Category:Network Space

From NAS-Central Lacie Wiki

Jump to: navigation, search
CPU ARM926EJ-Sid(wb) [41069260] revision 0 (ARMv5TEJ)
RAM 2 x 8MB = 16MB
Flash ROM
Other Marvell Development Board (LSP Version 2.2.2_NAS_GDP)-- RD-88F6082-NAS-PH Soc: MV88F6082 Rev 1
NIC
USB USB Universal Host Controller Interface driver v2.2
Internal HDD Vendor: SAMSUNG Model: HD103UJ Rev: 1AA0
SATA Controller
Drive Capacity 500GB or 1TB
Fan None
OS Linux version 2.6.12.6-arm1 (jrichefeu@grp-horus) (gcc version 3.4.4 (release) (CodeSourcery ARM 2005q3-2)) #2 Thu Aug 14 16:36:28 CEST 2008

Contents

[hide]

Generic info

The NetworkSpace seems to be very much based on the ED-Mini edition of LaCie. Hacks proposed there often can be applied as well to the NetworkSpace. Maybe also the other way around. Check their wiki as well and maybe someone notices a 'missing link' or a crossover that can add new features or options not yet known to be possible.

Differences: The NetworkSpace seems to be less powerfull (memory mainly). On the other end: this one has been designed by... (ok, what is the better advantage?) On top of its stunning looks (reminiscent of Night Rider's Kid), the device is inexpensive to buy and it does not have a fan, making it quiet and suggesting it uses little energy.

Warning to avoid data loss

Users have reported that after hacking the device and creating additional directories in the /home directory of the NAS, these added directories were gone after a reboot. This is caused by a script (/etc/rc.d/rc3.d/S12cleanConf), which has been designed to delete all directories and files from /home during boot, except for the myshare and openshare directories and hidden directories or files.


