Difference between revisions of "LS-GL Custom Firmware Development"

From NAS-Central Buffalo - The Linkstation Wiki

Revision as of 22:36, 15 December 2006

Any questions?

LS-GL Custom Firmware Development
This wiki page documents the work and progress in developing a custom firmware for the LS Pro (LS-GL). The goal of this page is to sort out the roadmap and accomplishments towards creating an OpenLink and FreeLink for the LS-GL. Though this page is mainly for developers, anyone is free to add their work.


The methods and information described below are intended for advanced users. Much of the information has not been verified by the development team. As a result, all users must exercise caution when performing any of the described methods. Failure to do so may result in a bricked Linkstation.

Please fix and update these sections. Also, please correct any grammar and spelling errors. Thanks -- jonli447

Using the Firmware Updater

It is apparent that, as with all of the Linkstations, the firmware updater will not update the firmware if the LS-GL reports the same firmware version as the one that is to be sent to the LS-GL (i.e. a modified firmware). The workaround is to:

  • Add to lsupdater.ini
Debug = 1
  • Change in lsupdater.ini
VersionCheck = 1
to
VersionCheck = 0
  • Open linkstation_version.txt in any text editor (i.e. vi). Edit either the BOOT=, KERNEL=, INITRD=, or ROOTFS= (this is the main firmware and filesystem) to choose what to update by changing the version to a higher number.
    • i.e. by setting rootfs to a higher number, the filesystem will get updated, but uboot, kernel, and initrd won't get updated.
  • Steps originally drafted by Georg.

Note: We are not positive whether only one segment (i.e. rootfs) will get updated. This method must be fully tested to find this out.

jonli, should I move the following more technical part about Eric's excellent work into a separate section? - Georg

Updater Specifications

  • As EricC documented, on the LS-GL side clientUtil_server handles the update process and replies to various "ACP" commands, which are similar for the LS-GL and the Kurobox:
  • LSP Commands
8020 ACP_Discover
80A0 ACP_?? Possible Password?
8B10 ACP_?? Sent after 8080 and contains the filename. TCP File transfer starts after reply
8B20 ACP_?? Sent after TCP file transfer
  • LSP Responses
C020 ACP_Discover_Reply
C0A0 Reply of 80A0
CA10 ACP_CMD_Reply
CB10 ACP_??_Reply 8B10
CB20 ACP_??_Reply 8B20
CB21 Sent after CB20. Same format with data changes. Update complete?
  • KuroBox Commands
8020 ACP_Discover
8090 ACP_Info_HDD
  • KuroBox Responses
C020 ACP_Discover_Reply
  • Looking at the command word
Bit 15 = 1
Bit 14 is 0 for command and 1 for reply
Bits 11 to 8 appear to be the command class
Bits 7 to 4 appear to be the command in the class.
Bits 3 to 0 appear to be a sequence number in the response.
  • The updater on the LS-GL receives zipped images and tries to unzip them by testing for the following passwords
    • 1NIf_2yUOlRDpYZUVNqboRpMBoZwT4PzoUvOPUp6l
    • aAhvlM1Yp7_2VSm6BhgkmTOrCN1JyE0C5Q6cB3oBB
    • YvSInIQopeipx66t_DCdfEvfP47qeVPhNhAuSYmA4
    • IeY8omJwGlGkIbJm2FH_MV4fLsXE8ieu0gNYwE6Ty
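
The command-word layout listed above, worked through as a decoder (an added example, not code from the wiki or from acp_commander). It operates on the 16-bit word values only and assumes nothing about byte order on the wire; the names AcpWord, decode, request_for and pair_up are made up for this example, and bits 13 and 12, which the page does not describe, are left untouched.

```python
from dataclasses import dataclass

# Names from the command lists on this page; words the page marks "ACP_??"
# are left out on purpose and decode as "unknown".
KNOWN = {0x8020: "ACP_Discover", 0x8090: "ACP_Info_HDD",
         0xC020: "ACP_Discover_Reply", 0xCA10: "ACP_CMD_Reply"}

@dataclass(frozen=True)
class AcpWord:
    word: int
    is_reply: bool   # bit 14
    cmd_class: int   # bits 11-8
    command: int     # bits 7-4
    sequence: int    # bits 3-0, used in responses
    name: str

def decode(word: int) -> AcpWord:
    """Split a 16-bit command word into the fields described on the page."""
    if not 0 <= word <= 0xFFFF:
        raise ValueError("command word must fit in 16 bits")
    if not word & 0x8000:
        raise ValueError(f"{word:#06x}: bit 15 clear, not an ACP command word")
    return AcpWord(word, bool(word & 0x4000), (word >> 8) & 0xF,
                   (word >> 4) & 0xF, word & 0xF, KNOWN.get(word, "unknown"))

def request_for(reply: int) -> int:
    """Command word a reply answers: clear bit 14 and the sequence nibble."""
    if not decode(reply).is_reply:
        raise ValueError(f"{reply:#06x} is a command, not a reply")
    return reply & 0xBFF0

def pair_up(words):
    """Group replies under their command; collect replies with no command seen."""
    pairs, unsolicited = {}, []
    for w in words:
        if not decode(w).is_reply:
            pairs.setdefault(w, [])
        elif request_for(w) in pairs:
            pairs[request_for(w)].append(w)
        else:
            unsolicited.append(w)
    return pairs, unsolicited

# Constructed sample: the update exchange from the lists above, followed by
# a CA10 reply for which no matching 8A10 command was observed.
SAMPLE = [0x8020, 0xC020, 0x8B10, 0xCB10, 0x8B20, 0xCB20, 0xCB21, 0xCA10]

if __name__ == "__main__":
    print(pair_up(SAMPLE))
```

In the sample, CB21 groups under 8B20 because only its sequence nibble differs from CB20, which matches the page's note that CB21 follows CB20 in the same format.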

Telnet Access

We have successfully managed to create a telnet-enabled firmware for the LS-GL. Fortunately for us, the LS-GL already came with a telnet binary in the stock firmware. Telnet can be enabled by uncommenting line 42 in /etc/init.d/rcS and repackaging hddrootfs.

There is a pre-made telnet enabled firmware available here.

Note: The above firmware package does enable root access.

Removing Root Password

There are two known successful ways of removing the root password. You can use the "manual method" or use a special "clearroot" method (the telnet enabled firmware contains the "clearroot" method). A possible third method is to use the firmware updater's debug tags.

Manual Method

The general idea is to connect the SATA drive to a desktop running a Linux distribution (i.e. Knoppix or Ubuntu), then remove the root password in /etc/shadow.

Detailed Steps

1) Connect the hard drive to a pc running Linux (i.e. Knoppix boots directly from cd/dvd)

2) Find out how it was recognized. (i.e. in Knoppix there are some shortcuts on the desktop).

3) Open a shell/commandline/terminal.

4) Mount the second partition of the sata hdd to somewhere.

5) Delete everything on the partition

6) Download the telnet enabled hddrootfs.img located in this zip

7) Unzip hddrootfs.img... you will be prompted for a password. It is:


8) Untar the resulting file to the second partition:

tar xzvf <file> -C <path_where_you_mounted_the_second_partition>

9*) mount /dev/sda1 (assuming the sata drive is the first special drive connected on the pc) somewhere

  • extract conf_saved.tgz, remove password in etc/shadow to look like:

10*) re-tar the contents of conf_saved.tgz, replace conf_saved.tgz on /dev/sda1, umount

(*)These steps still need to be tested further!!!

  • Steps originally drafted by mindbender.

Heinz' Method

Heinz made a script to automatically convert a downloaded stock firmware into a telnet enabled firmware with root access. The script is made for the German firmware. The script is available here. Heinz also made a pre-made firmware package with his script. It can be downloaded here.

  • Testing Needed

The script mainly does the following things:

  • retrieving the actual firmware update from the buffalo site.
  • unzip the archive to a tmp directory
  • modify linkstation_version, because the updater only updates "newer" firmwares. It seems this can be overridden in the debug mode (see Georg's changes)
  • to modify the installed image, it is unzipped (using the current password)
  • then, to start the (already installed) telnetd, some comments in the rcS script are removed.
  • because the password of the root login is not known, it needs to be removed. Modifying /etc/shadow had not worked, so currently we change the web interface, which runs with root permissions, to do it for us.
  • reverse the whole zip/tar process to create a usable firmware update again.


Georg's Method

Script method

Georg modified Heinz' automatic script. For those with access, the script is available in LS_Pro Temporary Upload Folder for Telnet Enabled Firmwares. The script untars the firmware, sets the current dates in linkstation_version.txt (allows exchange of kernel etc.) and adds the debug flag for LSUpdater.exe. Furthermore, telnetd is started during boot and the web interface scripts are altered in order to clear the root password when "creating" user 'clearroot'. Thanks to MartinP, the latest version uses the correct path to passwd (/usr/sbin). It also offers command line parameters to exchange kernel, uboot and untar an additional tar file into the root file system (see option -h).

  • Testing Needed

Run the script as user root. If the zipped firmware file is not present, the script tries to get it from Buffalo's server. If you don't want the script to delete the temporary directory (e.g. to directly run LSUpdater.exe or for further modifications), add option -d.


Buffalo's updater software LSUpdater.exe uses ACP commands to communicate with the box. While writing a Java program (acp_commander) that uses this communication path, Georg accidentally found a bug in the Linkstation's software. Sending a malformed ACP_CMD disables the whole authentication process Buffalo implemented. After that it is possible to send ACP_CMDs that start telnetd and remove the root password.

  • Testing Needed

This is not fully tested and might brick your linkstation!

Run the jar with the option -o for opening (telnet, clear root password) the target -t:

java -jar acp_commander.jar -t linkstation -o


Cross Toolchain

Todo: Import information from forum.

Native Toolchain

  • Yugi has managed to get a working native toolchain. It is available here
  • An updated native toolchain containing gcc-4.1.1 is currently being developed.

Todo: Import information from forum here.


  • Development for the LS-GL is too young. Official Openlink development has not started yet.

Oh1jty's Firmware

version 1.03-0.51-jtymod5

Home menu shows mem, load and uptime
Give shell commands


lb_worm has managed to Debianize the LS-GL. Though this is not an official FreeLink yet, it is a tremendous start. See Debian for more information.

Testers are currently needed. The Debian (FreeLink) distribution can be downloaded at http://downloads.linkstationwiki.net/arm9-LS_Pro/Freelink/ .

Please Note: FreeLink can only be installed manually, not through the LS-GL updater (we'll take care of this soon).

Todo: Import information from forum.

Development Tools

  • For the same reasons as OpenLink, development tools have not been created yet.

Other Development

GPL Kernel

lb_worm and jonli_447 are currently working on the kernel project. See Outlook on LS Pro Kernel Development

NFS and USB Printer support modules have been compiled and have been reported to work. The kernel relies on lb_worm's alternative initrd to load.

Todo: Import information from forum.

Custom Updater

See Opensource_Firmware_Updater and LS-GL Custom Updater Thread for more information.

Todo: Import information from the forum here.


This is just an idea at the moment. See Optware IPKG Feed Poll


Some binaries (i.e. wget) have been compiled for the LS-GL.

Please post successfully compiled binaries that should be included in an OpenLink here.

  • wget

User Accomplishments

Please post accomplishments that don't fit into the above categories here

  • Someone got ssh up and running (sorry, I can't remember who...please give credit if you know).

Related Forum Topics

Todo: Add information to above sections.