#############################################
#     |\___/|
#     )     (       Isabella's
#    =\     /=      CatTel vx.x
#      )===(        CODED in C++
#     / /| \        CatTel Console/telnetd vx.x
#     | \ \ |       for VxWorks/MIPS
#     / \ \ \       Part of the
#     \ / / /       SIGMA - X
#      \_/_/_/      Family of Utilities
#
# BE SURE TO ENABLE THESE SYMBOLS!!!!! tnetloginhook
# Crappy Hack stealConsoleHook needs to be inserted into the location
# also need dbgBreak
#
# todo (BUGS):
# 1) when on bcmshell on serial, if you type the first few letters of a command and
#    press [tab] or [space] it auto fills in the rest of the command
# 2) [esc] dont work in vxworks shell either
# FIXED? 3) ctrl-h works for backspace, nothing else does
############################################
#
# Overview of what this listing does (MIPS o32 calling convention, VxWorks API):
#   * CatTelInit allocates a VxWorks tty device, installs it as "/CatTel", redirects the
#     global stdin/stdout/stderr to it, and spawns two tasks: tSCon (copies the original
#     console "/tyCo/0" into the tty) and tTelnet (TCP listener).
#   * tTelnet accepts connections and spawns one tCatSock task per session. tCatSock runs
#     the login hook (catDoLogin) and then pushes every received byte into the tty, so the
#     remote peer talks to whatever shell owns the tty.
#   * Output direction: the tty's txStartup routine (CatTeltxStartup) drains the tty output
#     ring and write()s it to every fd in the sConsole linked list (serial console plus
#     every authenticated telnet session).
#   * Authentication: one username/password prompt per connection, compared with strcmp
#     against fields at mycfgarearaw+0x98 / mycfgarearaw+0xd8 (defined elsewhere). A failed
#     attempt closes the socket; the whole check is skipped when FlagGet(2) returns 0.
#   * Everything travels over plain telnet: prompts, credentials and the shell session are
#     cleartext on the wire, and the image carries the literal strings labelled
#     aUSERNAME/aUSERPASS even though no visible code references them.
#
# Symbols used but not defined in this listing: abindaddy, amotdtxt, acrlf, mycfgarearaw,
# FlagGet, copystreams, tyITx, tyIRd, tyRead, tyWrite, tyIoctl, fioRead, __errno and the
# usual VxWorks socket/ios/sem/task calls.
#
# Delay slots: every instruction directly after a branch/jump/jal is executed before the
# branch takes effect; several argument registers are loaded that way below.

#Crappy hack to create this device and steal console, this really isnt part of the beauty
#nice cattel, its ugly h4x0r crap
#
# stealConsoleHook()
#   Calls CatTelInit(abindaddy, 0x17, "/tyCo/0"): bind address string, TCP port 23, and
#   the serial console device that becomes the first entry of sConsole.
#   $s0 is saved/restored but never used here.
stealConsoleHook:
    addiu $sp,-0x10
    sw $ra,0xc($sp)
    sw $s0,0x8($sp)
    la $a0,abindaddy             # a0 = bind address string (defined elsewhere)
    la $a2,aTyco0                # a2 = "/tyCo/0", the real serial console
    jal CatTelInit               # CatTelInit(addr, port, consoleDev)
    li $a1,0x17                  # delay slot: a1 = 0x17 = port 23
    lw $ra,0xc($sp)
    lw $s0,0x8($sp)
    jr $ra
    addiu $sp,0x10               # delay slot: pop frame

#Start cattel Driver
#
# CatTelDevOpen(pDev, ...)
#   iosDrvInstall open routine: returns the device pointer it was given as the "fd cookie".
CatTelDevOpen:
    jr $ra
    move $v0, $a0                # delay slot: v0 = a0

# CatTeldefaultLoginHook(fd)
#   A login hook that always returns 0 (= accept). Not referenced by visible code;
#   CatTelInit installs catDoLogin instead.
CatTeldefaultLoginHook:
    jr $ra
    move $v0, $0                 # delay slot: v0 = 0

# CatTelsetLoginHook(fn)
#   Stores fn into the LoginHook word. tCatSock calls LoginHook(fd) and treats a non-zero
#   result as "login failed". Leaves v0 = &LoginHook as an incidental return value.
CatTelsetLoginHook:
    la $v0,LoginHook
    jr $ra
    sw $a0, 0($v0)               # delay slot: LoginHook = fn