Basic Information on the device

Log file downloaded through the web interface

$ cat edmini_log.txt 
Jan  1 00:00:23 (none) syslog.info syslogd started: BusyBox v1.1.0 (2006.11.03-14:53+0000)
Jan  1 00:00:24 (none) user.notice kernel: klogd started: BusyBox v1.1.0 (2006.11.03-14:53+0000)
Jan  1 00:00:24 (none) user.notice kernel: Linux version 2.6.12.6-arm1 (jrichefeu@grp-horus) (gcc version 3.4.4 (release) (CodeSourcery ARM 2005q3-2)) #2 Thu Aug 14 16:36:28 CEST 2008
Jan  1 00:00:24 (none) user.warn kernel: CPU: ARM926EJ-Sid(wb) [41069260] revision 0 (ARMv5TEJ)
Jan  1 00:00:24 (none) user.warn kernel: CPU0: D VIVT write-back cache
Jan  1 00:00:24 (none) user.warn kernel: CPU0: I cache: 16384 bytes, associativity 1, 32 byte lines, 512 sets
Jan  1 00:00:24 (none) user.warn kernel: CPU0: D cache: 16384 bytes, associativity 1, 32 byte lines, 512 sets
Jan  1 00:00:24 (none) user.warn kernel: Machine: Feroceon
Jan  1 00:00:24 (none) user.warn kernel: Using UBoot passing parameters structure
Jan  1 00:00:24 (none) user.warn kernel: Memory policy: ECC disabled, Data cache writeback
Jan  1 00:00:24 (none) user.debug kernel: On node 0 totalpages: 4096
Jan  1 00:00:24 (none) user.debug kernel:   DMA zone: 4096 pages, LIFO batch:1
Jan  1 00:00:24 (none) user.debug kernel:   Normal zone: 0 pages, LIFO batch:1
Jan  1 00:00:24 (none) user.debug kernel:   HighMem zone: 0 pages, LIFO batch:1
Jan  1 00:00:24 (none) user.warn kernel: Built 1 zonelists
Jan  1 00:00:24 (none) user.notice kernel: Kernel command line: console=ttyS0,115200 root=/dev/sda7 ro boardType=mv88F6082 productType=Aston reset=0
Jan  1 00:00:24 (none) user.warn kernel: mvBoardGpioIntMaskGet:Board intsGppMask 0
Jan  1 00:00:24 (none) user.warn kernel: PID hash table entries: 128 (order: 7, 2048 bytes)
Jan  1 00:00:24 (none) user.warn kernel: Console: colour dummy device 80x30
Jan  1 00:00:24 (none) user.warn kernel: Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Jan  1 00:00:24 (none) user.warn kernel: Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Jan  1 00:00:24 (none) user.info kernel: Memory: 8MB 8MB 0MB 0MB = 16MB total
Jan  1 00:00:24 (none) user.notice kernel: Memory: 13408KB available (2278K code, 385K data, 84K init)
Jan  1 00:00:24 (none) user.debug kernel: Calibrating delay loop... 219.54 BogoMIPS (lpj=1097728)
Jan  1 00:00:24 (none) user.warn kernel: Mount-cache hash table entries: 512
Jan  1 00:00:24 (none) user.info kernel: CPU: Testing write buffer coherency: ok
Jan  1 00:00:24 (none) user.info kernel: NET: Registered protocol family 16
Jan  1 00:00:24 (none) user.warn kernel: mvBoardMppGet mppGroupNum 0 mppGroup 4096
Jan  1 00:00:24 (none) user.warn kernel: mvBoardMppGet mppGroupNum 1 mppGroup 17
Jan  1 00:00:24 (none) user.warn kernel: Sys Clk = 166666667, Tclk = 133333333
Jan  1 00:00:24 (none) user.warn kernel: 
Jan  1 00:00:24 (none) user.warn kernel: CPU Interface
Jan  1 00:00:24 (none) user.warn kernel: -------------
Jan  1 00:00:24 (none) user.warn kernel: SDRAM_CS0 ....base 00000000, size   8MB 
Jan  1 00:00:24 (none) user.warn kernel: SDRAM_CS1 ....base 00800000, size   8MB 
Jan  1 00:00:24 (none) user.warn kernel: PEX0_MEM ....base e0000000, size 128MB 
Jan  1 00:00:24 (none) user.warn kernel: PEX0_IO ....base f2000000, size   1MB 
Jan  1 00:00:24 (none) user.warn kernel: INTER_REGS ....base f1000000, size   1MB 
Jan  1 00:00:24 (none) user.warn kernel: NFLASH_CS ....base f9000000, size   2MB 
Jan  1 00:00:24 (none) user.warn kernel: MFLASH_CS ....base f8000000, size 256KB 
Jan  1 00:00:24 (none) user.warn kernel: SPI_CS ....base fa000000, size   8MB 
Jan  1 00:00:24 (none) user.warn kernel: BOOT_ROM_CS ....base fc000000, size   1MB 
Jan  1 00:00:24 (none) user.warn kernel: DEV_BOOTCS ....base fc000000, size   1MB 
Jan  1 00:00:24 (none) user.warn kernel: CRYPT_ENG ....base f0000000, size  64KB 
