LaCie LaPlug
LaCie LaPlug
Is anyone familiar with the new NAS device from LaCie? It is a small box and the drives it accesses are USB drives you connect. (like the Iomega iConnect)
I'd really like SSH access to the LaPlug. I see many subforums for LaCie products. Any idea if the tips for the other products will work for this one?
Thanks.
I'd really like SSH access to the LaPlug. I see many subforums for LaCie products. Any idea if the tips for the other products will work for this one?
Thanks.
Re: LaCie LaPlug
Partly, maybe. There are big differences between this box, and the other Lacie's. The main one is that the NASses have their firmware on disk, while this one has its firmware in flash, putting more constraints on the size.
Anyway, I downloaded firmware 1.0.4, and had a look at it. binwalk told it's a tar file starting at byte 32. So I extracted it:This gives 2 files:
-rw-r--r-- 1 Mijzelf Mijzelf 2090460 Nov 2 10:46 kernel.uboot
-rw-r--r-- 1 Mijzelf Mijzelf 40369564 Nov 19 11:35 rootfs.jffs2
obviously a kernel and a rootfs. Using the mtd2block kernel module I could mount the rootfs. Some findings so far:
Anyway, I downloaded firmware 1.0.4, and had a look at it. binwalk told it's a tar file starting at byte 32. So I extracted it:
Code: Select all
dd if=plug_1.0.4.cluff bs=32 skip=1 | tar x
-rw-r--r-- 1 Mijzelf Mijzelf 2090460 Nov 2 10:46 kernel.uboot
-rw-r--r-- 1 Mijzelf Mijzelf 40369564 Nov 19 11:35 rootfs.jffs2
obviously a kernel and a rootfs. Using the mtd2block kernel module I could mount the rootfs. Some findings so far:
- The box doesn't use initng, like other Lacie's, but system V init.
- According to /etc/inittab you can login on a serial port, 115200 baud.
- This box doesn't use the evil unicorn, instead there is something called 'klaxon'.
- There is an ssh server, and a start script in /etc/init.d, but it's not started directly by init.
- There is a telnetd server, and a start script in /etc/init.d, but it's not started directly by init.
- AjaXplorer is present, so you could try the symlink trick to get access to your rootfs.
- /etc/shadow contains much more users than /etc/passwd does.
- I think the box has a RT2860 wireless card.
- The box runs a 2.6.31.8 kernel
Re: LaCie LaPlug
The update procedure for the firmware is pretty straightforward. I am not skilled in this but my idea was to modify a firmware update and then apply the firmware with ssh enabled - or something similar. I could not figure out what to use to look inside a cluff file though to see if that was even an option.
This may sound naive, but could this be as simple as un-commenting /etc/init.d to allow ssh and/or telnet to start at boot in a firmware update and then apply that firmware update?
This may sound naive, but could this be as simple as un-commenting /etc/init.d to allow ssh and/or telnet to start at boot in a firmware update and then apply that firmware update?
Re: LaCie LaPlug
Sound perfectly reasonable. I found the actual update function (it's in an uncommon place, /init):
So a cluff file is actually a tarfile containing a kernel and a rootfs, preceded by a 32 byte md5sum of the tarfile.
There is a problem, however. the rootfs is a jffs2 image, which is a difficult filesystem. You can't just loopmount it, because it's intended to run from a mtd-blockdevice. With some tricks it can be mounted, but then it's readonly. (At least on my box it is). So the procedure would be copying the contents of the rootfs somewhere else, editing it as you like, and creating a new image from it using mkfs.jffs2. This last function needs a blocksize and an erasesize specified. AFAIK the blocksize isn't really important, but choosing the wrong erasesize could brick your box. So it could be a good idea if you managed to read /proc/mtd.
Maybe it's possible to extract the erasesize from the provided image. I don't know.
