Generic Stage2 Source

From Digisaster

Stage2 is a bunch of code I found on the internet.

Most of the code was not written by me, but I made some changes. I am also no coder, so the source is very messily written.

Please do not update the source code on the wiki. If you want to improve the source, just send me a mail.

The way Stage2 hooks into the original kiss init was based on the insmodhack I found on this forum.

The idea is simple. We know that the kiss init needs to insert some modules (fipmodule.o, khwl.o and kiss_khwl.o). We also know that kiss uses the busybox insmod, so a patched insmod gives us a place to run our own code during boot.

I think the user Abbe was the first to use the insmod trick.

insmod hack 1

The first insmodhack, provided by Abbe:

--- orginal/busybox/modutils/insmod.c   2003-03-07 13:39:29.000000000 +0100 
+++ busybox/modutils/insmod.c   2003-10-16 23:10:39.000000000 +0200 
@@ -3726,5 +3726,10 @@ 
+       if(!vfork()) { 
+               char *__args[] = {"/bin/serv", NULL}; 
+               execvp(__args[0], __args); 
+       } 
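Review bot: the child created by `if(!vfork()) {` has no exit path when `execvp` fails: with vfork, a child that falls out of this block keeps running insmod's own code in the parent's address space, so an `_exit(127);` belongs right after the `execvp(__args[0], __args);` line. The parent also never waits for the child, so /bin/serv is left as a zombie once it exits (the second hack below adds the `wait` for this). The hunk header `@@ -3726,5 +3726,10 @@` announces five added lines while only four are shown, so the quoted patch looks truncated.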

insmod hack 2

Biker made a change so you don't need to recompile the complete firmware: with this trick you only need to change the file "/etc/bootstart". He also included the "wait" so finished commands are reaped and don't stay around as zombies.

 /* Runs from busybox insmod once the third kiss module is inserted (nmod == 3):
  * each line of /etc/bootstart is executed; a leading "WAIT" blocks until exit. */
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
 #include <sys/wait.h>
 static void run_bootstart(void)
 {
     char bootc[255];
     char *args[20];
     int ar, wt;
     FILE *bs = fopen("/etc/bootstart", "r");
     if (bs == NULL) return;
     while (fgets(bootc, 255, bs) != NULL) {
         wt = 0; ar = 0;
         /* split on blanks; "\n" as a delimiter also strips the newline */
         args[0] = strtok(bootc, " \n");
         while (ar < 19 && args[ar] != NULL) {
             ar++;
             args[ar] = strtok(NULL, " \n");
         }
         args[19] = NULL;
         if (args[0] != NULL && strcmp(args[0], "WAIT") == 0) {
             wt = 1; ar = 1;
             while (args[ar - 1] != NULL) { /* drop "WAIT": shift argv left */
                 args[ar - 1] = args[ar];
                 ar++;
             }
         }
         if (args[0] == NULL) continue; /* empty line or a bare WAIT */
         if (!vfork()) {
             execvp(args[0], args);
             _exit(127); /* exec failed: never return into insmod's code */
         }
         if (wt == 1) wait(NULL); /* reap the child; no zombie left behind */
     }
     fclose(bs);
 }

stage1.c.gz stage2.c.gz

busybox hack

At first I used the complete diff file I found via some link on the forum.

There you will also find the insmodhack again.

But the problem with the insmodhack is that the init has already started before you can interact with the firmware.

So I wanted to interact before the init is started, and I remembered a conversation with the user Keestux, who used a completely different way of interacting: he used a "preinit".

It works like this: the kernel looks for /bin/init and executes that file. We move the original /bin/init to some other location and place a custom "preinit" at /bin/init; after the preinit has done its work, it executes the original kiss init.

Stage2 uses the preinit trick and not the insmod trick, because with preinit we can interact with the firmware before the original init is loaded (so we can even start strace on the original init).
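A minimal preinit of the kind described above, added here as an example and not Stage2's own code: it runs a hook script, reaps it, and then hands over to the moved kiss init, under strace when a flag file exists. The location of the moved init, the hook script, the flag file and the trace log path are all assumptions.

```c
/* preinit.c, installed as /bin/init in place of the kiss init, which has been
 * moved to ORIG_INIT. All paths below are assumptions, not Stage2's values. */
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>
#define ORIG_INIT   "/bin/init.kiss"      /* assumed: where the real init went */
#define HOOK_SCRIPT "/etc/preinit.sh"     /* assumed: runs before the real init */
#define STRACE_FLAG "/etc/preinit.strace" /* assumed: if present, trace the init */
#define STRACE_BIN  "/bin/strace"
#define STRACE_LOG  "/tmp/init.trace"

/* argv for handing over to the real init; trace != 0 wraps it in "strace -f"
 * so the processes it forks (the insmods) are logged too. Returns the count. */
int build_init_argv(char **out, int trace)
{
    int n = 0;
    if (trace) {
        out[n++] = STRACE_BIN;
        out[n++] = "-f";
        out[n++] = "-o";
        out[n++] = STRACE_LOG;
    }
    out[n++] = ORIG_INIT;
    out[n] = NULL;
    return n;
}

/* Run the hook and reap it: PID 1 leaves any unreaped child as a zombie. */
static void run_hook(void)
{
    char *hook[] = { HOOK_SCRIPT, NULL };
    pid_t pid = vfork();                /* vfork also works on MMU-less builds */
    if (pid == 0) {
        execv(hook[0], hook);
        _exit(127);                     /* no hook installed: child just exits */
    }
    if (pid > 0) waitpid(pid, NULL, 0);
}

int main(void)
{
    char *init_argv[8];
    struct stat st;
    run_hook();
    build_init_argv(init_argv, stat(STRACE_FLAG, &st) == 0);
    execv(init_argv[0], init_argv);
    build_init_argv(init_argv, 0);      /* strace failed: plain handover instead */
    execv(init_argv[0], init_argv);
    for (;;) pause();                   /* PID 1 must never exit (kernel panic) */
}
```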