DSM-G600, DNS-3xx and NSA-220 Hack Forum

Unfortunately no one can be told what fun_plug is - you have to see it for yourself.

You are not logged in.

#1 2008-07-05 17:11:30

Mijzelf
Member / Developer
Registered: 2008-07-05
Posts: 678

fun_plug on ZyXEL NSA-220.

First, sorry about breaking in with a different NAS. There is a NSA-220 forum, but it's not very active.

I'm facing some problems while trying to get a fun_plug on an NSA-220.
1) With a mild hack it is possible to get telnet root access on the device. I installed ffp 0.4, an it partly works. Now I want this to start automatically. There is a scriptlet executed on boot of the device:

Code:

any_usb=`sg_map -x -i|grep -v " 0 0 0 0"|grep -v " 1 0 0 0"|awk '{print $7}'`
echo "${any_usb}"
if [ -n "${any_usb}" ]; then
        for usb in ${any_usb}
        do
                mount "${usb}"1 /mnt
                /sbin/check_key /mnt/nsa220_check_file
                if [ $? == 0 ] ; then
                        /mnt/usb_key_func.sh
                        test $? -eq 0 && exit 0
                fi
                umount /mnt
        done
fi

This seems to mount all external USB storage devices, and when '/sbin/check_key /mnt/nsa220_check_file' returns a 0, the script /mnt/usb_key_func.sh is executed. So it should be possible to auto execute fun_plug from an USB stick.
I download the firmware sources from ftp://opensource.zyxel.com, to find out what check_key does. Unfortunately I can't find the sources in the package. The only mention of check_key is in a makefile:

Code:

# Makefile for NSA-220

# system tools
CP=/bin/cp -rfl
RM=/bin/rm
FIND=/usr/bin/find
MKDIR=mkdir
MODEL=NSA220

# toolchain path
export PATH=/opt/montavista/pro/devkit/arm/v5t_le/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:${HOME}/bin

export CROSS=arm_v5t_le-

export CROSS_CC=${CROSS}gcc
export CROSS_CXX=${CROSS}cpp
export CROSS_AR=${CROSS}ar
export CROSS_LD=${CROSS}ld
export CROSS_RANLIB=${CROSS}ranlib
export CROSS_STRIP=${CROSS}strip

export HOST_CC=gcc

# for configure --build=$PLATFORM_BUILD --host=$PLATFORM_HOST
export PLATFORM_BUILD=i386-linux
export PLATFORM_HOST=arm-linux
export PLATFORM_TARGET=arm-linux
export PLATFORM_PREFIX=/opt/montavista/pro/devkit/arm/v5t_le/target

# path for build
export PRODUCT_ROOT=${PWD}
export SYSAPPS_PATH=${PRODUCT_ROOT}/sysapps
export DEST_PATH=${PRODUCT_ROOT}/build/apptarget
export RAS_PATH=${PRODUCT_ROOT}/build/fs

# the kernel from MontaVista. Some special header files and definitions are here.
export MV_KERNEL_PATH=/opt/montavista/pro/devkit/lsp/arm-versatile926ejs-arm_v5t_le/linux-2.6.10_mv1401

# the kernel for system
kversion=2.6.18.6
ifeq ($(kernel), 2.6.12)
kversion=2.6.12.6-1.10.3
else
kernel=2.6.18
endif
export KERNEL_PATH=${PRODUCT_ROOT}/linux-${kversion}

# specify root file system
# Allowable value: ext2, squash
rfs=squash
ifeq ($(rootfs), ext2)
rfs=ext2
endif

# native target path which contains a native environment
export TARGET_PATH=/opt/montavista/pro/devkit/arm/v5t_le/target

.PHONY: help

help:
   @echo "make          - Thi help menu."
   @echo ""
   @echo "make all - Build everything and create RAS image file."
   @echo ""
   @echo "make world [kernel=] - Build everything."
   @echo ""
#   @echo "make clean       - Clean all object files; this is not available now."
#   @echo ""
   @echo "make buildkernel [kernel=] - Build kernel image."
   @echo ""
   @echo "make <package>       - Build the package."
   @echo "      package list : busybox samba zysh nduagent uam fauthd mlogin ntpdate"
   @echo "                     syslog-ng libzyboot"
   @echo "                     zysh-cgi file_export file_upload file_download"
   @echo "                     htp lm-sensors btnd backdoor mtd-util check_key"
   @echo ""
   @echo "make ras [kernel=] [rootfs=] - Create RAS image file."
   @echo "                     Make sure you already make world."
   @echo ""
   @echo "[kernel=] : "
   @echo "      to specify kernel version, by using kernel=kernel_version, "
   @echo "      default is 2.6.18, allowable value are 2.6.18, 2.6.12"
   @echo "      e.g."
   @echo "      make buildkernel kernel=2.6.12, build kernel 2.6.12.6-1.10.3"
   @echo "      make ras , build kernel 2.6.18.6"
   @echo "[rootfs=]: "
   @echo "      to specify root file system type"
   @echo "      default is squash, allowable value are squash, ext2"
   @echo "      e.g."
   @echo "      make ras rootfs=ext2 to make EXT2 root file system"
   @echo "Some environment variables:"
   @echo "  CROSS_CC=${CROSS_CC}"
   @echo "  DEST_PATH=${DEST_PATH}"
   @echo "  RAS_PATH=${RAS_PATH}"


world: prebuild buildkernel busybox dev
   @echo "==> The end of the world!"

clean: kernel.clean busybox.clean 

prebuild:
   @echo "==> $@"
   ${MKDIR} -p ${RAS_PATH}
   ${RM} -rf ${RAS_PATH}/*
   ${CP} --preserve=all ${PRODUCT_ROOT}/basicfs/* ${RAS_PATH}
   ${CP} --preserve=all ${PRODUCT_ROOT}/basicfs/.mtoolsrc ${RAS_PATH}
   ${FIND} ${RAS_PATH} -name .svn | xargs rm -rf
   chmod 777 ${RAS_PATH}/tmp
   chmod 777 ${RAS_PATH}/tmp/users/home
   chmod 777 ${RAS_PATH}/tmp/users/shares

