================================================= HACKING a Lacie NetworkSpace by A. Mennucc, Aug 2011, d3@tonelli.sns.it =========== Disclaimer The following instructions may severely damage your Lacie product. You should only proceed when you understand what you are doing. If you do anything wrong, it can break your device. I provide all following code and instructions "as is", and any warranty whatsoever is disclaimed. (Note also that some parts of what follows were written by heart, some time after I did the hacking, so there may be some mistake; in case, please e-mail me). =========== Introduction In the following, the "box" is a Lacie NetworkSpace , 1 terabyte storage (it is the first version of it, there is a NetworkSpace version2 that is much better) See also http://lacie.nas-central.org/wiki/Category:Network_Space http://plugout.net/viewforum.php?f=6&sid=cb9a1a906a308089d5789df5687301d6 http://plugout.net/viewforum.php?f=7 for more info For hardware/software details, see the end section 'detailed info' and also the subdir 'detailed_info' My box is configured to have IP '192.168.0.28' : keep this in mind and adjust what follows to your settings Many of the files that are cited in the following are available in the 'useful_files' subdir in this website. The subdir 'docs' contains useful documents that I copied from the net (in case they disappear...). My state of the art is: I managed to install and run a Debian Lenny O.S. in the box. (Note: if you are looking for a polished ready-to-use user-friendly firmware , then Debian/Lenny is not what you want: look instead in http://plugout.net/viewtopic.php?f=3&t=3 ) =========== Qemu virtual machine The software and hardware of the box is compatible with the Debian/Lenny/arm qemu images provided by aurelien at http://people.debian.org/~aurel32/qemu/arm/ those images run inside a qemu virtual machine. Download all it in your favorite PC O.S., it will be very useful. =========== Glossary 'the box' is the Lacie Network Space 'lacie-O.S.' is the original Linux-based Lacie provided operating system that runs usually in the box 'aurel-O.S.' is the Debian Lenny O.S. above, running inside qemu 'lenny-box-O.S.' is the Debian Lenny operating system I have installed in the box (mostly cloned from the aurel-O.S.) 'PC-O.S.' is a Linux-based operating system running on a standard personal computer (I use Debian Squeeze) In the following, any line starting with '#' is a command that is to be executed (as root user) in one of the above O.S. (the '#' is not part of the command, do not copy it at the prompt!) Beware that acting as root is dangerous, always think twice before you hit return. ================================================= BEFORE WE START Access the box web configuration, and configure the box to not use DHCP, but rather to have one fixed IP address at boot, say, 192.168.0.28 =================================================== OPENING THE BOX First of all, make sure that the box is powered off, and detach power cable and network cable. Note: opening the box will void the warranty. (Given that the last model was sold in 2008, this should not be a problem). If warranty is a problem to you, look into http://lacie.nas-central.org/wiki/Category:Network_Space for a non-open-the-box hacking method. The box has a black plastic cover, with 6 dents, 3 on each side: inserting small screwdrivers and gently forcing them open, the cover will slide with almost no effort Internally there is a hard disk, and some electronics covered by a metal cover; the metal cover is held by two screws, remove them and remove the cover. For some of the following operations, you will need to remove the hard disk and connect it to another PC. The hard disk is held by four screws; once you have taken those away, you just slide it back (parallel to itself, towards the blue led) out of the connector. ========================================== INSTALL BACKDOOR AND NEWER BUSYBOX To do what follows, you have to connect the hard disk into another PC, (you need to use a PC running a Linux operating system). Then you will do some tweaking in the box hard disk, using the PC-O.S. ========== INSTALL BACKDOOR As a first step, you will install the backdoor in the lacie-O.S. . To this end mount partition 8 somewhere, let's say /media/box8, and copy the 'backdoor' file into /media/box8/www/cgi-bin/admin/backdoor and make it executable # chmod +x /media/box8/www/cgi-bin/admin/backdoor Then copy the file 'busybox' as /media/box8/busybox in that partition as well ; make it executable. It is version 1.18.2 of busybox, statically compiled, that supports all available commands , including telnetd. BTW, to build that version of busybox, I used aurel-O.S. ========== REPARTITION This is also the right time to repartion, and install a prototype Debian O.S. Warning: what follows will destroy the partition containing the user data in the box: copy any valuable data somewhere else! EXTRA WARNING ! It is very important that you are 100% sure which device