General NAS-Central Forums

Welcome to the NAS community
It is currently Tue Nov 21, 2017 7:05 pm

All times are UTC




Post new topic Reply to topic  [ 16 posts ]  Go to page 1, 2  Next
Author Message
PostPosted: Tue Apr 29, 2008 11:17 am 
Offline

Joined: Tue Apr 29, 2008 11:14 am
Posts: 8
Hi all.
Recently I bought a NAS FT3563-BT (http://fully-top.com/ArticleShow.asp?ArticleID=161) that seems same device that:
Coolmax CN-570 http://www.smallnetbuilder.com/content/ ... 99/75/1/3/
NS-348S http://www.multicase.de/en/products/76/ns348s.html http://www.enclosureservice.com/
Emprex NSD-100 http://www.emprex.com/02_products_02.php?id=205
Agestar NCB3AHT http://www.agestar.com/english/products/ncb3aht.asp
http://shenztech.com/code/ui/product/pr ... subcatid=9

At this moment, I'm capable to remote execute program (root user).
Such dmesg describes, firmware are splited in tree parts:

0x00000000-0x00020000 : "Armboot" (mtd0)
0x00020000-0x007e0000 : "Kernel & Ramdisk" (mtd1)
0x007e0000-0x00800000 : "configure" (mtd2)
I obtained these parts (using dd), and are available at:
http://www.uv.es/cuan/arxius/FT3563-BT/
I'm interested in rebuild "Kernel & Ramdisk" partition to add, or remove scripts and apps, but I don't know how to slplit kernel from Ramdisk.

I see others NAS systems what have a partition for kernel, and a partition for ramdisk, but in this case, Kernel and ramdisk are at same partition, and I want to rebuild filesystem.