   @echo "==> Clear tmporary build dir"
   ${RM} -rf ${DEST_PATH}/bin/*
   ${RM} -rf ${DEST_PATH}/sbin/*
   ${RM} -rf ${DEST_PATH}/usr/bin/*
   ${RM} -rf ${DEST_PATH}/usr/sbin/*
   ${RM} -rf ${DEST_PATH}/lib/*
   ${RM} -rf ${DEST_PATH}/usr/lib/*
   ${RM} -rf ${DEST_PATH}/usr/include/*
   ${RM} -rf ${DEST_PATH}/util/*
   ${RM} -rf ${DEST_PATH}/root/*


ras:
   @echo "==> $@"
   ${RM} -rf ${RAS_PATH}/lib/modules
   ${RM} -rf ${RAS_PATH}/lib/modules_kernel_2.6.12
ifeq ($(kernel), 2.6.12)
   ${CP} --preserve=all ${PRODUCT_ROOT}/basicfs/lib/modules_kernel_2.6.12 ${RAS_PATH}/lib/modules
else
   ${CP} --preserve=all ${PRODUCT_ROOT}/basicfs/lib/modules ${RAS_PATH}/lib/modules
endif
   ${FIND} ${RAS_PATH} -name .svn | xargs rm -rf
   cd build ; ./makeras.sh -k ${kernel} -f ${rfs} -b "${beta_ver}" -c "${fcs_ver}"

buildkernel:
   @echo "==> $@, Kernel version is ${kernel}"
   make -C ${KERNEL_PATH} zImage
   ${CP} --remove-destination ${KERNEL_PATH}/arch/arm/boot/zImage ${PRODUCT_ROOT}/build

all: world ras
    @echo "==> The end of the all!"

kernel.clean:
   @echo "==> $@"
   make -C ${KERNEL_PATH} clean

busybox:
   @echo "==> $@"
   cd ${SYSAPPS_PATH}/busybox-1.1.1 ; make install
   chmod +s ${RAS_PATH}/bin/busybox

busybox.clean:
   @echo "==> $@"
   cd ${SYSAPPS_PATH}/busybox-1.1.1 ; make clean
   # DO NOT make distclean

dev:
   @echo "==> $@"
   ./makedev.sh

In section help is mentioned that you can 'make check_key'. Can anybody tell me what this file does when you run 'make check_key'?

2) With ffp 0.4 I can start dropbear, but not some other tools, due to a missing /lib/ld-uClibc.so.0. Some reading here learnt me that the DNS-313 has the same problem. It seems to me Fonz has solved this in ffp 0.5. Unfortunately I can't run this version, because the script wants to add a file \ffp, and I've got a readonly \. It seems it's located in rom. Does anybody know a workaround for this?

Offline

 

#2 2008-07-05 19:33:22

fonz
Member / Developer
From: Berlin
Registered: 2007-02-06
Posts: 1716
Website

Re: fun_plug on ZyXEL NSA-220.

Mijzelf wrote:

...
I'm facing some problems while trying to get a fun_plug on an NSA-220.
1) ... Can anybody tell me what this file does when you run 'make check_key'?

It'll look for check_key.c and invoke the compiler.

Mijzelf wrote:

2) With ffp 0.4 I can start dropbear, but not some other tools, due to a missing /lib/ld-uClibc.so.0. Some reading here learnt me that the DNS-313 has the same problem. It seems to me Fonz has solved this in ffp 0.5. Unfortunately I can't run this version, because the script wants to add a file \ffp, and I've got a readonly \. It seems it's located in rom. Does anybody know a workaround for this?

My funplugs up to 0.4 are made for the DNS-323 libraries. 0.5 is the first version that does not depend on any firmware support.

Linksys WRT 350N also has a read-only root directory. Sconk worked around by extending the firmware image, adding a /ffp directory (you can then mount --bind /.../ffp /ffp).

To get started, chroot'ing ffp might be an option. Assuming you have telnet access, you can install an chroot like this:

Code:

cd /some/writable/directory

wget http://www.inreto.de/dns323/fun-plug/0.5/fun_plug.tgz
mkdir ffp
tar xzf fun_plug.tgz -C ffp

mkdir proc
mount -t proc proc proc

mkdir etc
mount --bind /etc etc

mkdir dev
mount --bind /dev dev

chroot . /ffp/bin/sh

This will give you a chroot'ed ffp shell. You will most likely want to mount/bind-mount a few additional directories. Exit the ffp shell with 'exit', and unmount all the stuff:

Code:

umount dev
umount etc
umount proc

If that works, you can start automating stuff. Cleanup ffp/start, there's stuff for the DNS-323 that you won't need:

Code:

chmod a-x ffp/start/passwd.sh
chmod a-x ffp/start/rcS.sh
chmod a-x ffp/start/shells.sh

You might want to change telnetd.sh to add '-p 1234' to telnetd_flags to change the ffp-telnet port, or disable telnetd and enable sshd instead:

Code:

chmod a-x ffp/start/telnetd.sh
chmod a+x ffp/start/sshd.sh

You can then try to chroot /ffp/etc/rc instead of /ffp/bin/sh:

Code:

chroot . /ffp/etc/rc

This will trigger normal ffp startup.

Offline

 

#3 2008-07-06 21:01:31

Mijzelf
Member / Developer
Registered: 2008-07-05
Posts: 678

Re: fun_plug on ZyXEL NSA-220.

Thanks. I tried this, and it seems to work. Alas I can't start a telnet server, because I'm already running one, so the port is occupied. I can start sshd, but I get an 'access denied' when I try to login. Some investigation learned that sshd.sh adds a user sshd to passwd, shadow and group, when it doesn't exist already, but it doesn't seem to add the user.
When I do a 'cat /etc/passwd', I can't find a sshd. But when I do a 'grep '^sshd:' /etc/passwd' I get
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
How is this possible?

I tried to use dropbear instead, but the shell closes immediately after login. I saw the same behaviour when I used dropbear with ffp 0.4. The reason then was it used fun_plug.d/bin/sh as shell, which couldn't start due to missing ld-uClibc.so.0. When I changed the shell to /bin/sh it worked.