Jan  1 00:00:24 (none) user.warn kernel: 
Jan  1 00:00:24 (none) user.warn kernel:   Marvell Development Board (LSP Version 2.2.2_NAS_GDP)-- RD-88F6082-NAS-PH  Soc: MV88F6082 Rev 1
Jan  1 00:00:24 (none) user.warn kernel: 
Jan  1 00:00:24 (none) user.warn kernel:  Detected Tclk 133333333 and SysClk 166666667 
Jan  1 00:00:24 (none) user.warn kernel: Marvell USB EHCI Host controller #0: c031eb00
Jan  1 00:00:24 (none) user.info kernel: PCI: bus0: Fast back to back transfers enabled
Jan  1 00:00:24 (none) user.notice kernel: SCSI subsystem initialized
Jan  1 00:00:24 (none) user.info kernel: usbcore: registered new driver usbfs
Jan  1 00:00:24 (none) user.info kernel: usbcore: registered new driver hub
Jan  1 00:00:24 (none) user.warn kernel: Fast Floating Point Emulator V0.9 (c) Peter Teichmann.
Jan  1 00:00:24 (none) user.info kernel: inotify device minor=63
Jan  1 00:00:24 (none) user.warn kernel: Registering unionfs 1.1.5
Jan  1 00:00:24 (none) user.info kernel: Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing disabled
Jan  1 00:00:24 (none) user.warn kernel: ttyS0 at MMIO 0x0 (irq = 3) is a 16550A
Jan  1 00:00:24 (none) user.info kernel: io scheduler noop registered
Jan  1 00:00:24 (none) user.warn kernel: Marvell Ethernet Driver 'mv_ethernet':
Jan  1 00:00:24 (none) user.warn kernel:   o Uncached descriptors in DRAM
Jan  1 00:00:24 (none) user.warn kernel:   o DRAM SW cache-coherency
Jan  1 00:00:24 (none) user.warn kernel:   o TCP segmentation offload enabled
Jan  1 00:00:24 (none) user.warn kernel:   o Checksum offload enabled
Jan  1 00:00:24 (none) user.warn kernel:   o Rx desc: 64
Jan  1 00:00:24 (none) user.warn kernel:   o Tx desc: 128
Jan  1 00:00:24 (none) user.warn kernel:   o Loading network interface 'egiga0' 'egiga1' 
Jan  1 00:00:24 (none) user.info kernel: ipddp.c:v0.01 8/28/97 Bradford W. Johnson <johns393@maroon.tc.umn.edu>
Jan  1 00:00:24 (none) user.warn kernel: ipddp0: Appletalk-IP Encap. mode by Bradford W. Johnson <johns393@maroon.tc.umn.edu>
Jan  1 00:00:24 (none) user.warn kernel: Intergrated Sata device found
Jan  1 00:00:24 (none) user.info kernel: scsi0 : Marvell SCSI to SATA adapter
Jan  1 00:00:24 (none) user.notice kernel:   Vendor: SAMSUNG   Model: HD103UJ           Rev: 1AA0
Jan  1 00:00:24 (none) user.notice kernel:   Type:   Direct-Access                      ANSI SCSI revision: 03
Jan  1 00:00:24 (none) user.notice kernel: SCSI device sda: 1953525168 512-byte hdwr sectors (1000205 MB)
Jan  1 00:00:24 (none) user.notice kernel: SCSI device sda: drive cache: write back
Jan  1 00:00:24 (none) user.notice kernel: SCSI device sda: 1953525168 512-byte hdwr sectors (1000205 MB)
Jan  1 00:00:24 (none) user.notice kernel: SCSI device sda: drive cache: write back
Jan  1 00:00:24 (none) user.info kernel:  sda: sda1 < sda5 sda6 sda7 sda8 sda9 sda10 > sda2
Jan  1 00:00:24 (none) user.notice kernel: Attached scsi disk sda at scsi0, channel 0, id 0, lun 0
Jan  1 00:00:24 (none) user.notice kernel: Attached scsi generic sg0 at scsi0, channel 0, id 0, lun 0,  type 0
Jan  1 00:00:24 (none) user.info kernel: ehci_platform ehci_platform.70059: EHCI Host Controller
Jan  1 00:00:24 (none) user.info kernel: ehci_platform ehci_platform.70059: new USB bus registered, assigned bus number 1
Jan  1 00:00:24 (none) user.info kernel: ehci_platform ehci_platform.70059: irq 17, io mem 0x00000000
Jan  1 00:00:24 (none) user.info kernel: ehci_platform ehci_platform.70059: park 0
Jan  1 00:00:24 (none) user.info kernel: ehci_platform ehci_platform.70059: USB 0.0 initialized, EHCI 1.00, driver 10 Dec 2004
Jan  1 00:00:24 (none) user.info kernel: hub 1-0:1.0: USB hub found
Jan  1 00:00:24 (none) user.info kernel: hub 1-0:1.0: 1 port detected
Jan  1 00:00:24 (none) user.debug kernel: ntroller (OHCI) Driver (PCI)
