Difference between revisions of "Logitech Revue Kernel"
(Added note about config.gz) |
(changed wording about gzip header) |
||
Line 1: | Line 1: | ||
=== Overview === | === Overview === | ||
The Logitech Revue's Operating System is based around Linux kernel based on 2.6.23.18 code. The kernel lives in /system/boot/kernel which can be extracted from an OTA update file. The kernel file appears to contain bootstrap loader | The Logitech Revue's Operating System is based around Linux kernel based on 2.6.23.18 code. The kernel lives in /system/boot/kernel which can be extracted from an OTA update file. The kernel file appears to contain bootstrap loader, etc wrapped around vmlinux.bin.gz which has its gzip header 0x37f5 bytes into the composite kernel image we have examined. Several security measures have been put in place ensuring that many attacks commonly used against other operating systems are not applicable. | ||
It should also be noted that reading through this Wiki page should illustrate that the [http://googletv-mirrored-source.googlecode.com/hg/linux/linux-2.6.23-gtv.tar.bz2?r=27705a482273e3a34e8bcdbfb4fdad9afcd65e93 kernel source posted on Google's mirrored source site] is not a complete representation of the Logitech Revue's kernel. | It should also be noted that reading through this Wiki page should illustrate that the [http://googletv-mirrored-source.googlecode.com/hg/linux/linux-2.6.23-gtv.tar.bz2?r=27705a482273e3a34e8bcdbfb4fdad9afcd65e93 kernel source posted on Google's mirrored source site] is not a complete representation of the Logitech Revue's kernel. | ||
Line 26: | Line 26: | ||
The kernel lives in /system/boot/kernel which can be extracted from an OTA update file or from a rooted Revue. The kernel file appears to contain bootstrap loader (and possibly some other data) piggy-backed to vmlinux.bin.gz which has been observed to reside about 0x37f5 bytes into the composite kernel image. | The kernel lives in /system/boot/kernel which can be extracted from an OTA update file or from a rooted Revue. The kernel file appears to contain bootstrap loader (and possibly some other data) piggy-backed to vmlinux.bin.gz which has been observed to reside about 0x37f5 bytes into the composite kernel image. | ||
To extract vmlinux.bin.gz from /system/boot/kernel: | To extract vmlinux.bin.gz from /system/boot/kernel, use dd to copy starting at the gzip header: | ||
dd if=./ota_update/system/boot/kernel of=vmlinux.bin.gz bs=$((0x37f5)) skip=1 | dd if=./ota_update/system/boot/kernel of=vmlinux.bin.gz bs=$((0x37f5)) skip=1 | ||
Now you can decompress the vmlinux.bin.gz | Now you can decompress the vmlinux.bin.gz |
Revision as of 21:21, 22 January 2011
Overview
The Logitech Revue's Operating System is based around Linux kernel based on 2.6.23.18 code. The kernel lives in /system/boot/kernel which can be extracted from an OTA update file. The kernel file appears to contain bootstrap loader, etc wrapped around vmlinux.bin.gz which has its gzip header 0x37f5 bytes into the composite kernel image we have examined. Several security measures have been put in place ensuring that many attacks commonly used against other operating systems are not applicable.
It should also be noted that reading through this Wiki page should illustrate that the kernel source posted on Google's mirrored source site is not a complete representation of the Logitech Revue's kernel.
Kernel Configuration
Fortunately the Revue's kernel provides /proc/config.gz which allows a glimpse into the kernel in advance of a proper GPL release from Logitech.
Security Measures
Several security precautions have been made in the Logitech Revue with the intent of limiting system control even after root access has been obtained.
- The /system partition is configured as read-only by the flash layout compiled into the kernel
- CONFIG_MODULE_SIG=y : Module signatures are enabled. Logitech's included kernel modules contain a .signature section which is checked against public keys compiled into the kernel. This effectively limits execution of new code at privilege level 0 even once root access is achieved. (This is an option which is not implemented in the released GPL sources.)
- CONFIG_DEVMEM_PROTECT=y : This most likely enables a patch which filters access to the /dev/mem character device which could otherwise be used to create a rootkit by directly patching the running kernel. (This is another option which indicates that the Logitech Revue kernel has been patched in ways that the available GPL source code was not.)
Virtual Kernel Memory Layout
Memory: 700640k/712704k available (2633k kernel code, 11008k reserved, 955k data, 196k init, 0k highmem) virtual kernel memory layout:
fixmap : 0xffffa000 - 0xfffff000 ( 20 kB) vmalloc : 0xac000000 - 0xffff8000 (1343 MB) lowmem : 0x80000000 - 0xab800000 ( 696 MB) .init : 0x80484000 - 0x804b5000 ( 196 kB) .data : 0x803925b8 - 0x80481398 ( 955 kB) .text : 0x80100000 - 0x803925b8 (2633 kB)
Examining the Kernel Image
The kernel lives in /system/boot/kernel which can be extracted from an OTA update file or from a rooted Revue. The kernel file appears to contain bootstrap loader (and possibly some other data) piggy-backed to vmlinux.bin.gz which has been observed to reside about 0x37f5 bytes into the composite kernel image.
To extract vmlinux.bin.gz from /system/boot/kernel, use dd to copy starting at the gzip header:
dd if=./ota_update/system/boot/kernel of=vmlinux.bin.gz bs=$((0x37f5)) skip=1
Now you can decompress the vmlinux.bin.gz
gzip -d vmlinux.bin.gz
At this point you have the vmlinux.bin which is essentially vmlinux minus the ELF headers and symbols.