Lacie CloudBox rootlogin by disassembling

blong
Posts: 7
Joined: Mon Jan 07, 2013 1:23 pm

Lacie CloudBox rootlogin by disassembling

Post by blong » Mon Jan 07, 2013 1:45 pm

Got root on a Lacie CloudBox 2T by:
1. get harddisk out and connect to linux host
2. mount /dev/sdb6 /mnt/sdb6 -t ext3
3. create /mnt/sdb6/0/root/.ssh and authorized_keys (check permissions)
4. edit /mnt/sdb6/0/etc/unicorn/unicorn_conf/unicorn.sharing.ssh.conf to enable ssh
5. re-assemble and boot
7. ssh -p 2222 root@<yourlacie>

Some remarks:
- Ad 4: editing /mnt/sdb6/0/etc/initng/runlevel/default.runlevel to activate sshd is another option, but later in de bootprocess unicorn kills sshd. It does however give you a 20 second window to login.
- The changes in step 3 and 4 do not survive a reset to factory settings.
- I hapily used http://lacie.nas-central.org/wiki/Enabl ... space_2%29 to figure things out.

Edit: be clear about this not surviving a reset to factory settings.

computerfreak
Posts: 5
Joined: Fri Feb 01, 2013 7:05 pm

Re: Lacie CloudBox rootlogin by disassembling

Post by computerfreak » Fri Feb 01, 2013 7:08 pm

Hi,

Could you explane me a (noobproof) how-to.. I always got a "permission denied" error when i try to login via putty.

blong
Posts: 7
Joined: Mon Jan 07, 2013 1:23 pm

Re: Lacie CloudBox rootlogin by disassembling

Post by blong » Fri Feb 01, 2013 8:05 pm

computerfreak wrote:Could you explane me a (noobproof) how-to.. I always got a "permission denied" error when i try to login via putty.
I'd love to, but you need to give us more information, because there are more ways to get "permission denied". Exactly what steps did you take up to this point?

computerfreak
Posts: 5
Joined: Fri Feb 01, 2013 7:05 pm

Re: Lacie CloudBox rootlogin by disassembling

Post by computerfreak » Fri Feb 01, 2013 11:40 pm

Well this is what i did,

1. I have created the .ssh folder
2. I have created the authorized_keys file and insert te public key that i made with puttygen.
3. I have set the permissiosn of the .ssh folder to => 755 and the authorized_keys to 644
4. I have edit the unicorn.sharing.ssh.conf to true
5. re-assemble and boot

blong
Posts: 7
Joined: Mon Jan 07, 2013 1:23 pm

Re: Lacie CloudBox rootlogin by disassembling

Post by blong » Sat Feb 02, 2013 7:05 am

Did you instruct putty to connect to port 2222 (the default is 22)?

computerfreak
Posts: 5
Joined: Fri Feb 01, 2013 7:05 pm

Re: Lacie CloudBox rootlogin by disassembling

Post by computerfreak » Sat Feb 02, 2013 8:02 am

blong wrote:Did you instruct putty to connect to port 2222 (the default is 22)?
Yes i did.

blong
Posts: 7
Joined: Mon Jan 07, 2013 1:23 pm

Re: Lacie CloudBox rootlogin by disassembling

Post by blong » Sat Feb 02, 2013 9:08 am

Approaching the end of Things that come to mind. You can try:
- check wether you login as user root
- try a login with verbosity on and paste output here
- check the contents of authorized_keys (one key on one line; remove spaces resulting from concatenating lines)
- try to login from a linux box to exclude some issue on your client

You should not get a password prompt.

Mijzelf
Posts: 6199
Joined: Mon Jun 16, 2008 10:45 am

Re: Lacie CloudBox rootlogin by disassembling

Post by Mijzelf » Sat Feb 02, 2013 11:28 am

3. I have set the permissiosn of the .ssh folder to => 755 and the authorized_keys to 644
That should be 700 and 600
http://www.openssh.org/faq.html#3.14

blong
Posts: 7
Joined: Mon Jan 07, 2013 1:23 pm

Re: Lacie CloudBox rootlogin by disassembling

Post by blong » Sat Feb 02, 2013 11:50 am

Mijzelf wrote:That should be 700 and 600
http://www.openssh.org/faq.html#3.14
I have been considering that, but I do not think is the cause of "permission denied" in this case. I tested by changing permissions to 755 and 644 on my box and was permitted login using the keypair. Also the manual page suggests only writability by others would be a problem:
If this file, the ~/.ssh directory, or the user's home directory are writable by other users, then the file could be modified or replaced by unauthorized users. In this case, sshd will not allow it to be used unless the StrictModes option has been set to ``no''.
I checked 777 on /root gave me a login prompt.

