FML

One fine day, after my Windows 7 machine got a BSOD, I install some unrelated Windows updates, reboot, and see this little bundle of joy:

Silicon Image Controllers NOT Present / Silicon Image RAID controllers are NOT detected in the system. Please make sure that all controllers are installed and configured correctly. Press "OK" to exit this application.

What's that?

Silicon Image FakeRAID chipsets come with a stack of software: some kernel drivers, a Windows service that talks to the drivers, and a Java GUI that talks to the service over TCP. The GUI is not essential for normal operation, but it is what tells you when the array is done syncing.

I've seen this error before, but reinstalling random crap seemed to make it go away in the past. This time, I am determined to establish man's dominance over SHITTY SOFTWARE. I start procmon, add a filter and spot some TCP entries. The SATARAID5 GUI is bashing its head against the wall trying to connect:

That's odd. Let's see what happened to port 4242:

Yes, that's right. This crapware is listening on the wrong interface: the service has bound its management port to the address of my external network interface instead of loopback, so anybody who can reach that address can manage my RAID. Anybody except me, of course, because the GUI connects to localhost and finds nothing there.

Why so bad?

Time to investigate! I open the service executable in IDA Pro, find the bind() call and follow the address data to this delightful algorithm:

On Windows, gethostbyname() on the machine's own hostname resolves to the addresses of every interface on the host, not to loopback, and that cannot be overridden through the hosts file. The service takes that result as its bind address. Only if all interfaces are down does gethostbyname() hand back 127.0.0.1, so I suspect the only time this code works properly is when the service comes up before any interface is initialized. A management service that only needs to talk to a GUI on the same machine should bind to 127.0.0.1 explicitly and never ask the resolver where it lives.

Better living through violence

This is vintage 2006 software, and any updates are extremely unlikely. A binary patch should fix things right up. The bind address is stored as a string, built by the gethostbyname-calling function, and that string needs to be "127.0.0.1" instead of some enterprise programmer's crack-induced hallucination. The plan is to replace the start of that function with code that writes "127.0.0.1" into the destination buffer, whose address it receives in rcx, and returns. First, I turn to my laptop and get gcc to assemble some 64-bit code for me:

pahan@bile:~/temp$ cat qq.c
void diaf() {
    __asm__("movl $0x2e373231, (%rcx)\n"  /* "127." */
            "movl $0x2e302e30, 4(%rcx)\n" /* "0.0." */
            "movb $0x31, 8(%rcx)\n"       /* "1" */
            "ret");
}
pahan@bile:~/temp$ gcc qq.c -c
pahan@bile:~/temp$ objdump -d qq.o
...
   4:	c7 01 31 32 37 2e    	movl   $0x2e373231,(%rcx)
   a:	c7 41 04 30 2e 30 2e 	movl   $0x2e302e30,0x4(%rcx)
  11:	c6 41 08 31          	movb   $0x31,0x8(%rcx)
  15:	c3                   	retq   
...
        

IDA gives me the file offset of the gethostbyname-calling function, so I stop the service, overwrite the beginning of that function with these bytes in HxD, and restart the service. The SATARAID5 GUI is happy:

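As an added example (my code, not the author's and not anything shipped in the Silicon Image package), here is a small C generator for the same kind of patch. It emits the movl/movw/movb stores plus a ret that write an arbitrary string through rcx, the way the hand-assembled snippet above does for "127.0.0.1", and can optionally include the terminating NUL, which that snippet omits (so the author's patch relies on the byte after "127.0.0.1" already being zero in the destination buffer). It assumes, as the original patch does, that the buffer's address arrives in rcx, and it only handles offsets below 128 (8-bit displacements), which is plenty for an IP address string. With include_nul set to 0 it reproduces the exact 18 bytes gcc produced above, which is the sanity check you want before overwriting anything in HxD.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Append one byte to out[], refusing to overflow. */
static int put(uint8_t *out, size_t cap, size_t *n, uint8_t b) {
    if (*n >= cap) return 0;
    out[(*n)++] = b;
    return 1;
}

/* ModRM (+ disp8) for a /0 store through RCX:
 *   [rcx]       -> mod=00 reg=000 rm=001 = 0x01
 *   [rcx+disp8] -> mod=01 reg=000 rm=001 = 0x41, followed by disp8
 * disp8 is signed, so offsets above 127 would need the disp32 form,
 * which this example deliberately does not emit. */
static int put_mem_rcx(uint8_t *out, size_t cap, size_t *n, size_t disp) {
    if (disp == 0) return put(out, cap, n, 0x01);
    if (disp > 127) return 0;
    return put(out, cap, n, 0x41) && put(out, cap, n, (uint8_t)disp);
}

/* Emit x86-64 code that stores `s` (optionally with its NUL) at the address
 * held in RCX and returns.  Widest stores first, so for "127.0.0.1" without
 * the NUL this yields exactly the movl, movl, movb, retq sequence gcc
 * produced in the objdump listing above:
 *   mov dword [rcx+d], imm32 :    C7 01|41 d imm32
 *   mov  word [rcx+d], imm16 : 66 C7 01|41 d imm16
 *   mov  byte [rcx+d], imm8  :    C6 01|41 d imm8
 *   ret                      :    C3
 * Returns the number of bytes written, or 0 if `out` is too small or the
 * string needs an offset that does not fit in a disp8. */
size_t encode_store_string(const char *s, int include_nul, uint8_t *out, size_t cap) {
    size_t len = strlen(s) + (include_nul ? 1u : 0u);   /* s[strlen(s)] is the NUL */
    size_t off = 0, n = 0;
    while (off < len) {
        size_t rem = len - off;
        size_t width = rem >= 4 ? 4 : rem >= 2 ? 2 : 1;
        int ok = 1;
        if (width == 2) ok = put(out, cap, &n, 0x66);   /* 16-bit operand-size prefix */
        ok = ok && put(out, cap, &n, width == 1 ? 0xC6 : 0xC7);
        ok = ok && put_mem_rcx(out, cap, &n, off);
        for (size_t i = 0; ok && i < width; i++)         /* immediate = string bytes, little-endian */
            ok = put(out, cap, &n, (uint8_t)s[off + i]);
        if (!ok) return 0;
        off += width;
    }
    if (!put(out, cap, &n, 0xC3)) return 0;              /* ret */
    return n;
}

/* The 18 bytes objdump showed for the author's patch (movl, movl, movb, retq). */
static const uint8_t kAuthorsPatch[] = {
    0xc7, 0x01, 0x31, 0x32, 0x37, 0x2e,          /* movl $0x2e373231,(%rcx)     "127." */
    0xc7, 0x41, 0x04, 0x30, 0x2e, 0x30, 0x2e,    /* movl $0x2e302e30,0x4(%rcx)  "0.0." */
    0xc6, 0x41, 0x08, 0x31,                      /* movb $0x31,0x8(%rcx)        "1"   */
    0xc3                                         /* retq */
};

/* 1 if the generator reproduces the author's bytes for "127.0.0.1" (no NUL), else 0. */
int matches_authors_patch(void) {
    uint8_t buf[64];
    size_t n = encode_store_string("127.0.0.1", 0, buf, sizeof buf);
    return n == sizeof kAuthorsPatch && memcmp(buf, kAuthorsPatch, n) == 0;
}

int main(void) {
    uint8_t buf[64];
    size_t n = encode_store_string("127.0.0.1", 1, buf, sizeof buf);   /* this time with the NUL */
    printf("%s the objdump output above\n", matches_authors_patch() ? "matches" : "DOES NOT match");
    printf("%zu bytes to write at the function's file offset:", n);
    for (size_t i = 0; i < n; i++) printf(" %02x", buf[i]);
    printf("\n");
    return 0;
}
```

With include_nul set to 1 the output grows to 20 bytes: the trailing "1" and the NUL are written together by one movw (66 c7 41 08 31 00). The check this code cannot do for you is that the function being overwritten is at least as long as the generated sequence; compare the byte count against the function size IDA reports before writing anything.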
You can get the patched binary here. Stop the SATARaid5 Configuration Service, drop the file into C:\Program Files\Silicon Image\3124-W-A64-R SATARAID5 or wherever it lives on your system, and start the service again. 64-bit only. The patch is specific to the build I had, so check the file you are replacing first: the original binary is dated October 5th, 2005, package version 1.5.11.0. If it breaks your system, you get to keep both pieces.


Tell me how much FakeRAID sucks at w_sataraid5@xzrq.net