So I added /bin and /lib to the chrooted /, and changed the shell to /bin/sh. Unfortunately there still doesn't start a shell after login. Logfile:

[12926] Jul 06 17:21:07 Running in background
[12940] Jul 06 17:21:36 Child connection from 10.0.0.2:1084
[12940] Jul 06 17:21:40 password auth succeeded for 'admin' from 10.0.0.2:1084
[12940] Jul 06 17:21:40 exit after auth (admin): Exited normally

I created a script

Code:

#!/ffp/bin/sh
export PATH=/ffp/sbin:/ffp/bin:/usr/sbin:/sbin:/usr/bin:/bin
/ffp/bin/sh

which I chrooted to the same directory as /ffp/etc/rc. From this shell I can start /bin/sh. What's going wrong with dropbear?
The script which starts dropbear:

Code:

#!/bin/sh

# export PATH=/ffp/sbin:/ffp/bin:/usr/sbin:/sbin:/usr/bin:/bin

ETCDIR=/ffp/etc
BINDIR=/ffp/bin
LOGDIR=/ffp/tmp/log

RSAF=${ETCDIR}/dropbear/dropbear_rsa_host_key
DSAF=${ETCDIR}/dropbear/dropbear_dsa_host_key
PIDF=${LOGDIR}/dropbear.pid
LOGF=${LOGDIR}/dropbear.log

dropbear_start() {
    if [ -x "${BINDIR}/dropbear" ]; then
        if [ ! -d "${ETCDIR}/dropbear" ]; then
            mkdir -p ${ETCDIR}/dropbear
        fi
        
        if [ ! -e /dev/random ]; then
            mknod /dev/random c 1 8
        fi
        
        if [ ! -e "$DSAF" ]; then
            echo "Generating DSA host key..."
            ${BINDIR}/dropbearkey -t dss -f ${DSAF}
        fi
        if [ ! -e "$RSAF" ]; then
            echo "Generating RSA host key..."
            ${BINDIR}/dropbearkey -t rsa -f ${RSAF}
        fi
        
        if [ ! -e "/dev/ptmx" ]; then
            mknod -m 0666 /dev/ptmx c 5 2 
        fi
        
        if [ ! -d "/dev/pts" ]; then
            mkdir -p /dev/pts
        fi
        
        mount | grep devpts 1>/dev/null 2>/dev/null
        if [ $? -ne 0 ]; then
            mount -t devpts devpts /dev/pts
        fi
        
        # sftp-server: /dev/null must be writeable
        chmod a+w /dev/null
        
        # need /usr/bin/scp
        # http://forum.dsmg600.info/t529-without-password.html
        if [ ! -e /usr/bin/scp ]; then
            ( cd /usr/bin; ln -s ${BINDIR}/scp )
        fi
        
        echo "Starting dropbear ..."
#        ${BINDIR}/dropbear -d ${DSAF} -r ${RSAF} -P ${PIDF} -E -l $(BINDIR)/sh 1>${LOGF} 2>&1 &
        ${BINDIR}/dropbear -d ${DSAF} -r ${RSAF} -P ${PIDF} -E -l /bin/sh 1>${LOGF} 2>&1 &
     else
        echo "ERROR: dropbear not found or not executable"
    fi
}

dropbear_stop() {
    killall dropbear
}

dropbear_status() {
    if [ -n "$(pidof dropbear)" ]; then
        echo "running"
    else
        echo "stopped"
    fi
}

case "$1" in
    stop)
        dropbear_stop
        ;;
    restart)
        dropbear_stop
        sleep 1
        dropbear_start
        ;;
    status)
        dropbear_status
        ;;
    start|'')
        dropbear_start
        ;;
    *)
        echo "Usage: $0 start|stop|restart|status"
        ;;
esac

It is a bit impractical not to be able to start sshd or telnetd, because the telnetserver I'm using to achieve this quits after 3 minutes of inactivity, and closes all open shells.

Offline

 

#4 2008-07-06 23:28:13

fonz
Member / Developer
From: Berlin
Registered: 2007-02-06
Posts: 1716
Website

Re: fun_plug on ZyXEL NSA-220.

Mijzelf wrote:

... Alas I can't start a telnet server, because I'm already running one, so the port is occupied. ... It is a bit impractical not to be able to start sshd or telnetd, because the telnetserver I'm using to achieve this quits after 3 minutes of inactivity, and closes all open shells.

Start the ffp telnetd on a different port, then. Edit ffp/start/telnetd.sh and change telnetd_flags:

Code:

telnetd_flags="-l /ffp/bin/sh -p 2300"

should start a telnet server on port 2300.

Offline

 

#5 2008-07-07 15:59:40

Mijzelf
Member / Developer
Registered: 2008-07-05
Posts: 678

Re: fun_plug on ZyXEL NSA-220.

It should, but it doesn't, because telnetd is already running. I had to change ffp/etc/ffp.subr a bit to pull down the check. Now it runs! Yes! Thanks.

When I connect to port 2300 now, I immediately get a shell with root rights. Is it easy to have to login instead? It's not really important for now, but it's a bit, well, uncomfortable. My childs aren't old enough to exploit this, but times they are achanging.

Offline

 

#6 2008-07-07 16:17:41

fonz
Member / Developer
From: Berlin
Registered: 2007-02-06
Posts: 1716
Website

Re: fun_plug on ZyXEL NSA-220.

Mijzelf wrote:

I had to change ffp/etc/ffp.subr a bit to pull down the check. Now it runs! Yes! Thanks.

Good point.

Mijzelf wrote:

When I connect to port 2300 now, I immediately get a shell with root rights. Is it easy to have to login instead? It's not really important for now, but it's a bit, well, uncomfortable. My childs aren't old enough to exploit this, but times they are achanging.

