Category:Network Space
From NAS-Central Lacie Wiki
CPU | ARM926EJ-Sid(wb) [41069260] revision 0 (ARMv5TEJ) |
RAM | 2 x 8MB = 16MB |
Flash ROM | |
Other | Marvell Development Board (LSP Version 2.2.2_NAS_GDP)-- RD-88F6082-NAS-PH Soc: MV88F6082 Rev 1 |
NIC | |
USB | USB Universal Host Controller Interface driver v2.2 |
Internal HDD | Vendor: SAMSUNG Model: HD103UJ Rev: 1AA0 |
SATA Controller | |
Drive Capacity | 500GB or 1TB |
Fan | None |
OS | Linux version 2.6.12.6-arm1 (jrichefeu@grp-horus) (gcc version 3.4.4 (release) (CodeSourcery ARM 2005q3-2)) #2 Thu Aug 14 16:36:28 CEST 2008 |
Contents[hide] |
Generic info
The NetworkSpace seems to be very much based on the ED-Mini edition of LaCie. Hacks proposed there often can be applied as well to the NetworkSpace. Maybe also the other way around. Check their wiki as well and maybe someone notices a 'missing link' or a crossover that can add new features or options not yet known to be possible.
Differences: The NetworkSpace seems to be less powerfull (memory mainly). On the other end: this one has been designed by... (ok, what is the better advantage?) On top of its stunning looks (reminiscent of Night Rider's Kid), the device is inexpensive to buy and it does not have a fan, making it quiet and suggesting it uses little energy.
Warning to avoid data loss
Users have reported that after hacking the device and creating additional directories in the /home directory of the NAS, these added directories were gone after a reboot. This is caused by a script (/etc/rc.d/rc3.d/S12cleanConf), which has been designed to delete all directories and files from /home during boot, except for the myshare and openshare directories and hidden directories or files.
Basic Information on the device
Log file downloaded through the web interface
$ cat edmini_log.txt Jan 1 00:00:23 (none) syslog.info syslogd started: BusyBox v1.1.0 (2006.11.03-14:53+0000) Jan 1 00:00:24 (none) user.notice kernel: klogd started: BusyBox v1.1.0 (2006.11.03-14:53+0000) Jan 1 00:00:24 (none) user.notice kernel: Linux version 2.6.12.6-arm1 (jrichefeu@grp-horus) (gcc version 3.4.4 (release) (CodeSourcery ARM 2005q3-2)) #2 Thu Aug 14 16:36:28 CEST 2008 Jan 1 00:00:24 (none) user.warn kernel: CPU: ARM926EJ-Sid(wb) [41069260] revision 0 (ARMv5TEJ) Jan 1 00:00:24 (none) user.warn kernel: CPU0: D VIVT write-back cache Jan 1 00:00:24 (none) user.warn kernel: CPU0: I cache: 16384 bytes, associativity 1, 32 byte lines, 512 sets Jan 1 00:00:24 (none) user.warn kernel: CPU0: D cache: 16384 bytes, associativity 1, 32 byte lines, 512 sets Jan 1 00:00:24 (none) user.warn kernel: Machine: Feroceon Jan 1 00:00:24 (none) user.warn kernel: Using UBoot passing parameters structure Jan 1 00:00:24 (none) user.warn kernel: Memory policy: ECC disabled, Data cache writeback Jan 1 00:00:24 (none) user.debug kernel: On node 0 totalpages: 4096 Jan 1 00:00:24 (none) user.debug kernel: DMA zone: 4096 pages, LIFO batch:1 Jan 1 00:00:24 (none) user.debug kernel: Normal zone: 0 pages, LIFO batch:1 Jan 1 00:00:24 (none) user.debug kernel: HighMem zone: 0 pages, LIFO batch:1 Jan 1 00:00:24 (none) user.warn kernel: Built 1 zonelists Jan 1 00:00:24 (none) user.notice kernel: Kernel command line: console=ttyS0,115200 root=/dev/sda7 ro boardType=mv88F6082 productType=Aston reset=0 Jan 1 00:00:24 (none) user.warn kernel: mvBoardGpioIntMaskGet:Board intsGppMask 0 Jan 1 00:00:24 (none) user.warn kernel: