This information is from ~2002, and so may be extremely out of date or useless.
Overview
This device behaves similarly to a normal personal router/firewall or 802.11b router/firewall, only it is a gateway for Bluetooth devices rather than normal Ethernet.
It runs an embedded version of Linux called uClinux. By default, FTP and HTTP are the only running services. It does have a telnet server installed, but it is disabled by default. The web server it uses is Boa. The obvious use of this web server is for configuring the device (also similar to other routers). The not-so-obvious use is for running semi-hidden administration CGI scripts. One of these scripts allows you to edit text files stored in /tmp or /mnt/flash.
About /mnt/flash… It is /dev/flash2, which is just a flash chip in the device which stores files. Changes are maintained when power is disconnected, but when the reset button is used to reset the device to factory defaults, the flash file system is overwritten with a default configuration. The important thing to note is that /etc is a symlink to /mnt/flash/etc.
Doing Stuff
By connecting via ftp and poking around a bit, I noticed that an inetd server was installed, but does not run by default. Running the inetd server is all that is needed to enable telnet access (a telnet service is run by inetd when a connection is made). I found that /etc/inittab contained a line to start the inetd server, but it is commented out by default. So I accessed http://10.1.61.240/admin-bin/editcgi.cgi, selected /etc/inittab as the file to edit, and changed
    #inet:3:respawn:/sbin/inetd -n
to
    inet:3:respawn:/sbin/inetd -n
Voilà, telnet access. Since there is a limited amount of space on these flash drives, many standard unix commands are missing. Grep, less, gcc, vi, emacs, and pico, to name a few.
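An added example (not part of the original write-up): a drift check an administrator could run on a workstation against a copy of the AP's /etc/inittab, reporting entries that are active now but were commented out or absent in a factory copy. The function names, file names and all sample lines except the inet line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Only the "inet" inittab line is
# taken from the write-up; every other sample line and file name is constructed.

# audit_inittab BASELINE CURRENT
# Prints one line per entry that is active in CURRENT but was commented out
# or absent in BASELINE:  <id> TAB <kind> TAB <process>
# kind is "listener" when the command is inetd or telnetd, otherwise "other".
audit_inittab() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # commented-out or blank: inactive
        NF < 4                   { next }   # not id:runlevels:action:process
        FILENAME == ARGV[1]      { base[$1] = 1; next }
        !($1 in base) {
            proc = $4                        # the process field may contain ":"
            for (i = 5; i <= NF; i++) proc = proc ":" $i
            split(proc, words, " ")
            n = split(words[1], path, "/")
            kind = (path[n] == "inetd" || path[n] == "telnetd") ? "listener" : "other"
            printf "%s\t%s\t%s\n", $1, kind, proc
        }' "$1" "$2"
}

# Builds a constructed factory copy and an edited copy, then audits them.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/inittab.factory" <<'EOF'
# constructed sample inittab
id:3:initdefault:
si::sysinit:/etc/init.d/rcS
#inet:3:respawn:/sbin/inetd -n
EOF
    # Same edit as described above: the leading "#" is removed from the inet line.
    sed 's/^#inet:/inet:/' "$dir/inittab.factory" > "$dir/inittab.current"
    audit_inittab "$dir/inittab.factory" "$dir/inittab.current"
    rm -rf "$dir"
}

demo
```

Because /etc lives on /mnt/flash, the edit survives power cycles, so a check like this is worth repeating after any use of the file editor rather than only after a reboot.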
Excerpts
First thing is the login prompt. Then some commands. The prompt is the pid of the login process. Oh yeah, and “cat /proc/kcore” is not usually a good idea…
    Linux 2.0.38 (Dan118d-Bluetooth-AP) (ttyp0)

    Dan118d-Bluetooth-AP login: root
    Password:

    Sash (version 2.2)
    567# cd /proc
    567# cat cpuinfo
    cpu          : Etrax
    cpu revision : 11
    cpu model    : Unknow
    cache size   : 0 kB
    fpu          : no
    mmu          : no
    ethernet     : 10 Mbp
    token ring   : no
    scsi         : no
    ata          : no
    usb          : no
    irq bug      : no
    bogomips     : 99.84
    567# cat version
    Linux version 2.0.38 (pkj@saur) (gcc version 2.96 20000427 (experimental)) #16 Tue Jan 8 06:38:34 EST 2002
    567# cat devices
    Character devices:
      1 mem
      2 pty
      3 ttyp
      4 ttyp
      5 cua
     60 Flash/ROM device
    120 etrax gpio
    124 ttyBT

    Block devices:
      1 ramdisk
     31 Kernel ROM disk
     60 Flash/ROM device
    567# cat filesystems
            romfs
            ext2
    nodev   proc
    nodev   nfs
            jffs
    567# cat serial
    Current time: 8007.489687
    ttyS0: rx_pending: 0 max_rx_pending: 0 rx_tot: 0 tx_tot: 0 last_tx_active: 0.000000 last_rx_active: 0.000000 overrun_cnt: 0 early_errors_cnt: 0 ser_ints_ok_cnt: 0 errors_cnt: 0 timeout_flush_cnt: 0 rx_dma_ints: 0 tx_dma_ints: 0 tty->flip.count: -1
    ttyS1: rx_pending: 0 max_rx_pending: 0 rx_tot: 0 tx_tot: 0 last_tx_active: 0.000000 last_rx_active: 0.000000 xmit_cnt: 0 overrun_cnt: 0 early_errors_cnt: 0 ser_ints_ok_cnt: 0 errors_cnt: 0 timeout_flush_cnt: 0 rx_dma_ints: 0 tx_dma_ints: 0 tty->flip.count: -1
    ttyS2: rx_pending: 0 max_rx_pending: 0 rx_tot: 0 tx_tot: 1475 last_tx_active: 1444.569947 last_rx_active: 0.000000 xmit_cnt: 0 overrun_cnt: 0 early_errors_cnt: 0 ser_ints_ok_cnt: 0 errors_cnt: 0 timeout_flush_cnt: 0 rx_dma_ints: 0 tx_dma_ints: 229 tty->flip.count: 0
    ttyS3: rx_pending: 0 max_rx_pending: 258 rx_tot: 7120 tx_tot: 6734 last_tx_active: 1627.065989 last_rx_active: 20.989114 xmit_cnt: 0 overrun_cnt: 0 early_errors_cnt: 8 ser_ints_ok_cnt: 320 errors_cnt: 0 timeout_flush_cnt: 319 rx_dma_ints: 320 tty->flip.count: 0
    567# cat meminfo
    Free pages: 6984kB
     ( 0*4kB 11*8kB 19*16kB 12*32kB 3*64kB 3*128kB 4*256kB 1*512kB 0*1024kB 2*2048kB = 6984kB)
            total:    used:    free:  shared: buffers:  cached:
    Mem:  12099584  4947968  7151616        0   790528   233472
    Swap:        0        0        0
    MemTotal:     11816 kB
    MemFree:       6984 kB
    MemShared:        0 kB
    Buffers:        772 kB
    Cached:         228 kB
    SwapTotal:        0 kB
    SwapFree:         0 kB

    594# cat interrupts
     2:     817202   timer
     3:       1578   fast timer int
     6:          0   Etrax 100 ethernet controller
     8:        328 + serial
    16:       6734   Etrax 100 ethernet controller
    17:       7032   Etrax 100 ethernet controller
    18:        229   serial 2 dma tr
    19:          0   serial 2 dma rec
    20:        157   serial 3 dma tr
    21:        320   serial 3 dma rec
    22:          0 + serial 0 dma tr
    23:          0 + serial 0 dma rec
    24:          0 + serial 1 dma tr
    25:          0 + serial 1 dma rec
    594# df -h
    Filesystem   1k-blocks  Used Available Use% Mounted on
    /dev/root         3441  3441         0 100% /
    none                 0     0         0   -  /proc
    /dev/flash2        224    92       132  41% /mnt/flash
    /dev/ram0          487    53       409  11% /tmp
Other Notes
Most of the html/php pages are in /usr/html. /usr/html/local is a symlink to /mnt/flash/etc/httpd/html, which is writable by you. So you can put your own web pages up, and maybe even have your own access restrictions to it?
I think boa does not have a php plugin, because it is meant to be simple. So to parse their php pages, I think Axis pipes them through a php interpreter.
/tmp gets cleared on reboots. /mnt/flash gets cleared on resets. /etc is a symlink to /mnt/flash/etc, so it gets reset to factory defaults when you reset the AP. Default username and password are root and pass, by the way.