Buffalo Linkstation Install Optware Hvd
Even Easier Squeezecenter Install on Buffalo LinkStation Pro and LinkStation Live. Even Easier Squeezecenter Install on Buffalo LinkStation Pro/Live (v7.3.3).
Disassemble the HD-HLAN Unfortunately the LinkStation was not meant to be opened by customers, so Buffalo didn't make it easy. On the top and bottom of the case there is a small tab besides the grey frame, which you have to press down (e.g.
With a screwdriver) to be able to move the frame to the front. On the photo below the location is marked red. After a few millimeters the grey piece snaps free and comes up. You need quite some force to do that, because the shiny front bezel is secured by two hidden screws (one in the top and another in the bottom of the bezel). With enough force and skill you may be able to tear the screws out of the case (fortunately the screws are small). They remain in the shiny bezel. You may want to shorten the screws with a file now.
Before the case can be opened you have to remove a screw hidden under a sticker, below the fan (marked on the right side of the picture). Then press the four tabs on the top and bottom to remove the upper half of the case. Remove another four screws to be able to lift the board. Getting root access We need root access on the vendor's Linux installation to be able to flash a new firmware.
Without the original disk it will become much more difficult. You would either have to find a way to install the system onto a new disk with the help of a second machine, or use the JTAG port to flash the new firmware directly into the chip (in the last case you can skip all sections until ). For the KuroBox you can skip this section. The root password is known to be kuro. Also telnet access is enabled. The default IP of the KuroBox is 192.168.11.150.
Make a new user over the LinkStation's web interface. We can use it to log in over the serial port. Log in into the new account and create a CGI file under /www which makes /etc/passwd writeable for all users. Link Station series HD-HLAN (HIDETADA) BUFFALO login: Besucher Password: Linux (none) 2.4.17mvl21-sandpoint #990 2004xxxx 13:39:00 JST ppc unknown Besucher@BUFFALO:$ mkdir /www/cgi-bin3 Besucher@BUFFALO:$ vi /www/cgi-bin3/exploit.cgi exploit.cgi should look like this: #!/bin/sh chmod 666 /etc/passwd Then enter the URL into your browser.
When all went well, /etc/passwd is writeable now. Edit it with vi and copy your user password ( /Jg58Gq9427qY in this example) over the current root password. Now you can log in with the same password into the root account. Root:dwqa1LabM8BgA:0:0:root:/root:/bin/bash bin:.:1:1:bin:/bin: daemon:.:2:2:daemon:/usr/sbin: sys:.:3:3:sys:/dev: adm:.:4:4:adm:/var/adm: sync:.:6:8:sync:/bin:/bin/sync shutdown:.:7:9:shutdown:/sbin:/sbin/shutdown halt:.:8:10:halt:/sbin:/sbin/halt operator:.:12:0:operator:/root: ftp:.:15:14:ftp:/usr/sbin:/bin/false nobody:.:99:99:nobody:/home:/bin/sh Besucher:/Jg58Gq9427qY:101:1000::/home:/bin/bash The CGI exploit, which I described above, probably does not work with all Linkstation firmware releases.
It may fail with versions after 1.45. I was able to do it with 1.47 though. An alternative to this method would be to connect the hard disk to a second machine, which can mount the Linux file system, and replace the root password there. Transfer the firmware into the share folder on the LinkStation.
$ ftp mylinkstation Connected to 192.168.0.9. 220 BUFFALO FTP server ready Name (192.168.0.9:user): Besucher 331 Password required for Besucher. Password: 230 User Besucher logged in. Remote system type is UNIX.
Using binary mode to transfer files. Ftp cd share 250 CWD command successful. Ftp put u-boot-hd.flash.bin local: u-boot-hd.flash.bin remote: u-boot-hd.flash.bin 229 Entering Extended Passive Mode ( 1045 ) 150 Opening BINARY mode data connection for u-boot-hd.flash.bin 100%. 170 KiB 6.07 MiB/s 00:00 ETA 226 Transfer complete. 174640 bytes sent in 00:00 (4.86 MiB/s) ftp quit The next step is dangerous.
