General NAS-Central Forums

 Post subject: Shuttle kd20 - bricked
PostPosted: Sun Sep 07, 2014 7:11 pm 
Joined: Tue May 21, 2013 10:49 pm
Posts: 79
So, I've used /IO/ssh.php without giving it much thought prior to execution and now I have a brick with a blinking blue light.

Any idea how to unbrick the device without the need for a serial cable?

Mijzelf, can you post the contents of ssh.php? I'm very curious what it does besides giving the false impression that it turns on the ssh daemon ;)


PostPosted: Sun Sep 07, 2014 7:33 pm
Joined: Mon Jun 16, 2008 10:45 am
Posts: 5995
You bricked it by requesting /IO/ssh.php? That is strange, and not what I expected.
The ssh.php from firmware 2.37.20140527 is:
Code:
<?      include "./chk_pw.php";?>
<?
        require_once "/usr/includes/global.php";                                                                       
        include_once $global_dir.'/functions.php';             
        include_once $includes_dir.'/nas_config.php';                                                   
        include    $temporary_dir .'/nas_info.inc';                                                             
        include          $template_dir . "/client_language_set.php";
// -> [Teresa Chiu] 2011.07.28, marked user and password checking
/*
// check password
if(!$_COOKIE['aton_nas_ssh']){
        if (!isset($_SERVER['PHP_AUTH_USER'])) {
    // If empty, send the header so the dialog box appears
    header('WWW-Authenticate: Basic realm="Administrator"');
    header('http/1.0 401 Unauthorized');
    echo 'Enter User and Password';
    exit;
        } else {
        if (($_SERVER['PHP_AUTH_USER'] == "root") && ($_SERVER['PHP_AUTH_PW'] == "atonnas")) {
                $cartoon_time = 0;// cookie lives until the browser is closed
                setcookie ('aton_nas_ssh','atonnas_ssh', $cartoon_time);
                  header("Location: ".$www_path."/ssh/ssh.php");
        } else {
                echo "User or Password is error <br/>";
                echo "Please Close Browser, and Open Browser Again";
                exit;
        }
        }
}       
*/
// <- end
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<script type="text/javascript">
//ssh_action{{
function ssh_action(){
               
                document.ttimes.action     = "ssh.php";       
                document.ttimes.submit();                 
}
//ssh_action}}
</script>
</head>
<body>
<form action="" name="ttimes" method="post" enctype="multipart/form-data">
<input name="ssh_data" type="hidden" value="xx" />
<?

 if($_POST["ssh_data"]){
        if ($_POST["ssh_set"]=="on"){
                exec("sudo /etc/rc.d/sshd.sh start");
                echo 'Start SSH';
                $ssh_checkbox = 'checked="checked"';   
        }else{
                exec("sudo /etc/rc.d/sshd.sh stop");
                echo 'Stop SSH';
        }
 }else{
        exec ( "sudo /bin/ps ax | /bin/grep sshd" , $ssh_info);
        foreach ($ssh_info as $ssh_info_1){
                $ssh_check .= (ereg("/bin/sshd",$ssh_info_1))? 'have' :'';
        }       
        if(strlen($ssh_check) > 3 ){
                echo 'SSH Open now';
                $ssh_checkbox = 'checked="checked"';   
        }else{
                echo 'SSH Stop now';
        }
 }
?>
<br/>
<input type="checkbox" name="ssh_set" <?=$ssh_checkbox;?>/>SSH<br/>
<input type="button" value="<?=$Lang_Save;?>" onclick="javascript:ssh_action();"  />
</body>
</html>
Seems harmless to me.

My warning about 'don't use this file' was about the KD20.zip file, to upgrade the firmware using a USB thumb drive. I figured out how it works (because it might give a way to inject a script, somehow), and found that it would flash the provided u-boot.wrapped to /dev/mtd2. But the provided u-boot.wrapped contains bogus data, and is far too big, I think. It's more than 1MiB in size, while u-boot normally is only 64 or 128KiB.

Why do you think it's bricked?


PostPosted: Sun Sep 07, 2014 7:40 pm
Joined: Tue May 21, 2013 10:49 pm
Posts: 79
It was ssh.php or something like gplv3.php. Something from /IO

Anyway, I think it's bricked because the power button flashes, the NAS does not obtain an IP from DHCP and that's it. It beeps once after power-on (just like on a normal start), then the power button keeps flashing in a loop.
Also I tried to use kd20.zip (figured that it won't hurt and may help) but nothing changes (no flash sequence is started, with the red light and so on).


PostPosted: Sun Sep 07, 2014 8:04 pm
Joined: Mon Jun 16, 2008 10:45 am
Posts: 5995
Fw 2.37 doesn't have an /IO/ directory, only /admin/, but that does have a GPLv3.php:
Code:
<?    include "./chk_pw.php";?>
<?
   require_once "/usr/includes/global.php";                            
   include_once $global_dir.'/functions.php';      
   include_once $includes_dir.'/nas_config.php';                     
   include    $temporary_dir .'/nas_info.inc';                        
   include      $template_dir . "/client_language_set.php"; 
   
   if($_POST['GPLv3_set']){
         $nas_info['general']['GPLv3_set']     = $_POST['GPLv3_set'];                        
         $source_array_name="nas_info";
         $require_file_path=$temporary_dir .'/nas_info.inc';   
         makeRequireFile(&$nas_info, $source_array_name, $require_file_path);   
   }
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<script type="text/javascript">
//ssh_action{{
function GPLv3_action(){      
      document.ttimes.action     = "GPLv3.php";       
      document.ttimes.submit();         
}
//ssh_action}}
</script>
</head>
<body>
<form action="" name="ttimes" method="post" enctype="multipart/form-data">
<?
  $GPLv3_value =($_POST['GPLv3_set'])? $_POST['GPLv3_set']:$nas_info['general']['GPLv3_set'];
   if ($GPLv3_value=="on"){      
      echo 'Open GPLv3';
      $GPLv3_checkbox = 'checked="checked"';    
   }else{      
      echo 'Close GPLv3';
   }
 ?>
<br/>
<input type="checkbox" name="GPLv3_set" <?=$GPLv3_checkbox;?>/>GPLv3<br/>
<input type="button" value="<?=$Lang_Save;?>" onclick="javascript:GPLv3_action();"  />
</body>
</html>
As far as I can see it does completely nothing.

As the web interface runs as a limited user (I think 'nobody'), all potentially dangerous commands should be executed with 'sudo'. These are all the sudo commands:
Code:
[user@localhost htdocs]$ grep -R sudo *
action/firmware_reset.php:         exec('sudo /bin/cp -a '.$firmware_backup_path.'/nas_info.inc '.$temporary_dir.'/.');
action/firmware_reset.php:         exec('sudo /bin/rm -rf '.$firmware_backup_path);
action/bt_remove.php:   exec("sudo /bin/rm -rf /.BT_Power_Failure");
action/healthy_action.php:         $msg = shell_exec('sudo smartctl -d ata -a '. $disk['blockdev']);   
action/wizard_step1_action.php:         exec('sudo /sbin/hwclock -w -u');   
action/smb_scan.php:   //$NAShostname = strtoupper( exec("sudo hostname | cut -d '.' -f1") );
action/date_action.php:         exec('sudo /sbin/hwclock -w -u');         
action/date_action.php:               exec('sudo /sbin/hwclock -w -u');
action/wizard_status.php:                 exec("sudo /bin/rm -rf /.wizard_raid_step");
action/factory_action.php:      exec("sudo /bin/sh /etc/rc.d/S01reboot 2>&1 /dev/console");
action/firmware_action.php:         exec("sudo /bin/rm -rf ".$uploadDirectory."*");
action/firmware_action.php:   //exec("sudo /etc/decrypt.sh ".$uploadName." sohmuntitnlaes ".$fwName." > /dev/console");
action/firmware_action.php:   exec("sudo /etc/decrypt.sh ".$uploadName." sohmuntitnlaes ".$fwName);
action/firmware_action.php:   exec("sudo /bin/tar zxvpf ".$fwName." -C ".$upgradePath);
action/firmware_action.php:      exec ( 'sudo /bin/cat '.$upgradePath.'version' , $new_modelNumber);
action/firmware_action.php:         exec("sudo /bin/rm -rf /system/upgrade");
action/firmware_action.php:      //exec("sudo /bin/touch /system/.upgrade");
action/firmware_action.php:   exec("sudo /bin/cp -a ".$temporary_dir."/nas_info.inc ".$firmware_backup_path);
action/firmware_action.php:   exec("sudo /etc/upgrade.sh ".$fwName." 2>&1 /dev/console");
action/usb_action.php:         exec("sudo /bin/cat /sys/block/".$usb_path."/removable",$result,$ret);
action/usb_action.php:         $partDev=exec("sudo /bin/ls {$path}");
admin/ssh.php:      exec("sudo /etc/rc.d/sshd.sh start");
admin/ssh.php:      exec("sudo /etc/rc.d/sshd.sh stop");
admin/ssh.php:    exec ( "sudo /bin/ps ax | /bin/grep sshd" , $ssh_info);
admin/dir_action.php:          exec('sudo mv '.$_GET['old_name'].' '.$_GET['new_name']);       
api/dir_post.php:            $err = exec('sudo /bin/mkdir -pm 777 '.$add_dir.' ;/bin/echo $?');
api/dir_post.php:            $err = exec('sudo /bin/rm -rf '.$del_dir.' ;/bin/echo $?');
api/dir_post.php:               $err = exec('sudo /bin/mv '.$old_dir.' '.$new_dir.' ;/bin/echo $?');
api/dir_post.php:            $err = exec('sudo /bin/mv '.$old_dir.' '.$new_dir.' ;/bin/echo $?');
api/dir_post.php:            $err = exec('sudo /bin/mv -f '.$old_file.' '.$new_path.' ;/bin/echo $?');
api/dir_post.php:            $err = exec('sudo /bin/cp -ar '.$old_file.' '.$new_path. ' &  ;/bin/echo $?');
api/dir_post.php:   return exec( "sudo /usr/bin/PHP_is_dir -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
api/dir_post.php:   return exec( "sudo /usr/bin/PHP_is_file -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
api/dir_post.php:   return exec("sudo /usr/bin/basename \"{$name}\" ");
api/dir_post.php:   $files = @scandir( exec("sudo /usr/bin/dirname \"{$path}\" ") );
api/dir_xml_s.php:   return exec( "sudo /usr/bin/PHP_filesize -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
api/dir_xml_s.php:   return exec( "sudo /usr/bin/PHP_permission -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
api/dir_xml_s.php:   return exec( "sudo /usr/bin/PHP_filetype -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
api/dir_xml_s.php:   return exec( "sudo /usr/bin/PHP_filemtime -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
api/dir_xml_s.php:   return exec( "sudo /usr/bin/PHP_is_dir -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
api/DL.php:        $size = exec("sudo ls -l ".$cmd." | awk {'print $5'}" );
api/DL.php:$ret = exec( "sudo test -d ".$cmd." && echo '1' || echo '0'" );
api/DL.php:$ret = exec( "sudo test -f ".$cmd." && echo '1' || echo '0'" );
api/dir_info_p.php:   return exec( "sudo /usr/bin/PHP_filesize -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
api/dir_info_p.php:   return exec( "sudo /usr/bin/PHP_permission -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
api/dir_info_p.php:   return exec( "sudo /usr/bin/PHP_filetype -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
api/dir_info_p.php:   return exec( "sudo /usr/bin/PHP_filemtime -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
api/dir_info_p.php:   return exec( "sudo /usr/bin/PHP_is_dir -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
api/download.php:   return exec( "sudo /usr/bin/PHP_filesize -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
api/download.php:   return exec( "sudo /usr/bin/PHP_is_dir -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
api/download.php:   return exec( "sudo /usr/bin/PHP_is_file -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
api/download.php:   $ret = `sudo /usr/bin/PHP_alu -a ${a} -b ${b} -o ${m} ` ;
api/download.php:      passthru("sudo /usr/bin/PHP_fread -f ${filename} -o ${offset} -l ${buf}");      
api/download.php:         passthru("sudo /usr/bin/PHP_fread -f ${filename} -o ${offset} -l ${buf}");
api/dir_action.php:   return exec("sudo basename \"{$name}\" ");
api/dir_action.php:   //exec("sudo echo path=\"{$path}\" > /dev/console " );
api/dir_action.php:   $files = @scandir( exec("sudo dirname \"{$path}\" ") );
api/dir_action.php:      //exec("sudo echo \"{$file}\":\"{$filename}\" > /dev/console " );
filesystem/api-1.0/dir_post.php:         exec('sudo rm -rf '.$del_dir);
filesystem/api-1.0/dir_post.php:            exec('sudo mv '.$old_dir.' '.$new_dir);
filesystem/api-1.0/dir_post.php:         exec('sudo mv '.$old_dir.' '.$new_dir);
filesystem/api-1.0/dir_post.php:         exec('sudo mv -f '.$old_file.' '.$new_path);
filesystem/api-1.0/dir_post.php:         exec('sudo cp -ar '.$old_file.' '.$new_path. ' &' );
filesystem/api-1.0/dir_post.php:   return exec( "sudo /usr/bin/PHP_is_dir -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api-1.0/dir_post.php:   return exec( "sudo /usr/bin/PHP_is_file -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api-1.0/dir_post.php:   return exec("sudo /usr/bin/basename \"{$name}\" ");
filesystem/api-1.0/dir_post.php:   $files = @scandir( exec("sudo /usr/bin/dirname \"{$path}\" ") );
filesystem/api-1.0/dir_xml_s.php:   return exec( "sudo /usr/bin/PHP_filesize -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api-1.0/dir_xml_s.php:   return exec( "sudo /usr/bin/PHP_permission -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api-1.0/dir_xml_s.php:   return exec( "sudo /usr/bin/PHP_filetype -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api-1.0/dir_xml_s.php:   return exec( "sudo /usr/bin/PHP_filemtime -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api-1.0/dir_xml_s.php:   return exec( "sudo /usr/bin/PHP_is_dir -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api-1.0/DL.php:        $size = exec("sudo ls -l ".$cmd." | awk {'print $5'}" );
filesystem/api-1.0/DL.php:$ret = exec( "sudo test -d ".$cmd." && echo '1' || echo '0'" );
filesystem/api-1.0/DL.php:$ret = exec( "sudo test -f ".$cmd." && echo '1' || echo '0'" );
filesystem/api-1.0/dir_info_p.php:   return exec( "sudo /usr/bin/PHP_filesize -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api-1.0/dir_info_p.php:   return exec( "sudo /usr/bin/PHP_permission -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api-1.0/dir_info_p.php:   return exec( "sudo /usr/bin/PHP_filetype -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api-1.0/dir_info_p.php:   return exec( "sudo /usr/bin/PHP_filemtime -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api-1.0/dir_info_p.php:   return exec( "sudo /usr/bin/PHP_is_dir -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api-1.0/download.php:   return exec( "sudo /usr/bin/PHP_filesize -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api-1.0/download.php:   return exec( "sudo /usr/bin/PHP_is_dir -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api-1.0/download.php:   return exec( "sudo /usr/bin/PHP_is_file -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api-1.0/download.php:   $ret = `sudo /usr/bin/PHP_alu -a ${a} -b ${b} -o ${m} ` ;
filesystem/api-1.0/download.php:      passthru("sudo /usr/bin/PHP_fread -f ${filename} -o ${offset} -l ${buf}");      
filesystem/api-1.0/download.php:         passthru("sudo /usr/bin/PHP_fread -f ${filename} -o ${offset} -l ${buf}");
filesystem/api-1.0/dir_action.php:         exec('sudo rm -rf '.$del_dir);
filesystem/api-1.0/dir_action.php:         exec('sudo mv '.$old_dir.' '.$new_dir);
filesystem/api-1.0/dir_action.php:         exec('sudo mv '.$old_file.' '.$new_path);
filesystem/api-1.0/dir_action.php:         exec('sudo cp -rf '.$old_file.' '.$new_path);
filesystem/api-1.0/dir_action.php:   return exec("sudo basename \"{$name}\" ");
filesystem/api-1.0/dir_action.php:   //exec("sudo echo path=\"{$path}\" > /dev/console " );
filesystem/api-1.0/dir_action.php:   $files = @scandir( exec("sudo dirname \"{$path}\" ") );
filesystem/api-1.0/dir_action.php:      //exec("sudo echo \"{$file}\":\"{$filename}\" > /dev/console " );
filesystem/api/dir_post.php:            $err = exec('sudo /bin/mkdir -pm 777 '.$add_dir.' ;/bin/echo $?');
filesystem/api/dir_post.php:            $err = exec('sudo /bin/rm -rf '.$del_dir.' ;/bin/echo $?');
filesystem/api/dir_post.php:               $err = exec('sudo /bin/mv '.$old_dir.' '.$new_dir.' ;/bin/echo $?');
filesystem/api/dir_post.php:            $err = exec('sudo /bin/mv '.$old_dir.' '.$new_dir.' ;/bin/echo $?');
filesystem/api/dir_post.php:            $err = exec('sudo /bin/mv -f '.$old_file.' '.$new_path.' ;/bin/echo $?');
filesystem/api/dir_post.php:            $err = exec('sudo /bin/cp -ar '.$old_file.' '.$new_path. ' &  ;/bin/echo $?');
filesystem/api/dir_post.php:   return exec( "sudo /usr/bin/PHP_is_dir -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api/dir_post.php:   return exec( "sudo /usr/bin/PHP_is_file -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api/dir_post.php:   return exec("sudo /usr/bin/basename \"{$name}\" ");
filesystem/api/dir_post.php:   $files = @scandir( exec("sudo /usr/bin/dirname \"{$path}\" ") );
filesystem/api/dir_xml_s.php:   return exec( "sudo /usr/bin/PHP_filesize -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api/dir_xml_s.php:   return exec( "sudo /usr/bin/PHP_permission -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api/dir_xml_s.php:   return exec( "sudo /usr/bin/PHP_filetype -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api/dir_xml_s.php:   return exec( "sudo /usr/bin/PHP_filemtime -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api/dir_xml_s.php:   return exec( "sudo /usr/bin/PHP_is_dir -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api/DL.php:        $size = exec("sudo ls -l ".$cmd." | awk {'print $5'}" );
filesystem/api/DL.php:$ret = exec( "sudo test -d ".$cmd." && echo '1' || echo '0'" );
filesystem/api/DL.php:$ret = exec( "sudo test -f ".$cmd." && echo '1' || echo '0'" );
filesystem/api/dir_info_p.php:   return exec( "sudo /usr/bin/PHP_filesize -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api/dir_info_p.php:   return exec( "sudo /usr/bin/PHP_permission -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api/dir_info_p.php:   return exec( "sudo /usr/bin/PHP_filetype -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api/dir_info_p.php:   return exec( "sudo /usr/bin/PHP_filemtime -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api/dir_info_p.php:   return exec( "sudo /usr/bin/PHP_is_dir -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api/download.php:   return exec( "sudo /usr/bin/PHP_filesize -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api/download.php:   return exec( "sudo /usr/bin/PHP_is_dir -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api/download.php:   return exec( "sudo /usr/bin/PHP_is_file -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
filesystem/api/download.php:   $ret = `sudo /usr/bin/PHP_alu -a ${a} -b ${b} -o ${m} ` ;
filesystem/api/download.php:      passthru("sudo /usr/bin/PHP_fread -f ${filename} -o ${offset} -l ${buf}");      
filesystem/api/download.php:         passthru("sudo /usr/bin/PHP_fread -f ${filename} -o ${offset} -l ${buf}");
filesystem/api/dir_action.php:   return exec("sudo basename \"{$name}\" ");
filesystem/api/dir_action.php:   //exec("sudo echo path=\"{$path}\" > /dev/console " );
filesystem/api/dir_action.php:   $files = @scandir( exec("sudo dirname \"{$path}\" ") );
filesystem/api/dir_action.php:      //exec("sudo echo \"{$file}\":\"{$filename}\" > /dev/console " );
filesystem/plugins/access.fs/class.fsAccessDriver.php:            //$current_dir = `sudo cat /tmp/upload.dir`;
filesystem/plugins/access.fs/class.fsAccessDriver.php:      exec("sudo /bin/mkdir -m 777 ".$this->getPath()."/{$crtDir}/{$newDirName}");
filesystem/plugins/access.fs/class.fsAccessDriver.php:       return exec("sudo /usr/bin/basename \"{$name}\" ");
filesystem/plugins/access.fs/class.fsAccessDriver.php:       return exec("sudo /usr/bin/dirname \"{$name}\" ");
filesystem/server/classes/class.AbstractAccessDriver.php:       return exec("sudo /usr/bin/basename \"{$name}\" ");
filesystem/server/classes/class.AbstractAccessDriver.php:       return exec("sudo /usr/bin/dirname \"{$name}\" ");
menu.php:      exec("sudo /bin/rm -rf /system/.ignore_reboot");
menu.php:   exec("sudo /sbin/ifconfig {$config['interfaces']['lan']['if']} | /bin/grep \"inet addr\"  | /usr/bin/tr -s \" \"  | /usr/bin/awk '{print \$2}' | /usr/bin/cut -f 2 -d :",$ip);
template/firmware.php:      exec("sudo /sbin/ifconfig {$config['interfaces']['lan']['if']} | /bin/grep \"inet addr\"  | /usr/bin/tr -s \" \"  | /usr/bin/awk '{print \$2}' | /usr/bin/cut -f 2 -d :",$ip);
template/bt.php:      exec("sudo /bin/rm -rf /.BT_Power_Failure");
template/user_limit.php:   exec("sudo /bin/chmod ugo+rw {$temporary_dir}");
template/user_limit_checktimeout.php:      exec("sudo /bin/chmod ugo+rw {$temporary_dir}");
template/on_time.html:   exec ( 'sudo /bin/date' , $date_info);
template/on_time.html:startTime = "<?=exec ("sudo /bin/date +\"%Y/%m/%d %H:%M:%S\"");?>";//"2009/06/16  15:05:00";
template/factory_reset.php:exec("sudo /sbin/ifconfig {$config['interfaces']['lan']['if']} | /bin/grep \"inet addr\"  | /usr/bin/tr -s \" \"  | /usr/bin/awk '{print \$2}' | /usr/bin/cut -f 2 -d :",$ip);
wizard7.php:exec("sudo /bin/rm -rf /.wizard_step_flag");
That 'admin/dir-action' is a nice one. But password protected. Further I see a lot of potentially dangerous commands, but not in the /admin/ directory, where ssh.php lives.

BTW, I think the webinterface runs as nobody, because of the /etc/sudoers file:
Code:
# User privilege specification
root    ALL=(ALL) ALL
nobody ALL=NOPASSWD: ALL
Wonder why the web interface doesn't simply run as root?

BTW2, meanwhile I managed to extract a valid u-boot from u-boot.wrapped, by simply taking 1 bit of each byte. So *maybe* the zipfile works, if somehow the addressing of the flash memory is strange, in a way from each written byte only one bit arrives.
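
Added example (not part of the original posts, and not the firmware's own code): a small Python triage of the grep output and sudoers entry quoted above. It sorts each `sudo` call by how a PHP variable reaches the shell; the verdict names and remediation notes are this example's own, and it does no data-flow tracking, so a verdict describes how a value is quoted, not where it comes from.

```python
import re
from collections import Counter

# Lines copied from the `grep -R sudo *` output quoted above.
GREP_SAMPLE = r'''
admin/ssh.php:      exec("sudo /etc/rc.d/sshd.sh start");
admin/dir_action.php:          exec('sudo mv '.$_GET['old_name'].' '.$_GET['new_name']);
api/dir_post.php:            $err = exec('sudo /bin/rm -rf '.$del_dir.' ;/bin/echo $?');
api/dir_post.php:   return exec( "sudo /usr/bin/PHP_is_dir -f ". addcslashes( $file , "' #$%&()+;=[]^`{}" ) );
api/dir_post.php:   return exec("sudo /usr/bin/basename \"{$name}\" ");
api/download.php:      passthru("sudo /usr/bin/PHP_fread -f ${filename} -o ${offset} -l ${buf}");
action/smb_scan.php:   //$NAShostname = strtoupper( exec("sudo hostname | cut -d '.' -f1") );
menu.php:      exec("sudo /bin/rm -rf /system/.ignore_reboot");
'''

# /etc/sudoers excerpt quoted above.
SUDOERS_SAMPLE = """\
# User privilege specification
root    ALL=(ALL) ALL
nobody ALL=NOPASSWD: ALL
"""

SINK = re.compile(r'\b(?:shell_exec|exec|passthru|system|popen)\s*\(|`')
PHP_VAR = re.compile(r'\$\{?([A-Za-z_]\w*)')      # skips shell tokens such as $? and $5
REQUEST_VARS = {"_GET", "_POST", "_REQUEST", "_COOKIE"}
NOPASSWD_ALL = re.compile(
    r'^(\w+)[ \t]+[^\s=]+[ \t]*=[ \t]*(?:\([^)]*\)[ \t]*)?NOPASSWD:[ \t]*ALL[ \t]*$',
    re.M)

# Verdicts, most urgent first, with the review note for each (example's wording).
REMEDIATION = {
    "request-input": "request parameter reaches a root shell: allow-list it and use escapeshellarg()",
    "unescaped": "variable concatenated without escaping: trace its origin, use escapeshellarg()",
    "shell-quoted-only": "only wrapped in shell double quotes, which still expand $ and backticks",
    "custom-escape": "hand-rolled addcslashes() character list: replace with escapeshellarg()",
    "static": "fixed command line: nothing to inject, check the sudoers scope instead",
    "commented-out": "dead code",
    "no-sink": "no shell call with sudo found on this line",
}
SEVERITY = list(REMEDIATION)


def classify(grep_line):
    """Return (path, verdict) for one 'path: code' line of grep output."""
    path, _, code = grep_line.partition(":")
    code = code.strip()
    if code.startswith("//"):
        return path, "commented-out"
    sink = SINK.search(code)
    if sink is None or "sudo" not in code[sink.end():]:
        return path, "no-sink"
    arg = code[sink.end():]
    names = set(PHP_VAR.findall(arg))
    if not names:
        return path, "static"
    if names & REQUEST_VARS:
        return path, "request-input"
    if "addcslashes" in arg:
        return path, "custom-escape"
    if re.search(r'\\"\s*\{?\$', arg):            # \"{$var}\" inside the PHP string
        return path, "shell-quoted-only"
    return path, "unescaped"


def audit(grep_output):
    """Classify every non-empty line and sort the findings by urgency."""
    findings = [classify(l) for l in grep_output.splitlines() if l.strip()]
    return sorted(findings, key=lambda f: SEVERITY.index(f[1]))


def summarize(findings):
    """Count findings per verdict."""
    return dict(Counter(verdict for _, verdict in findings))


def unrestricted_nopasswd(sudoers_text):
    """Users that may run any command through sudo without a password."""
    return NOPASSWD_ALL.findall(sudoers_text)


if __name__ == "__main__":
    for path, verdict in audit(GREP_SAMPLE):
        print(f"{verdict:18} {path:22} {REMEDIATION[verdict]}")
    for user in unrestricted_nopasswd(SUDOERS_SAMPLE):
        print(f"sudoers: '{user}' has NOPASSWD: ALL, so every finding above runs as root")
```

With the sudoers line as quoted, narrowing `nobody` to the specific binaries the web interface needs limits what any one of these calls can do, independently of fixing the quoting.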


PostPosted: Sun Sep 07, 2014 8:24 pm
Joined: Tue May 21, 2013 10:49 pm
Posts: 79
Mine runs on 2.35 and had /IO/ in htdocs. Maybe this was a coincidence and the NAS broke on its own ;)

Is there any way to apply fresh firmware without the use of a serial cable?


PostPosted: Mon Sep 08, 2014 7:56 am
Joined: Mon Jun 16, 2008 10:45 am
Posts: 5995
PLX7820-based devices can boot from SATA, SPI and NAND, in this sequence. Which means that if you insert a specially prepared disk, the box will boot from it, no matter what the flash status is.
(So yes, the box is virtually unbrickable)

The Iomega Home Media CE also has a PLX7820, but has no flash at all. So its disk should boot the Shuttle.

Here you can find information about how to prepare such a disk. We are actually only interested in the first 32MiB, as described in 'Complete Recovery'.

If you have written the 1st 32MiB, the disk has a 1st stage bootloader, a u-boot, a u-boot environment, and a kernel + initrd.

To debrick the Shuttle, we need a Shuttle kernel, as that has knowledge of the flash partitions. Here you can see the layout of the 32MiB. The kernel and initrd are written at sector 1290 and 16674 and following.
If you extract the KD20.zip file, you'll find a uImage and rdimg.gz. Those are drop-in replacements for the Iomega kernel and initrd. If you write them to the (already prepared) disk:
Code:
dd if=uImage of=/dev/sdX bs=512 skip=1290
dd if=rdimg.gz of=/dev/sdX bs=512 skip=16674
u-boot will load them and boot the Shuttle kernel+initrd.

But the Shuttle initrd is designed to mount the ubi flash partition, and switch_root to that, which is undesirable at the moment.

rdimg.gz is actually a gzipped ext2 filesystem, with an uImage header. You can extract the filesystem:
Code:
tail -c +65 rdimg.gz | gzip -d >initrd
and mount it
Code:
mkdir -p initrd.d
mount -o loop initrd initrd.d
Now you can edit the bootscript (/rclinux) to set up the network, and start a telnet daemon. You can also put some partition on the disk (beyond the 32MiB), format that as ext2 (at least that is supported), mount that from /rclinux, and put logfiles on it (redirect output:
Code:
exec >/mountpoint/of/partition 2>&1
) because else you're working in the dark.
BTW, after starting a telnet daemon, you'll have to pause the script. If the script exits, you'll have a kernel panic. (Or it boots into the ubifs)
Code:
telnetd -l /bin/sh
/bin/sh # a shell on console, to pause the script
If you manage to get telnet access, the script /rclinux contains the code to flash the files from KD20.zip. I think you can suffice with the ubi fs, as that is the only partition which should be editable from the webinterface.

When you have edited your initrd, you can unmount it, gzip the file, and put a new header on it using mkimage from the uboot tools package.
'file rdimg.gz' will tell you how the header should be.
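
Added example (not part of the original post): a Python reader for the 64-byte legacy uImage header that `tail -c +65` skips above. It checks both CRCs before unpacking and lists the `mkimage` options that reproduce the header after editing. The sample image is constructed in `make_sample()`; it is not the Shuttle rdimg.gz, and its name and field values are placeholders.

```python
import gzip
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
# Legacy U-Boot image header: 7 big-endian u32, 4 u8, 32-byte name = 64 bytes.
HEADER = struct.Struct(">7I4B32s")
OS = {5: "linux"}
ARCH = {2: "arm"}
TYPE = {2: "kernel", 3: "ramdisk"}
COMP = {0: "none", 1: "gzip", 2: "bzip2"}


def build_uimage(payload, name, os_=5, arch=2, type_=3, comp=1,
                 load=0, ep=0, time=0):
    """Prepend a legacy uImage header to payload, as mkimage would."""
    fields = [UIMAGE_MAGIC, 0, time, len(payload), load, ep,
              zlib.crc32(payload), os_, arch, type_, comp, name.encode()]
    # The header CRC is computed over the header with its CRC field zeroed.
    fields[1] = zlib.crc32(HEADER.pack(*fields))
    return HEADER.pack(*fields) + payload


def parse_uimage(blob):
    """Decode the header and verify the header and data CRCs."""
    if len(blob) < HEADER.size:
        raise ValueError("shorter than a uImage header")
    (magic, hcrc, time, size, load, ep, dcrc,
     os_, arch, type_, comp, name) = HEADER.unpack_from(blob)
    if magic != UIMAGE_MAGIC:
        raise ValueError("bad magic: not a legacy uImage")
    zeroed = blob[:4] + bytes(4) + blob[8:HEADER.size]
    payload = blob[HEADER.size:HEADER.size + size]
    return {
        "name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
        "os": OS.get(os_, str(os_)),
        "arch": ARCH.get(arch, str(arch)),
        "type": TYPE.get(type_, str(type_)),
        "comp": COMP.get(comp, str(comp)),
        "load": load, "entry": ep, "size": size, "time": time,
        "header_crc_ok": zlib.crc32(zeroed) == hcrc,
        "data_crc_ok": len(payload) == size and zlib.crc32(payload) == dcrc,
        "payload": payload,
    }


def unwrap_initrd(blob):
    """Checked equivalent of `tail -c +65 rdimg.gz | gzip -d`."""
    info = parse_uimage(blob)
    if not (info["header_crc_ok"] and info["data_crc_ok"]):
        raise ValueError("CRC mismatch: image is truncated or modified")
    if info["comp"] != "gzip":
        raise ValueError("payload is not gzip-compressed")
    return gzip.decompress(info["payload"])


def mkimage_args(info, data_file, out_file):
    """mkimage command line that recreates this header around data_file."""
    return ["mkimage", "-A", info["arch"], "-O", info["os"],
            "-T", info["type"], "-C", info["comp"],
            "-a", hex(info["load"]), "-e", hex(info["entry"]),
            "-n", info["name"], "-d", data_file, out_file]


def make_sample():
    """Constructed stand-in for rdimg.gz (not the real Shuttle image)."""
    fs = b"constructed stand-in for the ext2 filesystem\n" * 200
    return build_uimage(gzip.compress(fs), "constructed-initrd"), fs


if __name__ == "__main__":
    blob, _ = make_sample()
    info = parse_uimage(blob)
    print({k: v for k, v in info.items() if k != "payload"})
    print(" ".join(mkimage_args(info, "initrd.gz", "rdimg.gz")))
```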


PostPosted: Sat Sep 13, 2014 12:43 pm
Joined: Sat Sep 13, 2014 8:25 am
Posts: 16
@Mijzelf with the last instructions you posted, am I safe to conclude that it would also be possible to create a hard disk that boots a Debian installation?

If so, would you mind assisting me with that? If that works I could afterwards create a disk image that you could dd to a disk and have a working Debian installation on the kd20, which would be really nice.


PostPosted: Sun Sep 14, 2014 11:36 am
Joined: Mon Jun 16, 2008 10:45 am
Posts: 5995
Sure. To boot Debian you only need a Debian rootfs, and a relatively new kernel (you cannot run Wheezy on a 2.6.0 kernel). If that rootfs is on sda1, you only need to add 'root=/dev/sda1' to the commandline.

Here it already becomes tricky. Without serial access it's hard to change the u-boot script. The HMND CE u-boot tries to load uImage and uInitrd. No idea what happens when it can't find the uInitrd.
Further it's hard to change the commandline.

The remedy is simple. Just provide a simple initrd, with a simple bootscript:
Code:
#!/bin/sh

# Mount the real root filesystem and hand control to its init.
mkdir -p /newroot
mount /dev/sda1 /newroot
exec switch_root /newroot /sbin/init
/dev/sda1 needs to exist on the initramfs, and of course mount and switch_root need to be available.


PostPosted: Sun Sep 14, 2014 1:15 pm
Joined: Tue May 21, 2013 10:49 pm
Posts: 79
Hi,
I've tried to prepare the disk. If I understood correctly, I needed a clean disk with unallocated space and then to execute the following commands:

Code:
# zcat Iomega-HMNHD-CE-1st-32M.img.gz | dd of=/dev/sdb bs=1M
0+1024 records in
0+1024 records out
33554432 bytes (34 MB) copied, 1.70303 s, 19.7 MB/s
# dd if=uImage of=/dev/sdb bs=512 skip=1290
4699+1 records in
4699+1 records out
2405928 bytes (2.4 MB) copied, 1.05924 s, 2.3 MB/s
# dd if=rdimg.gz of=/dev/sdb bs=512 skip=16674
dd: `rdimg.gz': cannot skip to specified offset
0+0 records in
0+0 records out
0 bytes (0 B) copied, 0.000212376 s, 0.0 kB/s


but the last command gave me "dd: `rdimg.gz': cannot skip to specified offset"

Should I do something before zcat?


PostPosted: Sun Sep 14, 2014 2:06 pm
Joined: Sat Sep 13, 2014 8:25 am
Posts: 16
I think it should be seek for all the dd commands and not skip.

Skip is if you want to skip bytes from the INPUT.. and as far as I understood Mijzelf's story it should be placed at specific places of the OUTPUT which you do with seek.


PostPosted: Sun Sep 14, 2014 2:56 pm
Joined: Sat Sep 13, 2014 8:25 am
Posts: 16
When I try using seek instead of skip it sort of seems to work.

The only problem I now have is that you speak of an extra partition to save the log files on. How do I create said partition? All my partitioning tools don't like the first 32MB on the hard disk and complain about not being able to seek.


PostPosted: Sun Sep 14, 2014 3:28 pm
Joined: Tue May 21, 2013 10:49 pm
Posts: 79
christiaan wrote:
When I try using seek instead of skip it sort of seems to work.

The only problem I now have is that you speak of an extra partition to save the log files on. How do I create said partition? All my partitioning tools don't like the first 32MB on the hard disk and complain about not being able to seek.



Have you tried
mkfs -t vfat /dev/sdX1
?


PostPosted: Sun Sep 14, 2014 6:09 pm
Joined: Sat Sep 13, 2014 8:25 am
Posts: 16
There is no partition detected. So /dev/sda1 does not exist nor can I format it.

When running parted I get the following errors.
Code:
Invalid argument during seek for read on /dev/sda
Invalid argument during seek for read on /dev/sda
The backup GPT table is corrupt, but the primary appears OK, so that will be used.
/dev/sdb contains GPT signatures, indicating that it has a GPT table.  However, it does not have a valid fake msdos partition table, as it should.  Perhaps it was corrupted -- possibly by a program that doesn't understand GPT partition tables.  Or perhaps you deleted the GPT table, and are now using an msdos partition table.  Is this a GPT partition table?


PostPosted: Sun Sep 14, 2014 6:32 pm
Joined: Mon Jun 16, 2008 10:45 am
Posts: 5995
wicked wrote:
# dd if=uImage of=/dev/sdb bs=512 skip=1290
<snip>
# dd if=rdimg.gz of=/dev/sdb bs=512 skip=16674
dd: `rdimg.gz': cannot skip to specified offset

christiaan wrote:
I think it should be seek for all the dd commands and not skip.
Christiaan is right.
christiaan wrote:
There is no partition detected. So /dev/sda1 does not exist nor can I format it.

When running parted I get the following errors.
Code:
Invalid argument during seek for read on /dev/sda
Did you write uImage with seek instead of skip? Else the partition table is overwritten.
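
Added example (not part of the original posts): a Python model of what `dd` does with `skip=` versus `seek=` on the 32 MiB layout discussed above, plus a check that payloads do not run into the next region. The uImage size of 3,066,408 bytes is inferred from the record counts in the earlier dd output (1290 skipped blocks plus 2,405,928 bytes copied); the rdimg.gz size and the byte patterns are constructed.

```python
SECTOR = 512
IMAGE_SECTORS = 32 * 1024 * 1024 // SECTOR        # the 32 MiB recovery area
LAYOUT = {"uImage": 1290, "rdimg.gz": 16674}      # start sectors from the posts

UIMAGE_SIZE = 3066408    # inferred from the dd output quoted in the thread
INITRD_SIZE = 4000000    # constructed; anything below 16674 * 512 behaves alike


def dd(src, dst, skip=0, seek=0, bs=SECTOR):
    """Model `dd if=src of=dst bs=.. skip=.. seek=..` writing to a block device.

    skip drops blocks from the INPUT, seek moves the write position in the
    OUTPUT. Returns the number of bytes copied.
    """
    if skip * bs > len(src):
        return 0                  # GNU dd: "cannot skip to specified offset"
    data = src[skip * bs:]
    dst[seek * bs:seek * bs + len(data)] = data
    return len(data)


def check_layout(sizes, layout=LAYOUT, total=IMAGE_SECTORS):
    """List payloads (sizes in bytes) that would overrun the next region."""
    problems = []
    regions = sorted(layout.items(), key=lambda kv: kv[1])
    limits = [start for _, start in regions[1:]] + [total]
    for (name, start), limit in zip(regions, limits):
        end = start + -(-sizes[name] // SECTOR)   # round up to whole sectors
        if end > limit:
            problems.append(f"{name} ends at sector {end}, past {limit}")
    return problems


def demo(flag):
    """Write both payloads using skip= or seek= and report the outcome."""
    marker = b"P" * SECTOR        # stands in for sector 0 (partition table)
    disk = bytearray(marker + bytes((IMAGE_SECTORS - 1) * SECTOR))
    payloads = {"uImage": b"K" * UIMAGE_SIZE, "rdimg.gz": b"R" * INITRD_SIZE}
    copied = {name: dd(src, disk, **{flag: LAYOUT[name]})
              for name, src in payloads.items()}
    initrd_off = LAYOUT["rdimg.gz"] * SECTOR
    return {
        "copied": copied,
        "sector0_intact": bytes(disk[:SECTOR]) == marker,
        "initrd_at_16674": bytes(disk[initrd_off:initrd_off + 1]) == b"R",
    }


if __name__ == "__main__":
    for flag in ("skip", "seek"):
        print(flag, demo(flag))
    print(check_layout({"uImage": UIMAGE_SIZE, "rdimg.gz": INITRD_SIZE}) or "layout fits")
```

With `skip`, the model copies the same 2,405,928 bytes the earlier post shows, lands them at offset 0 of the disk and never writes the initrd; with `seek`, sector 0 is left alone and both payloads sit at their sectors.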


PostPosted: Sun Sep 14, 2014 6:34 pm
Joined: Sat Sep 13, 2014 8:25 am
Posts: 16
Yes. What I've also tried is just dd'ing that Iomega file. Even then it does not detect any partitions.

Code:
dd of=/dev/sda if=Iomega-HMNHD-CE-1st-32M.img bs=1M # I've extracted the img.gz

dd of=/dev/sda if=decrypted/uImage bs=512 seek=1290
dd of=/dev/sda if=decrypted/rdimg.gz.out bs=512 seek=16674