# CatTeltxStartup(pTyDev)
#   tty txStartup callback (see tyDevInit in CatTelInit). Pulls characters out of the tty
#   output ring with tyITx() into a stack buffer at $sp+0x10 and, under catMutex, write()s
#   the collected bytes to every fd in the sConsole list. Loops until tyITx reports no
#   more characters (returns -1).
#   NOTE(review): $s4 (the "buffer full" end pointer) is set to $sp+0x10010, far beyond the
#   0x138-byte frame, and the test `beq $s1,$s4,loc_68` keeps filling only when the end is
#   reached; as written it falls through after every character, so each byte is flushed
#   with a separate write() per console. Looks like a bne/beq mix-up plus a mistyped
#   0x110 - confirm against the original build.
#   NOTE(review): the write() calls happen while catMutex is held; a telnet peer that stops
#   reading stalls every console and the tty transmitter (availability risk).
CatTeltxStartup:
    addiu $sp, -0x138
    sw $ra, 0x130($sp)
    sw $s7, 0x12C($sp)
    sw $s6, 0x128($sp)
    sw $s5, 0x124($sp)
    sw $s4, 0x120($sp)
    sw $s3, 0x11C($sp)
    sw $s2, 0x118($sp)
    sw $s1, 0x114($sp)
    sw $s0, 0x110($sp)
loc_48:
    move $s6, $a0                # s6 = pTyDev
    addiu $s5,$0,-1              # s5 = -1 (ERROR from tyITx)
    li $s4, 0x10010
    addu $s4, $sp                # s4 = intended end-of-buffer (see NOTE above)
    addiu $s7, $sp, 0x10         # s7 = start of collect buffer
    addiu $s1, $sp, 0x10         # s1 = write cursor into buffer
loc_64:
    move $a0, $s6
loc_68:
    jal tyITx                    # tyITx(pTyDev, &buf[cursor]) -> 0 got a char, -1 none
    move $a1, $s1                # delay slot
    move $s3, $v0
    beq $s3, $s5, loc_88         # no char available -> flush what we have
    nop
    addiu $s1, 1
    beq $s1, $s4, loc_68         # buffer "full" test (never true, see NOTE)
    move $a0, $s6                # delay slot
loc_88:
    beq $s1, $s7, loc_DC         # nothing collected -> skip flush
    nop
    la $a0,catMutex
    lw $a0, 0($a0)
    jal semTake                  # semTake(catMutex, WAIT_FOREVER)
    addiu $a1,$0,-1              # delay slot
    la $s0, sConsole             # s0 = first node {fd, next, prev}
    addiu $s2, $sp, 0x10         # s2 = buffer start
loc_AC:
    lw $a0, 0($s0)               # a0 = node->fd
    move $a1, $s2
    jal write                    # write(fd, buf, cursor - buf)
    subu $a2, $s1, $s2           # delay slot: length
    lw $s0, 4($s0)               # s0 = node->next
    nop
    bnez $s0, loc_AC
    nop
    la $a0,catMutex
    lw $a0, 0($a0)
    jal semGive
    nop
loc_DC:
    beqz $s3, loc_64             # tyITx had a char -> go collect more
    addiu $s1, $sp, 0x10         # delay slot: reset cursor
    lw $ra, 0x130($sp)
    lw $s7, 0x12C($sp)
    lw $s6, 0x128($sp)
    lw $s5, 0x124($sp)
    lw $s4, 0x120($sp)
    lw $s3, 0x11C($sp)
    lw $s2, 0x118($sp)
    lw $s1, 0x114($sp)
    lw $s0, 0x110($sp)
    jr $ra
    addiu $sp, 0x138

# tSCon(consoleFd, pTyDev)
#   Console task: forever read() one byte from the serial console fd and feed it to the
#   tty with tyIRd(pTyDev, ch). Never returns (no epilogue).
#   NOTE(review): read()'s return value is not checked; on 0/ERROR the stale byte at
#   0x10($sp) would be fed in again and the loop spins.
tSCon:
    addiu $sp, -0x28
    sw $ra, 0x20($sp)
    sw $s1, 0x1C($sp)
    sw $s0, 0x18($sp)
    move $s1, $a0                # s1 = console fd
    la $a0, aCattelConsoleT
    jal printf                   # "CatTel: Console Task Started"
    move $s0, $a1                # delay slot: s0 = pTyDev
    move $a0, $s1
loc_138:
    addiu $a1, $sp, 0x10
    jal read                     # read(consoleFd, &ch, 1)
    li $a2, 1                    # delay slot
    lb $a1, 0x10($sp)            # a1 = ch (sign-extended)
    jal tyIRd                    # tyIRd(pTyDev, ch)
    move $a0, $s0                # delay slot
    j loc_138
    move $a0, $s1                # delay slot

