Promise NS4300Nに関するページです。

NS4300Nとは

RAIDコントローラで有名なPromise社のNASキット。最大4台のSATAドライブを内蔵可能。コレガのCG-NSC4500GTはOEM版。

情報

ハードウェア

仕様

CPUCPU MPC8343 400MHz
Flash ROM16MB
RAMDDR 128MB
RAID controllerPromise PDC40719(FastTrak? TX 4310として認識される?)
RAID0/1/10/5/5+対応

MTDマップ

/dev/mtdblock00x00000000-0x00040000258kBU-Boot
/dev/mtdblock10x00040000-0x00080000256kBU-Boot_ENV
/dev/mtdblock20x00080000-0x002400001,792kBKernel
/dev/mtdblock30x00240000-0x005600003,200kBRootfs
/dev/mtdblock40x00560000-0x00d600008,192kBUsr
/dev/mtdblock50x00d60000-0x00f000001,664kBPromise
/dev/mtdblock60x00f00000-0x010000001,024kBData

/proc/cpuinfo 

processor	: 0
cpu		: e300
revision	: 1.1 (pvr 8083 0011)
bogomips	: 265.21
chip		: MPC83xx
Vendor		: Freescale Inc.
Machine	: mpc83xx sys
core clock	: 399 MHz
bus  clock	: 266 MHz
PVR		: 0x80830011
SVR		: 0x80570011
PLL setting	: 0x6
Memory		: 128 MB

/proc/meminfo 

MemTotal:       126844 kB
MemFree:         35104 kB
Buffers:         43548 kB
Cached:          24752 kB
SwapCached:          0 kB
Active:          39848 kB
Inactive:        35780 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:       126844 kB
LowFree:         35104 kB
SwapTotal:           0 kB
SwapFree:            0 kB
Dirty:              56 kB
Writeback:           0 kB
Mapped:          15388 kB
Slab:             7508 kB
CommitLimit:     63420 kB
Committed_AS:    55712 kB
PageTables:        528 kB
VmallocTotal:   851968 kB
VmallocUsed:     19432 kB
VmallocChunk:   832284 kB

/proc/mtd 

dev:    size   erasesize  name
mtd0: 00040000 00020000 "U-Boot"
mtd1: 00040000 00020000 "U-Boot_ENV"
mtd2: 001c0000 00020000 "Kernel"
mtd3: 00320000 00020000 "Rootfs"
mtd4: 00800000 00020000 "Usr"
mtd5: 001a0000 00020000 "Promise"
mtd6: 00100000 00020000 "Data"

ソフトウェア

dmesg出力 (Ver. 010507) 

Linux version 2.6.11SR3_1_2 (root@localhost.localdomain) (gcc version 3.4.3) #4 Mon Feb 4 07:25:45 CST 2008
On node 0 totalpages: 32768
  DMA zone: 32768 pages, LIFO batch:8
  Normal zone: 0 pages, LIFO batch:1
  HighMem zone: 0 pages, LIFO batch:1
Built 1 zonelists
Kernel command line: root=/dev/ram rw console=ttyS0,115200
IPIC (128 IRQ sources, 8 External IRQs) at fe000700
PID hash table entries: 1024 (order: 10, 16384 bytes)
Console: colour dummy device 80x25
Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
Memory: 123168k available (2292k kernel code, 668k data, 312k init, 0k highmem)
Calibrating delay loop... 265.21 BogoMIPS (lpj=132608)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
checking if image is initramfs...it isn't (no cpio magic); looks like an initrd
Freeing initrd memory: 3189k freed
NET: Registered protocol family 16
PCI: Probing PCI hardware
PCI: bridge rsrc 0..ffffff (100), parent c028be7c
PCI: bridge rsrc 80000000..9fffffff (200), parent c028be60
PCI:0000:00:00.0: Resource 0: 00000000-000fffff (f=200)
PCI: Cannot allocate resource region 0 of device 0000:00:00.0
PCI:  parent is c0333054: 80000000-9fffffff (f=200)
PCI:0000:00:00.0: Resource 2: 40000000-7fffffff (f=120c)
PCI: Cannot allocate resource region 2 of device 0000:00:00.0
PCI:0000:00:00.0: Resource 4: 00000000-3fffffff (f=120c)
PCI: Cannot allocate resource region 4 of device 0000:00:00.0
PCI:  parent is c0333054: 80000000-9fffffff (f=200)
PCI:0000:00:0e.0: Resource 0: 9ffff000-9fffffff (f=200)
PCI:0000:00:0e.1: Resource 0: 9fffef00-9fffefff (f=200)
PCI:0000:00:10.0: Resource 0: 00ffff80-00ffffff (f=101)
PCI:0000:00:10.0: Resource 2: 00fffe00-00fffeff (f=101)
PCI:0000:00:10.0: Resource 3: 9fffd000-9fffdfff (f=200)
PCI:0000:00:10.0: Resource 4: 9ffc0000-9ffdffff (f=200)
PCI: Failed to allocate mem resource #2:40000000@c0000000 for 0000:00:00.0
PCI: Failed to allocate mem resource #4:40000000@c0000000 for 0000:00:00.0
Registering ipic with sysfs...
SCSI subsystem initialized
usbcore: registered new driver usbfs
usbcore: registered new driver hub
VFS: Disk quotas dquot_6.5.1
Dquot-cache hash table entries: 1024 (order 0, 4096 bytes)
squashfs: version 3.0 (2006/03/15) Phillip Lougher
Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
JFFS2 version 2.2. (C) 2001-2003 Red Hat, Inc.
Initializing Cryptographic API
MPC83xx SPI Driver on MDS board: Revision: 1.0 
Successfully registered spi major=252
MPC83xx GPIO Driver on MDS board: Revision: 1.0 
Successfully registered gpio major=253
Real Time Clock Driver v1.10f
MPC83xx Watchdog Demo Init 
Serial: 8250/16550 driver $Revision: 1.1.1.1.2.1 $ 4 ports, IRQ sharing disabled
ttyS0 at MMIO 0xe0004500 (irq = 9) is a 16550A
ttyS1 at MMIO 0xe0004600 (irq = 10) is a 16550A
io scheduler noop registered
io scheduler anticipatory registered
io scheduler deadline registered
io scheduler cfq registered
RAMDISK driver initialized: 16 RAM disks of 16384K size 1024 blocksize
loop: loaded (max 8 devices)
gfar_driver_version = 1.1a
GFAR: ECNTRL=00001018, MACCFG1,2=00000030,00007205
eth0: Gianfar Ethernet Controller Version 1.1, 00:0a:79:b9:91:ee 
eth0: MTU = 1500 (frame size=1514,truesize=1784)
eth0: Running with NAPI enabled
eth0: 64/64 RX/TX BD ring size
eth0: Socket buffer recycling mode enabled
SKB Handler initialized(max=64)
MPC8349MDS flash device: 1000000 at fe000000 Partition number 7
MPC8349MDS Flash Map Info: Found 1 x16 devices at 0x0 in 16-bit bank
 Amd/Fujitsu Extended Query Table at 0x0040
MPC8349MDS Flash Map Info: CFI does not contain boot bank location. Assuming top.
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
add_mtd_partitions
Creating 7 MTD partitions on "MPC8349MDS Flash Map Info":
0x00000000-0x00040000 : "U-Boot"
ftl_cs: FTL header not found.
0x00040000-0x00080000 : "U-Boot_ENV"
ftl_cs: FTL header not found.
0x00080000-0x00240000 : "Kernel"
ftl_cs: FTL header not found.
0x00240000-0x00560000 : "Rootfs"
ftl_cs: FTL header not found.
0x00560000-0x00d60000 : "Usr"
ftl_cs: FTL header not found.
0x00d60000-0x00f00000 : "Promise"
ftl_cs: FTL header not found.
0x00f00000-0x01000000 : "Data"
ftl_cs: FTL header not found.
MPC8349MDS flash device initialized
ehci_hcd 0000:00:0e.1: NEC Corporation USB 2.0
ehci_hcd 0000:00:0e.1: new USB bus registered, assigned bus number 1
ehci_hcd 0000:00:0e.1: irq 21, io mem 0x9fffef00
ehci_hcd 0000:00:0e.1: park 0
ehci_hcd 0000:00:0e.1: USB 2.0 initialized, EHCI 1.00, driver 10 Dec 2004
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 3 ports detected
ohci_hcd: 2004 Nov 08 USB 1.1 'Open' Host Controller (OHCI) Driver (PCI)
ohci_hcd 0000:00:0e.0: NEC Corporation USB
ohci_hcd 0000:00:0e.0: new USB bus registered, assigned bus number 2
ohci_hcd 0000:00:0e.0: irq 21, io mem 0x9ffff000
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 3 ports detected
usbcore: registered new driver usblp
drivers/usb/class/usblp.c: v0.13: USB Printer Device Class driver
usbcore: registered new driver hiddev
usbcore: registered new driver usbhid
drivers/usb/input/hid-core.c: v2.01:USB HID core driver
mice: PS/2 mouse device common for all mice
i2c /dev entries driver
device-mapper: 4.4.0-ioctl (2005-01-12) initialised: dm-devel@redhat.com
NET: Registered protocol family 2
IP: routing cache hash table of 1024 buckets, 8Kbytes
TCP established hash table entries: 8192 (order: 4, 65536 bytes)
TCP bind hash table entries: 8192 (order: 3, 32768 bytes)
TCP: Hash tables configured (established 8192 bind 8192)
NET: Registered protocol family 1
NET: Registered protocol family 17
NET: Registered protocol family 5
RAMDISK: Compressed image found at block 0
VFS: Mounted root (ext2 filesystem).
Freeing unused kernel memory: 312k init
Promise FastTrak TX 4310 Serieal Device Driver 2.6.0.0330 (Sep 01, 2006)
PRODUCT_VERSION SR1_1_5 Build_Time Mar 27 2008 17:11:22
Required extension size: max: 2061328 Min: 1554420
fasttrak 0000:00:10.0: Found FastTrak Controller with IRQ: 23
Required DMA safe size: max: 169992 Min: 6556
Required DMA safe size: max: 169992 Min: 6556
scsi0 : ftsata2
  Vendor: Promise   Model: 4 Disk RAID5      Rev: 1.10
  Type:   Direct-Access                      ANSI SCSI revision: 02
sda : very big device. try to use READ CAPACITY(16).
SCSI device sda: 5860182144 512-byte hdwr sectors (3000413 MB)
sda: asking for cache data failed
sda: assuming drive cache: write through
sda : very big device. try to use READ CAPACITY(16).
SCSI device sda: 5860182144 512-byte hdwr sectors (3000413 MB)
sda: asking for cache data failed
sda: assuming drive cache: write through
 unknown partition table
Attached scsi disk sda at scsi0, channel 0, id 0, lun 0
Attached scsi generic sg0 at scsi0, channel 0, id 0, lun 0,  type 0
Initializing USB Mass Storage driver...
usbcore: registered new driver usb-storage
USB Mass Storage support registered.
fuse init (API version 7.8)
fuse distribution version: 2.7.4
kjournald starting.  Commit interval 5 seconds
EXT3 FS on dm-0, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
eth0: MTU = 9000 (frame size=9014,truesize=9464)
fifo_tx_thr=100,1c0
fifo_tx_sp=10,25
fifo_tx_starve=80,1a0
fifo_tx_starve_shutoff=100,1c0
fifo_rx_alarm=100,40
fifo_rx_alarm_shutoff=80,20
fifo_rx_panic=180,60
fifo_rx_panic_shutoff=100,40
eth0: PHY is IP1001 (2430d90)
eth0: Full Duplex
eth0: Speed 1000BT
eth0: Link is up
eth0: Flow control is on