The open root shell is necessary on the DNS-323, because the root user is disabled - i.e. a proper root login doesn't work until you fix the password files. Here's some documentation about the issue: http://wiki.dns323.info/howto:ffp#the_root_user

For ssh to work, you need correctly configured user accounts. If they are broken in /etc, you can still copy /etc (instead of mount --bind) and fix the files (using pwconv, pwck, passwd, usermod, etc). On the DNS-323, the passwd.sh start script does some of this. In particular, it changes shells from /bin/sh to /ffp/bin/sh, and ensures that /etc/shadow is present and correct.

Offline

 

#7 2008-07-07 21:26:28

Mijzelf
Member / Developer
Registered: 2008-07-05
Posts: 678

Re: fun_plug on ZyXEL NSA-220.

Thanks for the link. I got a proper login. Without changing passwd it's opening /bin/sh, which is less powerfull then /ffp/bin/sh, and it doesn't have /ffp/* in it's PATH. With the earlier mentioned script it's solved.

I'll play around with passwd and shadow later. There is someting funny with it. grep sees a different content than cat does.

Now I'm trying to find out what check_key does. Loading it in an hexeditor show the next strings:

/mnt/usb_key_func.sh
cp -f -p %s %s
/mnt/ras.bin
cp -f -p  %s %s
cat %s %s %s | md5sum -c %s
/etc/Zy_Private
cat %s %s | md5sum -c %s
cmd = %s
-: OK
md5 check ok
md5 check error

It seems to catenate 2 or 3 files to md5sum, and check the result to some arbitrary file. It there a way to watch which external calls check_key makes? (If external calls are the right words). I was thinking about renaming 'echo' to 'cat'. But since busybox looks to the name of the command it will not work.

Offline

 

#8 2008-07-07 22:34:29

fonz
Member / Developer
From: Berlin
Registered: 2007-02-06
Posts: 1716
Website

Re: fun_plug on ZyXEL NSA-220.

Mijzelf wrote:

It there a way to watch which external calls check_key makes? (If external calls are the right words). I was thinking about renaming 'echo' to 'cat'. But since busybox looks to the name of the command it will not work.

Try strace.

Code:

strace -o /path/to/writeable/directory/strace.log /path/to/check_key

strace.log will contain all the systems calls made by check_key. Unfortunately, there's no way (that I know of) to track library calls on linux.

Offline

 

#9 2008-07-08 01:50:35

Mijzelf
Member / Developer
Registered: 2008-07-05
Posts: 678

Re: fun_plug on ZyXEL NSA-220.

Great! I found it. When a (text)file contains two lines, lineA and lineB, then '/sbin/check_key file' does:

cp lineA lineA
cat /etc/Zy_Private lineA | md5sum -c lineB

the returnvalue of md5sum is the important stuff. By creating file lineB in this way:
cat /etc/Zy_Private lineA | md5sum >lineB
check_file returns 0. Bingo.

btw, /etc/Zy_Private contains 52103jeenajevol8290i\n
in hex: 35323130336A65656E616A65766F6C38323930690A

I don't see the purpose of cp lineA lineA. Maybe I'm mistaken about the function. The output is
cp: 'lineA' and 'lineA' are the same file.

So I created a script in the root of my usb stick:
usb_key_func.sh

Code:

#!/bin/sh

mkdir /tmp/usbstick
mount /dev/sdc1 /tmp/usbstick
cd /tmp/usbstick

mount -t proc proc proc
mount --bind /etc etc
mount --bind /dev dev
mount --bind /bin bin
mount --bind /sbin sbin
mount --bind /lib lib

chroot . /ffp/etc/rc

Then I run from this root
cat /etc/Zy_Private usb_key_func.sh | md5sum >checksum

and created a file nsa220_check_file

Code:

/mnt/usb_key_func.sh
/mnt/checksum

After rebooting the device it didn't pass boot anymore, the 'sys' led which indicates it's initializing kept on flashing. I powered down the device and removed the usb stick, and it booted again. Then I changed a little in usb_key_func.sh, so checksum didn't fit anymore, and restarted the device. Now it booted fine. So obviously the script is executed on start, but somehow it doesn't return, or the execution of the script causes some other script to not return.

For the connaiseurs: here is /etc/rcS, which executes /mnt/usb_key_func.sh

Code:

#!/bin/sh

## Enable Core dump
ulimit -c unlimited

##### Set the path
#PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
#export PATH
ECHO="/bin/echo"
RM="/bin/rm"

##### ZyInit

##### Check firmware upgrade

##### Setup Root File System

##### Read clock from RTC

##### Mount necessary file systems
${ECHO} "Mounting file systems..."
/bin/mount -a

rfs=`cat /proc/cmdline | sed 's/^.*rootfstype=//g' | sed 's/root=.*$//g' `
if [ "$rfs" != "" ] && [ $rfs = "squashfs" ]; then
        # Create Ramdisk and mount it to /tmp
        /sbin/mke2fs -m 0 /dev/ram0
        mount /dev/ram0 /tmp
        /bin/tar zxf /tmp.tar.gz -C /

        # The following directories need to be writable
        mkdir /tmp/var
        cp -R /var/* /tmp/var
        mount --bind /tmp/var /var

        mkdir /tmp/etc
        cp -R /etc/* /tmp/etc
        mount --bind /tmp/etc /etc

        mkdir /tmp/home
        mount --bind /tmp/home /home

        mkdir /tmp/usr_etc
        cp -R /usr/local/etc/* /tmp/usr_etc
        mount --bind /tmp/usr_etc /usr/local/etc

        mkdir /tmp/usr_var
        mount --bind /tmp/usr_var /usr/local/var

        mkdir /tmp/e-data
        mount --bind /tmp/e-data /e-data

        mkdir /tmp/i-data
        mount --bind /tmp/i-data /i-data
        ln -s /etc/zyxel/storage/sysvol /i-data/md0

        mkdir /tmp/dmsf
        cp -R /usr/local/dmsf/* /tmp/dmsf
        mount --bind /tmp/dmsf /usr/local/dmsf

        mkdir /tmp/dev
        cp /sbin/makedev.sh /tmp/dev
        cd /tmp/dev; ./makedev.sh; cd /
        mount --bind /tmp/dev /dev
fi