# tCatSock(sockFd, pTyDev, sessionSem)
#   One task per telnet connection. Sequence:
#     1. send IAC WILL ECHO (0xFF 0xFB 0x01) so the peer stops local echo;
#     2. if amotdtxt opens, copystreams() it to the socket;
#     3. call LoginHook(sockFd); non-zero -> close and exit;
#     4. link a 3-word node {fd, next, prev} (on this task's stack at $sp+0x10) to the end
#        of the sConsole list under catMutex, so CatTeltxStartup fans output to us;
#     5. loop: catGetc(sockFd) -> tyIRd(pTyDev, ch) until catGetc returns -1;
#     6. unlink the node under catMutex, close the socket, semGive(sessionSem).
#   sessionSem is the counting semaphore tTelnet takes before spawning us, so giving it
#   back frees a connection slot.
tCatSock:
    addiu $sp, -0x40
    sw $ra, 0x38($sp)
    sw $s3, 0x34($sp)
    sw $s2, 0x30($sp)
    sw $s1, 0x2C($sp)
    sw $s0, 0x28($sp)
    move $s1, $a0                # s1 = socket fd
    move $s2, $a1                # s2 = pTyDev
    move $s3, $a2                # s3 = session counting semaphore
loc_17C:
    la $a0, aCattelTcatsock
    jal printf                   # "CatTel: tCatSock%02d: Telnet Connection Established"
    move $a1, $s1                # delay slot
    la $t1,0xfffb0100            # bytes FF FB 01 00 = IAC WILL ECHO (+ pad)
    sw $t1,0x20($sp)
    move $a0,$s1
    addiu $a1,$sp,0x20
    jal write                    # write(sock, IAC WILL ECHO, 3)
    li $a2,3                     # delay slot
    la $a0, amotdtxt             # message-of-the-day path (defined elsewhere)
    jal open                     # open(amotdtxt, 0)
    move $a1,$0                  # delay slot: flags = 0 (read only)
    addiu $t0,$0,-1
    beq $v0,$t0,loc17ccc         # open failed -> skip motd
    sw $v0,0x10($sp)             # delay slot: stash motd fd
    move $a0,$v0
    jal copystreams              # copystreams(motdFd, sock)
    move $a1,$s1                 # delay slot
    jal close
    lw $a0,0x10($sp)             # delay slot: a0 = motd fd
loc17ccc:
    la $v0,LoginHook
    lw $v0, 0($v0)
    nop
    jalr $v0                     # LoginHook(sock)
    move $a0, $s1                # delay slot
    bnez $v0, loc_298            # non-zero = login failed -> close
    la $a1,acrlf                 # delay slot (acrlf defined elsewhere)
    jal catWrite                 # catWrite(sock, crlf)
    move $a0,$s1                 # delay slot
    la $a0,catMutex
    lw $a0, 0($a0)
    jal semTake                  # semTake(catMutex, WAIT_FOREVER)
    addiu $a1,$0,-1              # delay slot
    sw $s1, 0x10($sp)            # node.fd = sock
    la $v1, sConsole
    lw $v0, 4($v1)               # v0 = sConsole.next
    nop
    beqz $v0, loc_204            # list has only the head
    nop
loc_1E8:                         # walk to the last node (v1 = last, v0 = 0)
    move $v1, $v0
    lw $v0, 4($v0)
    nop
    bnez $v0, loc_1E8
    nop
    lw $v0, 4($v1)
    nop
loc_204:
    sw $v0, 0x14($sp)            # node.next = 0
    sw $v1, 0x18($sp)            # node.prev = last
    addiu $v0, $sp, 0x10
    sw $v0, 4($v1)               # last->next = &node
    la $a0,catMutex
    lw $a0, 0($a0)
    jal semGive
    li $s0, 0xa                  # delay slot (s0 otherwise unused here)
catsocl1:
    jal catGetc                  # catGetc(sock) -> char, or -1 on EOF
    move $a0,$s1                 # delay slot
    addiu $v1,$0,-1
    beq $v0,$v1,catsockl1done    # connection gone -> tear down
    move $a1,$v0                 # delay slot: a1 = char
    jal tyIRd                    # tyIRd(pTyDev, ch): feed the shell
    move $a0,$s2                 # delay slot
    j catsocl1
catsockl1done:                   # note: this `la` is also the delay slot of the `j` above
    la $a0,catMutex
    lw $a0, 0($a0)
    jal semTake                  # semTake(catMutex, WAIT_FOREVER)
    addiu $a1,$0,-1              # delay slot
    lw $v1, 0x18($sp)            # v1 = node.prev
    nop
    lw $v0, 0x14($sp)            # v0 = node.next
    nop
    beqz $v0, loc_288
    sw $v0, 4($v1)               # delay slot: prev->next = next (always done)
    sw $v1, 8($v0)               # next->prev = prev
loc_288:
    la $a0,catMutex
    lw $a0, 0($a0)
    jal semGive
    nop
loc_298:
    jal close                    # close(sock)
    move $a0, $s1                # delay slot
    jal semGive                  # semGive(sessionSem): free the connection slot
    move $a0, $s3                # delay slot
    la $a0, aCattelTcatso_0
    jal printf                   # "CatTel: tCatSock%02d: Telnet Connection Lost"
    move $a1, $s1                # delay slot
    lw $ra, 0x38($sp)
    lw $s3, 0x34($sp)
    lw $s2, 0x30($sp)
    lw $s1, 0x2C($sp)
    lw $s0, 0x28($sp)
    jr $ra
    addiu $sp, 0x40