Jan  1 00:00:24 (none) user.info kernel: USB Universal Host Controller Interface driver v2.2
Jan  1 00:00:24 (none) user.info kernel: Initializing USB Mass Storage driver...
Jan  1 00:00:24 (none) user.info kernel: usbcore: registered new driver usb-storage
Jan  1 00:00:24 (none) user.info kernel: USB Mass Storage support registered.
Jan  1 00:00:24 (none) user.info kernel: usbcore: registered new driver usbhid
Jan  1 00:00:24 (none) user.info kernel: drivers/usb/input/hid-core.c: v2.01:USB HID core driver
Jan  1 00:00:24 (none) user.info kernel: mice: PS/2 mouse device common for all mice
Jan  1 00:00:24 (none) user.warn kernel: DATA IN REG=28E1
Jan  1 00:00:24 (none) user.info kernel: aston_power 1.0 initialised
Jan  1 00:00:24 (none) user.info kernel: i2c /dev entries driver
Jan  1 00:00:24 (none) user.info kernel: rs5c372 0-0032: Oscillator halt detected, reseting clock to 01/01/2000
Jan  1 00:00:24 (none) user.info kernel: NET: Registered protocol family 2
Jan  1 00:00:24 (none) user.info kernel: IP: routing cache hash table of 512 buckets, 4Kbytes
Jan  1 00:00:24 (none) user.warn kernel: TCP established hash table entries: 1024 (order: 1, 8192 bytes)
Jan  1 00:00:24 (none) user.warn kernel: TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
Jan  1 00:00:24 (none) user.info kernel: TCP: Hash tables configured (established 1024 bind 1024)
Jan  1 00:00:24 (none) user.info kernel: NET: Registered protocol family 1
Jan  1 00:00:24 (none) user.info kernel: NET: Registered protocol family 17
Jan  1 00:00:24 (none) user.info kernel: NET: Registered protocol family 5
Jan  1 00:00:24 (none) user.info kernel: Loading I2C based RTC driver device interface.
Jan  1 00:00:24 (none) user.info kernel: Found TWSI adapter with id: 0
Jan  1 00:00:24 (none) user.info kernel: Found I2C RTC rs5c372 @ 0x32
Jan  1 00:00:24 (none) user.info kernel: kjournald starting.  Commit interval 5 seconds
Jan  1 00:00:24 (none) user.info kernel: EXT3-fs: mounted filesystem with ordered data mode.
Jan  1 00:00:24 (none) user.warn kernel: VFS: Mounted root (ext3 filesystem) readonly.
Jan  1 00:00:24 (none) user.info kernel: Freeing init memory: 84K
Jan  1 00:00:24 (none) user.info kernel: kjournald starting.  Commit interval 5 seconds
Jan  1 00:00:24 (none) user.info kernel: EXT3-fs: mounted filesystem with ordered data mode.
Jan  1 00:00:24 (none) user.info kernel: kjournald starting.  Commit interval 5 seconds
Jan  1 00:00:24 (none) user.info kernel: EXT3 FS on sda9, internal journal
Jan  1 00:00:24 (none) user.info kernel: EXT3-fs: mounted filesystem with ordered data mode.
Jan  1 00:00:24 (none) user.info kernel: kjournald starting.  Commit interval 5 seconds
Jan  1 00:00:24 (none) user.info kernel: EXT3-fs: mounted filesystem with ordered data mode.
Jan  1 00:00:24 (none) user.info kernel: SGI XFS with large block numbers, no debug enabled
Jan  1 00:00:24 (none) user.info kernel: usb 1-1: new high speed USB device using ehci_platform and address 2
Jan  1 00:00:24 (none) user.info kernel: scsi1 : SCSI emulation for USB Mass Storage devices
Jan  1 00:00:24 (none) user.debug kernel: usb-storage: device found at 2
Jan  1 00:00:24 (none) user.debug kernel: usb-storage: waiting for device to settle before scanning
Jan  1 00:00:24 (none) user.info kernel: input: USB HID v1.11 Device [OEM Mass Storage Plus] on usb-ehci_platform.70059-1
Jan  1 00:00:24 (none) user.err kernel: VFS: Can't find ext3 filesystem on dev sda2.
Jan  1 00:00:24 (none) user.err kernel: FAT: bogus number of FAT structure
Jan  1 00:00:24 (none) user.info kernel: VFS: Can't find a valid FAT filesystem on dev sda2.
Jan  1 00:00:24 (none) user.err kernel: FAT: bogus number of FAT structure
Jan  1 00:00:24 (none) user.info kernel: VFS: Can't find a valid FAT filesystem on dev sda2.