PID hash table entries: 128 (order: 7, 2048 bytes) Jan 1 00:00:24 (none) user.warn kernel: Console: colour dummy device 80x30 Jan 1 00:00:24 (none) user.warn kernel: Dentry cache hash table entries: 4096 (order: 2, 16384 bytes) Jan 1 00:00:24 (none) user.warn kernel: Inode-cache hash table entries: 2048 (order: 1, 8192 bytes) Jan 1 00:00:24 (none) user.info kernel: Memory: 8MB 8MB 0MB 0MB = 16MB total Jan 1 00:00:24 (none) user.notice kernel: Memory: 13408KB available (2278K code, 385K data, 84K init) Jan 1 00:00:24 (none) user.debug kernel: Calibrating delay loop... 219.54 BogoMIPS (lpj=1097728) Jan 1 00:00:24 (none) user.warn kernel: Mount-cache hash table entries: 512 Jan 1 00:00:24 (none) user.info kernel: CPU: Testing write buffer coherency: ok Jan 1 00:00:24 (none) user.info kernel: NET: Registered protocol family 16 Jan 1 00:00:24 (none) user.warn kernel: mvBoardMppGet mppGroupNum 0 mppGroup 4096 Jan 1 00:00:24 (none) user.warn kernel: mvBoardMppGet mppGroupNum 1 mppGroup 17 Jan 1 00:00:24 (none) user.warn kernel: Sys Clk = 166666667, Tclk = 133333333 Jan 1 00:00:24 (none) user.warn kernel: Jan 1 00:00:24 (none) user.warn kernel: CPU Interface Jan 1 00:00:24 (none) user.warn kernel: ------------- Jan 1 00:00:24 (none) user.warn kernel: SDRAM_CS0 ....base 00000000, size 8MB Jan 1 00:00:24 (none) user.warn kernel: SDRAM_CS1 ....base 00800000, size 8MB Jan 1 00:00:24 (none) user.warn kernel: PEX0_MEM ....base e0000000, size 128MB Jan 1 00:00:24 (none) user.warn kernel: PEX0_IO ....base f2000000, size 1MB Jan 1 00:00:24 (none) user.warn kernel: INTER_REGS ....base f1000000, size 1MB Jan 1 00:00:24 (none) user.warn kernel: NFLASH_CS ....base f9000000, size 2MB Jan 1 00:00:24 (none) user.warn kernel: MFLASH_CS ....base f8000000, size 256KB Jan 1 00:00:24 (none) user.warn kernel: SPI_CS ....base fa000000, size 8MB Jan 1 00:00:24 (none) user.warn kernel: BOOT_ROM_CS ....base fc000000, size 1MB Jan 1 00:00:24 (none) user.warn kernel: DEV_BOOTCS ....base fc000000, size 1MB Jan 1 00:00:24 (none) user.warn kernel: CRYPT_ENG ....base f0000000, size 64KB Jan 1 00:00:24 (none) user.warn kernel: Jan 1 00:00:24 (none) user.warn kernel: Marvell Development Board (LSP Version 2.2.2_NAS_GDP)-- RD-88F6082-NAS-PH Soc: MV88F6082 Rev 1 Jan 1 00:00:24 (none) user.warn kernel: Jan 1 00:00:24 (none) user.warn kernel: Detected Tclk 133333333 and SysClk 166666667 Jan 1 00:00:24 (none) user.warn kernel: Marvell USB EHCI Host controller #0: c031eb00 Jan 1 00:00:24 (none) user.info kernel: PCI: bus0: Fast back to back transfers enabled Jan 1 00:00:24 (none) user.notice kernel: SCSI subsystem initialized Jan 1 00:00:24 (none) user.info kernel: usbcore: registered new driver usbfs Jan 1 00:00:24 (none) user.info kernel: usbcore: registered new driver hub Jan 1 00:00:24 (none) user.warn kernel: Fast Floating Point Emulator V0.9 (c) Peter Teichmann. Jan 1 00:00:24 (none) user.info kernel: inotify device minor=63 Jan 1 00:00:24 (none) user.warn kernel: Registering unionfs 1.1.5 Jan 1 00:00:24 (none) user.info kernel: Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing disabled Jan 1 00:00:24 (none) user.warn kernel: ttyS0 at MMIO 0x0 (irq = 3) is a 16550A Jan 1 00:00:24 (none) user.info kernel: io scheduler noop registered Jan 1 00:00:24 (none) user.warn kernel: Marvell Ethernet Driver 'mv_ethernet': Jan 1 00:00:24 (none) user.warn kernel: o Uncached descriptors in DRAM Jan 1 00:00:24 (none) user.warn kernel: o DRAM SW cache-coherency Jan 1 00:00:24 (none) user.warn kernel: o TCP segmentation offload enabled Jan 1 00:00:24 (none) user.warn kernel: o Checksum offload enabled Jan 1 00:00:24 (none) user.warn kernel: o Rx desc: 64 Jan 1 00:00:24 (none) user.warn kernel: o Tx desc: 128 Jan 1 00:00:24 (none) user.warn kernel: o Loading network interface 'egiga0' 'egiga1' Jan 1 00:00:24 (none) user.info kernel: ipddp.c:v0.01 8/28/97 Bradford W. Johnson <johns393@maroon.tc.umn.edu> Jan 1 00:00:24 (none) user.warn kernel: ipddp0: Appletalk-IP Encap. mode by Bradford W. Johnson <johns393@maroon.tc.umn.edu> Jan 1 00:00:24 (none) user.warn kernel: Intergrated Sata device found Jan 1 00:00:24 (none) user.info kernel: scsi0 : Marvell SCSI to SATA adapter Jan 1 00:00:24 (none) user.notice kernel: Vendor: SAMSUNG Model: HD103UJ Rev: 1AA0 Jan 1 00:00:24 (none) user.notice kernel: Type: Direct-Access ANSI SCSI revision: 03 Jan 1 00:00:24 (none) user.notice kernel: SCSI device sda: 1953525168 512-byte hdwr sectors (1000205 MB) Jan 1 00:00:24 (none) user.notice kernel: SCSI device sda: drive cache: write back Jan 1 00:00:24 (none) user.notice kernel: SCSI device sda: 1953525168 512-byte hdwr sectors (1000205 MB) Jan 1 00:00:24 (none) user.notice kernel: SCSI device sda: drive cache: write back Jan 1 00:00:24 (none) user.info kernel: sda: sda1 < sda5 sda6 sda7 sda8 sda9 sda10 > sda2 Jan 1 00:00:24 (none) user.notice kernel: Attached scsi disk sda at scsi0, channel 0, id 0, lun 0 Jan 1 00:00:24 (none) user.notice kernel: Attached scsi generic sg0 at scsi0, channel 0, id 0, lun 0, type 0 Jan 1 00:00:24 (none) user.info kernel: ehci_platform ehci_platform.70059: EHCI Host Controller Jan 1 00:00:24 (none) user.info kernel: ehci_platform ehci_platform.70059: new USB bus registered, assigned bus number 1 Jan 1 00:00:24 (none) user.info kernel: ehci_platform ehci_platform.70059: irq 17, io mem 0x00000000 Jan 1 00:00:24 (none) user.info kernel: ehci_platform ehci_platform.70059: park 0 Jan 1 00:00:24 (none) user.info kernel: ehci_platform ehci_platform.70059: USB 0.0 initialized, EHCI 1.00, driver 10 Dec 2004 Jan 1 00:00:24 (none) user.info kernel: hub 1-0:1.0: USB hub found Jan 1 00:00:24 (none) user.info kernel: hub 1-0:1.0: 1 port detected Jan 1 00:00:24 (none) user.debug kernel: ntroller (OHCI) Driver (PCI) Jan 1 00:00:24 (none) user.info kernel: USB Universal Host Controller Interface driver v2.2 Jan 1 00:00:24 (none) user.info kernel: Initializing USB Mass Storage driver... Jan 1 00:00:24 (none) user.info kernel: usbcore: registered new driver usb-storage Jan 1 00:00:24 (none) user.info kernel: USB Mass Storage support registered. Jan 1 00:00:24 (none) user.info kernel: usbcore: registered new driver usbhid Jan 1 00:00:24 (none) user.info kernel: drivers/usb/input/hid-core.c: v2.01:USB HID core driver Jan 1 00:00:24 (none) user.info kernel: mice: PS/2 mouse device common for all mice Jan 1 00:00:24 (none) user.warn kernel: DATA IN REG=28E1 Jan 1 00:00:24 (none) user.info kernel: aston_power 1.0 initialised Jan 1 00:00:24 (none) user.info kernel: i2c /dev entries driver Jan 1 00:00:24 (none) user.info kernel: rs5c372 0-0032: Oscillator halt detected, reseting clock to 01/01/2000 Jan 1 00:00:24 (none) user.info kernel: NET: Registered protocol family 2 Jan 1 00:00:24 (none) user.info kernel: IP: routing cache hash table of 512 buckets, 4Kbytes Jan 1 00:00:24 (none) user.warn kernel: TCP established hash table entries: 1024 (order: 1, 8192 bytes) Jan 1 00:00:24 (none) user.warn kernel: TCP bind hash table entries: 1024 (order: 0, 4096 bytes) Jan 1 00:00:24 (none) user.info kernel: TCP: Hash tables configured (established 1024 bind 1024) Jan 1 00:00:24 (none) user.info kernel: NET: Registered protocol family 1 Jan 1 00:00:24 (none) user.info kernel: NET: Registered protocol family 17 Jan 1 00:00:24 (none) user.info kernel: NET: Registered protocol family 5 Jan 1 00:00:24 (none) user.info kernel: Loading I2C based RTC driver device interface. Jan 1 00:00:24 (none) user.info kernel: Found TWSI adapter with id: 0 Jan 1 00:00:24 (none) user.info kernel: Found I2C RTC rs5c372 @ 0x32 Jan 1 00:00:24 (none) user.info kernel: kjournald starting. Commit interval 5 seconds Jan 1 00:00:24 (none) user.info kernel: EXT3-fs: mounted filesystem with ordered data mode. Jan 1 00:00:24 (none) user.warn kernel: VFS: Mounted root (ext3 filesystem) readonly. Jan 1 00:00:24 (none) user.info kernel: Freeing init memory: 84K Jan 1 00:00:24 (none) user.info kernel: kjournald starting. Commit interval 5 seconds Jan 1 00:00:24 (none) user.info kernel: EXT3-fs: mounted filesystem with ordered data mode. Jan 1 00:00:24 (none) user.info kernel: kjournald starting. Commit interval 5 seconds Jan 1 00:00:24 (none) user.info kernel: EXT3 FS on sda9, internal journal Jan 1 00:00:24 (none) user.info kernel: EXT3-fs: mounted filesystem with ordered data mode. Jan 1 00:00:24 (none) user.info kernel: kjournald starting. Commit interval 5 seconds Jan 1 00:00:24 (none) user.info kernel: EXT3-fs: mounted filesystem with ordered data mode. Jan 1 00:00:24 (none) user.info kernel: SGI XFS with large block numbers, no debug enabled Jan 1 00:00:24 (none) user.info kernel: usb 1-1: new high speed USB device using ehci_platform and address 2 Jan 1 00:00:24 (none) user.info kernel: scsi1 : SCSI emulation for USB Mass Storage devices Jan 1 00:00:24 (none) user.debug kernel: usb-storage: device found at 2 Jan 1 00:00:24 (none) user.debug kernel: usb-storage: waiting for device to settle before scanning Jan 1 00:00:24 (none) user.info kernel: input: USB HID v1.11 Device [OEM Mass Storage Plus] on usb-ehci_platform.70059-1 Jan 1 00:00:24 (none) user.err kernel: VFS: Can't find ext3 filesystem on dev sda2. Jan 1 00:00:24 (none) user.err kernel: FAT: bogus number of FAT structure Jan 1 00:00:24 (none) user.info kernel: VFS: Can't find a valid FAT filesystem on dev sda2. Jan 1 00:00:24 (none) user.err kernel: FAT: bogus number of FAT structure Jan 1 00:00:24 (none) user.info kernel: VFS: Can't find a valid FAT filesystem on dev sda2. Jan 1 00:00:24 (none) user.warn kernel: HFS+-fs: unable to find HFS+ superblock Jan 1 00:00:24 (none) user.notice kernel: XFS mounting filesystem sda2 Jan 1 00:00:24 (none) user.debug kernel: Ending clean XFS mount for filesystem: sda2 Jan 1 00:00:24 (none) user.notice kernel: Vendor: Ext Hard Model: Disk Rev: Jan 1 00:00:24 (none) user.notice kernel: Type: Direct-Access ANSI SCSI revision: 04 Jan 1 00:00:24 (none) user.notice kernel: SCSI device sdb: 488397168 512-byte hdwr sectors (250059 MB) Jan 1 00:00:24 (none) user.err kernel: sdb: assuming drive cache: write through Jan 1 00:00:24 (none) user.notice kernel: SCSI device sdb: 488397168 512-byte hdwr sectors (250059 MB) Jan 1 00:00:24 (none) user.err kernel: sdb: assuming drive cache: write through