glibcのバージョン (/lib/libc.so.6 の出力) 

# /lib/libc.so.6 
GNU C Library stable release version 2.3.2, by Roland McGrath et al.
Copyright (C) 2003 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 3.3.6 (Debian 1:3.3.6-4).
Compiled on a Linux 2.6.0-test7 system on 2005-05-10.
Available extensions:
	GNU libio by Per Bothner
	crypt add-on version 2.1 by Michael Glad and others
	linuxthreads-0.10 by Xavier Leroy
	BIND-8.2.3-T5B
	libthread_db work sponsored by Alpha Processor Inc
	NIS(YP)/NIS+ NSS modules 0.19 by Thorsten Kukuk
	software FPU emulation by Richard Henderson, Jakub Jelinek and others
Report bugs using the `glibcbug' script to <bugs@gnu.org>.

ファームウェア

Ver. 010105

StartEndContent
00000001463F0の他にも何か入っている
013C00013DFFrevファイルのヘッダ
013E00013FFFrev
0140000141FFfix_scriptファイルのヘッダ
0142000143FFfix_script
0144000145FFkernel.gzファイルのヘッダ
0146401881FFkernel.gz
18820018843Frootfs.gzファイルのヘッダ
1884403ED5FFrootfs.gz
3ED6003ED7FFusr_sqfsファイルのヘッダ
3ED800B368FFusr_sqfs
B36900B369FFpro_sqfsファイルのヘッダ
B36A00pro_sqfs
  • イメージファイルの取り出し 
    $ dd if=ns4300_010105_A36-B05_A1.upg of=kernel.image bs=64 skip=1304 count=23792
23791+0 records in
23791+0 records out
1522624 bytes (1.5 MB) copied, 0.0823247 seconds, 18.5 MB/s
$ ls -al
drwxr-xr-x  4 itou-r users       90 2007-10-06 06:36 .
drwxr-xr-x  5 itou-r users      133 2007-10-06 04:47 ..
-rw-r--r--  1 itou-r users  1522688 2007-10-08 02:44 kernel.img
-rw-r--r--  1 itou-r users 13177856 2007-10-06 04:44 ns4300_010105_A36-B05_A1.upg
$ file *
kernel.img:                   PPCBoot image
ns4300_010105_A36-B05_A1.upg: data
$ dd if=kernel.img of=kernel.gz bs=64 skip=1
$ ls -al
drwxr-xr-x  5 itou-r users     4096 2007-10-08 02:47 .
drwxr-xr-x  5 itou-r users      133 2007-10-06 04:47 ..
-rw-r--r--  1 itou-r users  1522624 2007-10-08 02:47 kernel.gz
-rw-r--r--  1 itou-r users  1522688 2007-10-08 02:44 kernel.img
-rw-r--r--  1 itou-r users 13177856 2007-10-06 04:44 ns4300_010105_A36-B05_A1.upg
$ file *
kernel.gz:                    gzip compressed data, from Unix, last modified: Tue Apr  3 16:43:22 2007, max compression
kernel.img:                   PPCBoot image
ns4300_010105_A36-B05_A1.upg: data
$ gunzip kernel.gz
$ ls -al
drwxr-xr-x  4 itou-r users      108 2007-10-06 06:38 .
drwxr-xr-x  5 itou-r users      133 2007-10-06 04:47 ..
-rw-r--r--  1 itou-r users  3207302 2007-10-08 02:47 kernel
-rw-r--r--  1 itou-r users  1522688 2007-10-08 02:44 kernel.img
-rw-r--r--  1 itou-r users 13177856 2007-10-06 04:44 ns4300_010105_A36-B05_A1.upg
  • RootFSの展開 
    $ dd if=ns4300_010105_A36-B05_A1.upg of=rootfs.gz bs=64 skip=25105 count=39239
39239+0 records in
39239+0 records out
2511296 bytes (2.5 MB) copied, 0.134612 seconds, 18.7 MB/s
$ ls -al
合計 40096
drwxr-xr-x 3 itou-r users      100 2007-10-06 06:41 .
drwxr-xr-x 5 itou-r users      133 2007-10-06 04:47 ..
-rw-r--r-- 1 itou-r users  3207302 2007-10-06 06:36 kernel
-rw-r--r-- 1 itou-r users 13177856 2007-10-06 04:44 ns4300_010105_A36-B05_A1.upg
-rw-r--r-- 1 itou-r users 11571136 2007-10-06 06:41 rootfs.gz
$ gunzip rootfs.gz
$ ls -al
合計 52384
drwxr-xr-x 3 itou-r users      119 2007-10-06 06:45 .
drwxr-xr-x 5 itou-r users      133 2007-10-06 04:47 ..
-rw-r--r-- 1 itou-r users  3207302 2007-10-06 06:36 kernel

