Linux on the NSLU2 |
|
|
Last updated, Oct 10 2010 Update: This page has evolved quite a bit over the last couple of years. I started it to document hacks on the NSLU2, but nowadays, there are much better places to get info. Instead, I've been using this page to list devices that I've had the privlege to do reviews on. Many of the devices I review run Linux and often times, I still try to look at the "hackability" of the device, so if that's what brings you here, read on!
Jim Buzbee
UpdatesMar 13 2011 I've been spending some time playing with Android. Lots's of fun! And now I have my first app written and available. It follows along the line of my iPhone app I wrote a while back. Unfortunately, Apple yanked that one from the store as I was being bad by reading photo files from the camera directory instead of going through the approved API to get them one by one. Anyway, my new Android app greatly expands on the original concept by using all sorts of content instead of just photos. I get the photos, RSS feeds, Flickr photos, Facebook feeds, Twitter feeds, etc, etc, etc. Anyway, check it out at: SocialMediaTicker.com and let me know what you think. Jan 12 2011 Over the holdays I checked out a new Network Cam by DLink Oct 10 2010 Here's a presentation I put together to talk about the Shell Injection types of flaws I've found in NAS devices. April 3 2009 Check out my review of the Thecus M3800 where I found it to be a high-performance NAS box. During the review, I uncovered an exploitable root hole that any user could take advantage of. I notified Thecus and they put out a quick pach. But I just had to try again and quickly found another exploit that was only accessible to the admin user. Jan 17 2009 I've been a bit busy trying my hand at writing an iPhone and iPod touch application. It's a bit of a different endeavor for me, but I had a good time doing it. The application was inspired by the AppleTV that I reviewed a while back. It doesn't make rude noises or calculate your tips for you, but you can check it out here. Here's a review of the Mvix MvixBOX. It was an interesting little box, but a bit slow. It came with a ssh server built-in so no hacking required! 23 Dec 2008 I've been a bit behind in updating this page with some of my later reviews, so here's a few.
3 Oct 2008 I recently reviewed an interesting little device. The ScreenPlay hooks up to an external USB drive and your TV, allowing play back of movies, pictures and music. Most of its capabilities were so-so, but the one nice thing it did do was allow you to play back ripped DVDs with complete functionality such as menus, extras, chapters, etc. And it was only $100 or so. 18 June 2008 This week I reviewed a D-Link DPG-1200  which was a
remote-display type of device for Windows computers. Even though it was Windows-only, it ran Linux internally
and I got root on it (no hard task on this one!). Read the review
here
In other news, I gave a Slug presentation to the Boulder Linux Users group last week. The title of my presentation was Is That a LAMP in your Pocket?. If you're interested, the pdf version of the presentation is available here. 28 May 2008 Time for a new review. I just finished up checking out a Trendnet TS-S402 .
It was an OK little box, but it had some issues. But on the bright side, I was able to hack into it for a root shell. So
if you're into that, maybe it's worth a look.
08 Mar 2008 I just reviewed the ZyXEL NSA-220
. I found it to be a nice little box with an attractive UI and built-in Bittorrent capabilities. In the time I had to do the review, I didn't get command-line access, but I did see that it's running a getty on a serial console. With a bit more time, I suspect that one could
hook up a serial adaptor and get in.
22 Jan 2008 My brother Bill has taken up with the NSLU2 crowd. Check out his page, and read about his extreme hobby of building a computer from scratch. Really from scratch. 16 Jan 2008 My latest review is on the Promise SmartStor . It was a fairly inexpensive RAID 5 capable box. To explore it further, I exploited a cgi hole to get a shell with full root access.
I'm now playing around a bit with setting up a home weather station - driven by my Slug of course. You can see the page here, although I'll probably be bringing it up and down as I see what I can do with it. And I have a couple of more reviews lined up. Stay tuned... 6 Oct 2007 I have a review up of the Qnap TS-209 Pro. I like this box quite a bit. It came with good performance and a lot of features including MySql, PHP, rsync, and an SSH server - no hacking required. You can read the review here. If you're looking for something cheaper, I reviewed the Iomega 1 TB StorCenter. You can find this box on-line for well under $400 . I also hacked a root shell on this one for a little bit more flexibility.