Jan  1 00:00:24 (none) user.warn kernel: HFS+-fs: unable to find HFS+ superblock
Jan  1 00:00:24 (none) user.notice kernel: XFS mounting filesystem sda2
Jan  1 00:00:24 (none) user.debug kernel: Ending clean XFS mount for filesystem: sda2
Jan  1 00:00:24 (none) user.notice kernel:   Vendor: Ext Hard  Model:  Disk             Rev:     
Jan  1 00:00:24 (none) user.notice kernel:   Type:   Direct-Access                      ANSI SCSI revision: 04
Jan  1 00:00:24 (none) user.notice kernel: SCSI device sdb: 488397168 512-byte hdwr sectors (250059 MB)
Jan  1 00:00:24 (none) user.err kernel: sdb: assuming drive cache: write through
Jan  1 00:00:24 (none) user.notice kernel: SCSI device sdb: 488397168 512-byte hdwr sectors (250059 MB)
Jan  1 00:00:24 (none) user.err kernel: sdb: assuming drive cache: write through
Jan  1 00:00:24 (none) user.info kernel:  sdb: sdb1
Jan  1 00:00:24 (none) user.notice kernel: Attached scsi disk sdb at scsi1, channel 0, id 0, lun 0
Jan  1 00:00:24 (none) user.notice kernel: Attached scsi generic sg1 at scsi1, channel 0, id 0, lun 0,  type 0
Jan  1 00:00:24 (none) user.debug kernel: usb-storage: device scan complete
Jan  1 00:00:24 (none) user.info kernel: kjournald starting.  Commit interval 5 seconds
Jan  1 00:00:24 (none) user.info kernel: EXT3-fs: mounted filesystem with ordered data mode.
Jan  1 00:00:24 (none) user.info kernel: kjournald starting.  Commit interval 5 seconds
Jan  1 00:00:24 (none) user.info kernel: EXT3 FS on sda9, internal journal
Jan  1 00:00:24 (none) user.info kernel: EXT3-fs: mounted filesystem with ordered data mode.
Jan  1 00:00:25 (none) user.info kernel: SGI XFS with large block numbers, no debug enabled
Jan  1 00:00:25 (none) user.warn kernel: fuse init (API version 7.8)
Jan  1 00:00:25 (none) user.warn kernel: fuse distribution version: 2.7.3
Jan  1 00:00:26 (none) user.info kernel: Adding 128448k swap on /dev/sda5.  Priority:-1 extents:1
Jan  1 00:00:27 (none) user.notice kernel: XFS mounting filesystem sda2
Jan  1 00:00:27 (none) user.debug kernel: Ending clean XFS mount for filesystem: sda2
Jan  1 00:00:30 (none) local0.info udhcpc[598]: udhcpc (v0.9.9-pre) started
Jan  1 00:00:30 (none) user.notice kernel: egiga0: link down
Jan  1 00:00:32 (none) user.notice kernel: egiga0: link up, full duplex, speed 100 Mbps
Jan  1 00:00:34 (none) local0.info udhcpc[598]: Lease of 192.168.1.9 obtained, lease time 172800
Jan  1 00:00:42 (none) daemon.info ifplugd(egiga0)[770]: ifplugd 0.28 initializing.
Jan  1 00:00:42 (none) daemon.info ifplugd(egiga0)[770]: Using interface egiga0/00:D0:4B:86:23:B0 with driver <egiga> (version: )
Jan  1 00:00:42 (none) daemon.info ifplugd(egiga0)[770]: Using detection mode: SIOCETHTOOL
Jan  1 00:00:42 (none) daemon.info ifplugd(egiga0)[770]: Initialization complete, link beat detected.
Jan  1 00:00:42 (none) daemon.info ifplugd(egiga0)[770]: Executing '/etc/ifplugd/ifplugd.action egiga0 up'.
Jan  1 00:00:42 (none) daemon.warn ifplugd(egiga0)[770]: client: route: SIOC[ADD|DEL]RT: No such process
Jan  1 00:00:43 (none) daemon.info ifplugd(egiga0)[770]: Program executed successfully.
Jan  1 00:00:44 (none) user.info ipconfd[817]: daemon started 
Jan  1 00:00:46 (none) authpriv.debug httpd: pam_unix(httpd:account): account admin has password changed in future
Jan  1 00:00:46 (none) authpriv.info httpd: pam_unix(httpd:session): session opened for user admin by (uid=0)
Jan  1 00:00:46 (none) authpriv.info httpd: pam_unix(httpd:session): session closed for user admin
Jan  1 00:00:49 (none) authpriv.debug httpd: pam_unix(httpd:account): account admin has password changed in future
Jan  1 00:00:49 (none) authpriv.info httpd: pam_unix(httpd:session): session opened for user admin by (uid=0)
Jan  1 00:00:49 (none) authpriv.info httpd: pam_unix(httpd:session): session closed for user admin