Thanks.
elbuit AT gmail.com

Dmesg, free, df and mount :
Code:
-----------------dmesg----------------------------
Linux version 2.4.27-star (root@localhost.localdomain) (gcc version 3.3.6) #1308 Thu Mar 15 15:55:00 CST 2007
CPU: FA526id(wb) revision 1
ICache:16KB enabled, DCache:16KB enabled, BTB support
Machine: STAR_STR9100
On node 0 totalpages: 8192
zone(0): 8192 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: console=ttyS0,38400 root=/dev/ram0 initrd=0x00900000,10M mem=32M@0x00000000
Relocating machine vectors to 0xffff0000
IRQ Timer1 at interrupt number 0x0 and clock 100000000(Hz)
Calibrating delay loop... 153.60 BogoMIPS
Memory: 32MB = 32MB total
Memory: 19328KB available (1952K code, 575K data, 220K init)
max_threads is :512 @@@@@@@@@@@@@@@@@
Dentry cache hash table entries: 4096 (order: 3, 32768 bytes)
Inode cache hash table entries: 2048 (order: 2, 16384 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 8192 (order: 3, 32768 bytes)
POSIX conformance testing by UNIFIX
CPU clock is 200 !!!!!!!!
PCI: bus0: Fast back to back transfers disabled
pci bridge found
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
do initcalls start
Starting kswapd
NTFS driver v1.1.22 [Flags: R/W]
SGI XFS with no debug enabled
i2c-core.o: i2c core module version 2.6.1 (20010830)
i2c-algo-bit.o: i2c bit algorithm module
pty: 256 Unix98 ptys configured
Str9100 Serial Driver version 5.05c (2001-07-08) with no serial options enabled
ttyS00 at 0xf7800000 (irq = 10) is a Star_UART
!!!!!!!!!!!!!mac is: 0:b:2b:c0:64:83
RAMDISK driver initialized: 16 RAM disks of 16384K size 1024 blocksize
loop: loaded (max 8 devices)
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
SCSI subsystem driver Revision: 1.00
kmod: failed to exec /sbin/modprobe -s -k scsi_hostadapter, errno = 2
kmod: failed to exec /sbin/modprobe -s -k scsi_hostadapter, errno = 2
 Amd/Fujitsu Extended Query Table v1.3 at 0x0040
number of CFI chips: 1
cfi_cmdset_0002: Disabling fast programming due to code brokenness.
Creating 3 MTD partitions on "str9100_flash":
0x00000000-0x00020000 : "Armboot"
0x00020000-0x007e0000 : "Kernel & Ramdisk"
0x007e0000-0x00800000 : "configure"
ftl_cs: FTL header not found.
ftl_cs: FTL header not found.
ftl_cs: FTL header not found.
i2c-core.o: adapter STR9100 I2C Adapter registered as adapter 0.
usb.c: registered new driver hub
hcd.c: ehci_hcd @ EHCI, EHCI_HCdriver
hcd.c: irq 24, pci mem fcc00000
usb.c: new USB bus registered, assigned bus number 1
hub.c: USB hub found
hub.c: 2 ports detected
host/usb-ohci.c: USB OHCI at membase 0xc3819000, IRQ 23
host/usb-ohci.c: usb-OHCI, OHCI_HCdriver
usb.c: new USB bus registered, assigned bus number 2
hub.c: USB hub found
hub.c: 2 ports detected
usb.c: registered new driver usblp
printer.c: v0.13: USB Printer Device Class driver
Initializing USB Mass Storage driver...
usb.c: registered new driver usb-storage
USB Mass Storage support registered.
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 2048 bind 4096)
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NET4: AppleTalk 0.18a for Linux NET4.0
NetWinder Floating Point Emulator V0.97 (double precision)
do initcalls end
RAMDISK: Compressed image found at block 0
Freeing initrd memory: 10240K
VFS: Mounted root (ext2 filesystem) readonly.
Freeing init memory: 220K
UART IRQ_ports = c02a6018
UART IRQ at interrupt number 0xa
hub.c: new USB device EHCI-2, assigned address 2
scsi0 : SCSI emulation for USB Mass Storage devices
  Vendor: MAXTOR S  Model: TM3500320AS       Rev:     
  Type:   Direct-Access                      ANSI SCSI revision: 02
port:50
Attached scsi disk sda at scsi0, channel 0, id 0, lun 0
X1205: I2C based RTC driver.
i2c-core.o: driver X1205 registered.
X1205: found X1205 on STR9100 I2C Adapter
ccr_write_enable: verify SR failed
i2c-core.o: client [X1205] registered to adapter [STR9100 I2C Adapter](pos. 0).
X1205: i2c_add_driver RTC driver.
X1205: misc_register RTC driver.
atr is 0
Partition check:
 sda: sda1 sda2 sda3
WARNING: USB Mass Storage data integrity not assured
USB Mass Storage device found at 2
ccr_write_enable: verify SR failed
Adding Swap: 473908k swap-space (priority -1)
XFS mounting filesystem sd(8,2)
Ending clean XFS mount for filesystem: sd(8,2)
XFS mounting filesystem sd(8,3)
ccr_write_enable: verify SR failed
Ending clean XFS mount for filesystem: sd(8,3)
....................free.................
              total         used         free       shared      buffers
  Mem:        29788        28648         1140            0          308
 Swap:       473908         2080       471828
Total:       503696        30728       472968
....................mount.................
/dev/ram0 on / type ext2 (rw)
none on /proc type proc (rw)
/dev/sda2 on /conf type xfs (rw)
/dev/sda3 on /mnt/data type xfs (rw)
....................df.................
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/ram0                15863     14413       631  96% /
/dev/sda2               109888       264    109624   0% /conf
/dev/sda3            487650496  63216104 424434392  13% /mnt/data


Top
 Profile  
 
PostPosted: Sun May 04, 2008 11:04 pm 
Offline

Joined: Thu Mar 06, 2008 12:23 pm
Posts: 58
Location: Vienna
ok, so far i can see it is running a 2.4 kernel....are there any GPL sources available for this box (or a similar box) ? it might be helpfull for replacing the kernel with some additional kernel modules

by looking at http://www.uv.es/cuan/arxius/FT3563-BT/mtd1.bin with my hex editor i noticed
1) at beginning there were some strings that looked like as if they were from a bootloader? "Uncompressing Linux"....maybe this is a "daisy chained" bootloader..a bootloader thats loaded from another bootloader...
2) i noticed the word "ramdisk" inside.....probably after the kernel in the file. somehow i believe that you already were able to extract the ramdisk as i noticed this file: http://www.uv.es/cuan/arxius/FT3563-BT/ ... les.tar.gz
if yes then please post how exactly you extracted the tarball.....so others can check themselves and to document it for yourself...you will need it to reassemble it.

