9. Under The Covers

I was interested in the fact that the mini appeared to boot over the network, so I set out to explore it a little further. Browsing through the installed software on the PC, it was easy to find a directory with two telling files: initrd.boot and uImage. The initrd file is a typical one used by Linux systems during boot, and the uImage appeared to be a Linux kernel image. So this little box was clearly running Linux.

Other than the brute force strings command, I didn't have any tools on hand to examine the contents of these files. But running the strings command on the uImage file at least told me that the box was running a fairly recent kernel: "Linux-2.6.5-it0." I suspect that with a bit of time, one could recreate and customize both the kernel and initrd for special uses. And since the box boots a new image each time, the dangers of damage should be minimal.

While I was poking around, I set my sights on the Linkstation as well. The Linkstation already has a dedicated group of developers working to extend its capabilities, but since this was a loaner unit, I wasn't willing to re-flash the unit with custom firmware. Still, I thought that I could at least see what was happening in the running box. I had noticed that the unit supported anonymous ftp, and that menus were in place to allow the user to specify which directory would be exported.

Looking at the source of the web page revealed that sanity checks were executed in JavaScript, which is always a bad idea. Validation should always be done on the server side, not the client side, because there's nothing that says I have to use the supplied forms to set up the box. I can always directly contact the web server, thus bypassing the input validation from the original forms - so, that's what I did. After examining the web page source, I figured out the correct variables to use and the correct server-side cgi script to call. The result was a URL in this format (all on one line):