-rw-r--r-- 1 itou-r users 13177856 2007-10-06 04:44 ns4300_010105_A36-B05_A1.upg
-rw-r--r-- 1 itou-r users 12582912 2007-10-06 06:41 rootfs
$ mkdir root-mount
$ su
# mount -o loop rootfs root-mount
    filetree-root-010105.txt tree出力
  • usr_squashfsの展開 
    $ dd if=ns4300_010105_A36-B05_A1.upg of=usr_sqfs bs=64 skip=64352 count=119364
119364+0 records in
119364+0 records out
7639296 bytes (7.6 MB) copied, 0.414095 seconds, 18.4 MB/s
$ file *
kernel:                       data
ns4300_010105_A36-B05_A1.upg: data
rootfs:                       Linux rev 1.0 ext2 filesystem data
usr_sqfs:                     Squashfs filesystem, big endian, version 3.0, 0 bytes, 301 inodes, blocksize: 65536 bytes, created: Wed Apr 18 17:36:35 2007
$ mkdir usr
$ su
# mount -o loop -t squashfs usr_sqfs usr
    filetree-usr-010105.txt tree出力
  • WebGUIファイルの展開 
    $ dd if=ns4300_010105_A36-B05_A1.upg of=pro_sqfs bs=64 skip=183720
22184+0 records in
22184+0 records out
1419776 bytes (1.4 MB) copied, 0.076625 seconds, 18.5 MB/s
$ file *
kernel:                       data
ns4300_010105_A36-B05_A1.upg: data
pro_sqfs:                     Squashfs filesystem, big endian, version 3.0, 0 bytes, 1685 inodes, blocksize: 65536 bytes, created: Wed Apr 18 17:36:56 2007
root-fs:                      Linux rev 1.0 ext2 filesystem data (mounted or unclean)
rootfs:                       Linux rev 1.0 ext2 filesystem data
usr_sqfs:                     Squashfs filesystem, big endian, version 3.0, 0 bytes, 301 inodes, blocksize: 65536 bytes, created: Wed Apr 18 17:36:35 2007
$ mkdir promise
$ su
# mount -o loop -t squashfs pro_sqfs promise
# ls promise
bin  conf  gui  lib  util
    filetree-promise-010105.txt tree出力

Ver. 010205

StartEndContent
000000013BFF0
013C00C913FFtar+gziped image
  • イメージファイルの取り出し 
    $ dd if=ns4300_010205.upg of=ns4300_010205-SKIPPED.tar.gz skip=79 bs=1k
$ file *
ns4300_010205-SKIPPED.tar.gz: gzip compressed data, from Unix, last modified: Fri Aug  3 19:04:02 2007
ns4300_010205.upg:            data
$ mkdir work
$ tar zxvf ns4300_010205-SKIPPED.tar.gz -C work
$ cd work
$ ls -al
合計 13064
drwxr-xr-x 2 itou-r users      89 2007-10-06 04:51 .
drwxr-xr-x 3 itou-r users      76 2007-10-06 04:51 ..
-rwxr-xr-x 1 itou-r users    2416 2007-07-24 18:22 fix_script
-rw-r--r-- 1 itou-r users 1527837 2007-08-03 19:04 kernel
-rwxr-xr-x 1 itou-r users 1417216 2007-08-03 19:04 pro_sqfs
-rwxr-xr-x 1 itou-r users     116 2007-08-02 14:33 rev
-rwxr-xr-x 1 itou-r users 2462795 2007-08-03 19:04 rootfs
-rwxr-xr-x 1 itou-r users 7954432 2007-08-03 19:04 usr_sqfs
$ file *
fix_script: perl script text executable
kernel:     PPCBoot image
pro_sqfs:   Squashfs filesystem, big endian, version 3.0, 0 bytes, 1688 inodes, blocksize: 65536 bytes, created: Fri Aug  3 19:03:17 2007
rev:        ASCII text
rootfs:     PPCBoot image
usr_sqfs:   Squashfs filesystem, big endian, version 3.0, 0 bytes, 315 inodes, blocksize: 65536 bytes, created: Fri Aug  3 19:03:04 2007
  • RootFSの展開 
    $ dd if=rootfs of=root-SKIPPED.gz bs=64 skip=1
38480+1 records in
38480+1 records out
2462731 bytes (2.5 MB) copied, 0.13265 seconds, 18.6 MB/s
$ file root*
root-SKIPPED.gz: gzip compressed data, from Unix, last modified: Fri Aug  3 19:01:51 2007, max compression
rootfs:          PPCBoot image
$ gunzip root-SKIPPED.gz
$ file *
root-SKIPPED: Linux rev 1.0 ext2 filesystem data
rootfs:       PPCBoot image
$ mkdir root-mount
$ su
# mount -o loop -t ext2 root-SKIPPED root-mount
# cd root-mount
# ls
SNAPSHOT  VOLUME1  VOLUME3  bin   dev  home  lost+found  proc     root  sys  usr
USBDISK   VOLUME2  VOLUME4  data  etc  lib   mnt         promise  sbin  tmp  var
    filetree-root-010205.txt tree出力
  • usr_squashfsの展開 
    $ mkdir usr
$ su
# mount -o loop -t squashfs usr_sqfs usr
# ls usr
bin  lib  local  sbin
    filetree-usr-010205.txt tree出力
  • WebGUIファイルの展開 
    $ mkdir promise
$ su
# mount -o loop -t squashfs pro_sqfs promise
# ls promise
bin  conf  gui  lib  util
    filetree-promise-010205.txt tree出力

Ver. 010507

どのバージョンからか不明だが、アップグレード用のファームウェアファイルが暗号化されるようになっている。ここによると、カスタマイズされたbcryptコマンドを使って blowfish encryption and signed されているらしい。今までのように、簡単にハックはできなくなったようだ。

ハック

Corega NSC-4500GT を Promise NS4300N 化する

1年ほど前に購入した NSC-4500GT を今更ながら Promise 化する。このモデルは、Buffalo製品と異なり、ファームウェアを一旦 NAS 上のディレクトリにコピーした後、Web画面でそのファイルを指定することにより、ファームウェアの更新がなされるようになっている。したがって、まず最初に RAID 領域を作成し、フォーマットを済ませておく。後は、順次古いファームウェアから順番に更新していけばよい。今回は、Corega版のファームが古かった(多分、Ver.01.01.2140.10)ので、

Corega版ファーム → ns4300_010206.upg(ftp://ftp.winco.com.hk/product/Promise/NS4300N/firmware/にあるやつ)
→ ns4300_010306.upg → ns4300_010411.upg → ns4300_010503.upg → ns4300_010507.upg

の順に更新した。

010507へのアップグレードではじめて、作業の進捗状況を示すバーが表示されるようになった。

rootのパスワードを変更する

Application Pluginを利用する方法

情報源

rosvall  rosvall ist offline
Neuer Benutzer
	  	
Registriert seit: 12.08.2007
Beiträge: 1
Renommee-Modifikator: 0
rosvall befindet sich auf einem aufstrebenden Ast
Quick telnet hack via application plugin
My german is a bit rusty, so please bear with me.

Note: i tried to post this in the ns4300n-info.de forum, but i get a http-error.

