Logitech Revue Kernel

From Exploitee.rs
Revision as of 21:15, 22 January 2011 by KernelJayOmega (talk | contribs) (Added note about config.gz)
Jump to navigationJump to search

Overview

The Logitech Revue's Operating System is based around Linux kernel based on 2.6.23.18 code. The kernel lives in /system/boot/kernel which can be extracted from an OTA update file. The kernel file appears to contain bootstrap loader (and some other data) piggy-backed to vmlinux.bin.gz which has been observed to reside about 0x37f5 bytes into the composite kernel image. Several security measures have been put in place ensuring that many attacks commonly used against other operating systems are not applicable.

It should also be noted that reading through this Wiki page should illustrate that the kernel source posted on Google's mirrored source site is not a complete representation of the Logitech Revue's kernel.

Kernel Configuration

Fortunately the Revue's kernel provides /proc/config.gz which allows a glimpse into the kernel in advance of a proper GPL release from Logitech.

Security Measures

Several security precautions have been made in the Logitech Revue with the intent of limiting system control even after root access has been obtained.

  • The /system partition is configured as read-only by the flash layout compiled into the kernel
  • CONFIG_MODULE_SIG=y : Module signatures are enabled. Logitech's included kernel modules contain a .signature section which is checked against public keys compiled into the kernel. This effectively limits execution of new code at privilege level 0 even once root access is achieved. (This is an option which is not implemented in the released GPL sources.)
  • CONFIG_DEVMEM_PROTECT=y : This most likely enables a patch which filters access to the /dev/mem character device which could otherwise be used to create a rootkit by directly patching the running kernel. (This is another option which indicates that the Logitech Revue kernel has been patched in ways that the available GPL source code was not.)

Virtual Kernel Memory Layout

Memory: 700640k/712704k available (2633k kernel code, 11008k reserved, 955k data, 196k init, 0k highmem) virtual kernel memory layout:

    fixmap  : 0xffffa000 - 0xfffff000   (  20 kB)
    vmalloc : 0xac000000 - 0xffff8000   (1343 MB)
    lowmem  : 0x80000000 - 0xab800000   ( 696 MB)
      .init : 0x80484000 - 0x804b5000   ( 196 kB)
      .data : 0x803925b8 - 0x80481398   ( 955 kB)
      .text : 0x80100000 - 0x803925b8   (2633 kB)

Examining the Kernel Image

The kernel lives in /system/boot/kernel which can be extracted from an OTA update file or from a rooted Revue. The kernel file appears to contain bootstrap loader (and possibly some other data) piggy-backed to vmlinux.bin.gz which has been observed to reside about 0x37f5 bytes into the composite kernel image.

To extract vmlinux.bin.gz from /system/boot/kernel:

    dd if=./ota_update/system/boot/kernel of=vmlinux.bin.gz bs=$((0x37f5)) skip=1

Now you can decompress the vmlinux.bin.gz

    gzip -d vmlinux.bin.gz

At this point you have the vmlinux.bin which is essentially vmlinux minus the ELF headers and symbols.