Samstag, 18. November 2017, 20:21 UTC+1

Sie sind nicht angemeldet.

  • Anmelden
  • Registrieren

Lieber Besucher, herzlich willkommen bei: NAS Forum. Falls dies Ihr erster Besuch auf dieser Seite ist, lesen Sie sich bitte die Hilfe durch. Dort wird Ihnen die Bedienung dieser Seite näher erläutert. Darüber hinaus sollten Sie sich registrieren, um alle Funktionen dieser Seite nutzen zu können. Benutzen Sie das Registrierungsformular, um sich zu registrieren oder informieren Sie sich ausführlich über den Registrierungsvorgang. Falls Sie sich bereits zu einem früheren Zeitpunkt registriert haben, können Sie sich hier anmelden.

1

Dienstag, 29. April 2008, 12:31

Request for help. Hacking NAS FT3563-BT

Hi all.
Recently I bought a NAS FT3563-BT (http://fully-top.com/ArticleShow.asp?ArticleID=161) that seems same device that:
Coolmax CN-570 http://www.smallnetbuilder.com/content/view/29899/75/1/3/
NS-348S http://www.multicase.de/en/products/76/n…ureservice.com/
Emprex NSD-100 http://www.emprex.com/02_products_02.php?id=205
Agestar NCB3AHT http://www.agestar.com/english/products/ncb3aht.asp
http://shenztech.com/code/ui/product/pro…NAS2&subcatid=9

At this moment, I'm capable to remote execute program (root user).
Such dmesg describes, firmware are splited in tree parts:
0x00000000-0x00020000 : "Armboot" (mtd0)
0x00020000-0x007e0000 : "Kernel & Ramdisk" (mtd1)
0x007e0000-0x00800000 : "configure" (mtd2)
I obtained these parts (using dd), and are available at:
http://www.uv.es/cuan/arxius/FT3563-BT/
I'm interested in rebuild "Kernel & Ramdisk" partition to add, or remove scripts and apps, but I don't know how to slplit kernel from Ramdisk.
I see others NAS systems what have a partition for kernel, and a partition for ramdisk, but in this case, Kernel and ramdisk are at same partition.
Dmesg, free, df and mount :

