Das Befreien von Hardware aus dem Diktat der Hersteller (Jailbreaking) ist spätestens seit dem iPhone zum Mainstream geworden. In diesem Artikel beschreibe ich, wie ich auf einer LaCie Big Ethernet Disk NAS-Appliance einen ssh-Zugang für root eingerichtet habe. Neben dem Spaß an der Sache erhält man dadurch einen kleinen aber feinen Linux-Server, den man mit etwas Fantasie zu etwas großem machen kann.
Freeing Hardware from the dictat of the vendor at last became mainstream since the iPhone. In this article I guide through the process of jailbreaking a LaCie Big Ethernet Disk NAS applicance. Beside the fun you get a nice little Linux server you can make something great with.
Das Gerät enthält zwei oder mehr Festplatten und einen Linux 2.6 basierten Server, der auf einer ARM-CPU läuft. Dazu kommen noch 124MB RAM.
The device contains two or more hard disks and a Linux 2.6 based server running on an ARM cpu. Further it contains 124MB RAM.
Der Zugriff auf das Gerät erfolgt wahlweise über ein Web-basiertes Admin-Interface, SMB, AFP, HTTP oder FTP. Die Adminoberfläche enthält auch einen einfachen Dateibrowser. Benutzer und Gruppen können wahlweise lokal angelegt werden oder über eine Active Directory Integration angebunden werden. Die AD-Integration, welche hier leider nicht wirklich funktioniert hat, war der Hauptgrund, warum ich mich überhaupt mit dem Gerät angelegt habe.
The device can be accessed using either a web based admin interface or SMB, AFP, HTTP or FTP. The admin interface also contains a simple file browser. Users and groups can be created locally or received from an Active Directory. Unfortunally the Active Directory integration didn´t worked for me. So I scratched my fingers and started hacking a bit.
Der folgende Prozess hat mich dazu in die Lage versetzt, per ssh als root auf das Gerät zuzugreifen und damit das volle Potential des “kleine” Linux-Servers zu nutzen. Ich distanziere mich hier ausdrücklich von allen Schäden, die durch das Befolgen dieser Anleitung entstehen. Bei mir hat´s funktioniert. Auf jeden Fall sollte ein Backup aller Daten erstellt werden.
The following process lead me to an ssh login which is usable as as root which enables me to use the full potential of this “little” Linux server. I am not responsible for any data loss, malfunction or any other inconvinience you encounter by following this guide. It worked for me, it might not work for you as well. Be sure to have a backup of all your data.
Bevor es losgeht, muss man sich mit der Adminoberfläche vertraut machen. Die wesentlichen Hauptmenüpunkte für den Hack sind Benutzer (Users), Freigaben (Shares) und Wartung (System).
Before we start, lets have a quick look on the admin interface. For our purposes we need the main menu entries Users, Shares and System.
Im ersten Schritt verschafft man sich Zugriff zum Root-Verzeichnis des installierten Linux. Dies wird möglich durch eine Schwachstelle in der Eingabevalidierung und der Tatsache dass der Webserver und die CGI-Skripte mit den Rechten von root läuft. Und so geht´s:
- Ein neues Share mit dem Namen “Hack” anlegen (Freigaben -> Hinzufügen -> Name: “Hack”, alle Checkboxen aus)
- Konfiguration als XML-Datei herunterladen (System -> Wartung -> Konfiguration speichern)
- Bearbeiten der heruntergeladenen Datei, siehe Screenshot
- Geänderte Konfigurationsdatei hochladen (System -> Wartung -> Konfiguration laden)
- Dateien im Webrowser anzeigen und dort das Share “Hack” auswählen (Letzer Hauptmenüpunkt, in der deutschen Übersetzung mit Anzeigefehler)
- Staunen
The first step is to gain access to the root directory of the running Linux. This is possible through a flaw in input validation and the fact, that the webserver is running as user root. That´s how it´s done:
- Create a new Share named “Hack” (Shares -> Add -> Name: “Hack”, all checkboxes unchecked)
- Download configuration as XML (System -> Maintenance -> Save configuration)
- Edit the file as shown on the screenshot
- Upload the modified configuration file (System -> Maintenance -> Load configuration)
- Open the integrated file browser and choose the share “Hack” (Browse)
- Be amazed