24 July 2007 My new review on Hacking the Apple TV is up. With a few simple hacks, this little box is playing about every file I have in my library. After I finished the review, an update to the nitoTV plugin was released that plays back ripped DVDs using the Apple DVD Framework. This means complete menu support and navigation from DVD images stored on NAS devices like the NSLU2. Very Cool, and an incentive for me to finally start ripping my entire DVD library. 22 July 2007
A few weeks back, I got a Here's a review of Buffallo's new LinkTheater Wireless A&G Network Media Player. It didn't do much for me.
Here are some more of my articles
28 October 2006 Here's some more of my articles
20 August 2006 Not much NSLU2 news from me, but I've been writing a bunch more reviews:
04 May 2006 My articles roll on. First up is a review of a Linux-based media-player, the Buffalo LinkTheater Mini .
I think this device should be "hackable" because it boots a Linux image across the network.
If a new image could be built for it, maybe additional functionality could be added. If something
got messed up, you'd simply power-cycle to grab the old image. For less than $100 it could be an interesting
device to play with.
Next, I tried to
build my own PVR based around the ADS
Instant TV Deluxe.
16 April 2006 I have reveiw of the DSM-G600 up on TomsNetworking. It was an interesting little box based on the same chipset as the NSLU2. As well
as Gigabit support, it also had wireless capabilities. As a proof of concept, I created and loaded a new firmware for it.
05 Mar 2006 I haven't updated this it awhile, because I've been quite busy writing. Here's the second part of my Home Audio Video Network article. I also wrote a review of a VOIP service. I found that router supplied with the servive was running VxWorks and I got a login prompt, but I didn't get in. Finally, I have a new review of Iomega's StorCenter with gigabit support. This one, like most, was running Linux. I was able to make use of another cgi flaw to "hack" into it enough to browse through the OS filesystem. So many devices, so little time... I'm currently in the middle of a review of another NAS device. I think I'll be able to get into it far enough to create a custom firmware. We'll see... 8 Jan 2006 I had an article published this week dealing with my entertainment center and how I integrated it into my home network using my NSLU2, my Kurobox, etc. The first article dealt with music, a follow up article will show how I am handling movies and still pictures. I'm also wrapping up a review of a VoIP service that's kind of interesting. I've toyed with VoIP before, but this is the first service I really tried out. 10 Dec 2005 I just finished my review of the TRENDnet TS U200 .
The TS-U200 is a device similar to the NSLU2 with Ethernet and two USB 2.0 ports. And like the NSLU2, I was able to
"get root" on it by using a flaw on one of the configuration web pages.
19 Nov 2005 My review of the Yellow Machine is now up at TomsNetworking. The Yellow Machine is a Linux-based NAS device that supports RAID. I'm currently wrapping up a review of a NAS comparable to the NSLU2. It's a tiny device that's similar to the wrt54g as well in that it has the same type of security hole. That hole allowed me to "get root" on this new device so I can install and run my own code. I hope to have the review done this week. 4 Oct 2005 I have a new review up on TomsNetworking.com. It's for a ADS NAS Kit . The interesting
thing about this NAS is that it includes a built-in bittorrent client.
I've started working on a review of a high-end NAS unit that runs Linux, supports RAID 5, and even comes with a compiler so you can add whatever else you need. Stay tuned. 16 Sep 2005 My review of the LaCie Ethernet Mini
is now
up on TomsNetworking. It's an interesting
little device that can be either a NAS or a USB external drive. Since it keeps its root filesystem on disk, It was fairly easy to hack into. I was
able to fire up an inetd that I copied over from my Kuro Box. I didn't have a chance to get much further, but it
wouldn't be hard to fully customize it.
9 Sep 2005 Taking a break from NAS devices (I now have eight on my LAN!), I just reviewed the Slingbox from Sling Media. It's a device that lets you view
TV or any other video source across the Internet. It only has a client for Microsoft Windows at the moment, but Macintosh, Linux and others are
promised in the future.
