view · edit · print · history

How to get a telnet into R29

This guide is not the definitive super-duper perfect solution for this, but as Linksys did remove telnet.cgi as well as telnetd from the image, I still wanted to have something like a telnet access to it.

Here are the ingredients you need:

Note that I have not flashed anything yet, so everything I describe here does neither need physical access to the NSLU2 (the harddrives can stay plugged in) nor is anything changed within the device, so just a power cycle shall removes everything. Of course you still can kill your device if you don't do it properly or you do something insane on the shell.

1. Prepare a new Ramdisk

I assume you use /bin/bash as your shell.

  1. Compile the slugtool from SplitAnImageIntoPartsUsingSlugTool.
  2. Unpack the firmware's bin file into it's parts: slugtool unpack NSLU2_V23R29.bin
  3. gunzip ramdisk; mkdir R; mount -o loop,noatime ramdisk R
  4. Create the file R/home/httpd/html/Management/shell.cgi (see below)
  5. chmod +x R/home/httpd/html/Management/shell.cgi
  6. ( cd R && dd if=/dev/zero of=noxnixnox; rm -f noxnixnox; )
  7. umount R; gzip -9 ramdisk

The file contents of R/home/httpd/html/Management/shell.cgi are:

 echo "Content-type: text/plain"
 echo ""
 if [ ! -s $i ]
        echo "[fix]"
        killall inetd
        echo "telnet stream tcp nowait root /bin/ash -i" >$i
        ( /bin/inetd >/dev/null 2>&1 <&1 & )
 if [ -z "$QUERY_STRING" ]
        echo "[set]"
        echo "exec $QUERY_STRING"
        exec $QUERY_STRING

Actually you must pipe this through /bin/sed to get rid if the first space, if you cut'n'paste it from this Wiki page (the Wiki formatting is broken by design):
sed 's/^ //' >R/home/httpd/html/Management/shell.cgi

2. Prepare the TFTP files

Copy ramdisk.gz and vmlinuz to your /tftpboot/ or whereever your TFTP daemon takes the files from.
If you use the web based approach (I did not test this), be sure the files can be downloaded.

3. Boot the NSLU2 into RedBoot

The best way I found was to use the Perl script from TelnetIntoRedBoot. You don't need upslug! And remember that RedBoot always uses the IP for the device.

  • Be sure, your linux box has an IP 192.168.0.x where x>1, following assumes x=3
    If not, use ifconfig eth0:99 netmask
    Be sure, you have no other machines interfering with these IPs? 192.168.0.x
  • Start the script and let it wait in the command arping.
  • On the Administration::Status pages of the NSLU2 use the "Reboot" button.
  • The script then intercepts the boot process.
  • Cut and paste following into the RedBoot shell (this assumes TFTP):
    ip_address -h
    load -r -v -b 0x01000000 ramdisk.gz
    load -r -v -b 0x01d00000 vmlinuz
    exec 0x01d00000
    (well, in some cases the "load" command does not work correctly, and then the device crashs on the exec. If you want to prevent this, use the cksum command as noted in TestAnImageInRamUsingRedBoot)
  • Can somebody else, please, edit this to show the web download variant, here, too?
    For the web version, you have to add -m http to the load lines above, and alter path to the two files, accordingly. For more info, see TestAnImageInRamUsingRedBoot
  • Wait a while until your device pings and has bootet. Don't forget that now the IP you gave the device is back, so the is no more used (unless you gave it the IP

4. Activate telnet

Modern browsers don't think you are mature. They are behaving like screwed up nannys thinking all the children are just to stupid to express their real meaning. They augment your input. Therefor you are not able to use the web interface for commands, which contain arguments. This is because your browser will replace any space with %20, which cannot be understood by the shell. Sadly I did not find any possibility to to an regexp replacement on environment variables in the NSLU2, so we have to live with this problem.

Warning! This step activates telnet access to the box without any user/password prompt or whatsoever! So only do this in your own LAN! You can modify the CGI from step 1 such, that it does not activate inetd. In this case, you only have variant 3 in step 5 to access a shell in the box.

The script from above fixes the inetd setting and restarts inetd. This way you can directly control a shell over the network.

  • In your browser go into the Administration area of your NSLU2
  • Replace the last file part with shell.cgi. If your NSLU2 is at sites) then the URL looks like sites)
  • Calling this URL you shall see
    and the output of the "set" command from the shell. (Note that without all those IO redirections on /sbin/inetd you won't see the [fix] note ever, as the CGI would starve.)

5. Telnet into the box

Well, the world is no perfect place to live in. This is true especially for a shell access without a terminal via inetd.

So you have two choices how to connect there:

  1. Use netcat. If your device is at, then type
    nc 23
    on your shell prompt. You will see the shell prompt from the device.
    The drawback of this approach is, that you are always in line editing mode.
  2. Use telnet. If your device is at, then type
    However with my telnet implementation, there is the problem that the NSLU2 echos the telnet escapes. The shell sees the telnet escapes and is a little bit irritated. So you must type in Enter and Ctrl-D to revive the shell.
    Also the telnet and the NSLU2 repeat all the characters you type. So you see everything appearing twice on the screen.
    You can get rid of this double-echo somehow, using the telnet escape CTRL-] and then type mode character and press return. But this makes it even worse, as afterwards the LFs? are not replaced by CRLF, and such you have the famous "my terminal is missing the CR" effect.
  3. Actually there is a third variant to "telnet into the box". You can access the shell.cgi directly with netcat. It's a little bit difficult to built the HTTP header, but afterwards you are connected directly with an ash:

telnet 80
POST /Management/shell.cgi?/bin/ash HTTP/1.0
Authorization: Basic YWRtaW46YWRtaW4=


Now it starts to become funny. You have to always enter an extra ';' at the end of the line to get rid if the CR which is inserted by the protocol handlers. You always will see an error, however you can ignore it. So don't type "ls -al", type "ls -al;" and Return. (If you use netcat, it works as expected, however you must stick to the line mode then.)

Note that the line with the Authorization carries username:password encoded in base64 form. In the example above it's the default admin:admin. If you don't know how to do base64 encoding, you can try my JavaScript? pages:
http://tools.geht.net/eval.html(approve sites)
Choose "base64 encoder" from the drop down box
type in username:password in the text field below "Type here your input to the function:", the output is in the text field at the bottom. If this does not work for you you are on your own.

6. Get rid of the modifications

As the modifications were not flashed, it's enough to reboot the device to get rid of the modifications presented here. Perhaps somebody can extend this to explain how to make this changes permanently.

7. Final notes

There is a vi command in R29. It's the secret of Linksys why they deploy an interactive visual editor onto a device which lacks the possibility of interaction. However for the first steps it's really convenient to have a vi.


view · edit · print · history · Last edited by tman.
Originally by tman.
Page last modified on April 14, 2005, at 10:26 PM