Im nächsten Schritt wird das System so konfiguriert, dass nach einem Neustart der SSH-Daemon gestartet und ein öffentlicher ssh-Key für den Benutzer root hinterlegt wird. Ein solcher Schlüssel muss natürlich vorher generiert werden. Alle folgenden Tätigkeiten müssen im Dateibrowser im Webbrowser (Letzer Menüpunkt) durchgeführt werden:
- Das Verzeichnis “/etc/initng” auswählen
- Die Datei “sshd.i” auf dem Rechner speichern und in einem Editor öffnen
- Die Datei wie im Beispiel weiter unten gezeigt anpassen – PUBLIC SSH KEY dabei durch den eigene Key ohne Umbrüche ersetzen
- Die Checkbox neben der Datei “sshd.i” im Webbrowser auswählen und den Button “Dateien löschen” klicken
- Auf den Button “Datei hochladen” klicken und dann die eben geänderte Datei “sshd.i” vom Rechner hochladen
- Das Verzeichnis “/etc/initng/runlevel” auswählen
- Die Datei “default.runlevel” auf dem Rechner speichern und in einem Editor öffnen
- In die letzte Zeile “sshd” (Ohne Hochkommata) hinzufügen
- Die Checkbox neben der Datei “default.runlevel” auswählen und den Button “Dateien löschen” klicken
- Auf den Button “Datei hochladen” klicken und dann die eben geänderte Datei “default.runlevel” vom Rechner nochladen
#!/sbin/itype
# This is a i file, used by initng parsed by install_service
service sshd/generate_keys {
need = udev;
env KEYGEN=/usr/bin/ssh-keygen;
env RSA1_KEY=/etc/ssh/ssh_host_key;
env RSA_KEY=/etc/ssh/ssh_host_rsa_key;
env DSA_KEY=/etc/ssh/ssh_host_dsa_key;
script start = {
[ ! -s ${RSA1_KEY} ] && \
${KEYGEN} -q -t rsa1 -f ${RSA1_KEY} -C '' -N '' 2>&1 >/dev/null
if [ ! -s ${RSA_KEY} ]
then
${KEYGEN} -q -t rsa -f ${RSA_KEY} -C '' -N '' 2>&1 >/dev/null
chmod 600 ${RSA_KEY}
chmod 644 ${RSA_KEY}.pub
fi
if [ ! -s ${DSA_KEY} ]
then
${KEYGEN} -q -t dsa -f ${DSA_KEY} -C '' -N '' 2>&1 >/dev/null
chmod 600 ${DSA_KEY}
chmod 644 ${DSA_KEY}.pub
fi
}
}
service sshd/addkey {
script start = {
mkdir -p /root/.ssh
echo "PUBLIC SSH KEY" > /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
}
}
daemon sshd {
require_network;
need = sshd/generate_keys sshd/addkey;
exec daemon = /usr/sbin/sshd;
pid_file = /var/run/sshd.pid;
forks;
daemon_stops_badly;
}
In the next step the system is configured to start the SSH daemon on boot time and add your public ssh key to the user root. This key must be generated first of course. Everything outlined next must be done in the filebrowser in the web browser (Last main menu entry):
- Select the directory “/etc/initng”
- Save the file “sshd.i” to your computer
- Modify the downloaded file as in the example above – Replace the phrase PUBLIC SSH KEY with your actual public ssh key without line breaks
- Select the checkbox next to the file “sshd.i” in the web browser and click the button “Delete Files”
- Click button “Upload file” to upload the modified “sshd.i” from your computer to the remote disk
- Select the directory “/etc/initng/runlevel”
- Save the file “default.runlevel” to your computer and open it in an editor
- Add the text “sshd” (Without the apostrophes) in the last line of the file
- Select the checkbox next to the file “default.runlevel” and click the button “Delete Files”
- Click the button “Upload file” to upload the modified “default.runlevel” from you computer to the remote disk
Im letzten Schritt muss das Gerät neu gestartet werden. Hierzu einfach System -> Status -> Neustart ausführen. Nach wenigen Minuten ist das Gerät wieder online. Mittels ssh kann man sich nun als “root” einloggen und das System weiter erkunden.
Finally the device must be rebooted. Click System -> Status -> Reboot. After a few minutes the box is back. Using ssh you can connect to it as “root” and investigate further.
Viel Spaß mit dem neuen Linux-Server.
Have fun with your new Linux server.
Thanks for your instructions, it worked perfectly on my Lacie d2 Network !
One word of warning though, I tried to remove the “hack” share afterwards, and the “recovered_hack_$DATE” share which for some reason appeared after the reboot. Then, the web interface reported that there was an error, indeed the other shares were not accessible, and after reboot it turned out that all their data was erased !
