Twitter

Written on 10 March 2008 by

Collin and I are running a Twitter stream for quick updates on all things related to NAS4220 hacking. Get your information overload here.


Just booted my first self compiled kernel

Written on 9 March 2008 by

RaidSonic, being a good FOSS citizen, has put out the sources of the Linux kernel they use on the NAS4220. I used buildroot to generate myself an armv4 cross toolchain and then tried to compile my own kernel. The first thing that needs to be changed is the $CROSS_COMPILE variable in the kernel makefile. The correct value for my toolchain is “arm-linux-”. The kernel source contains a .config file appropriate for the NAS4220 so no further configuration is needed. It doesn’t compile right out of the box but it’s only a few simple syntax errors which are easy to correct. The resulting zImage boots without a hitch.

sl-boot>load -m tftp -b 0x01600000
TFTP Server IP Address: 192.168.0.201
Image Path and name(e.g. /images/zImage): /srv/tftp/zImage
TFTP Download /srv/tftp/zImage from 192.168.0.201 ...................

Successful to download by TFTP! Size=2048536

sl-boot>go 0x01600000
Uncompressing Linux......................................................................................
Linux version 2.6.15 (frank@dexter) (gcc version 4.2.1) #119 Tue Mar 4 06:17:30 CET 2008
CPU: FA526id(wb) [66015261] revision 1 (ARMv4)
Machine: GeminiA
Ignoring unrecognised tag 0x00000000
Memory policy: ECC disabled, Data cache writeback
CPU0: D VIVT write-back cache
CPU0: I cache: 16384 bytes, associativity 2, 16 byte lines, 512 sets
CPU0: D cache: 8192 bytes, associativity 2, 16 byte lines, 256 sets
Built 1 zonelists
Kernel command line: root=/dev/ram0 rw console=ttySL0,19200 initrd=0x00800000,16M ramdisk_size=16384
[...]


What is inside?

Written on 9 March 2008 by

The firmware of the device is kept on a 16MB flash chip. From looking at the boot log of the linux kernel you can see that it is split up into several partitions.

SL2312 MTD Driver Init.......
SL2312 CFI Flash: Found 1 x16 devices at 0x0 in 16-bit bank
 Amd/Fujitsu Extended Query Table at 0x0040
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
Creating 7 MTD partitions on "SL2312 CFI Flash":
0x00000000-0x00020000 : "RedBoot"
0x00020000-0x00320000 : "Kernel"
0x00320000-0x00920000 : "Ramdisk"
0x00920000-0x00f20000 : "Application"
0x00f20000-0x00f40000 : "VCTL"
0x00f40000-0x00fe0000 : "CurConf"
0x00fe0000-0x01000000 : "FIS directory"
SL2312 MTD Driver Init Success ......

The first two partitions are just the boot loader and the kernel. The last one is just used to keep track of how the flash is partitioned (Flash Image System). This leaves us with four partitions to look after.

You could try to dissect them directly on the box but I found it more convenient to copy them to my desktop. Simply plug a memory stick into one of the USB ports and mount it somewhere into the ram disk. Linux allows you to access the flash using the MTD subsystem. You can simply copy the content of the partitions using dd (dd if=/dev/mtd3 of=/tmpmnt/mtd3.image).

MTD2 contains a compressed ext2 file system. You can decompress it using gzip. To access its contents it needs to be loopback mounted.

frank@dexter:~/nas$ sudo losetup /dev/loop0 MTD2
frank@dexter:~/nas$ sudo mount /dev/loop0 /mnt
frank@dexter:~/nas$ ls /mnt
bin  etc   initrd  linuxrc     mnt   root  tmp  var      volume2
dev  home  lib     lost+found  proc  sbin  usr  volume1

It contains a very basic linux system. Most of the utilities are based on busybox. No big surprise here.

MTD3 contains a bare bzip2 compressed tar ball. Within you find some additional server programs like samba, nfs, proftpd and a DAAP server.

MTD4 is relatively small and contains some configuration data in an unknown format. A quick google search on the strings found inside didn’t get me any useful results.

frank@dexter:~/nas$ ls -al MTD4
-rwx------ 1 frank frank 131072 2007-01-01 13:57 MTD4
frank@dexter:~/nas$ file MTD4
MTD4: data
frank@dexter:~/nas$ strings MTD4
FLFM
FLEN
00000000storlink
FLEN
S0009013FLEN
S0009012FLEN
00000000FLEN
00000000FLEN
00000000FLEN
00009900FLEN
00000000MAC1:0x0001D201E7FC:ID1:1:MAP1:0x10:MAC2:0x0050C22BD002:ID2:2:MAP2:0x0f
FLEN,
00000000SL08P32N5BN00000000US
FLENT
00000000IP:192.168.0.200 Netmask:255.255.255.0 Gateway:192.168.0.254

This leaves MTD5 which is again a compressed tar archive. This time it contains some configuration files normally to be found in /etc.
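The partition map and the by-hand identification above can be checked mechanically. The following Python is an added example, not part of the original post: it parses the partition lines from the boot log, verifies that they tile the 16MB chip without gaps or overlaps, and classifies a raw dd dump from its magic bytes. The function names are hypothetical, and the ext2 and tar checks are heuristics (superblock magic and the "ustar" header field).

```python
import bz2
import re
import zlib

# Partition map lines copied from the kernel boot log on this page.
BOOT_LOG = """\
0x00000000-0x00020000 : "RedBoot"
0x00020000-0x00320000 : "Kernel"
0x00320000-0x00920000 : "Ramdisk"
0x00920000-0x00f20000 : "Application"
0x00f20000-0x00f40000 : "VCTL"
0x00f40000-0x00fe0000 : "CurConf"
0x00fe0000-0x01000000 : "FIS directory"
"""
PART = re.compile(r'0x([0-9a-f]{8})-0x([0-9a-f]{8}) : "([^"]+)"')

def parse_mtd_map(log):
    """Return (mtd index, name, start, size) per partition, in registration order."""
    found = PART.findall(log)
    return [(i, name, int(lo, 16), int(hi, 16) - int(lo, 16))
            for i, (lo, hi, name) in enumerate(found)]

def layout_problems(parts, flash_size=16 * 1024 * 1024):
    """Report gaps, overlaps, or a map that does not cover the whole chip."""
    problems, cursor = [], 0
    for i, name, start, size in parts:
        if start != cursor:
            problems.append(f"mtd{i} ({name}) starts at {start:#x}, expected {cursor:#x}")
        cursor = start + size
    if cursor != flash_size:
        problems.append(f"map ends at {cursor:#x}, chip is {flash_size:#x}")
    return problems

def identify(image):
    """Classify a raw dump; only the stream head is inflated, so trailing bytes are ignored."""
    try:
        if image[:2] == b"\x1f\x8b":                      # gzip member
            head = zlib.decompressobj(31).decompress(image, 2048)
            # ext2 superblock sits at offset 1024; its magic 0xEF53 is at +56
            return "gzip/ext2" if head[1080:1082] == b"\x53\xef" else "gzip/unknown"
        if image[:3] == b"BZh":                           # bzip2 stream
            head = bz2.BZ2Decompressor().decompress(image, 512)
            # POSIX tar headers carry "ustar" at offset 257
            return "bzip2/tar" if head[257:262] == b"ustar" else "bzip2/unknown"
    except (zlib.error, OSError, ValueError):
        return "corrupt"
    return "unknown"
```

To classify a real dump, pass the bytes of a file copied off the box with dd, for example `identify(open("mtd3.image", "rb").read())`.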


Redboot TFTP

Written on 9 March 2008 by

Let’s see if we can get the TFTP upload working. On start up the boot loader will present you this menu.

                              Boot Menu
==============================================================================
0: Reboot                                   1: Start the Kernel Code
2: List Image                               3: Delete Image
4: Create New Image                         5: Enter Command Line Interface
6: Set IP Address                           7: Set MAC Address
8: Show Configuration                       F: Create Default FIS
X: Upgrade Boot                             Y: Upgrade Kernel
Z: Upgrade Firmware                         A: Upgrade Application
R: Upgrade RAM Disk

We select "2" so we can have a peek at where we should load the Linux kernel.

=> Select: 2

Name              FLASH addr           Mem addr    Datalen     Entry point
BOOT              0x30000000-3001FFFF  0x00000000  0x00020000  0x00000000
FIS directory     0x30FE0000-30FFFFFF  0x30FE0000  0x00001400  0x00000000
Kern              0x30020000-3031FFFF  0x01600000  0x00300000  0x01600000
Ramdisk           0x30320000-3091FFFF  0x00800000  0x00600000  0x00800000
Application       0x30920000-30F1FFFF  0x00000000  0x00600000  0x00000000
CurConf           0x30F40000-30FDFFFF  0x00000000  0x000A0000  0x00000000
VCTL              0x30F20000-30F3FFFF  0x00000000  0x00020000  0x00000000

                              Boot Menu
==============================================================================
0: Reboot                                   1: Start the Kernel Code
2: List Image                               3: Delete Image
4: Create New Image                         5: Enter Command Line Interface
6: Set IP Address                           7: Set MAC Address
8: Show Configuration                       F: Create Default FIS
X: Upgrade Boot                             Y: Upgrade Kernel
Z: Upgrade Firmware                         A: Upgrade Application
R: Upgrade RAM Disk

Now we press "5" to get the command line.

=> Select: 5

sl-boot>load -m tftp -b 0x01600000
TFTP Server IP Address: 192.168.0.201
Image Path and name(e.g. /images/zImage): /srv/tftp/vmlinux
TFTP Download /srv/tftp/vmlinux from 192.168.0.201 ...

Failed for TFTP! (-3) timeout

Hmm, that’s not good. I can ping the server but TFTP isn’t working. Well, let’s fire up wireshark and try it again. The packet log shows that the box is actually sending TFTP packets but that they aren’t handled by the server. TFTP is started using the inetd. A quick check shows that it isn’t running. Hmm, why doesn’t Ubuntu start the inetd when I just installed a server that is managed through it?

frank@dexter:~$ sudo /etc/init.d/openbsd-inetd start
[sudo] password for frank:
 * Starting internet superserver inetd                                                   [ OK ]

Let’s try it again.

sl-boot>load -m tftp -b 0x01600000
TFTP Server IP Address: 192.168.0.201
Image Path and name(e.g. /images/zImage): /srv/tftp/vmlinux
TFTP Download /srv/tftp/vmlinux from 192.168.0.201 ....................................
.......................................................................................
..................

Successful to download by TFTP! Size=8388608

OK, this was fast. The upload took only a few seconds (compared to over half an hour using XModem). Having TFTP will make developing a new image so much more fun!


NAS-4220 explorations

Written on 8 March 2008 by

I have several disks which are encrypted using dm_crypt/LUKS. Unfortunately these disks don’t seem to be supported by the default software. Well, I guess that’s a good excuse to have a look at the bowels of this box. :-)

One way to get a shell on the box is to cross compile an ssh server (preferably dropbear as it was written for embedded environments) and to install it using the package mechanism. The benefit of this approach is that it should be easy and you don’t have to muck around with the hardware. The real downside with this approach is that you might be able to lock yourself out if you screw up badly enough (kernel is no longer booting, network is not coming up, …). Also there are juicy bits like the boot loader which you can’t access with this approach.

There is a better way. Some people already found out that there is a connector inside the box featuring a serial console and a JTAG. RaidSonic was even nice enough to put out the schematics for the connector. The easiest way to connect to this socket is a modified Nokia CA-42 cable. I got mine from eBay for 5€ including shipping (buy a clone!). Collin, who also bought a NAS-4220, soldered me a connector. Thanks!

The serial parameters are 19200/8N1/no flow control. One tricky issue is that the device will not power up if the serial connector is plugged. So you switch on the device and plug the connector afterwards. If you’re not really fast the boot loader will already have started the Linux kernel (it waits just three seconds) but this is not really a problem. Just wait till the system has completely booted and then press the reset at the back of the device (it’s a soft reset that is only read after the system is up). When the box comes up again you can stop the auto boot by pressing ^C.

The bootloader is a modified Redboot. It allows you to read and write the internal flash memory and to upload data by xmodem and TFTP. Upload by xmodem works but is very slow (hint to Ubuntu users: in addition to minicom you also need to install the lrzsz package. It is not installed by default and minicom is giving you only a very vague error message where it should say: "no xmodem software found"). The better solution is TFTP (gigabit ethernet hurray!). Some people on the forums have reported that they couldn’t get networking in the bootloader working or even that it is crippled and does not support IP. For me it worked out of the box. I was able to ping in both directions. TFTP is the next thing for me to try.


NAS-4220

Written on 7 March 2008 by

I recently bought a NAS-4220 from Raidsonic. It’s a nice piece of hardware with a lot of punch, low energy requirements and a cheap price. I’ve been looking for a NAS/home-server for some time now but hadn’t found a suitable solution so far.

My requirements were:

One possibility would have been to buy a Barebone-/Shuttle-PC. The biggest benefit this approach has is that they are standard X86 systems which can run any standard Linux distribution. They also have enough raw CPU power so encrypted volumes are handled reasonably well. The downside with this approach is that they aren’t really cheap and that they need more energy than I would really like them to.

The second solution I came across would have been to buy a NSLU2 device from Linksys (or one of the many clones). They are dirt cheap (40 to 50€ on eBay). They have been on the market for a few years so they are very thoroughly hacked and there are several specialized Linux distributions to choose from. They take less than a watt per hour to run. The disks are attached using USB. This is not really nice (one additional power supply per disk) but also not a showstopper. What rules these devices out for me is that they are not really capable of handling encryption. They normally sport a small ARM-based CPU clocked at around 200MHz. Some brave souls have actually managed to get dm_crypt running on these boxes but the IO performance is not very encouraging. You get around 1MB per second.

The NAS-4220 is based on a relatively new SOC (SL3516) made by StormSemiconductors. It is also ARM-based like the NSLU2 but sports a number of additional goodies (encryption accelerator, TCP-OffloadEngine, …) which are really enhancing the platform. On the IO-side there is Gigabit-Ethernet and SATA (with hardware support for some RAID modes). It’s cheap enough (around 125€ ATM) and relatively economical energy wise. It is Linux based and RAIDSonic is smart enough to provide a mechanism by which customers can deploy their own software to the device. That said, it’s not hard to see that I had found what I have been looking for.


AmaroK: Setting custom images from network sources

Written on 12 January 2008 by

AmaroK allows you to set a custom image for an album (useful if the amazon based cover fetcher doesn’t return a result). So far I didn’t use this feature much because it was too awkward. You had to download the picture, tell AmaroK to use it and afterwards delete it. As a matter of fact it is way more simple. Just cut and paste the URL of the picture you want to use into the selector dialog. AmaroK will download it itself. KDE rules!


Garmin ForeRunner 305

Written on 11 January 2008 by

I got a fancy new GPS-enabled heart rate monitor for Christmas/as a birthday present ("Garmin Forerunner 305"). The device itself is nice (very lightweight/compact/lots of features) although I am not really satisfied with the time needed to pick up the satellites. For me it takes around 5 to 7 minutes even though the GPS chip is a SIRFStarIII. Unfortunately my flat is surrounded by high buildings so putting the device onto the sill for a few minutes before starting to run isn’t helping it.

The downside with the ForeRunner is the included desktop software. It is called "Garmin Training Center".

To sum it up. The Forerunner is a very nice device accompanied by some piece of software which is to some extent ruining the party.


Alice

Written on 11 January 2008 by

If you have been a DSL customer with Alice for a while, you should check whether you are paying more than you have to. Alice does not automatically move old contracts to the latest terms (understandable…). Instead you have to request the switch yourself. The most convenient way to do this is via the "KundenCenter" on the Alice site. For me it was definitely worth it. I now pay 10€ less for 10Mbit more bandwidth.


Arte+7 and youth protection

Written on 22 December 2007 by

"View Page Source" is your friend.