Quellcode

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
-----------------dmesg----------------------------
Linux version 2.4.27-star (root@localhost.localdomain) (gcc version 3.3.6) #1308 Thu Mar 15 15:55:00 CST 2007
CPU: FA526id(wb) revision 1
ICache:16KB enabled, DCache:16KB enabled, BTB support
Machine: STAR_STR9100
On node 0 totalpages: 8192
zone(0): 8192 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: console=ttyS0,38400 root=/dev/ram0 initrd=0x00900000,10M mem=32M@0x00000000
Relocating machine vectors to 0xffff0000
IRQ Timer1 at interrupt number 0x0 and clock 100000000(Hz)
Calibrating delay loop... 153.60 BogoMIPS
Memory: 32MB = 32MB total
Memory: 19328KB available (1952K code, 575K data, 220K init)
max_threads is :512 @@@@@@@@@@@@@@@@@
Dentry cache hash table entries: 4096 (order: 3, 32768 bytes)
Inode cache hash table entries: 2048 (order: 2, 16384 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 8192 (order: 3, 32768 bytes)
POSIX conformance testing by UNIFIX
CPU clock is 200 !!!!!!!!
PCI: bus0: Fast back to back transfers disabled
pci bridge found 
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
do initcalls start
Starting kswapd
NTFS driver v1.1.22 [Flags: R/W]
SGI XFS with no debug enabled
i2c-core.o: i2c core module version 2.6.1 (20010830)
i2c-algo-bit.o: i2c bit algorithm module
pty: 256 Unix98 ptys configured
Str9100 Serial Driver version 5.05c (2001-07-08) with no serial options enabled
ttyS00 at 0xf7800000 (irq = 10) is a Star_UART
!!!!!!!!!!!!!mac is: 0:b:2b:c0:64:83
RAMDISK driver initialized: 16 RAM disks of 16384K size 1024 blocksize
loop: loaded (max 8 devices)
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
SCSI subsystem driver Revision: 1.00
kmod: failed to exec /sbin/modprobe -s -k scsi_hostadapter, errno = 2
kmod: failed to exec /sbin/modprobe -s -k scsi_hostadapter, errno = 2
 Amd/Fujitsu Extended Query Table v1.3 at 0x0040
number of CFI chips: 1
cfi_cmdset_0002: Disabling fast programming due to code brokenness.
Creating 3 MTD partitions on "str9100_flash":
0x00000000-0x00020000 : "Armboot"
0x00020000-0x007e0000 : "Kernel & Ramdisk"
0x007e0000-0x00800000 : "configure"
ftl_cs: FTL header not found.
ftl_cs: FTL header not found.
ftl_cs: FTL header not found.
i2c-core.o: adapter STR9100 I2C Adapter registered as adapter 0.
usb.c: registered new driver hub
hcd.c: ehci_hcd @ EHCI, EHCI_HCdriver
hcd.c: irq 24, pci mem fcc00000
usb.c: new USB bus registered, assigned bus number 1
hub.c: USB hub found
hub.c: 2 ports detected
host/usb-ohci.c: USB OHCI at membase 0xc3819000, IRQ 23
host/usb-ohci.c: usb-OHCI, OHCI_HCdriver
usb.c: new USB bus registered, assigned bus number 2
hub.c: USB hub found
hub.c: 2 ports detected
usb.c: registered new driver usblp
printer.c: v0.13: USB Printer Device Class driver
Initializing USB Mass Storage driver...
usb.c: registered new driver usb-storage
USB Mass Storage support registered.
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 2048 bind 4096)
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NET4: AppleTalk 0.18a for Linux NET4.0
NetWinder Floating Point Emulator V0.97 (double precision)
do initcalls end
RAMDISK: Compressed image found at block 0
Freeing initrd memory: 10240K
VFS: Mounted root (ext2 filesystem) readonly.
Freeing init memory: 220K
UART IRQ_ports = c02a6018
UART IRQ at interrupt number 0xa
hub.c: new USB device EHCI-2, assigned address 2
scsi0 : SCSI emulation for USB Mass Storage devices
  Vendor: MAXTOR S  Model: TM3500320AS       Rev:     
  Type:   Direct-Access                      ANSI SCSI revision: 02
port:50
Attached scsi disk sda at scsi0, channel 0, id 0, lun 0
X1205: I2C based RTC driver.
i2c-core.o: driver X1205 registered.
X1205: found X1205 on STR9100 I2C Adapter
ccr_write_enable: verify SR failed
i2c-core.o: client [X1205] registered to adapter [STR9100 I2C Adapter](pos. 0).
X1205: i2c_add_driver RTC driver.
X1205: misc_register RTC driver.
atr is 0
Partition check:
 sda: sda1 sda2 sda3
WARNING: USB Mass Storage data integrity not assured
USB Mass Storage device found at 2
ccr_write_enable: verify SR failed
Adding Swap: 473908k swap-space (priority -1)
XFS mounting filesystem sd(8,2)
Ending clean XFS mount for filesystem: sd(8,2)
XFS mounting filesystem sd(8,3)
ccr_write_enable: verify SR failed
Ending clean XFS mount for filesystem: sd(8,3)
....................free.................
              total         used         free       shared      buffers
  Mem:        29788        28648         1140            0          308
 Swap:       473908         2080       471828
Total:       503696        30728       472968
....................mount.................
/dev/ram0 on / type ext2 (rw)
none on /proc type proc (rw)
/dev/sda2 on /conf type xfs (rw)
/dev/sda3 on /mnt/data type xfs (rw)
....................df.................
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/ram0                15863     14413       631  96% /
/dev/sda2               109888       264    109624   0% /conf
/dev/sda3            487650496  63216104 424434392  13% /mnt/data

snoopy

NAS2000-Team

Beiträge: 467

Wohnort: Zu Hause

2

Dienstag, 29. April 2008, 15:38

RE: Request for help. Hacking NAS FT3563-BT

Hi elbuit!