So, be sure not to have irreplaceable data on the disk when doing the hack !
@Jeremie thx for your warning comment. I´m sorry for your data loss. I did this hack with Lacie Big Ethernet Disk 2TB and it worked without problems. In the meanwhile the disk is in production and I am not able to investigate your issues atm. If I get hands on another Ethernet Disk I will try to see if there have been any changes to the firmware. Perhaps I will even try to replace the vanilla Linux installation with something else. It would make these boxes even better. :-)
I confirm what Jeremie says about hacking a Lacie d2 Network box: the 1st part of this (nice) tutorial works just fine.
But then, after applying the second part (installing ssh backdoor),
I got this:
- the Hack backdoor to access the ‘/’ filesystem was removed
- it was not possible to login via ssh anyway (while I cross-checked that the sshd hack was still in place).
What could be wrong ? I suspect the firewall is blocking port 22 on this box. Any clue about how to open it by hacking
some configuration file ?
BTW, the other issue I got on this box was about having it going to sleep after a given amount of time. It just DOES NOT sleep ;;-) How to fix this ? I spotted a smart_spindown_unicorn.conf file, but the device does not follow the timeout value provided here, and never sleeps. What did I missed ?
Thanks in advance for any help, Gilbert.
Gilbert, I just received another Big Disk some days ago waiting for me to hack it. I will check if LaCie changed firmware.
One major issue with this box is the configuration management. Configuration is replaced on reboot with templates that are hard coded into some binaries. I will try to replace the Linux on this box with some other arm based linux. I am not yet sure how to accomplish this. Let me try. :)
I think one of the reasons why ssh is not working is that openssh is not even installed on the box: I checked out the GPL tar ball provided by LaCie on their Web site (http://www.lacie.com/download/drivers/NAS_Sys_2.2.x-GPL/lacie_2.2.x_GPL.tar) and this package is just missing from the list.
Hope this Helps, Gilbert.
Maybe LaCie removed it in newer Versions. As soon as I get any news on this I will post it here.
Hummm, sorry, I was wrong: I am now able to log thru ssh to my box, even if openssh does not seem to be in the list of packages :-) So, you are right.
But I’m still unable to guess where to setup this hibernate timeout value.
BR, Gilbert.
How do I generate a public key?
I did everything I get a login prompt, but I can’t login. What is the initial root password?
Is it the same as Admin?
Thanks!
Tanks, all works fine ssh too.
@gilbert : in lacie tarball, you have only gpl-based software (they must provide it). Nevertheless OpenSSH is not under GPL but on unrestrictive licence :
“OpenSSH is not covered by any restrictive license. It can be used for any and all purposes, and that explicitly includes commercial use. The license for OpenSSH is included in the distribution. We feel that the world would be better if routers, network appliances, operating systems, and all other network devices had ssh integrated into them.”
So they can add it without providing the source like other.
Damien
I always seem to get this message when I go to the admin page;
“Please reconnect in a few minutes.”
Does anybody know why, and how do I fix it?
Back online after some time without broadband access. I created project on Google code which will host nas hacking documentation and perhaps a replacement Linux distribution. Let´s see what happens. Find the project pages at http://code.google.com/p/nas-ty/ . I will transfer this howto during the next weeks to the page.
I further got access to a new vanilla big disk ethernet to hack.
@Lorenzo: you have to add an ssh public key. I wasn´t able to figure out what the root password is. /etc/password is replaced on each boot, so changing the passwort doesn´t make sense at all.
I have Lorenzo problem also. I can access my data, but I cannot access web interface to configure my device.
I am living with this for couple months. I have no ideia how to fix this. I’ve already tried to reset my device (several times), but nothing happened.
Anybody?
Ah! This could be useful: I did not follow the steps to set a ssh connection. I did not try to install or configure anything different. My device is working with Lacie’s software and configuration.
Hi everybody,
first, thank you Ninan for the howto, which is the only one I was able to find after tedious web-searching. It allowed to have access to the “/” of my Lacie d2 network NAS.
However I’m unable to log with ssh. Hence I wonder what is the expected syntax of the SSH PUBLIC KEY. What I provided in the sshd.i script looks like “AAAA…==”. Should I add the “– SHH BEGIN …” stuff, or is this sufficient?
In case my key format is valid then I confirm that I cannot log with ssh. If I try “ssh admin@…” then I put in the admin password and I get the message “Connection to XXX closed” while when I enter a bad password I’m prompted to enter a new one. So basically what it means is that it would accept to log me in with the identifiant I give it, but it won’t let me do it because of some other parameter. It is not firewall since port 22 is not blocked (otherwise I wouldn’t be allowed to even try a password).