is the Lacie hard disk in your PC. The user data is saved in the second partition, that is formatted using the XFS file system. First, try to reduce the xfs partition using 'parted'. If you fail, start a repartition tool of your choice on the box hard disk, destroy the second partition, and recreate it smaller. (Before you destroy it, save its directory structure using 'tar cf') Eventually, I suggest that you make it smaller so has to have 5GB of free disk space. (Note that the free space that you leave should be contiguous to the logical partions ; if it isn't, then it will be quite difficult to use it!) If you destroy it, or if it will not work when you will reassemble the box, then you may reformat it later on using the command # mkfs.xfs /dev/sda2 from inside the lacie-O.S. (see section 'telnet in the lacie-O.S.' on how to access the lacie-O.S. , and see also 'XFS metadata'). By reducing the XFS partition, you should free ~ 5000MB of hard disk, so that ~ 2000MB you may later use for Debian, and ~ 1000MB for swap (this may seem a lot , but it useful e.g. when fsck wants to check the XFS partition). Then, using the free space, create a new partition for Debian, in my case, it is partition 11, that I formatted using # mkfs.ext3 -O none,has_journal,sparse_super,filetype /dev/---- (fill the ---- with the correct device). Then mount it, let's say at /media/box11 ============ INSTALL PROTOTYPE lenny-box-O.S. Mount the partition for lenny-box-O.S. , let's say to /media/box11 Then copy aurelien O.S. into that partition. To this end, you may follow instructions in http://tjworld.net/wiki/Linux/MountQemuQcowImages (and also use 'kpartx') to mount aurelien qcow2 images. Another way is to start the aurel-O.S. and use a combination of netcat and tar. ==== Tweak Unfortunately, the aurel-O.S. does not boot in the box as it is, the box resets misteriously (probably the lacie kernel is too old). So we have to tweak it a bit. Again we say that the prototype lenny-box-O.S. is mounted in /media/box11 First of all, copy 'busybox' as /busybox in that partition, and make it executable: it will be useful. Then make sure that sda devices are present otherwise create them # cd /media/box11/dev # MAKEDEV sda # MAKEDEV sdb Similarly for serial ttys # cd /media/box11/dev # MAKEDEV ttyS and rtc # MAKEDEV rtc Then copy the kernel modules from the partition 8 to partition 11 # cp -a /media/box8/lib/modules/2.6.12.6-arm1 /media/box11/lib/modules Then we need to override the standard boot : you will have to copy the file my_rcS and my_rcS.conf into /media/box11/etc/ personalize 'my_rcS.conf' to your needs, and make 'my_rcS' executable. Then edit /media/box11/etc/inittab to execute that file /etc/my_rcS instead of /etc/init.d/rcS . When you edit /media/box11/etc/inittab also change the line '#T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100' to 'T0:23:respawn:/sbin/getty -L ttyS0 115200 vt100' to enable a login on the serial console (just in case...). (And you may disable getty on tty1 to tty6 ). If you are confused , look at 'inittab' in the useful_files subdir. Then you may copy the 'fstab' file onto /media/box11/etc/fstab (adjust it in case your partitions are different from mine!) ================================================ REASSEMBLE THE BOX Once all above is done, properly shut down the PC, remove the hard disk from the PC, reinsert it in the box, reconnect the cables, and power it on. ============================================= backdoor usage If you just powered it on, then the box will boot the lacie-O.S. So now we can play with the backdoor. The backdoor works as follows: if you type this kind URL in a web browser http://192.168.0.28/cgi-bin/admin/backdoor?cmd arg1 arg2 ... this will run the command 'cmd arg1 arg2 ...' as root in the box. Try http://192.168.0.28/cgi-bin/admin/backdoor?ls / and see. ============ telnet in the lacie-O.S. For example, the URLS http://192.168.0.28/cgi-bin/admin/backdoor?mount -t devpts devpts /dev/pts http://192.168.0.28/cgi-bin/admin/backdoor?/busybox telnetd -l /bin/sh will start a telnet server (that does not require a password). Then you may telnet from the PC-O.S. # telnet 192.168.0.28 This is the best way to interact with the lacie-O.S. ================================================== CLUNC access in the PC-O.S. download and compile clunc from git://lacie-nas.org/clunc.git # git clone git://lacie-nas.org/clunc.git # cd clunc # make more info from http://forum.nas-central.org/viewtopic.php?f=221&t=1707 then turn off the box, run clunc in the PC-O.S. as # ./clunc -i 192.168.0.28 and power on the box : after some seconds, if you hit return, you will get the box U-boot prompt 'Marvell>>' (See the file detailed_info/U-boot_info.txt for listing of the Lacie/Marvell U-boot settings and capabilites) ====================================== U-boot usual boot sequence If you type 'boot' at that prompt, it will simply go on with the usual boot. Note that U-boot tries to load the kernel from partion 10, and if that fails