First: Welcome to the forum!

cause we are a German forum there are only few native English speakers - so if there is a translation mistake fell free to correct me.

Mainly we are in the NAS1000 and 2000 Hard- & Software quite well informed.

As I understood you want a split the kernel from ramdisk. This seems to me not quite easy, cause you´ll have to set the registers in an other way as they are in an combined mode.

May be there's a solution in the German corner - If so I´ll post it here.

Greetz. Snoopy
--------------------------------------------------------------------------
Der Mensch ist das wichtigste und kostbarste Peripheriegerät einer Computeranlage.

myStuff: NAS2001+4220(1000Gb-ext3)+Dlink524+KabelD. (120 Mbit)

3

Mittwoch, 30. April 2008, 07:46

Thanks snoopy.
Yesterday, I opened firmware file with a hexadecimal editor, and found "ramdisk" string.
I cutted the firmware and "file" command identify resultatn file as gzipped.
I extracted and mount as ext2, and voila!!!
Now I'm capable to extract ramdisk from firmware.
Next step may be found how to boot from tftp, to boot NAS with a custom firmware.

Thanks

PS:Ramdisk, and firmware are available at http://www.uv.es/cuan/arxius

snoopy

NAS2000-Team

Beiträge: 467

Wohnort: Zu Hause

4

Mittwoch, 7. Mai 2008, 20:27

Hi elbuit,

cool. I thought of more complications. Copy ´n paste... life could be so simple. :P

OK. Second problem is a little more easy to answer. You will need to install debian first. how to do is written here: http://nas-2000.org/mwiki/index.php?titl…ion_on_your_nas

Thats it. you can now run whatever you want. More @ nas-2000.org .... wiki (its in english ;) )

Greetz. Snoopy
--------------------------------------------------------------------------
Der Mensch ist das wichtigste und kostbarste Peripheriegerät einer Computeranlage.

myStuff: NAS2001+4220(1000Gb-ext3)+Dlink524+KabelD. (120 Mbit)

snoopy

NAS2000-Team

Beiträge: 467

Wohnort: Zu Hause

5

Mittwoch, 7. Mai 2008, 20:32

Hi elbuit,

there´s one thing i just forgot.... I (and some others) would be glad when you write a little "how to" and we publish it here or in the wiki (there you can publish it by yourself).

If you have a working software you can zip it and upload it under "Dateianhänge".

Thanx 4 that. Snoopy
--------------------------------------------------------------------------
Der Mensch ist das wichtigste und kostbarste Peripheriegerät einer Computeranlage.

myStuff: NAS2001+4220(1000Gb-ext3)+Dlink524+KabelD. (120 Mbit)

6

Dienstag, 22. März 2011, 23:42

Not exactly the same , but very similar. This is my post over on the emprex.codejs.com forum. download image for the EMPREX NSD-100 hack found there.( you will have to join I'm afraid ) posted in the "emprex hardware other" section along with the image file.

-RTFM- ONLY USE THE IMAGE I HAVE POSTED FOR THE NSD-100 AS IT HAS 64MEG RAM. IF YOU WANT TO DO THIS ON A SIMILAR DEVICE USE THE METHOD BELOW. IF YOU HAVE 32MEG OF RAM IT WILL BRICK YOUR DEVICE IF YOU USE MY IMAGE . MY IMAGE IS FOR 64 MEG ONLY....... IF YOU HAVE 32MEG USE THE METHOD BELOW TO MAKE YOUR OWN...

This is how it is done ( from my crib notes ). It looks quite strait forwards , and it is, but it took quite a bit of time and reading of other web sites. thanks to http://tinyhack.com/ for the info on how to find the start of the ramdisc. The guy at tinynack has done far more with a similar device, and this place http://emprex-nas.blogspot.com/2008/08/ ... d-100.html for getting me going with telnet and debian.