computerfreak
Posts: 5
Joined: Fri Feb 01, 2013 7:05 pm

Re: Lacie CloudBox rootlogin by disassembling

Post by computerfreak » Sat Feb 02, 2013 2:42 pm

blong wrote:Approaching the end of Things that come to mind. You can try:
- check wether you login as user root
- try a login with verbosity on and paste output here
- check the contents of authorized_keys (one key on one line; remove spaces resulting from concatenating lines)
- try to login from a linux box to exclude some issue on your client

You should not get a password prompt.
This is the message what i got when i would connect with my raspberry pi.

pi@raspbmc:~$ ssh -v root@198.168.0.104 -p 2222

OpenSSH_6.0p1 Debian-3, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 198.168.0.104 [198.168.0.104] port 2222.

blong
Posts: 7
Joined: Mon Jan 07, 2013 1:23 pm

Re: Lacie CloudBox rootlogin by disassembling

Post by blong » Sat Feb 02, 2013 3:38 pm

I don't see "permission denied".

If it hangs there maybe the ssh server did not start and I'd like to see the contents of unicorn.sharing.ssh.conf. That file is on three different partitions and it is important you take the one under sdb6/0 (ie under the sixth partition that is on disk; it has a directory '0' at the top). If you think you took the wrong partition, you should also re-do step 3.

User avatar
KillerDAN
Posts: 4
Joined: Sat Mar 16, 2013 11:09 am

Re: Lacie CloudBox rootlogin by disassembling

Post by KillerDAN » Sat Mar 16, 2013 11:13 am

Out of curiosity, which make/ model was the 2TB drive ?

I got myself a 3TB one but it is "DOA". It only reports ~800GB. I am now afraid design issues and not being an isolated case.

Option is return for refund or return for a new unit.

Check info about Intel RST driver: http://www.seagate.com/support/downloads/beyond-2tb/

Also, and going a little bit off topic, does your interface negotiates at lower speeds than gigabit ? With root access can you correct this ?

computerfreak
Posts: 5
Joined: Fri Feb 01, 2013 7:05 pm

Re: Lacie CloudBox rootlogin by disassembling

Post by computerfreak » Sun Mar 31, 2013 3:49 pm

[quote="blong"]Got root on a Lacie CloudBox 2T by:
1. get harddisk out and connect to linux host
2. mount /dev/sdb6 /mnt/sdb6 -t ext3
3. create /mnt/sdb6/0/root/.ssh and authorized_keys (check permissions)
4. edit /mnt/sdb6/0/etc/unicorn/unicorn_conf/unicorn.sharing.ssh.conf to enable ssh
5. re-assemble and boot
7. ssh -p 2222 root@<yourlacie>

He does anyone can send me a sample of the authorized_keys and the unicorn.sharing.ssh.conf files.

Maybe someone can make a tutorial for me?

User avatar
KillerDAN
Posts: 4
Joined: Sat Mar 16, 2013 11:09 am

Re: Lacie CloudBox rootlogin by disassembling

Post by KillerDAN » Sat Apr 13, 2013 11:22 am

Rooted !

What is my goal ?

- I hate locked down devices than fail to explore full potential,
- LaCie software if frustrating for anything else than non proficient user, for all else it falls short and lacks funcionalities

So, this is my walk through... I rooted the CloudBox with "partial" disassembling... partial because no screws where taken.

First of all it should be possible to do it without even opening the box using CLUNC http://www.lacie-nas.org/dokuwiki/doku.php?id=clunc but I was unable to do it... not sure why.

EDIT: Taken from http://www.rigacci.org/wiki/doku.php/do ... d2_network:"(WARNING: it seems that clunc broadcasts to U-Boot only to the interface where you have the default route, beware if you have more than one Ethernet interface):"

I did it using a serial console cable to the board using information from: http://lacie.nas-central.org/wiki/File: ... serial.jpg as the pin out is the same. You need a RS232 TTL converter like the MAX232 http://www.ebay.co.uk/itm/RS232-To-TTL- ... 19ca595338; Just google it or look it up on eBay if link goes away, and a putty alike serial client.