# tTelnet(bindAddrStr, port)
#   Listener task. socket(AF_INET, SOCK_STREAM, 0); sockaddr_in at $sp+0x40 (len 16,
#   family 2, port stored with sh - host order equals network order on big-endian MIPS,
#   which this target appears to be); inet_addr(bindAddrStr); a counting semaphore
#   semCCreate(0, 4) limits concurrent sessions to 4; setsockopt(SOL_SOCKET=0xFFFF,
#   SO_REUSEADDR=4); bind() is retried every 0x300 ticks on failure; listen(2); then the
#   accept loop: semTake(sem) -> taskSpawn("tCatSock%02d", 200, 0, 0xF00, tCatSock,
#   fd, catDev, sem). An accept() returning -1 ends the task for good.
#   NOTE(review): `beqz $s1,loc_4BC` tests the socket() result against 0, but VxWorks
#   socket() reports failure with ERROR (-1), so that branch is unlikely to ever fire.
#   NOTE(review): `bnez $v0,loc_390` skips the setsockopt error message when the call
#   returns non-zero; setsockopt returns OK (0) on success, so the message is printed
#   on success and suppressed on ERROR - the condition looks inverted.
#   NOTE(review): optval is a single `sb` of 1 at 0x50($sp) with optlen 1; the rest of the
#   int is uninitialised stack - harmless for a boolean option but worth tidying.
#   NOTE(review): the addrlen word at 0x78($sp) is written by accept() and never reset
#   to 0x10 before the next accept().
tTelnet:
    addiu $sp, -0xA0
    sw $ra, 0x98($sp)
    sw $s5, 0x94($sp)
    sw $s4, 0x90($sp)
    sw $s3, 0x8C($sp)
    sw $s2, 0x88($sp)
    sw $s1, 0x84($sp)
    sw $s0, 0x80($sp)
    move $s2, $a0                # s2 = bind address string
    move $s4, $a1                # s4 = port
    li $s0, 0x10
    sw $s0, 0x78($sp)            # addrlen = 16
    li $v0, 1
    sb $v0, 0x50($sp)            # optval = 1 (one byte only, see NOTE)
    li $a0, 2                    # AF_INET
    li $a1, 1                    # SOCK_STREAM
    jal socket
    move $a2, $0                 # delay slot: protocol 0
    move $s1, $v0                # s1 = listen socket
    beqz $s1, loc_4BC            # see NOTE: should compare with -1
    li $a1,0x10                  # delay slot
    jal bzero                    # bzero(&sockaddr, 16)
    addiu $a0,$sp,0x40           # delay slot
    li $v0, 2
    sb $s0, 0x40($sp)            # sin_len = 16
    sb $v0, 0x41($sp)            # sin_family = AF_INET
    sh $s4, 0x42($sp)            # sin_port = port (no htons; big-endian host)
    jal inet_addr                # inet_addr(bindAddrStr)
    move $a0, $s2                # delay slot
    sw $v0, 0x44($sp)            # sin_addr
    move $a0, $0
    jal semCCreate               # semCCreate(0, 4): max 4 sessions
    li $a1, 4                    # delay slot
    move $s3, $v0                # s3 = session semaphore
    li $v0, 1
    sw $v0, 0x10($sp)            # optlen = 1 (5th argument on stack)
    move $a0, $s1
    li $a1, 0xFFFF               # SOL_SOCKET
    li $a2, 4                    # SO_REUSEADDR
    jal setsockopt
    addiu $a3, $sp, 0x50         # delay slot: &optval
    bnez $v0, loc_390            # see NOTE: condition appears inverted
    nop
    jal __errnoRef
    nop
    la $a0, aCattelTelnetSe
    lw $a1, 0($v0)               # a1 = errno
    jal printf                   # "... setsockopt() error ... but continuing"
    move $a2, $s1                # delay slot
loc_390:
    j loc_3BC
    addiu $s0,$0,-1              # delay slot: s0 = ERROR for the bind test
loc_398:                         # bind failed: report, sleep, retry
    jal __errnoRef
    nop
    la $a0, aCattelTelnetSo
    lw $a1, 0($v0)
    jal printf                   # "... bind() error ... Sleeping then retrying"
    move $a2, $s1                # delay slot
    jal taskDelay
    li $a0, 0x300                # delay slot: 0x300 ticks
loc_3BC:
    lw $a2, 0x78($sp)            # addrlen
    move $a0, $s1
    jal bind                     # bind(sock, &sockaddr, addrlen)
    addiu $a1, $sp, 0x40         # delay slot
    beq $v0, $s0, loc_398        # ERROR -> retry loop
    move $a0, $s1                # delay slot
    jal listen                   # listen(sock, 2)
    li $a1, 2                    # delay slot
    addiu $v1,$0,-1
    beq $v0, $v1, loc_498        # listen failed
    move $a1, $s2                # delay slot
    la $a0, aCattelTelnetIn
    jal printf                   # "CatTel: Telnet Initialized, listening on %s:%d"
    move $a2, $s4                # delay slot
    addiu $s5,$0,-1              # s5 = -1 (accept error)
    la $s4, tCatSock             # s4 = session entry point
    j loc_474
    addiu $s2, $sp, 0x58         # delay slot: s2 = task-name buffer
loc_40C:                         # got a connection (fd in s0, a0 = sem from delay slot)
    jal semTake                  # semTake(sessionSem, WAIT_FOREVER): wait for a slot
    addiu $a1,$0,-1              # delay slot
    move $a0, $s2
    la $a1, aTcatsock02d
    jal sprintf                  # sprintf(name, "tCatSock%02d", fd)
    move $a2, $s0                # delay slot
    sw $s4, 0x10($sp)            # entry = tCatSock
    sw $s0, 0x14($sp)            # arg1 = fd
    la $v0,catDev
    lw $v0, 0($v0)
    nop
    sw $v0, 0x18($sp)            # arg2 = catDev
    sw $s3, 0x1C($sp)            # arg3 = session semaphore
    move $a0, $s2                # name
    li $a1, 0xC8                 # priority 200
    move $a2, $0                 # options 0
    jal taskSpawn
    li $a3, 0xF00                # delay slot: stack 0xF00 bytes
loc_474:
    move $a0, $s1
    addiu $a1, $sp, 0x40
    jal accept                   # accept(sock, &sockaddr, &addrlen)
    addiu $a2, $sp, 0x78         # delay slot
    move $s0, $v0
    bne $s0, $s5, loc_40C        # fd != -1 -> spawn session
    move $a0, $s3                # delay slot: a0 = sem for semTake at loc_40C
    j loc_4D8                    # accept() returned -1: listener exits
    nop
loc_498:
    jal __errnoRef
    nop
    la $a0, aCattelTelnet_0
    lw $a1, 0($v0)
    jal printf                   # "... listen() error ..."
    move $a2, $s1                # delay slot
    j loc_4D8
    nop
loc_4BC:
    jal __errnoRef
    nop
    la $a0, aCattelTelnet_1
    lw $a1, 0($v0)
    jal printf                   # "... socket() error ..."
    move $a2, $s1                # delay slot
loc_4D8:
    la $a0, aCattelTelnetTh
    jal printf                   # "CatTel: Telnet Thread Exiting!"
    nop
    lw $ra, 0x98($sp)
    lw $s5, 0x94($sp)
    lw $s4, 0x90($sp)
    lw $s3, 0x8C($sp)
    lw $s2, 0x88($sp)
    lw $s1, 0x84($sp)
    lw $s0, 0x80($sp)
    jr $ra
    addiu $sp, 0xA0