14 Aug 2005 My review of a high-end NAS is now up. Check it out to see how it compares to our $85 NSLU2. My review of the NAS that can be either a NAS or a external USB drive is about done. Of course it runs Linux, and I've been able to execute my own code on it which also makes it interesting. I hope to finish the review soon. 6 Aug 2005 I just finished a review of a $3000 NAS device, and it should be on-line soon. Find out how it compares to the $85 NSLU2. I'm also starting a review of another Linux-based NAS devices that does double-duty as an external USB 2.0 drive. So you can either hook it on your lan, or into your USB port for fast access. 14 July 2005 My reviews of NAS Devices continue over at TomsNetworking.com. I'm also working on a new release of my Batbox wrt54g distribution. I hope to have it out in the next couple of days 6 July 2005 I've upgraded my Maxtor Shared Storage with a custom firmware so I can add new functionality. The firmware adds a telnet daemon, but that's about it. The processor is a 300 Mhz Broadcom MIPS and is compatible with executables from the Linksys WRT54G. I've installed the full-featured busybox executable from my batbox distribution on it to give me a few more tools. I suspect that the ipkg repository from openwrt might be compatible with this box because they are both based on the same processor. There has also been a hack announced for the Synology DS-101. This box uses the same processor as the NSLU2 but has 64MB of ram vs. 32 for the NSLU2. If I had time, I suspect that I could set up my DS-101 to use the NSLU2 ipkg repository. 12 June 2005 I've updated my NSLU2 to run off a USB flash disk, so now I have a LAMP server that fits in the palm of my hand, has no moving parts and uses just a few watts of power. I also starting a review of a couple more NAS units including one that doesn't appear to be running Linux. That's a first for me, all of the other ones I've looked at ran Linux. I hope to have the reviews done in the next week or so. 3 June 2005 I have a new review on TomsNetworking.com. In this review, I take a look at the Maxtor Shared Storage .
For the hackers in the audience, this is an interesting NAS device. There's already a
development community forming and a telnet-enabling firmware
has been released. Even though Maxtor didn't enable it, the device has hardware support for encryption and RAID, so this box has some potential
beyond the features that Maxtor has delivered.
26 May 2005 My latest NSLU2 article is now up on TomsNetworking.com. In this article, I walk through the process of installing a UPnP server on my NSLU2, so that it can server audio, pictures and movies to client devices. I'm also finished with a review of a new NAS device which should be posted in the next week or so. With all of my spare time, I've been updating my NSLU2 with some new packages. I now have MySql up and running along with a PHP and Perl enabled thttpd. It works surprisingly well for a device with only 32 megs of ram. I'm using some custom perl scripts to update and manage all of the urls for batbox.org so finally I'm using my NSLU2 for something other then just hacking around! I also picked up a cheap thumb drive so I'm toying with the idea of removing the hard-drive from my NSLU2 and only using the flash drive for storage. It should be
plenty of space for how I use it. Lower power and silent with no moving parts.
14 May 2005 I've finished my NSLU2 article, and it should be posted soon. Now I'm working on a review of another NAS device that runs Linux internally like seemingly all of the other ones out there. It has an easily accessible serial connection that at least one person has used to get root on it. Details TBD. 8 May 2005 I'm finally getting back to my NSLU2, working on a new chapter in my NSLU2 series on TomsNetworking. Stay tuned for details. 30 Apr 2005 My review of the Buffalo LinkTheater is now on-line at TomsNetworking. The Link Theater is a networked DVD player with the ability to get content via either a custom
server or a UPnP server. I was able to feed it content via my NSLU2 by using the twonkvision server. I also came
across a server, wizd, that implements the custom
protocol that the Link Theater uses. Wizd supports a number of different media players and it comes with source so it can be built for
various boxes. I used it on my iBook and my Kuro Box but it could also be used with the NSLU2.
22 Apr 2005 I have a review of Simple Share , another Network Attached Storage device , up on TomsNetworking. This one was interesting in that it had hardware support for encryption and RAID. The unit ran Linux, (of course), and was based
on a Broadcom reference design. I wasn't able to get root on it because once again, there was something non-standard
about the (Reiser) filesystem. The Simple Share was also the first box I'd worked with that supported NFS, although it wasn't completely documented.