At a given time the UBoot stops at:

Code: Select all

Waiting for LUMP (3)
no lump receive; continuing
Hit any key to stop autoboot:  0 
This is where I frantically hit the keyboard and get it to stop. Now using UBoot environment variables that boot scripts will use I change it to pass kernel parameters to boot it in "single user mode"

Code: Select all

Marvell>> printenv console
console=console=ttyS0,115200
Marvell>> setenv console 'single init=/bin/sh console=ttyS0,115200'
Marvell>> printenv console                                         
console=single init=/bin/sh console=ttyS0,115200
Marvell>> ide reset

Reset IDE: 
Marvell Serial ATA Adapter

Marvell Serial ATA Adapter
Integrated Sata device found
[0 0 0]: Enable DMA mode (5)
  Device 0 @ 0 0:
Model: ST3000DM001-1CH166                       Firm: CC44     Ser#:             W1F2ALG5
            Type: Hard Disk
            Supports 48-bit addressing
            Capacity: 2861588.4 MB = 2794.5 GB (5860533168 x 512)
PCIe SATA:ffffffff

Marvell>> run nexus_boot
Booting Nexus layout from disk 0...
boot_count=0
saved_entry=0
Loading file "/boot/uImage" from ide device 0:4 (gpt4
)
7177572 bytes read

## Checking Image at 00800000 ...
   Image Name:   Linux-2.6.31.14-svn7493
   Created:      2012-09-27  18:20:30 UTC
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    7177508 Bytes =  6.8 MB
   Load Address: 00008000
   Entry Point:  00008000
   Verifying Checksum ... OK
## Error: "rescue" not defined
## Booting image at 00800000 ...
   Image Name:   Linux-2.6.31.14-svn7493
   Created:      2012-09-27  18:20:30 UTC
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    7177508 Bytes =  6.8 MB
   Load Address: 00008000
   Entry Point:  00008000
   Verifying Checksum ... OK
OK
bootargs from environment variables : single init=/bin/sh console=ttyS0,115200 boot=UUID=45383132-04f6-46ba-9ba8-b1d3dea7d28c root=UUID=0aaf00e6-378a-4f09-9720-12e6de1f08e2 cap=gpt,lba64

Starting kernel ...
Above, look for the line at the end starting with "bootargs from environment variables".

Now when this finished you get a root console prompt whiteout asking for password and a partial mounted filesystem.
What you get is enough to run vi and create the ssh/authorized_keys and "patch" unicorn.
More info on ssh here http://www.debian-administration.org/articles/530 I created the file and copy pasted the key in a SINGLE line. Beware editor quirks.

Uncomment sshd like in /etc/initng/runlevel/default.runlevel

Code: Select all

# +--+  File autogenerated by sbs_plugin projectfilepatcher (Stage: RELEASE) +--+
initial
dbus
udev
ublocks
dhcdbd
logrotate
syslogd
klogd
NetworkManager
http
getty/S0
getty/0
sshd/generate_keys
sshd
cron
unicorn
thumbd
unicorn/ready
mdadm/monitor
buttons-manager
Just change enable to true in /etc/unicorn/unicorn_conf/unicorn.sharing.ssh.conf

Code: Select all

_config:
    enabled: true 
    port: 2222
    chroot_directory: '/'
    authorized_keys: ''
Now at this time you can run system init,

Code: Select all

/sbin/initng
and system would continue boot as it normally would.

You can now ssh into it:

Code: Select all

root@raspberrypi:~# ssh root@lacie-cloudbox -p 2222
[root@LaCie-CloudBox ~]# uname -av
Linux LaCie-CloudBox 2.6.31.14-svn7493 #1 Thu Sep 27 18:20:26 UTC 2012 armv5tel GNU/Linux
[root@LaCie-CloudBox ~]# cat /etc/issue 
NAS OS 2.6.8.1
Linux \r on an \m / \l
Main goal is complete.

I have already installed ipkg, info on http://www.nslu2-linux.org/wiki/Main/PlugComputers, and I am now taclking unicorn to allow me to make changes on configuration files.
To install ipkg I just remounted / as rw

Code: Select all

mount -o remount rw /
For instance, unicorn keeps overwriting the changes I made to setting.json of transmission.