Jan 1 00:00:24 (none) user.info kernel: sdb: sdb1 Jan 1 00:00:24 (none) user.notice kernel: Attached scsi disk sdb at scsi1, channel 0, id 0, lun 0 Jan 1 00:00:24 (none) user.notice kernel: Attached scsi generic sg1 at scsi1, channel 0, id 0, lun 0, type 0 Jan 1 00:00:24 (none) user.debug kernel: usb-storage: device scan complete Jan 1 00:00:24 (none) user.info kernel: kjournald starting. Commit interval 5 seconds Jan 1 00:00:24 (none) user.info kernel: EXT3-fs: mounted filesystem with ordered data mode. Jan 1 00:00:24 (none) user.info kernel: kjournald starting. Commit interval 5 seconds Jan 1 00:00:24 (none) user.info kernel: EXT3 FS on sda9, internal journal Jan 1 00:00:24 (none) user.info kernel: EXT3-fs: mounted filesystem with ordered data mode. Jan 1 00:00:25 (none) user.info kernel: SGI XFS with large block numbers, no debug enabled Jan 1 00:00:25 (none) user.warn kernel: fuse init (API version 7.8) Jan 1 00:00:25 (none) user.warn kernel: fuse distribution version: 2.7.3 Jan 1 00:00:26 (none) user.info kernel: Adding 128448k swap on /dev/sda5. Priority:-1 extents:1 Jan 1 00:00:27 (none) user.notice kernel: XFS mounting filesystem sda2 Jan 1 00:00:27 (none) user.debug kernel: Ending clean XFS mount for filesystem: sda2 Jan 1 00:00:30 (none) local0.info udhcpc[598]: udhcpc (v0.9.9-pre) started Jan 1 00:00:30 (none) user.notice kernel: egiga0: link down Jan 1 00:00:32 (none) user.notice kernel: egiga0: link up, full duplex, speed 100 Mbps Jan 1 00:00:34 (none) local0.info udhcpc[598]: Lease of 192.168.1.9 obtained, lease time 172800 Jan 1 00:00:42 (none) daemon.info ifplugd(egiga0)[770]: ifplugd 0.28 initializing. Jan 1 00:00:42 (none) daemon.info ifplugd(egiga0)[770]: Using interface egiga0/00:D0:4B:86:23:B0 with driver <egiga> (version: ) Jan 1 00:00:42 (none) daemon.info ifplugd(egiga0)[770]: Using detection mode: SIOCETHTOOL Jan 1 00:00:42 (none) daemon.info ifplugd(egiga0)[770]: Initialization complete, link beat detected. Jan 1 00:00:42 (none) daemon.info ifplugd(egiga0)[770]: Executing '/etc/ifplugd/ifplugd.action egiga0 up'. Jan 1 00:00:42 (none) daemon.warn ifplugd(egiga0)[770]: client: route: SIOC[ADD|DEL]RT: No such process Jan 1 00:00:43 (none) daemon.info ifplugd(egiga0)[770]: Program executed successfully. Jan 1 00:00:44 (none) user.info ipconfd[817]: daemon started Jan 1 00:00:46 (none) authpriv.debug httpd: pam_unix(httpd:account): account admin has password changed in future Jan 1 00:00:46 (none) authpriv.info httpd: pam_unix(httpd:session): session opened for user admin by (uid=0) Jan 1 00:00:46 (none) authpriv.info httpd: pam_unix(httpd:session): session closed for user admin Jan 1 00:00:49 (none) authpriv.debug httpd: pam_unix(httpd:account): account admin has password changed in future Jan 1 00:00:49 (none) authpriv.info httpd: pam_unix(httpd:session): session opened for user admin by (uid=0) Jan 1 00:00:49 (none) authpriv.info httpd: pam_unix(httpd:session): session closed for user admin
nmap port scan
# nmap 192.168.1.64 -p- -sV Starting Nmap 4.62 ( http://nmap.org ) at 2009-02-06 22:07 CET Interesting ports on 192.168.1.64: Not shown: 65528 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp ProFTPD 1.3.2rc1 80/tcp open http? 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP) 548/tcp open afp? 3689/tcp open http mt-daapd httpd 0.2.4.1 9000/tcp open unknown 2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi : [...]
