Closed janwolfram closed 1 year ago
Try to add an nvram lock? If I'm not mistaken you need a specific version.
There should be some tutorial videos on the HITB website. Maybe you can check those too.
Again, why emulate those old routers? So many people have done it, try something new :)
Yeah, I'm just trying to run one emulation that will work. Maybe I should choose other firmware. I tried to add the missing nvram files with touch but it didn't work. But thanks anyway.
Try the famous Tenda firmware. It's ARM and should work better.
@janwolfram According to the provided log, maybe you can try to set ql.root = True? There are two issues related to socket permission.
[+] write() = 0x1
[+] [+] Received Interupt: 17 Hooked Interupt: 17
[+] 0x77558664: socket(domain = 0x2, type = 0x3, protocol = 0xff)
[x]
Traceback (most recent call last):
File "/home/janw/.local/lib/python3.8/site-packages/qiling/os/posix/syscall/socket.py", line 38, in ql_syscall_socket
ql.os.fd[idx] = ql_socket.open(socket_domain, socket_type, socket_protocol, (socket.SOL_SOCKET, socket.SO_REUSEADDR, 1))
File "/home/janw/.local/lib/python3.8/site-packages/qiling/os/posix/filestruct.py", line 38, in open
s = socket.socket(socket_domain, socket_type, socket_protocol)
File "/usr/lib/python3.8/socket.py", line 231, in __init__
_socket.socket.__init__(self, family, type, proto, fileno)
PermissionError: [Errno 1] Operation not permitted
...
[+] [+] Received Interupt: 17 Hooked Interupt: 17
[+] 0x77558664: socket(domain = 0x2, type = 0x3, protocol = 0xff)
[x]
Traceback (most recent call last):
File "/home/janw/.local/lib/python3.8/site-packages/qiling/os/posix/syscall/socket.py", line 38, in ql_syscall_socket
ql.os.fd[idx] = ql_socket.open(socket_domain, socket_type, socket_protocol, (socket.SOL_SOCKET, socket.SO_REUSEADDR, 1))
File "/home/janw/.local/lib/python3.8/site-packages/qiling/os/posix/filestruct.py", line 38, in open
s = socket.socket(socket_domain, socket_type, socket_protocol)
File "/usr/lib/python3.8/socket.py", line 231, in __init__
_socket.socket.__init__(self, family, type, proto, fileno)
PermissionError: [Errno 1] Operation not permitted
@cq674350529 That's a good idea. Now I don't have the permission errors anymore, but it still gets stuck on libm-0.9.33.2.so
[+] ioctl(0x3, 0x8915, 0x7ff36da0) = -1
[+] ioctl() = 0x1
[+] [+] Received Interupt: 17 Hooked Interupt: 17
[+] 0x77514124: close(fd = 0x3)
[+] close() = 0x0
[+] [+] Received Interupt: 17 Hooked Interupt: 17
[+] 0x77558664: socket(domain = 0x2, type = 0x3, protocol = 0xff)
[+] socket(AF_INET, SOCK_DGRAM | SOCK_STREAM, 255) = 3
[+] socket() = 0x3
[+] [+] Received Interupt: 17 Hooked Interupt: 17
[+] 0x775159b4: ioctl(fd = 0x3, cmd = 0x891b, arg = 0x7ff36da0)
[+] query network card : bytearray(b'br0\x00\x00\x00B\x00\x00\x00A\x00\x08\xf1{\x04`\xb4Mw@:@\x00\x08\xb4B\x00\x00\x00\x00\x00\x00\x00B\x00\x00\x00A\x00\x00\x00\x00\x00`e@\x00\x00\x00B\x00\x00\x00B\x00\x00\x00B\x00\xa4,Lw')
[=] Start End Perm Label Image
[=] 00400000 - 0040e000 r-x /home/janw/Music/qiling/examples/rootfs/netgear_r6220/bin/mini_httpd /home/janw/Music/qiling/examples/rootfs/netgear_r6220/bin/mini_httpd
[=] 0041e000 - 00429000 rw- /home/janw/Music/qiling/examples/rootfs/netgear_r6220/bin/mini_httpd /home/janw/Music/qiling/examples/rootfs/netgear_r6220/bin/mini_httpd
[=] 00429000 - 0042b000 rwx [hook_mem]
[=] 0042b000 - 0042c000 rwx [brk]
[=] 0042c000 - 0042d000 rwx [brk]
[=] 047ba000 - 047d1000 rwx /home/janw/Music/qiling/examples/rootfs/netgear_r6220/lib/ld-uClibc.so.0
[=] 774bf000 - 774c0000 rwx [syscall_mmap]
[=] 774c1000 - 774c4000 rwx [mmap] /home/janw/Music/qiling/examples/rootfs/netgear_r6220/lib/libscnvram.so
[=] 774c4000 - 774d3000 rwx [syscall_mmap]
[=] 774d3000 - 774d4000 rwx [mmap] /home/janw/Music/qiling/examples/rootfs/netgear_r6220/lib/libscnvram.so
[=] 774d5000 - 77505000 rwx [mmap] /home/janw/Music/qiling/examples/rootfs/netgear_r6220/lib/libcyassl.so.3.0.1
[=] 77505000 - 77506000 rwx [mmap] /home/janw/Music/qiling/examples/rootfs/netgear_r6220/lib/libcyassl.so.3.0.1
[=] 77506000 - 77507000 rwx [syscall_mmap]
[=] 77508000 - 775a9000 rwx [mmap] /home/janw/Music/qiling/examples/rootfs/netgear_r6220/lib/libuClibc-0.9.33.2.so
[=] 775a9000 - 775b9000 rwx [syscall_mmap]
[=] 775b9000 - 775bb000 rwx [mmap] /home/janw/Music/qiling/examples/rootfs/netgear_r6220/lib/libuClibc-0.9.33.2.so
[=] 775bb000 - 775c1000 rwx [syscall_mmap]
[=] 775c2000 - 775d7000 rwx [mmap] /home/janw/Music/qiling/examples/rootfs/netgear_r6220/lib/libm-0.9.33.2.so
[=] 775d7000 - 775e6000 rwx [syscall_mmap]
[=] 775e6000 - 775e7000 rwx [mmap] /home/janw/Music/qiling/examples/rootfs/netgear_r6220/lib/libm-0.9.33.2.so
[=] 7ff0d000 - 7ff3d000 rwx [stack]
[+] ioctl(0x3, 0x891b, 0x7ff36da0) = -1
[+] ioctl() = 0x1
[+] [+] Received Interupt: 17 Hooked Interupt: 17
[+] 0x77514124: close(fd = 0x3)
[+] close() = 0x0
[x]
[x] zero : 0x0
[x] at : 0xfffffff8
[x] v0 : 0x0
[x] v1 : 0x48d40
[x] a0 : 0x0
[x] a1 : 0x891b
[x] a2 : 0x7ff36da0
[x] a3 : 0x0
[x] t0 : 0x7750fb18
[x] t1 : 0x7750a778
[x] t2 : 0x4
[x] t3 : 0x2e
[x] t4 : 0x61
[x] t5 : 0x41
[x] t6 : 0x775ba010
[x] t7 : 0x58
[x] s0 : 0x0
[x] s1 : 0x0
[x] s2 : 0x420000
[x] s3 : 0x420000
[x] s4 : 0x420000
[x] s5 : 0x420000
[x] s6 : 0x420000
[x] s7 : 0x42b018
[x] t8 : 0x78
[x] t9 : 0x30
[x] k0 : 0x0
[x] k1 : 0x0
[x] gp : 0x775c2490
[x] sp : 0x7ff36dc0
[x] s8 : 0x410000
[x] ra : 0x406578
[x] status : 0x0
[x] lo : 0x0
[x] hi : 0x0
[x] badvaddr : 0x0
[x] cause : 0x0
[x] pc : 0x77550d40
[x] cp0_config3 : 0x0
[x] cp0_userlocal : 0x0
[x]
[x] PC = 0x77550d40
It seems that some ioctl operation related to the network interface failed. I'm afraid the interface br0 doesn't exist in your environment? Maybe you can try to change br0 to something that exists in your environment by hooking?
[+] socket(AF_INET, SOCK_DGRAM | SOCK_STREAM, 255) = 3
[+] socket() = 0x3
[+] [+] Received Interupt: 17 Hooked Interupt: 17
[+] 0x775159b4: ioctl(fd = 0x3, cmd = 0x891b, arg = 0x7ff36da0)
[+] query network card : bytearray(b'br0\x00\x00\x00B\x00\x00\x00A\x00\x08\xf1{\x04`\xb4Mw@:@\x00\x08\xb4B\x00\x00\x00\x00\x00\x00\x00B\x00\x00\x00A\x00\x00\x00\x00\x00`e@\x00\x00\x00B\x00\x00\x00B\x00\x00\x00B\x00\xa4,Lw')
A simple patcher function:
from qiling import Qiling

def patcher(ql: Qiling):
    # find every NUL-terminated "br0" in the guest's mapped memory
    br0_addr = ql.mem.search("br0".encode() + b'\x00')
    for addr in br0_addr:
        # overwrite it in place with "lo", which exists on the host
        ql.mem.write(addr, b'lo\x00')
If it doesn't work, then you need to figure out why it got stuck on the libm-0.9.33.2.so, and try to make it work using some tricks.
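The two suggestions in this comment (ql.root = True and rewriting br0 by hooking) combined into one script, as an added example that is not from the original thread or from the Qiling project. It assumes Qiling's 1.4-era API names: Qiling(argv, rootfs, verbose=...), ql.os.set_syscall(name, handler, QL_INTERCEPT.ENTER) with a handler called as (ql, fd, cmd, arg, ...), ql.mem.search/read/write and ql.log. It also assumes lo is the interface that exists on the host; the ifreq sample is constructed. The rootfs and binary paths are passed on the command line.

```python
import sys

# Qiling is only needed to actually run the emulation; the ifreq helper below
# is pure Python so it can be exercised without the framework installed.
try:
    from qiling import Qiling
    from qiling.const import QL_INTERCEPT, QL_VERBOSE
except ImportError:
    Qiling = None

# Linux constants: ifr_name is IFNAMSIZ bytes and struct ifreq is 32 bytes on a
# 32-bit target such as this MIPS router. The request codes are the two that
# fail in the log above (SIOCGIFADDR = 0x8915, SIOCGIFNETMASK = 0x891b).
IFNAMSIZ = 16
IFREQ_SIZE = 32
SIOCGIFADDR = 0x8915
SIOCGIFNETMASK = 0x891B

GUEST_IFNAME = "br0"  # interface the firmware asks for (from the log)
HOST_IFNAME = "lo"    # interface that exists on the emulation host (assumption)

# Constructed sample ifreq: name "br0" padded to IFNAMSIZ, then a 16-byte
# ifr_ifru union holding an AF_INET sockaddr family and zeroed address.
SAMPLE_IFREQ = b"br0".ljust(IFNAMSIZ, b"\x00") + bytes([0x02, 0x00]) + bytes(14)


def rewrite_ifr_name(ifreq: bytes, old_name: str, new_name: str) -> bytes:
    """Return a copy of an ifreq buffer whose ifr_name is replaced by new_name
    when it currently equals old_name. ifr_name is NUL-padded to IFNAMSIZ and
    the rest of the struct (the ifr_ifru union) is left untouched."""
    if len(ifreq) < IFNAMSIZ:
        raise ValueError("ifreq buffer shorter than IFNAMSIZ")
    current = bytes(ifreq[:IFNAMSIZ]).split(b"\x00", 1)[0]
    if current != old_name.encode():
        return bytes(ifreq)
    new = new_name.encode()
    if len(new) >= IFNAMSIZ:
        raise ValueError("interface name must be shorter than IFNAMSIZ")
    return new.ljust(IFNAMSIZ, b"\x00") + bytes(ifreq[IFNAMSIZ:])


def ioctl_onenter(ql, fd, cmd, arg, *args):
    """Syscall-enter hook (assumed Qiling signature): before Qiling services
    the ioctl, rewrite the interface name the guest placed in its ifreq so the
    host-side query targets an interface that exists. Other ioctls pass through."""
    if cmd not in (SIOCGIFADDR, SIOCGIFNETMASK):
        return
    ifreq = bytes(ql.mem.read(arg, IFREQ_SIZE))
    patched = rewrite_ifr_name(ifreq, GUEST_IFNAME, HOST_IFNAME)
    if patched != ifreq:
        ql.mem.write(arg, patched)
        ql.log.info(f"ioctl(0x{cmd:x}): ifr_name {GUEST_IFNAME} -> {HOST_IFNAME}")


def patch_loaded_images(ql):
    """Load-time variant of the thread's patcher: overwrite every NUL-terminated
    'br0' already present in mapped memory, so code that copies the name from a
    string constant also ends up asking for the host interface."""
    needle = GUEST_IFNAME.encode() + b"\x00"
    replacement = HOST_IFNAME.encode().ljust(len(needle), b"\x00")
    for addr in ql.mem.search(needle):
        ql.mem.write(addr, replacement)


def emulate(rootfs: str, binary: str) -> None:
    ql = Qiling([binary], rootfs, verbose=QL_VERBOSE.DEBUG)
    ql.root = True  # the attribute suggested earlier in the thread
    ql.os.set_syscall("ioctl", ioctl_onenter, QL_INTERCEPT.ENTER)
    patch_loaded_images(ql)
    ql.run()


if __name__ == "__main__":
    if Qiling is None:
        sys.exit("qiling is not installed")
    emulate(sys.argv[1], sys.argv[2])
```

The syscall-entry hook catches the name wherever the firmware built it (the ifreq in the log lives on the stack at 0x7ff36da0), while the load-time memory patch only reaches string constants that are already mapped; using both covers either origin of the br0 string.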
Would you be able to try the latest version of Qiling and see if you still face the same issue? There has been a lot of rework since 2021. Feel free to open a new issue if you have any similar problem.
Hi, I am trying to figure out the emulation of the Netgear R6220. I already restored the links and made a new file or directory for the missing ones. But now I am getting this Unmapped error when trying to access localhost:8080. I found this amazing post about this emulation and just changed it a bit: https://github.com/kxynos/embedded_hacking/blob/master/firmware/Netgear-R6220.md For emulation I am using the oldest version 1.0.0.14 because I had a cur_thread error with newer versions. I downloaded it here: https://www.netgear.de/support/product/R6220.aspx#download.
I also changed the script a bit, because some things have changed in qiling I guess (e.g. output, log_dir).
My script looks something like this
EDIT: log before accessing localhost:8080:
log after accessing localhost:8080:
Also tried with sudo.
I hope anyone can help me :)
Best regards Jan