I just finished a review of a Networked DVD player that went fairly well. It supported UPnP, so I was able to use my NSLU2 as a source of content for it. I ripped several of my DVDs to DivX5 format and stored them on my NSLU2 for playback. This is a powerful
combination. The video quality is good and the movies drop down in size to less than a gig and a half so you can store
quite a few movies on a little box like the NSLU2. I just wish it were quicker to convert the movies. For me, a conversion was
an overnight process. The review should be up fairly soon.
I've finished a review of another Network Attached Storage device that should be up on TomsNetworking shortly. It ran Linux of
course, and had some interesting features such as hardware-based encryption, mirroring and RAID support. With that
done, I'm starting to work on a review of a DVD player that has wired and wireless networking and also supports the UPnP protocol.
There sure are a lot of interesting little devices around these days!
It's really a lot simpler than all of that. Most of it is auto-configuring, but it's interesting
to think of all of the data paths that occur to play a simple song. I did a bit of network sniffing
to see how commands are sent from the Airport Express to iTunes. From my limited understanding
of the various protocols involved, the commands appear to be sent via the daap protocol from the Airport
Express to iTunes. So I suppose that if someone were so inclined, it might be possible to write a
remote-control program through a web interface and masquerade as an Express Remote to remotely
control iTunes.
3,33 * * * * root /usr/sbin/hwclock --hctosys &>/dev/null This synchronizes the system clock with the hardware clock every 30 minutes. Unfortunately you have to add this line to the crontab each time you reboot the box. I have not yet found a way to insert my own commands into the boot sequence. Once I figure this out, I can automate the above as well as automatically start NFS, setup telnet etc. 25 July 2004 If you would like to experiment with NFS on your box, I've packaged up my binaries and startup scripts with a README file here 24 July 2004 I've cleaned up my NFS build and it is working fine. I transfered a 2GB directory tree of 12,000 files to it without issue. The transfer took around 45 minutes over a wireless link. I have some additional information about the ourtelnetrescueuer account. At boot time, an executable TelnetPassword is run. I don't know what the program does, but running a "strings" on the binary produces this : /tmp/telnet.XXXXXX /etc/passwd ourtelnetrescueuser /share/hdd/conf/.dongle /share/hdd/conf/tmp/telnet.XXXXXX ourtelnetrescueuser:%s:%d:%d:%s:%s:%s /bin/cp -f %s %s 2>/dev/null It looks like the password may be generated at boot time. Based on what, I don't know, but the reference to the file ".dongle" is interesting. On my system, the file exists, but is empty. The "tmp" files do not appear on my system by the time I get in. If I put something in the ".dongle" file and reboot, it has no effect that I can tell. if I, uh, delete the file and reboot, the device comes up in a sort of a default mode without my normal disk partitions. At this point the "welcome" password works for me. If I restore the file (after mounting it in my OSX box) and reboot, the system comes back to normal (sigh of relief) and the "welcome" password no longer works. 23 July 2004 I've succeeded in getting NFS to work! Now I can use a more natural network filesystem for my OSX and Linux boxes. My build is still a bit shakey ( i.e. a hack) and I haven't had a chance to do any type of real analysis on performance or security but it works! 