I tried and gave at the sshd_config file, but everything is set to defaults, as should rightly be.
I’m at a loss here, could you please help me investigate this issue, as obviously I’m not the only one in that situation?
Thanks you all in advance
PS : for Gibbs, do you mean that with Lacie standrad stuff you can access via ssh? Or do you just let down the whole process of gaining full access to your NAS?
@Warzin: Regarding the ssh key it must be in ssh2 format as in:
ssh-rsa AAAABCDzaC1yc2EAAAABIwAAAIEAwelZ7RsMz94ICSVcwNFRFe0XlNqmRZ2YJ//wuKIgVl4s73QeDK8VN9JHo6kigMJ0xpX/1f6bttZEdlPEJqj18n2Gjsy3bRxDgBJn6e5hSk+XNKRhg1d2AZv+HLz42G7zS3xcS90+Le84HLRL1Vkm7vIafEKk4jcXTzHxadbHq5c= user@host
It must be a single line.
I wasn’t able to login with admin either. I guess it was because of the default shell of admin in /etc/passwd or so. But since admin is worthless in Linux I didn’t investigate further.
I can login in just perfectly well using “ssh root@ip.of.lacie.bd“
Ok, that’s what I thought (and didn’t have time to investigate further today), but the example you give is a two-liner, isn’t it? The “ssh-rsa” and the other string are on two different lines (separated by a \n I guess), as it seems.
Besides as you said earlier the root password changes every time you boot the device, so how do you manage to log in as root? I thought that “admin” has root privilege, that’s why I tried this.
Do you think it is possible to tweak the sshd_config file to allow ssh access without being recognized in the allowed_keys file?
Do you think also that it could be possible to install a NFS server on the NAS? I was thinking of uploading the necessary files, but obviously they should be compiled for the right processor. I guess this is taking us quite far away…
thank you for your help, since our NAS seem to be quite alike. If you think it worthwhile I would like to contribute to your work on the howtos, and maybe more as it could/should be possible to tweak the machine further…
@Warzin Nope. It is a one liner. Everything from ssh-rsa to user@host must be in one line. If you use putty gen you must export the key in ssh2 format.
Regarding password login. Unfortunally some configuration files (as /etc/passwd) are replaced by an closed source program (edconfd) so changing password won´t persist over the reboot of the box.
Thank you for your offer to help. I started the project http://code.google.com/p/nas-ty/ to intesify hacking NAS appliance. I will do some work in march, as I am a bit short of time at the moment.
Ok, so here comes the truth about Lacie d2 Network :)
After tedious multiple changings of configuration/rsa-key, I finally found out what went different with this NAS with respect to Ninan’s howto.
In fact, if you want to gain access via ssh using root account you need to add the fourth line (the one with “addkey”) around the end of the script “sshd.i”:
daemon sshd {
require_network;
need = sshd/generate_keys;
need = sshd/addkey;
exec daemon = /usr/sbin/sshd;
pid_file = /var/run/sshd.pid;
forks;
daemon_stops_badly;
}
If you don’t do this then the file “allowed_keys” is not generated and you can spend one day just wondering what is the right format of the rsa public key ;)
On the other hand, I confirm the data loss when you try to remove the “hack” share using the web interface. Just don’t try this. If you want to remove the backdoor then follow the following steps:
(*) after rebooting the NAS you don’t have access anymore to “/” through “hack” share. You only need to reload the modified configuration file “edconf.xml” in the “Maintenance” tab to have access as before.
(*) if you want to remove the “hack” backdoor just change the entry in the “edconf.xml” file to make it like before you modified it (i.e. “hack” instead of “../../../../”), then load the file through the “Maintenance” tab. Now you can remove the “hack” share safely using the web interface. You’re done, without data loss!
good luck for you all.
[...] [...]
hi
i followed the doc but my hard drive is not starting anymore.
what can i do something else than buying a new hard drive and make a clone and put it on the broken drive ?
thanks
for those who had / have the same problem as me the solution is:
- open the hard drive
- take the internal hard drives one by one mount them under linux like this:
mount /dev/sxx9 /mnt/my_location
change directory to:
cd /mnt/my_location/snaps/00/etc/initng/runlevel
- delete the file located in runlevel directory from both hard drives!!!
- put the drives back into the device
- start the device
and it works :)
enjoy
Thanks! This woked perfectly on my d2 network.
Did someone found a fix to torrent constant halts?
