Telnetd via /var/flash/fx_conf

k4y0z

Hi

I have a question: as is well known, telnet can be activated via the phone code #96*7*.
Telnet also stays on after a reboot of the box, without anything being in debug.cfg.

Apparently /usr/bin/telefon takes care of this.

I had a look at where this setting (telnet on/off) is stored and found that this happens in the file /var/flash/fx_conf; there, the byte at offset 0x3882 is changed from FF to 01 to switch telnet on.

The question now is: is this byte always located at the same offset (i.e. 0x3882)?
Who can confirm this?
If not, how can the correct offset be detected dynamically?

Regards, K4y0z
 
hello

does anyone have the structure for fx_conf, offsets or any editor for this file please?

thx.
 
really nobody has a hint? I must reverse it myself? :-(
 
I don't think there is any documentation, but usually there are not too many changes in these files. So this offset should be correct for a number of boxes.

Please be aware, that changing the entry at offset 0x3882 will not lead to any change in the running system. It might do so after reboot, if fx_conf is not overwritten in the meantime.

EDIT: Just tried it. Changing FF to 01 at 0x3882 and rebooting will enable telnet.
 
thx, but I need another setting (not telnet) in the fx_conf binary config file; does anyone have an offset map for this file?

tks...
 
Quite sure that will result in just trial and error (or "set and compare") ;-)

I'm not aware of any deeper inspection here or at wehavemorefun.
 
thx, I know the "set and compare" method :)

pls do you have any hint how I can dump a binary file from an old 5050 device (without USB)? thx.
 
Hint: tftp in telnet or ftp in ADAM.
 
If it is unchanged (e.g. no freetz or so), you might find ftpput or nc in the image.

Easiest way would be to do the comparison on the box itself.
You will need at least "hexdump" and "diff" to make it somehow comfortable (cmp would work, too, but it is not so nice ;-)...)

You will find a statically built busybox in the attachment.

un-gzip it and put the resulting .tar file into /var/tmp on the box. Then:
Code:
cd /var/tmp
tar xf busybox-static.tar

./hexdump -Cv /var/flash/fx_conf > /var/tmp/fx_hex_pre
# now change whatever you like
./hexdump -Cv /var/flash/fx_conf > /var/tmp/fx_hex_post

./diff /var/tmp/fx_hex_pre /var/tmp/fx_hex_post

That's how it looks on my test box:

Code:
root@Speedport:/var/tmp# ./hexdump -Cv /var/flash/fx_conf > /tmp/fx_hex_pre
root@Speedport:/var/tmp# 
root@Speedport:/var/tmp# # changed telnet to off, good thing I use ssh ;-)
root@Speedport:/var/tmp# 
root@Speedport:/var/tmp# ./hexdump -Cv /var/flash/fx_conf > /var/tmp/fx_hex_post
root@Speedport:/var/tmp# 
root@Speedport:/var/tmp# ./diff /var/tmp/fx_hex_pre /var/tmp/fx_hex_post
--- /var/tmp/fx_hex_pre
+++ /var/tmp/fx_hex_post
@@ -902,7 +902,7 @@
 00003850  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
 00003860  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
 00003870  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff 01  |................|
-00003880  01 ff 01 ff ff ff ff 00  00 00 00 00 00 00 00 00  |................|
+00003880  01 ff ff ff ff ff ff 00  00 00 00 00 00 00 00 00  |................|
 00003890  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 000038a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 000038b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
root@Speedport:/var/tmp#


EDIT:
I just attached another binary which includes an echo respecting "-e" and dd with "conv" support.
So you can also change the file on the box w/o having to use freetz ;-)

Since fx_conf is not a regular file, you will have to alter a copy and write the copy back afterwards.

Code:
cat /var/flash/fx_conf > /var/tmp/fx_conf
./echo -e -n "\x01" | ./dd bs=1c of=/var/tmp/fx_conf seek=$(( 0x3882 )) conv=notrunc

# just to be sure ;-)
cat /var/flash/fx_conf > /var/tmp/fx_conf_ori
./cmp /var/tmp/fx_conf_ori /var/tmp/fx_conf 
# should show only one difference
# see this difference (should be at "char 14467" or offset 0x3882):
./hexdump -Cv  /var/tmp/fx_conf_ori | grep 388
./hexdump -Cv  /var/tmp/fx_conf | grep 388

# if everything is fine, you may "install" the new file
cat /var/tmp/fx_conf > /var/flash/fx_conf

And again an example on a live box:

Code:
root@Speedport:/var/tmp# cat /var/flash/fx_conf > /var/tmp/fx_conf
root@Speedport:/var/tmp# ./echo -e -n "\x01" | ./dd bs=1c of=/var/tmp/fx_conf seek=$(( 0x3882 )) conv=notrunc
1+0 records in
1+0 records out
1 bytes (1B) copied, 0.000473 seconds, 2.1KB/s
root@Speedport:/var/tmp# 
root@Speedport:/var/tmp# cat /var/flash/fx_conf > /var/tmp/fx_conf_ori
root@Speedport:/var/tmp# ./cmp /var/tmp/fx_conf_ori /var/tmp/fx_conf 
/var/tmp/fx_conf_ori /var/tmp/fx_conf differ: char 14467, line 1
root@Speedport:/var/tmp# ./hexdump -Cv  /var/tmp/fx_conf_ori | grep 388
00003880  01 ff ff ff ff ff ff 00  00 00 00 00 00 00 00 00  |................|
root@Speedport:/var/tmp# ./hexdump -Cv  /var/tmp/fx_conf | grep 388
00003880  01 ff 01 ff ff ff ff 00  00 00 00 00 00 00 00 00  |................|
root@Speedport:/var/tmp# 
root@Speedport:/var/tmp# cat /var/tmp/fx_conf > /var/flash/fx_conf
root@Speedport:/var/tmp# ./hexdump -Cv /var/flash/fx_conf | grep 388
00003880  01 ff 01 ff ff ff ff 00  00 00 00 00 00 00 00 00  |................|
root@Speedport:/var/tmp#
 

Attachments

  • busybox-static.tar.gz
    147.1 KB
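The set-and-compare workflow from the post above, as an added example that is not part of the original thread: it reports differences between two snapshots as 0-based hex offsets (instead of cmp's 1-based position) and reads the telnet byte without modifying the file. The function names and the sample file are constructed for illustration; offset 0x3882 and the FF/01 values are the ones reported in this thread and may differ on other firmware.

```shell
#!/bin/sh
# Added example, not from the thread. Offset 0x3882 and the values ff/01 are
# the ones reported above for the posters' boxes; other firmware may differ.

# changed_offsets PRE POST: one line per differing byte as
# "0x<offset> <old> -> <new>". cmp -l prints 1-based decimal positions and
# octal values, so both are converted (cmp's "char 14467" is offset 0x3882).
changed_offsets() {
    if [ $(wc -c < "$1") -ne $(wc -c < "$2") ]; then
        echo "size mismatch: fixed offsets are not comparable" >&2
        return 2
    fi
    cmp -l "$1" "$2" | while read -r pos old new; do
        printf '0x%04x %02x -> %02x\n' $((pos - 1)) $((0$old)) $((0$new))
    done
}

# byte_at FILE OFFSET: the byte at OFFSET as two hex digits (empty past EOF).
byte_at() {
    dd if="$1" bs=1 skip=$(($2)) count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# telnet_flag FILE: read-only check of the persistent telnet byte.
telnet_flag() {
    case "$(byte_at "$1" 0x3882)" in
        01) echo enabled ;;
        ff) echo disabled ;;
        '') echo truncated; return 2 ;;
        *)  echo unknown ;;
    esac
}

# make_sample FILE: constructed stand-in for fx_conf (0x3900 bytes of ff).
make_sample() {
    dd if=/dev/zero bs=1 count=$((0x3900)) 2>/dev/null | LC_ALL=C tr '\000' '\377' > "$1"
}

# set_byte FILE OFFSET OCTAL: patch one byte of a copy, like the thread's dd call.
set_byte() {
    printf "\\$3" | dd of="$1" bs=1 seek=$(($2)) conv=notrunc 2>/dev/null
}

demo() {
    d=$(mktemp -d) && make_sample "$d/pre" && cp "$d/pre" "$d/post" &&
    set_byte "$d/post" 0x3882 001 &&
    changed_offsets "$d/pre" "$d/post" && telnet_flag "$d/post"
    rm -rf "$d"
}
demo
```

Run against a saved copy of fx_conf (for example from a config backup), telnet_flag shows whether telnet will come up after the next reboot; changed_offsets works on any pair of equal-sized snapshots.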
thx, if I have connected the 5050, then nvi does not work, then I am not sure if wget is available and how I import busybox-static.tar.gz into this old box...
 
You can try just to type "wget" or "nc" to see if these commands are available. If you put the (un-gzipped) tar file on a web-/ftp-server, you can use wget to fetch it to your box.

To use "nc" you will "cat" the tar-file on a PC and "fetch" it on your Box:

On your PC
Code:
cat busybox-static.tar | netcat  -l  1234
The port (1234 in the example) is of course your choice ;-)

On your box
Code:
nc <IP of your PC> 1234 > /var/tmp/busybox-static.tar
cd  /var/tmp
tar xf  busybox-static.tar
...

Is this "your" box and you may modify it? Then you might try to build and flash freetz firmware to the box.
5050 is supported by freetz, but only with German AVM firmware (was there any international?).
 
no, only the German 5050 exists
 