Port 80 is used for web based configuration of the Network Space provided by LaCie. Web browsing through port 3689 should get you to the mt-daapd configuration pages, but the admin account that works on port 80 does not work here. Interesting is the service at port 9000. It is TwonkyVision media server version 4.4.6. http://192.168.1.64:9000/webbrowse lets you browse and stream your media from a web page. http://192.168.1.64:9000/webbrowse-e61 and http://192.168.1.64:9000/webbrowse-n95 do the same for mobile devices with a small screen. These features are not mentioned in the manual provided by LaCie.
Add functions to the LaCie Network Space
Without dissembling
Enable SSH access
Get Telnet Access
- Additional recources:
- Download utelnetd and put it in openshare root.
Create an html file with the following content:
Note: you might have to replace "networkspace" with the actual IP if you have difficulties accessing by name.
<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>Hack the NAS</title> </head> <body> <form name='edit_form' method='post' action='http://networkspace/cgi-bin/admin/media'> <input type='hidden' id='autoscn' name='autoscn' value='true' /> <input type='hidden' id='modified' name='modified' value='true' /> <input name='hour' value='HOUR'/><input name='minute' value='MINUTES HOUR * * * chmod 755 /home/openshare/utelnetd; /home/openshare/utelnetd &'/> <input type=submit value='SET CRONTAB'/> </form></body> </html>
- Open the html file created in your browser and replace HOUR and MINUTES in the form to be a few minutes from "now" and then click 'SET CRONTAB';
Note: Verify the current time on your device - probably different from the actual time.
After a few seconds you should end up at the administrator media page with the autoscan checkbox selected.
Wait a few minutes and then run your favourite network scanner tool and check if port 23 on the NAS has yet appeared as open. Example:
debianserver:~# nmap 192.168.1.103 Starting Nmap 4.62 ( http://nmap.org ) at 2010-08-04 22:31 WEST Interesting ports on 192.168.1.103: Not shown: 1708 closed ports PORT STATE SERVICE 22/tcp open ssh 23/tcp open telnet <---- This is what should appear 80/tcp open http 139/tcp open netbios-ssn 445/tcp open microsoft-ds 548/tcp open afp 3689/tcp open rendezvous MAC Address: 00:D0:4B:88:35:05 (LA CIE Group S.A.) Nmap done: 1 IP address (1 host up) scanned in 0.999 seconds debianserver:~#
- After the Telnet service becomes open go to the HTML page again, change the "MINUTES" and "HOUR" strings again (leaving existing spaces intact) and add a command that makes root’s password empty:
MINUTES HOUR * * * passwd -d root
- Login with user root via telnet to get your root shell.
debianserver:~# telnet networkspace Trying 192.168.1.103... Connected to networkspace.lan. Escape character is '^]'. NetworkSpace login: root Password: BusyBox v1.1.0 (2006.11.03-14:53+0000) Built-in shell (ash) Enter 'help' for a list of built-in commands. NetworkSpace /root #
Install SSH
Now that you have access through Telnet to the NS you can install some pre-compiled software.
- First of all, install SSH - Download and put it in openshare folder.
- Extract openSSH
tar -xvjf /home/openshare/openssh-4.7_p1-r6.tbz2 -C /
- OpenSSH needs additional libraries, download openssl and TCP-wrappers to /home/openshare and install them.
tar -xvjf /home/openshare/openssl-0.9.8h-r1.tbz2 -C / tar -xvjf /home/openshare/tcp-wrappers-7.6-r8.tbz2 -C /
- Enable Privilege separation for sshd (required to run sshd)
echo sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin >> /etc/passwd
- Make a file named sshd and put it in /etc/rc.d/init.d/sshd with the following content:
#!/bin/sh # Begin $rc_base/init.d/ # Based on sysklogd script from LFS-3.1 and earlier. # Rewritten by Gerard Beekmans - gerard@linuxfromscratch.org # changed a bit by Juergen Hench to run sshd, made from httpd # changed a bit by Jimmy B. to create the ssh keys if they do not exist already . /etc/sysconfig/rc . $rc_functions . /etc/packageversion case "$1" in start) echo "Starting OpenSSH sshd..." # Start OpenSSH server if [ ! -r /etc/ssh/ssh_host_rsa_key ]; then /usr/bin/ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_rsa_key -N '' fi if [ ! -r /etc/ssh/ssh_host_dsa_key ]; then /usr/bin/ssh-keygen -b 1024 -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' fi /usr/sbin/sshd evaluate_retval ;; stop) echo "Stopping sshd..." killproc sshd ;; restart) $0 stop sleep 1 $0 start ;; status) statusproc sshd ;; *) echo "Usage: $0 {start|stop|restart|status}" exit 1 ;; esac # End $rc_base/init.d/
- Make the file executable
chmod +x /etc/rc.d/init.d/sshd
- Make symbolic links for starting and stopping the service
ln -s /etc/rc.d/init.d/sshd /etc/rc.d/rc3.d/S20sshd ln -s /etc/rc.d/init.d/sshd /etc/rc.d/rc6.d/K09sshd
- Configure PAM to allow password authentication.