Long story short:
After countless hours spent trying to crack the root password in /etc/shadow in 
the firmware image from promise, i remembered the seemingly stupid "Application 
Plugin" thingy in the web interface.
With access to the perl/php scripts for the webinterface it's pretty easy to 
figure out how to make such a plugin, so i set out for making a little shell 
script to add the admin user to /etc/sudoers and /etc/telnet.user.
The files that the plugin-thingy accepts has a pretty obscure format, like the 
firmware image itself. The first 97KB is discarded, and after that there has to 
be a gzipped tar containing a file called "rev" and the application itself in a 
dir named the same as the plugin. The rev file needs to contain three lines in a 
format like:
PKGNAME=my_plugin_name
PKGVERSION=X.X.9999.X
FWVERSION=010105
You can substitute the X'es as you like, but the 9999 is some sort of oem-code, 
whatever that is. Of course the my_plugin_name is substituted for the name of 
your plugin.
Anyways, as far as i can see, the only way to get it to execute something from 
the plugin-package is to call the plugin DLNA, which will make the "DLNA" tab in 
the web interface light up. Then, when you choose enable service, it will try to 
execute /VOLUME1/PROMISEAPP/DLNA/.server/fupper

So what i did, was i made a ./rev like:
-----cut-------
PKGNAME=DLNA
PKGVERSION=1.0.9999.0
FWVERSION=010105
-----cut-------

And a ./DLNA/DLNA/.server/fuppes like:
-----cut-----
#!/bin/ash

echo "admin ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
echo "admin" >> /etc/telnet.user
-----cut------

...did a chmod +x ./DLNA/DLNA/.server/fuppes
and put it all in a tarball with
tar cvfz telnet-hack.tgz ./rev ./DLNA

Now i had the tarball, i just needed the 97kB of padding:
dd if=/dev/urandom of=telnet-hack bs=97k count=1

and put it together with
cat telnet-hack.tgz >> telnet-hack

And here it is: http://rapidshare.com/files/48464094...ack-combo.html
(Please, for the sake of your own security, make your own plugin like described 
or at least verify that mine does what i say it does.)

Just upload the file to the ns4300n, go to the Management->System 
Upgrade->Application Plugin page on the web interface and fill out the form.
When it has done it's thing, go to File & Print->Protocol Control->DLNA and 
enable it. Then you should be able to login via telnet on port 2380 with you 
admin user.

I'm sorry if i didn't make much sense, i have been at it for about 20 hours now, 
and i really need some sleep

WebGUIの脆弱性を利用する方法

以下の内容は旧バージョンのファームウェアで可能だが、最近のバージョンでは使えないテクニックと思われる。

情報源:SecurityFocus Promise NAS NS4300N GUI bug

Promise NAS NS4300N GUI bug Sep 27 2007 09:19PM
Tor Houghton (torh bogus net)
List,

There is a bug in the Promise NAS NS4300N web GUI (firmware version 1.1.0.5)
which allows an authenticated (admin) user to change the password of the
'root' account.

The user management portion of the web interface allows the admin user to
change user's passwords. The PHP script that handles this does not check to
see if the admin is changing a user account or system accounts such as
'root'.

By changing the value of the 'user' parameter to 'root' (from whatever user
id whose password is being changed, e.g. 'admin' if you have not defined any
users) in the POST request to /usercp.php, we can provide a known password
for the root account and thereby login to the NAS (which is normally not
possible because Promise has not divulged root's password).

The vendor has not been notified, but this is hardly a critical issue..?

Tor

moonshade:~$ telnet 192.168.5.16 2380
Trying 192.168.5.16...
Connected to 192.168.5.16.
Escape character is '^]'.
NS4300N R1.1 A10 (Version 01.01.0000.05) - Promise Technology, INC.
nas login: root
Password:

BusyBox v1.00-rc2 (2006.11.07-01:55+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

root is allowed to login.
[root@nas]# dmesg
Linux version 2.6.11SR1_1_2 (root (at) localhost (dot) loca [email 
concealed]ldomain) (gcc version 3.4.1) #2 Tue Apr 3 15:43:13 CST 2007
On node 0 totalpages: 32768
DMA zone: 32768 pages, LIFO batch:8
Normal zone: 0 pages, LIFO batch:1
HighMem zone: 0 pages, LIFO batch:1
Built 1 zonelists
Kernel command line: root=/dev/ram rw console=ttyS0,115200
IPIC (128 IRQ sources, 8 External IRQs) at fe000700
PID hash table entries: 1024 (order: 10, 16384 bytes)
Console: colour dummy device 80x25
Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
Memory: 123936k available (2276k kernel code, 660k data, 312k init, 0k highmem)
Calibrating delay loop... 265.21 BogoMIPS (lpj=132608)

--
http://www.bogus.net/~torh

Webからシャットダウンする

情報:2ch

[うんcorega]NAS 「HDD Bank TERA」 Vol.1

326 :不明なデバイスさん:2007/12/07(金) 23:49:53 ID:843Ig8N5
    >>321みてて、sendkeyでtelnet操作してるの見てて、
    IEオブジェクト使ってWEB画面操作でもいいんじゃねと思って作ってみた。
    プロミスファームでは普通に動いた。
    多分、これならコレガファームでもいけると思う。改変必要かも知んないけど…

    ファイル名:適当.vbs
    =======
    strIP = "xxx.xxx.xxx.xxx" '←IPアドレスとか 
    strLogin = "admin"
    strPwd = "xxxxxxxx" '←パスワード
    Set objIE = CreateObject("InternetExplorer.Application")
    objIE.Visible = False
    objIE.Navigate "http://" & strIP
    While objIE.Busy = true:WScript.sleep(250):Wend:WScript.sleep(500)
    objIE.Document.Forms(0).login.value = strLogin
    objIE.Document.Forms(0).password.value = strPwd
    objIE.Document.Forms(0).submit.click
    While objIE.Busy = true:WScript.sleep(250):Wend:WScript.sleep(500)
    objIE.Navigate "http://" & strIP & "/shutdown.php"
    While objIE.Busy = true:WScript.sleep(250):Wend:WScript.sleep(500)
    objIE.Document.Main.Radiosubmit(1).checked = true
    objIE.Document.Main.submit.Onclick = "return true"
    objIE.Document.Main.Submit.Click
    While objIE.Busy = true:WScript.sleep(250):Wend:WScript.sleep(500)
    objIE.Quit
    Set objIE = Nothing
    =======

Application-Plugin

ここここによると、NS4300Nの"Application Plugin" は、先頭の97KBにごみがついた tar.gz ファイルである。tar.gz は。revという名前のファイルとプラグイン名のディレクトリで構成される。

DLNA-plugin-v010106-beta 

$ unzip dlna_plugin_v0000_010106-beta.zip
$ dd if=dlna_plugin_v0000_010106-beta.ppg of=dlna_plugin_v0000_010106-beta.tar.gz bs=97k skip=1
$ file *
dlna-build6-beta-readme.pdf:          PDF document, version 1.6
dlna_plugin_v0000_010106-beta.ppg:    data
dlna_plugin_v0000_010106-beta.tar.gz: gzip compressed data, from Unix, last modified: Thu Feb 12 17:46:33 2009
dlna_plugin_v0000_010106-beta.zip:    Zip archive data, at least v2.0 to extract
$ mkdir contents
$ tar zxvf dlna_plugin_v0000_010106-beta.tar.gz -C contents
$ ls -al contents
合計 4
drwxr-xr-x 3 hoge users  96 2009-04-07 12:42 .
drwxr-xr-x 3 hoge users 288 2009-04-07 12:42 ..
drwxr-xr-x 4 hoge users 128 2008-10-30 19:30 dlna
-rw-r--r-- 1 hoge users  87 2009-02-09 16:29 rev

rev 

$ cat rev
PKGNAME=dlna
PKGVERSION=01.01.0000.06
FWVERSION=01.03.0000.01
FIXSCRIPT=upgrade_script

dlna/upgrade_script 

#!/usr/bin/perl

unlink("/data/etc/server/dlna");

system("echo no >/etc/server/dlna");

$first_volume = "";
$music_path = "";
$video_path = "";
$picture_path = "";

open(IN,"/bin/df |");
while(<IN>){
    if ( /(VOLUME\d+)/ ) {
       if ( -f "/$1/PLUGINAPP/DLNA/.server/fuppes.db" ) {
          unlink("/$1/PLUGINAPP/DLNA/.server/fuppes.db");
          unlink("/$1/PLUGINAPP/DLNA/.server/.uuid");
          system("/bin/rm -rf /$1/PLUGINAPP/DLNA/.server/tmp");
       }
       
       if ( $first_volume eq "" ) {
          $first_volume = "/$1";
       }
       if ( $music_path eq "" && -d "/$1/MUSIC" ) {
            $music_path = "/$1/MUSIC";
       }
       if ( $picture_path eq "" && -d "/$1/PICTURE" ) {
            $picture_path = "/$1/PICTURE";
       }
       if ( $video_path eq "" && -d "/$1/VIDEO" ) {
            $video_path = "/$1/VIDEO";
       }
    }
}
close(IN);