18 July 2004 The welcome password appears to work for at least some people, but since it is for a non-priviledged account, its use is limited. I've succeeded in building some more complicated binaries such as an extended busybox. I've also built a number of USB drivers such as a USB to Serial converter and a USB Webcam. They insmod successfully, but none seem to work. I'm not sure what the problem is. I just get system messages such as : usb.c: USB device 6 (vend/prod 0x47d/0x5001) is not claimed by any active driver. Stupid NSLU2 trick of the day : Make the box beep! # /usr/bin/Set_Led beep1 17 July 2004 I've had a report of a password crack on the ourtelnetrescueuser user. Try a password of welcome. It doesn't work for me, but it may be due to a difference in firmware versions. If we can crack the passwords listed below, we can telnet into the box without having to edit the passwd file on another system. If welcome works for anyone let me know. root:WeeOvKUvbQ6nI:0:0:root:/root:/bin/sh ourtelnetrescueuser:scNn.3AteBFc.:100:100::/home/user:/bin/sh 15 July 2004 Toolchain : I've been able to build and execute "hello world" binaries both statically and dynamically linked using the toolchain provided with the Linksys wrv54g. It can be downloaded from Linksys here (102 meg!) 13 July 2004 Processor info : # cat /proc/cpuinfo Processor : XScale-IXP425/IXC1100 rev 1 (v5b) BogoMIPS : 131.48 Features : swp half thumb fastmult edsp Hardware : Intel IXDP425 Development Platform Revision : 0000 Serial : 0000000000000000 This page may be of use for hacking this board. The Linux distribution on the box is Snap Gear. More hardware info can be found in this Tom's Networking Article 12 July 2004 Enabling telnet It's a mult-step process to enable telnet. I'm using firmware version V2.3R24 from Linksys, it may or may not work with other versions. First, mount a NSLU2 initialized hard drive on a box that understands ext2/3 format. I use OSX, but obviously Linux would be easier. There are also drivers for windows boxes. I found that the OSX drivers only work well with firewire, not USB2. Find the passwd file in the second ext3 partition. Replace the encrypted password for root with the encrypted password from a know account e.g. admin. If you are not familar with the format, it's the second field delimited by colons. Plug the drive back into the NSLU2 and fire it up. execute the URL : http:// your NSLU2 ip /Management/telnet.cgi Select the option to turn on telnet telnet in as root using the password for the known account. The passwd change appears to hold over power-cycles, but the enabling of telnet does not. Flash configuration items Here's a list of configurations items stored in flash. I suspect many are not used or were just used during development. [network] version=2.3.21 telnet_enable=yes hw_id=4f00c0000000-2003 domain_name= w_d_name=NSLU2 zone_name=* msn_enable=yes apple_enable=yes default_server_name=LKG0F9861 disk_server_name=NSLU2 disk_server_comment= lan_interface=ixp0 languageversion=english hw_addr=00:04:5A:0F:98:61 ip_addr=192.168.1.70 netmask=255.255.255.0 gateway=192.168.1.1 dns_server1=192.168.1.1 dns_server2= dns_server3= wins_enable=no wins_server= dhcp_server=no dhcp_start_ip=192.168.1.100 dhcp_end_ip=192.168.1.254 allow_host_start_ip= allow_host_end_ip= browse_master=yes bootproto=static duration_time=5 code_page=437 time_zone=6 shut_action=2 shut_in_min=30 shut_weekdays=0:0 shut_sat=0:0 shut_sun=0:0 shut_week_action=0 shut_sat_action=0 shut_sun_action=0 shut_idle=30 ShutdownSch= RestartSch= HD1ScanSch= HDTOHDBACKUP= login=no chk_passwd=no upnp=no guest_access=no shut_satday=0:0 shut_sunday=0:0 port=80 log_ser_enable=yes log_ser_ip=192.168.1.3 printer_name=LKG0F9861_p1 default_ip= default_netmask= default_time_delay=0 [harddisk] validhd=1:0 invalidhd=0:0 [LOG] fm=admin@192.168.1.70 1to=jbuzbee@nyx.net 2to= 3to= sub=NSLU2 Report log=0 not=2 11 July 2004 I'm in! I can now telnet into the running device. Here's some raw info :