# CatTelInit(bindAddrStr, port, consoleDevName)
#   Returns the fd of the new "/CatTel" device, or -1 if consoleDevName could not be
#   opened (per the zero test below). Steps:
#     catDev = malloc(0xFC); tyDevInit(catDev, 0x100, 0x100, CatTeltxStartup);
#     drv = iosDrvInstall(0, 0, CatTelDevOpen, 0, tyRead, tyWrite, tyIoctl);
#     iosDevAdd(catDev, "/CatTel", drv); catMutex = semBCreate(0, 1);
#     CatTelsetLoginHook(catDoLogin); sConsole.fd = open(consoleDevName, O_RDWR=2, 0);
#     taskSpawn("tTcnSCon", 200, 0, 0xF00, tSCon, consoleFd, catDev);
#     taskSpawn("tTcnTelnet", 200, 0, 0xF00, tTelnet, bindAddrStr, port);
#     ioctl(consoleFd, 3, 0)  - 3 = FIOSETOPTIONS, 0 = raw mode (VxWorks ioLib);
#     catFd = open("/CatTel", 2, 0); ioGlobalStdSet(0/1/2, catFd);
#     ioctl(catFd, 3, 0x7F)   - 0x7F = OPT_TERMINAL.
#   NOTE(review): both open() results are tested with beqz, but VxWorks open() returns
#   ERROR (-1) on failure; the stores into sConsole/catFd happen regardless (delay slots),
#   so a failed open would leave -1 in those slots and be treated as success - confirm.
CatTelInit:
    addiu $sp, -0x58
    sw $ra, 0x50($sp)
    sw $s3, 0x4C($sp)
    sw $s2, 0x48($sp)
    sw $s1, 0x44($sp)
    sw $s0, 0x40($sp)
    move $s2, $a0                # s2 = bind address string
    move $s3, $a1                # s3 = port
    move $s0, $a2                # s0 = console device name
    jal malloc                   # malloc(0xFC): tty device block
    li $a0, 0xFC                 # delay slot
    la $a0,catDev
    sw $v0,0($a0)                # catDev = block
    move $a0, $v0
    li $a1, 0x100                # rdBufSize
    la $a3, CatTeltxStartup      # txStartup callback
    jal tyDevInit
    li $a2, 0x100                # delay slot: wrtBufSize
    la $v0, tyRead
    sw $v0, 0x10($sp)            # pRead
    la $v0, tyWrite
    sw $v0, 0x14($sp)            # pWrite
    la $v0, tyIoctl
    sw $v0, 0x18($sp)            # pIoctl
    move $a0, $0                 # pCreate = 0
    move $a1, $0                 # pDelete = 0
    la $a2, CatTelDevOpen        # pOpen
    jal iosDrvInstall
    move $a3, $0                 # delay slot: pClose = 0
    la $a0,catDev
    lw $a0, 0($a0)
    la $a1, aCattel              # "/CatTel"
    jal iosDevAdd
    move $a2, $v0                # delay slot: driver number
    move $a0, $0
    jal semBCreate               # semBCreate(0, 1): binary, initially full
    li $a1, 1                    # delay slot
    la $a0,catMutex
    sw $v0, 0($a0)               # catMutex = sem
    la $a0, catDoLogin
    jal CatTelsetLoginHook       # install the password check
    nop
    la $s1, sConsole
    move $a0, $s0
    li $a1, 2                    # O_RDWR
    jal open                     # open(consoleDevName, 2, 0)
    move $a2, $0                 # delay slot
    move $v1, $v0
    beqz $v1, loc_72C            # see NOTE: 0 test vs ERROR (-1)
    sw $v1, 0($s1)               # delay slot: sConsole.fd = consoleFd (always stored)
    la $v0, tSCon
    sw $v0, 0x10($sp)            # entry = tSCon
    sw $v1, 0x14($sp)            # arg1 = consoleFd
    la $v0,catDev
    lw $v0, 0($v0)
    nop
    sw $v0, 0x18($sp)            # arg2 = catDev
    la $a0, aTtcnscon            # "tTcnSCon"
    li $a1, 0xC8
    move $a2, $0
    jal taskSpawn
    li $a3, 0xF00                # delay slot
    la $v0, tTelnet
    sw $v0, 0x10($sp)            # entry = tTelnet
    sw $s2, 0x14($sp)            # arg1 = bind address string
    sw $s3, 0x18($sp)            # arg2 = port
    la $a0, aTtcntelnet          # "tTcnTelnet"
    li $a1, 0xC8
    move $a2, $0
    jal taskSpawn
    li $a3, 0xF00                # delay slot
    lw $a0, 0($s1)
    li $a1, 3                    # FIOSETOPTIONS
    jal ioctl                    # ioctl(consoleFd, FIOSETOPTIONS, 0): raw
    move $a2, $0                 # delay slot
    la $a0, aCattel
    li $a1, 2
    jal open                     # open("/CatTel", O_RDWR, 0)
    move $a2, $0                 # delay slot
    move $s0, $v0                # s0 = catFd
    beqz $s0, loc_71C            # see NOTE: 0 test vs ERROR (-1)
    move $a0, $0                 # delay slot: STD_IN
    jal ioGlobalStdSet           # ioGlobalStdSet(0, catFd)
    move $a1, $s0                # delay slot
    li $a0, 1
    jal ioGlobalStdSet           # ioGlobalStdSet(1, catFd)
    move $a1, $s0                # delay slot
    li $a0, 2
    jal ioGlobalStdSet           # ioGlobalStdSet(2, catFd)
    move $a1, $s0                # delay slot
    move $a0, $s0
    li $a1, 3
    jal ioctl                    # ioctl(catFd, FIOSETOPTIONS, OPT_TERMINAL)
    li $a2, 0x7F                 # delay slot
loc_71C:
    la $a0,catFd
    sw $s0, 0($a0)               # catFd = fd
    j loc_730
    move $v0, $s0                # delay slot: return fd
loc_72C:
    addiu $v0,$0,-1              # return -1
loc_730:
    lw $ra, 0x50($sp)
    lw $s3, 0x4C($sp)
    lw $s2, 0x48($sp)
    lw $s1, 0x44($sp)
    lw $s0, 0x40($sp)
    jr $ra
    addiu $sp, 0x58

