General NAS-Central Forums

PostPosted: Sun Sep 07, 2014 1:41 pm 
Offline

Joined: Tue May 21, 2013 10:49 pm
Posts: 79
Tun.ko was built on the shuttle box with chrooted debian from nsa310 - maybe this is the issue. I'll try to experiment with clean ffp when I will make it fully work on nas.

In the meantime, if someone needs sshd on the Omninas KD20, the method is described in detail here: http://asham.ca/hardware/2013/12/getting-root-and-sshd-on-boot-with-the-shuttle-omninas-kd20/

This method is available up to firmware revision 2.35. It's a nasty bug that allows everyone to change the root password and even more, so while using a NAS with this firmware, put it on the local network without any access from the internet.
If someone finds an sshd hack in safer firmwares (2.38) please post it here.


PostPosted: Sun Sep 07, 2014 2:10 pm 
Offline

Joined: Mon Jun 16, 2008 10:45 am
Posts: 6049
Looking at the rootfs as provided in 'OMNINAS Firmware update via USB' KD20.zip (2.37.20140527), it seems there is a page /admin/ssh.php in which you can start an ssh daemon.
BTW, *don't use this file* I think it will brick your box.


PostPosted: Sun Sep 07, 2014 3:29 pm 
Offline

Joined: Tue May 21, 2013 10:49 pm
Posts: 79
Mijzelf wrote:
Looking at the rootfs as provided in 'OMNINAS Firmware update via USB' KD20.zip (2.37.20140527), it seems there is a page /admin/ssh.php in which you can start an ssh daemon.


It is password protected (unlike /IO/ssh.php)

and yes, it will brick the box


PostPosted: Sun Sep 07, 2014 5:34 pm 
Offline

Joined: Mon Jun 16, 2008 10:45 am
Posts: 6049
The script does:
Code:
<?
//check password{{
if(!$_COOKIE['aton_nas_ssh']){
        if (!isset($_SERVER['PHP_AUTH_USER'])) {
    // if is null, send header to show dialog box
    header('WWW-Authenticate: Basic realm="Administrator"');
    header('http/1.0 401 Unauthorized');
    echo 'Please enter user and password';
    exit;
        } else {
               
                $pwd = $_SERVER['PHP_AUTH_PW'];
                //$realpwd = "SqwfJ0XVOC/ZE";
                $realpwd = "ASI/prMp4QNHc";
               
        if (($_SERVER['PHP_AUTH_USER'] == "atonnas") && (crypt($pwd, $realpwd)==$realpwd)) {
        //if (($_SERVER['PHP_AUTH_USER'] == "atonnas") ) {
                $cartoon_time = time() + (10*60);    // set cookie for 10 minutes
                setcookie ('aton_nas_memocom','memocom_admin', $cartoon_time);           
        } else {
                echo "Invalid user name or password <br/>";
                echo "Please reopen browser, and try it again";
                exit;
        }
        }
}       
//check password}}     
?>
So you have 2 'real passwords' to check, user 'atonnas', and if that fails, it might be enough to set a cookie 'aton_nas_ssh'
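
A hardened form of the gate shown in the post above, as an added example that is not part of the original post or of the vendor firmware: login state lives in a server-side session instead of being inferred from the presence of a cookie, and the password is checked with password_verify() against a hash kept outside the script. The account name, the hash file path and the HTTPS-only cookie flag are assumptions for illustration.

```php
<?php
// Added example, not vendor code. Names and paths below are hypothetical.
declare(strict_types=1);

const ADMIN_USER  = 'admin';                    // hypothetical account name
const HASH_FILE   = '/etc/nas/admin_ssh.hash';  // hypothetical; outside the web root, mode 0600
const SESSION_TTL = 600;                        // 10 minutes, as in the original script

function is_authorized(array $session, int $now): bool
{
    // Trust only state stored on the server; a cookie the client can
    // create by itself proves nothing.
    return ($session['ssh_admin'] ?? false) === true
        && ($session['expires'] ?? 0) > $now;
}

function check_credentials(string $user, string $password, string $storedHash): bool
{
    // Evaluate both checks before combining them, using constant-time
    // string comparison and a modern password hash (bcrypt/argon2 from
    // password_hash()), not a 13-character DES crypt() string in the source.
    $userOk = hash_equals(ADMIN_USER, $user);
    $passOk = password_verify($password, $storedHash);
    return $userOk && $passOk;
}

// 'secure' assumes the admin interface is served over HTTPS.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();

if (!is_authorized($_SESSION, time())) {
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pwd  = $_SERVER['PHP_AUTH_PW'] ?? '';
    $hash = trim((string) @file_get_contents(HASH_FILE));

    // Fail closed: a missing hash file or wrong credentials both end in 401.
    if ($hash === '' || !check_credentials($user, $pwd, $hash)) {
        header('WWW-Authenticate: Basic realm="Administrator"');
        http_response_code(401);
        exit('Authentication required');
    }
    session_regenerate_id(true);                 // fresh session id after login
    $_SESSION['ssh_admin'] = true;
    $_SESSION['expires']   = time() + SESSION_TTL;
}
// Protected page content continues here.
```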


PostPosted: Sun Sep 07, 2014 5:35 pm 
Offline

Joined: Mon Jun 16, 2008 10:45 am
Posts: 6049

Quote:
and yes, it will brick the box
Experience?


PostPosted: Sun Sep 07, 2014 7:05 pm 
Offline

Joined: Tue May 21, 2013 10:49 pm
Posts: 79
Mijzelf wrote:

Quote:
and yes, it will brick the box
Experience?


;)
to be continued in another thread ;)


PostPosted: Sat Sep 13, 2014 8:28 am 
Offline

Joined: Sat Sep 13, 2014 8:25 am
Posts: 16
I've been successful in decrypting (and encrypting) the firmware using the following commands.

To Decrypt
Code:
openssl enc -des3 -d -a -k sohmuntitnlaes -in OMNINAS-7821_2.38.20140728.TAR.GZ -out firmware_decrypted.TAR.GZ

To Encrypt
Code:
openssl enc -des3 -e -a -k sohmuntitnlaes -in firmware_decrypted.tar.gz -out firmware_encrypted.TAR.GZ


However it contains a ubi file which I have difficulties mounting.

Maybe someone with more experience than me can do something with this info :D


PostPosted: Tue Sep 16, 2014 3:35 pm 
Offline

Joined: Tue Sep 16, 2014 3:29 pm
Posts: 5
Hey,
Thanks for this information.

I've right now got Debian Wheezy with a patched 2.6.31 kernel running on the KD20. But right now it is not fully running and has a few bugs.
If I work out a few more things I'll provide a "beta" package.


PostPosted: Tue Sep 16, 2014 3:39 pm 
Offline

Joined: Sat Sep 13, 2014 8:25 am
Posts: 16
Peacemaker wrote:
Hey,
Thanks for this information.

I've right now got Debian Wheezy with a patched 2.6.31 kernel running on the KD20. But right now it is not fully running and has a few bugs.
If I work out a few more things I'll provide a "beta" package.


You got that running without altering the nand flash? Then I'll be the first to try!


PostPosted: Tue Sep 16, 2014 4:04 pm 
Offline

Joined: Tue Sep 16, 2014 3:29 pm
Posts: 5
NO, I flashed the Kernel and the Initrd to the nand, and modified the env to load the rootfs from a USB-stick.


But I think there might be a way to not touch the NAND:

The SoC can load stage1 and U-Boot from SATA, and then you can load everything you want from there.
I used this way to unbrick my KD20. The problem there is that U-Boot 1.1.4 and the 3.1X kernel from kefs are not working properly:

U-Boot: USB load and Ethernet not working
Kernel: SATA not working

P.S.: What is the problem with altering the NAND, if you have a backup?


PostPosted: Tue Sep 16, 2014 4:49 pm 
Offline

Joined: Sat Sep 13, 2014 8:25 am
Posts: 16
Peacemaker wrote:
But I think there might be a way to not touch the NAND:


Yes we've been exploring that possibility here. Might contain some useful hints.

I take it you've used a serial cable? If so, would you mind sharing how you opened the case?

Peacemaker wrote:
P.S.: What is the problem with altering the NAND, if you have a backup?


Nothing I guess if you have a serial cable or other means to restore a nand backup.


PostPosted: Tue Sep 16, 2014 5:22 pm 
Offline

Joined: Tue Sep 16, 2014 3:29 pm
Posts: 5
Yes, I used the UART.

And I see no way to get around UART at this state.

Here you see everything disassembled:
https://plus.google.com/photos/+EugeneCrosser/albums/5814005333634658177

https://gitorious.org/openwrt-oxnas/pages/omninas-kd20

Thanks to crosser for that, and he provided me with the 2.6.31.14_7821.diff.

For getting root access on the vendor's firmware:
just write your own passwd into the /etc/passwd of the vendor's ubi_rootfs, and flash it via USB.
But I did not drive this to an end.


PostPosted: Tue Sep 23, 2014 9:14 pm 
Offline

Joined: Tue Sep 16, 2014 3:29 pm
Posts: 5
So, it is looking quite good, that I'll be able to make an Image to boot debian fully from SATA without touching anything on this device.


PostPosted: Wed Sep 24, 2014 9:50 am 
Offline

Joined: Sat Sep 13, 2014 8:25 am
Posts: 16
Peacemaker wrote:
So, it is looking quite good, that I'll be able to make an Image to boot debian fully from SATA without touching anything on this device.


Nice, did you get SATA working with that kernel? If not, did you already ask Shuttle support for the sources? Looking at the other topic about the KD21, they seem to be willing to share.

When you have an image ready, I have the stuff ready on my desk already to try it out :D


PostPosted: Wed Sep 24, 2014 10:06 am 
Offline

Joined: Tue Sep 16, 2014 3:29 pm
Posts: 5
I got the sources from Shuttle.
I just use a stage1 patched to 850 MHz (or less), a recompiled U-Boot and a patched 2.6.31 kernel.

What is left to do so far is changing the env, so that you do not need a serial connection to set the right boot image, and fixing the LED.

