthread_key_delete
pthread_cancel
system
pthread_cond_wait
pthread_rwlock_destroy
pthread_rwlock_unlock
pthread_cond_signal
send
accept
pthread_cond_init
pthread_key_create
pthread_attr_init
pthread_attr_setstacksize
pthread_rwlock_wrlock
funlockfile
pthread_create
pthread_mutex_unlock
flockfile
pthread_mutex_destroy
pthread_mutex_lock
__errno_location
pthread_mutex_init
pthread_cond_destroy
pthread_attr_setdetachstate
fcntl
pthread_setspecific
libc.so.6
strcpy
ioctl
strtok_r
strerror
memmove
munmap
__strtol_internal
usleep
fscanf
fgets
__strtoll_internal
memcpy
tolower
malloc
vsnprintf
pclose
socket
select
isspace
fflush
__xstat64
abort
popen
strnlen
rename
strrchr
__ctype_tolower_loc
calloc
fprintf
strcat
bind
setsockopt
fseek
memchr
ferror
strstr
setgid
strncmp
unlink
realloc
__cxa_atexit
memcmp
listen
sscanf
fread
strdup
memset
ftell
opendir
__xmknod
strcmp
shutdown
getcwd
getpwnam
strcspn
stderr
mmap64
fputc
__ctype_b_loc
strftime
readdir64
fwrite
__fxstat64
access
inet_ntop
fclose
fileno
gmtime
strspn
__libc_start_main
strlen
toupper
strchr
fputs
closedir
setuid
fseeko64
__aeabi_atexit
strpbrk
free
fopen64
ftruncate64
_ZTVSt13bad_exception
_ZTIPv
_ZTVSt9type_info
_ZTVN10__cxxabiv119__pointer_type_infoE
_ZTVN10__cxxabiv120__si_class_type_infoE
_ZTVN10__cxxabiv117__pbase_type_infoE
_ZTISt10bad_typeid
_ZTVSt9exception
_ZTVN10__cxxabiv117__class_type_infoE
_ZTVSt10bad_typeid
_ZNSt13bad_exceptionD1Ev
_ZTVN10__cxxabiv123__fundamental_type_infoE
_ZN10__cxxabiv119__terminate_handlerE
_ZTIv
_ZTISt13bad_exception
_ZN10__cxxabiv120__unexpected_handlerE
_ZNSt10bad_typeidD1Ev
GLIBC_2.4
GCC_3.3
GCC_3.0
GCC_3.5
./hpgw
hpgw
kill -9 %d
/etc/rc.d/init.d/dropbear start &
/etc/rc.d/init.d/watchdog start &
Mount temp...
mount -t jffs2 /dev/mtdblock6 /root/temp/
udhcpc
pppd
wpa_supplicant
%s:%s:%d
config/debug%d.log
%s: Addr=%p, Len=%u
get alarm item alloc error
rollover open file error
Console logger mask changed
Logger started...
get sys item alloc error
config/hpgw.log
config/debug.log
config/alarm.log
alarm overflow!
config/system.log
system overflow!
open debug error!
open alarm error!
open system error!
Initialized log
%s %s %s %s
reload file map error
get alarm file map error
get sys file map error
[EMR!]
[ALT!]
[CRT!]
[ERR!]
[WARN]
[NOTE]
[INFO]
[DBG ]
[MAIN]
[WEB ]
[ZB ]
[ZBPK]
[RF ]
[RFPK]
[GSM ]
[POLL]
[RPT ]
[ACTN]
[ALRM]
[CFG ]
[DEV ]
[NET ]
[DNS ]
[BEEP]
[FIND]
[UPNP]
[XMPP]
[UPGR]
[MISC]
[LED ]
[GSPK]
[VFA ]
[XCMD]
[SCMD]
[ZWAV]
[????]
[ZBS ]
[ZBSP]
[WORK]
[WNET]
reboot -d %d &
/dev/rtc
RTC open fail
RTC_AIE_OFF fail
RTC_ALM_SET fail
RTC_AIE_ON fail
RTC_RD_TIME fail
/root
/proc/sys/vm/drop_caches
/sys/power/state
popen fail: '%s'
open sig file fail: '%s'
%s.md5sum
file sig fail: '%s'
%s %s.md5sum
read sig fail: '%s'
sig mismatch: '%s'
open file map fail: '%s'
truncate file map fail: '%s'
file map fail: '%s'
stat file map fail: '%s'
unknown esc:'%c'
/sys/bus/usb/devices
/sys/bus/usb/devices/%s/uevent
DRIVER=
/sys/bus/usb/devices/1-1:1.0/uevent
/sys/bus/usb/devices/1-1.%u:1.0/uevent
mailto
opendir fail: '%s'
%s/%s
pidof %s
pidof fail: '%s'
0123456789abcdef
St13bad_exception
St9exception
N10__cxxabiv120__si_class_type_infoE
N10__cxxabiv117__class_type_infoE
St10bad_typeid
St9type_info
N10__cxxabiv119__pointer_type_infoE
N10__cxxabiv117__pbase_type_infoE
N10__cxxabiv123__fundamental_type_infoE
terminate called recursively
terminate called after throwing an instance of '
what():
terminate called without an active exception
_GLOBAL_
(anonymous namespace)
string literal
vtable for
VTT for
construction vtable for
-in-
typeinfo for
typeinfo name for
typeinfo fn for
non-virtual thunk to
covariant return thunk to
java Class for
guard variable for
reference temporary for
hidden alias for
operator
operator
) : (
false
true
restrict
volatile
const
complex
imaginary
global constructors keyed to
global destructors keyed to
std::allocator
allocator
std::basic_string
basic_string
std::string
std::basic_string<char, std::char_traits<char>, std::allocator<char> >
std::istream
std::basic_istream<char, std::char_traits<char> >
basic_istream
std::ostream
std::basic_ostream<char, std::char_traits<char> >
basic_ostream
std::iostream
std::basic_iostream<char, std::char_traits<char> >
basic_iostream
delete[]
delete
new[]
sizeof
signed char
bool
boolean
char
byte
double
long double
float
__float128
unsigned char
unsigned int
unsigned
long
unsigned long
__int128
unsigned __int128
short
unsigned short
void
wchar_t
long long
unsigned long long
aeabi
.shstrtab
.interp
.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.init
.text
.fini
.rodata
.ARM.exidx
.eh_frame
.init_array
.fini_array
.jcr
.data.rel.ro
.dynamic
.got
.data
.bss
.ARM.attributes
Tja, mal gucken was man damit machen kann. Eigentlich ist der HTTPd aber auch insofern interessant, das ich wissen möchte ob er sicher genug ist um so wie er ist im Internet zu hängen, ach ja - und ne API zu FHEM wäre noch ne Sache...
Bis dahin, ciao!