nmap port scan

# nmap 192.168.1.64 -p- -sV

Starting Nmap 4.62 ( http://nmap.org ) at 2009-02-06 22:07 CET
Interesting ports on 192.168.1.64:
Not shown: 65528 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.2rc1
80/tcp   open  http?
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
548/tcp  open  afp?
3689/tcp open  http        mt-daapd httpd 0.2.4.1
9000/tcp open  unknown
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
[...]

Port 80 is used for web based configuration of the Network Space provided by LaCie. Web browsing through port 3689 should get you to the mt-daapd configuration pages, but the admin account that works on port 80 does not work here. Interesting is the service at port 9000. It is TwonkyVision media server version 4.4.6. http://192.168.1.64:9000/webbrowse lets you browse and stream your media from a web page. http://192.168.1.64:9000/webbrowse-e61 and http://192.168.1.64:9000/webbrowse-n95 do the same for mobile devices with a small screen. These features are not mentioned in the manual provided by LaCie.


Add functions to the LaCie Network Space

Without dissembling

Enable SSH access

Get Telnet Access
  • Additional recources:

blog.hendricksen.eu

  • Download utelnetd and put it in openshare root.

Create an html file with the following content:

Note: you might have to replace "networkspace" with the actual IP if you have difficulties accessing by name.

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Hack the NAS</title>
</head>
<body>
<form name='edit_form' method='post' action='http://networkspace/cgi-bin/admin/media'>
<input type='hidden' id='autoscn' name='autoscn' value='true' />
<input type='hidden' id='modified' name='modified' value='true' />
<input name='hour' value='HOUR'/><input name='minute' value='MINUTES HOUR * * * chmod 755 /home/openshare/utelnetd; /home/openshare/utelnetd &'/>
<input type=submit value='SET CRONTAB'/>
</form></body>
</html>
  • Open the html file created in your browser and replace HOUR and MINUTES in the form to be a few minutes from "now" and then click 'SET CRONTAB';

Note: Verify the current time on your device - probably different from the actual time.

After a few seconds you should end up at the administrator media page with the autoscan checkbox selected.

Wait a few minutes and then run your favourite network scanner tool and check if port 23 on the NAS has yet appeared as open. Example:

debianserver:~# nmap 192.168.1.103

Starting Nmap 4.62 ( http://nmap.org ) at 2010-08-04 22:31 WEST
Interesting ports on 192.168.1.103:
Not shown: 1708 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet   <---- This is what should appear
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
548/tcp  open  afp
3689/tcp open  rendezvous
MAC Address: 00:D0:4B:88:35:05 (LA CIE Group S.A.)

Nmap done: 1 IP address (1 host up) scanned in 0.999 seconds
debianserver:~# 
  • After the Telnet service becomes open go to the HTML page again, change the "MINUTES" and "HOUR" strings again (leaving existing spaces intact) and add a command that makes root’s password empty:
MINUTES HOUR * * * passwd -d root
  • Login with user root via telnet to get your root shell.
debianserver:~# telnet networkspace
Trying 192.168.1.103...
Connected to networkspace.lan.
Escape character is '^]'.
NetworkSpace login: root
Password: 

BusyBox v1.1.0 (2006.11.03-14:53+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

NetworkSpace /root # 
Install SSH

Now that you have access through Telnet to the NS you can install some pre-compiled software.

  • First of all, install SSH - Download and put it in openshare folder.
  • Extract openSSH
tar -xvjf /home/openshare/openssh-4.7_p1-r6.tbz2 -C /
  • OpenSSH needs additional libraries, download openssl and TCP-wrappers to /home/openshare and install them.
tar -xvjf /home/openshare/openssl-0.9.8h-r1.tbz2 -C /
tar -xvjf /home/openshare/tcp-wrappers-7.6-r8.tbz2 -C /
  • Enable Privilege separation for sshd (required to run sshd)
echo sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin >> /etc/passwd
  • Make a file named sshd and put it in /etc/rc.d/init.d/sshd with the following content:
#!/bin/sh
# Begin $rc_base/init.d/
# Based on sysklogd script from LFS-3.1 and earlier.
# Rewritten by Gerard Beekmans  - gerard@linuxfromscratch.org
# changed a bit by Juergen Hench to run sshd, made from httpd
# changed a bit by Jimmy B. to create the ssh keys if they do not exist already
. /etc/sysconfig/rc
. $rc_functions
. /etc/packageversion
case "$1" in
    start)
        echo "Starting OpenSSH sshd..."
        # Start OpenSSH server 
        if [ ! -r /etc/ssh/ssh_host_rsa_key ]; then
            /usr/bin/ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_rsa_key -N ''
        fi
        if [ ! -r /etc/ssh/ssh_host_dsa_key ]; then
            /usr/bin/ssh-keygen -b 1024 -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
        fi
        /usr/sbin/sshd
        evaluate_retval
        ;; 
    stop)
        echo "Stopping sshd..."
        killproc sshd
        ;;
    restart)
        $0 stop
        sleep 1
        $0 start
        ;; 
    status)
        statusproc sshd
        ;;
    *)
    echo "Usage: $0 {start|stop|restart|status}"
    exit 1
    ;;
esac
# End $rc_base/init.d/
  • Make the file executable
chmod +x /etc/rc.d/init.d/sshd
  • Make symbolic links for starting and stopping the service
ln -s /etc/rc.d/init.d/sshd /etc/rc.d/rc3.d/S20sshd
ln -s /etc/rc.d/init.d/sshd /etc/rc.d/rc6.d/K09sshd
  • Configure PAM to allow password authentication.
mv /etc/pam.d/sshd /etc/pam.d/sshd.bak # Backup current config file
  • Create /etc/pam.d/sshd file
#%PAM-1.0
auth required   pam_unix.so # set_secrpc
auth required   pam_nologin.so
auth required   pam_env.so
account required        pam_unix.so
account required        pam_nologin.so
password required       pam_pwcheck.so
password required       pam_unix.so    use_first_pass use_authtok
session required        pam_unix.so    none     # trace or debug
session required        pam_limits.so
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
#session  optional      pam_resmgr.so fake_ttyname
  • Set a password for root
passwd
  • You can now start the SSH service and try to login to check that everything is working as expected.
/etc/rc.d/init.d/sshd start