#print "$first_volume $music_path $video_path $picture_path\n";

if ( $music_path eq "" ) {
     system("/promise/util/addsharefolder.pl \"$first_volume\" MUSIC >/dev/null 2>/dev/null");
     system("/promise/util/setsmb.pl add \"$first_volume\" MUSIC >/dev/null 2>/dev/null");
     system("/promise/util/setftp.pl add \"$first_volume\" MUSIC >/dev/null 2>/dev/null");
     system("/promise/util/setafp.pl add \"$first_volume\" MUSIC >/dev/null 2>/dev/null");
     system("/promise/util/setnfs.pl add \"$first_volume\" MUSIC >/dev/null 2>/dev/null");
}

if ( $picture_path eq "" ) {
     system("/promise/util/addsharefolder.pl \"$first_volume\" PICTURE >/dev/null 2>/dev/null");
     system("/promise/util/setsmb.pl add \"$first_volume\" PICTURE >/dev/null 2>/dev/null");
     system("/promise/util/setftp.pl add \"$first_volume\" PICTURE >/dev/null 2>/dev/null");
     system("/promise/util/setafp.pl add \"$first_volume\" PICTURE >/dev/null 2>/dev/null");
     system("/promise/util/setnfs.pl add \"$first_volume\" PICTURE >/dev/null 2>/dev/null");
}

if ( $video_path eq "" ) {
     system("/promise/util/addsharefolder.pl \"$first_volume\" VIDEO >/dev/null 2>/dev/null");
     system("/promise/util/setsmb.pl add \"$first_volume\" VIDEO >/dev/null 2>/dev/null");
     system("/promise/util/setftp.pl add \"$first_volume\" VIDEO >/dev/null 2>/dev/null");
     system("/promise/util/setafp.pl add \"$first_volume\" VIDEO >/dev/null 2>/dev/null");
     system("/promise/util/setnfs.pl add \"$first_volume\" VIDEO >/dev/null 2>/dev/null");
}

dlna/DLNA/plugin.conf 

APPNAME=DLNA
APPSTRING=DLNA Server
VERSION=01.01.0000.06
AUTOSTART=NO
SWAPMEM=NO
APPBINDIR=.server
MAINPROCESS=fuppes
CONTROLSCRIPT=dlna

MediaTomb? 0.11.0 UPnP Server プラグイン(801氏作成)

2ちゃんねるの[うんcorega]NAS 「HDD Bank TERA」801氏によるDLNA機能がまともに動くようにするプラグイン(?) 自分で試していないのだが、801氏から許可をいただいたので、ミラーしておく。

rev 

PKGNAME=mediatomb
PKGVERSION=01.01.0000.02
FWVERSION=01.02.0000.01

mediatomb/MTOMB/plugin.conf 

APPNAME=MTOMB
APPSTRING=mediatomb 0.11.0 UPnP Server
VERSION=01.01.0000.02
AUTOSTART=NO
SWAPMEM=NO
APPBINDIR=server
MAINPROCESS=mtstart
CONTROLSCRIPT=mtcontrol

telnetを有効にする

標準のファームウェアでは、ユーザ root と engmode のみが telnet でのログインを許可されているが、いずれもパスワードは公開されていない。また、01.05.0000.03 以降のファームウェアに施された罠(?)にも対策しないといけない。

Firmware 01.05.0000.03 以降の対策

01.05.0000.03 以降のファームウェアでは、以下に示すように cron から 毎分 /usr/sbin/chkhttpd が呼び出され、/etc/telnet.user に ユーザ root と engmode のみを登録するため、せっかく /etc/telnet.user を書き換えて telnet や ssh でログインするユーザを登録しても、勝手に上書きされてしまうという問題がある。そこで、/usr/sbin/chkhttpd を電源を切っても消えない書き込み可能なエリアにコピーし、一部書き換えたものを crontab に登録すればよい。(参考:PC便利帳: NS4300N Telnet 再有効化とかNS4300N Telnet 有効化 3 | RANDOM.SOFT

  • /etc/crontab 
    [admin@ns4300n]# cat /etc/crontab 
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file.
# This file also has a username field, that none of the other crontabs do.

SHELL=/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin

# m h dom mon dow user	command
#42 6	* * *	root	run-parts --report /etc/cron.daily
#47 6	* * 7	root	run-parts --report /etc/cron.weekly
#52 6	1 * *	root	run-parts --report /etc/cron.monthly
#
# Removed invocation of anacron, as this is now handled by a 
# /etc/cron.d file
* * * * *	root	/usr/sbin/chkhttpd >/dev/null 2>/dev/null
* * * * *	root	/usr/sbin/chkdhcp >/dev/null 2>/dev/null
*/30 * * * *	root	/usr/sbin/cleanlog >/dev/null 2>/dev/null
*/10 * * * *	root	/usr/sbin/cronbackup >/dev/null 2>/dev/null
*/10 * * * *	root	/usr/sbin/chkdomain >/dev/null 2>/dev/null
0 */3 * * *	root	/promise/util/synctime.pl >/dev/null 2>/dev/null
  • /usr/sbin/chkhttpd 
    #!/usr/bin/perl

$agentflag = 0;
$downflag = 0;
$bonjourflag = 0;
open(IN,"/bin/ps |");
while(<IN>){
    if ( /thttpd/ ) {
#        print "$_";
        $downflag = 1;
    }
    elsif ( /fagent/ ) {
        #print "$_";
        $agentflag = 1;
    }
    elsif ( /mDNSResponderPosix/ ) {
        $bonjourflag++;
    }
    elsif ( /mdnsd/ ) {
        $bonjourflag++;
    }
}
close(IN);

if ( $downflag == 0 ) {
   system("/etc/init.d/httpd start >/dev/null 2>/dev/null"); 
}

if ( $agentflag == 0 ) {
   system("/usr/sbin/runfag >/dev/null 2>/dev/null"); 
}

if ( $bonjourflag != 2 ) {
   system("/etc/init.d/bonjour stop >/dev/null 2>/dev/null"); 
   sleep 1;
   system("/etc/init.d/bonjour start >/dev/null 2>/dev/null"); 
}

if ( ! -f "/tmp/sleep" ) {
   system("/usr/sbin/recycler >/dev/null 2>/dev/null");
   unlink("/tmp/recycler");
}

open(OUT,">/etc/telnet.user");
print OUT "root\n";
print OUT "engmode\n";
close(OUT);

Pluginを構成するファイル群 

.
|-- rev
`-- telnetd
    `-- TELNETD
        |-- .server
        |   |-- st_hack
        |   `-- telnetd.sh
        `-- plugin.conf
  • rev 
    PKGNAME=telnetd
PKGVERSION=01.01.0000.02
FWVERSION=01.05.0000.03
  • telnetd/TELNETD/plugin.conf 
    APPNAME=TELNETD
APPSTRING=telnetd-hack
VERSION=01.01.0000.02
AUTOSTART=NO
SWAPMEM=NO
APPBINDIR=.server
MAINPROCESS=st_hack
CONTROLSCRIPT=telnetd.sh
  • telnetd/TELNETD/.server/st_hack 
    #!/bin/ash

while [ 1 ]; do
  sleep 600
done
  • telnetd/TELNETD/.server/telnetd.sh filetelnetd.sh 
    #!/usr/bin/perl

$userlist = "/etc/telnet.user";
$sudolist = "/etc/sudoers";
$user = "admin";
$newdir = "/data/usr/local/sbin";
$chkhttpd = "$newdir/chkhttpd";
$chkhttpdorig = "/usr/sbin/chkhttpd";
$crontab = "/etc/crontab";
$tmp = "/tmp/telnet-hack.tmp";

