Open Stock Firmware LS-WXL

From NAS-Central Buffalo - The Linkstation Wiki
Revision as of 12:32, 21 February 2010 by Meilon (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Nuvola apps important.png 
WARNING!

CAUTION: Experts only


Kurobrick.png
WARNING!

There is a possibility that you could brick your NAS with these instructions. Please make sure that you read the entire page carefully.



Contents

Info

This HowTo was made during opening an 2TB LS-WXL, which came with 1.22 Firmware and was afterwards updated with 1.24. The Author of this HowTo can't assure you, that everything will work fine. YOU COULD BRICK YOUR BOX! You, and only you, can be held responsible for this!

Also, this HowTo has never been tested on a brand new LinkStation Duo, but feel free to remove this line when you successfully tested it. Also please add anything you think would help others! Thanks!

Prerequisites

You will need the following thing to open up the Firmware:

  • Buffalo LinkStation Duo (LS-WXL)
  • A working linux for firmware manipulation
  • ACP Commander
  • 1.24 Firmware of your NAS
  • A share on your NAS accessible via SFTP

Let's start!

Prepare the LinkStation

It's best for opening the firmware if there is no RAID active. Having one active means that it could take a little bit longer until the firmware is open. Responsible for this longer time is the required sync of the drives after each boot.

Create a share with support at least for SFTP on your first drive. In this HowTo I will call it "share". Now open up your SFTP Application and connect as admin and your password to it. You will be in the /mnt/ directory, so go on your first drive and into your share. Create a file named "emergency.sh" and insert the following lines:

#!/bin/sh

#General Information
echo -n "Last Boot: " > /mnt/disk1/share/lastboot.txt
date >> /mnt/disk1/share/lastboot.txt
echo -n "Who Am I:  " >> /mnt/disk1/share/lastboot.txt
whoami >> /mnt/disk1/share/lastboot.txt 
#Make a backup of both shadow files
cp /etc/shadow /mnt/disk1/share/backup/shadow
cp /etc/shadow- /mnt/disk1/share/backup/shadow-
#Show us the content of the shadow file
echo ""
echo "Content of /etc/shadow"
cat /etc/shadow >> /mnt/disk1/share/lastboot.txt
echo ""
echo "Content of /etc/shadow-"
cat /etc/shadow- >> /mnt/disk1/share/lastboot.txt

#Remove the root password
#sed 's/<crypted root pw>//g' /etc/shadow /etc/shadow
#sed 's/<crypted root pw>//g' /etc/shadow- /etc/shadow-

Finally set chmod +x on this new file and exit your SFTP app. Now comes the hacking!

Patching the Firmware

Download and extract the original firmware download from buffalo to a directory on your linux box. Next we want to change the content in the hddrootfs.img so we extract it:

unzip hddrootfs.img

You will be asked for a password, which should be

1NIf_2yUOlRDpYZUVNqboRpMBoZwT4PzoUvOPUp6l

Now create a folder for unpacking the firmware and extract the hddrootfs.buffalo.updated into it

mkdir <foldername>
cd <foldername>
tar -xz --numeric-owner -p -f ../hddrootfs.buffalo.updated

Open up etc/sshd_config with your favourite text editor and change the content to this:

#       $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value. 

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress :: 

# HostKey for protocol version 1
#HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key
HostKey /etc/apache/server.key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PermitEmptyPasswords yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
PermitUserEnvironment yes
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem       sftp    /usr/local/libexec/sftp-server

Next open etc/init.d/rcS and add the two following lines at the end of it

# In case of an emergency, we start this script
[ -f /mnt/disk1/share/emergency.sh ] && /mnt/disk1/share/emergency.sh

Be sure to add the right path!

Now we pack the firmware again. Get into the root directory of the unpacked firmware and execute the following line:

tar -czf ../hddrootfs.buffalo.updated-new -C /absolute/path/to/extracted_image *
cd ..
mv hddrootfs.buffalo.updated hddrootfs.buffalo.updated-old
mv hddrootfs.buffalo.updated-new hddrootfs.buffalo.updated
zip -e hddrootfs.img hddrootfs.buffalo.updated

Again you will be asked for the password. Be sure to take the same pasword that you took for extracting before. Otherwiese the NAS will not be able to extract it and you'll have bricked box!

That's for patching the firmware, now update the box!

Updating the Firmware

Rename the original hddrootfs.img in your LSUpdater Folder and copy the patched hddrootfs.img into that folder.

Send the NAS into EM Mode. With earlier updates it was possible to change some values in the LSUpdater.ini to re-update the NAS with the same firmware that was running on the box, but this doesn't work with the latest version. For EM-Mode (aka Emergency Mode aka Engeneering Mode) start ACP Commander with the following parameters

java -jar acp_commander.jar -t <ip of your LinkStation> -emmode

You will be asked for a password, enter the one you use for the admin login. When ACP Commander shows you success messages, reboot the box. You can do this via the WebIf or via ACP Commander, too. Just change the "-emmode" to "-reboot".

Wait a few seconds after the fan of the NAS slowed down and start LSUpdater.exe. When ACP Commander was successfull, LSUpdater will find a box named "LS-WXL-EMxxx" (xxx = last three chars of the MAC). Click Update and go make a coffee or something, this will take a while.

Checking for success

After the reboot watch the share you created earlier. There should appear a "lastboot.txt" with a very recent timestamp. If not, wait a few minutes (especially if you have a raid active). When the file appears open it, if not, search for your error in the rcS script and check if you created the emergency.sh script correctly with execution bits set correctly.

Removing root password

Open the emergency.sh file and comment out the two lines copying the shadow and shadow- file. Uncomment the two lines beginning with sed and have a look at the content of the two shadow files. We are only interested in the two lines for root. Both should read the same, like this one:

root:$1$$Yab.IC0XLDvJlIi3/A8E40:11009:0:99999:7:::

The "$1$$Yab.IC0XLDvJlIi3/A8E40" part is the FreeBSD MD5 hashed password. Decrypting it would take us a veeery long time, so we simply remove it. So paste the encrypted password into the sed lines instead of the "<crypted root pw>". Don't forget to escape all / with a \ so our two lines could look like this

sed 's/$1$$Yab.IC0XLDvJlIi3\/A8E40//g' /etc/shadow /etc/shadow
sed 's/$1$$Yab.IC0XLDvJlIi3\/A8E40//g' /etc/shadow- /etc/shadow-

Now reboot and try to login via ssh and an empty password!

Final Steps

  • Set a new root password with passwd.
  • If you want to use a RAID, then change the line in rcS so you can use the emergency.sh in the future again!

TODO

  • SFTP doesn't work for root account
  • Telnet login not allowed for root (this is by design, and it should stay that way)

Credits

Initial HowTo by meilon: "Big Thanks to kenatonline, wo was always hinting at the right directions. Without him this HowTo would not be!"