First, sorry about breaking in with a different NAS. There is an NSA-220 forum, but it's not very active.
I'm facing some problems while trying to get a fun_plug on an NSA-220.
1) With a mild hack it is possible to get telnet root access on the device. I installed ffp 0.4, and it partly works. Now I want this to start automatically. There is a scriptlet executed on boot of the device:
any_usb=`sg_map -x -i|grep -v " 0 0 0 0"|grep -v " 1 0 0 0"|awk '{print $7}'`
echo "${any_usb}"
if [ -n "${any_usb}" ]; then
    for usb in ${any_usb}
    do
        mount "${usb}"1 /mnt
        /sbin/check_key /mnt/nsa220_check_file
        if [ $? == 0 ] ; then
            /mnt/usb_key_func.sh
            test $? -eq 0 && exit 0
        fi
        umount /mnt
    done
fi
This seems to mount all external USB storage devices, and when '/sbin/check_key /mnt/nsa220_check_file' returns a 0, the script /mnt/usb_key_func.sh is executed. So it should be possible to auto execute fun_plug from a USB stick.
I downloaded the firmware sources from ftp://opensource.zyxel.com, to find out what check_key does. Unfortunately I can't find the sources in the package. The only mention of check_key is in a makefile:
# Makefile for NSA-220

# system tools
CP=/bin/cp -rfl
RM=/bin/rm
FIND=/usr/bin/find
MKDIR=mkdir
MODEL=NSA220

# toolchain path
export PATH=/opt/montavista/pro/devkit/arm/v5t_le/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:${HOME}/bin
export CROSS=arm_v5t_le-
export CROSS_CC=${CROSS}gcc
export CROSS_CXX=${CROSS}cpp
export CROSS_AR=${CROSS}ar
export CROSS_LD=${CROSS}ld
export CROSS_RANLIB=${CROSS}ranlib
export CROSS_STRIP=${CROSS}strip
export HOST_CC=gcc

# for configure --build=$PLATFORM_BUILD --host=$PLATFORM_HOST
export PLATFORM_BUILD=i386-linux
export PLATFORM_HOST=arm-linux
export PLATFORM_TARGET=arm-linux
export PLATFORM_PREFIX=/opt/montavista/pro/devkit/arm/v5t_le/target

# path for build
export PRODUCT_ROOT=${PWD}
export SYSAPPS_PATH=${PRODUCT_ROOT}/sysapps
export DEST_PATH=${PRODUCT_ROOT}/build/apptarget
export RAS_PATH=${PRODUCT_ROOT}/build/fs

# the kernel from MontaVista. Some special header files and definitions are here.
export MV_KERNEL_PATH=/opt/montavista/pro/devkit/lsp/arm-versatile926ejs-arm_v5t_le/linux-2.6.10_mv1401

# the kernel for system
kversion=2.6.18.6
ifeq ($(kernel), 2.6.12)
kversion=2.6.12.6-1.10.3
else
kernel=2.6.18
endif
export KERNEL_PATH=${PRODUCT_ROOT}/linux-${kversion}

# specify root file system
# Allowable value: ext2, squash
rfs=squash
ifeq ($(rootfs), ext2)
rfs=ext2
endif

# native target path which contains a native environment
export TARGET_PATH=/opt/montavista/pro/devkit/arm/v5t_le/target

.PHONY: help
help:
	@echo "make - Thi help menu."
	@echo ""
	@echo "make all - Build everything and create RAS image file."
	@echo ""
	@echo "make world [kernel=] - Build everything."
	@echo ""
#	@echo "make clean - Clean all object files; this is not available now."
#	@echo ""
	@echo "make buildkernel [kernel=] - Build kernel image."
	@echo ""
	@echo "make <package> - Build the package."
	@echo " package list : busybox samba zysh nduagent uam fauthd mlogin ntpdate"
	@echo " syslog-ng libzyboot"
	@echo " zysh-cgi file_export file_upload file_download"
	@echo " htp lm-sensors btnd backdoor mtd-util check_key"
	@echo ""
	@echo "make ras [kernel=] [rootfs=] - Create RAS image file."
	@echo " Make sure you already make world."
	@echo ""
	@echo "[kernel=] : "
	@echo " to specify kernel version, by using kernel=kernel_version, "
	@echo " default is 2.6.18, allowable value are 2.6.18, 2.6.12"
	@echo " e.g."
	@echo " make buildkernel kernel=2.6.12, build kernel 2.6.12.6-1.10.3"
	@echo " make ras , build kernel 2.6.18.6"
	@echo "[rootfs=]: "
	@echo " to specify root file system type"
	@echo " default is squash, allowable value are squash, ext2"
	@echo " e.g."
	@echo " make ras rootfs=ext2 to make EXT2 root file system"
	@echo "Some environment variables:"
	@echo " CROSS_CC=${CROSS_CC}"
	@echo " DEST_PATH=${DEST_PATH}"
	@echo " RAS_PATH=${RAS_PATH}"

world: prebuild buildkernel busybox dev
	@echo "==> The end of the world!"

clean: kernel.clean busybox.clean

prebuild:
	@echo "==> $@"
	${MKDIR} -p ${RAS_PATH}
	${RM} -rf ${RAS_PATH}/*
	${CP} --preserve=all ${PRODUCT_ROOT}/basicfs/* ${RAS_PATH}
	${CP} --preserve=all ${PRODUCT_ROOT}/basicfs/.mtoolsrc ${RAS_PATH}
	${FIND} ${RAS_PATH} -name .svn | xargs rm -rf
	chmod 777 ${RAS_PATH}/tmp
	chmod 777 ${RAS_PATH}/tmp/users/home
	chmod 777 ${RAS_PATH}/tmp/users/shares
	@echo "==> Clear tmporary build dir"
	${RM} -rf ${DEST_PATH}/bin/*
	${RM} -rf ${DEST_PATH}/sbin/*
	${RM} -rf ${DEST_PATH}/usr/bin/*
	${RM} -rf ${DEST_PATH}/usr/sbin/*
	${RM} -rf ${DEST_PATH}/lib/*
	${RM} -rf ${DEST_PATH}/usr/lib/*
	${RM} -rf ${DEST_PATH}/usr/include/*
	${RM} -rf ${DEST_PATH}/util/*
	${RM} -rf ${DEST_PATH}/root/*

ras:
	@echo "==> $@"
	${RM} -rf ${RAS_PATH}/lib/modules
	${RM} -rf ${RAS_PATH}/lib/modules_kernel_2.6.12
ifeq ($(kernel), 2.6.12)
	${CP} --preserve=all ${PRODUCT_ROOT}/basicfs/lib/modules_kernel_2.6.12 ${RAS_PATH}/lib/modules
else
	${CP} --preserve=all ${PRODUCT_ROOT}/basicfs/lib/modules ${RAS_PATH}/lib/modules
endif
	${FIND} ${RAS_PATH} -name .svn | xargs rm -rf
	cd build ; ./makeras.sh -k ${kernel} -f ${rfs} -b "${beta_ver}" -c "${fcs_ver}"

buildkernel:
	@echo "==> $@, Kernel version is ${kernel}"
	make -C ${KERNEL_PATH} zImage
	${CP} --remove-destination ${KERNEL_PATH}/arch/arm/boot/zImage ${PRODUCT_ROOT}/build

all: world ras
	@echo "==> The end of the all!"

kernel.clean:
	@echo "==> $@"
	make -C ${KERNEL_PATH} clean

busybox:
	@echo "==> $@"
	cd ${SYSAPPS_PATH}/busybox-1.1.1 ; make install
	chmod +s ${RAS_PATH}/bin/busybox

busybox.clean:
	@echo "==> $@"
	cd ${SYSAPPS_PATH}/busybox-1.1.1 ; make clean
	# DO NOT make distclean

dev:
	@echo "==> $@"
	./makedev.sh
In the help section it is mentioned that you can 'make check_key'. Can anybody tell me what this file does when you run 'make check_key'?
2) With ffp 0.4 I can start dropbear, but not some other tools, due to a missing /lib/ld-uClibc.so.0. Some reading here taught me that the DNS-313 has the same problem. It seems to me Fonz has solved this in ffp 0.5. Unfortunately I can't run this version, because the script wants to add a file \ffp, and I've got a read-only \. It seems it's located in rom. Does anybody know a workaround for this?
Offline
Mijzelf wrote:
...
I'm facing some problems while trying to get a fun_plug on an NSA-220.
1) ... Can anybody tell me what this file does when you run 'make check_key'?
It'll look for check_key.c and invoke the compiler.
Mijzelf wrote:
2) With ffp 0.4 I can start dropbear, but not some other tools, due to a missing /lib/ld-uClibc.so.0. Some reading here taught me that the DNS-313 has the same problem. It seems to me Fonz has solved this in ffp 0.5. Unfortunately I can't run this version, because the script wants to add a file \ffp, and I've got a read-only \. It seems it's located in rom. Does anybody know a workaround for this?
My funplugs up to 0.4 are made for the DNS-323 libraries. 0.5 is the first version that does not depend on any firmware support.
Linksys WRT 350N also has a read-only root directory. Sconk worked around by extending the firmware image, adding a /ffp directory (you can then mount --bind /.../ffp /ffp).
To get started, chroot'ing ffp might be an option. Assuming you have telnet access, you can install a chroot like this:
cd /some/writable/directory
wget http://www.inreto.de/dns323/fun-plug/0.5/fun_plug.tgz
mkdir ffp
tar xzf fun_plug.tgz -C ffp
mkdir proc
mount -t proc proc proc
mkdir etc
mount --bind /etc etc
mkdir dev
mount --bind /dev dev
chroot . /ffp/bin/sh
This will give you a chroot'ed ffp shell. You will most likely want to mount/bind-mount a few additional directories. Exit the ffp shell with 'exit', and unmount all the stuff:
umount dev
umount etc
umount proc
If that works, you can start automating stuff. Clean up ffp/start; there's stuff for the DNS-323 that you won't need:
chmod a-x ffp/start/passwd.sh
chmod a-x ffp/start/rcS.sh
chmod a-x ffp/start/shells.sh
You might want to change telnetd.sh to add '-p 1234' to telnetd_flags to change the ffp-telnet port, or disable telnetd and enable sshd instead:
chmod a-x ffp/start/telnetd.sh
chmod a+x ffp/start/sshd.sh
You can then try to chroot /ffp/etc/rc instead of /ffp/bin/sh:
chroot . /ffp/etc/rc
This will trigger normal ffp startup.
Offline
Thanks. I tried this, and it seems to work. Alas I can't start a telnet server, because I'm already running one, so the port is occupied. I can start sshd, but I get an 'access denied' when I try to log in. Some investigation showed that sshd.sh adds a user sshd to passwd, shadow and group, when it doesn't exist already, but it doesn't seem to add the user.
When I do a 'cat /etc/passwd', I can't find a sshd. But when I do a 'grep '^sshd:' /etc/passwd' I get
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
How is this possible?
I tried to use dropbear instead, but the shell closes immediately after login. I saw the same behaviour when I used dropbear with ffp 0.4. The reason then was that it used fun_plug.d/bin/sh as shell, which couldn't start due to the missing ld-uClibc.so.0. When I changed the shell to /bin/sh it worked.
So I added /bin and /lib to the chrooted /, and changed the shell to /bin/sh. Unfortunately a shell still doesn't start after login. Logfile:
[12926] Jul 06 17:21:07 Running in background
[12940] Jul 06 17:21:36 Child connection from 10.0.0.2:1084
[12940] Jul 06 17:21:40 password auth succeeded for 'admin' from 10.0.0.2:1084
[12940] Jul 06 17:21:40 exit after auth (admin): Exited normally
I created a script
#!/ffp/bin/sh
export PATH=/ffp/sbin:/ffp/bin:/usr/sbin:/sbin:/usr/bin:/bin
/ffp/bin/sh
which I chrooted to the same directory as /ffp/etc/rc. From this shell I can start /bin/sh. What's going wrong with dropbear?
The script which starts dropbear:
#!/bin/sh
# export PATH=/ffp/sbin:/ffp/bin:/usr/sbin:/sbin:/usr/bin:/bin

ETCDIR=/ffp/etc
BINDIR=/ffp/bin
LOGDIR=/ffp/tmp/log
RSAF=${ETCDIR}/dropbear/dropbear_rsa_host_key
DSAF=${ETCDIR}/dropbear/dropbear_dsa_host_key
PIDF=${LOGDIR}/dropbear.pid
LOGF=${LOGDIR}/dropbear.log

dropbear_start() {
    if [ -x "${BINDIR}/dropbear" ]; then
        if [ ! -d "${ETCDIR}/dropbear" ]; then
            mkdir -p ${ETCDIR}/dropbear
        fi
        if [ ! -e /dev/random ]; then
            mknod /dev/random c 1 8
        fi
        if [ ! -e "$DSAF" ]; then
            echo "Generating DSA host key..."
            ${BINDIR}/dropbearkey -t dss -f ${DSAF}
        fi
        if [ ! -e "$RSAF" ]; then
            echo "Generating RSA host key..."
            ${BINDIR}/dropbearkey -t rsa -f ${RSAF}
        fi
        if [ ! -e "/dev/ptmx" ]; then
            mknod -m 0666 /dev/ptmx c 5 2
        fi
        if [ ! -d "/dev/pts" ]; then
            mkdir -p /dev/pts
        fi
        mount | grep devpts 1>/dev/null 2>/dev/null
        if [ $? -ne 0 ]; then
            mount -t devpts devpts /dev/pts
        fi
        # sftp-server: /dev/null must be writeable
        chmod a+w /dev/null
        # need /usr/bin/scp
        # http://dns323.kood.org/forum/t529-without-password.html
        if [ ! -e /usr/bin/scp ]; then
            ( cd /usr/bin; ln -s ${BINDIR}/scp )
        fi
        echo "Starting dropbear ..."
        # ${BINDIR}/dropbear -d ${DSAF} -r ${RSAF} -P ${PIDF} -E -l $(BINDIR)/sh 1>${LOGF} 2>&1 &
        ${BINDIR}/dropbear -d ${DSAF} -r ${RSAF} -P ${PIDF} -E -l /bin/sh 1>${LOGF} 2>&1 &
    else
        echo "ERROR: dropbear not found or not executable"
    fi
}

dropbear_stop() {
    killall dropbear
}

dropbear_status() {
    if [ -n "$(pidof dropbear)" ]; then
        echo "running"
    else
        echo "stopped"
    fi
}

case "$1" in
    stop)
        dropbear_stop
        ;;
    restart)
        dropbear_stop
        sleep 1
        dropbear_start
        ;;
    status)
        dropbear_status
        ;;
    start|'')
        dropbear_start
        ;;
    *)
        echo "Usage: $0 start|stop|restart|status"
        ;;
esac
It is a bit impractical not to be able to start sshd or telnetd, because the telnetserver I'm using to achieve this quits after 3 minutes of inactivity, and closes all open shells.
Offline
Mijzelf wrote:
... Alas I can't start a telnet server, because I'm already running one, so the port is occupied. ... It is a bit impractical not to be able to start sshd or telnetd, because the telnetserver I'm using to achieve this quits after 3 minutes of inactivity, and closes all open shells.
Start the ffp telnetd on a different port, then. Edit ffp/start/telnetd.sh and change telnetd_flags:
telnetd_flags="-l /ffp/bin/sh -p 2300"
should start a telnet server on port 2300.
Offline
It should, but it doesn't, because telnetd is already running. I had to change ffp/etc/ffp.subr a bit to pull down the check. Now it runs! Yes! Thanks.
When I connect to port 2300 now, I immediately get a shell with root rights. Is it easy to have to login instead? It's not really important for now, but it's a bit, well, uncomfortable. My children aren't old enough to exploit this, but times they are a-changing.
Offline
Mijzelf wrote:
I had to change ffp/etc/ffp.subr a bit to pull down the check. Now it runs! Yes! Thanks.
Good point.
Mijzelf wrote:
When I connect to port 2300 now, I immediately get a shell with root rights. Is it easy to have to login instead? It's not really important for now, but it's a bit, well, uncomfortable. My children aren't old enough to exploit this, but times they are a-changing.
The open root shell is necessary on the DNS-323, because the root user is disabled - i.e. a proper root login doesn't work until you fix the password files. Here's some documentation about the issue: http://dns323.kood.org/howto:ffp#the_root_user
For ssh to work, you need correctly configured user accounts. If they are broken in /etc, you can still copy /etc (instead of mount --bind) and fix the files (using pwconv, pwck, passwd, usermod, etc). On the DNS-323, the passwd.sh start script does some of this. In particular, it changes shells from /bin/sh to /ffp/bin/sh, and ensures that /etc/shadow is present and correct.
Offline
Thanks for the link. I got a proper login. Without changing passwd it's opening /bin/sh, which is less powerful than /ffp/bin/sh, and it doesn't have /ffp/* in its PATH. With the earlier mentioned script it's solved.
I'll play around with passwd and shadow later. There is something funny with it. grep sees a different content than cat does.
Now I'm trying to find out what check_key does. Loading it in a hex editor shows the following strings:
/mnt/usb_key_func.sh
cp -f -p %s %s
/mnt/ras.bin
cp -f -p %s %s
cat %s %s %s | md5sum -c %s
/etc/Zy_Private
cat %s %s | md5sum -c %s
cmd = %s
-: OK
md5 check ok
md5 check error
It seems to catenate 2 or 3 files to md5sum, and check the result to some arbitrary file. Is there a way to watch which external calls check_key makes? (If external calls are the right words). I was thinking about renaming 'echo' to 'cat'. But since busybox looks to the name of the command it will not work.
Offline
Mijzelf wrote:
Is there a way to watch which external calls check_key makes? (If external calls are the right words). I was thinking about renaming 'echo' to 'cat'. But since busybox looks to the name of the command it will not work.
Try strace.
strace -o /path/to/writeable/directory/strace.log /path/to/check_key
strace.log will contain all the system calls made by check_key. Unfortunately, there's no way (that I know of) to track library calls on linux.
Offline
Great! I found it. When a (text)file contains two lines, lineA and lineB, then '/sbin/check_key file' does:
cp lineA lineA
cat /etc/Zy_Private lineA | md5sum -c lineB
the returnvalue of md5sum is the important stuff. By creating file lineB in this way:
cat /etc/Zy_Private lineA | md5sum >lineB
check_file returns 0. Bingo.
btw, /etc/Zy_Private contains 52103jeenajevol8290i\n
in hex: 35323130336A65656E616A65766F6C38323930690A
I don't see the purpose of cp lineA lineA. Maybe I'm mistaken about the function. The output is
cp: 'lineA' and 'lineA' are the same file.
So I created a script in the root of my usb stick:
usb_key_func.sh
#!/bin/sh
mkdir /tmp/usbstick
mount /dev/sdc1 /tmp/usbstick
cd /tmp/usbstick
mount -t proc proc proc
mount --bind /etc etc
mount --bind /dev dev
mount --bind /bin bin
mount --bind /sbin sbin
mount --bind /lib lib
chroot . /ffp/etc/rc
Then I ran from this root
cat /etc/Zy_Private usb_key_func.sh | md5sum >checksum
and created a file nsa220_check_file
/mnt/usb_key_func.sh
/mnt/checksum
After rebooting the device it didn't pass boot anymore, the 'sys' led which indicates it's initializing kept on flashing. I powered down the device and removed the usb stick, and it booted again. Then I changed a little in usb_key_func.sh, so checksum didn't fit anymore, and restarted the device. Now it booted fine. So obviously the script is executed on start, but somehow it doesn't return, or the execution of the script causes some other script to not return.
For the connoisseurs: here is /etc/rcS, which executes /mnt/usb_key_func.sh
#!/bin/sh

## Enable Core dump
ulimit -c unlimited

##### Set the path
#PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
#export PATH
ECHO="/bin/echo"
RM="/bin/rm"

##### ZyInit
##### Check firmware upgrade
##### Setup Root File System
##### Read clock from RTC
##### Mount necessary file systems
${ECHO} "Mounting file systems..."
/bin/mount -a

rfs=`cat /proc/cmdline | sed 's/^.*rootfstype=//g' | sed 's/root=.*$//g' `
if [ "$rfs" != "" ] && [ $rfs = "squashfs" ]; then
    # Create Ramdisk and mount it to /tmp
    /sbin/mke2fs -m 0 /dev/ram0
    mount /dev/ram0 /tmp
    /bin/tar zxf /tmp.tar.gz -C /
    # The following directories need to be writable
    mkdir /tmp/var
    cp -R /var/* /tmp/var
    mount --bind /tmp/var /var
    mkdir /tmp/etc
    cp -R /etc/* /tmp/etc
    mount --bind /tmp/etc /etc
    mkdir /tmp/home
    mount --bind /tmp/home /home
    mkdir /tmp/usr_etc
    cp -R /usr/local/etc/* /tmp/usr_etc
    mount --bind /tmp/usr_etc /usr/local/etc
    mkdir /tmp/usr_var
    mount --bind /tmp/usr_var /usr/local/var
    mkdir /tmp/e-data
    mount --bind /tmp/e-data /e-data
    mkdir /tmp/i-data
    mount --bind /tmp/i-data /i-data
    ln -s /etc/zyxel/storage/sysvol /i-data/md0
    mkdir /tmp/dmsf
    cp -R /usr/local/dmsf/* /tmp/dmsf
    mount --bind /tmp/dmsf /usr/local/dmsf
    mkdir /tmp/dev
    cp /sbin/makedev.sh /tmp/dev
    cd /tmp/dev; ./makedev.sh; cd /
    mount --bind /tmp/dev /dev
fi

# Write firmware checksum and version from MMCT to files for query.
# This must run before accessing /etc/zyxel; otherwise, mmap() in mmct_get may get wrong mapping area
# and cause Segmentation Fault! (This could be JFFS2 problem)
/sbin/mmct_get -v FwVersion > /etc/fwversion
/sbin/mmct_get -v FwRevision > /etc/revision
/sbin/mmct_get -v CoreChecksum > /etc/core_checksum
/sbin/mmct_get -v ZldChecksum > /etc/zld_checksum
/sbin/mmct_get -v RomChecksum > /etc/romfile_checksum

### Specify core dump location
${ECHO} "/i-data/md0/.zyxel/core.%e.%u.%g.%s" > /proc/sys/kernel/core_pattern

## mount /etc/zyxel from flash
cp -rf /etc/zyxel /tmp/zyxel
mount -t jffs2 /dev/mtdblock2 /etc/zyxel

##### Check configuration restoration
if [ -f /etc/zyxel/zyconf.tgz ]; then
    /bin/tar -zxf /etc/zyxel/zyconf.tgz -C /etc/zyxel
    if [ $? != 0 ]; then
        /bin/echo "*** Fail to restore configuration ***"
    fi
    /bin/rm -rf /etc/zyxel/zyconf.tgz
fi

##### /etc/zyxel recovery
if [ -e /etc/zyxel/conf ]; then
    ${ECHO} "/etc/zyxel/conf exist.."
else
    ${ECHO} "/etc/zyxel/conf does not exist.. recoverying /etc/zyxel.."
    rm -rf /etc/zyxel/*
    /bin/cp -rf /tmp/zyxel /etc/
fi
rm -rf /tmp/zyxel
#end of /etc/zyxel recovery
chmod 777 /etc/zyxel

#### BOOTBASE: MRD READ/WRITE
${ECHO} "Creating file bbmtd2..."
cat /dev/mtd3 > /etc/bbmtd2

##### Setup Network settings for temporary use
ifconfig egiga0 hw ether `/sbin/mrd_mac`
ifconfig egiga0 192.168.1.3
ip route append default via 192.168.1.1 dev egiga0
ifconfig lo add 127.0.0.1 netmask 255.0.0.0
ifconfig lo up

##### IEEE1394 modules
#insmod /lib/modules/ieee1394.ko
#insmod /lib/modules/ohci1394.ko
#insmod /lib/modules/sbp2.ko

##### SATA modules
insmod /lib/modules/libata.ko
insmod /lib/modules/ahci.ko

###### file system modules
insmod /lib/modules/reiserfs.ko
insmod /lib/modules/fat.ko
insmod /lib/modules/msdos.ko
insmod /lib/modules/vfat.ko
insmod /lib/modules/ntfs.ko
insmod /lib/modules/udf.ko
insmod /lib/modules/isofs.ko
modprobe fuse

#### lm85 module
insmod /lib/modules/hwmon-vid.ko
insmod /lib/modules/lm85.ko

##### HW monitor
/etc/init.d/conf_ADT7463A.sh

##### HTP
#execute HTP forever
if [ -f /usr/local/htp/htp.lst.internal ] ; then
    echo "Start HTP internal test, check HTP pin!"
    /usr/local/htp/htp_main -d -l -f /usr/local/htp/htp.lst.internal
fi
/usr/local/htp/htp_main atwl0xf1082330,30c0964f
/usr/local/htp/htp_main atwl0xf1084330,30c0964f
/usr/local/htp/htp_main atwl0xf1050420,006127c4
/usr/local/htp/htp_main atwl0xf10a0420,006127c4

any_usb=`sg_map -x -i|grep -v " 0 0 0 0"|grep -v " 1 0 0 0"|awk '{print $7}'`
echo "${any_usb}"
if [ -n "${any_usb}" ]; then
    for usb in ${any_usb}
    do
        mount "${usb}"1 /mnt
        /sbin/check_key /mnt/nsa220_check_file
        if [ $? == 0 ] ; then
            /mnt/usb_key_func.sh
            test $? -eq 0 && exit 0
        fi
        umount /mnt
    done
fi

# /mnt need to be writable
mkdir /tmp/mnt
mount --bind /tmp/mnt /mnt

# HTP may umount /etc/zyxel if doing flash r/w test, need to mount /etc/zyxel back if neccesary
cat /proc/mounts | grep "/etc/zyxel" > /dev/null
if [ $? != 0 ] ; then
    echo "HTP finished, re-mount /etc/zyxel"
    mount -t jffs2 /dev/mtdblock2 /etc/zyxel
fi

# This will force the automatic test machine to reboot the device,
# Note the string sould be exactly the same with "Press ENTER to continue..."
echo "Press ENTER to continue..."

##### Application, Daemon
##### zylogd
/bin/rm -rf /var/run/zylogd.pid
if [ -x /usr/sbin/zylogd ]; then
    ${ECHO} "Starting zylogd..."
    /usr/sbin/zylogd
fi

##### syslog-ng
if [ -x /usr/sbin/syslog-ng ]; then
    ${ECHO} "Starting syslog..."
    /usr/sbin/syslog-ng
fi

#### UAM
/bin/rm -f /var/run/uamd.pid
if [ -x /usr/sbin/uamd ]; then
    ${ECHO} "Starting uamd..."
    /usr/sbin/uamd
fi

# Crontab daemon is not yet ready
#crontab

# telnet server - mark by emma
#if [ -x /sbin/telnetd ]; then
# ${ECHO} "Starting telnet daemon..."
# /sbin/telnetd
#fi

##### Restore to default password file and etc
/sbin/account.sh

#### CUPS must before zysh.sh
#/etc/init.d/cups start
/bin/nice -n 17 /usr/sbin/cupsd

##### ZySH daemon & client
${ECHO} "Starting ZySH daemon and client..."
/sbin/zysh.sh

##### Enable/Disable Default Shares on /i-data/md0
md0mounted=`readlink /etc/zyxel/storage/sysvol`
if [ "${md0mounted}" == "" ]; then
    /bin/echo "configure terminal ip smb internal disable \"/i-data/md0\""
    /sbin/zyshclient -p 150 -e "configure terminal ip smb internal disable \"/i-data/md0\""
else
    /bin/echo "configure terminal ip smb internal enable \"/i-data/md0\""
    /sbin/zyshclient -p 150 -e "configure terminal ip smb internal enable \"/i-data/md0\""
fi

##### Enable/Disable Default Shares on /i-data/md1
md1mounted=`readlink /i-data/md1`
if [ "${md1mounted}" == "" ]; then
    /bin/echo "configure terminal ip smb internal disable \"/i-data/md1\""
    /sbin/zyshclient -p 150 -e "configure terminal ip smb internal disable \"/i-data/md1\""
else
    /bin/echo "configure terminal ip smb internal enable \"/i-data/md1\""
    /sbin/zyshclient -p 150 -e "configure terminal ip smb internal enable \"/i-data/md1\""
fi

##### Enable Shares on internal volumes
mdmounted=`cat /proc/mounts|grep -v "/home/share"|grep "/i-data/"|awk '{print $2}'`
for internalMP in ${mdmounted}; do
    /bin/echo "configure terminal ip smb internal enable \"${internalMP}\""
    /sbin/zyshclient -p 150 -e "configure terminal ip smb internal enable \"${internalMP}\""
done

##### Auto repair degraded RAIDx
/sbin/storage_autoRepair.sh

##### Add PTP camera
/sbin/hotplug_add_PTP.sh

##### Turn on swap
swap1=`sg_map -x -i | grep " 0 0 0 0"|awk '{print $7}'`
swap2=`sg_map -x -i | grep " 1 0 0 0"|awk '{print $7}'`
if [ "${swap1}" != "" ]; then
    swapon ${swap1}1 > /dev/null 2>&1
fi
if [ "${swap2}" != "" ]; then
    swapon ${swap2}1 > /dev/null 2>&1
fi

##### Samba, this will be initialized in ZySH
##### Samba, smbd
if [ -x /usr/sbin/smbd ]; then
    ${ECHO} "Starting smbd..."
    /bin/nice -n 17 /usr/sbin/smbd -D
fi

##### Samba, nmbd
if [ -x /usr/sbin/nmbd ]; then
    ${ECHO} "Starting nmbd..."
    /bin/nice -n 17 /usr/sbin/nmbd -D
fi

#insmod for mount storage
#insmod /lib/modules/reiserfs.ko
#insmod /lib/modules/fat.ko
#insmod /lib/modules/msdos.ko
#insmod /lib/modules/vfat.ko

##### Hotplug, check if any storage device is already attached
# delete obsolete file
${RM} -f /etc/zyxel/storage/DiskInfo.map
${RM} -f /etc/zyxel/storage/DiscInfo.map
#${RM} -f /tmp/sd[a-z] > /dev/null 2>&1
#if [ -x /sbin/findnewattach.sh ]; then
# /sbin/findnewattach.sh
#fi
/sbin/myhotplug > /dev/null 2>&1 &

#### disable POWER button interrupt
#if [ -x /sbin/btn.sh ]; then
# ${ECHO} "disable POWER button interrupt..."
# /sbin/btn.sh
#fi

### Copy Button
mknod /dev/btncpy c 254 0 # We will make device node here, not redundant code
/bin/nice -n 17 /usr/local/btn/do_btncpy # change nice value should also change BTNCPY_START.sh

##### Media server, this will be initialized in ZySH
##### Web Server
if [ -x /usr/sbin/httpd ]; then
    ${ECHO} "Starting Web Server..."
    /bin/nice -n -2 /usr/sbin/httpd -f /etc/service_conf/httpd.conf
fi

##### NDU Agent
${ECHO} "Starting NDU Agent..."
/bin/nice -n -3 /usr/sbin/nduagent

#### crond
${ECHO} "Starting crond..."
/bin/nice -n 17 /sbin/crond -L /dev/null

#### SYS Grean LED always on
# disable GPIO4 blinking
#/usr/local/htp/htp_main atwl0xf1010108,0x0000C000
/usr/local/htp/htp_test_items clearbit 0xf1010108 0x00000010
# set GPIO4 to always on
#/usr/local/htp/htp_main atwl0xf1010100,0x00820463
/usr/local/htp/htp_test_items clearbit 0xf1010100 0x00000010

####### CUPS
# Check printers already plug in NSA
/sbin/CheckPrinter
/usr/sbin/dsrv-mon.sh
/bin/nice -n 19 /usr/sbin/fadd
Last edited by Mijzelf (2009-10-07 13:58:34)
Offline
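The check reconstructed in the post above, modelled as an added example (not code from the thread or from the ZyXEL firmware). `build_key_set` and `check_key_model` are hypothetical helper names, the secret file is a constructed stand-in for /etc/Zy_Private, and a local directory plays the role of /mnt. It shows that the checksum covers only the file named on the first line of nsa220_check_file, so editing that script fails the check while other files on the stick are not covered at all.

```shell
#!/bin/sh
# Local model of: cat /etc/Zy_Private lineA | md5sum -c lineB
# DIR stands in for /mnt, SECRET_FILE for /etc/Zy_Private (constructed content).

# build_key_set DIR SECRET_FILE
# Writes DIR/checksum and DIR/nsa220_check_file for DIR/usb_key_func.sh.
build_key_set() {
    dir=$1
    secret=$2
    # md5sum of a pipe records the file name "-" (stdin) in the checksum file.
    cat "$secret" "$dir/usb_key_func.sh" | md5sum > "$dir/checksum"
    printf '%s\n%s\n' /mnt/usb_key_func.sh /mnt/checksum > "$dir/nsa220_check_file"
}

# check_key_model DIR SECRET_FILE
# Returns 0 when the keyed MD5 matches, 1 on mismatch, 2 on a malformed key set.
check_key_model() {
    dir=$1
    secret=$2
    line_a=$(sed -n 1p "$dir/nsa220_check_file")
    line_b=$(sed -n 2p "$dir/nsa220_check_file")
    [ -n "$line_a" ] && [ -n "$line_b" ] || return 2
    # Map the /mnt/ prefix used on the device onto the local directory.
    file_a="$dir/${line_a#/mnt/}"
    file_b="$dir/${line_b#/mnt/}"
    [ -f "$file_a" ] && [ -f "$file_b" ] || return 2
    # Because the checksum file names "-", md5sum -c re-hashes stdin,
    # which is why the binary contains the string "-: OK".
    cat "$secret" "$file_a" | md5sum -c "$file_b" >/dev/null 2>&1
}

# Walk through the three cases seen in the thread with constructed files.
demo() {
    work=$(mktemp -d) || return 1
    printf 'constructed-secret\n' > "$work/secret"
    mkdir "$work/stick"
    printf '#!/bin/sh\n/tmp/usbstick/usbstick_rc.sh\nexit 1\n' \
        > "$work/stick/usb_key_func.sh"
    build_key_set "$work/stick" "$work/secret"

    if check_key_model "$work/stick" "$work/secret"; then
        echo "unchanged usb_key_func.sh: check passes"
    fi
    # A second script on the stick is not part of the hashed input.
    echo 'echo hello' > "$work/stick/usbstick_rc.sh"
    if check_key_model "$work/stick" "$work/secret"; then
        echo "usbstick_rc.sh added: check still passes"
    fi
    # Any edit to the hashed script invalidates the stored checksum.
    echo '# edited' >> "$work/stick/usb_key_func.sh"
    if ! check_key_model "$work/stick" "$work/secret"; then
        echo "usb_key_func.sh edited: check fails"
    fi
    rm -rf "$work"
}

demo
```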
Mijzelf wrote:
...
After rebooting the device it didn't pass boot anymore,
...Code:
any_usb=`sg_map -x -i|grep -v " 0 0 0 0"|grep -v " 1 0 0 0"|awk '{print $7}'`
echo "${any_usb}"
if [ -n "${any_usb}" ]; then
    for usb in ${any_usb}
    do
        mount "${usb}"1 /mnt
        /sbin/check_key /mnt/nsa220_check_file
        if [ $? == 0 ] ; then
            /mnt/usb_key_func.sh
            test $? -eq 0 && exit 0
/ffp/etc/rc will likely return 0, and rcS exits.
If /mnt/usb_key_func.sh returns 0, the normal boot process stops. You might want to try 'exit 1' at the end of your usb_key_func.sh. To be sure, you might also want to start '/ffp/etc/rc' with an & at the end of the line to start it in the background.
Offline
You are right, as always. I changed my usb_key_func.sh:
#!/bin/sh
mkdir /tmp/usbstick
mount /dev/sdc1 /tmp/usbstick
cd /tmp/usbstick
if [ -e /tmp/usbstick/usbstick_rc.sh ]; then
    echo "function plug enable"
    /tmp/usbstick/usbstick_rc.sh
fi
# make /etc/rcS continue
exit 1
Now it works. I can change usbstick_rc.sh without need to rebuild the checksum.
For people interested I'll attach a valid set of nsa220_check_file, usb_key_func.sh and checksum. Extract this in the root of a USB stick, write a usbstick_rc.sh, and it will be executed when you reboot the NSA-220.
Edit: For some reason my tarfile isn't attached. If anybody is interested, tell me how to attach, or send me a PM.
Last edited by Mijzelf (2008-07-08 21:59:40)
Offline
Mijzelf wrote:
Now it works. I can change usbstick_rc.sh without need to rebuild the checksum.
For people interested I'll attach a valid set of nsa220_check_file, usb_key_func.sh and checksum. Extract this in the root of a USB stick, write a usbstick_rc.sh, and it will be executed when you reboot the NSA-220.
Edit: For some reason my tarfile isn't attached. If anybody is interested, tell me how to attach, or send me a PM.
Good work!
Attachments should work. There's a size limit, but your script should be small enough.
Btw, where's that other nsa-220 forum you mentioned in your first post?
Offline
The forum is http://forums.nas-central.org/viewforum.php?f=131
I'll retry the attach
Edit: This time the attachment arrived. Last time I attached it from my NAS. Maybe that is the problem.
Last edited by Mijzelf (2008-07-08 22:19:08)
Offline
There were some issues with the fileset I posted:
1) /etc/password, /etc/shadow and /etc/groups were rebuilt *after* the script was run. So you couldn't change them.
2) The harddisk was not yet mounted.
3) The /mnt directory could not be used.
4) For some reason the USB stick wasn't shared anymore, making it more difficult to maintain the filesystem on the stick.
5) For some reason the script is called more than once.
6) Insertion of another stick could change the devicename, which made the script fail.
So I wrote a new script to face these problems. This script checks for the existence of /tmp/usb_key_func.sh. If it already exists, the script has already run. If not it copies itself to /tmp/usb_key_func.sh. When stick/while_booting.sh exists and is executable it is called, while the stick is mounted at /mnt. When stick/after_booting.sh exists and is executable the copy in /tmp is started in the background. This copy waits until /etc/init.d/rcS is finished and /dev/md0 is mounted, then it calls after_booting.sh while the stick is mounted at /mnt/usbstick.
For reference I added my after_booting.sh. For some reason the stick is not shared by the samba server when while_booting.sh does something relevant.
When the NSA-220 has a raid1 configuration the raid device is called /dev/md0. When you've got another configuration I suppose you have to change usb_key_func.sh, to reflect this. In that case you'll also have to update nsa220_checksum.
Offline
Mijzelf wrote:
...
After rebooting the device it didn't pass boot anymore,
I recently started a new experiment you might like to try: running ffp without firmware ( http://dns323.kood.org/howto:ffp-reloaded ).
For this, I started to create packages with files that are needed to boot directly into ffp ( http://www.inreto.de/dns323/ffp-reloaded/packages/ ). It's probably still incomplete, but basics should work.
Using the 'exit' feature of the check_key script, you should be able to do this on your NAS, too, by simply returning zero, again - and running /ffp/etc/rc.sysinit instead of /ffp/etc/rc, or even exec'ing /ffp/sbin/init.
If network config is done after check_key is run, you'd need to add your own network config either to your usb_key script or /ffp/etc/rc.sysinit.
PS: You won't need the linux-kernel package, of course.
Last edited by fonz (2008-07-17 13:20:36)
Offline
I'm afraid this goes far beyond my linux knowledge, for the moment. In my /etc/init.d/rcS script lots of stuff is done after the usb_key_func script is called. For most of it I don't really know what it's doing. As far as I could investigate the harddisks are not yet mounted when the usb_key_func runs, but I can't find where and how it is done. The last program started is /sbin/fadd, but when I wait in a polling cycle for fadd to be running, /i-data/9fa0ddfe (the raid mountpoint) is still not mounted. Something does important stuff after rcS has completed.
From Howto:fun_plug I understand that fun_plug is called 30 seconds after /etc/rc.sh has completed. So why is it nice or important that I have a way to escape /etc/init.d/rcS halfway? And why don't I need the kernel package? Especially the 'of course' scares me, it points to an obvious difference between the NSA-220 and the DNS-323 which I'm missing.
Is my data in danger when I try this and the new kernel/rc.sysinit/whatever doesn't understand my raid1 array? (which has reiserfs, btw).
In howto:ffp-reloaded 'nohup' is used to boot into the new kernel. My firmware busybox doesn't support this. Is that important?
Edit: Is your website running on your DNS-323?
Last edited by Mijzelf (2008-07-17 14:06:40)
Offline
Mijzelf wrote:
I'm afraid this goes far beyond my linux knowledge, for the moment.
We'll come back to that, later
Mijzelf wrote:
From Howto:fun_plug I understand that fun_plug is called 30 seconds after /etc/rc.sh has completed. So why is it nice or important that I have a way to escape /etc/init.d/rcS halfway?
That's specific to the DNS-323 and not relevant for you. The idea is to keep the current kernel, but don't start the rest of the firmware (i.e. stop it through a simple 'exit 0'), but instead boot ffp as some kind of custom firmware.
Mijzelf wrote:
Edit: Is your website running on your DNS-323?
No, it's not. It's running on a rental server. But it's also lighttpd.
Offline
FFP on NSA-220 in 8 easy steps:
1) Plug a USB stick of at least 64MB in your NSA-220.
(Bigger is better, I suppose a USB harddisk will work as well, but I didn't test)
2) Use the web interface to log in to your box as admin.
3) Go to Administration->Storage
4) Use the 'Create an External Volume' button to change the filesystem of the stick to EXT2. This step will destroy all data on the stick.
Filesystems EXT3 or ReiserFS are OK too. Give the volume a nice name, FFP for instance.
5) The volume should be accessible via Samba. Extract the contents of ffp_for_NSA-220.zip (attached) to this share.
6) Download fun_plug.tgz here, and copy it to the share too.
The share should contain 6 files now.
7) In the web interface go to Shutdown->Restart.
8) Wait until the box has rebooted. Done!
The tgz files should have disappeared, and the directory /ffp should be filled with Fonz' wonderful stuff. And the box should run a telnet server now.
To enable an ssh server:
telnet to the device
type
chmod a+x /ffp/start/sshd.sh
/ffp/start/sshd.sh start
After a while the ssh server should be started. Try if it works. You have got two logins: root password root and user password user.
If it works, login as root and type
/sbin/reboot
The box should reboot. If the ssh server is in the air again, you can disable the telnet server:
chmod a-x /ffp/start/telnetd.sh
A warning: some of Fonz' packages contain DNS-323 specific stuff. I think it's *not* a good idea to try them on your NSA-220, especially not the tools which deal with the flash memory, like store-passwd.sh
Offline
Mijzelf wrote:
A warning: some of Fonz' packages contain DNS-323 specific stuff. I think it's *not* a good idea to try them on your NSA-220, especially not the tools which deal with the flash memory, like store-passwd.sh
Actually, I'm about to clean some of these up. In your after_boot.sh, you disable passwd.sh, rcS.sh and shells.sh - exactly these three will disappear soon
Did you post your progress in the other NSA-220 forum? I'm looking forward to feedback / success reports from other NSA-220 users.
Offline
Yes I posted the same recipe in the other(?) forum. I hope they will be delighted, and write dozens of success stories.
Should it be possible to let those 'dangerous' scripts (I suppose you won't clean up store-passwd.sh, since it's very useful) check if they are running on a DNS-323, before continuing?
Last edited by Mijzelf (2008-08-14 16:08:25)
Offline
Mijzelf wrote:
Should it be possible to let those 'dangerous' scripts (I suppose you won't clean up store-passwd.sh, since it's very useful) check if they are running on a DNS-323, before continuing?
I'll think about it. You could also add 'rm -f ffp/sbin/store-passwd.sh' to your boot script.
Offline
From the other forum:
Maybe I've been a bit too enthusiastic in cleaning up (or not populating) /etc. The original non-chrooted /etc is bound to /etc/orig. You can find all files you're missing here.
Please let me know when you find more files which are indispensable. I'll face this in an update.
You'll also need /etc/protocols, /etc/services and /etc/hosts for proper networking.
I suggest you try a link /etc -> /ffp/etc, and install the iana-etc package from: http://www.inreto.de/dns323/ffp-reloaded/packages/
You can find an example /ffp/etc/hosts in the ffp-reloaded package, or take it from /etc of your firmware.
Offline
Thanks. Is there any advantage on using the iana files above the firmware ones?
Offline
Mijzelf wrote:
Thanks. Is there any advantage on using the iana files above the firmware ones?
The iana-etc files are complete. The files included in my DNS-323 firmware are, well, incomplete, and lack common service names like 'ntp'.
See also http://sethwklein.net/iana-etc
Offline