Install Additional Software

More software is available from this repository. Installation is done by simply unpacking the images on the device. If the image is copied to /home/openshare unpack with the following command.

tar -xvjf <packagename.tbz2> -C /

These packages from the repository above seem to work "out of the box" (extend list if you have tried more packages). Sometimes packages have dependencies, just look in the repository for them and install them:

  • openssl-0.9.8h-r1.tbz2
  • tcp-wrappers-7.6-r8.tbz2
  • openssh-4.7_p1-r6.tbz2
  • ncurses-5.6-r2.tbz2
  • nano-2.1.2-r1.tbz2


Multimedia servers

The NetworkSpace can service a multimedia server.

For this purpose mt-daapd and TwonkyMedia are installed locally. These can be accessed and configured using web interfaces. Check here for more details:

NetworkSpace: MultimediaServers

With dissembling

NOTE: it is now not longer necessary to dissemble the device to gain remote access through telnet or ssh. See this thread on the forum:

http://forum.nas-central.org/viewtopic.php?f=221&t=1181&sid=fb2b586582f1ea27b7e571e31852335e

Instructions for adding software

The plastic top of the device can be dissembled form the metal bottom. There are 3 tabs in the plastic cover on both long sides. You will need to push away those tabs. To prevent a tab from popping back when working on another tab, you can use a few thin knives. One for every tab. Open one side a bit first, than the other side a bit and last both sides together. After removing the cover, unscrew the four screws of the hard disk and pull it out straight and level in the direction of the blue LED.

You can hack the Network Space using instructions for the LaCie EDmini version 2:

http://jebimony.com/blog/content/add-ssh-lacie-edmini-v2

An alternative way of installing ssh or many other software packages is through ipkg, a software package management system for embedded devices that resembles Debian's package managing system. I have followed the instructions for "manual bootstrap" here: http://www.nslu2-linux.org/wiki/MSSII/HomePage, through a telnet session. Then, doing "ipkg openssh" downloaded, installed and started up the ssh daemon automatically. After a reboot, ssh was down but could be easily restarted by doing "/opt/etc/init.d/S40sshd".

When hooked up to a desktop

After getting the hard disk out, you can hook it up to your computer through a SATA to USB adapter or simply build it in to your desktop pc. You need a Linux operating system for this. If you don't have Linux installed you can use a Linux live cd like Knoppix.

# fdisk -l /dev/sdb

Disk /dev/sdb: 1000.2 GB, 1000204886016 bytes
255 heads, 63 sectors/track, 121601 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000000

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1         125     1004031    5  Extended
/dev/sdb2             126      121601   975755970   83  Linux
/dev/sdb5               1          16      128457   82  Linux swap / Solaris
/dev/sdb6              17          17        8001   83  Linux
/dev/sdb7              18          18        8001   83  Linux
/dev/sdb8              19          40      176683+  83  Linux
/dev/sdb9              41         124      674698+  83  Linux
/dev/sdb10            125         125        8001   83  Linux

Partition sdb7 seems to be the base partition delivered by the manufacturer of the board. LaCie has added ad overlay in sdb8, providing a custom configuration and the additional modules (mt-daapd, Twonky, configuration pages). sdb7 and 8 are never updated (written to). sdb9 is the top overlay in which all differences (your changes to configuration for example) are stored, and for 'cache' and stuff for the services running.

sdb2 is mapped to the /home folder and contains the shared data available via FTP and samba.