***********************************************
On a windows PC

load V03R14_eon.bin into hex editor . I use "hex editor neo" ( demo lasts 14 days )

search for 1f 8b 08 ,this is the header of a gzip archive. ( search in hex not ascii )

found at two places, cut at 2nd 0x0017af34 just before it says ramdisk ,cut right to the end of the file. The ramdisk isn't as big as this but when we open it up the extra bit will be left.

save as file ending in gz ie ramdiskfs.gz

I opened this file with winrar

http://www.rarlab.com/

you get a file called ramdisk ,extract and save it to a file called ramdisk some where on your pc.

with your nsd100 running and your pc looking at the samba share "public" copy to "public"

on the nsd100 this will be in
/mnt/data/public

Now login to the nsd100 via telnet
type

mknod /dev/loop0 b 7 0
mkdir /mnt/ram
mount -o loop /mnt/data/public/ramdisk /mnt/ram


edit /mnt/ram/etc/init.d/rc.sysinit ( I did this across samba as I have a share on the root and use SCiTE http://www.scintilla.org to edit the file as this does not create CR at the end of the line )

add

#start telnet demon
echo "pts/0" >> /etc/securetty
/usr/sbin/telnetd

#wait 15 seconds
sleep 15
#run script boot in public

/mnt/data/public/boot


just before this line at the end

/bin/echo "Sysinit done"

save file


umount /mnt/ram
( need to be out of /ram directory to do this.just type cd /)

cd /mnt/data/public
gzip ramdisk

to recompress. it takes 5 minutes or so just watch the telnet session for your cursor to come back. I did this on the nsd100 as I knew it would be able to decompress it later when it boots . dont do it in winrar the compression is the wrong type and will brick your nsd100.

this makes ramdisk.gz

on the windows pc copy the ramdisk.gz file back to the pc

paste this back into the flash image with hex edit neo

make sure the paste goes in at address 0x0017af34 starting with 1f 8b 08 00

and the end bytes of what you are pasting are 00 00 40 01 ( my image was abit smaller than the original )

save flash image . as V03R14_new.bin


reflash device with new patched image using the update firmware page on the nsd100 web interface.
this takes a few minutes.

it will reboot its self , you config should stay , IP address etc.

on the public share you need to add the script file "boot" . When the nsd100 boots it will look for this and run it.

here is mine

#!/bin/sh
#echo "pts/0" >> /etc/securetty
#/usr/sbin/telnetd
/mnt/data/public/debian/usr/sbin/chroot /mnt/data/public/debian /etc/init.d/ssh start

/mnt/data/public/debian/usr/sbin/chroot /mnt/data/public/debian lighttpd -f /etc/lighttpd/lighttpd.conf

/usr/sbin/setled --buzzer=1 >/dev/null
/usr/sbin/setled --buzzer=1 >/dev/null
/usr/sbin/setled --buzzer=1 >/dev/null


you dont need the telnet bit anymore as this is in the rc.sysinit.

the ssh bit and lighttpd bit are to do with debian ignore them at the moment I will do another post about them later.

the buzzer bit buzzes the buzzer 3 times when all is done to let you know it has run.

this script must have root privileges

once made go to telnet and type

chmod 755 /mnt/data/public/boot


Enjoy :D

Dieser Beitrag wurde bereits 1 mal editiert, zuletzt von »Pale« (22. März 2011, 23:48)


snoopy

NAS2000-Team

Beiträge: 467

Wohnort: Zu Hause

7

Donnerstag, 24. März 2011, 09:07

:thumbsup: THX!

:kiss: Guess there will be some users who will love you for that tutorial.

Greetz
snoopy
--------------------------------------------------------------------------
Der Mensch ist das wichtigste und kostbarste Peripheriegerät einer Computeranlage.

myStuff: NAS2001+4220(1000Gb-ext3)+Dlink524+KabelD. (120 Mbit)