Open Stock Firmware LS-WXL
This HowTo was made during opening an 2TB LS-WXL, which came with 1.22 Firmware and was afterwards updated with 1.24. The Author of this HowTo can't assure you, that everything will work fine. YOU COULD BRICK YOUR BOX! You, and only you, can be held responsible for this!
Also, this HowTo has never been tested on a brand new LinkStation Duo, but feel free to remove this line when you successfully tested it. Also please add anything you think would help others! Thanks!
You will need the following thing to open up the Firmware:
- Buffalo LinkStation Duo (LS-WXL)
- A working linux for firmware manipulation
- ACP Commander
- 1.24 Firmware of your NAS
- A share on your NAS accessible via SFTP
Prepare the LinkStation
It's best for opening the firmware if there is no RAID active. Having one active means that it could take a little bit longer until the firmware is open. Responsible for this longer time is the required sync of the drives after each boot.
Create a share with support at least for SFTP on your first drive. In this HowTo I will call it "share". Now open up your SFTP Application and connect as admin and your password to it. You will be in the /mnt/ directory, so go on your first drive and into your share. Create a file named "emergency.sh" and insert the following lines:
#!/bin/sh #General Information echo -n "Last Boot: " > /mnt/disk1/share/lastboot.txt date >> /mnt/disk1/share/lastboot.txt echo -n "Who Am I: " >> /mnt/disk1/share/lastboot.txt whoami >> /mnt/disk1/share/lastboot.txt
#Make a backup of both shadow files cp /etc/shadow /mnt/disk1/share/backup/shadow cp /etc/shadow- /mnt/disk1/share/backup/shadow-
#Show us the content of the shadow file echo "" echo "Content of /etc/shadow" cat /etc/shadow >> /mnt/disk1/share/lastboot.txt echo "" echo "Content of /etc/shadow-" cat /etc/shadow- >> /mnt/disk1/share/lastboot.txt #Remove the root password #sed 's/<crypted root pw>//g' /etc/shadow /etc/shadow #sed 's/<crypted root pw>//g' /etc/shadow- /etc/shadow-
Be sure to set the right path for the lastboot.txt! Finally set chmod +x on this new file and exit your SFTP app. Now comes the hacking!
Patching the Firmware
Download and extract the original firmware download from buffalo to a directory on your Linux box. Next we want to change the content in the hddrootfs.img so we extract it:
You will be asked for a password, which should be
Now create a folder for unpacking the firmware and extract the hddrootfs.buffalo.updated into it
mkdir <foldername> cd <foldername> tar -xz --numeric-owner -p -f ../hddrootfs.buffalo.updated
Open up etc/sshd_config with your favourite text editor and change the content to this:
# $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. #Port 22 #Protocol 2,1 #ListenAddress 0.0.0.0 #ListenAddress :: # HostKey for protocol version 1 #HostKey /etc/ssh_host_key # HostKeys for protocol version 2 #HostKey /etc/ssh_host_rsa_key #HostKey /etc/ssh_host_dsa_key HostKey /etc/apache/server.key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 768 # Logging #obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 2m PermitRootLogin yes #StrictModes yes #RSAAuthentication yes #PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes PermitEmptyPasswords yes # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCreds yes # Set this to 'yes' to enable PAM authentication (via challenge-response) # and session processing. Depending on your PAM configuration, this may # bypass the setting of 'PasswordAuthentication' UsePAM yes #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #KeepAlive yes #UseLogin no #UsePrivilegeSeparation yes PermitUserEnvironment yes #Compression yes #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 # no default banner path #Banner /some/path # override default of no subsystems Subsystem sftp /usr/local/libexec/sftp-server
Next open etc/init.d/rcS and add the two following lines at the end of it
# In case of an emergency, we start this script [ -f /mnt/disk1/share/emergency.sh ] && /mnt/disk1/share/emergency.sh
Be sure to add the right path!
Now we pack the firmware again. Get into the root directory of the unpacked firmware and execute the following line:
tar -czf ../hddrootfs.buffalo.updated-new -C /absolute/path/to/extracted_image * cd .. mv hddrootfs.buffalo.updated hddrootfs.buffalo.updated-old mv hddrootfs.buffalo.updated-new hddrootfs.buffalo.updated zip -e hddrootfs.img hddrootfs.buffalo.updated
Again you will be asked for the password. Be sure to take the same password that you took for extracting before. Otherwise the NAS will not be able to extract it and you'll have bricked box!
That's for patching the firmware, now update the box!
Updating the Firmware
Rename the original hddrootfs.img in your LSUpdater Folder and copy the patched hddrootfs.img into that folder.
Send the NAS into EM Mode. With earlier updates it was possible to change some values in the LSUpdater.ini to re-update the NAS with the same firmware that was running on the box, but this doesn't work with the latest version. For EM-Mode (aka Emergency Mode aka Engineering Mode) start ACP Commander with the following parameters
java -jar acp_commander.jar -t <ip of your LinkStation> -emmode
You will be asked for a password, enter the one you use for the admin login. When ACP Commander shows you success messages, reboot the box. You can do this via the WebIf or via ACP Commander, too. Just change the "-emmode" to "-reboot".
Wait a few seconds after the fan of the NAS slowed down and start LSUpdater.exe. When ACP Commander was successfull, LSUpdater will find a box named "LS-WXL-EMxxx" (xxx = last three chars of the MAC). Click Update and go make a coffee or something, this will take a while.
Checking for success
After the reboot watch the share you created earlier. There should appear a "lastboot.txt" with a very recent time stamp. If not, wait a few minutes (especially if you have a raid active). When the file appears open it, if not, search for your error in the rcS script and check if you created the emergency.sh script correctly with execution bits set correctly.
Removing root password
Open the emergency.sh file and comment out the two lines copying the shadow and shadow- file. Uncomment the two lines beginning with sed and have a look at the content of the two shadow files. We are only interested in the two lines for root. Both should read the same, like this one:
The "$1$$Yab.IC0XLDvJlIi3/A8E40" part is the FreeBSD MD5 hashed password. Decrypting it would take us a veeery long time, so we simply remove it. So paste the encrypted password into the sed lines instead of the "<crypted root pw>". Don't forget to escape all / with a \ so our two lines could look like this
sed 's/$1$$Yab.IC0XLDvJlIi3\/A8E40//g' /etc/shadow /etc/shadow sed 's/$1$$Yab.IC0XLDvJlIi3\/A8E40//g' /etc/shadow- /etc/shadow-
Now reboot and try to login via ssh and an empty password!
- Set a new root password with passwd.
- If you want to use a RAID, then change the line in rcS so you can use the emergency.sh in the future again!
- SFTP doesn't work for root account
- Telnet login not allowed for root (this is by design, and it should stay that way)
Initial HowTo by meilon: "Big Thanks to kenatonline, who was always hinting at the right directions. Without him this HowTo would not be!" Password from Firmware_password which luckily work so I don't had to find it out on my own.