One chance is to do it like described here http://lacie.nas-central.org/wiki/Categ ... eb_manager
Changing the init script to use a different configfile.

All other changes, ssh keys, unicorn ssh and ipkg install under /opt where persistent across reboots.

Hope it helps and hope to discuss with others changes within the Lacie NAS OS to improve it, without breaking it ;)

jez
Posts: 18
Joined: Wed Jul 10, 2013 3:18 pm

Re: Lacie CloudBox rootlogin by disassembling

Post by jez » Wed Jul 10, 2013 3:45 pm

Hiya

I managed to get root using clunc, on my cloudbox running firmware v2.6.8.2. I created a script and put it on the "family" share, then I adjusted the uboot console variable to add to the kernel boot arguments in such a way that they get added to a file that gets sourced by several utilities at boot time. Details:

Contents of script:

Code: Select all

#!/bin/sh
/usr/sbin/telnetd -l /bin/sh
Ensure the script contains newlines and not carriage-returns (so don't use Notepad to create). Copy it into the root of the "family" share on the cloudbox. Call it telnetd.sh.

Run clunc, reboot the cloudbox, then when the Marvell prompt shows up, change the console variable with the setenv command like so:

Code: Select all

Marvell>> setenv console 'console=ttyS0,115200 a=a;/*/*/telnetd.sh'
Then type "ide reset" and "run nexus_boot".

After about 2 minutes, you should be able to telnet into a root shell.

This won't survive a reboot, so follow the other instructions provided in this thread, to get secure-shell logins working.

For those interested in how this works, check out the file lib/drive_utils. This and other scripts source the file /etc/cmdline.conf, without sanitizing the contents. The cmdline.conf file is built at boot time by /etc/init.d/cmdline, which simply splits apart (at spaces) the contents of /proc/cmdline (ie the boot parameters, including the uboot "console" variable), and each term is put into a var=val line in cmdline.conf, each variable prefixed with "cmdline_". So after booting with the above settings, my cmdline.conf contains this line:

Code: Select all

cmdline_a=a;/*/*/telnetd.sh
When this gets sourced by drive_utils (and other places), "a=a" is executed and then "/*/*/telnetd.sh" is executed. The shell expands this to /shares/Family/telnetd.sh.

Also, I didn't want to change the root password, so instead, I gave my admin login a shell with this one-liner:

Code: Select all

cp /etc/passwd /etc/passwd.bak && sed -i '/^admin:/s/false/bash/' /etc/passwd
Hmm, seems this isn't the reason that I cannot login as admin. So I did the ssh thing as follows:

Code: Select all

cp /etc/initng/runlevel/default.runlevel /etc/initng/runlevel/default.runlevel.bak
sed -i '/^#sshd$/s/^#//' /etc/initng/runlevel/default.runlevel
cp /etc/unicorn/unicorn_conf/unicorn.sharing.ssh.conf /etc/unicorn/unicorn_conf/unicorn.sharing.ssh.conf.bak
sed -i '/enabled:.*false/s/:.*/: true/' /etc/unicorn/unicorn_conf/unicorn.sharing.ssh.conf
ngc --start sshd
Then for the keys:

Code: Select all

ssh -o batchmode=yes 0.0.0.0  # creates .ssh with correct permissions
cd ~/.ssh
ssh-keygen  # accept defaults, but be sure to enter a good passphrase
cp id_rsa.pub authorized_keys
chmod 600 authorized_keys
cp .ssh/id_rsa* /shares/Family  # note: this is insecure unless you entered a good passphrase
Then from my Windows box I connected to the Family share, loaded up the id_rsa file in PuttyGen, entered the passphrase, saved the private key locally as a .ppk file, and loaded it up in Pageant. Then I connected to my cloudbox with PuTTY (on port 2222), entered the username of "root" and I was into a root shell. Free!!! After rebooting, I was still able to re-connect with PuTTY in the same way. Telnet no longer worked after the reboot, which is how it should be, and the telnetd.sh script can be removed from the Family share.

I'd prefer to be able to ssh in as admin and then su to root, but so far I haven't been able to work out why sshd is blocking me in this endeavor. More research needed.

Next? Perhaps I'll install some useful tools to replace the cut-down busybox ones - netstat and ps are too limited for my purposes.
Last edited by jez on Sun Apr 13, 2014 11:47 pm, edited 2 times in total.

Post Reply