# Write firmware checksum and version from MMCT to files for query.
# This must run before accessing /etc/zyxel; otherwise, mmap() in mmct_get may get wrong mapping area
# and cause Segmentation Fault! (This could be JFFS2 problem)
/sbin/mmct_get -v FwVersion > /etc/fwversion
/sbin/mmct_get -v FwRevision > /etc/revision
/sbin/mmct_get -v CoreChecksum > /etc/core_checksum
/sbin/mmct_get -v ZldChecksum > /etc/zld_checksum
/sbin/mmct_get -v RomChecksum > /etc/romfile_checksum

### Specify core dump location
${ECHO} "/i-data/md0/.zyxel/core.%e.%u.%g.%s" > /proc/sys/kernel/core_pattern


## mount /etc/zyxel from flash
cp -rf /etc/zyxel /tmp/zyxel
mount -t jffs2 /dev/mtdblock2 /etc/zyxel

##### Check configuration restoration
if [ -f /etc/zyxel/zyconf.tgz ]; then
        /bin/tar -zxf /etc/zyxel/zyconf.tgz -C /etc/zyxel

        if [ $? != 0 ]; then
                /bin/echo "*** Fail to restore configuration ***"
        fi

        /bin/rm -rf /etc/zyxel/zyconf.tgz
fi

##### /etc/zyxel recovery
if [ -e /etc/zyxel/conf ]; then
        ${ECHO} "/etc/zyxel/conf exist.."
else
        ${ECHO} "/etc/zyxel/conf does not exist.. recoverying /etc/zyxel.."
        rm -rf /etc/zyxel/*
        /bin/cp -rf /tmp/zyxel /etc/
fi
rm -rf /tmp/zyxel
#end of /etc/zyxel recovery

chmod 777 /etc/zyxel

#### BOOTBASE: MRD READ/WRITE
${ECHO} "Creating file bbmtd2..."
cat /dev/mtd3 > /etc/bbmtd2

##### Setup Network settings for temporary use
ifconfig egiga0 hw ether `/sbin/mrd_mac`
ifconfig egiga0 192.168.1.3
ip route append default via 192.168.1.1 dev egiga0
ifconfig lo add 127.0.0.1 netmask 255.0.0.0
ifconfig lo up

##### IEEE1394 modules
#insmod /lib/modules/ieee1394.ko
#insmod /lib/modules/ohci1394.ko
#insmod /lib/modules/sbp2.ko

##### SATA modules
insmod /lib/modules/libata.ko
insmod /lib/modules/ahci.ko

###### file system modules
insmod /lib/modules/reiserfs.ko
insmod /lib/modules/fat.ko
insmod /lib/modules/msdos.ko
insmod /lib/modules/vfat.ko
insmod /lib/modules/ntfs.ko
insmod /lib/modules/udf.ko
insmod /lib/modules/isofs.ko
modprobe fuse

#### lm85 module
insmod /lib/modules/hwmon-vid.ko
insmod /lib/modules/lm85.ko

##### HW monitor
/etc/init.d/conf_ADT7463A.sh

##### HTP
#execute HTP forever
if [ -f /usr/local/htp/htp.lst.internal ] ; then
        echo "Start HTP internal test, check HTP pin!"
        /usr/local/htp/htp_main -d -l -f /usr/local/htp/htp.lst.internal
fi

/usr/local/htp/htp_main atwl0xf1082330,30c0964f
/usr/local/htp/htp_main atwl0xf1084330,30c0964f
/usr/local/htp/htp_main atwl0xf1050420,006127c4
/usr/local/htp/htp_main atwl0xf10a0420,006127c4

any_usb=`sg_map -x -i|grep -v " 0 0 0 0"|grep -v " 1 0 0 0"|awk '{print $7}'`
echo "${any_usb}"
if [ -n "${any_usb}" ]; then
        for usb in ${any_usb}
        do
                mount "${usb}"1 /mnt
                /sbin/check_key /mnt/nsa220_check_file
                if [ $? == 0 ] ; then
                        /mnt/usb_key_func.sh
                        test $? -eq 0 && exit 0
                fi
                umount /mnt
        done
fi

# /mnt need to be writable
mkdir /tmp/mnt
mount --bind /tmp/mnt /mnt

# HTP may umount /etc/zyxel if doing flash r/w test, need to mount /etc/zyxel back if neccesary
cat /proc/mounts | grep "/etc/zyxel" > /dev/null
if [ $? != 0 ] ; then
        echo "HTP finished, re-mount /etc/zyxel"
        mount -t jffs2 /dev/mtdblock2 /etc/zyxel
fi

# This will force the automatic test machine to reboot the device,
# Note the string sould be exactly the same with "Press ENTER to continue..."
echo "Press ENTER to continue..."

##### Application, Daemon

##### zylogd
/bin/rm -rf /var/run/zylogd.pid
if [ -x /usr/sbin/zylogd ]; then
        ${ECHO} "Starting zylogd..."
        /usr/sbin/zylogd
fi

##### syslog-ng
if [ -x /usr/sbin/syslog-ng ]; then
        ${ECHO} "Starting syslog..."
        /usr/sbin/syslog-ng
fi

#### UAM
/bin/rm -f /var/run/uamd.pid
if [ -x /usr/sbin/uamd ]; then
        ${ECHO} "Starting uamd..."
        /usr/sbin/uamd
fi

# Crontab daemon is not yet ready
#crontab

# telnet server - mark by emma
#if [ -x /sbin/telnetd ]; then
#       ${ECHO} "Starting telnet daemon..."
#       /sbin/telnetd
#fi

##### Restore to default password file and etc
/sbin/account.sh

#### CUPS must before zysh.sh
#/etc/init.d/cups start
/bin/nice -n 17 /usr/sbin/cupsd

##### ZySH daemon & client
${ECHO} "Starting ZySH daemon and client..."
/sbin/zysh.sh

##### Enable/Disable Default Shares on /i-data/md0
md0mounted=`readlink /etc/zyxel/storage/sysvol`
if [ "${md0mounted}" == "" ]; then
        /bin/echo "configure terminal ip smb internal disable \"/i-data/md0\""
        /sbin/zyshclient -p 150 -e "configure terminal ip smb internal disable \"/i-data/md0\""
else
        /bin/echo "configure terminal ip smb internal enable \"/i-data/md0\""
        /sbin/zyshclient -p 150 -e "configure terminal ip smb internal enable \"/i-data/md0\""
fi