it tries 6 : see "boot_disk1" variable in detailed_info/U-boot_info.txt A log of the boot is in detailed_info/U-boot_log.txt =============================================== BOOTING lenny-box-O.S. If all went as expected, then power off the box, and, as above, power it on but stop in the U-boot using 'clunc', then issue these commands at the U-boot prompt > setenv bootargs console=ttyS0,115200 root=/dev/sda11 ro boardType=mv88F6082 productType=Aston reset=0 > boot If all goes well, the lenny-box-O.S. will be accessible from the PC-O.S. by typing # telnet 192.168.0.28 (since this is a copy of aurel-O.S. root password is 'root') If it does not work , jump to 'troubleshooting' ================ set up stuff in the lenny-box-O.S. Edit /etc/resolv.conf and set correct nameservers (to edit you may use the 'nano' editor) update APT # apt-get update install ntpdate and run it (once) # apt-get install ntpdate # ntpdate-debian replace /etc/mtab with a symlink to /proc/mounts setup event interface # mkdir /dev/input # mknod /dev/input/event0 c 13 64 Then install your favorite programs: -) I recommend 'dropbear' for ssh , though the box is quite slow , so telnet is still a good choice for the local network -) similarly, 'unfsd' is a good choice for NFS file sharing -) if you want to backup using rsync, you may setup rsyncd (I suggest to not use 'rsync thru ssh', because the box is too slow and does not have enough memory) =========== Warning from lacie.nas-central.org Warning to avoid data loss: Users have reported that after hacking the device and creating additional directories in the /home directory of the NAS (that is the XFS , second partition), these added directories were gone after a reboot into the lacie-O.S. This is caused by a script (/etc/rc.d/rc3.d/S12cleanConf), which has been designed to delete all directories and files from /home during boot, except for the myshare and openshare directories and hidden directories or files. ==================================================== INSTALL NEWER KERNEL Warning: with the newer kernel, the lacie-OS will not work OK, since the network interface name changes from egiga0 to eth0 The new kernel 2.6.33 was compiled by fvdw (thanks!). To install the newer kernel, download linux-arm-2.6.33-fvdw.tar.gz and unpack it on / in the lenny-box-OS partition ; then copy /boot/uImage-2.6.33 onto the 10th partition using (substitute --- by the device number!) # dd if=/boot/uImage-2.6.33 of=/dev/---10 (If you are unsatisfied, you write zeros in that partition, and u-Boot will use again the old kernel in partition 6). ==================================== UPDATE TO SQUEEZE or WHEEZY we want to switch from 'arm' to 'armel' architecture: the best way is to act as follows # debootstrap --foreign --arch=armel wheezy /mnt/ # chroot /mnt/ /debootstrap/debootstrap --second-stage # cp -vb /etc/apt/sources.list /mnt/etc/apt/ and edit it to point to wheezy # cp -vb /etc/fstab /mnt/etc/fstab and edit it then do the same changes that were done on Debian/lenny (consider that the kernel 2.6.33 does not support udev) and set root password and/or # cp -a /root/.ssh /mnt/root/.ssh ===================================== COMPILE NEW KERNEL install some needed packages # apt-get -y install u-boot u-boot-tools kernel-package download your favorite linux source, and configure it [WRITEME] and maybe apply the fvwd patches; then compile the kernel # make-kpkg --revision=1lacie kernel_image --cross_compile=- # make uImage (this takes more or less 14 hours inside lenny-box) prepare an 8MB partition , say, sda12, and write the new kernel there then try to boot Debian/wheezy from /dev/sda14 with the new kernel > setenv kernel_addr 0x500000 > setenv boot_disk1 'if disk ${kernel_addr} 0:C; then; else disk ${kernel_addr} 0:A; fi' > setenv bootargs console=ttyS0,115200 root=/dev/sda14 ro boardType=mv88F6082 productType=Aston reset=0 > boot FIXME: currently it does not boot, it hangs at uBoot, similar to http://www.denx.de/wiki/view/DULG/LinuxHangsAfterUncompressingKernel but I don't understand how to fix it in my case ============================================= USING A CHROOT supposing that you have mounted the other O.S. onto /mnt, run this once, # mount -t proc proc /mnt/proc/ # mount -t sysfs sys /mnt/sys # mount --bind /dev/pts /mnt/dev/pts and then # chroot /mnt ==================================================== TODO This is what is still missing: 1) the lenny-box does not properly shutdown , it actually reboots instead of powering down 2) the lenny-box ignores the power switch. See http://www.rigacci.org/wiki/doku.php/doc/appunti/hardware/lacie_d2_network 3) when/if we are satisfied, change the boot process permanently so as to boot lenny-box-O.S. by default. This is more difficult than it may seem, http://lacie-nas.org/doku.php?id=usbboot 4) setup the mounting so that it is possible to chroot from lenny-box-O.S. to lacie-O.S. and start some selected useful services 5) learn how to use linux netconsole so that some troubleshooting may be