LS-GL Custom Firmware Development

From NAS-Central Buffalo - The Linkstation Wiki
Revision as of 04:44, 24 April 2007 by Goat (Talk | contribs)

Jump to: navigation, search
Any questions?

LS-GL Custom Firmware Development
This wiki page is to document the work and progress in developing a custom firmware for the LS Pro (LS-GL) The goal of this page is to sort out the roadmap and accomplishments towards creating an OpenLink and FreeLink for the LS-GL. Though this page is mainly for developers, anyone is free to add their work.


Nuvola apps important.png 
WARNING!

The methods and information described below are intended for advanced users. Much of the information has not been verified by the development team. As a result, all users must exercise caution when performing any of the described methods. Failure to do so may result in a bricked Linkstation.


Please fix and update these sections. Also, please correct any grammar and spelling errors. Thanks -- jonli447

Contents

Using the Firmware Updater

It is aparent, like all of the Linkstations, that the firmware does not want to update the firmware if the LS-GL reports the same firmware version as the the one to be that's to be sent to the LS-GL (i.e. a modified firmware). The work around is to:

  • Add to lsupdater.ini
[SpecialFlags]
Debug = 1
  • Change in lsupdater.ini
VersionCheck = 1

to

VersionCheck = 0
  • Open linkstation_version.txt in any text editor (i.e. vi). Edit either the BOOT=, KERNEL=, INITRD=, or ROOTFS= (this is the main firmware and filesystem) to choose what to update by changing the version to a higher number.
    • i.e. by setting rootfs to a higher number, the filesystem will get updated, but uboot, kernel, and initrd won't get updated.
  • Steps originally drafted by Georg.

Note: We are not positive if only one segmet (i.e. rootfs) will get updated. This method must be fully tested to find this out.

jonli, should I move the following more technical part about Erics excellent work into a separate section? - Georg

Updater Specifications

  • As EricC documented on the LS-GL side clientUtil_server handles the update process and replies to various "ACP"-Commands, which are similar for the LS-GL and the Kurobox:
  • LSP Commands
8020 ACP_Discover
8080 ACP_FIRMUP2
80A0 ACP_?? Possible Password?
8A10 ACP_CMD
8B10 ACP_?? Sent after 8080 and contains the filename. TCP File transfer starts after reply
8B20 ACP_?? Sent after TCP file transfer
  • LSP Responses
C020 ACP_Discover_Reply
COAO Reply of 80A0
CA10 ACP_CMD_Reply
CB10 ACP_??_Reply 8B10
CB20 ACP_??_Reply 8B20
CB21 Sent after CB20. Same format with data changes Update complete?
  • KuroBox Commands
8020 ACP_Discover
8070 ACP_FIRMUP_END
8080 ACP_FIRMUP2
8090 ACP_Info_HDD
8A10 ACP_CMD
  • KuroBox Responses
C020 ACP_Discover_Reply
  • Looking at the command word
Bit 15 = 1
Bit 14 is 0 for command and 1 for reply
Bits 11 to 8 appear to be the command class
Bits 7 to 4 appear to be the command in the class.
Bits 3 to 0 appear to be a sequence number in the response.
  • The updater on the LS-GL receives ziped images and tries to unzip them by testing for the following passwords
    • 1NIf_2yUOlRDpYZUVNqboRpMBoZwT4PzoUvOPUp6l
    • aAhvlM1Yp7_2VSm6BhgkmTOrCN1JyE0C5Q6cB3oBB
    • YvSInIQopeipx66t_DCdfEvfP47qeVPhNhAuSYmA4
    • IeY8omJwGlGkIbJm2FH_MV4fLsXE8ieu0gNYwE6Ty

Telnet Access

We have successfully managed to create a telnet-enabled firmware for the LS-GL. Fortunately for us, the LS-GL already came with a telnet binary in the stock firmware. Telnet can be enabled by uncommenting line 42 in /etc/init.d/rcS and repackaging hddrootfs.

There is a pre-made telnet enabled firmware available at here.

Note: The above firmware package does enable root access.

Removing Root Password

There are two known successful ways for removing the root password. You can euse the "manual method" or uses a special "clearroot" method (The telnet enabled firmware contains the "clearroot" method). Possibly a third method is to use the firmware updater's debug tags.

Manual Method

The general idea is to open connect the sata drive to a desktop running a linux distribution (i.e. Knoppix or Ubuntu). Then remove root password in /etc/shadow.


Detailed Steps

1) Connect the hard drive to a pc running Linux (i.e. Knoppix boots directly from cd/dvd)

2) Find out how it was recognized. (i.e. in Knoppix there are some shortcuts on the desktop).

3) Open a shell/commandline/terminal.

4) Mount the second partition of the sata hdd to somewhere.

5) Delete everything on the partition

6) Download the telnet enabled hddrootfs.img located in this zip

7) Unzip hddrootfs.img...you will be prompted for a password. it is:

IeY8omJwGlGkIbJm2FH_MV4fLsXE8ieu0gNYwE6Ty 

8) Untar the resulting file to the second partition:

tar xzvf <file> <path_where_you_mounted_the_second_partition> 

9*) mount /dev/sda1 (assuming the sata drive is the first special drive connected on the pc) somewhere

  • extract conf_saved.tgz, remove password in etc/shadow to look like:
root::11009:0:99999:7:::

10*) re-tar the contents of conf_saved.tgz, replace conf_saved.tgz to /dev/sda1, umount


(*)These steps still need to be tested further!!!

  • Steps originally drafted by mindbender.

Heinz' Method

Heinz made a script to automatically convert a downloaded stock firmware into a telnet enabled firmware with root access. The script is made for the German firmware. The script is available here. Heinz also made a pre-made firmware package with his script. It can be downloaded here.