# __errnoRef()
#   Thin wrapper returning whatever __errno() returns; callers lw 0($v0) to get errno.
__errnoRef:
    addiu $sp, -0x18
    sw $ra, 0x10($sp)
    jal __errno
    nop
    lw $ra, 0x10($sp)
    nop
    jr $ra
    addiu $sp, 0x18

# catDoLogin(fd)
#   LoginHook implementation. Returns 0 on success, 1 on failure.
#     * If FlagGet(2) returns 0 the whole check is skipped and 0 (success) is returned,
#       i.e. that flag disables authentication entirely.
#     * Prompts "Login: " and reads up to 0x50 bytes into $sp+0x10 with echo on, then
#       "Password: " into $sp+0x60 with echo off (catRdString).
#     * Both fields are read before any comparison, so a bad username and a bad password
#       are indistinguishable to the peer.
#     * strcmp against mycfgarearaw+0x98 (user) and mycfgarearaw+0xd8 (password); the
#       literal strings aUSERNAME/aUSERPASS below are NOT used here.
#   NOTE(review): `jal CatWrite` - the routine below is defined as `catWrite` (lower-case
#   c); a case-sensitive assembler will not resolve this, confirm which spelling the
#   build uses.
#   NOTE(review): catRdString's -1 (connection dropped) is not checked; the buffers are
#   then not NUL-terminated and strcmp reads stale stack bytes.
catDoLogin:
    addiu $sp,-0x130
    sw $ra,0x12c($sp)
    sw $s0,0x128($sp)
    move $s0,$a0                 # s0 = fd
    jal FlagGet                  # FlagGet(2) (defined elsewhere)
    li $a0,2                     # delay slot
    beqz $v0,catDoLoginDone      # flag clear -> no login required, v0 = 0
    la $a1,aCatLoginPrompt       # delay slot
    jal CatWrite                 # CatWrite(fd, "Login: ")  (see NOTE on spelling)
    move $a0,$s0                 # delay slot
    move $a0,$s0
    addiu $a1,$sp,0x10           # username buffer
    li $a3,1                     # echo on
    jal catRdString              # catRdString(fd, buf, 0x50, 1)
    li $a2,0x50                  # delay slot
    la $a1,aCatPassPrompt
    jal CatWrite                 # CatWrite(fd, "Password: ")
    move $a0,$s0                 # delay slot
    move $a0,$s0
    addiu $a1,$sp,0x60           # password buffer
    move $a3,$0                  # echo off
    jal catRdString              # catRdString(fd, buf, 0x50, 0)
    li $a2,0x50                  # delay slot
    la $a0,mycfgarearaw+0x98     # configured user name
    jal strcmp
    addiu $a1,$sp,0x10           # delay slot
    bnez $v0,catDoLoginFailed
    la $a0,mycfgarearaw+0xd8     # delay slot: configured password
    jal strcmp
    addiu $a1,$sp,0x60           # delay slot
    bnez $v0,catDoLoginFailed
catDoLoginDone:                  # v0 is 0 here on every success path
    lw $s0,0x128($sp)
    lw $ra,0x12c($sp)
    jr $ra
    addiu $sp,0x130
catDoLoginFailed:
    j catDoLoginDone
    li $v0,1                     # delay slot: return 1 = failed

#Basic output routine
#
# catWrite(fd, str)
#   write(fd, str, strlen(str)). The strlen loop over-increments $t1 in the delay slot and
#   corrects it with the `addiu $t1,-1`. a0 (fd) is untouched by the loop.
catWrite:
    addiu $sp,-0x18
    sw $ra,0x14($sp)
    move $t1,$a1
catwl1:
    lb $t0,0($t1)
    andi $t0,0xff
    bnez $t0,catwl1
    addiu $t1,1                  # delay slot: runs once past the NUL
    addiu $t1,-1                 # back up to the NUL
    jal write                    # write(fd, str, end - str)
    subu $a2,$t1,$a1             # delay slot: length
    lw $ra,0x14($sp)
    jr $ra
    addiu $sp,0x18