##### Enable/Disable Default Shares on /i-data/md1
md1mounted=`readlink /i-data/md1`
if [ "${md1mounted}" == "" ]; then
        /bin/echo "configure terminal ip smb internal disable \"/i-data/md1\""
        /sbin/zyshclient -p 150 -e "configure terminal ip smb internal disable \"/i-data/md1\""
else
        /bin/echo "configure terminal ip smb internal enable \"/i-data/md1\""
        /sbin/zyshclient -p 150 -e "configure terminal ip smb internal enable \"/i-data/md1\""
fi

##### Enable Shares on internal volumes
mdmounted=`cat /proc/mounts|grep -v "/home/share"|grep "/i-data/"|awk '{print $2}'`
for internalMP in ${mdmounted}; do
        /bin/echo "configure terminal ip smb internal enable \"${internalMP}\""
        /sbin/zyshclient -p 150 -e "configure terminal ip smb internal enable \"${internalMP}\""
done

##### Auto repair degraded RAIDx
/sbin/storage_autoRepair.sh

##### Add PTP camera
/sbin/hotplug_add_PTP.sh

##### Turn on swap
swap1=`sg_map -x -i | grep " 0 0 0 0"|awk '{print $7}'`
swap2=`sg_map -x -i | grep " 1 0 0 0"|awk '{print $7}'`
if [ "${swap1}" != "" ]; then
        swapon ${swap1}1 > /dev/null 2>&1
fi
if [ "${swap2}" != "" ]; then
        swapon ${swap2}1 > /dev/null 2>&1
fi

##### Samba, this will be initialized in ZySH
##### Samba, smbd
if [ -x /usr/sbin/smbd ]; then
        ${ECHO} "Starting smbd..."
        /bin/nice -n 17 /usr/sbin/smbd -D
fi

##### Samba, nmbd
if [ -x /usr/sbin/nmbd ]; then
        ${ECHO} "Starting nmbd..."
        /bin/nice -n 17 /usr/sbin/nmbd -D
fi

#insmod for mount storage
#insmod /lib/modules/reiserfs.ko
#insmod /lib/modules/fat.ko
#insmod /lib/modules/msdos.ko
#insmod /lib/modules/vfat.ko


##### Hotplug, check if any storage device is already attached
# delete obsolete file
${RM} -f /etc/zyxel/storage/DiskInfo.map
${RM} -f /etc/zyxel/storage/DiscInfo.map
#${RM} -f /tmp/sd[a-z] > /dev/null 2>&1
#if [ -x /sbin/findnewattach.sh ]; then
#  /sbin/findnewattach.sh
#fi
/sbin/myhotplug > /dev/null 2>&1 &

#### disable POWER button interrupt
#if [ -x /sbin/btn.sh ]; then
#  ${ECHO} "disable POWER button interrupt..."
#  /sbin/btn.sh
#fi

### Copy Button
mknod /dev/btncpy c 254 0               # We will make device node here, not redundant code
/bin/nice -n 17 /usr/local/btn/do_btncpy # change nice value should also change BTNCPY_START.sh


##### Media server, this will be initialized in ZySH

##### Web Server
if [ -x /usr/sbin/httpd ]; then
        ${ECHO} "Starting Web Server..."
        /bin/nice -n -2 /usr/sbin/httpd -f /etc/service_conf/httpd.conf
fi


##### NDU Agent
${ECHO} "Starting NDU Agent..."
/bin/nice -n -3 /usr/sbin/nduagent

#### crond
${ECHO} "Starting crond..."
/bin/nice -n 17 /sbin/crond -L /dev/null

#### SYS Grean LED always on
# disable GPIO4 blinking
#/usr/local/htp/htp_main atwl0xf1010108,0x0000C000
/usr/local/htp/htp_test_items clearbit 0xf1010108 0x00000010
# set GPIO4 to always on
#/usr/local/htp/htp_main atwl0xf1010100,0x00820463
/usr/local/htp/htp_test_items clearbit 0xf1010100 0x00000010

####### CUPS
# Check printers already plug in NSA
/sbin/CheckPrinter
/usr/sbin/dsrv-mon.sh
/bin/nice -n 19 /usr/sbin/fadd

Last edited by Mijzelf (2009-10-07 13:58:34)

Offline

 

#10 2008-07-08 10:28:34

fonz
Member / Developer
From: Berlin
Registered: 2007-02-06
Posts: 1716
Website

Re: fun_plug on ZyXEL NSA-220.

Mijzelf wrote:

...
After rebooting the device it didn't pass boot anymore,
...

Code:

any_usb=`sg_map -x -i|grep -v " 0 0 0 0"|grep -v " 1 0 0 0"|awk '{print $7}'`
echo "${any_usb}"
if [ -n "${any_usb}" ]; then
        for usb in ${any_usb}
        do
                mount "${usb}"1 /mnt
                /sbin/check_key /mnt/nsa220_check_file
                if [ $? == 0 ] ; then
                        /mnt/usb_key_func.sh
                        test $? -eq 0 && exit 0

/ffp/etc/rc will likely return 0, and rcS exits.

If /mnt/usb_key_func.sh returns 0, the normal boot process stops. You might want to try 'exit 1' at the end of your usb_key_func.sh. To be sure, you might also want to start '/ffp/etc/rc' with an & at the end of the line to start it in the background.

Offline

 

#11 2008-07-08 21:57:03

Mijzelf
Member / Developer
Registered: 2008-07-05
Posts: 678

Re: fun_plug on ZyXEL NSA-220.

You are right, as always. I changed my usb_key_func.sh:

Code:

#!/bin/sh

mkdir /tmp/usbstick
mount /dev/sdc1 /tmp/usbstick
cd /tmp/usbstick

if [ -e /tmp/usbstick/usbstick_rc.sh ]; then
    echo "function plug enable"
    /tmp/usbstick/usbstick_rc.sh
fi

# make /etc/rcS continue
exit 1

Now it works. I can change usbstick_rc.sh without need to rebuild the checksum.