Any fault, like a wrong firmware or an interrupted flashing process, will turn your LinkStation into a brick. The boot loader firmware can be accessed from Linux through /dev/fl2. There is no dd so we will use cat. Log in as root on the serial console, go to the shared folder where we uploaded the new firmware and flash it. Root@BUFFALO:# cd /mnt/share root@BUFFALO:/mnt/share# ls -l total 176 -rw-rw-rw- 1 Besucher hdusers 174640 May 13 15:43 u-boot-hd.flash.bin root@BUFFALO:/mnt/share# cat u-boot-hd.flash.bin /dev/fl2 The Diag and Disk Full LEDs will flash red during this process.
This is normal. After a few seconds the LEDs are off again and the prompt returns. To make sure the process was successful, you should reread the firmware from the flash and compare it with the original. Therefore you have to download the new image, as this Linux installation also got no cmp. Root@BUFFALO:/mnt/share# cat /dev/fl2 /mnt/share/newfl2 Here the downloaded image differs at character 174641. But that is ok, because the firmware is only 174640 bytes large and we downloaded the whole flash contents. $ cmp -l newfl2 u-boot-hd.flash.bin cmp: EOF on u-boot-hd.flash.bin: char 174641, line 891 Reboot your LinkStation and cross fingers.
When all went well, the following lines will appear on your serial console: U-Boot 1.1.4 LiSt 2.1.0 (Sep 21 2006 - 00:22:56) LinkStation / KuroBox CPU: MPC8245 Revision 1.4 at 196.608 MHz: 16 kB I-Cache 16 kB D-Cache DRAM: 64 MB FLASH: 4 MB. Warning - bad CRC, using default environment 00 0b 1317 0985 0200 ff 00 0c 1095 0680 0101 ff 00 0e 1033 0035 0c03 ff 00 0e 1033 0035 0c03 ff 00 0e 1033 00e0 0c03 ff Net: COMET#0 This precompiled U-Boot defaults to the netcat console. So we have to wait about 20 seconds before an error is printed and the console returns to serial. Nextconschoice: Unexpected code: 0x33 stdin: serial stdout: serial stderr: serial IDE: Bus 0: OK Device 0: Model: SAMSUNG SP1604N Firm: TM100-30 Ser#: S013J20XC0xxxx Type: Hard Disk Supports 48-bit addressing Capacity: 152627.8 MB = 149.0 GB (312581808 x 512) Boot in 08 seconds ('s' to stop).
Here you should press s to stop booting and change some environment variables to make U-Boot default to serial. = run ser = setenv bootcmd = setenv bootdelay -1 = saveenv Enter reset to reboot into interactive mode with serial console. At this point we no longer need the original Linux installation and we are ready for NetBSD. The altboot bootloader The altboot(8) program functions as a bridge between the U-Boot firmware and the NetBSD kernel startup environment.
NAS firmware often provides no means to boot a kernel from disk or from the network and doesn't initialize all hardware correctly. We will also use it to pass a bootinfo list to the kernel. The altboot boot loader has to be loaded and started using U-Boot. For the first installation we have to load it over the network with TFTP protocol, using the command tftpboot. Later we can put altboot into the flash memory and copy it from there. When not already done, enable TFTP on your working system in /etc/inetd.conf and restart inetd.
Then copy altboot.bin from the sandpoint distribution into /tftpboot. On the LinkStation we have to tell U-Boot its client address and the tftpd server address.
Our working system's server address is 192.168.0.5 in this example, and the LinkStation is at 192.168.0.102. = setenv ipaddr 192.168.0.102 = setenv serverip 192.168.0.5 = saveenv Saving Environment to Flash. Un-Protected 1 sectors Erasing Flash. Flash erase: first = 54 @ 0xfff60000 last = 54 @ 0xfff60000 Flash erase: Done Erased 1 sectors Writing to Flash. Done Protected 1 sectors Load altboot.bin into memory.