#Basic Input routine
#catRdString(fd,*buff,maxlen,echo)
#   Reads a line via catGetc() into buff until LF (0x0a) or maxlen characters.
#   Backspace (0x08) removes the previous char and, with echo on, writes aRubout.
#   Returns the number of bytes stored (buff is NUL-terminated), or -1 if catGetc
#   reported EOF/error (in that case buff is left untouched/unterminated).
#   NOTE(review): when maxlen characters arrive with no LF, the terminating NUL is stored
#   at buff[maxlen], one byte past the caller's buffer (catDoLogin passes 0x50-byte
#   regions spaced 0x50 apart, so the user-name NUL lands on the first password byte).
#   NOTE(review): the echo path stores the char at decimal offset 10 ($sp+0xa) but
#   write()s from $sp+0x10, so with echo on the peer receives an uninitialised stack
#   byte instead of the typed character - looks like a 10/0x10 mix-up.
catRdString:
    addiu $sp,-0x30
    sw $ra,0x2c($sp)
    sw $s0,0x28($sp)
    sw $s1,0x24($sp)
    sw $s2,0x20($sp)
    sw $s3,0x18($sp)
    sw $s4,0x14($sp)
    move $s0,$a0                 # s0 = fd
    move $s1,$a1                 # s1 = cursor
    addu $s2,$a1,$a2             # s2 = buff + maxlen
    move $s3,$a1                 # s3 = buff
    move $s4,$a3                 # s4 = echo flag
catRdSl1:
    jal catGetc                  # catGetc(fd)
    move $a0,$s0                 # delay slot
    addiu $t0,$0,-1
    beq $v0,$t0,catRdError       # EOF/error -> return -1 (v0 already -1)
    li $t1,0x8                   # delay slot
    bne $v0,$t1,catRdNotBkSp     # not backspace?
    li $t1,0xa                   # delay slot: t1 = LF for the next test
    beq $s1,$s3,catRdSl1         # already at column 0? nothing to delete
    nop
    beqz $s4,catRdSl1            # no echo: just back up the cursor
    addiu $s1,-1                 # delay slot: cursor-- (both paths)
    move $a0,$s0
    la $a1,aRubout
    jal write                    # write(fd, "\b \b", 3)
    li $a2,3                     # delay slot
    j catRdSl1
    nop
catRdNotBkSp:
    beq $v0,$t1,catRdDone        # LF ends the line
    sb $v0,0($s1)                # delay slot: store char (overwritten by NUL on LF)
catRdSk1:
    beqz $s4,catRdSk2            # echo off -> skip
    sb $v0,10($sp)               # delay slot: see NOTE (offset 10 vs 0x10)
    addiu $a1,$sp,0x10
    move $a0,$s0
    jal write                    # echo one byte
    li $a2,1                     # delay slot
catRdSk2:
    addiu $s1,1
    bne $s1,$s2,catRdSl1         # room left?
catRdDone:                       # also the delay slot of the bne above (harmless)
    subu $v0,$s1,$s3             # return length
    sb $0,0($s1)                 # NUL-terminate (see NOTE on buff[maxlen])
catRdError:
    lw $s4,0x14($sp)
    lw $s3,0x18($sp)
    lw $s2,0x20($sp)
    lw $s1,0x24($sp)
    lw $s0,0x28($sp)
    lw $ra,0x2c($sp)
    jr $ra
    addiu $sp,0x30

#catGetc(Fd fd) returns -1 if error or socket trouble else returns char read in (and
#processes commands and translations)
#   Reads one byte with fioRead(fd, &ch, 1). Translations as actually coded:
#     0x00 -> discarded, read again
#     0xFF -> telnet IAC, handed to catHandleCmd which swallows the command
#     0x1F -> returned as 0x08 (backspace)
#     0x0A (LF) -> discarded, read again
#     0x0D (CR) -> returned as 0x0A
#     anything else -> returned unchanged
#   NOTE(review): the original comment says "ctrl-esc (127)", i.e. DEL = 0x7F, but the
#   compare is against 0x1F; DEL is therefore never mapped to backspace, which matches
#   the "ctrl-h works, nothing else does" item in the header.
#   NOTE(review): only fioRead() == 0 is treated as end of input; an ERROR (-1) return is
#   non-zero and falls through, re-processing the stale byte at 0x20($sp).
#   NOTE(review): `beq $a1,$t1,CatHandleCmd` targets a label defined below as
#   `catHandleCmd` (lower-case c) - same case question as CatWrite.
catGetc:
    addiu $sp,-0x40
    sw $ra,0x3c($sp)
    sw $s0,0x38($sp)
    sw $s1,0x34($sp)
    move $s1,$a0                 # s1 = fd
catIgnorec:
    move $a0, $s1
    addiu $a1, $sp, 0x20
    jal fioRead                  # fioRead(fd, &ch, 1)
    li $a2, 1                    # delay slot
    beqz $v0,catGetcDone         # 0 bytes -> return -1 (see NOTE on ERROR)
    addiu $v0,$0,-1              # delay slot: v0 = -1
    lb $a1, 0x20($sp)
    andi $a1,0xff                # a1 = ch, zero-extended
    beqz $a1,catIgnorec          # NUL: discard
    li $t1,0xff                  # delay slot
    beq $a1,$t1,CatHandleCmd     # IAC: process telnet command
    li $t1,0x1f                  # delay slot: see NOTE (0x1f, not 0x7f)
    bne $a1,$t1,NotBksp
    li $t1,0xa                   # delay slot
    li $a1,0x8                   # 0x1f -> backspace (ctrl-h)
NotBksp:
    beq $a1, $t1, catIgnorec     # LF (0x0a): discard, the CR already ended the line
    li $t1,0xd                   # delay slot
    bne $a1,$t1,notlf            # not CR -> return as is
    nop
    j notlf
    li $a1,0xa                   # delay slot: CR -> LF, so unix and windows peers match
notlf:
    move $v0,$a1                 # return the (translated) char
catGetcDone:
    lw $s1,0x34($sp)
    lw $s0,0x38($sp)
    lw $ra,0x3c($sp)
    jr $ra
    addiu $sp,0x40