Code: Select all
cluff_update() {
FILE=$1
FILE_LOCAL=$(basename $FILE)
echo "*** updating with file $FILE_LOCAL ***"
echo "- checking file"
MD5_HEAD=$(head -c32 $FILE)
FILE_SIZE=$(stat -c %s $FILE)
TAR_SIZE=$((FILE_SIZE - 32))
MD5_TAR=$(tail -c $TAR_SIZE $FILE | md5sum | awk '{print $1}')
if [ "$MD5_HEAD" != "$MD5_TAR" ]; then
exit_error "MD5 hash mismatch"
fi
echo " => check ok: MD5 = $MD5_TAR"
echo "- extracting files"
EXTRACT_PATH=/tmp/files
rm -rf $EXTRACT_PATH
mkdir -p $EXTRACT_PATH
tail -c $TAR_SIZE $FILE | tar -x -f - -C $EXTRACT_PATH
if [ ! -f "$EXTRACT_PATH/$UPDATE_KERNEL_FILE" ]; then
exit_error "missing kernel file"
fi
if [ ! -f "$EXTRACT_PATH/$UPDATE_ROOTFS_FILE" ]; then
exit_error "missing rootfs file"
fi
echo " => updating kernel"
flash_write $EXTRACT_PATH/$UPDATE_KERNEL_FILE 2
echo " => updating rootfs"
flash_write $EXTRACT_PATH/$UPDATE_ROOTFS_FILE 3
echo " => cleaning config and data partitions"
flash_eraseall -q /dev/mtd4
flash_eraseall -q /dev/mtd5
echo "*** done ***"
echo "- rebooting device"
reboot -f
}
So a cluff file is actually a tarfile containing a kernel and a rootfs, preceded by a 32 byte md5sum of the tarfile.
There is a problem, however. the rootfs is a jffs2 image, which is a difficult filesystem. You can't just loopmount it, because it's intended to run from a mtd-blockdevice. With some tricks it can be mounted, but then it's readonly. (At least on my box it is). So the procedure would be copying the contents of the rootfs somewhere else, editing it as you like, and creating a new image from it using mkfs.jffs2. This last function needs a blocksize and an erasesize specified. AFAIK the blocksize isn't really important, but choosing the wrong erasesize could brick your box. So it could be a good idea if you managed to read /proc/mtd.
Maybe it's possible to extract the erasesize from the provided image. I don't know.
Re: LaCie LaPlug
Quick update ... The symlink trick worked.
I am now browsing the file system looking for default.runlevel so I can uncomment ssh.
I am now browsing the file system looking for default.runlevel so I can uncomment ssh.
Re: LaCie LaPlug
There is no 'default.runlevel', that's an initng file. This box uses system V init, and you should put a symlink S99sshd in /etc/rc2.d/ which points to /etc/init.d/sshd (or whatever it's name is). If you cannot create symlinks, you can copy the whole script to rc2.d. Rename it so it starts with S99 (The scripts are started in alphabetically order, and you definitely don't want to crash the init system too early.)
Re: LaCie LaPlug
When you can read all files in the filesystem, could you post the content of some interesting (pseudo-)files?
/proc/cpuinfo
/proc/meminfo
/proc/mtd
/proc/mounts
/proc/version
/proc/cmdline
/proc/partitions
/proc/cpuinfo
/proc/meminfo
/proc/mtd
/proc/mounts
/proc/version
/proc/cmdline
/proc/partitions
Re: LaCie LaPlug
I am away visiting family but will check in once I return.
Before I left I did try copying an openssh script to etc/init.d and was unsuccessful in getting SSH to start. I did not see an "ssh" folder.
I have also been unsuccessful overwriting the password in the shadow password file to be able to login as root rather than admin. I think I overwrote the wrong part of the line for root though.
Again, ran out of time before the holiday to get these things done but will try again soon and post back.
Before I left I did try copying an openssh script to etc/init.d and was unsuccessful in getting SSH to start. I did not see an "ssh" folder.
I have also been unsuccessful overwriting the password in the shadow password file to be able to login as root rather than admin. I think I overwrote the wrong part of the line for root though.
Again, ran out of time before the holiday to get these things done but will try again soon and post back.
Re: LaCie LaPlug
OK - the LaPlug is deleting the script file when I reboot the system.
I copy openssh to etc/rc.2, rename it to S99openssh and after reboot the file is gone.
Can I modify one of the existing files to include this info without corrupting them?
I attached a screenshot of what is in etc/rc2.d.
I copy openssh to etc/rc.2, rename it to S99openssh and after reboot the file is gone.
Can I modify one of the existing files to include this info without corrupting them?