The binary is relocated at 0x1000000, so type: = tftpboot 1000000 altboot.bin Using COMET#0 device TFTP from server 192.168.0.5; our IP address is 192.168.0.102 Filename 'altboot.bin'. Load address: 0x1000000 Loading: ############## done Bytes transferred = 70844 (114bc hex). Post installation steps After a successful installation you want to make the system boot standalone when switched on, without the need for a serial console. So you have to modify the bootcmd in U-Boot's environment and write the altboot.bin binary to the Flash ROM. On the LinkStation and KuroBox the last 128K or the Flash ROM are known to be unused, so we can put altboot there. Load altboot.bin into memory at 0x1000000 again, as explained above, and execute the following commands to write it to Flash ROM: = protect off fffe0000 +20000 Un-Protected 9 sectors = erase fffe0000 +20000 Flash erase: first = 62 @ 0xfffe0000 last = 70 @ 0xffffe000 Flash erase: Done Erased 9 sectors = mw.b 1000000 ff 20000 = tftp 1000000 altboot.bin Using COMET#0 device TFTP from server 192.168.0.5; our IP address is 192.168.0.102 Filename 'altboot.bin'.
Load address: 0x1000000 Loading: ############## done Bytes transferred = 70844 (114bc hex) = cp.b 1000000 fffe0000 20000 Copy to Flash. Done = cmp.b 1000000 fffe0000 20000 Total of 131072 bytes were the same = protect on fffe0000 +20000 Protected 9 sectors = reset Finally adapt the bootcmd environment string to autoboot altboot and start the netbsd kernel (which is the default name) from wd0 on each reboot: = setenv bootcmd cp.b fffe00 20000; go 1000000 wd0:netbsd = setenv bootdelay 3 = saveenv The is important for setenv not to misinterpret the; as the end of the command. Have fun with your mini NetBSD server!
Disassemble the HD-HLAN Unfortunately the LinkStation was not meant to be opened by customers, so Buffalo didn't make it easy. On the top and bottom of the case there is a small tab besides the grey frame, which you have to press down (e.g. With a screwdriver) to be able to move the frame to the front. On the photo below the location is marked red. After a few millimeters the grey piece snaps free and comes up. You need quite some force to do that, because the shiny front bezel is secured by two hidden screws (one in the top and another in the bottom of the bezel).
With enough force and skill you may be able to tear the screws out of the case (fortunately the screws are small). They remain in the shiny bezel. You may want to shorten the screws with a file now. Before the case can be opened you have to remove a screw hidden under a sticker, below the fan (marked on the right side of the picture).
Documentation
Then press the four tabs on the top and bottom to remove the upper half of the case. Remove another four screws to be able to lift the board. Getting root access We need root access on the vendor's Linux installation to be able to flash a new firmware. Without the original disk it will become much more difficult. You would either have to find a way to install the system onto a new disk with the help of a second machine, or use the JTAG port to flash the new firmware directly into the chip (in the last case you can skip all sections until ). For the KuroBox you can skip this section. The root password is known to be kuro.
Downloads
Also telnet access is enabled. The default IP of the KuroBox is 192.168.11.150. Make a new user over the LinkStation's web interface. We can use it to log in over the serial port. Log in into the new account and create a CGI file under /www which makes /etc/passwd writeable for all users. Link Station series HD-HLAN (HIDETADA) BUFFALO login: Besucher Password: Linux (none) 2.4.17mvl21-sandpoint #990 2004xxxx 13:39:00 JST ppc unknown Besucher@BUFFALO:$ mkdir /www/cgi-bin3 Besucher@BUFFALO:$ vi /www/cgi-bin3/exploit.cgi exploit.cgi should look like this: #!/bin/sh chmod 666 /etc/passwd Then enter the URL into your browser. When all went well, /etc/passwd is writeable now.