$action = $ARGV[0];

if ( $action eq "start") {

    open(RUN,"/bin/ps -e |");
    while(<RUN>){
        if( /st_hack/ ){
            exit;
        }
    }
    close(RUN);

    open(IN,"/bin/df |");
    while(<IN>){
        if (/(VOLUME\d+)/) {
            if ( -d "/$1/PLUGINAPP/TELNETD" ) {
                $serverpath = "/$1/PLUGINAPP/TELNETD/.server";
                last;
             }
         }
    }
    close(IN);

    if ( $serverpath eq "" ) {
        exit;
    }

    # check whether user "admin" exists in /etc/telnet.user
    $found = system("/bin/grep $user $userlist > /dev/null 2>/dev/null") >> 8;
    if ( $found == 1 ) {
        # append user "admin" to /etc/telnet.user
        open(OUT, ">>$userlist");
        print OUT "$user\n";
        close(OUT);
    }

    # check whether user "admin" exists in /etc/sudoers
    $found = system("/bin/grep $user $sudolist > /dev/null 2>/dev/null") >> 8;
    if ( $found == 1 ) {
        # append user "admin" to /etc/sudoers
        open(OUT, ">>$sudolist");
        print OUT "$user ALL=(ALL) NOPASSWD: ALL\n";
        close(OUT);
    }

    # check $newdir exists
    if ( !(-d $newdir) ) {
        system("/bin/mkdir -p $newdir");
    }
    # force building $chkhttpd removing "OUT" from original
    system("/bin/grep -v OUT $chkhttpdorig > $chkhttpd");

    # modify /etc/crontab
    open(IN, "<$crontab");
    open(OUT, ">$tmp");
    while(<IN>) {
        s/\/usr\/sbin\/chkhttpd/\/data\/usr\/local\/sbin\/chkhttpd/;
        print OUT;
    }
    close(IN);
    close(OUT);
    system("/bin/cp $tmp $crontab");

   system("$serverpath/st_hack &");

}
elsif ($action eq "stop") {

    $ssh = 0;

    open(RUN,"/bin/ps -e |");
    while(<RUN>){
        if( /dropbear/ ){
             $ssh = 1;
             last;
        }
    }
    close(RUN);

    if ( $ssh = 0 ) {
        # remove user admin from /etc/telnet.user
        system("/bin/grep -v $user $userlist > $tmp");
        system("/bin/cp $tmp $userlist");

        # remove user admin from /etc/sudoers
        system("/bin/grep -v $user $sudolist > $tmp");
        system("/bin/cp $tmp $sudolist");

        # reset /etc/crontab
        open(IN, "<$crontab");
        open(OUT, ">$tmp");
        while(<IN>) {
            s/\/data\/usr\/local\/sbin\/chkhttpd/\/usr\/sbin\/chkhttpd/;
            print OUT;
        }
        close(IN);
        close(OUT);
        system("/bin/cp $tmp $crontab");

        # remove modifed chkhttpd
        unlink($chkhttpd);
        if ( -s $newdir ) {
            rmdir($newdir);
        }
    }

    system("/usr/bin/killall st_hack >/dev/null 2>/dev/null");

}

filetelnet-hack_v010102.ppg: Promise NS4300N/Corega CG-NSC4500GT、Promise版ファームウェア用
あまりテストをしてないので、もちろん無保証です。ご利用は各自の責任で。

自作プラグインの作成 

$ cd workdir
$ chmod a+x telnetd/TELNETD/.server/st_hack telnetd/TELNETD/.server/telnetd.sh
$ sudo chown -R root:root .
$ sudo tar czvf ../telnet-hack.tar.gz ./rev ./telnetd
$ cd ..
$ dd if=/dev/urandom of=telnet-hack_v0000_010102.ppg bs=97k count=1
$ cat telnet-hack.tar.gz >> telnet-hack_v0000_010102.ppg

rootになる

上で作成したプラグインをインストールして、telnet-hackを有効にすると、ユーザ admin でログインし、sudoコマンドで root 権限を持つことが可能になる。

$ sudo -s

drobpear plugin の作成

telnetよりセキュアなSSHでのログインを可能にする。NS4300N用のSSHプラグインが見つけられなかったので、自前でビルドしたが、AVS Forumで見つけちゃった。(SSH on the Promise NS4300N) まあ、他のプラグインの作成にも役立つので、記録として残しておく。

クロスコンパイル環境の作成

NS4300N とできるだけ同じ環境にしておいたほうがよいので、Debian Etch 上で crosstool を使って、gcc-3.4.3-glibc-2.3.2 のクロスコンパイル環境を整備する。

  • powerpc-8349.dat
    ここの情報をもとに、MPC8349用のコンパイルオプションを設定する。 
    TARGET=powerpc-linux-gnu
TARGET_CFLAGS="-O3 -pipe -fsigned-char-mpowerpc-gfxopt"
GCC_EXTRA_CONFIG="--enable-cxx-flags=-mcpu=powerpc"
  • demo-powerpc-8349.sh
    #!/bin/sh
# This script has one line for each known working toolchain
# for this architecture.  Uncomment the one you want.
# Generated by generate-demo.pl from buildlogs/all.dats.txt

set -ex
TARBALLS_DIR=$HOME/downloads
RESULT_TOP=/usr/crosstool
export TARBALLS_DIR RESULT_TOP
GCC_LANGUAGES="c,c++"
export GCC_LANGUAGES

# Really, you should do the mkdir before running this,
# and chown /opt/crosstool to yourself so you don't need to run as root.
mkdir -p $RESULT_TOP

#eval `cat powerpc-405.dat gcc-3.2.3-glibc-2.2.5.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-3.2.3-glibc-2.3.2.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-3.3.6-glibc-2.2.5.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-3.3.6-glibc-2.3.2.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-3.3.6-glibc-2.3.5.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-3.3.6-glibc-2.3.6.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-3.4.5-glibc-2.2.5.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-3.4.5-glibc-2.3.2.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-3.4.5-glibc-2.3.5.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-3.4.5-glibc-2.3.6.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-4.0.2-glibc-2.3.2.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-4.0.2-glibc-2.3.5.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-4.0.2-glibc-2.3.6.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-4.1.0-glibc-2.3.2.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-4.1.0-glibc-2.3.5.dat` sh all.sh --notest
eval `cat powerpc-8349.dat gcc-3.4.3-glibc-2.3.2.dat` sh all.sh --notest
  • gcc-3.4.3-glibc-2.3.2.dat
    kernel のバージョンも NS4300N に合わせておく。 
    @@ -1,6 +1,6 @@
 BINUTILS_DIR=binutils-2.15
 GCC_DIR=gcc-3.4.3
 GLIBC_DIR=glibc-2.3.2
-LINUX_DIR=linux-2.6.8
+LINUX_DIR=linux-2.6.11
 LINUX_SANITIZED_HEADER_DIR=linux-libc-headers-2.6.12.0
 GLIBCTHREADS_FILENAME=glibc-linuxthreads-2.3.2
    インストール先のディレクトリを作成し、所有者を変更する。 
    $ sudo mkdir /usr/crosstool
$ sudo chown hogehoge /usr/crosstool
    crosstoolを実行する。 
    $ sh demo-powerpc-8349.sh

zlib のインストール

参考:zlibのクロスコンパイル だよ

$ mkdir workdir; cd workdir
$ wget http://www.zlib.net/zlib-1.2.3.tar.bz2
$ tar jxvf zlib-1.2.3.tar.bz2
$ cd zlib-1.2.3
$ ./configure --shared --prefix=/usr/crosstool/gcc-3.4.3-glibc-2.3.2/powerpc-linux-gnu/powerpc-linux-gnu \
 --libdir=/usr/crosstool/gcc-3.4.3-glibc-2.3.2/powerpc-linux-gnu/powerpc-linux-gnu/lib \
 --includedir=/usr/crosstool/gcc-3.4.3-glibc-2.3.2/powerpc-linux-gnu/powerpc-linux-gnu/include

