Sep 30 2012
 

I’d been playing with them… and since I hadn’t seen this anywhere I’ll put it as a small hack of the day.

The disks do what they say (e.g. … install firmware ;)) – basically you burn it to a cd, boot it up, and it has some sort of access to the system. Since I’ve been working with these sorts of things lately I was curious how they did this. I’d ripped apart the 870 version and was thinking of writing that up… but it was a bit messy… so I downloaded the 920 version and triviality stared me in the face, as it will yours as well.

The very quick version; copy the ISO to a writeable spot, edit “/system/isolinux.cfg” on the CD copy, change one line from:

append vmlinuz initrd=initrd.img media=cdrom rw root=/dev/ram0 ramdisk_size=302748 init=/bin/init loglevel=3 ide=nodma ide=noraid nopat pnpbios=off vga=791 splash=silent showopts TYPE=AUTOMATIC

to (note the inclusion of “SHELL=initrd-shell”):

append vmlinuz initrd=initrd.img media=cdrom rw root=/dev/ram0 ramdisk_size=302748 init=/bin/init loglevel=3 ide=nodma ide=noraid nopat pnpbios=off vga=791 splash=silent showopts SHELL=initrd-shell TYPE=AUTOMATIC

Burn it back to disc. You boot… and you get the shell; just root on the little booted CD, but it seems likely that SE’s and the like use such things.


So – a bit more info on how this was discerned; it’s very simple. First, download the Smart Update Firmware DVD; they’re free, and I got mine from the HP website.

They’re zip files, so extract the ISO (and a couple of other files: md5, readme, etc.); the ISO is named “FW920.2010_1021.49.iso”. I’m working on a mac, which on rare occasions actually works with me on what I want to do. On most linux/*nix you need to figure out the mount invocation; with a mac it’s just “open filename” and it gets mounted in /Volumes/[name].

A quick cp of the files to a writable work area… I’ll call mine zHP920. Just:

cp -r /Volumes/HPFWUP920 zHP920

The initrd image is in the system subdir; it’s a gzip’d cpio file, of all things. I’m sure you all remember your cpio format; you just (cpio has probably bloated enough by now to include gzip in it like tar, but you know, I don’t really care):

# decompress the gzip'd initrd into a plain cpio archive
gzip -dc < initrd.img > /tmp/920initrd.img
mkdir /tmp/920cpio
cd /tmp/920cpio
# unpack the archive, creating directories as needed
cpio -id < /tmp/920initrd.img

After the trauma of figuring out how they did things in 870 it looked… damn, there’s nothing here. One squashed file system, an init file, some odds and ends….

I must confess… shell is one thing I don’t mind reading, I’ve written a lot of it in my day. So I see some lines… that… well:

if [ -n "$(cat /proc/cmdline | grep 'initrd-shell')" ] ; then
    echo
    echo "Dropping to a shell. Good luck!"
    echo

    exec /bin/bash
fi

Could it be that easy? Well… going back to the raw CD, edit the boot config… and edit “system/isolinux.cfg” – change the line from:

append vmlinuz initrd=initrd.img media=cdrom rw root=/dev/ram0 ramdisk_size=302748 init=/bin/init loglevel=3 ide=nodma ide=noraid nopat pnpbios=off vga=791 splash=silent showopts TYPE=AUTOMATIC

to this (note the inclusion of “SHELL=initrd-shell”); I figured, what the hell, it looks like it’d work from the context:

append vmlinuz initrd=initrd.img media=cdrom rw root=/dev/ram0 ramdisk_size=302748 init=/bin/init loglevel=3 ide=nodma ide=noraid nopat pnpbios=off vga=791 splash=silent showopts SHELL=initrd-shell TYPE=AUTOMATIC

Remake the dvd iso (I use something like “mkisofs -o ../zhp.iso -N -R -J -joliet-long -b system/isolinux.bin -c system/boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table .” in the main directory of the unpacked DVD), burn it, boot… and you get the shell.

This is not root on the host computer or the BMC, just the CD booted image. However, it has some interesting tidbits for those interested in such things (ok, yes, few are ;) But just in case there’s one more of me out there!)
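As an added example (not from the original post or from HP), the script below audits an unpacked copy of such a boot disc before it is trusted: it pulls the literals the initrd's init script greps for in /proc/cmdline and reports any append line in the boot config that carries one. The function names and the shortened sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Limitation: it only catches quoted literals passed to grep on
# the same line as /proc/cmdline, the form used by the test quoted in the post.

# Print each literal an init script greps for in /proc/cmdline.
cmdline_triggers() {   # $1 = init script from the unpacked initrd
    grep '/proc/cmdline' "$1" |
        sed -n "s/.*grep[^'\"]*['\"]\([^'\"]*\)['\"].*/\1/p" | sort -u
}

# Print the 'append' lines of a boot config that contain the given literal.
flagged_append_lines() {   # $1 = isolinux.cfg, $2 = literal
    grep '^[[:space:]]*append[[:space:]]' "$1" | grep -F -- "$2"
}

# Exit status 1 (offending lines on stdout) if the config arms a trigger.
audit_media() {   # $1 = init script, $2 = isolinux.cfg
    hits=$(cmdline_triggers "$1" | while IFS= read -r t; do
        [ -n "$t" ] || continue
        flagged_append_lines "$2" "$t" || true
    done)
    if [ -n "$hits" ]; then printf '%s\n' "$hits"; return 1; fi
    return 0
}

# Constructed samples: the init test quoted in the post, two shortened configs.
make_samples() {   # $1 = empty scratch directory
    cat > "$1/init" <<'EOF'
if [ -n "$(cat /proc/cmdline | grep 'initrd-shell')" ] ; then
    exec /bin/bash
fi
EOF
    echo 'append vmlinuz initrd=initrd.img showopts TYPE=AUTOMATIC' > "$1/stock.cfg"
    echo 'append vmlinuz initrd=initrd.img showopts SHELL=initrd-shell TYPE=AUTOMATIC' > "$1/edited.cfg"
}

# Demo: audit the stock and the edited config against the same init script.
d=$(mktemp -d)
make_samples "$d"
for cfg in stock edited; do
    if audit_media "$d/init" "$d/$cfg.cfg"; then
        echo "$cfg.cfg: no init trigger on the kernel command line"
    else
        echo "$cfg.cfg: boot config arms an init-script shell trigger"
    fi
done
rm -rf "$d"
```

On a real disc, point audit_media at the init file unpacked from initrd.img and at system/isolinux.cfg from the ISO copy.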