I attached a screenshot of what is in etc/rc2.d.
You do not have the required permissions to view the files attached to this post.
Re: LaCie LaPlug
I suppose you can edit /etc/init.d/boot for that (Is called as S99bootend). Changein
Make sure you use an editor which handles *nix line ending well.
Code: Select all
bootend)
/etc/usb/usb_power.sh status | grep 'off' > /dev/null 2>&1
[ "$?" != "0" ] && /etc/leds solid blue
;;
Code: Select all
bootend)
/etc/init.d/openssh start
/etc/usb/usb_power.sh status | grep 'off' > /dev/null 2>&1
[ "$?" != "0" ] && /etc/leds solid blue
;;
Make sure you use an editor which handles *nix line ending well.
Re: LaCie LaPlug
Using the web interface I downloaded a copy of the boot file. I then modified it using pspad. I renamed the original boot file on the LaPlug to "boot-original". I then uploaded my modified boot file and rebooted the LaPlug. The renamed boot file "boot-original" is missing and the boot file that remains has the old time stamp that matches all the other files in the directory.
I suspect that the LaPlug is reinstalling the OS kind of like a Live CD when it is restarted. Not sure if that makes sense though - but it would explain what I am seeing. The openssh file I copied before and the boot files I just modified and copied are not being deleted specifically - the whole OS is being refreshed which makes those new files disappear and makes modified files the same as before the modifications. (From a product design or engineering standpoint that would probably be simpler than scanning the disk for changed files and removing or modifying them)
I suspect that the LaPlug is reinstalling the OS kind of like a Live CD when it is restarted. Not sure if that makes sense though - but it would explain what I am seeing. The openssh file I copied before and the boot files I just modified and copied are not being deleted specifically - the whole OS is being refreshed which makes those new files disappear and makes modified files the same as before the modifications. (From a product design or engineering standpoint that would probably be simpler than scanning the disk for changed files and removing or modifying them)
Re: LaCie LaPlug
That is perfectly possible. Actually all Lacie NASses use a unionfs to keep the modifications seperated from the 'real' firmware. This makes it possible to do a factory reset. Just delete the contents of the top layer. On other NASses the top layer is on harddisk, but it could be a ramdisk on the LaPlug.
The contents of /proc/mounts should be able to tell if this is the case.
Maybe there is another way to start ssh. According to /etc/udev/rules.d/external-disks.rules a script /etc/usb/disk/udev_clbk.sh is called when a harddisk is connected or removed. This script doesn't exist. But you can create one, and putinside it. Then, by inserting or removing an usb stick, the ssh server should be started.
The contents of /proc/mounts should be able to tell if this is the case.
Maybe there is another way to start ssh. According to /etc/udev/rules.d/external-disks.rules a script /etc/usb/disk/udev_clbk.sh is called when a harddisk is connected or removed. This script doesn't exist. But you can create one, and put
Code: Select all
#!/bin/sh
/etc/init.d/openssh start
Re: LaCie LaPlug
/proc/mounts has a single line that reads:
rootfs / ro
rootfs / ro
Re: LaCie LaPlug
/etc/usb/disk/udev_clbk.sh does exist on my LaPLug. It has a date and time stamp like all the other system files of 2011/05/20 07:35.
The contents of the file are:
The contents of the file are:
Code: Select all
#!/bin/sh
flock -x /var/lock/usb-disk.lock sh /etc/usb/disk/core.sh udev "$1" "$2"
#(
# flock -x 200
# sh /etc/usb/disk/core.sh udev "$1" "$2"
#) 200>/var/lock/usb-disk.lock
Re: LaCie LaPlug
*That* is strange! You read this through a symlink on a USBstick, right? In that case at least the mount of the stick itself should be visible.mushupork wrote:/proc/mounts has a single line that reads:
rootfs / ro
Hm. that means that either there are more filesystems than the rootfs alone, or it's create runtime, somehow (why?), or my rootfs is damaged by mounting it with the wrong erasesize. Can you post me /proc/mtd to check out the first and last possibility?/etc/usb/disk/udev_clbk.sh does exist on my LaPLug.
Well, you can just add the lineThe contents of the file are:
Code: Select all
/etc/init.d/openssh start