done using 'clunc' (w/o serial cable) see http://lacie-nas.org/doku.php?id=usbboot and http://www.kernel.org/doc/Documentation/networking/netconsole.txt the idea should be to start in a remote system # nc -uvv -l 9999 (using netcat-openbsd) then the uBoot command should be > setenv bootargs netconsole=6665@192.168.0.28/,9999@192.168.0.101/ root=/dev/sda11 ro boardType=mv88F6082 productType=Aston reset=0 > boot unfortunately the kernel 2.6.33 was not compiled with netconsole support ===================================================== TROUBLESHOOTING method 1) Power off the machine, reboot in the lacie-O.S., access it using telnet (as explained above), then inside the telnet session # mount /dev/sda11 /mnt and try to see if anything is wrong. This is not so easy though. Method 2) Serial access: this is the best way. ===================================================== SERIAL ACCESS There are 8 pins on the board, they are labelled J4. I decided that pin1 is the pin nearest to the screw (and farther from the hard disk). I have a cheap NOKIA-compatible CA-42 cable (actually, it is made-in-china,chip is ark3116); the color codes of the cables are red : ground green: TX box white: RX box orange: 3.3volt (unused) See in the nokia-ca-42 subdir for extra info. In the PC-O.S. I configured minicom as follows: Serial Device : /dev/ttyUSB1 Bps/Par/Bits : 115200 8N1 Hardware Flow Control : No Software Flow Control : No (if you put minirc.lacie in /etc/minicom, it will start OK by # minicom -o lacie ) I boot the box, stopping it using 'clunc', as above; after that, I connect 'red' to pin 2, 'green' to pin 8, 'white' to pin 7 . I resume standard boot: so I got the bootlog in serial_boot_log.txt ; and I could interact with the lacie-O.S. login prompt. (Note that, if I poweron the box with the serial adapter connected, it stops immediatly giving a '>' prompt, and I don't know how to interact with it.) ======================================== TROUBLESHOOT LENNY IN THE BOX Reboot the box, and using 'clunc' stop the box in the U-boot ; then connect the serial cable and start minicom; then issue these commands at the prompt 'Marvell>>' (that you see into 'clunc') : they will boot lenny-box-O.S. , but stopping at an emergency shells > setenv bootargs console=ttyS0,115200 root=/dev/sda11 ro boardType=mv88F6082 productType=Aston reset=0 init=/bin/sh > boot Wait into the minicom for the shell prompt. Since this is an emergency shell, you will have to fsck disks and mount (or remount rw) manually; and eventually # ifconfig egiga0 192.168.0.28 # /busybox telnetd -l /bin/sh & at this point it is possible to telnet into the box for further operations. ============================================================== DETAILED INFO The bootloader is: U-Boot 1.1.4 (Feb 8 2008 - 09:08:25) Lacie version: 2.4.2-TINY the Linux version is 2.6.12.6-arm1 (iminea@grp-horus) (gcc version 3.4.4 (release) (CodeSourcery ARM 2005q3-2)) the CPU: ARM926EJ-Sid(wb) [41069260] revision 0 (ARMv5TEJ) ; Machine: Feroceon Kernel command line: console=ttyS0,115200 root=/dev/sda7 ro boardType=mv88F6082 productType=Aston reset=0 the firmware is 1.1.3 ; I tried to update it, w/o success ====================================== in the lacie-O.S. , the network interface is # ifconfig egiga0 Link encap:Ethernet HWaddr 00:D0:4B:85:8C:DA inet addr:192.168.0.28 Bcast:192.168.0.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:380 errors:0 dropped:0 overruns:0 frame:0 TX packets:473 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:128 RX bytes:32020 (31.2 KiB) TX bytes:107908 (105.3 KiB) Interrupt:2 ======================================= SPEEDS what follows was tested using on the box: linux 2.6.33 arch arm unfsd the /home filesystem was XFS on the remote hosts: linux 2.6.32 arch amd64 and i386 and a gigabit ethernet (full duplex) connecting them =============== network speed tested speed to copy 40MB of zeros across the network, using netcat-openbsd and the two commands # nc -l 9999 > /dev/null on one side and # time dd bs=1024 count=40960 if=/dev/zero | nc remotehost 9999 on the other side from box to remote host: speed 3.1 kB/sec from remote host to box: speed 5.1 kB/sec (the above does not seem to depend on the remote host used) (as a comparison, the speed between two linux hosts is ~110MB/sec ) (curiously when the box is the receiving side, 'nc -l' does not exit after the transmission ends!) ============== NFS speed the /home directory in the box was export using NFS, and mounted on the remote host onto /box/home on the remote host, I copied some large files from local HD to the box, using the NFS mounted /box/home : speed 5170 kB/sec (so it seems the speed is mostly limited by the network speed) ============== XFS speed inside the box, copied those large files from one directory to another, in the XFS fs: speed 11118 kB/sec (as a reference, same inside the remote host: speed 43 MB/sec ) ======================================= Other detailed info are in the files in the subdir 'detailed_info'