For people interested I'll attach a valid set of nsa220_check_file, usb_key_func.sh and checksum. Extract this in the root of an USB stick, write an  usbstick_rc.sh, and it will be executed when you reboot the NSA-220.

Edit: For some reason my tarfile isn't attached. If anybody is interested, tell me how to attach, or send me a PM.

Last edited by Mijzelf (2008-07-08 21:59:40)

Offline

 

#12 2008-07-08 22:04:41

fonz
Member / Developer
From: Berlin
Registered: 2007-02-06
Posts: 1716
Website

Re: fun_plug on ZyXEL NSA-220.

Mijzelf wrote:

Now it works. I can change usbstick_rc.sh without need to rebuild the checksum.

For people interested I'll attach a valid set of nsa220_check_file, usb_key_func.sh and checksum. Extract this in the root of an USB stick, write an  usbstick_rc.sh, and it will be executed when you reboot the NSA-220.

Edit: For some reason my tarfile isn't attached. If anybody is interested, tell me how to attach, or send me a PM.

Good work!

Attachments should work. There's a size limit, but your script should be small enough.

Btw, where's that other nsa-220 forum you mentioned in your first post?

Offline

 

#13 2008-07-08 22:17:39

Mijzelf
Member / Developer
Registered: 2008-07-05
Posts: 678

Re: fun_plug on ZyXEL NSA-220.

The forum is http://forums.nas-central.org/viewforum.php?f=131

I'll retry the attach

Edit: This time the attachment arrived. Last time I attached it from my NAS. Maybe that is the problem.

Last edited by Mijzelf (2008-07-08 22:19:08)


Attachments:
Attachment Icon nsa220.tar, Size: 4,096 bytes, Downloads: 556

Offline

 

#14 2008-07-15 21:32:15

Mijzelf
Member / Developer
Registered: 2008-07-05
Posts: 678

Re: fun_plug on ZyXEL NSA-220.

There were some issues with the fileset I posted:
1) /etc/password, /etc/shadow and /etc/groups were rebuilded *after* the script was run. So you couldn't change them.
2) The harddisk was not yet mounted.
3) The /mnt directory could not be used.
4) For some reason the USB stick wasn't shared anymore, making it more difficult to maintain the filesystem on the stick.
5) For some reason the script is called more than once.
6) Insertion of another stick could change the devicename, which made the script fail.

So I wrote a new script to face this problems. This script checks for the existance of /tmp/usb_key_func.sh. If it already exists, the script has already run. If not it copies itself to /tmp/usb_key_func.sh. When stick/while_booting.sh exists and is executable it is called, while the stick is mounted at /mnt. When stick/after_booting.sh exists and is executable the copy in /tmp is started in the background. This copy waits until /etc/init.d/rcS is finished and /dev/md0 is mounted, then it calls after_booting.sh while the stick is mounted at /mnt/usbstick.
For reference I added my after_booting.sh. For some reason the stick is not shared by the samba server when while_booting.sh does something relevant.
When the NSA-220 has a raid1 configation the raid device is called /dev/md0. When you've got another configuration I suppose you have to change usb_key_func.sh, to reflect this. In that case you'll also have to update nsa220_checksum.


Attachments:
Attachment Icon files.tar.gz, Size: 906 bytes, Downloads: 512

Offline

 

#15 2008-07-17 12:37:59

Mijzelf
Member / Developer
Registered: 2008-07-05
Posts: 678

Re: fun_plug on ZyXEL NSA-220.

FYI, I've found some extra information on the function of /sbin/check_key, which I've described here.

Offline

 

#16 2008-07-17 13:01:22

fonz
Member / Developer
From: Berlin
Registered: 2007-02-06
Posts: 1716
Website

Re: fun_plug on ZyXEL NSA-220.

Mijzelf wrote:

...
After rebooting the device it didn't pass boot anymore,

I recently started a new experiment you might like to try: running ffp without firmware ( http://wiki.dns323.info/howto:ffp-reloaded ).
For this, I started to create packages with files that are needed to boot directly into ffp ( http://www.inreto.de/dns323/ffp-reloaded/packages/ ). It's probably still incomplete, but basics should work.

Using the 'exit' feature of the check_key script, you should be able to do this on your NAS, too, by simply returning zero, again - and running /ffp/etc/rc.sysinit instead of /ffp/etc/rc, or even exec'ing /ffp/sbin/init.

If network config is done after check_key is run, you'd need to add your own network config either to your usb_key script or /ffp/etc/rc.sysinit.

PS: You won't need the linux-kernel package, of course.

Last edited by fonz (2008-07-17 13:20:36)

Offline

 

#17 2008-07-17 13:59:04

Mijzelf
Member / Developer
Registered: 2008-07-05
Posts: 678

Re: fun_plug on ZyXEL NSA-220.

I'm afraid this goes far beyond my linux knowledge, for the moment. In my /etc/init.d/rcS script losts of stuff is done after  the usb_key_func script is called. Most of them I don't really know what it's doing. As far as I could investigate the harddisks are not yet mounted when the usb_key_func runs, but I can't find where and how it is done. The last program started is /sbin/fadd, but when I in a polling cycle wait for fadd running, /i-data/9fa0ddfe (the raid mountpoint) is still not mounted. Something does important stuff after rcS has completed.

From Howto:fun_plug I understand that fun_plug is called 30 seconds after /etc/rc.sh has completed. So why is it nice or important that I have a way to escape /etc/init.d/rcS halfway? And why don't I need the kernel package? Especially the 'of course' scares me, it points to an obvious difference between the NSA-220 and the DNS-323 which I'm missing.
Is my data in danger when I try this and the new kernel/rc.sysinit/whatever doesn't understand my raid1 array? (which has reiserfs, btw).
In howto:ffp-reloaded 'nohup' is used to boot into the new kernel. My firmware busybox doesn't support this. Is that important?

Edit: Is your website running on your DNS-323?