Makefile をクロスコンパイル用に編集

@@ -16,7 +16,7 @@
 # To install in $HOME instead of /usr/local, use:
 #    make install prefix=$HOME

-CC=gcc
+CC=powerpc-linux-gnu-gcc

 CFLAGS=-fPIC -O3 -DUSE_MMAP
 #CFLAGS=-O -DMAX_WBITS=14 -DMAX_MEM_LEVEL=7
@@ -25,15 +25,15 @@
 #           -Wstrict-prototypes -Wmissing-prototypes

 LDFLAGS=-L. libz.so.1.2.3
-LDSHARED=gcc -shared -Wl,-soname,libz.so.1
-CPP=gcc -E
+LDSHARED=powerpc-linux-gnu-gcc -shared -Wl,-soname,libz.so.1
+CPP=powerpc-linux-gnu-gcc -E

 LIBS=libz.so.1.2.3
 SHAREDLIB=libz.so
 SHAREDLIBV=libz.so.1.2.3
 SHAREDLIBM=libz.so.1

-AR=ar rc
+AR=powerpc-linux-gnu-ar rc
 RANLIB=ranlib
 TAR=tar
 SHELL=/bin/sh

コンパイルしてインストールする。

$ export PATH=/usr/crosstool/gcc-3.4.3-glibc-2.3.2/powerpc-linux-gnu/bin:$PATH
$ make all libz.a
$ sudo make install
$ sudo cp libz.a /usr/crosstool/gcc-3.4.3-glibc-2.3.2/powerpc-linux-gnu/powerpc-linux-gnu/lib

dropbear のコンパイル

参考:

$ wget http://matt.ucc.asn.au/dropbear/dropbear-0.52.tar.bz2
$ tar jxvf dropbear-0.52.tar.bz2
$ cd tar dropbear-0.52
$ ./configure --libdir=/usr/crosstool/gcc-3.4.3-glibc-2.3.2/powerpc-linux-gnu/powerpc-linux-gnu/lib \
 --includedir=/usr/crosstool/gcc-3.4.3-glibc-2.3.2/powerpc-linux-gnu/powerpc-linux-gnu/include \
 --host=powerpc-linux-gnu --with-zlib=/usr/crosstool/gcc-3.4.3-glibc-2.3.2/powerpc-linux-gnu/powerpc-linux-gnu
  • staticでコンパイルした場合 
    $ make MULTI=1 STATIC=1
$ ls -al dropbearmulti
-rwxr-xr-x 1 ryoei ryoei 921494 2009-04-09 21:40 dropbearmulti
$ make strip
$ ls -al dropbearmulti
-rwxr-xr-x 1 ryoei ryoei 801948 2009-04-09 21:43 dropbearmulti
  • 共有ライブラリを利用するようにコンパイルした場合 
    $ make MULTI=1
$ ls -al dropbearmulti
-rwxr-xr-x 1 ryoei ryoei 211767 2009-04-09 21:37 dropbearmulti
$ make strip
$ make strip
$ ls -al dropbearmulti
-rwxr-xr-x 1 ryoei ryoei 173348 2009-04-09 21:38 dropbearmulti

自作プラグインディレクトリ構成 

.
|-- dropbear
|   |-- SSH
|   |   |-- .server
|   |   |   |-- config
|   |   |   |   `-- dropbear.conf
|   |   |   |-- ssh2
|   |   |   `-- usr
|   |   |       `-- sbin
|   |   |           `-- dropbear
|   |   `-- plugin.conf
|   `-- upgrade_script
`-- rev
  • rev 
    PKGNAME=dropbear
PKGVERSION=01.01.0000.01
FWVERSION=01.03.0000.01
FIXSCRIPT=upgrade_script
  • dropbear/upgrade_script fileupgrade_script 
    #!/usr/bin/perl

$cfg_dir = "/data/usr/local/dropbear/etc";
$cfg_file = "$cfg_dir/dropbear.conf";
$hostkey_dir = "/data/usr/local/dropbear/etc/dropbear";
$profile = "/etc/profile";

$rsa_key = "dropbear_rsa_host_key";
$dss_key = "dropbear_dss_host_key";
$tmp = "/tmp/dropbear.tmp";


# search installed path
open(IN,"/bin/df |");
while(<IN>){
    if (/(VOLUME\d+)/) {
        if ( -d "/$1/PLUGINAPP/SSH" ) {
            $plap_dir = "/$1/PLUGINAPP";
            $serverpath = "/$1/PLUGINAPP/SSH/.server";
            $ap_bin_dir = "/$1/bin";
            last;
        }
    }
}
close(IN);

# copy configuration file to /data/usr/local/dropbear/etc/config if none
if ( !( -f $cfg_file ) ) {
    if ( !( -d $cfg_dir ) ) {
        system("/bin/mkdir -p $cfg_dir");
    }
    system("/bin/cp $serverpath/config/dropbear.conf $cfg_file >/dev/null 2>/dev/null");
}

# make symbolic link dropbear to dbclient, dropbearconvert, dropbearkey and ssh
$dropbear_multi = "$serverpath/usr/sbin/dropbear";

if ( !( -d $ap_bin_dir ) ) {
    mkdir($ap_bin_dir, 0755);
}
@lists = ( "dbclient", "dropbearconvert", "dropbearkey", "ssh" );
foreach $filename ( @lists ) {
    $full_pathname = "$ap_bin_dir/" . "$filename";
    system("/bin/ln -s $dropbear_multi $full_pathname > /dev/null 2>/dev/null");
}

# check $PATH contains $ap_bin_dir in /etc/profile
$found = system("/bin/grep $ap_bin_dir $profile > /dev/null 2>/dev/null") >> 8;
if ( $found == 1 ) {
    # add $ap_bin_dir to the $PATH in /etc/profile
    open(IN, "<$profile");
    open(OUT, ">$tmp");
    while(<IN>) {
        s/\$PATH/$ap_bin_dir:\$PATH/;
        print OUT;
    }
    close(IN);
    close(OUT);
    system("/bin/cp $tmp $profile");
    unlink($tmp);
}

# check hostkeys
if ( !( (-f "$hostkey_dir/$rsa_key") && (-f "$hostkey_dir/$dss_key") ) ) {
    &keygen;
}


sub keygen {

    $keygencmd = "$ap_bin_dir/dropbearkey";

    if ( ! (-d $hostkey_dir)  ) {
        system("/bin/mkdir -p $hostkey_dir");
        chmod(0700, $hostkey_dir);
    }

    @lists = ( "rsa", "dss" );
    foreach $keytype ( @lists ) {
        $keyfile = "dropbear_" . "$keytype" . "_host_key";
        system("$keygencmd -t $keytype -f $hostkey_dir/$keyfile > /dev/null 2>/dev/null");
    }
}
  • dropbear/SSH/plugin.conf 
    APPNAME=SSH
APPSTRING=Dropbear SSH2 server
VERSION=01.01.0000.01
AUTOSTART=NO
SWAPMEM=NO
APPBINDIR=.server
MAINPROCESS=dropbear
CONTROLSCRIPT=ssh2
  • dropbear/SSH/.server/ssh2 filessh2 
    #!/usr/bin/perl

$rsa_key = "dropbear_rsa_host_key";
$dss_key = "dropbear_dss_host_key";
$user = "admin";
$OPTS = "";
$tmp = "/tmp/drobear.tmp";

$user_list = "/etc/telnet.user";
$hostkey_dir = "/data/usr/local/dropbear/etc/dropbear";
$sudo_list = "/etc/sudoers";
$profile = "/etc/profile";
$cfg_file = "/data/usr/local/dropbear/etc/dropbear.conf";

$newdir = "/data/usr/local/sbin";
$chkhttpd = "$newdir/chkhttpd";
$chkhttpdorig = "/usr/sbin/chkhttpd";
$crontab = "/etc/crontab";

$action = $ARGV[0];

# search installed path
open(IN,"/bin/df |");
while(<IN>){
    if (/(VOLUME\d+)/) {
        if ( -d "/$1/PLUGINAPP/SSH" ) {
            $serverpath = "/$1/PLUGINAPP/SSH/.server";
            $ap_bin_dir = "/$1/bin";
            last;
        }
    }
}
close(IN);

if ( $action eq "start") {

    open(RUN,"/bin/ps -e |");
    while(<RUN>){
        if( /dropbear/ ){
             exit;
        }
    }
    close(RUN);