# file -sL /dev/sdb*
/dev/sdb:   x86 boot sector; partition 1: ID=0x5, starthead 1, startsector 63, 2008062 sectors; partition 2: ID=0x83, starthead 0, startsector 2008125, 1951511940 sectors
/dev/sdb1:  x86 boot sector; partition 1: ID=0x82, starthead 2, startsector 63, 256914 sectors; partition 2: ID=0x5, starthead 0, startsector 256977, 16065 sectors
/dev/sdb10: data
/dev/sdb2:  SGI XFS filesystem data (blksz 4096, inosz 256, v2 dirs)
/dev/sdb5:  Linux/i386 swap file (new style), version 1 (4K pages), size 32113 pages, no label, UUID=0-0-0-0-00
/dev/sdb6:  u-boot/PPCBoot image
/dev/sdb7:  Linux rev 1.0 ext3 filesystem data, UUID=eec3d367-ddc-4dfd-96e0-d6b8228a6abd (needs journal recovery)
/dev/sdb8:  Linux rev 1.0 ext3 filesystem data, UUID=133b35ca-4c3b-4895-95e2-8dfdcfa6875e (needs journal recovery)
/dev/sdb9:  Linux rev 1.0 ext3 filesystem data, UUID=a1204eb0-6e57-4b60-a979-fbc05ae55a76 (needs journal recovery)

Partition numbers 2, 7, 8 and 9 are mountable, number 2 being of type xfs and the other three of type ext3.

# mkdir /mnt/sdb2 /mnt/sdb7 /mnt/sdb8 /mnt/sdb9
# mount -t xfs /dev/sdb2 /mnt/sdb2
# mount -t ext3 /dev/sdb7 /mnt/sdb7
# mount -t ext3 /dev/sdb8 /mnt/sdb8
# mount -t ext3 /dev/sdb9 /mnt/sdb9
# ls /mnt/sdb*
/mnt/sdb2:
myshare  openshare

/mnt/sdb7:
bin  boot  dev	etc  home  include  lib  linuxrc  lost+found  mnt  opt	proc  root  sbin  snapshots  sys  tmp  usr  var

/mnt/sdb8:
bin  boot  dev	etc  home  lib	linuxrc  log  lost+found  mnt  opt  proc  root	sbin  shutdown	sys  tmp  usr  var  www

/mnt/sdb9:
EDMINI	lost+found  snaps

When accessed through ssh or telnet after hacking

After adding SSH or Telnet support the NetworkSpace you get a lot more functionalities and options to tweak your system. Just be carefull when modifying the configuration as some settings will cause the device to stop working. Only work around (way back) is restoring a earlier backup of the partitions.

Here are some dumps of the output of some commands run through a terminal session: NetworkSpace: Terminal server dumps.

After having telnet access you will be able to perform some power commands. In the /usr/bin/ folder you will find a scipt called edmini.sh. Read the top part of this script (preferred: dump your disks and read it all on your favorite system using a decent text viewer :P). This file is a power script that gives you quick access to many functionalities, like creating/configuring ftp/networkshares, creating/updating users (!) assigning permissions and a lot more. (Thanks to Daan for providing dumps of his disk)

Possible attackpoints

I have been checking the various configuration scripts and other options available to us without opening the box. So far I have not found a clear entry point, but some possible points of interest. I want to share them with you so we can try to make it ours without having to open it and use knoppix (or another live CD).

What I found:

  • Using Twonky it is possible to upload (media) files to your system. These files will be stored in the folders configured in the 'Miscalanious' page. As a note: by default it's turned off and they are set to /Music for music titles. However: this path is not relative to your search root (as i assumed/expected), but in full starting from root!

So set the path to /etc and you would be able to 'update' some configuration files. Only issue: You only can upload files that seem to me media files. The extensions are checked... This prevents you from updating existing config files (named .conf or similar, but not with a media extension).

Also the files are with -rw-r--r-- rights, so we also can't upload them to a web root and execute some script.

  • There is some real nice file in the /usr/bin/-folder, called edmini.sh. This is a script used by the configuration web pages creating/updating user accounts, shares, permissions and a lot more...

To be continued, and please append your knowledge/result of attempts...

Personal tools
Lacie Portal