# catHandleCmd (tail of catGetc, shares its frame; $s0/$s1 are catGetc's saved regs)
#   Consumes a telnet command after an IAC byte and then jumps back to catIgnorec to
#   read the next real character. $s0 is a countdown of bytes still to swallow:
#     start at 2; the first byte after IAC decrements it to 1:
#       0xFA (SB) -> s0 = 0xff: swallow subnegotiation data until an IAC shows up
#       0xF0 (SE) -> s0 = 2
#       other     -> s0 = 1 (WILL/WONT/DO/DONT carry one option byte)
#     in any other state a byte equal to 0xFF (IAC) resets s0 = 2, otherwise s0 just
#     counts down; when it hits 0 the command is finished.
#   Uses the same fioRead return check as catGetc (0 -> return -1).
#   NOTE(review): an SE right after IAC sets s0 = 2 instead of ending the command, so
#   two further bytes are discarded after every subnegotiation - confirm intended.
catHandleCmd:
    li $s0,2                     # state counter: read 3 bytes unless its 0xff then read 3
                                 # more, unless second one is 250 then read till you get 255 250
loc_17c_ish:
    move $a0,$s1
    addiu $a1,$sp,0x20
    jal fioRead                  # read a byte
    li $a2,1                     # delay slot
    beqz $v0,catGetcDone         # on error bail out (v0 = -1)
    addiu $v0,$0,-1              # delay slot
    lb $a1,0x20($sp)
    andi $a1,0xff
    li $t1,2
    bne $t1,$s0,notstate3        # not the command byte?
    addiu $s0,-1                 # delay slot: countdown (both paths)
    li $t1,0xfa                  # SB: get data till you get IAC and SE
    bne $a1,$t1,notsb
    nop
    j loc238_ish
    li $s0,0xff                  # delay slot: keep going till 255 chars or IAC & SE
notsb:
    li $t1,0xf0                  # SE ??
    beq $a1,$t1,isse
    nop
    j loc238_ish
    li $s0,1                     # delay slot: one option byte follows
notstate3:
    li $t1,0xff                  # IAC ??
isse:
    bne $a1,$t1,loc238_ish
    nop
    li $s0,2                     # IAC seen: read at least 1 more byte, then wait for another IAC
loc238_ish:
    bnez $s0,loc_17c_ish         # more to swallow?
    move $a0, $s1                # delay slot
    j catIgnorec                 # command done: read the next real character
    nop

# ---- data ------------------------------------------------------------------------
# The "\l" escapes are reproduced as found; what the assembler emits for them is not
# visible here.
aCatLoginPrompt: .asciiz "\n\lLogin: "
aCatPassPrompt: .asciiz "\n\lPassword: "
# Literal credentials present in the image. Not referenced by any code in this listing
# (catDoLogin compares against mycfgarearaw), but still recoverable from the binary.
aUSERNAME: .asciiz "tcniso"
aUSERPASS: .asciiz "sigma"
aRubout: .word 0x08200800        # BS, SPACE, BS, NUL: first 3 bytes written by catRdString
# Zero-initialised storage words (nop = 0x00000000 used as .word 0).
catDev: nop                      # TY_DEV block from malloc in CatTelInit
sConsole: nop nop nop            # list head {fd, next, prev}; fd = serial console
catMutex: nop                    # binary semaphore guarding the sConsole list
catFd: nop                       # fd of "/CatTel" after CatTelInit
LoginHook: nop                   # int (*)(int fd): non-zero return = reject
aCattelConsoleT: .asciiz "CatTel: Console Task Started\n\l"
aCattelTcatsock: .asciiz "CatTel: tCatSock%02d: Telnet Connection Established\n\l"
aCattelTcatso_0: .asciiz "CatTel: tCatSock%02d: Telnet Connection Lost \n\l"
aCattelTelnetSe: .asciiz "CatTel: Telnet setsockopt() error-%d socket-%04d, but continuing...\n\l"
aCattelTelnetSo: .asciiz "CatTel: Telnet socket bind() error-%04d socket-%04d! Sleeping then retrying\n\l"
aCattelTelnetIn: .asciiz "CatTel: Telnet Initialized, listening on %s:%d\n\l"
aTcatsock02d: .asciiz "tCatSock%02d"
aCattelTelnet_0: .asciiz "CatTel: Telnet socket listen() error-%04d socket-%04d!\n\l"
aCattelTelnet_1: .asciiz "CatTel: Telnet socket() error-%04d!\n\l"
aCattelTelnetTh: .asciiz "CatTel: Telnet Thread Exiting!\n\l"
aCattel: .asciiz "/CatTel"
aTyco0: .asciiz "/tyCo/0"
aTtcnscon: .asciiz "tTcnSCon"
aTtcntelnet: .asciiz "tTcnTelnet"