  • Testing Needed

The script mainly does the following things:

  • retrieving the actual firmware update from the buffalo site.
  • unzip the archive to a tmp directory
  • modify linkstation_version, because the updater only updates "newer" firmwares. It seems this can be overwritten in the debug mode (see georg's changes)
  • for modifing the installed image. it is unzipped (using the current password)
  • then to start the (already installed) telnetd, some comments in the rcS script are removed.
  • because the password of the root login is not known, it needs to be removed. Modifing /etc/shadow had not worked, so currently we change the web interface, which runs with root permissions, to do it for us.
  • reverse the whole zip/tar process to create a useable firmware update again.

Instructions

Georg's Method

Script method

Georg modified Heinz' automatic script. For those with access, the script it is available in LS_Pro Temporary Upload Folder for Telnet Enabled Firmwares The script untars the firmware, sets the current dates in linkstation_version.txt (allows exchange of kernel etc.) and adds the debug flag for LSUpdater.exe. Further telnetd is started during boot and the web interface scripts are altered in order to clear the root password when "creating" user 'clearroot'. Thanks to MartinP, the latest version uses the correct path to passwd (/usr/sbin). It also offers command line parameters to exchange kernel, uboot and untar an additional tar file into the root file system (see option -h).

  • Testing Needed
Instructions

Run the script as user root, if the zipped firmware file is not present, the script tries to get it from buffalos server. If you don't want the script to delete the temporary directory (e.g. to directly run LSUpdater.exe or for further modifications) add option -d.

acp_commander

Buffalos updater software LSUpdater.exe uses ACP commands to communicate with the box. Upon writing a java software (acp_commander) that uses this communication path Georg accidentally found a bug in the Linkstations software. Sending a mailformed ACP_CMD disables the whole authentication process buffalo implemented. After that it is possible to send ACP_CMD's starting telnetd and removing the root password.

  • Testing Needed
Instructions

This is not fully tested and might brick your linkstation!

Run the jar with the option -o for opening (telnet, clear root password) the target -t:

java -jar acp_commander.jar -t linkstation -o

Toolchains

Cross Toolchain

Todo: Import information from forum.

ScratchBox

Scratchbox is a cross-compilation toolkit designed to make embedded Linux application development easier. This sandboxed environment allows you to do a simple ./configure; ./make; ./make install without specifying any additional --host or --target parameters when starting configure. Please consult the ScratchBox installation manual for more information. Scratchbox makes use of the cross compiler mentioned above to compile and link ARM binaries for the LS Pro. Make sure to download the so called "legacy" version.

Native Toolchain

  • Yugi has managed to get a working native toolchain. It is available here
  • An updated native toolchain containing gcc-4.1.1 is currently being developed.

Todo: Import information from forum here.

OpenLink

  • Development for the LS-GL is too young. Official Openlink development has not started yet.

Oh1jty's Firmware

version 1.03-0.51-jtymod5

Home menu shows mem, load and uptime
Give shell commands

FreeLink

lb_worm has managed to Debanize the LS-GL. Though this is not an official FreeLink yet, it is a tremendous start. See Debian for more information.

Testers are currently needed. The Debian (FreeLink) distrobution can be downloaded at http://downloads.linkstationwiki.net/arm9-LS_Pro/Freelink/ .

Please Note: FreeLink can only be installed manually, not through the LS-GL updater (we'll take care of this soon).

Todo: Import information from forum.

Development Tools

Other Development

GPL Kernel

lb_worm and jonli_447 are currently working on the kernel project. See Outlook on LS Pro Kernel Development

NFS and USB Printer support modules have been compiled and have been reported to work. The kernel relies on lb_worm's alternative initrd to load.

Todo: Import information from forum.

Custom Updater

See Opensource_Firmware_Updater and LS-GL Custom Updater Thread for more information.

Todo: Import information from the forum here.

IPKG Feed

This is just idea at the moment. See Optware IPKG Feed Poll

Binaries

Some binaries (i.e. wget) have been compiled for the LS-GL.

Please post successfully binaries that should be included in an OpenLink here.

  • wget

User Accomplishments

Please post accomplishments that don't fit into the above categories here

  • jtymod got ssh up and running, enhanced the webinterfaces sp you can controll telnet + ssh + a mediaserver
  • chroot Arm Build Environment by armstation

Why: To not fill up LinkStation's system partition & To test toolchains and building programs without risk of breaking anything

1) Create a chroot somewhere outside of the LinkStation system partition.

mkdir /mnt/disk1/share/arm-tools

2) Transfer entire Linkstation system to build directory.

cd /
for d in `ls |grep -v dev |grep -v proc|grep -v mnt`
do
tar -cvf /mnt/disk1/share/arm-tools/$d.tar $d
done

3) Unpack the system directories.

cd /mnt/disk1/share/arm-tools
for f in *.tar
do
tar -xvf $f
done

4) Download jonli447's excellent arm-tools and copy them into /mnt/disk1/share/arm-tools/ then Gunzip & Untar the arm tools

tar -xvzf arm-tools-0_16-3.tgz

5) Mount special files in chroot environment (thanks Zoolook)

mount -t proc none /mnt/disk1/share/arm-tools/proc 
mount -o bind /dev /mnt/disk1/share/arm-tools/dev

6) Create /opt directory in chroot

mkdir /mnt/disk1/share/arm-tools/opt

7) Create symbolic link from chrooted /opt to system /opt

ln -s /mnt/disk1/share/arm-tools/opt /opt

8) chroot into development environment.

chroot /mnt/disk1/share/arm-tools /bin/sh

That's it, now everyting compiled and installed to /opt from chroot will be available from the main Linkstation system without adding any files to the system partition besides 1 symbolic link.

Related Forum Topics

Todo: Add information to above sections.