# ps -ax
PID TTY Uid Size State Command
1 root 1212 S init
2 root 0 S [keventd]
3 root 0 S [ksoftirqd_CPU0]
4 root 0 S [kswapd]
5 root 0 S [bdflush]
6 root 0 S [kupdated]
7 root 0 S [cifsoplockd]
8 root 0 S [mtdblockd]
9 root 0 S [khubd]
18 root 0 S [usb-storage-1]
19 root 0 S [scsi_eh_1]
22 root 0 D [ixp425_csr]
24 root 0 S [ixp425 ixp1]
26 ttyS0 root 1916 S /bin/sh
27 root 1932 S /sbin/syslogd -n
29 root 1924 S /sbin/klogd -n
110 root 0 S [kjournald]
122 root 0 S [kjournald]
271 root 2132 S /usr/sbin/thttpd -C /etc/thttpd.conf
293 root 3924 S /usr/sbin/smbd -D
295 root 3128 S /usr/sbin/nmbd -D
298 root 1240 S /usr/sbin/download
316 root 1932 S /usr/sbin/QuickSet
321 root 1880 S /usr/sbin/USB_Detect
324 root 1876 S /usr/sbin/USB_Detect
332 root 1296 S /usr/sbin/crond
336 root 1908 S /usr/sbin/CheckResetButton
338 root 1196 S /usr/sbin/CheckPowerButton
340 root 1196 S /usr/sbin/do_umount
374 root 2132 S /usr/sbin/thttpd -C /etc/thttpd.conf
386 root 1276 S /bin/inetd
387 root 1256 S /usr/sbin/telnetd
388 ttyp0 root 1928 S -sh
410 ttyp0 root 1988 R ps -ax
# dmesg
Linux version 2.4.22-xfs (root@sure_linux) (gcc version 3.2.1) #377 Fri Jul 2 09:02:32 CST 2004
CPU: XScale-IXP425/IXC1100 revision 1
Machine: Intel IXDP425 Development Platform
Warning: bad configuration page, trying to continue
Security risk: creating user accessible mapping for 0x60000000 at 0xff00f000
Security risk: creating user accessible mapping for 0x51000000 at 0xf1000000
On node 0 totalpages: 8192
zone(0): 8192 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: console=ttyS0,115200 root=/dev/ram0 initrd=0x01000000,10M mem=32M@0x00000000
Relocating machine vectors to 0xffff0000
Calibrating delay loop... 131.48 BogoMIPS
Memory: 32MB = 32MB total
Memory: 20204KB available (1454K code, 244K data, 236K init)
Dentry cache hash table entries: 4096 (order: 3, 32768 bytes)
Inode cache hash table entries: 2048 (order: 2, 16384 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 8192 (order: 3, 32768 bytes)
POSIX conformance testing by UNIFIX
PCI Autoconfig: Found Bus 0, Device 1, Function 0
PCI Autoconfig: BAR 0, Mem, size=0x1000, address=0x4bfff000
PCI Autoconfig: Found Bus 0, Device 1, Function 1
PCI Autoconfig: BAR 0, Mem, size=0x1000, address=0x4bffe000
PCI Autoconfig: Found Bus 0, Device 1, Function 2
PCI Autoconfig: BAR 0, Mem, size=0x100, address=0x4bffdf00
PCI: bus0: Fast back to back transfers disabled
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
VFS: Disk quotas vdquot_6.5.1
Journalled Block Device driver loaded
i2c-core.o: i2c core module
i2c-dev.o: i2c /dev entries driver module
i2c-core.o: driver i2c-dev dummy driver registered.
i2c-algo-bit.o: i2c bit algorithm module version 2.6.1 (20010830)
pty: 256 Unix98 ptys configured
Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled
ttyS00 at 0xff000003 (irq = 15) is a XScale UART
ttyS01 at 0xff001003 (irq = 13) is a XScale UART
RAMDISK driver initialized: 16 RAM disks of 16384K size 1024 blocksize
SCSI subsystem driver Revision: 1.00
* host:
10 July 2004 I just received the NSLU2 yesterday and have not had a whole lot of time with it, but I've verified that it uses an ext3 formatted filesystem that I can mount under OSX. I've also found a couple of hidden options including the ability to enable telnet on it. So far, I have not cracked a password for any account with a shell. If anyone has a good password cracker, the accounts with shells on the box are : root:WeeOvKUvbQ6nI:0:0:root:/root:/bin/sh ourtelnetrescueuser:scNn.3AteBFc.:100:100::/home/user:/bin/sh I've been hacking another Linksys device as well. Take a look at my wrt54g linux page Jim Buzbee jbuzbee@nyx.net |