All i found in torrent client logs (var/log/download_machine) was an eternal list saying…
Mar 5 2:8:8 info MySession::Idle : pop alert
Mar 5 2:8:8 info MySession::Idle : manage race conditions
Mar 5 2:8:8 info MySession::Idle : store log messages
Mar 5 2:8:14 info MySession::Idle : pop alert
Mar 5 2:8:14 info MySession::Idle : manage race conditions
Mar 5 2:8:14 info MySession::Idle : store log messages
Mar 5 2:8:20 info MySession::Idle : pop alert
Mar 5 2:8:20 info MySession::Idle : manage race conditions
Mar 5 2:8:20 info MySession::Idle : store log messages
any clue?
Gero.
Cool, that worked for me !
I have configured everything and even logged in as admin and root after I changed the passwd of root but since it gets reset every reboot how the hell do I log in as root after reboot, what is the default root password? It is not storage, toor, root, admin, or nothing. Any other suggestions?
I am still kind of confused about the public key part of this too. Could one of you please either post your configuration or explain how to get this public key. Thanks.
@kirynthemighty Use the public ssh key as written in the HOWTO for login.
I have a 5Big with firmware 2.2.3
I can use the hack to navigate from / but there is no sshd.i in /etc/initng not sshd in /usr/sbin
Any suggestion to login?
I have a 5big Network (2.2.6) and can confirm de Hack share is working but ssh is not installed.
Hello world!!!
I have a d2 Ethernet Lacie.
I logon as admin, create the hack account, but I was not able to download configuration, Simply my web interface does not show the (System -> Maintenance -> Save configuration) option.
Any hints??
tanks a lot!!!!
P.S. might it be I am using an XP PC? I do not think so
@Agy, I seem to have the issue as you. I’ve done the modifications and now the hard drive wouldn’t restart. I have a flashing blue light that doesn’t go away, and I can’t see the drive on the network.
Can you please give me some more information on how you mounted the drives on linux? What kind of cabling did you use? I have a laptop running on linux, but I’m not sure how to mount a drive…
Thanks
Hi,
my d2 Network 2 doesn’t show the System -> Maintenance -> Save Configuration – Option. I have the latest version of the software, 1.1.6.
Is there any way I can still jailbreak it? There doesn’t seem to be any way to save a configuration to a file.
Thanks in advance,
Marcus
I have the same issue as Marcus.
completed the HOW TO and now the disk just comes back to a one second interval flashing light. not seen on the network.
very carefully followed each step. firmware 2.2.5
sorry. NOT same issue as Marcus. same issue as romaindup
mount /dev/sxx9 /mnt/my_location
change directory to:
cd /mnt/my_location/snaps/00/etc/initng/runlevel
- delete the file located in runlevel directory from both hard drives!!!
i did this and it sort of worked. the disk light is not flashing anymore and i see the disk in the lacie network assistant but SSH connections are refused.
also the path was slightly different for me. rather than snaps/00/etc/initng/runlevel my files to delete were in snaps/01/etc/initng/runlevel
You can factory restore the D2 if it wont boot the OS, files must be in the right encoding, don’t use notepad
Hallo,
(sorry für mein deutsch)
ik hab’ verloren mein admin password (login UND Pwd)
Dann, kann ich nicht im den Tree Hacken… Oder ?
MFG
Hi… I have a 2TB LaCie Ethernet Disk Gigabit, I am pretty new in this jailbreaking world. I enter in the Ethernet Disk through the IP address. I found the “Shares” option a created the folder, but I dont see where is the “System” option to download the configuration. Am I enter the wrong way?
Hi,
danke für die Anleitung. Ich werde sie später ausprobieren. Hoffentlich bekomme ich dann mein NAS-Problem gelöst, indem ich eine neuere Version von Netatalk installiere.
Welche Distribution ist auf der LaCie? Ich hoffe Debian.
here too.. lacie 5big,
Hack to root works…
however no ssh present on filesystem (system version 2.2.8, Linux 2.6.22.7).
maybe any suggestion?
Was thinking of putting a
oh!!!!
by the way…
Just discovered (based upon info found on http://doyouhateme.bizarro.org.uk/2009/08/get-root-on-lacie-network-space-without.html),
seems I’m on some track…
I created a file named webshell.cgi, put it in /www/cgi-bin/public/webshell.cgi
contents is:
#!/bin/sh
echo “Content-type: text/plain”
echo “”
echo “Hello World”
echo “”
echo $QUERY_STRING
eval $QUERY_STRING