mv /etc/pam.d/sshd /etc/pam.d/sshd.bak # Backup current config file
- Create /etc/pam.d/sshd file
#%PAM-1.0 auth required pam_unix.so # set_secrpc auth required pam_nologin.so auth required pam_env.so account required pam_unix.so account required pam_nologin.so password required pam_pwcheck.so password required pam_unix.so use_first_pass use_authtok session required pam_unix.so none # trace or debug session required pam_limits.so # Enable the following line to get resmgr support for # ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE) #session optional pam_resmgr.so fake_ttyname
- Set a password for root
passwd
- You can now start the SSH service and try to login to check that everything is working as expected.
/etc/rc.d/init.d/sshd start
Install Additional Software
More software is available from this repository. Installation is done by simply unpacking the images on the device. If the image is copied to /home/openshare unpack with the following command.
tar -xvjf <packagename.tbz2> -C /
These packages from the repository above seem to work "out of the box" (extend list if you have tried more packages). Sometimes packages have dependencies, just look in the repository for them and install them:
- openssl-0.9.8h-r1.tbz2
- tcp-wrappers-7.6-r8.tbz2
- openssh-4.7_p1-r6.tbz2
- ncurses-5.6-r2.tbz2
- nano-2.1.2-r1.tbz2
Multimedia servers
The NetworkSpace can service a multimedia server.
For this purpose mt-daapd and TwonkyMedia are installed locally. These can be accessed and configured using web interfaces. Check here for more details:
NetworkSpace: MultimediaServers
With dissembling
NOTE: it is now not longer necessary to dissemble the device to gain remote access through telnet or ssh. See this thread on the forum:
http://forum.nas-central.org/viewtopic.php?f=221&t=1181&sid=fb2b586582f1ea27b7e571e31852335e
Instructions for adding software
The plastic top of the device can be dissembled form the metal bottom. There are 3 tabs in the plastic cover on both long sides. You will need to push away those tabs. To prevent a tab from popping back when working on another tab, you can use a few thin knives. One for every tab. Open one side a bit first, than the other side a bit and last both sides together. After removing the cover, unscrew the four screws of the hard disk and pull it out straight and level in the direction of the blue LED.
You can hack the Network Space using instructions for the LaCie EDmini version 2:
http://jebimony.com/blog/content/add-ssh-lacie-edmini-v2
An alternative way of installing ssh or many other software packages is through ipkg, a software package management system for embedded devices that resembles Debian's package managing system. I have followed the instructions for "manual bootstrap" here: http://www.nslu2-linux.org/wiki/MSSII/HomePage, through a telnet session. Then, doing "ipkg openssh" downloaded, installed and started up the ssh daemon automatically. After a reboot, ssh was down but could be easily restarted by doing "/opt/etc/init.d/S40sshd".
When hooked up to a desktop
After getting the hard disk out, you can hook it up to your computer through a SATA to USB adapter or simply build it in to your desktop pc. You need a Linux operating system for this. If you don't have Linux installed you can use a Linux live cd like Knoppix.
# fdisk -l /dev/sdb Disk /dev/sdb: 1000.2 GB, 1000204886016 bytes 255 heads, 63 sectors/track, 121601 cylinders Units = cylinders of 16065 * 512 = 8225280 bytes Disk identifier: 0x00000000 Device Boot Start End Blocks Id System /dev/sdb1 1 125 1004031 5 Extended /dev/sdb2 126 121601 975755970 83 Linux /dev/sdb5 1 16 128457 82 Linux swap / Solaris /dev/sdb6 17 17 8001 83 Linux /dev/sdb7 18 18 8001 83 Linux /dev/sdb8 19 40 176683+ 83 Linux /dev/sdb9 41 124 674698+ 83 Linux /dev/sdb10 125 125 8001 83 Linux
Partition sdb7 seems to be the base partition delivered by the manufacturer of the board. LaCie has added ad overlay in sdb8, providing a custom configuration and the additional modules (mt-daapd, Twonky, configuration pages). sdb7 and 8 are never updated (written to). sdb9 is the top overlay in which all differences (your changes to configuration for example) are stored, and for 'cache' and stuff for the services running.
sdb2 is mapped to the /home folder and contains the shared data available via FTP and samba.