then i looked at the ramdisk - http://www.uv.es/cuan/arxius/FT3563-BT/ ... les.tar.gz
it seems to use:
    busybox/tinylogin for many things
    lpd for printserver
    samba for filesharing
    bittornado for torrent-downloading
    bftpd for ftp-serving
    thttpd for web-serving
the hdd seems to be formated with XFS and i expect the libc to be version 2.3.2 and interestingly it seems to support python and there is the libflash library?

whatever....most important is to document how to disassemble and reassemble the file, document this. also document how you are able to execute something as root over the webinterface.

and....i do not know if you noticed....but there is /usr/sbin/telnetd ...... try to start the telnet daemon.


Top
 Profile  
 
PostPosted: Mon May 05, 2008 7:15 am 
Offline

Joined: Tue Apr 29, 2008 11:14 am
Posts: 8
Hi. Thanks for your reply.
I can't found any GPL and kernel sources for this device. No JTAG or serial description on the web.
mindbender wrote:
ok, so far i can see it is running a 2.4 kernel....are there any GPL sources available for this box (or a similar box) ? it might be helpfull for replacing the kernel with some additional kernel modules

by looking at http://www.uv.es/cuan/arxius/FT3563-BT/mtd1.bin with my hex editor i noticed
1) at beginning there were some strings that looked like as if they were from a bootloader? "Uncompressing Linux"....maybe this is a "daisy chained" bootloader..a bootloader thats loaded from another bootloader...
2) i noticed the word "ramdisk" inside.....probably after the kernel in the file. somehow i believe that you already were able to extract the ramdisk as i noticed this file: http://www.uv.es/cuan/arxius/FT3563-BT/ ... les.tar.gz
if yes then please post how exactly you extracted the tarball.....so others can check themselves and to document it for yourself...you will need it to reassemble it.

Thanks for the tests.
I extracted ramdisk finding hexadecimal 1F8B0808 (begining of ramdisk).
mindbender wrote:
then i looked at the ramdisk - http://www.uv.es/cuan/arxius/FT3563-BT/ ... les.tar.gz
it seems to use:
    busybox/tinylogin for many things
    lpd for printserver
    samba for filesharing
    bittornado for torrent-downloading
    bftpd for ftp-serving
    thttpd for web-serving
the hdd seems to be formated with XFS and i expect the libc to be version 2.3.2 and interestingly it seems to support python and there is the libflash library?

Yes, hdd are formated with XFS, and ramdisk (/dev/ram0) are formated ext2.
It suports python, because use bittornado client.
System has 32MB RAM, and use 16MB to Ramdisk. This will reduce to 16MB all RAM available for:
samba+thttp+ftp+bittornado...!!!!
My first goal are to change root to a harddisk partition (and free ram) using pivot_root (I try adapt init from http://wiki.dns323.info/howto:install_debian), but does'nt work.
mindbender wrote:
whatever....most important is to document how to disassemble and reassemble the file, document this. also document how you are able to execute something as root over the webinterface.

and....i do not know if you noticed....but there is /usr/sbin/telnetd ...... try to start the telnet daemon.


Yes, I noticed that have a telnetd. The method to gain root access, are based on a smb.conf file.
You can see at http://www.lliures.org, and I opened a group at yahoo and I describe this method at first post.
http://tech.groups.yahoo.com/group/FT3563-BT/
I disassemble using a hex editor, but if I want to reassemble I only knows hex editor to reassemly, but I'm not sure if it's safe (because I don't know if bootloader or kernel image knows of checksums or offests). I'm only capable to identify ramdisk (not linux i image)
Now, I'm investigating on board to determine serial port pinout (and try to boot from tftp):
Image
I'm waiting for a Max3232 cable to test it.
I want to test firmwares from agestar using tftp boot:
http://www.agestar.com/english/support/firmware.html
Thanks
PS:This is a cheap (and bad) NAS. Hardware are bad, but firmware are worst (excuseme for my low english level, sniff)
Similar(or same) devices list:
Coolmax CN-570 http://www.smallnetbuilder.com/content/ ... 99/75/1/3/
NS-348S http://www.multicase.de/en/products/76/ns348s.html http://www.enclosureservice.com/
Emprex NSD-100 http://www.emprex.com/02_products_02.php?id=205
Agestar NCB3AHT http://www.agestar.com/english/products/ncb3aht.asp
Agester ncb3ast http://www.agestar.com/english/products/ncb3ast.asp
http://shenztech.com/code/ui/product/pr ... subcatid=9
revoltec rs049
Jaycar XC4677 http://jaycar.com.au/productView.asp?ID ... &SUBCATID=
Evertech et-1330 NCB3AS http://www.evertech.de/de/product-page. ... lassID3=78