    $dropbeardaemon = "$serverpath/usr/sbin/dropbear";

    # check hostkeys
    if ( !( (-f "$hostkey_dir/$rsa_key") && (-f "$hostkey_dir/$dss_key") ) ) {
        &keygen;
    }

    # check whether user "admin" exists in /etc/telnet.user
    $found = system("/bin/grep $user $user_list >/dev/null 2>/dev/null") >> 8;
    if ( $found == 1 ) {
        # append user "admin" to /etc/telnet.user
        open(OUT, ">>$user_list");
        print OUT "$user\n";
        close(OUT);
    }

    # check whether user "admin" exists in /etc/sudoers
    $found = system("/bin/grep $user $sudo_list >/dev/null 2>/dev/null") >> 8;
    if ( $found == 1 ) {
        # append user "admin" to /etc/sudoers
        open(OUT, ">>$sudo_list");
        print OUT "$user ALL=(ALL) NOPASSWD: ALL\n";
        close(OUT);
    }

    # check $newdir exists
    if ( !(-d $newdir) ) {
        system("/bin/mkdir -p $newdir");
    }
    # force building $chkhttpd removing "OUT" from original
    system("/bin/grep -v OUT $chkhttpdorig > $chkhttpd");

    # modify /etc/crontab
    open(IN, "<$crontab");
    open(OUT, ">$tmp");
    while(<IN>) {
        s/\/usr\/sbin\/chkhttpd/\/data\/usr\/local\/sbin\/chkhttpd/;
        print OUT;
    }
    close(IN);
    close(OUT);
    system("/bin/cp $tmp $crontab");

    # check $PATH contains $ap_bin_dir in /etc/profile
    $found = system("/bin/grep $ap_bin_dir $profile >/dev/null 2>/dev/null") >> 8;
    if ( $found == 1 ) {
        # append $ap_bin_dir to the $PATH in /etc/profile
        open(IN, "<$profile");
        open(OUT, ">$tmp");
        while(<IN>) {
            s/\$PATH/$ap_bin_dir:\$PATH/;
            print OUT;
        }
        close(IN);
        close(OUT);
        system("/bin/cp $tmp $profile");
        unlink($tmp);
    }

    # parse config options
    &parse_opts;

    # build startup script 
    open(OUT,">/tmp/start_ssh2.sh");
    print OUT "#!/bin/sh\n";

    print OUT "$dropbeardaemon $OPTS &\n";
    close(OUT);

    print "Starting SSH2 Server...\n";

    system("/bin/sh /tmp/start_ssh2.sh >/dev/null 2>/dev/null");                                
    unlink("/tmp/start_ssh2.sh");

}
elsif ($action eq "stop") {

    # remove user admin from /etc/telnet.user
    system("/bin/grep -v $user $user_list > $tmp");
    system("/bin/cp $tmp $user_list");

    # remove user admin from /etc/sudoers
    system("/bin/grep -v $user $sudo_list > $tmp");
    system("/bin/cp $tmp $sudo_list");

    # reset /etc/crontab
    open(IN, "<$crontab");
    open(OUT, ">$tmp");
    while(<IN>) {
        s/\/data\/usr\/local\/sbin\/chkhttpd/\/usr\/sbin\/chkhttpd/;
        print OUT;
    }
    close(IN);
    close(OUT);
    system("/bin/cp $tmp $crontab");

    # remove modifed chkhttpd
    unlink($chkhttpd);
    &rmdir_if_empty( $newdir );

    system("/usr/bin/killall dropbear >/dev/null 2>/dev/null");

}


sub keygen {

    $keygencmd = "$serverpath/usr/bin/dropbearkey";

    if ( ! (-d $hostkey_dir)  ) {
        system("/bin/mkdir -p $hostkey_dir");
        chmod(0700, $hostkey_dir);
    }

    @lists = ( "rsa", "dss" );
    foreach $keytype ( @lists ) {
        $keyfile = "dropbear_" . "$keytype" . "_host_key";
        system("$keygencmd -t $keytype -f $hostkey_dir/$keyfile >/dev/null 2>/dev/null");
    }
}


sub parse_opts {

    # configuration parameter list
    %hashopts = qw(
    RootPasswordAuth        g
    PasswordAuth            s
    LocalPortForwarding     j
    RemotePortForwarding    k
    );

    open(IN, $cfg_file);
    while(<IN>){
        chomp;
        ($option, $val) = split(/\s+/);
        $val =~ s/\'//g;
        foreach $param ( %hashopts ) {
            if ( ($option eq $param) && /no|off|disable|0/ ) {
                $OPTS = $OPTS . " -$hashopts{$param}";
            }
        }
        if ( $option eq "Port" ) {
            $OPTS = $OPTS . " -p $val";
        } elsif ( $option eq "DssKeyfile" ) {
            $OPTS = $OPTS . " -d $val";
        } elsif ( $option eq "RsaKeyfile" ) {
            $OPTS = $OPTS . " -r $val";
        }
    }
    close(IN);

}


sub rmdir_if_empty {

    my $dir = $_[0];
    my $num=0;
    my $status;

    opendir DH, $dir;
    while (my $file = readdir DH) {
        next if $file =~ /^\.{1,2}$/;
        $num = $num +1;
    }
    if ( $num == 0 ) {
        rmdir($dir);
        $status = 0;
    } elsif ( ( $num == 1 ) && ( -d "$dir/.RECYCLER") ) {
        rmdir("$dir/.RECYCLER");
        rmdir($dir);
        $status = 0;
    } else {
        $status = 1;
    }

    return $status;

}
  • dropbear/SSH/.server/config/dropbear.conf 
    PasswordAuth		'on'
Port			'22'
DssKeyfile		'/data/usr/local/dropbear/etc/dropbear/dropbear_dss_host_key'
RsaKeyfile		'/data/usr/local/dropbear/etc/dropbear/dropbear_rsa_host_key'
RootLogin		'disable'
RootPasswordAuth	'disable'
LocalPortForwarding	'disable'
RemotePortForwarding	'disable'

自作プラグインの作成 

$ cd workdir
$ chmod a+x dropbear/upgrade_script dropbear/SSH/.server/ssh2
$ sudo chown -R root:root .
$ sudo tar czvf ../dropbear.tar.gz ./rev ./dropbear
$ cd ..
$ dd if=/dev/urandom of=dropbear_v0000_010101.ppg bs=97k count=1
$ cat dropbear.tar.gz >> dropbear_v0000_010101.ppg

filedropbear_v010101.ppg: Promise NS4300N/Corega CG-NSC4500GT、Promise版ファームウェア用
あまりテストをしてないので、もちろん無保証です。ご利用は各自の責任で。

参考

FANを静音タイプに交換する

おまけ(Magic Number)

参考:Magic numbers for files

  • gzip 0x1f 0x8b
  • PPCBoot image 0x27 0x05 0x19 0x56
添付ファイル: filetelnet-hack_v010102.ppg 300件 [詳細] filetelnetd.sh 197件 [詳細] filedropbear_v010101.ppg 233件 [詳細] filessh2 204件 [詳細] fileupgrade_script 195件 [詳細] filemediatomb_010102_coregax.ppg 402件 [詳細] filemediatomb_010102_corega.ppg 540件 [詳細] filemediatomb_010102_promise.ppg 52件 [詳細] filetree-promise-010105.txt 494件 [詳細] filetree-usr-010105.txt 490件 [詳細] filetree-root-010105.txt 463件 [詳細] filetree-promise-010205.txt 409件 [詳細] filetree-usr-010205.txt 561件 [詳細] filetree-root-010205.txt 394件 [詳細]
トップ   編集 凍結 差分 バックアップ 添付 複製 名前変更 リロード   新規 一覧 単語検索 最終更新   ヘルプ   最終更新のRSS
Last-modified: 2009-06-09 (火) 11:04:08 (416d)