Logitech Revue Kernel

From Exploitee.rs
Revision as of 00:00, 5 February 2011 by KernelJayOmega (talk | contribs) (→‎Overview)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

Overview

The Logitech Revue's Operating System is based around Linux kernel based on 2.6.23.18 code. The kernel lives in /system/boot/kernel which can be extracted from an OTA update file. The kernel file appears to contain bootstrap loader, etc wrapped around vmlinux.bin.gz which has its gzip header 0x37f5 bytes into the composite kernel image we have examined. Several security measures have been put in place ensuring that many attacks commonly used against other operating systems are not applicable.

It should also be noted that reading through this Wiki page should illustrate that the kernel source posted on Google's mirrored source site is not a complete representation of the Logitech Revue's kernel.

Refer to opensource.logitech.com for the complete Logitech Revue GPL release.

Kernel Configuration

Fortunately the Revue's kernel provides /proc/config.gz which allows a glimpse into the kernel in advance of a proper GPL release from Logitech.

Security Measures

Several security precautions have been made in the Logitech Revue with the intent of limiting system control even after root access has been obtained.

  • The /system partition is configured as read-only by the flash layout compiled into the kernel
  • CONFIG_MODULE_SIG=y : Module signatures are enabled. Logitech's included kernel modules contain a .signature section which is checked against public keys compiled into the kernel. This effectively limits execution of new code at privilege level 0 even once root access is achieved. (This is an option which is not implemented in the released GPL sources.)
  • CONFIG_DEVMEM_PROTECT=y : This most likely enables a patch which filters access to the /dev/mem character device which could otherwise be used to create a rootkit by directly patching the running kernel. (This is another option which indicates that the Logitech Revue kernel has been patched in ways that the available GPL source code was not.)

Running Modules

The following is lsmod output from a rooted Revue:

	alsa_shim 12092 0 - Live 0xad1bc000 (PF)
	snd_usb_audio 84480 0 - Live 0xad3e1000
	snd_usb_lib 17280 1 snd_usb_audio, Live 0xac4fa000
	snd_rawmidi 22016 1 snd_usb_lib, Live 0xad1b5000
	snd_seq_device 8332 1 snd_rawmidi, Live 0xad1a9000
	snd_pcm 74888 2 alsa_shim,snd_usb_audio, Live 0xad2c1000
	snd_page_alloc 11400 1 snd_pcm, Live 0xad1a5000
	snd_hwdep 8708 1 snd_usb_audio, Live 0xad1a1000
	snd_timer 23172 1 snd_pcm, Live 0xad031000
	snd 48820 8 alsa_shim,snd_usb_audio,snd_usb_lib,snd_rawmidi,snd_seq_device,snd_pcm,snd_hwdep,snd_timer, Live 0xad071000
	pvrsrvkm 120532 14 - Live 0xad001000 (F)
	edl_audio_dac_drv_linux 11264 0 - Live 0xac374000 (F)
	edl_thermal 7688 0 - Live 0xac2dc000 (F)
	vidcap_ce4X00 39132 0 - Live 0xac4e1000 (F)
	ismdavcap_shim 29888 0 - Live 0xac4b1000 (F)
	avcap_synthetic 14016 0 - Live 0xac2c7000 (F)
	avcap_core 10004 7 vidcap_ce4X00,ismdavcap_shim,avcap_synthetic, Live 0xac2cc000
	ismdbufmon 28612 0 - Live 0xac2d0000 (F)
	ismdaudio 5976696 1 alsa_shim, Live 0xbd9d5000 (F)
	ismdvidrend 115456 0 - Live 0xac481000 (F)
	ismdvidpproc 769908 1 ismdvidrend, Live 0xbd40f000 (F)
	ismdviddec_v2 386552 0 - Live 0xae701000 (F)
	ismddemux_v2 350816 0 - Live 0xad701000 (F)
	ismdclock_recovery 12552 4 ismdavcap_shim,ismdbufmon,ismdaudio,ismddemux_v2, Live 0xac279000 (F)
	ismdclock 22184 0 - Live 0xac269000 (F)
	ismdcore 6714528 11 alsa_shim,vidcap_ce4X00,ismdavcap_shim,ismdbufmon,ismdaudio,ismdvidrend,ismdvidpproc,ismdviddec_v2,ismddemux_v2,ismdclock_recovery,ismdclock, Live 0xac57b000 (F)
	ioctl_module 5012 14 ismdavcap_shim,ismdbufmon,ismdaudio,ismdvidrend,ismdvidpproc,ismdviddec_v2,ismddemux_v2,ismdclock_recovery,ismdclock,ismdcore, Live 0xac243000
	gdl_mm 59212 40 ismdaudio,ismdvidrend, Live 0xac248000 (F)
	sec_kernel 21348 6 - Live 0xac231000 (F)
	hst_ccmp 6912 0 - Live 0xac21d000
	wlan 583560 1 hst_ccmp, Live 0xac2df000 (P)
	intel_ce_pm 14368 4 pvrsrvkm,vidcap_ce4X00,ismdvidpproc,gdl_mm, Live 0xac238000 (F)
	clock_control 21932 5 ismdaudio,ismddemux_v2,ismdclock,sec_kernel,intel_ce_pm, Live 0xac216000 (F)
	idl_spi 8524 1 edl_audio_dac_drv_linux, Live 0xac209000 (F)
	idl_gpio 23980 2 - Live 0xac0f2000 (F)
	idl_i2c 16540 3 vidcap_ce4X00,gdl_mm,clock_control, Live 0xac0f9000 (F)
	sven_linux 28648 13 alsa_shim,ismdavcap_shim,ismdbufmon,ismdaudio,ismdvidrend,ismdvidpproc,ismdviddec_v2,ismddemux_v2,ismdclock_recovery,ismdclock,ismdcore,sec_kernel,clock_control, Live 0xac0da000 (F)
	system_utils_linux 3712 8 alsa_shim,ismdavcap_shim,ismdbufmon,ismdaudio,ismdvidrend,ismdvidpproc,ismdviddec_v2,ismddemux_v2, Live 0xac02c000 (F)
	platform_config 13316 15 ismdavcap_shim,ismdbufmon,ismdaudio,ismdvidrend,ismdvidpproc,ismdviddec_v2,ismddemux_v2,ismdclock_recovery,ismdclock,ismdcore,gdl_mm,intel_ce_pm,clock_control,sven_linux,system_utils_linux, Live 0xac0ea000
	pal_linux 20228 14 pvrsrvkm,edl_thermal,ismdaudio,ismdvidpproc,ismdviddec_v2,ismddemux_v2,ismdclock,sec_kernel,intel_ce_pm,clock_control,idl_spi,idl_gpio,idl_i2c,sven_linux, Live 0xac03a000 (F)
	osal_linux 23568 25 alsa_shim,pvrsrvkm,edl_audio_dac_drv_linux,edl_thermal,vidcap_ce4X00,ismdavcap_shim,ismdbufmon,ismdaudio,ismdvidrend,ismdvidpproc,ismdviddec_v2,ismddemux_v2,ismdclock_recovery,ismdclock,ismdcore,gdl_mm,sec_kernel,intel_ce_pm,clock_control,idl_spi,idl_gpio,idl_i2c,sven_linux,system_utils_linux,pal_linux, Live 0xac0e3000