Top
 Profile  
 
PostPosted: Mon May 05, 2008 1:26 pm 
Offline

Joined: Thu Mar 06, 2008 12:23 pm
Posts: 58
Location: Vienna
i just requested the GPL sources for several different boxes/vendors via their web forms.

we will see if someone gives provides them. From the legal point they have to but you never know.
When i get them i will put them to http://gpl.nas-central.org and notify you.

it does not seem to be important who actually provides them as they all look very similar.

regarding disassembling and reassembling the firmware again: "dd" is the right tool to use. a small script which is able to disassemble and assemble later again would be best.

regarding serial: no obvious serial port with 4 pins....it seems to be something else. i haven`t found anything on the net so far....looks like trial and error then.


Top
 Profile  
 
PostPosted: Mon May 05, 2008 3:04 pm 
Offline

Joined: Tue Apr 29, 2008 11:14 am
Posts: 8
mindbender wrote:
i just requested the GPL sources for several different boxes/vendors via their web forms.

we will see if someone gives provides them. From the legal point they have to but you never know.
When i get them i will put them to http://gpl.nas-central.org and notify you.

it does not seem to be important who actually provides them as they all look very similar.

10 or 15 days ago, I mailed to fully-top, but no response.
I say, what they not agree GPL license.
mindbender wrote:
regarding disassembling and reassembling the firmware again: "dd" is the right tool to use. a small script which is able to disassemble and assemble later again would be best.

Yes, i use dd. I'm capable to determine ramdisk begining, but no where linux Image begins.
Ramdisk begins at position x15acf4 of mtd1, and I suppose what kernel image will go from 0 to x15acf4 (except boot)
mindbender wrote:
regarding serial: no obvious serial port with 4 pins....it seems to be something else. i haven`t found anything on the net so far....looks like trial and error then.

I test JP1 using a max233 cable, but this IC works at 5V, and no positive results.
I'm waiting for a max3232 cable what works at 3,3V.
I supose what JP1 will be serial because this connector has 2 pins to low (can be RX and CTS), and a JTAG only have one pin to low (TDO). A user from(30252783) a italian forum says me this.
Thanks.
PS:mindbender, have you any of these cheap NAS?


Top
 Profile  
 
PostPosted: Mon May 05, 2008 3:52 pm 
Offline

Joined: Thu Mar 06, 2008 12:23 pm
Posts: 58
Location: Vienna
i got feedback from the multicase guys. they told me that they were not aware of the fact that their box runs linux and they will now organise the GPL source package for the NS-348S....i also checked the downloadable firmwares for the NS-347 & NS-347S , the same...so i requested them for all 3 boxes.

will take a while, but i know that multicase complied to the GPL before ....the Dualhddnas devices.

i suppose we will have GPL sources soon then.

@serial: yes, so far i have only encountered 3.3V in all NAS devices i have (only buffalo boxes...this also answers your last question).

@introduction:
read beginning of http://nas-central.org/index.php/Genera ... tion_guide ... then look at
http://buffalo.nas-central.org/index.ph ... ET_history and our current news...then you know my story.


Top
 Profile  
 
PostPosted: Tue May 06, 2008 1:33 pm 
Offline

Joined: Tue May 06, 2008 1:26 pm
Posts: 1
I've just (as in today) taken delivery of an NCB3AS (marketed under the Evertech brand here in Europe) that shares the same firmware as the NCB3AHT.
I had a look through the firmware upgrade .bin file, and can confirm that it's linux based, so I've requested source from Age Star.

I have zero experience in NAS hacking, and mainly casual user experience in Linux (but many years coding experience), but let me know if I can be of any help.


