//#nofollow
//#norelated
*This page is about the Promise NS4300N. [#nc805744]
#contents
* What is the NS4300N? [#l4f7aa03]
A NAS kit from Promise, the company known for its RAID controllers. It holds up to four internal SATA drives. Corega's CG-NSC4500GT is an OEM version.
* Information [#n7c7b223]
- [[SmartStor NS4300N>http://www.promise.com/product/product_detail_eng.asp?product_id=177]]~
Promise's product page
- [[Datasheet>http://www.promise.com/upload/datasheet/NS4300NDatasheet.pdf]]
- [[Compatibility List>http://www.promise.com/support/download/download2_eng.asp?productID=177&category=compatibility&os=100]]~
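Compatibility list
- [[German-language wiki page>http://www.ns4300n-info.de/wiki/index.php?title=Hauptseite]]~
The most detailed source. It covers everything from connecting a serial console to firmware analysis.
- [[ASUS MANIAX: Installing the NS4300N firmware on a CG-NSC4500GT>http://www.asusmaniax.com/2007/09/cgnsc4500gtns43_264a.html]]~
Exactly what the title says. The CG-NSC4500GT sells for considerably less, so buying that one may be the smart choice.
- [[Apribase: SmartStor NS4300N>http://apribase.net/2007/07/25/smartstor-ns4300n/]]~
A user's account of setting one up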
- [[2ch [うんcorega]NAS 「HDD Bank TERA」 Vol.1>http://www.23ch.info/test/read.cgi/hard/1186528294/]]
- [[Firmware and related files>ftp://ftp.winco.com.hk/product/Promise/]]
- [[Promise NS4300N Network Attached Storage Firmware Modification>http://www.16paws.com/projects/NS4300N/index.html]]~
Builds a dropbear plugin, using this page as a reference and improving on parts of it.
- [[Mike Makuch’s home page » telnet/rsync access to Promise ns4300n NAS>http://mike.makuch.org/?p=89]]
* Hardware [#y356df20]
** Specifications [#xab34850]
#style(class=table_left){{
|CPU|CPU MPC8343 400MHz|
|Flash ROM|16MB|
|RAM|DDR 128MB|
|RAID controller|Promise PDC40719 (detected as FastTrak TX 4310?)|
|RAID|Supports 0/1/10/5/5+|
}}
** MTD map [#cc55497a]
#style(class=table_left){{
|/dev/mtdblock0|0x00000000-0x00040000|256kB|U-Boot|
|/dev/mtdblock1|0x00040000-0x00080000|256kB|U-Boot_ENV|
|/dev/mtdblock2|0x00080000-0x00240000|1,792kB|Kernel|
|/dev/mtdblock3|0x00240000-0x00560000|3,200kB|Rootfs|
|/dev/mtdblock4|0x00560000-0x00d60000|8,192kB|Usr|
|/dev/mtdblock5|0x00d60000-0x00f00000|1,664kB|Promise|
|/dev/mtdblock6|0x00f00000-0x01000000|1,024kB|Data|
}}
** /proc/cpuinfo [#s0848e06]
#pre{{
processor : 0
cpu : e300
revision : 1.1 (pvr 8083 0011)
bogomips : 265.21
chip : MPC83xx
Vendor : Freescale Inc.
Machine : mpc83xx sys
core clock : 399 MHz
bus clock : 266 MHz
PVR : 0x80830011
SVR : 0x80570011
PLL setting : 0x6
Memory : 128 MB
}}
** /proc/meminfo [#o32459b7]
#pre{{
MemTotal: 126844 kB
MemFree: 35104 kB
Buffers: 43548 kB
Cached: 24752 kB
SwapCached: 0 kB
Active: 39848 kB
Inactive: 35780 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 126844 kB
LowFree: 35104 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Dirty: 56 kB
Writeback: 0 kB
Mapped: 15388 kB
Slab: 7508 kB
CommitLimit: 63420 kB
Committed_AS: 55712 kB
PageTables: 528 kB
VmallocTotal: 851968 kB
VmallocUsed: 19432 kB
VmallocChunk: 832284 kB
}}
** /proc/mtd [#babc0d89]
#pre{{
dev: size erasesize name
mtd0: 00040000 00020000 "U-Boot"
mtd1: 00040000 00020000 "U-Boot_ENV"
mtd2: 001c0000 00020000 "Kernel"
mtd3: 00320000 00020000 "Rootfs"
mtd4: 00800000 00020000 "Usr"
mtd5: 001a0000 00020000 "Promise"
mtd6: 00100000 00020000 "Data"
}}
* Software [#o85506ae]
** dmesg output (Ver. 010507) [#o5ce53ae]
#pre{{
Linux version 2.6.11SR3_1_2 (root@localhost.localdomain) (gcc version 3.4.3) #4 Mon Feb 4 07:25:45 CST 2008
On node 0 totalpages: 32768
DMA zone: 32768 pages, LIFO batch:8
Normal zone: 0 pages, LIFO batch:1
HighMem zone: 0 pages, LIFO batch:1
Built 1 zonelists
Kernel command line: root=/dev/ram rw console=ttyS0,115200
IPIC (128 IRQ sources, 8 External IRQs) at fe000700
PID hash table entries: 1024 (order: 10, 16384 bytes)
Console: colour dummy device 80x25
Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
Memory: 123168k available (2292k kernel code, 668k data, 312k init, 0k highmem)
Calibrating delay loop... 265.21 BogoMIPS (lpj=132608)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
checking if image is initramfs...it isn't (no cpio magic); looks like an initrd
Freeing initrd memory: 3189k freed
NET: Registered protocol family 16
PCI: Probing PCI hardware
PCI: bridge rsrc 0..ffffff (100), parent c028be7c
PCI: bridge rsrc 80000000..9fffffff (200), parent c028be60
PCI:0000:00:00.0: Resource 0: 00000000-000fffff (f=200)
PCI: Cannot allocate resource region 0 of device 0000:00:00.0
PCI: parent is c0333054: 80000000-9fffffff (f=200)
PCI:0000:00:00.0: Resource 2: 40000000-7fffffff (f=120c)
PCI: Cannot allocate resource region 2 of device 0000:00:00.0
PCI:0000:00:00.0: Resource 4: 00000000-3fffffff (f=120c)
PCI: Cannot allocate resource region 4 of device 0000:00:00.0
PCI: parent is c0333054: 80000000-9fffffff (f=200)
PCI:0000:00:0e.0: Resource 0: 9ffff000-9fffffff (f=200)
PCI:0000:00:0e.1: Resource 0: 9fffef00-9fffefff (f=200)
PCI:0000:00:10.0: Resource 0: 00ffff80-00ffffff (f=101)
PCI:0000:00:10.0: Resource 2: 00fffe00-00fffeff (f=101)
PCI:0000:00:10.0: Resource 3: 9fffd000-9fffdfff (f=200)
PCI:0000:00:10.0: Resource 4: 9ffc0000-9ffdffff (f=200)
PCI: Failed to allocate mem resource #2:40000000@c0000000 for 0000:00:00.0
PCI: Failed to allocate mem resource #4:40000000@c0000000 for 0000:00:00.0
Registering ipic with sysfs...
SCSI subsystem initialized
usbcore: registered new driver usbfs
usbcore: registered new driver hub
VFS: Disk quotas dquot_6.5.1
Dquot-cache hash table entries: 1024 (order 0, 4096 bytes)
squashfs: version 3.0 (2006/03/15) Phillip Lougher
Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
JFFS2 version 2.2. (C) 2001-2003 Red Hat, Inc.
Initializing Cryptographic API
MPC83xx SPI Driver on MDS board: Revision: 1.0
Successfully registered spi major=252
MPC83xx GPIO Driver on MDS board: Revision: 1.0
Successfully registered gpio major=253
Real Time Clock Driver v1.10f
MPC83xx Watchdog Demo Init
Serial: 8250/16550 driver $Revision: 1.1.1.1.2.1 $ 4 ports, IRQ sharing disabled
ttyS0 at MMIO 0xe0004500 (irq = 9) is a 16550A
ttyS1 at MMIO 0xe0004600 (irq = 10) is a 16550A
io scheduler noop registered
io scheduler anticipatory registered
io scheduler deadline registered
io scheduler cfq registered
RAMDISK driver initialized: 16 RAM disks of 16384K size 1024 blocksize
loop: loaded (max 8 devices)
gfar_driver_version = 1.1a
GFAR: ECNTRL=00001018, MACCFG1,2=00000030,00007205
eth0: Gianfar Ethernet Controller Version 1.1, 00:0a:79:b9:91:ee
eth0: MTU = 1500 (frame size=1514,truesize=1784)
eth0: Running with NAPI enabled
eth0: 64/64 RX/TX BD ring size
eth0: Socket buffer recycling mode enabled
SKB Handler initialized(max=64)
MPC8349MDS flash device: 1000000 at fe000000 Partition number 7
MPC8349MDS Flash Map Info: Found 1 x16 devices at 0x0 in 16-bit bank
Amd/Fujitsu Extended Query Table at 0x0040
MPC8349MDS Flash Map Info: CFI does not contain boot bank location. Assuming top.
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
add_mtd_partitions
Creating 7 MTD partitions on "MPC8349MDS Flash Map Info":
0x00000000-0x00040000 : "U-Boot"
ftl_cs: FTL header not found.
0x00040000-0x00080000 : "U-Boot_ENV"
ftl_cs: FTL header not found.
0x00080000-0x00240000 : "Kernel"
ftl_cs: FTL header not found.
0x00240000-0x00560000 : "Rootfs"
ftl_cs: FTL header not found.
0x00560000-0x00d60000 : "Usr"
ftl_cs: FTL header not found.
0x00d60000-0x00f00000 : "Promise"
ftl_cs: FTL header not found.
0x00f00000-0x01000000 : "Data"
ftl_cs: FTL header not found.
MPC8349MDS flash device initialized
ehci_hcd 0000:00:0e.1: NEC Corporation USB 2.0
ehci_hcd 0000:00:0e.1: new USB bus registered, assigned bus number 1
ehci_hcd 0000:00:0e.1: irq 21, io mem 0x9fffef00
ehci_hcd 0000:00:0e.1: park 0
ehci_hcd 0000:00:0e.1: USB 2.0 initialized, EHCI 1.00, driver 10 Dec 2004
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 3 ports detected
ohci_hcd: 2004 Nov 08 USB 1.1 'Open' Host Controller (OHCI) Driver (PCI)
ohci_hcd 0000:00:0e.0: NEC Corporation USB
ohci_hcd 0000:00:0e.0: new USB bus registered, assigned bus number 2
ohci_hcd 0000:00:0e.0: irq 21, io mem 0x9ffff000
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 3 ports detected
usbcore: registered new driver usblp
drivers/usb/class/usblp.c: v0.13: USB Printer Device Class driver
usbcore: registered new driver hiddev
usbcore: registered new driver usbhid
drivers/usb/input/hid-core.c: v2.01:USB HID core driver
mice: PS/2 mouse device common for all mice
i2c /dev entries driver
device-mapper: 4.4.0-ioctl (2005-01-12) initialised: dm-devel@redhat.com
NET: Registered protocol family 2
IP: routing cache hash table of 1024 buckets, 8Kbytes
TCP established hash table entries: 8192 (order: 4, 65536 bytes)
TCP bind hash table entries: 8192 (order: 3, 32768 bytes)
TCP: Hash tables configured (established 8192 bind 8192)
NET: Registered protocol family 1
NET: Registered protocol family 17
NET: Registered protocol family 5
RAMDISK: Compressed image found at block 0
VFS: Mounted root (ext2 filesystem).
Freeing unused kernel memory: 312k init
Promise FastTrak TX 4310 Serieal Device Driver 2.6.0.0330 (Sep 01, 2006)
PRODUCT_VERSION SR1_1_5 Build_Time Mar 27 2008 17:11:22
Required extension size: max: 2061328 Min: 1554420
fasttrak 0000:00:10.0: Found FastTrak Controller with IRQ: 23
Required DMA safe size: max: 169992 Min: 6556
Required DMA safe size: max: 169992 Min: 6556
scsi0 : ftsata2
Vendor: Promise Model: 4 Disk RAID5 Rev: 1.10
Type: Direct-Access ANSI SCSI revision: 02
sda : very big device. try to use READ CAPACITY(16).
SCSI device sda: 5860182144 512-byte hdwr sectors (3000413 MB)
sda: asking for cache data failed
sda: assuming drive cache: write through
sda : very big device. try to use READ CAPACITY(16).
SCSI device sda: 5860182144 512-byte hdwr sectors (3000413 MB)
sda: asking for cache data failed
sda: assuming drive cache: write through
unknown partition table
Attached scsi disk sda at scsi0, channel 0, id 0, lun 0
Attached scsi generic sg0 at scsi0, channel 0, id 0, lun 0, type 0
Initializing USB Mass Storage driver...
usbcore: registered new driver usb-storage
USB Mass Storage support registered.
fuse init (API version 7.8)
fuse distribution version: 2.7.4
kjournald starting. Commit interval 5 seconds
EXT3 FS on dm-0, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
eth0: MTU = 9000 (frame size=9014,truesize=9464)
fifo_tx_thr=100,1c0
fifo_tx_sp=10,25
fifo_tx_starve=80,1a0
fifo_tx_starve_shutoff=100,1c0
fifo_rx_alarm=100,40
fifo_rx_alarm_shutoff=80,20
fifo_rx_panic=180,60
fifo_rx_panic_shutoff=100,40
eth0: PHY is IP1001 (2430d90)
eth0: Full Duplex
eth0: Speed 1000BT
eth0: Link is up
eth0: Flow control is on
}}
** glibc version (output of /lib/libc.so.6) [#v406c28a]
#pre{{
# /lib/libc.so.6
GNU C Library stable release version 2.3.2, by Roland McGrath et al.
Copyright (C) 2003 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 3.3.6 (Debian 1:3.3.6-4).
Compiled on a Linux 2.6.0-test7 system on 2005-05-10.
Available extensions:
GNU libio by Per Bothner
crypt add-on version 2.1 by Michael Glad and others
linuxthreads-0.10 by Xavier Leroy
BIND-8.2.3-T5B
libthread_db work sponsored by Alpha Processor Inc
NIS(YP)/NIS+ NSS modules 0.19 by Thorsten Kukuk
software FPU emulation by Richard Henderson, Jakub Jelinek and others
Report bugs using the `glibcbug' script to <bugs@gnu.org>.
}}
** Firmware [#rfbd1926]
*** Ver. 010105 [#y5cbca5d]
#style(class=table_left){{
|Start|End|Content|
|000000|01463F|Contains something besides zeros|
|013C00|013DFF|Header of the rev file|
|013E00|013FFF|rev|
|014000|0141FF|Header of the fix_script file|
|014200|0143FF|fix_script|
|014400|0145FF|Header of the kernel.gz file|
|014640|1881FF|kernel.gz|
|188200|18843F|Header of the rootfs.gz file|
|188440|3ED5FF|rootfs.gz|
|3ED600|3ED7FF|Header of the usr_sqfs file|
|3ED800|B368FF|usr_sqfs|
|B36900|B369FF|Header of the pro_sqfs file|
|B36A00||pro_sqfs|
}}
- Extracting the image file
<pre>
$ &color(blue){dd if=ns4300_010105_A36-B05_A1.upg of=kernel.img bs=64 skip=1304 count=23792};
23791+0 records in
23791+0 records out
1522624 bytes (1.5 MB) copied, 0.0823247 seconds, 18.5 MB/s
$ &color(blue){ls -al};
drwxr-xr-x 4 itou-r users 90 2007-10-06 06:36 .
drwxr-xr-x 5 itou-r users 133 2007-10-06 04:47 ..
-rw-r--r-- 1 itou-r users 1522688 2007-10-08 02:44 kernel.img
-rw-r--r-- 1 itou-r users 13177856 2007-10-06 04:44 ns4300_010105_A36-B05_A1.upg
$ &color(blue){file *};
kernel.img: PPCBoot image
ns4300_010105_A36-B05_A1.upg: data
$ &color(blue){dd if=kernel.img of=kernel.gz bs=64 skip=1};
$ &color(blue){ls -al};
drwxr-xr-x 5 itou-r users 4096 2007-10-08 02:47 .
drwxr-xr-x 5 itou-r users 133 2007-10-06 04:47 ..
-rw-r--r-- 1 itou-r users 1522624 2007-10-08 02:47 kernel.gz
-rw-r--r-- 1 itou-r users 1522688 2007-10-08 02:44 kernel.img
-rw-r--r-- 1 itou-r users 13177856 2007-10-06 04:44 ns4300_010105_A36-B05_A1.upg
$ &color(blue){file *};
kernel.gz: gzip compressed data, from Unix, last modified: Tue Apr 3 16:43:22 2007, max compression
kernel.img: PPCBoot image
ns4300_010105_A36-B05_A1.upg: data
$ &color(blue){gunzip kernel.gz};
$ &color(blue){ls -al};
drwxr-xr-x 4 itou-r users 108 2007-10-06 06:38 .
drwxr-xr-x 5 itou-r users 133 2007-10-06 04:47 ..
-rw-r--r-- 1 itou-r users 3207302 2007-10-08 02:47 kernel
-rw-r--r-- 1 itou-r users 1522688 2007-10-08 02:44 kernel.img
-rw-r--r-- 1 itou-r users 13177856 2007-10-06 04:44 ns4300_010105_A36-B05_A1.upg
</pre>
- Unpacking the RootFS
<pre>
$ &color(blue){dd if=ns4300_010105_A36-B05_A1.upg of=rootfs.gz bs=64 skip=25105 count=39239};
39239+0 records in
39239+0 records out
2511296 bytes (2.5 MB) copied, 0.134612 seconds, 18.7 MB/s
$ &color(blue){ls -al};
合計 40096
drwxr-xr-x 3 itou-r users 100 2007-10-06 06:41 .
drwxr-xr-x 5 itou-r users 133 2007-10-06 04:47 ..
-rw-r--r-- 1 itou-r users 3207302 2007-10-06 06:36 kernel
-rw-r--r-- 1 itou-r users 13177856 2007-10-06 04:44 ns4300_010105_A36-B05_A1.upg
-rw-r--r-- 1 itou-r users 11571136 2007-10-06 06:41 rootfs.gz
$ &color(blue){gunzip rootfs.gz};
$ &color(blue){ls -al};
合計 52384
drwxr-xr-x 3 itou-r users 119 2007-10-06 06:45 .
drwxr-xr-x 5 itou-r users 133 2007-10-06 04:47 ..
-rw-r--r-- 1 itou-r users 3207302 2007-10-06 06:36 kernel
-rw-r--r-- 1 itou-r users 13177856 2007-10-06 04:44 ns4300_010105_A36-B05_A1.upg
-rw-r--r-- 1 itou-r users 12582912 2007-10-06 06:41 rootfs
$ &color(blue){mkdir root-mount};
$ &color(blue){su};
# &color(blue){mount -o loop rootfs root-mount};
</pre>
&ref(tree-root-010105.txt); tree output
- Unpacking usr_squashfs
<pre>
$ &color(blue){dd if=ns4300_010105_A36-B05_A1.upg of=usr_sqfs bs=64 skip=64352 count=119364};
119364+0 records in
119364+0 records out
7639296 bytes (7.6 MB) copied, 0.414095 seconds, 18.4 MB/s
$ &color(blue){file *};
kernel: data
ns4300_010105_A36-B05_A1.upg: data
rootfs: Linux rev 1.0 ext2 filesystem data
usr_sqfs: Squashfs filesystem, big endian, version 3.0, 0 bytes, 301 inodes, blocksize: 65536 bytes, created: Wed Apr 18 17:36:35 2007
$ &color(blue){mkdir usr};
$ &color(blue){su};
# &color(blue){mount -o loop -t squashfs usr_sqfs usr};
</pre>
&ref(tree-usr-010105.txt); tree output
- Unpacking the WebGUI files
<pre>
$ &color(blue){dd if=ns4300_010105_A36-B05_A1.upg of=pro_sqfs bs=64 skip=183720};
22184+0 records in
22184+0 records out
1419776 bytes (1.4 MB) copied, 0.076625 seconds, 18.5 MB/s
$ &color(blue){file *};
kernel: data
ns4300_010105_A36-B05_A1.upg: data
pro_sqfs: Squashfs filesystem, big endian, version 3.0, 0 bytes, 1685 inodes, blocksize: 65536 bytes, created: Wed Apr 18 17:36:56 2007
root-fs: Linux rev 1.0 ext2 filesystem data (mounted or unclean)
rootfs: Linux rev 1.0 ext2 filesystem data
usr_sqfs: Squashfs filesystem, big endian, version 3.0, 0 bytes, 301 inodes, blocksize: 65536 bytes, created: Wed Apr 18 17:36:35 2007
$ &color(blue){mkdir promise};
$ &color(blue){su};
# &color(blue){mount -o loop -t squashfs pro_sqfs promise};
# &color(blue){ls promise};
bin conf gui lib util
</pre>
&ref(tree-promise-010105.txt); tree output
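The offsets used in the dd commands above were worked out by hand. As an added example (not from the original page), the following Python code finds the same kinds of boundaries by signature: it validates the 64-byte legacy U-Boot/PPCBoot header that `dd bs=64 skip=1` strips, and reads the inode count and version from a big-endian squashfs superblock, the fields `file` prints. The sample image is constructed in the code and is not a real .upg file.

```python
import gzip
import struct
import zlib

UIMAGE_MAGIC = struct.pack(">I", 0x27051956)   # legacy U-Boot/PPCBoot header magic
UIMAGE_HDR = struct.Struct(">7I4B32s")         # 64-byte big-endian header
SQUASHFS_BE = b"sqsh"                          # big-endian squashfs magic


def parse_uimage(blob, off):
    """Parse a legacy uImage header at `off`; return None unless its CRC checks out."""
    raw = blob[off:off + UIMAGE_HDR.size]
    if len(raw) < UIMAGE_HDR.size or raw[:4] != UIMAGE_MAGIC:
        return None
    # Field order: magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name
    _, hcrc, _, size, _, _, dcrc, _, _, _, comp, name = UIMAGE_HDR.unpack(raw)
    # The header CRC is computed with the CRC field itself set to zero.
    if zlib.crc32(raw[:4] + b"\0" * 4 + raw[8:]) != hcrc:
        return None
    start = off + UIMAGE_HDR.size
    payload = blob[start:start + size]
    return {
        "kind": "uimage",
        "offset": off,
        "payload_offset": start,          # where `dd bs=64 skip=1` begins reading
        "payload_size": size,
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "gzip": comp == 1 and payload[:2] == b"\x1f\x8b",
        "data_crc_ok": len(payload) == size and zlib.crc32(payload) == dcrc,
    }


def parse_squashfs(blob, off):
    """Read inode count and version from a big-endian squashfs 1.x-3.x superblock."""
    raw = blob[off:off + 32]
    if len(raw) < 32 or raw[:4] != SQUASHFS_BE:
        return None
    inodes = struct.unpack_from(">I", raw, 4)[0]
    major, minor = struct.unpack_from(">HH", raw, 28)
    if not 1 <= major <= 3:               # reject chance hits on the 4-byte magic
        return None
    return {"kind": "squashfs", "offset": off, "inodes": inodes, "version": (major, minor)}


def scan(blob):
    """Return every validated uImage header and squashfs superblock, sorted by offset."""
    hits = []
    for magic, parser in ((UIMAGE_MAGIC, parse_uimage), (SQUASHFS_BE, parse_squashfs)):
        pos = blob.find(magic)
        while pos != -1:
            hit = parser(blob, pos)
            if hit:
                hits.append(hit)
            pos = blob.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def build_sample():
    """Constructed miniature image: zero padding, a gzip'd payload in a uImage, a squashfs stub."""
    kernel = gzip.compress(b"constructed kernel bytes " * 8, mtime=0)
    # os=5 (Linux), arch=7 (PowerPC), type=2 (kernel), comp=1 (gzip)
    fields = [0x27051956, 0, 0, len(kernel), 0, 0, zlib.crc32(kernel),
              5, 7, 2, 1, b"constructed-kernel"]
    fields[1] = zlib.crc32(UIMAGE_HDR.pack(*fields))
    image = (b"\0" * 0x600 + UIMAGE_HDR.pack(*fields) + kernel).ljust(0x800, b"\0")
    superblock = struct.pack(">4sI5I2H", SQUASHFS_BE, 301, 0, 0, 0, 0, 0, 3, 0)
    return image + superblock.ljust(0x100, b"\0")


if __name__ == "__main__":
    for hit in scan(build_sample()):
        print(hex(hit["offset"]), hit)
```

A header whose CRC does not verify is skipped, so stray occurrences of the magic bytes inside compressed data are not reported.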
*** Ver. 010205 [#j4c7be2a]
#style(class=table_left){{
|Start|End|Content|
|000000|013BFF|0|
|013C00|C913FF|tar+gzipped image|
}}
- Extracting the image file
<pre>
$ &color(blue){dd if=ns4300_010205.upg of=ns4300_010205-SKIPPED.tar.gz skip=79 bs=1k};
$ &color(blue){file *};
ns4300_010205-SKIPPED.tar.gz: gzip compressed data, from Unix, last modified: Fri Aug 3 19:04:02 2007
ns4300_010205.upg: data
$ &color(blue){mkdir work};
$ &color(blue){tar zxvf ns4300_010205-SKIPPED.tar.gz -C work};
$ &color(blue){cd work};
$ &color(blue){ls -al};
合計 13064
drwxr-xr-x 2 itou-r users 89 2007-10-06 04:51 .
drwxr-xr-x 3 itou-r users 76 2007-10-06 04:51 ..
-rwxr-xr-x 1 itou-r users 2416 2007-07-24 18:22 fix_script
-rw-r--r-- 1 itou-r users 1527837 2007-08-03 19:04 kernel
-rwxr-xr-x 1 itou-r users 1417216 2007-08-03 19:04 pro_sqfs
-rwxr-xr-x 1 itou-r users 116 2007-08-02 14:33 rev
-rwxr-xr-x 1 itou-r users 2462795 2007-08-03 19:04 rootfs
-rwxr-xr-x 1 itou-r users 7954432 2007-08-03 19:04 usr_sqfs
$ &color(blue){file *};
fix_script: perl script text executable
kernel: PPCBoot image
pro_sqfs: Squashfs filesystem, big endian, version 3.0, 0 bytes, 1688 inodes, blocksize: 65536 bytes, created: Fri Aug 3 19:03:17 2007
rev: ASCII text
rootfs: PPCBoot image
usr_sqfs: Squashfs filesystem, big endian, version 3.0, 0 bytes, 315 inodes, blocksize: 65536 bytes, created: Fri Aug 3 19:03:04 2007
</pre>
- Unpacking the RootFS
<pre>
$ &color(blue){dd if=rootfs of=root-SKIPPED.gz bs=64 skip=1};
38480+1 records in
38480+1 records out
2462731 bytes (2.5 MB) copied, 0.13265 seconds, 18.6 MB/s
$ &color(blue){file root*};
root-SKIPPED.gz: gzip compressed data, from Unix, last modified: Fri Aug 3 19:01:51 2007, max compression
rootfs: PPCBoot image
$ &color(blue){gunzip root-SKIPPED.gz};
$ &color(blue){file *};
root-SKIPPED: Linux rev 1.0 ext2 filesystem data
rootfs: PPCBoot image
$ &color(blue){mkdir root-mount};
$ &color(blue){su};
# &color(blue){mount -o loop -t ext2 root-SKIPPED root-mount};
# &color(blue){cd root-mount};
# &color(blue){ls};
SNAPSHOT VOLUME1 VOLUME3 bin dev home lost+found proc root sys usr
USBDISK VOLUME2 VOLUME4 data etc lib mnt promise sbin tmp var
</pre>
&ref(tree-root-010205.txt); tree output
- Unpacking usr_squashfs
<pre>
$ &color(blue){mkdir usr};
$ &color(blue){su};
# &color(blue){mount -o loop -t squashfs usr_sqfs usr};
# &color(blue){ls usr};
bin lib local sbin
</pre>
&ref(tree-usr-010205.txt); tree output
- Unpacking the WebGUI files
<pre>
$ &color(blue){mkdir promise};
$ &color(blue){su};
# &color(blue){mount -o loop -t squashfs pro_sqfs promise};
# &color(blue){ls promise};
bin conf gui lib util
</pre>
&ref(tree-promise-010205.txt); tree output
*** Ver. 010507 [#m49cd1e5]
It is unclear from which version onward, but the firmware files used for upgrades are now encrypted. According to [[this thread>http://www.avsforum.com/avs-vb/showthread.php?t=859675&page=7]], they are apparently Blowfish-encrypted and signed using a customized bcrypt command. It seems they can no longer be hacked as easily as before.
* Hacks [#ib4bca8e]
** Converting a Corega NSC-4500GT into a Promise NS4300N [#k2e93fca]
Belatedly, I am converting an NSC-4500GT that I bought about a year ago to the Promise firmware. Unlike Buffalo products, this model updates its firmware by first copying the firmware file to a directory on the NAS and then selecting that file in the web interface. So the first step is to create a RAID volume and finish formatting it. After that, apply the firmware updates one after another, starting from the oldest. This time the Corega firmware was old (probably Ver.01.01.2140.10), so I updated in this order:~
Corega firmware → ns4300_010206.upg (the one at ftp://ftp.winco.com.hk/product/Promise/NS4300N/firmware/)~
→ ns4300_010306.upg → ns4300_010411.upg → ns4300_010503.upg → ns4300_010507.upg~
The upgrade to 010507 was the first to show a progress bar for the operation.
** Changing the root password [#ya39c72d]
*** Using an Application Plugin [#te78c7b2]
[[Source>http://www.nslu2-info.de/showpost.php?p=26355&postcount=42]]
#pre{{
rosvall
New user
Registered: 12.08.2007
Posts: 1
Quick telnet hack via application plugin
My german is a bit rusty, so please bear with me.
Note: i tried to post this in the ns4300n-info.de forum, but i get a http-error.
Long story short:
After countless hours spent trying to crack the root password in /etc/shadow in
the firmware image from promise, i remembered the seemingly stupid "Application
Plugin" thingy in the web interface.
With access to the perl/php scripts for the webinterface it's pretty easy to
figure out how to make such a plugin, so i set out for making a little shell
script to add the admin user to /etc/sudoers and /etc/telnet.user.
The files that the plugin-thingy accepts has a pretty obscure format, like the
firmware image itself. The first 97KB is discarded, and after that there has to
be a gzipped tar containing a file called "rev" and the application itself in a
dir named the same as the plugin. The rev file needs to contain three lines in a
format like:
PKGNAME=my_plugin_name
PKGVERSION=X.X.9999.X
FWVERSION=010105
You can substitute the X'es as you like, but the 9999 is some sort of oem-code,
whatever that is. Of course the my_plugin_name is substituted for the name of
your plugin.
Anyways, as far as i can see, the only way to get it to execute something from
the plugin-package is to call the plugin DLNA, which will make the "DLNA" tab in
the web interface light up. Then, when you choose enable service, it will try to
execute /VOLUME1/PROMISEAPP/DLNA/.server/fupper
So what i did, was i made a ./rev like:
-----cut-------
PKGNAME=DLNA
PKGVERSION=1.0.9999.0
FWVERSION=010105
-----cut-------
And a ./DLNA/DLNA/.server/fuppes like:
-----cut-----
#!/bin/ash
echo "admin ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
echo "admin" >> /etc/telnet.user
-----cut------
...did a chmod +x ./DLNA/DLNA/.server/fuppes
and put it all in a tarball with
tar cvfz telnet-hack.tgz ./rev ./DLNA
Now i had the tarball, i just needed the 97kB of padding:
dd if=/dev/urandom of=telnet-hack bs=97k count=1
and put it together with
cat telnet-hack.tgz >> telnet-hack
And here it is: http://rapidshare.com/files/48464094...ack-combo.html
(Please, for the sake of your own security, make your own plugin like described
or at least verify that mine does what i say it does.)
Just upload the file to the ns4300n, go to the Management->System
Upgrade->Application Plugin page on the web interface and fill out the form.
When it has done its thing, go to File & Print->Protocol Control->DLNA and
enable it. Then you should be able to login via telnet on port 2380 with your
admin user.
I'm sorry if i didn't make much sense, i have been at it for about 20 hours now,
and i really need some sleep
}}
*** Using a WebGUI vulnerability [#j19a91f5]
The following works on older firmware versions, but the technique probably no longer works on recent versions.
Source: [[SecurityFocus Promise NAS NS4300N GUI bug>http://www.securityfocus.com/archive/1/480913]]
#pre{{
Promise NAS NS4300N GUI bug Sep 27 2007 09:19PM
Tor Houghton (torh bogus net)
List,
There is a bug in the Promise NAS NS4300N web GUI (firmware version 1.1.0.5)
which allows an authenticated (admin) user to change the password of the
'root' account.
The user management portion of the web interface allows the admin user to
change user's passwords. The PHP script that handles this does not check to
see if the admin is changing a user account or system accounts such as
'root'.
By changing the value of the 'user' parameter to 'root' (from whatever user
id whose password is being changed, e.g. 'admin' if you have not defined any
users) in the POST request to /usercp.php, we can provide a known password
for the root account and thereby login to the NAS (which is normally not
possible because Promise has not divulged root's password).
The vendor has not been notified, but this is hardly a critical issue..?
Tor
moonshade:~$ telnet 192.168.5.16 2380
Trying 192.168.5.16...
Connected to 192.168.5.16.
Escape character is '^]'.
NS4300N R1.1 A10 (Version 01.01.0000.05) - Promise Technology, INC.
nas login: root
Password:
BusyBox v1.00-rc2 (2006.11.07-01:55+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
root is allowed to login.
[root@nas]# dmesg
Linux version 2.6.11SR1_1_2 (root@localhost.localdomain) (gcc version 3.4.1) #2 Tue Apr 3 15:43:13 CST 2007
On node 0 totalpages: 32768
DMA zone: 32768 pages, LIFO batch:8
Normal zone: 0 pages, LIFO batch:1
HighMem zone: 0 pages, LIFO batch:1
Built 1 zonelists
Kernel command line: root=/dev/ram rw console=ttyS0,115200
IPIC (128 IRQ sources, 8 External IRQs) at fe000700
PID hash table entries: 1024 (order: 10, 16384 bytes)
Console: colour dummy device 80x25
Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
Memory: 123936k available (2276k kernel code, 660k data, 312k init, 0k highmem)
Calibrating delay loop... 265.21 BogoMIPS (lpj=132608)
--
http://www.bogus.net/~torh
}}
** Shutting down from the web [#m38b952a]
Source: [[2ch>http://pc11.2ch.net/test/read.cgi/hard/1186528294/326]]
#pre{{
[うんcorega]NAS 「HDD Bank TERA」 Vol.1
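326 :不明なデバイスさん (Anonymous):2007/12/07(Fri) 23:49:53 ID:843Ig8N5
Looking at >>321 and seeing telnet being driven with sendkey,
I thought driving the web UI through the IE object would work just as well, so I wrote this.
It ran fine on the Promise firmware.
This will probably work on the Corega firmware too, though it may need some changes…
File name: anything.vbs
=======
strIP = "xxx.xxx.xxx.xxx" ' <- IP address or the like
strLogin = "admin"
strPwd = "xxxxxxxx" ' <- password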
Set objIE = CreateObject("InternetExplorer.Application")
objIE.Visible = False
objIE.Navigate "http://" & strIP
While objIE.Busy = true:WScript.sleep(250):Wend:WScript.sleep(500)
objIE.Document.Forms(0).login.value = strLogin
objIE.Document.Forms(0).password.value = strPwd
objIE.Document.Forms(0).submit.click
While objIE.Busy = true:WScript.sleep(250):Wend:WScript.sleep(500)
objIE.Navigate "http://" & strIP & "/shutdown.php"
While objIE.Busy = true:WScript.sleep(250):Wend:WScript.sleep(500)
objIE.Document.Main.Radiosubmit(1).checked = true
objIE.Document.Main.submit.Onclick = "return true"
objIE.Document.Main.Submit.Click
While objIE.Busy = true:WScript.sleep(250):Wend:WScript.sleep(500)
objIE.Quit
Set objIE = Nothing
=======
}}
* Application-Plugin [#ka72e6a0]
According to [[this post>http://www.nslu2-info.de/forum/showpost.php?p=26355&postcount=42]] and [[this page>http://randomsoft.com/node/110]], an NS4300N "Application Plugin" is a tar.gz file with 97 KB of junk prepended. The tar.gz consists of a file named rev and a directory named after the plugin.
- [[Geeks are GREAT Lovers » ns4300n PPG contents>http://www.geeksaregreatlovers.com/ns4300n-ppg-contents/]]
** [[DLNA-plugin-v010106-beta>http://www.promise.com/upload/Support/Plugins/dlna_plugin_v0000_010106-beta.zip]] [#yee6202c]
<pre>
$ &color(blue){unzip dlna_plugin_v0000_010106-beta.zip};
$ &color(blue){dd if=dlna_plugin_v0000_010106-beta.ppg of=dlna_plugin_v0000_010106-beta.tar.gz bs=97k skip=1};
$ &color(blue){file *};
dlna-build6-beta-readme.pdf: PDF document, version 1.6
dlna_plugin_v0000_010106-beta.ppg: data
dlna_plugin_v0000_010106-beta.tar.gz: gzip compressed data, from Unix, last modified: Thu Feb 12 17:46:33 2009
dlna_plugin_v0000_010106-beta.zip: Zip archive data, at least v2.0 to extract
$ &color(blue){mkdir contents};
$ &color(blue){tar zxvf dlna_plugin_v0000_010106-beta.tar.gz -C contents};
$ &color(blue){ls -al contents};
合計 4
drwxr-xr-x 3 hoge users 96 2009-04-07 12:42 .
drwxr-xr-x 3 hoge users 288 2009-04-07 12:42 ..
drwxr-xr-x 4 hoge users 128 2008-10-30 19:30 dlna
-rw-r--r-- 1 hoge users 87 2009-02-09 16:29 rev
</pre>
*** rev [#tc64eb2e]
#pre{{
$ cat rev
PKGNAME=dlna
PKGVERSION=01.01.0000.06
FWVERSION=01.03.0000.01
FIXSCRIPT=upgrade_script
}}
*** dlna/upgrade_script [#j2828a79]
#pre{{
#!/usr/bin/perl
unlink("/data/etc/server/dlna");
system("echo no >/etc/server/dlna");
$first_volume = "";
$music_path = "";
$video_path = "";
$picture_path = "";
open(IN,"/bin/df |");
while(<IN>){
    if ( /(VOLUME\d+)/ ) {
        if ( -f "/$1/PLUGINAPP/DLNA/.server/fuppes.db" ) {
            unlink("/$1/PLUGINAPP/DLNA/.server/fuppes.db");
            unlink("/$1/PLUGINAPP/DLNA/.server/.uuid");
            system("/bin/rm -rf /$1/PLUGINAPP/DLNA/.server/tmp");
        }
        if ( $first_volume eq "" ) {
            $first_volume = "/$1";
        }
        if ( $music_path eq "" && -d "/$1/MUSIC" ) {
            $music_path = "/$1/MUSIC";
        }
        if ( $picture_path eq "" && -d "/$1/PICTURE" ) {
            $picture_path = "/$1/PICTURE";
        }
        if ( $video_path eq "" && -d "/$1/VIDEO" ) {
            $video_path = "/$1/VIDEO";
        }
    }
}
close(IN);
#print "$first_volume $music_path $video_path $picture_path\n";
if ( $music_path eq "" ) {
    system("/promise/util/addsharefolder.pl \"$first_volume\" MUSIC >/dev/null 2>/dev/null");
    system("/promise/util/setsmb.pl add \"$first_volume\" MUSIC >/dev/null 2>/dev/null");
    system("/promise/util/setftp.pl add \"$first_volume\" MUSIC >/dev/null 2>/dev/null");
    system("/promise/util/setafp.pl add \"$first_volume\" MUSIC >/dev/null 2>/dev/null");
    system("/promise/util/setnfs.pl add \"$first_volume\" MUSIC >/dev/null 2>/dev/null");
}
if ( $picture_path eq "" ) {
    system("/promise/util/addsharefolder.pl \"$first_volume\" PICTURE >/dev/null 2>/dev/null");
    system("/promise/util/setsmb.pl add \"$first_volume\" PICTURE >/dev/null 2>/dev/null");
    system("/promise/util/setftp.pl add \"$first_volume\" PICTURE >/dev/null 2>/dev/null");
    system("/promise/util/setafp.pl add \"$first_volume\" PICTURE >/dev/null 2>/dev/null");
    system("/promise/util/setnfs.pl add \"$first_volume\" PICTURE >/dev/null 2>/dev/null");
}
if ( $video_path eq "" ) {
    system("/promise/util/addsharefolder.pl \"$first_volume\" VIDEO >/dev/null 2>/dev/null");
    system("/promise/util/setsmb.pl add \"$first_volume\" VIDEO >/dev/null 2>/dev/null");
    system("/promise/util/setftp.pl add \"$first_volume\" VIDEO >/dev/null 2>/dev/null");
    system("/promise/util/setafp.pl add \"$first_volume\" VIDEO >/dev/null 2>/dev/null");
    system("/promise/util/setnfs.pl add \"$first_volume\" VIDEO >/dev/null 2>/dev/null");
}
}}
*** dlna/DLNA/plugin.conf [#l4ce35de]
#pre{{
APPNAME=DLNA
APPSTRING=DLNA Server
VERSION=01.01.0000.06
AUTOSTART=NO
SWAPMEM=NO
APPBINDIR=.server
MAINPROCESS=fuppes
CONTROLSCRIPT=dlna
}}
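Added example (not from the original page or from Promise): Python code that reads a .ppg in memory, without extracting or installing it, and reports its rev and plugin.conf fields, its executable members, and any file that references the system files discussed on this page. The sample plugin is constructed in the code; placing MAINPROCESS and CONTROLSCRIPT under APPBINDIR is an assumption based on the telnetd plugin layout shown on this page.

```python
import io
import posixpath
import tarfile

PPG_PADDING = 97 * 1024   # leading bytes the NAS discards (97 KB, per this page)
REV_KEYS = ("PKGNAME", "PKGVERSION", "FWVERSION")
# System files that scripts on this page modify or that gate logins.
SENSITIVE = (b"/etc/sudoers", b"/etc/telnet.user", b"/etc/crontab", b"/etc/shadow")


def parse_kv(raw):
    """Parse the KEY=VALUE lines used by rev and plugin.conf."""
    pairs = {}
    for line in raw.decode("ascii", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():
            pairs[key.strip()] = value.strip()
    return pairs


def inspect_ppg(data):
    """Inspect a .ppg held in memory, without extracting it to disk."""
    report = {"rev": {}, "plugin_conf": {}, "executables": [], "findings": []}
    note = report["findings"].append
    body = data[PPG_PADDING:]
    if body[:2] != b"\x1f\x8b":
        note("no gzip stream at the 97 KB offset")
        return report
    files, conf_dir = {}, None
    try:
        with tarfile.open(fileobj=io.BytesIO(body), mode="r:gz") as tar:
            for member in tar:
                path = posixpath.normpath(member.name)
                if member.name.startswith("/") or ".." in member.name.split("/"):
                    note(f"member path leaves the extraction directory: {member.name}")
                if member.issym() or member.islnk():
                    note(f"link member: {path} -> {member.linkname}")
                if not member.isfile():
                    continue
                files[path] = tar.extractfile(member).read()
                if member.mode & 0o111:
                    report["executables"].append(path)
                if posixpath.basename(path) == "plugin.conf":
                    report["plugin_conf"] = parse_kv(files[path])
                    conf_dir = posixpath.dirname(path)
    except (tarfile.TarError, OSError, EOFError) as exc:
        note(f"archive could not be read: {exc}")
        return report
    report["rev"] = parse_kv(files.get("rev", b""))
    for key in REV_KEYS:
        if key not in report["rev"]:
            note(f"rev is missing {key}")
    # Assumption: MAINPROCESS and CONTROLSCRIPT live in APPBINDIR, as in the
    # telnetd plugin layout shown on this page.
    conf = report["plugin_conf"]
    for key in ("MAINPROCESS", "CONTROLSCRIPT"):
        if conf_dir is not None and key in conf:
            target = posixpath.normpath(
                posixpath.join(conf_dir, conf.get("APPBINDIR", ""), conf[key]))
            if target not in files:
                note(f"{key} {target} is not in the archive")
    for path, content in sorted(files.items()):
        for needle in SENSITIVE:
            if needle in content:
                note(f"{path} references {needle.decode()}")
    return report


def build_sample_ppg():
    """Constructed sample: 97 KB of zero padding followed by a small tar.gz."""
    members = {
        "./rev": (0o644, b"PKGNAME=sample\nPKGVERSION=01.01.0000.01\n"
                         b"FWVERSION=01.05.0000.03\n"),
        "./sample/SAMPLE/plugin.conf": (0o644, b"APPNAME=SAMPLE\nAPPBINDIR=.server\n"
                                               b"MAINPROCESS=main\nCONTROLSCRIPT=ctl.sh\n"),
        "./sample/SAMPLE/.server/ctl.sh": (0o755, b'#!/bin/ash\n'
                                                  b'echo "admin" >> /etc/telnet.user\n'),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, (mode, content) in members.items():
            info = tarfile.TarInfo(name)
            info.mode, info.size = mode, len(content)
            tar.addfile(info, io.BytesIO(content))
    return b"\0" * PPG_PADDING + buf.getvalue()


if __name__ == "__main__":
    for key, value in inspect_ppg(build_sample_ppg()).items():
        print(key, value)
```

To check a downloaded plugin, pass the file's bytes to `inspect_ppg()` and review the findings before uploading it to the NAS.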
** MediaTomb 0.11.0 UPnP Server plugin (by 801) [#hf420c97]
-[[801's site>http://www.tt.em-net.ne.jp/~sandhill/NAS/]]
A plugin (?) by 801, from the 2channel thread [うんcorega]NAS 「HDD Bank TERA」, that makes the DLNA function work properly. I have not tried it myself, but 801 gave permission, so it is mirrored here.
- &ref(mediatomb_010102_promise.ppg);: for the Promise NS4300N/Corega CG-NSC4500GT running the Promise firmware~
- &ref(mediatomb_010102_corega.ppg);: for Corega firmware 01.03.2140.01 and later (for the CG-NSC2100GT)~
- &ref(mediatomb_010102_coregax.ppg);: for Corega firmware 01.02.2140.06 and later (for the CG-NSC4500GT)
*** rev [#j08c5b22]
#pre{{
PKGNAME=mediatomb
PKGVERSION=01.01.0000.02
FWVERSION=01.02.0000.01
}}
*** mediatomb/MTOMB/plugin.conf [#e6efeaed]
#pre{{
APPNAME=MTOMB
APPSTRING=mediatomb 0.11.0 UPnP Server
VERSION=01.01.0000.02
AUTOSTART=NO
SWAPMEM=NO
APPBINDIR=server
MAINPROCESS=mtstart
CONTROLSCRIPT=mtcontrol
}}
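** Enabling telnet [#tdf8a5a9]
With the stock firmware, only the users root and engmode are allowed to log in via telnet, and neither password has been published. In addition, the trap (?) built into firmware 01.05.0000.03 and later has to be dealt with.
*** Workaround for firmware 01.05.0000.03 and later [#q808cedc]
In firmware 01.05.0000.03 and later, as shown below, cron runs /usr/sbin/chkhttpd every minute, and that script writes only the users root and engmode to /etc/telnet.user. So even if you rewrite /etc/telnet.user to register the users who may log in via telnet or ssh, the file is overwritten again. The workaround is to copy /usr/sbin/chkhttpd to a writable area that survives a power-off, modify part of it, and register the modified copy in crontab. (See [[PC便利帳: Re-enabling telnet on the NS4300N>http://tipspc.blogspot.com/2009/01/ns4300n-telnet.html]] and [[Enabling telnet on the NS4300N, part 3 | RANDOM.SOFT>http://randomsoft.com/node/112]].)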
- /etc/crontab
#pre{{
[admin@ns4300n]# cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file.
# This file also has a username field, that none of the other crontabs do.
SHELL=/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin
# m h dom mon dow user command
#42 6 * * * root run-parts --report /etc/cron.daily
#47 6 * * 7 root run-parts --report /etc/cron.weekly
#52 6 1 * * root run-parts --report /etc/cron.monthly
#
# Removed invocation of anacron, as this is now handled by a
# /etc/cron.d file
* * * * * root /usr/sbin/chkhttpd >/dev/null 2>/dev/null
* * * * * root /usr/sbin/chkdhcp >/dev/null 2>/dev/null
*/30 * * * * root /usr/sbin/cleanlog >/dev/null 2>/dev/null
*/10 * * * * root /usr/sbin/cronbackup >/dev/null 2>/dev/null
*/10 * * * * root /usr/sbin/chkdomain >/dev/null 2>/dev/null
0 */3 * * * root /promise/util/synctime.pl >/dev/null 2>/dev/null
}}
- /usr/sbin/chkhttpd
#pre{{
#!/usr/bin/perl
$agentflag = 0;
$downflag = 0;
$bonjourflag = 0;
open(IN,"/bin/ps |");
while(<IN>){
    if ( /thttpd/ ) {
        # print "$_";
        $downflag = 1;
    }
    elsif ( /fagent/ ) {
        #print "$_";
        $agentflag = 1;
    }
    elsif ( /mDNSResponderPosix/ ) {
        $bonjourflag++;
    }
    elsif ( /mdnsd/ ) {
        $bonjourflag++;
    }
}
close(IN);
if ( $downflag == 0 ) {
    system("/etc/init.d/httpd start >/dev/null 2>/dev/null");
}
if ( $agentflag == 0 ) {
    system("/usr/sbin/runfag >/dev/null 2>/dev/null");
}
if ( $bonjourflag != 2 ) {
    system("/etc/init.d/bonjour stop >/dev/null 2>/dev/null");
    sleep 1;
    system("/etc/init.d/bonjour start >/dev/null 2>/dev/null");
}
if ( ! -f "/tmp/sleep" ) {
    system("/usr/sbin/recycler >/dev/null 2>/dev/null");
    unlink("/tmp/recycler");
}
open(OUT,">/etc/telnet.user");
print OUT "root\n";
print OUT "engmode\n";
close(OUT);
}}
*** Files that make up the plugin [#tf83a376]
#pre{{
.
|-- rev
`-- telnetd
    `-- TELNETD
        |-- .server
        |   |-- st_hack
        |   `-- telnetd.sh
        `-- plugin.conf
}}
- rev
#pre{{
PKGNAME=telnetd
PKGVERSION=01.01.0000.02
FWVERSION=01.05.0000.03
}}
- telnetd/TELNETD/plugin.conf
#pre{{
APPNAME=TELNETD
APPSTRING=telnetd-hack
VERSION=01.01.0000.02
AUTOSTART=NO
SWAPMEM=NO
APPBINDIR=.server
MAINPROCESS=st_hack
CONTROLSCRIPT=telnetd.sh
}}
- telnetd/TELNETD/.server/st_hack
#pre{{
#!/bin/ash
while [ 1 ]; do
    sleep 600
done
}}
- telnetd/TELNETD/.server/telnetd.sh &ref(telnetd.sh);
#pre{{
#!/usr/bin/perl
$userlist = "/etc/telnet.user";
$sudolist = "/etc/sudoers";
$user = "admin";
$newdir = "/data/usr/local/sbin";
$chkhttpd = "$newdir/chkhttpd";
$chkhttpdorig = "/usr/sbin/chkhttpd";
$crontab = "/etc/crontab";
$tmp = "/tmp/telnet-hack.tmp";
$action = $ARGV[0];
if ( $action eq "start") {
    # do nothing if the plugin is already running
    open(RUN,"/bin/ps -e |");
    while(<RUN>){
        if( /st_hack/ ){
            exit;
        }
    }
    close(RUN);
    # search installed path
    open(IN,"/bin/df |");
    while(<IN>){
        if (/(VOLUME\d+)/) {
            if ( -d "/$1/PLUGINAPP/TELNETD" ) {
                $serverpath = "/$1/PLUGINAPP/TELNETD/.server";
                last;
            }
        }
    }
    close(IN);
    if ( $serverpath eq "" ) {
        exit;
    }
    # check whether user "admin" exists in /etc/telnet.user
    $found = system("/bin/grep $user $userlist > /dev/null 2>/dev/null") >> 8;
    if ( $found == 1 ) {
        # append user "admin" to /etc/telnet.user
        open(OUT, ">>$userlist");
        print OUT "$user\n";
        close(OUT);
    }
    # check whether user "admin" exists in /etc/sudoers
    $found = system("/bin/grep $user $sudolist > /dev/null 2>/dev/null") >> 8;
    if ( $found == 1 ) {
        # append user "admin" to /etc/sudoers
        open(OUT, ">>$sudolist");
        print OUT "$user ALL=(ALL) NOPASSWD: ALL\n";
        close(OUT);
    }
    # check $newdir exists
    if ( !(-d $newdir) ) {
        system("/bin/mkdir -p $newdir");
    }
    # force building $chkhttpd removing "OUT" from original
    # (drops the lines that rewrite /etc/telnet.user)
    system("/bin/grep -v OUT $chkhttpdorig > $chkhttpd");
    # modify /etc/crontab
    open(IN, "<$crontab");
    open(OUT, ">$tmp");
    while(<IN>) {
        s/\/usr\/sbin\/chkhttpd/\/data\/usr\/local\/sbin\/chkhttpd/;
        print OUT;
    }
    close(IN);
    close(OUT);
    system("/bin/cp $tmp $crontab");
    system("$serverpath/st_hack &");
}
elsif ($action eq "stop") {
    $ssh = 0;
    open(RUN,"/bin/ps -e |");
    while(<RUN>){
        if( /dropbear/ ){
            $ssh = 1;
            last;
        }
    }
    close(RUN);
    # clean up only if dropbear, which needs the same changes, is not running
    # (comparison "==", not assignment "=", so the cleanup actually runs)
    if ( $ssh == 0 ) {
        # remove user admin from /etc/telnet.user
        system("/bin/grep -v $user $userlist > $tmp");
        system("/bin/cp $tmp $userlist");
        # remove user admin from /etc/sudoers
        system("/bin/grep -v $user $sudolist > $tmp");
        system("/bin/cp $tmp $sudolist");
        # reset /etc/crontab
        open(IN, "<$crontab");
        open(OUT, ">$tmp");
        while(<IN>) {
            s/\/data\/usr\/local\/sbin\/chkhttpd/\/usr\/sbin\/chkhttpd/;
            print OUT;
        }
        close(IN);
        close(OUT);
        system("/bin/cp $tmp $crontab");
        # remove modified chkhttpd
        unlink($chkhttpd);
        if ( -s $newdir ) {
            rmdir($newdir);
        }
    }
    system("/usr/bin/killall st_hack >/dev/null 2>/dev/null");
}
}}
&ref(telnet-hack_v010102.ppg);: for the Promise NS4300N/Corega CG-NSC4500GT running the Promise firmware~
It has hardly been tested, so it naturally comes with no warranty. Use it at your own risk.
*** Building the custom plugin [#w0bb49d8]
<pre>
$ &color(blue){cd workdir};
$ &color(blue){chmod a+x telnetd/TELNETD/.server/st_hack telnetd/TELNETD/.server/telnetd.sh};
$ &color(blue){sudo chown -R root:root .};
$ &color(blue){sudo tar czvf ../telnet-hack.tar.gz ./rev ./telnetd};
$ &color(blue){cd ..};
$ &color(blue){dd if=/dev/urandom of=telnet-hack_v0000_010102.ppg bs=97k count=1};
$ &color(blue){cat telnet-hack.tar.gz >> telnet-hack_v0000_010102.ppg};
</pre>
*** Becoming root [#k474fca9]
Once the plugin built above is installed and telnet-hack is enabled, you can log in as user admin and obtain root privileges with the sudo command.
<pre>
$ &color(blue){sudo -s};
</pre>
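An added example (not part of the original page or of the plugin): a shell check that reports the persistent changes the telnet-hack and dropbear control scripts make, namely extra entries in /etc/telnet.user, a NOPASSWD rule in /etc/sudoers, and cron pointing at the modified chkhttpd copy. The function name and the optional root-prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original page. Paths come from the scripts
# above; the optional ROOT prefix is an assumption so the checks can also run
# against a mounted or copied filesystem instead of the live "/".
# Usage: audit_ns4300n            (live system)
#        audit_ns4300n /mnt/nas   (copied root filesystem)

# Prints one "FINDING: ..." line per deviation; returns 0 when there is none.
audit_ns4300n() {
    root=${1:-}
    findings=0
    users="$root/etc/telnet.user"
    sudoers="$root/etc/sudoers"
    crontab="$root/etc/crontab"
    copy="$root/data/usr/local/sbin/chkhttpd"

    # Stock chkhttpd rewrites the login list to exactly "root" and "engmode".
    if [ -f "$users" ]; then
        extra=$(grep -vxE '(root|engmode)?' "$users" | tr '\n' ' ')
        if [ -n "$extra" ]; then
            findings=$((findings + 1))
            echo "FINDING: extra login users in $users: $extra"
        fi
    fi

    # The control scripts append "admin ALL=(ALL) NOPASSWD: ALL".
    if [ -f "$sudoers" ]; then
        rules=$(grep -v '^[[:space:]]*#' "$sudoers" | grep 'NOPASSWD' || true)
        if [ -n "$rules" ]; then
            findings=$((findings + 1))
            echo "FINDING: passwordless sudo rule: $rules"
        fi
    fi

    # cron should call /usr/sbin/chkhttpd, not a copy somewhere else.
    if [ -f "$crontab" ]; then
        moved=$(grep 'chkhttpd' "$crontab" | grep -v '^[[:space:]]*#' |
                grep -v '[[:space:]]/usr/sbin/chkhttpd' || true)
        if [ -n "$moved" ]; then
            findings=$((findings + 1))
            echo "FINDING: cron runs a relocated chkhttpd: $moved"
        fi
    fi

    # "grep -v OUT" strips the lines that reset /etc/telnet.user.
    if [ -f "$copy" ] && ! grep -q 'telnet\.user' "$copy"; then
        findings=$((findings + 1))
        echo "FINDING: $copy no longer resets /etc/telnet.user"
    fi

    [ "$findings" -eq 0 ]
}
```

Because the stop action of telnetd.sh skips its cleanup while dropbear is running, these findings can remain after one of the two plugins has been stopped.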
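** Building the dropbear plugin [#c384ad4e]
This makes it possible to log in over SSH, which is more secure than telnet. I could not find an SSH plugin for the NS4300N, so I built one myself, and then I found one on the AVS Forum. ([[SSH on the Promise NS4300N>http://herecomethelizards.co.uk/ssh_on_ns4300n/]]) Well, it is also useful for building other plugins, so I am leaving it here as a record.
*** Setting up the cross-compilation environment [#edf48a61]
It is best to stay as close as possible to the environment on the NS4300N, so set up a gcc-3.4.3-glibc-2.3.2 cross-compilation environment with crosstool on Debian Etch.
- powerpc-8349.dat~
Set the compile options for the MPC8349 based on the information [[here>http://sources.redhat.com/ml/crossgcc/2006-06/msg00088.html]].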
#pre{{
TARGET=powerpc-linux-gnu
TARGET_CFLAGS="-O3 -pipe -fsigned-char -mpowerpc-gfxopt"
GCC_EXTRA_CONFIG="--enable-cxx-flags=-mcpu=powerpc"
}}
- demo-powerpc-8349.sh~
#pre{{
#!/bin/sh
# This script has one line for each known working toolchain
# for this architecture. Uncomment the one you want.
# Generated by generate-demo.pl from buildlogs/all.dats.txt
set -ex
TARBALLS_DIR=$HOME/downloads
RESULT_TOP=/usr/crosstool
export TARBALLS_DIR RESULT_TOP
GCC_LANGUAGES="c,c++"
export GCC_LANGUAGES
# Really, you should do the mkdir before running this,
# and chown /opt/crosstool to yourself so you don't need to run as root.
mkdir -p $RESULT_TOP
#eval `cat powerpc-405.dat gcc-3.2.3-glibc-2.2.5.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-3.2.3-glibc-2.3.2.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-3.3.6-glibc-2.2.5.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-3.3.6-glibc-2.3.2.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-3.3.6-glibc-2.3.5.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-3.3.6-glibc-2.3.6.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-3.4.5-glibc-2.2.5.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-3.4.5-glibc-2.3.2.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-3.4.5-glibc-2.3.5.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-3.4.5-glibc-2.3.6.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-4.0.2-glibc-2.3.2.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-4.0.2-glibc-2.3.5.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-4.0.2-glibc-2.3.6.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-4.1.0-glibc-2.3.2.dat` sh all.sh --notest
#eval `cat powerpc-405.dat gcc-4.1.0-glibc-2.3.5.dat` sh all.sh --notest
eval `cat powerpc-8349.dat gcc-3.4.3-glibc-2.3.2.dat` sh all.sh --notest
}}
- gcc-3.4.3-glibc-2.3.2.dat~
Match the kernel version to the NS4300N as well.
#pre{{
@@ -1,6 +1,6 @@
BINUTILS_DIR=binutils-2.15
GCC_DIR=gcc-3.4.3
GLIBC_DIR=glibc-2.3.2
-LINUX_DIR=linux-2.6.8
+LINUX_DIR=linux-2.6.11
LINUX_SANITIZED_HEADER_DIR=linux-libc-headers-2.6.12.0
GLIBCTHREADS_FILENAME=glibc-linuxthreads-2.3.2
}}
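Review bot: LINUX_SANITIZED_HEADER_DIR is left at linux-libc-headers-2.6.12.0 while LINUX_DIR moves to linux-2.6.11, so the two kernel-related settings in this file now name different versions. Since the stated goal is to match the NS4300N kernel, either align the sanitized headers with the target as well or add a line saying which of the two settings supplies the headers the toolchain is built against.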
Create the installation directory and change its owner.
<pre>
$ &color(blue){sudo mkdir /usr/crosstool};
$ &color(blue){sudo chown hogehoge /usr/crosstool};
</pre>
Run crosstool.
<pre>
$ &color(blue){sh demo-powerpc-8349.sh};
</pre>
*** Installing zlib [#ue8da09c]
Reference: [[zlibのクロスコンパイル だよ>http://www.geocities.jp/h83069f/linux/host/crosscompile_zlib.html]]
<pre>
$ &color(blue){mkdir workdir; cd workdir};
$ &color(blue){wget http://www.zlib.net/zlib-1.2.3.tar.bz2};
$ &color(blue){tar jxvf zlib-1.2.3.tar.bz2};
$ &color(blue){cd zlib-1.2.3};
$ &color(blue){./configure --shared --prefix=/usr/crosstool/gcc-3.4.3-glibc-2.3.2/powerpc-linux-gnu/powerpc-linux-gnu \};
&color(blue){ --libdir=/usr/crosstool/gcc-3.4.3-glibc-2.3.2/powerpc-linux-gnu/powerpc-linux-gnu/lib \};
&color(blue){ --includedir=/usr/crosstool/gcc-3.4.3-glibc-2.3.2/powerpc-linux-gnu/powerpc-linux-gnu/include};
</pre>
Edit the Makefile for cross-compilation.
<pre>
@@ -16,7 +16,7 @@
# To install in $HOME instead of /usr/local, use:
# make install prefix=$HOME
-CC=gcc
+CC=powerpc-linux-gnu-gcc
CFLAGS=-fPIC -O3 -DUSE_MMAP
#CFLAGS=-O -DMAX_WBITS=14 -DMAX_MEM_LEVEL=7
@@ -25,15 +25,15 @@
# -Wstrict-prototypes -Wmissing-prototypes
LDFLAGS=-L. libz.so.1.2.3
-LDSHARED=gcc -shared -Wl,-soname,libz.so.1
-CPP=gcc -E
+LDSHARED=powerpc-linux-gnu-gcc -shared -Wl,-soname,libz.so.1
+CPP=powerpc-linux-gnu-gcc -E
LIBS=libz.so.1.2.3
SHAREDLIB=libz.so
SHAREDLIBV=libz.so.1.2.3
SHAREDLIBM=libz.so.1
-AR=ar rc
+AR=powerpc-linux-gnu-ar rc
RANLIB=ranlib
TAR=tar
SHELL=/bin/sh
</pre>
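Review bot: in the hunk at @@ -25,15 RANLIB=ranlib is left unchanged while CC, LDSHARED, CPP and AR all switch to the powerpc-linux-gnu- prefix, so libz.a would be indexed with the build host's ranlib. Suggest RANLIB=powerpc-linux-gnu-ranlib so that every tool in the Makefile comes from the cross toolchain.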
Compile and install.
<pre>
$ &color(blue){export PATH=/usr/crosstool/gcc-3.4.3-glibc-2.3.2/powerpc-linux-gnu/bin:$PATH};
$ &color(blue){make all libz.a};
$ &color(blue){sudo make install};
$ &color(blue){sudo cp libz.a /usr/crosstool/gcc-3.4.3-glibc-2.3.2/powerpc-linux-gnu/powerpc-linux-gnu/lib};
</pre>
*** Compiling dropbear [#cdeb48b5]
References:
- [[Cross Compile SSH Server Dropbear For ARM(页 1) - 文档专区 - 程序开发 - Linux论坛 - powered by Discuz! Archiver>http://linux.chinaunix.net/bbs/archiver/tid-1054334.html]]
- [[Projects - Netgear WGT634U - Dropbear>http://www.nomis52.net/?section=projects&sect2=netgear&page=dropbear]]
<pre>
$ &color(blue){wget http://matt.ucc.asn.au/dropbear/dropbear-0.52.tar.bz2};
$ &color(blue){tar jxvf dropbear-0.52.tar.bz2};
$ &color(blue){cd dropbear-0.52};
$ &color(blue){./configure --libdir=/usr/crosstool/gcc-3.4.3-glibc-2.3.2/powerpc-linux-gnu/powerpc-linux-gnu/lib \};
&color(blue){ --includedir=/usr/crosstool/gcc-3.4.3-glibc-2.3.2/powerpc-linux-gnu/powerpc-linux-gnu/include \};
&color(blue){ --host=powerpc-linux-gnu --with-zlib=/usr/crosstool/gcc-3.4.3-glibc-2.3.2/powerpc-linux-gnu/powerpc-linux-gnu};
</pre>
- When compiled statically
<pre>
$ &color(blue){make MULTI=1 STATIC=1};
$ &color(blue){ls -al dropbearmulti};
-rwxr-xr-x 1 ryoei ryoei 921494 2009-04-09 21:40 dropbearmulti
$ &color(blue){make strip};
$ &color(blue){ls -al dropbearmulti};
-rwxr-xr-x 1 ryoei ryoei 801948 2009-04-09 21:43 dropbearmulti
</pre>
- When compiled to use shared libraries
<pre>
$ &color(blue){make MULTI=1};
$ &color(blue){ls -al dropbearmulti};
-rwxr-xr-x 1 ryoei ryoei 211767 2009-04-09 21:37 dropbearmulti
$ &color(blue){make strip};
$ &color(blue){ls -al dropbearmulti};
-rwxr-xr-x 1 ryoei ryoei 173348 2009-04-09 21:38 dropbearmulti
</pre>
*** Directory layout of the custom plugin [#hee1ed0a]
#pre{{
.
|-- dropbear
|   |-- SSH
|   |   |-- .server
|   |   |   |-- config
|   |   |   |   `-- dropbear.conf
|   |   |   |-- ssh2
|   |   |   `-- usr
|   |   |       `-- sbin
|   |   |           `-- dropbear
|   |   `-- plugin.conf
|   `-- upgrade_script
`-- rev
}}
- rev
#pre{{
PKGNAME=dropbear
PKGVERSION=01.01.0000.01
FWVERSION=01.03.0000.01
FIXSCRIPT=upgrade_script
}}
- dropbear/upgrade_script &ref(upgrade_script);
#pre{{
#!/usr/bin/perl
$cfg_dir = "/data/usr/local/dropbear/etc";
$cfg_file = "$cfg_dir/dropbear.conf";
$hostkey_dir = "/data/usr/local/dropbear/etc/dropbear";
$profile = "/etc/profile";
$rsa_key = "dropbear_rsa_host_key";
$dss_key = "dropbear_dss_host_key";
$tmp = "/tmp/dropbear.tmp";
# search installed path
open(IN,"/bin/df |");
while(<IN>){
    if (/(VOLUME\d+)/) {
        if ( -d "/$1/PLUGINAPP/SSH" ) {
            $plap_dir = "/$1/PLUGINAPP";
            $serverpath = "/$1/PLUGINAPP/SSH/.server";
            $ap_bin_dir = "/$1/bin";
            last;
        }
    }
}
close(IN);
# copy configuration file to /data/usr/local/dropbear/etc/dropbear.conf if none
if ( !( -f $cfg_file ) ) {
    if ( !( -d $cfg_dir ) ) {
        system("/bin/mkdir -p $cfg_dir");
    }
    system("/bin/cp $serverpath/config/dropbear.conf $cfg_file >/dev/null 2>/dev/null");
}
# make symbolic link dropbear to dbclient, dropbearconvert, dropbearkey and ssh
$dropbear_multi = "$serverpath/usr/sbin/dropbear";
if ( !( -d $ap_bin_dir ) ) {
    mkdir($ap_bin_dir, 0755);
}
@lists = ( "dbclient", "dropbearconvert", "dropbearkey", "ssh" );
foreach $filename ( @lists ) {
    $full_pathname = "$ap_bin_dir/" . "$filename";
    system("/bin/ln -s $dropbear_multi $full_pathname > /dev/null 2>/dev/null");
}
# check $PATH contains $ap_bin_dir in /etc/profile
$found = system("/bin/grep $ap_bin_dir $profile > /dev/null 2>/dev/null") >> 8;
if ( $found == 1 ) {
    # add $ap_bin_dir to the $PATH in /etc/profile
    open(IN, "<$profile");
    open(OUT, ">$tmp");
    while(<IN>) {
        s/\$PATH/$ap_bin_dir:\$PATH/;
        print OUT;
    }
    close(IN);
    close(OUT);
    system("/bin/cp $tmp $profile");
    unlink($tmp);
}
# check hostkeys
if ( !( (-f "$hostkey_dir/$rsa_key") && (-f "$hostkey_dir/$dss_key") ) ) {
    &keygen;
}
sub keygen {
    $keygencmd = "$ap_bin_dir/dropbearkey";
    if ( ! (-d $hostkey_dir) ) {
        system("/bin/mkdir -p $hostkey_dir");
        chmod(0700, $hostkey_dir);
    }
    @lists = ( "rsa", "dss" );
    foreach $keytype ( @lists ) {
        $keyfile = "dropbear_" . "$keytype" . "_host_key";
        system("$keygencmd -t $keytype -f $hostkey_dir/$keyfile > /dev/null 2>/dev/null");
    }
}
}}
- dropbear/SSH/plugin.conf
#pre{{
APPNAME=SSH
APPSTRING=Dropbear SSH2 server
VERSION=01.01.0000.01
AUTOSTART=NO
SWAPMEM=NO
APPBINDIR=.server
MAINPROCESS=dropbear
CONTROLSCRIPT=ssh2
}}
- dropbear/SSH/.server/ssh2 &ref(ssh2);
#pre{{
#!/usr/bin/perl
$rsa_key = "dropbear_rsa_host_key";
$dss_key = "dropbear_dss_host_key";
$user = "admin";
$OPTS = "";
$tmp = "/tmp/dropbear.tmp";
$user_list = "/etc/telnet.user";
$hostkey_dir = "/data/usr/local/dropbear/etc/dropbear";
$sudo_list = "/etc/sudoers";
$profile = "/etc/profile";
$cfg_file = "/data/usr/local/dropbear/etc/dropbear.conf";
$newdir = "/data/usr/local/sbin";
$chkhttpd = "$newdir/chkhttpd";
$chkhttpdorig = "/usr/sbin/chkhttpd";
$crontab = "/etc/crontab";
$action = $ARGV[0];
# search installed path
open(IN,"/bin/df |");
while(<IN>){
    if (/(VOLUME\d+)/) {
        if ( -d "/$1/PLUGINAPP/SSH" ) {
            $serverpath = "/$1/PLUGINAPP/SSH/.server";
            $ap_bin_dir = "/$1/bin";
            last;
        }
    }
}
close(IN);
if ( $action eq "start") {
    # do nothing if dropbear is already running
    open(RUN,"/bin/ps -e |");
    while(<RUN>){
        if( /dropbear/ ){
            exit;
        }
    }
    close(RUN);
    $dropbeardaemon = "$serverpath/usr/sbin/dropbear";
    # check hostkeys
    if ( !( (-f "$hostkey_dir/$rsa_key") && (-f "$hostkey_dir/$dss_key") ) ) {
        &keygen;
    }
    # check whether user "admin" exists in /etc/telnet.user
    $found = system("/bin/grep $user $user_list >/dev/null 2>/dev/null") >> 8;
    if ( $found == 1 ) {
        # append user "admin" to /etc/telnet.user
        open(OUT, ">>$user_list");
        print OUT "$user\n";
        close(OUT);
    }
    # check whether user "admin" exists in /etc/sudoers
    $found = system("/bin/grep $user $sudo_list >/dev/null 2>/dev/null") >> 8;
    if ( $found == 1 ) {
        # append user "admin" to /etc/sudoers
        open(OUT, ">>$sudo_list");
        print OUT "$user ALL=(ALL) NOPASSWD: ALL\n";
        close(OUT);
    }
    # check $newdir exists
    if ( !(-d $newdir) ) {
        system("/bin/mkdir -p $newdir");
    }
    # force building $chkhttpd removing "OUT" from original
    # (drops the lines that rewrite /etc/telnet.user)
    system("/bin/grep -v OUT $chkhttpdorig > $chkhttpd");
    # modify /etc/crontab
    open(IN, "<$crontab");
    open(OUT, ">$tmp");
    while(<IN>) {
        s/\/usr\/sbin\/chkhttpd/\/data\/usr\/local\/sbin\/chkhttpd/;
        print OUT;
    }
    close(IN);
    close(OUT);
    system("/bin/cp $tmp $crontab");
    # check $PATH contains $ap_bin_dir in /etc/profile
    $found = system("/bin/grep $ap_bin_dir $profile >/dev/null 2>/dev/null") >> 8;
    if ( $found == 1 ) {
        # append $ap_bin_dir to the $PATH in /etc/profile
        open(IN, "<$profile");
        open(OUT, ">$tmp");
        while(<IN>) {
            s/\$PATH/$ap_bin_dir:\$PATH/;
            print OUT;
        }
        close(IN);
        close(OUT);
        system("/bin/cp $tmp $profile");
        unlink($tmp);
    }
    # parse config options
    &parse_opts;
    # build startup script
    open(OUT,">/tmp/start_ssh2.sh");
    print OUT "#!/bin/sh\n";
    print OUT "$dropbeardaemon $OPTS &\n";
    close(OUT);
    print "Starting SSH2 Server...\n";
    system("/bin/sh /tmp/start_ssh2.sh >/dev/null 2>/dev/null");
    unlink("/tmp/start_ssh2.sh");
}
elsif ($action eq "stop") {
    # remove user admin from /etc/telnet.user
    system("/bin/grep -v $user $user_list > $tmp");
    system("/bin/cp $tmp $user_list");
    # remove user admin from /etc/sudoers
    system("/bin/grep -v $user $sudo_list > $tmp");
    system("/bin/cp $tmp $sudo_list");
    # reset /etc/crontab
    open(IN, "<$crontab");
    open(OUT, ">$tmp");
    while(<IN>) {
        s/\/data\/usr\/local\/sbin\/chkhttpd/\/usr\/sbin\/chkhttpd/;
        print OUT;
    }
    close(IN);
    close(OUT);
    system("/bin/cp $tmp $crontab");
    # remove modified chkhttpd
    unlink($chkhttpd);
    &rmdir_if_empty( $newdir );
    system("/usr/bin/killall dropbear >/dev/null 2>/dev/null");
}
sub keygen {
    # upgrade_script creates the dropbearkey symlink in $ap_bin_dir;
    # the package layout above has no .server/usr/bin directory
    $keygencmd = "$ap_bin_dir/dropbearkey";
    if ( ! (-d $hostkey_dir) ) {
        system("/bin/mkdir -p $hostkey_dir");
        chmod(0700, $hostkey_dir);
    }
    @lists = ( "rsa", "dss" );
    foreach $keytype ( @lists ) {
        $keyfile = "dropbear_" . "$keytype" . "_host_key";
        system("$keygencmd -t $keytype -f $hostkey_dir/$keyfile >/dev/null 2>/dev/null");
    }
}
sub parse_opts {
    # configuration parameter list: dropbear.conf key and the dropbear
    # option letter that switches the feature off
    # (RootLogin has no entry here, so that key is not passed to dropbear)
    %hashopts = qw(
        RootPasswordAuth g
        PasswordAuth s
        LocalPortForwarding j
        RemotePortForwarding k
    );
    open(IN, $cfg_file);
    while(<IN>){
        chomp;
        ($option, $val) = split(/\s+/);
        $val =~ s/\'//g;
        # iterate over the keys only and test the value, not the whole line
        foreach $param ( keys %hashopts ) {
            if ( ($option eq $param) && ($val =~ /no|off|disable|0/) ) {
                $OPTS = $OPTS . " -$hashopts{$param}";
            }
        }
        if ( $option eq "Port" ) {
            $OPTS = $OPTS . " -p $val";
        } elsif ( $option eq "DssKeyfile" ) {
            $OPTS = $OPTS . " -d $val";
        } elsif ( $option eq "RsaKeyfile" ) {
            $OPTS = $OPTS . " -r $val";
        }
    }
    close(IN);
}
sub rmdir_if_empty {
    my $dir = $_[0];
    my $num=0;
    my $status;
    opendir DH, $dir;
    while (my $file = readdir DH) {
        next if $file =~ /^\.{1,2}$/;
        $num = $num +1;
    }
    closedir DH;
    if ( $num == 0 ) {
        rmdir($dir);
        $status = 0;
    } elsif ( ( $num == 1 ) && ( -d "$dir/.RECYCLER") ) {
        rmdir("$dir/.RECYCLER");
        rmdir($dir);
        $status = 0;
    } else {
        $status = 1;
    }
    return $status;
}
}}
- dropbear/SSH/.server/config/dropbear.conf
#pre{{
PasswordAuth 'on'
Port '22'
DssKeyfile '/data/usr/local/dropbear/etc/dropbear/dropbear_dss_host_key'
RsaKeyfile '/data/usr/local/dropbear/etc/dropbear/dropbear_rsa_host_key'
RootLogin 'disable'
RootPasswordAuth 'disable'
LocalPortForwarding 'disable'
RemotePortForwarding 'disable'
}}
*** Building the custom plugin [#w0bb49d8]
<pre>
$ &color(blue){cd workdir};
$ &color(blue){chmod a+x dropbear/upgrade_script dropbear/SSH/.server/ssh2};
$ &color(blue){sudo chown -R root:root .};
$ &color(blue){sudo tar czvf ../dropbear.tar.gz ./rev ./dropbear};
$ &color(blue){cd ..};
$ &color(blue){dd if=/dev/urandom of=dropbear_v0000_010101.ppg bs=97k count=1};
$ &color(blue){cat dropbear.tar.gz >> dropbear_v0000_010101.ppg};
</pre>
&ref(dropbear_v010101.ppg);: for the Promise NS4300N/Corega CG-NSC4500GT running the Promise firmware~
It has hardly been tested, so it naturally comes with no warranty. Use it at your own risk.
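An added example (not from the original page): a shell helper for looking inside a .ppg before installing it, assuming the layout implied by the build steps for both packages above, that is one 97 KiB block (dd bs=97k, taken as 97 x 1024 bytes) followed by the tar.gz, whose gzip magic 0x1f 0x8b is checked. The function names are made up for this example.

```shell
#!/bin/sh
# Added example, not part of the original page.
# Assumed layout (from the dd/cat build steps): 97 KiB header + tar.gz.
PPG_HEADER_BYTES=$((97 * 1024))   # dd bs=97k count=1 -> 99328 bytes

# Write the payload (everything after the header block) to stdout.
ppg_payload() {
    tail -c +"$((PPG_HEADER_BYTES + 1))" "$1"
}

# Succeed only if the payload starts with the gzip magic 0x1f 0x8b.
ppg_has_gzip_payload() {
    magic=$(ppg_payload "$1" | head -c 2 | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "1f8b" ]
}

# Print the package metadata stored in ./rev (PKGNAME, PKGVERSION, ...).
ppg_rev() {
    ppg_payload "$1" | tar xzOf - ./rev
}

# List every member with mode and owner.
ppg_list() {
    ppg_payload "$1" | tar tzvf -
}

# Print the packaged files that mention login, sudo, cron or profile files,
# i.e. the ones to read before enabling the plugin.
ppg_flag_sensitive() {
    dir=$(mktemp -d) || return 2
    if ! ppg_payload "$1" | tar xzf - -C "$dir"; then
        rm -rf "$dir"
        return 2
    fi
    ( cd "$dir" &&
      grep -rlE '/etc/(sudoers|crontab|telnet\.user|profile)' . | sort )
    rm -rf "$dir"
}

# Stand-alone use: sh ppg_inspect.sh package.ppg
if [ "$#" -ge 1 ]; then
    ppg_has_gzip_payload "$1" || { echo "no gzip payload after header" >&2; exit 1; }
    ppg_rev "$1"
    ppg_list "$1"
    ppg_flag_sensitive "$1"
fi
```

The header block in the build steps is filled from /dev/urandom, so it says nothing about who built a package; reading the flagged scripts is the only review the format allows.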
* References [#j8fcd965]
- [[EmbeddedLinux - yMPC8349E-mITXに Linux 2.6.29.4 をインストール - yellowback's blogouchikurin wiki>http://www.youchikurin.com/wiki/index.php?EmbeddedLinux]]
-- [[MPC8349E-mITXに Linux 2.6.26.5 をインストール - yellowback's blog>http://blog.yellowback.net/archives/291-20080927.html]]
-- [[Ubuntu/amd64でpowerpcクロスコンパイル環境の構築 - yellowback's blog>http://blog.yellowback.net/archives/323-20081102.html]]
- [[MPC8349E-mITXについて part 2 ! (ゆうちくりんの忘却禄)>http://www.youchikurin.com/blog/2007/05/mpc8349emitx_part_2.html]]
- [[http://www.bitshrine.org/autodocs/bsp_ext_ava.html]]
-- [[20081211: External visibility for mpc8349emds using: defconfig>http://www.bitshrine.org/autodocs/bsp_ext_ava_mpc8349emds.html]]
- [[Debugging U-Boot and Linux®Boot on a New PowerQUICC®Device>http://mcuol.com/download/upfile/PN305.pdf]]
- [[Using DS1307 I2C RTC (Real Time Clock) : MIND-TEK.NET>http://www.mind-tek.net/ds1307_en.php]]
- [[ArduinoLibraries - Revision 58: /HT1380>http://web.suapapa.net:8080/svn/ArduinoLibraries/HT1380/]]
- [[PowerPCボードADS512101へのLinuxカーネルの移植 - Pylone Blog>http://pylone.jp/blog/linux_for_ads512101]]
- [[http://www.ovro.caltech.edu/~dwh/powerpc_mpc8349e.pdf]]
- [[Freescale MPC8349E PowerPC Analysis>http://www.ovro.caltech.edu/~dwh/powerpc_mpc8349e.pdf]]
* Replacing the fan with a quiet model [#g4bdf5c0]
- [[ふるばーにあん。::NASをちょっと改造してみた>http://full-burnern.sakura.ne.jp/index.php?e=170]]~
Unfortunately, the content appears to have been deleted.
- [[SmallNetBuilder - Small Network Help - Quieting Down the Promise SmartStor NS4300N>http://www.smallnetbuilder.com/content/view/30359/77/]]
- [[ぷりん畑(のれんわけ) コレガのNASを改造する>http://purinpurin.sblo.jp/archives/20081008-1.html]]
* Bonus (Magic Number) [#r263f90c]
Reference: [[Magic numbers for files>http://www.astro.keele.ac.uk/oldusers/rno/Computing/File_magic.html]]
- gzip 0x1f 0x8b
- PPCBoot image 0x27 0x05 0x19 0x56