Open Stock Firmware LS-WXL

= Info =
This HowTo was written while opening a 2TB LS-WXL, which came with 1.22 Firmware and was afterwards updated with 1.31. The instructions are the same for the new version, with small differences (paths, password). However, do remember that YOU COULD BRICK YOUR BOX! You, and only you, can be held responsible for this!

Also, this HowTo has never been tested on a brand new LinkStation Duo, but feel free to remove this line when you successfully tested it. Also please add anything you think would help others! Thanks!


 * Tested with brand-new 2TB Linkstation Duo (European). All procedures below worked fine with 1.34 Firmware.
 * Tested with brand-new 2TB Linkstation Pro Duo LS-WVL. All procedures below (password from FW 1.37) worked fine with 1.4 Firmware.
 * Tested with brand-new 2TB Linkstation Duo (European). All procedures below worked fine with 1.43 Firmware.
 * Password from FW 1.37
 * Updated Firmware after enabling EM Mode

= Prerequisites =
You will need the following things to open up the Firmware:
 * Buffalo LinkStation Duo (LS-WXL)
 * A working linux for firmware manipulation
 * ACP Commander
 * 1.24 Firmware of your NAS
 * A share on your NAS accessible via SFTP

= Let's start! =

Prepare the LinkStation
It's best for opening the firmware if there is no RAID active. Having one active means that it could take a little bit longer until the firmware is open. Responsible for this longer time is the required sync of the drives after each boot.

Create a share that supports at least SFTP on your first drive. In this HowTo I will call it "share". Now open your SFTP application and connect to it as admin with your password. You will be in the /mnt/ directory, so go to your first drive and into your share. Create a file named "emergency.sh" and insert the following lines:

    #!/bin/sh

    # General Information
    echo -n "Last Boot: " > /mnt/disk1/share/lastboot.txt
    date >> /mnt/disk1/share/lastboot.txt
    echo -n "Who Am I: " >> /mnt/disk1/share/lastboot.txt
    whoami >> /mnt/disk1/share/lastboot.txt

    # Change root password
    echo "root:newpass" | chpasswd

Be sure to set the right path for the lastboot.txt and change the "newpass" to your new password! Finally set chmod +x on this new file and exit your SFTP app. Now comes the hacking!

Patching the Firmware
Download the original firmware from Buffalo and extract it to a directory on your Linux box. Next we want to change the content of hddrootfs.img, so we extract it:

    unzip hddrootfs.img

You will be asked for a password, which should be

    1NIf_2yUOlRDpYZUVNqboRpMBoZwT4PzoUvOPUp6l

Use the second password with version 131:

    aAhvlM1Yp7_2VSm6BhgkmTOrCN1JyE0C5Q6cB3oBB

Use the second password with version 137:

    YvSInIQopeipx66t_DCdfEvfP47qeVPhNhAuSYmA4

Now create a folder for unpacking the firmware and extract hddrootfs.buffalo.updated into it:

    mkdir
    cd
    tar -xz --numeric-owner -p -f ../hddrootfs.buffalo.updated

Open up etc/sshd_config with your favourite text editor and change the content to this:

    #       $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $

    # This is the sshd server system-wide configuration file.  See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options change a
    # default value.

    #Port 22
    #Protocol 2,1
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    # HostKey for protocol version 1
    #HostKey /etc/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh_host_rsa_key
    #HostKey /etc/ssh_host_dsa_key
    HostKey /etc/apache/server.key

    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 768

    # Logging
    #obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    #LogLevel INFO

    # Authentication:

    #LoginGraceTime 2m
    PermitRootLogin yes
    #StrictModes yes

    #RSAAuthentication yes
    #PubkeyAuthentication yes
    #AuthorizedKeysFile    .ssh/authorized_keys

    # For this to work you will also need host keys in /etc/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    PermitEmptyPasswords yes

    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes

    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes

    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCreds yes

    # Set this to 'yes' to enable PAM authentication (via challenge-response)
    # and session processing. Depending on your PAM configuration, this may
    # bypass the setting of 'PasswordAuthentication'
    UsePAM yes

    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #KeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    PermitUserEnvironment yes
    #Compression yes
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10

    # no default banner path
    #Banner /some/path

    # override default of no subsystems
    Subsystem      sftp    /usr/local/libexec/sftp-server

Next open etc/init.d/rcS and add the four following lines at the end of it:

    # In case of an emergency, we start this script
    [ -f /mnt/disk1/share/emergency.sh ] && /mnt/disk1/share/emergency.sh
    [ -f /mnt/disk2/share/emergency.sh ] && /mnt/disk2/share/emergency.sh
    [ -f /mnt/array1/share/emergency.sh ] && /mnt/array1/share/emergency.sh

Be sure to add the right path!

Now we pack the firmware again. Get into the root directory of the unpacked firmware and execute the following lines:

    tar -czf ../hddrootfs.buffalo.updated-new -C /absolute/path/to/extracted_image *
    cd ..
    mv hddrootfs.buffalo.updated hddrootfs.buffalo.updated-old
    mv hddrootfs.buffalo.updated-new hddrootfs.buffalo.updated
    zip -e hddrootfs.img hddrootfs.buffalo.updated

Again you will be asked for the password. Be sure to use the same password that you used for extracting before. Otherwise the NAS will not be able to extract it and you'll have a bricked box!
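A wrong path or a syntax slip in rcS only shows up after flashing, so the patched tree and the repacked archive can be checked first. This is an added example, not part of the original HowTo; the function names are hypothetical and it assumes rcS is a POSIX shell script.

```shell
#!/bin/sh
# Added example (not from the original HowTo): pre-flash checks for a patched
# LS-WXL root filesystem. Assumes rcS is a POSIX shell script.

# check_rootfs ROOT: ROOT is the directory the firmware was unpacked into.
check_rootfs() {
    root=$1; rc=0
    rcs="$root/etc/init.d/rcS"; cfg="$root/etc/sshd_config"
    for f in "$rcs" "$cfg"; do
        [ -f "$f" ] || { echo "missing: $f"; return 1; }
    done
    # rcS runs on every boot, so parse it without executing it.
    sh -n "$rcs" 2>/dev/null || { echo "rcS: shell syntax error"; rc=1; }
    # The hook must test for the file and then run that same path.
    grep -q '^\[ -f \(/mnt/[^ ]*/emergency\.sh\) ] && \1[[:space:]]*$' "$rcs" ||
        { echo "rcS: no guarded emergency.sh hook"; rc=1; }
    # Root SSH login needs an uncommented PermitRootLogin yes.
    grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes([[:space:]]|$)' "$cfg" ||
        { echo "sshd_config: PermitRootLogin yes not set"; rc=1; }
    return "$rc"
}

# check_archive ARCHIVE ROOT: the repacked tarball must hold rcS at the top
# level (etc/..., not extracted_image/etc/...) and match the patched tree.
check_archive() {
    archive=$1; root=$2
    member=$(tar -tzf "$archive" 2>/dev/null |
        grep -E '^(\./)?etc/init\.d/rcS$' | head -n 1)
    [ -n "$member" ] ||
        { echo "archive: unreadable, or etc/init.d/rcS not at top level"; return 1; }
    tar -xzOf "$archive" "$member" | cmp -s - "$root/etc/init.d/rcS" ||
        { echo "archive: rcS differs from the patched tree"; return 1; }
}

# Usage: sh preflash_check.sh ROOT ARCHIVE
if [ "$#" -ge 2 ]; then
    check_rootfs "$1" && check_archive "$2" "$1"
fi
```

Run it against the unpacked directory and hddrootfs.buffalo.updated before the zip -e step; any printed line names the file to fix.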

That's for patching the firmware, now update the box!

Updating the Firmware
Rename the original hddrootfs.img in your LSUpdater folder and copy the patched hddrootfs.img into that folder. You might need to modify the LSUpdater.ini file for reflashing the same version:

    [Flags]
    VersionCheck = 0
    [SpecialFlags]
    Debug = 1

Send the NAS into EM Mode. With earlier updates it was possible to change some values in the LSUpdater.ini to re-update the NAS with the same firmware that was running on the box, but this doesn't work with the latest version. For EM-Mode (aka Emergency Mode aka Engineering Mode) start ACP Commander with the following parameters:

    java -jar acp_commander.jar -t  -emmode

You will be asked for a password; enter the one you use for the admin login. When ACP Commander shows you success messages, reboot the box. You can do this via the WebIf or via ACP Commander, too. Just change the "-emmode" to "-reboot".

Wait a few seconds after the fan of the NAS has slowed down, then start LSUpdater.exe. If ACP Commander was successful, LSUpdater will find a box named "LS-WXL-EMxxx" (xxx = last three chars of the MAC). Click Update and go make a coffee or something; this will take a while.

Checking for success
After the reboot, watch the share you created earlier. A "lastboot.txt" with a very recent time stamp should appear there. If not, wait a few minutes (especially if you have a RAID active). When the file appears, open it; if it does not, look for the error in the rcS script and check that you created the emergency.sh script correctly, with the execution bits set. When lastboot.txt opens and you see a recent date and the "Who Am I" states root, try an SSH login. Currently no Keyboard Interactive Auth is available, so make sure your client doesn't try this (for PuTTY: Connection > SSH > Auth: untick 'Attempt "keyboard-interactive" auth (SSH-2)').

Connecting via command line (ssh)
To deactivate the keyboard-interactive authentication and to start a console ssh session issue the following command:

ssh -o PasswordAuthentication=yes -o KbdInteractiveAuthentication=no -o ChallengeResponseAuthentication=no root@

When you are prompted for the password enter the root password you provided in the emergency.sh (In the example it is "newpass" without the quotes)

Final Steps

 * Set a new root password with passwd.
 * If you want to use a RAID, then change the line in rcS so you can use the emergency.sh in the future again!
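The sshd_config installed by this HowTo stays in place after the first login. As an added example (not part of the original HowTo), this script reports which of those settings are in effect in a given sshd_config; the function names are made up for the example, and the /etc/apache check assumes that path holds the web server's key, as the file name suggests.

```shell
#!/bin/sh
# Added example (not from the original HowTo): report which of the settings
# from the patched sshd_config are in effect. sshd uses the first value it
# reads for a keyword, and keywords are case-insensitive.

# sshd_effective FILE KEYWORD: print the first uncommented value of KEYWORD.
sshd_effective() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }        # skip comments and blank lines
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd FILE: print one finding per line; exit status is the finding count.
audit_sshd() {
    cfg=$1; n=0
    for kw in PermitEmptyPasswords PermitRootLogin PermitUserEnvironment; do
        val=$(sshd_effective "$cfg" "$kw")
        if [ "$val" = "yes" ]; then
            echo "$kw yes is in effect"
            n=$((n + 1))
        fi
    done
    # HostKey may appear several times, so look at every uncommented line.
    # Assumption: a key under /etc/apache belongs to the web server.
    for key in $(awk '!/^[ \t]*#/ && tolower($1) == "hostkey" { print $2 }' "$cfg"); do
        case $key in
            /etc/apache/*)
                echo "HostKey $key is shared with the web server"
                n=$((n + 1)) ;;
        esac
    done
    return "$n"
}

# Usage: sh audit_sshd.sh /etc/sshd_config
if [ "$#" -ge 1 ]; then
    audit_sshd "$1"
fi
```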

= TODO =
 * Enable Keyboard Auth
 * SFTP doesn't work for root account
 * Telnet login not allowed for root (this is by design, and it should stay that way)

= Credits =
Initial HowTo by meilon: "Big Thanks to kenatonline, who was always hinting at the right directions. Without him this HowTo would not be!" Password from Firmware_password, which luckily worked, so I didn't have to find it out on my own.