Last edited by Mijzelf (2008-07-17 14:06:40)

Offline

 

#18 2008-07-23 00:17:15

fonz
Member / Developer
From: Berlin
Registered: 2007-02-06
Posts: 1716
Website

Re: fun_plug on ZyXEL NSA-220.

Mijzelf wrote:

I'm afraid this goes far beyond my linux knowledge, for the moment.

We'll come back to that, later wink

Mijzelf wrote:

From Howto:fun_plug I understand that fun_plug is called 30 seconds after /etc/rc.sh has completed. So why is it nice or important that I have a way to escape /etc/init.d/rcS halfway?

That's specific to the DNS-323 and not relevant for you. The idea is to keep the current kernel, but don't start the rest of the firmware (i.e. stop it through a simple 'exit 0'), but instead boot ffp as some kind of custom firmware.

Mijzelf wrote:

Edit: Is your website running on your DNS-323?

No, it's not. It's running on a rental server. But it's also lighttpd.

Offline

 

#19 2008-08-13 22:35:42

Mijzelf
Member / Developer
Registered: 2008-07-05
Posts: 678

Re: fun_plug on ZyXEL NSA-220.

FFP on NSA-220 in 8 easy steps:

1) Plug an USB stick of at least 64MB in your NSA-220.
    (Bigger is better, I suppose an USB harddisk will work either, but I didn't test)
2) Use the Webinterface to login to your box as admin.
3) Goto Administration->Storage
4) Use the 'Create an External Volume' button to change the filesystem of the stick to EXT2. This step will destroy all data on the stick.
    Filesystems EXT3 or ReiserFS are OK too. Give the volume a nice name, FFP for instance.
5) The volume should be accessable via Samba. Extract the contents of ffp_for_NSA-220.zip (attached) to this share.
6) Download fun_plug.tgz here, and copy it to the share too.
    The share should contain 6 files now.
7) In the webinterface goto Shutdown->Restart.
8) Wait until the box has rebooted. Done!

The tgz files should be disappeared, and the directory /ffp should be filled with Fonz' wonderful stuff. And the box should run a telnet server now.

To enable an ssh server:
telnet to the device
type
chmod a+x /ffp/start/sshd.sh
/ffp/start/sshd.sh start

After a while the ssh server should be started. Try if it works. You have got two logins: root password root and user password user.
If it works, login as root and type
/sbin/reboot

The box should reboot. If the ssh server is in the air again, you can disable the telnet server:
chmod a-x /ffp/start/telnetd.sh

A warning: some of Fonz' packages contain DNS-323 specific stuff. I think it's *not* a good idea to try them on your NSA-220, especially not the tools which deal with the flash memory, like store-passwd.sh


Attachments:
Attachment Icon ffp_for_NSA-220.zip, Size: 3,592 bytes, Downloads: 583

Offline

 

#20 2008-08-13 22:48:31

fonz
Member / Developer
From: Berlin
Registered: 2007-02-06
Posts: 1716
Website

Re: fun_plug on ZyXEL NSA-220.

Mijzelf wrote:

A warning: some of Fonz' packages contain DNS-323 specific stuff. I think it's *not* a good idea to try them on your NSA-220, especially not the tools which deal with the flash memory, like store-passwd.sh

Actually, I'm about to clean some of these up. In your after_boot.sh, you disable passwd.sh, rcS.sh and shells.sh - exactly these three will disappear soon wink

Did you post your progress in the other NSA-220 forum? I'm looking forward to feedback / success reports from other NSA-220 users.

Offline

 

#21 2008-08-13 23:00:56

Mijzelf
Member / Developer
Registered: 2008-07-05
Posts: 678

Re: fun_plug on ZyXEL NSA-220.

Yes I posted the same recipe in the other(?) forum. I hope they will be delighted, and write dozens of success stories.

Should it be possible to let those 'dangerous' scripts (I suppose you won't clean up store-passwd.sh, since it's very useful) check if they are running on a DNS-323, before continuing?

Last edited by Mijzelf (2008-08-14 16:08:25)

Offline

 

#22 2008-08-13 23:04:16

fonz
Member / Developer
From: Berlin
Registered: 2007-02-06
Posts: 1716
Website

Re: fun_plug on ZyXEL NSA-220.

Mijzelf wrote:

Should it be possible to let those 'dangerous' scripts (I suppose you won't clean up store-passwd.sh, since it's very useful) check if they are running on a DNS-323, before continuing?

I'll think about it. You could also add 'rm -f ffp/sbin/store-passwd.sh' to your boot script.

Offline

 

#23 2008-08-14 15:12:32

fonz
Member / Developer
From: Berlin
Registered: 2007-02-06
Posts: 1716
Website

Re: fun_plug on ZyXEL NSA-220.

From the other forum:

Maybe I've been a bit too enthousiastic in cleaning up (or not populating) /etc. The original non-chrooted /etc is bound to /etc/orig. You can find all files you're missing here.
Please let me know when you find more files which are indispensable. I'll face this in an update.

You'll also need /etc/protocols, /etc/services and /etc/hosts for proper networking.

I suggest you try a link /etc -> /ffp/etc, and install the iana-etc package from: http://www.inreto.de/dns323/ffp-reloaded/packages/
You can find an example /ffp/etc/hosts in the ffp-reloaded package take it from /etc of your firmware.

Offline

 

#24 2008-08-14 16:07:21

Mijzelf
Member / Developer
Registered: 2008-07-05
Posts: 678

Re: fun_plug on ZyXEL NSA-220.

Thanks. Is there any advantage on using the iana files above the firmware ones?

Offline

 

#25 2008-08-14 16:20:25

fonz
Member / Developer
From: Berlin
Registered: 2007-02-06
Posts: 1716
Website

Re: fun_plug on ZyXEL NSA-220.

Mijzelf wrote:

Thanks. Is there any advantage on using the iana files above the firmware ones?

The iana-etc files are complete. The files included in my DNS-323 firmware are, well, incomplete, and lack common service names like 'ntp'.
See also http://sethwklein.net/iana-etc

Offline

 

Board footer

Powered by PunBB
© Copyright 2002–2010 PunBB