USB Serial Adapter Support

The published kernel from the Google TV Mirrored Source site is configured to have built-in support FTDI single interface USB serial adapters as a serial console. This option is also enabled in the kernel configuration of the Logitech Revue:

#
# USB Serial Converter support
#
CONFIG_USB_SERIAL=y
CONFIG_USB_SERIAL_CONSOLE=y
CONFIG_USB_SERIAL_GENERIC=y
CONFIG_USB_SERIAL_FTDI_SIO=y

NOTE: Although the driver has been verified to load, there is unfortunately no shell attached to the console in the default configuration.

Virtual Kernel Memory Layout

Memory: 700640k/712704k available (2633k kernel code, 11008k reserved, 955k data, 196k init, 0k highmem) virtual kernel memory layout:

    fixmap  : 0xffffa000 - 0xfffff000   (  20 kB)
    vmalloc : 0xac000000 - 0xffff8000   (1343 MB)
    lowmem  : 0x80000000 - 0xab800000   ( 696 MB)
      .init : 0x80484000 - 0x804b5000   ( 196 kB)
      .data : 0x803925b8 - 0x80481398   ( 955 kB)
      .text : 0x80100000 - 0x803925b8   (2633 kB)

Examining the Kernel Image

The kernel lives in /system/boot/kernel which can be extracted from an OTA update file or from a rooted Revue. The kernel file appears to contain bootstrap loader (and possibly some other data) piggy-backed to vmlinux.bin.gz which has been observed to reside about 0x37f5 bytes into the composite kernel image.

To extract vmlinux.bin.gz from /system/boot/kernel, use dd to copy starting at the gzip header:

    dd if=./ota_update/system/boot/kernel of=vmlinux.bin.gz bs=$((0x37f5)) skip=1

Now you can decompress the vmlinux.bin.gz

    gzip -d vmlinux.bin.gz

At this point you have the vmlinux.bin which is essentially vmlinux minus the ELF headers and symbols.