
Saturday, 13 June 2015

Rooting the KORG Kronos

Disclaimer:

The following file is provided without any warranties. Back up all your settings before using it - maybe you'll need to reinstall your Kronos. You might even break it beyond repair (unlikely). Whatever happens - you are responsible - I am not liable in any way. Everything you do, you do at your own risk!

After the update, you can log in to your Kronos as "root" and look around. The update also installs a busybox for your convenience. Be careful and do not change anything or you will likely end up with a non-bootable system.


How to install:
  1. Make sure that your Kronos is updated to software version 3.0.2
  2. Copy the files in the archive onto a USB drive - just like a real update
  3. Insert the USB drive into the Kronos and start the update process
  4. Wait until the update is reported as successful
  5. Power cycle the Kronos

How to access your Kronos:
  1. Connect a compatible USB network adapter (or use the mainboard's Ethernet connector).
  2. Set an FTP password in the settings
  3. Make sure the network settings are correct and look up the IP address of your Kronos
  4. Use ssh/scp/putty/winscp/... to connect as user "root" with the password set in the network settings as FTP password

Have fun!


Filesystem Integrity Check by loadmod.ko

When the Kronos is booting, the contents of the following files are hashed (MD5). The MD5 sum is compared to a static value compiled into loadmod.ko. If the values do not match, loadmod.ko will bail out. Do not change the files in this list on your Kronos or it will not boot anymore!

/
/bin
/bin/sync
/bin/awk
/bin/touch
/bin/grep
/bin/test
/bin/ls
/bin/mount
/bin/cut
/bin/setterm
/bin/gzip
/bin/echo
/bin/false
/bin/dc
/bin/stat
/bin/chown
/bin/mv
/bin/bash
/bin/bar
/bin/dd
/bin/cp
/bin/RunGrub.sh
/bin/env
/bin/tar
/bin/fanctrld
/bin/usleep
/bin/sed
/bin/vmstat
/bin/kill
/bin/gawk
/bin/ipcalc
/bin/sleep
/bin/umount
/bin/hostname
/bin/df
/bin/ShowReauthScreen
/bin/expr
/bin/date
/bin/vi
/bin/rm
/bin/mkdir
/bin/chmod
/bin/true
/bin/cat
/bin/sh
/bin/uname
/sbin
/sbin/ifconfig
/sbin/OmapNKS4Module.ko
/sbin/init
/sbin/insmod.static
/sbin/loadoa
/sbin/e2fsck
/sbin/hwclock
/sbin/dhclient-script
/sbin/insmod
/sbin/killall5
/sbin/MIDID
/sbin/GetPubIdMod.ko
/sbin/dosfsck
/sbin/hdparm
/sbin/modprobe
/sbin/shutdown
/sbin/grub
/sbin/UpdateOS
/sbin/mkswap
/sbin/iptables
/sbin/sysctl
/sbin/ip
/sbin/ifup.lite
/sbin/loadmod.ko
/sbin/tune2fs
/sbin/arping
/sbin/rmmod
/sbin/poweroff
/sbin/losetup
/sbin/runlevel
/sbin/reboot
/sbin/swapoff
/sbin/mke2fs
/sbin/ifdown.lite
/sbin/swapon
/sbin/halt
/sbin/pidof
/sbin/OmapVideoModule.ko
/sbin/STGEnabler.ko
/etc
/etc/sysconfig
/etc/sysconfig/network
/etc/sysconfig/network-scripts
/etc/sysconfig/network-scripts/ifcfg-eth0
/etc/sysconfig/network-scripts/ifcfg-lo
/etc/modprobe.conf
/etc/sysctl.conf
/etc/OA.rc
/etc/ld.so.conf
/etc/mtab
/etc/OA.si
/etc/inittab
/etc/fstab
/sys
/korg
/korg/ro
/korg/Eva
/korg/rw
/korg/Mod
/tmp
/mnt
/var
/usr
/usr/realtime
/usr/realtime/modules
/usr/realtime/modules/rtai_hal.ko
/usr/realtime/modules/rtai_fifos.ko
/usr/realtime/modules/rtai_sched.ko
/usr/realtime/modules/rtai_sem.ko
/usr/realtime/modules/rtai_ndbg.ko
/usr/realtime/modules/rtai_smp.ko
/usr/share
/usr/share/fonts
/usr/share/fonts/truetype
/usr/share/fonts/truetype/Arialbd.ttf
/usr/share/fonts/truetype/Geneva.ttf
/usr/share/fonts/truetype/Arial.ttf
/usr/share/fonts/truetype/Geneva_Bold.ttf
/usr/share/terminfo
/usr/share/terminfo/a
/usr/share/terminfo/a/ansi
/usr/share/terminfo/l
/usr/share/terminfo/l/linux
/boot
/dev
/lib
/lib/libcrypto.so.6
/lib/libresolv.so.2
/lib/modules
/lib/modules/2.6.32.11-korg
/lib/modules/2.6.32.11-korg/modules.pcimap
/lib/modules/2.6.32.11-korg/modules.dep
/lib/modules/2.6.32.11-korg/modules.inputmap
/lib/modules/2.6.32.11-korg/modules.ofmap
/lib/modules/2.6.32.11-korg/modules.ieee1394map
/lib/modules/2.6.32.11-korg/modules.usbmap
/lib/modules/2.6.32.11-korg/kernel
/lib/modules/2.6.32.11-korg/kernel/drivers
/lib/modules/2.6.32.11-korg/kernel/drivers/net
/lib/modules/2.6.32.11-korg/kernel/drivers/net/mii.ko
/lib/modules/2.6.32.11-korg/kernel/drivers/net/r8169.ko
/lib/modules/2.6.32.11-korg/kernel/drivers/scsi
/lib/modules/2.6.32.11-korg/kernel/drivers/scsi/scsi_wait_scan.ko
/lib/modules/2.6.32.11-korg/modules.isapnpmap
/lib/modules/2.6.32.11-korg/modules.ccwmap
/lib/modules/2.6.32.11-korg/source
/lib/modules/2.6.32.11-korg/modules.order
/lib/modules/2.6.32.11-korg/modules.seriomap
/lib/modules/2.6.32.11-korg/build
/lib/modules/2.6.32.11-korg/modules.symbols
/lib/modules/2.6.32.11-korg/modules.alias
/lib/libcom_err.so.2
/lib/ld-linux.so.2
/lib/libfreetype.so.6
/lib/libtinfo.so.5
/lib/libsepol.so.1
/lib/libext2fs.so.2
/lib/libattr.so.1
/lib/libdl.so.2
/lib/libpcre.so.0
/lib/libgssapi_krb5.so.2
/lib/libaudit.so.0
/lib/libpthread.so.0
/lib/libe2p.so.2
/lib/libstdc++.so.6
/lib/libgmp.so.10
/lib/libkrb5support.so.0
/lib/libselinux.so.1
/lib/librt.so.1
/lib/libz.so.1
/lib/libsysfs.so.2
/lib/libkrb5.so.3
/lib/libc.so.6
/lib/libblkid.so.1
/lib/libm.so.6
/lib/libncurses.so.5
/lib/libpopt.so.0
/lib/libssl.so.6
/lib/libkeyutils.so.1
/lib/libproc-3.2.7.so
/lib/libk5crypto.so.3
/lib/libuuid.so.1
/lib/libacl.so.1
/lib/libgcc_s.so.1
/lib/libdevmapper.so.1.02
/proc

The anatomy of a Kronos firmware update

The ZIP file contains some files that should be copied to a USB stick which is to be inserted into the Kronos. Let's have a look at the files:

bc
X86 32 Bit Linux Binary - a calculator

md5sum
X86 32 Bit Linux Binary - calculates MD5 checksums of files

DisplayUpdaterMessage
X86 32 Bit Linux Binary - opens a Linux framebuffer device (/dev/fb1) that represents the Kronos' display (managed by the OMAP).

install.info
Holds information about the update itself. This is the first file that the Kronos reads when updating. Contains references to 3 other files (KRONOS_Update_3_0_2.tar.gz, pretar.sh, posttar.sh) and a signature.

The signature is the SHA1 of the following data (concatenated in the mentioned order):

  • the contents of the pretar script (if given in the install.info)
  • the contents of the posttar script (if given in the install.info)
  • the following 16 "magic bytes": 13h, D0h, AFh, EFh, E0h, 3Ch, 9Bh, 92h, 16h, 2Fh, AEh, FFh, 77h, 53h, 55h, E1h

The updater (UpdateOS) will only accept the update if the signature in install.info is correct.
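
The check described above, as an added example (not code from the original post or from KORG): it recomputes the value from the script contents and the 16 magic bytes and compares it with the claimed one. The hex encoding of the signature, the function names and the sample scripts are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional

# The 16 "magic bytes" from the post, in the order listed.
MAGIC = bytes([0x13, 0xD0, 0xAF, 0xEF, 0xE0, 0x3C, 0x9B, 0x92,
               0x16, 0x2F, 0xAE, 0xFF, 0x77, 0x53, 0x55, 0xE1])


def expected_signature(pretar: Optional[bytes], posttar: Optional[bytes]) -> str:
    """SHA1(pretar || posttar || MAGIC); a script not given in install.info is skipped."""
    h = hashlib.sha1()
    for script in (pretar, posttar):
        if script is not None:
            h.update(script)
    h.update(MAGIC)
    return h.hexdigest()


def signature_ok(claimed_hex: str, pretar: Optional[bytes], posttar: Optional[bytes]) -> bool:
    """Compare the claimed value (assumed to be hex text) with the recomputed one."""
    claimed = claimed_hex.strip().lower().encode()
    return hmac.compare_digest(claimed, expected_signature(pretar, posttar).encode())


def review_findings() -> dict:
    """Properties of the construction that follow from its description alone."""
    # Constructed sample scripts, not the real pretar.sh / posttar.sh.
    pre, post = b"#!/bin/bash\necho pre\n", b"#!/bin/bash\necho post\n"
    sig = expected_signature(pre, post)
    return {
        # Any edit to a covered script changes the value.
        "script_edit_detected": not signature_ok(sig, pre + b"#", post),
        # No length framing: shifting bytes across the script boundary is invisible.
        "boundary_ambiguous":
            expected_signature(b"ab", b"c") == expected_signature(b"a", b"bc"),
        # "Not given" and "given but empty" produce the same value.
        "absent_equals_empty":
            expected_signature(None, post) == expected_signature(b"", post),
    }
    # Note: the firmware tarball is not an input to the hash at all; it is
    # bound only indirectly, through the MD5 that pretar.sh compares.


if __name__ == "__main__":
    print(review_findings())
```

Every input is either shipped in the update or a constant, so the value works as an integrity checksum over the two scripts rather than as proof of origin.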

pretar.sh
A shell script (bash) that is called in the upgrade process before the actual firmware is extracted. This script does the following things:

  • Call DisplayUpdaterMessage to show "Verifying install media..."
  • Call md5sum to calculate the MD5-Checksum of "KRONOS_Update_3_0_2.tar.gz" and compare it to a known value
  • Call md5sum to calculate the MD5-Checksum of "DisplayUpdaterMessage" and compare it to a known value (pointless since DisplayUpdaterMessage has already been called before)
  • Call md5sum to calculate the MD5-Checksum of "bc" and compare it to a known value
  • Make sure (via kill and kill -9) that the following processes are not running: vsftpd, avahi-daemon, messagebus, ifplugd
  • Make sure that the date is at least 1.12.2014

posttar.sh
A shell script (bash) that is called in the upgrade process after the actual firmware is extracted. This script checks all extracted files' checksums against the checksums stored in "KRONOS_Update_3_0_2.csum". It displays a progress bar by using "bc" to calculate the percentage of finished files and writing it to /proc/OmapNKS4ProgressBar.

KRONOS_Update_3_0_2.tar.gz
Contains the Kronos' root file system. This is the actual firmware update. I will look into it and explain its contents later in this post.

KRONOS_Update_3_0_2.csum
Contains checksums for all files in "KRONOS_Update_3_0_2.tar.gz". Used by posttar.sh to make sure that the firmware update was properly installed.

Wednesday, 3 June 2015

And one more GPL violation: vsftpd

The FTP service on the KORG Kronos is actually a vsftpd. Parts of the configuration have been patched into the binary. Here is part of the output of "strings vsftpd":

/SSD1
/korg/rw/HD%s/%s
/SSD2
/korg/rw2/HD%s/%s
/korg/ftp/%s
/korg/rw/HD

According to vsftpd's website, vsftpd is licensed under the GPL. However, the changed sources for vsftpd are not provided on the recovery DVD. There is also no written offer to deliver the sources on request. This makes vsftpd the third GPL violation inside the Kronos...