# file -sL /dev/sdb* /dev/sdb: x86 boot sector; partition 1: ID=0x5, starthead 1, startsector 63, 2008062 sectors; partition 2: ID=0x83, starthead 0, startsector 2008125, 1951511940 sectors /dev/sdb1: x86 boot sector; partition 1: ID=0x82, starthead 2, startsector 63, 256914 sectors; partition 2: ID=0x5, starthead 0, startsector 256977, 16065 sectors /dev/sdb10: data /dev/sdb2: SGI XFS filesystem data (blksz 4096, inosz 256, v2 dirs) /dev/sdb5: Linux/i386 swap file (new style), version 1 (4K pages), size 32113 pages, no label, UUID=0-0-0-0-00 /dev/sdb6: u-boot/PPCBoot image /dev/sdb7: Linux rev 1.0 ext3 filesystem data, UUID=eec3d367-ddc-4dfd-96e0-d6b8228a6abd (needs journal recovery) /dev/sdb8: Linux rev 1.0 ext3 filesystem data, UUID=133b35ca-4c3b-4895-95e2-8dfdcfa6875e (needs journal recovery) /dev/sdb9: Linux rev 1.0 ext3 filesystem data, UUID=a1204eb0-6e57-4b60-a979-fbc05ae55a76 (needs journal recovery)
Partition numbers 2, 7, 8 and 9 are mountable, number 2 being of type xfs and the other three of type ext3.
# mkdir /mnt/sdb2 /mnt/sdb7 /mnt/sdb8 /mnt/sdb9 # mount -t xfs /dev/sdb2 /mnt/sdb2 # mount -t ext3 /dev/sdb7 /mnt/sdb7 # mount -t ext3 /dev/sdb8 /mnt/sdb8 # mount -t ext3 /dev/sdb9 /mnt/sdb9
# ls /mnt/sdb* /mnt/sdb2: myshare openshare /mnt/sdb7: bin boot dev etc home include lib linuxrc lost+found mnt opt proc root sbin snapshots sys tmp usr var /mnt/sdb8: bin boot dev etc home lib linuxrc log lost+found mnt opt proc root sbin shutdown sys tmp usr var www /mnt/sdb9: EDMINI lost+found snaps
When accessed through ssh or telnet after hacking
After adding SSH or Telnet support the NetworkSpace you get a lot more functionalities and options to tweak your system. Just be carefull when modifying the configuration as some settings will cause the device to stop working. Only work around (way back) is restoring a earlier backup of the partitions.
Here are some dumps of the output of some commands run through a terminal session: NetworkSpace: Terminal server dumps.
After having telnet access you will be able to perform some power commands. In the /usr/bin/ folder you will find a scipt called edmini.sh. Read the top part of this script (preferred: dump your disks and read it all on your favorite system using a decent text viewer :P). This file is a power script that gives you quick access to many functionalities, like creating/configuring ftp/networkshares, creating/updating users (!) assigning permissions and a lot more. (Thanks to Daan for providing dumps of his disk)
Possible attackpoints
I have been checking the various configuration scripts and other options available to us without opening the box. So far I have not found a clear entry point, but some possible points of interest. I want to share them with you so we can try to make it ours without having to open it and use knoppix (or another live CD).
What I found:
- Using Twonky it is possible to upload (media) files to your system. These files will be stored in the folders configured in the 'Miscalanious' page. As a note: by default it's turned off and they are set to /Music for music titles. However: this path is not relative to your search root (as i assumed/expected), but in full starting from root!
So set the path to /etc and you would be able to 'update' some configuration files. Only issue: You only can upload files that seem to me media files. The extensions are checked... This prevents you from updating existing config files (named .conf or similar, but not with a media extension).
Also the files are with -rw-r--r-- rights, so we also can't upload them to a web root and execute some script.
- There is some real nice file in the /usr/bin/-folder, called edmini.sh. This is a script used by the configuration web pages creating/updating user accounts, shares, permissions and a lot more...
To be continued, and please append your knowledge/result of attempts...
Pages in category "Network Space"
The following 7 pages are in this category, out of 7 total.
DN |
N cont. |
N cont.S |