Top
 Profile  
 
PostPosted: Tue May 06, 2008 7:13 pm 
Offline

Joined: Tue Apr 29, 2008 11:14 am
Posts: 8
Lissajous wrote:
I've just (as in today) taken delivery of an NCB3AS (marketed under the Evertech brand here in Europe) that shares the same firmware as the NCB3AHT.
I had a look through the firmware upgrade .bin file, and can confirm that it's linux based, so I've requested source from Age Star.

I have zero experience in NAS hacking, and mainly casual user experience in Linux (but many years coding experience), but let me know if I can be of any help.

Hi Lissajous, thanks for your offering, please, read this post:
http://www.lliures.org/2008/05/02/ft3563-bt-hacking/ or at first post of http://tech.groups.yahoo.com/group/FT3563-BT/
and try to exec something like ls, and try to execute dmesg and post output here to compare devices. (you need linux to do this, Ubuntu are a easy Linux distribution)
If are possible, open your box and take some pictures and determine IC's to compare devices.
I also have zero experience in NAS (or other device) hacking.
You can post any doubt here.


Top
 Profile  
 
PostPosted: Wed May 07, 2008 9:56 am 
Offline

Joined: Thu Mar 06, 2008 12:23 pm
Posts: 58
Location: Vienna
you both have the device which i don`t, but exactly you guys are the reason why i am writing
http://nas-central.org/index.php/Genera ... tion_guide

i will add a new section about the different methods used for obtaining shell access/information without serial.

EDIT: its here http://nas-central.org/index.php/Genera ... ell_access
i still need to add information about devices that have their linux system only in flash. I so far never had such a device. So i am learning as well here.


Top
 Profile  
 
PostPosted: Wed May 07, 2008 10:26 am 
Offline

Joined: Tue Apr 29, 2008 11:14 am
Posts: 8
Thanks mindbender.
Our NAS box don't write systems at hdd, only write some configurations files.
I'm not sure if any NAS put all system at HDD.

1) Create a user and share using web interface
2) Connect NAS by USB and create a file (ie:init_telnet.sh):
Code:
#!/bin/ash

echo "pts/0" >>/etc/securetty
/usr/sbin/telnetd


3) Copy this file at same partition of smb.conf, and make executable (chmod +x)
4) Edit smb.conf and add this line to the share created before:
Code:
root preexec = /conf/init_telnet.sh

And disconnect from USB and connect by network to share.
When you connect to share, init_telnet.sh script will be executed, and you will have root access (user=root, no password)

EDIT: A sub-section like "configuration data files stored at hdd" should be interesting, it's our method.


Top
 Profile  
 
PostPosted: Wed May 07, 2008 7:00 pm 
Offline

Joined: Thu Mar 06, 2008 12:23 pm
Posts: 58
Location: Vienna
You mean like
http://nas-central.org/index.php/Genera ... devices.29
?


Top
 Profile  
 
PostPosted: Wed May 07, 2008 7:15 pm 
Offline

Joined: Tue Apr 29, 2008 11:14 am
Posts: 8
mindbender wrote:

Yes, that is I want say.
And, a interesting(an trivial) thing to put, should be what you can put a arm compiled executable at same partition of init_telnet.sh, and execute it (ie:if no telnetd available)
Before I discover what telnetd exists, I use netcat for arm.


Top
 Profile  
 
PostPosted: Thu May 08, 2008 11:48 am 
Offline

Joined: Thu Mar 06, 2008 12:23 pm
Posts: 58
Location: Vienna
where did you get that executable or how did you produce(cross compile?) it?


Top
 Profile  
 
PostPosted: Thu May 08, 2008 12:34 pm 
Offline

Joined: Tue Apr 29, 2008 11:14 am
Posts: 8
mindbender wrote:
where did you get that executable or how did you produce(cross compile?) it?

Hi mindbender
I get netcat for arm at http://www.emdebian.org/


Top
 Profile  
 
PostPosted: Sat May 10, 2008 9:51 am 
Offline

Joined: Thu Mar 06, 2008 12:23 pm
Posts: 58
Location: Vienna
ok guys...so whats next?

do you want a seperate forum section for this kind of devices?


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 16 posts ]  Go to page 1, 2  Next

All times are UTC


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group