Edit it with vi and copy your user password ( /Jg58Gq9427qY in this example) over the current root password. Now you can log in with the same password into the root account. Root:dwqa1LabM8BgA:0:0:root:/root:/bin/bash bin:.:1:1:bin:/bin: daemon:.:2:2:daemon:/usr/sbin: sys:.:3:3:sys:/dev: adm:.:4:4:adm:/var/adm: sync:.:6:8:sync:/bin:/bin/sync shutdown:.:7:9:shutdown:/sbin:/sbin/shutdown halt:.:8:10:halt:/sbin:/sbin/halt operator:.:12:0:operator:/root: ftp:.:15:14:ftp:/usr/sbin:/bin/false nobody:.:99:99:nobody:/home:/bin/sh Besucher:/Jg58Gq9427qY:101:1000::/home:/bin/bash The CGI exploit, which I described above, probably does not work with all Linkstation firmware releases.
It may fail with versions after 1.45. I was able to do it with 1.47 though. An alternative to this method would be to connect the hard disk to a second machine, which can mount the Linux file system, and replace the root password there. Transfer the firmware into the share folder on the LinkStation. $ ftp mylinkstation Connected to 192.168.0.9.
220 BUFFALO FTP server ready Name (192.168.0.9:user): Besucher 331 Password required for Besucher. Password: 230 User Besucher logged in. Remote system type is UNIX.
Using binary mode to transfer files. Ftp cd share 250 CWD command successful. Ftp put u-boot-hd.flash.bin local: u-boot-hd.flash.bin remote: u-boot-hd.flash.bin 229 Entering Extended Passive Mode ( 1045 ) 150 Opening BINARY mode data connection for u-boot-hd.flash.bin 100%. 170 KiB 6.07 MiB/s 00:00 ETA 226 Transfer complete. 174640 bytes sent in 00:00 (4.86 MiB/s) ftp quit The next step is dangerous. Any fault, like a wrong firmware or an interrupted flashing process, will turn your LinkStation into a brick. The boot loader firmware can be accessed from Linux through /dev/fl2.
There is no dd so we will use cat. Log in as root on the serial console, go to the shared folder where we uploaded the new firmware and flash it. Root@BUFFALO:# cd /mnt/share root@BUFFALO:/mnt/share# ls -l total 176 -rw-rw-rw- 1 Besucher hdusers 174640 May 13 15:43 u-boot-hd.flash.bin root@BUFFALO:/mnt/share# cat u-boot-hd.flash.bin /dev/fl2 The Diag and Disk Full LEDs will flash red during this process. This is normal. After a few seconds the LEDs are off again and the prompt returns. To make sure the process was successful, you should reread the firmware from the flash and compare it with the original.
Therefore you have to download the new image, as this Linux installation also got no cmp. Root@BUFFALO:/mnt/share# cat /dev/fl2 /mnt/share/newfl2 Here the downloaded image differs at character 174641. But that is ok, because the firmware is only 174640 bytes large and we downloaded the whole flash contents. $ cmp -l newfl2 u-boot-hd.flash.bin cmp: EOF on u-boot-hd.flash.bin: char 174641, line 891 Reboot your LinkStation and cross fingers. When all went well, the following lines will appear on your serial console: U-Boot 1.1.4 LiSt 2.1.0 (Sep 21 2006 - 00:22:56) LinkStation / KuroBox CPU: MPC8245 Revision 1.4 at 196.608 MHz: 16 kB I-Cache 16 kB D-Cache DRAM: 64 MB FLASH: 4 MB.
Warning - bad CRC, using default environment 00 0b 1317 0985 0200 ff 00 0c 1095 0680 0101 ff 00 0e 1033 0035 0c03 ff 00 0e 1033 0035 0c03 ff 00 0e 1033 00e0 0c03 ff Net: COMET#0 This precompiled U-Boot defaults to the netcat console. So we have to wait about 20 seconds before an error is printed and the console returns to serial. Nextconschoice: Unexpected code: 0x33 stdin: serial stdout: serial stderr: serial IDE: Bus 0: OK Device 0: Model: SAMSUNG SP1604N Firm: TM100-30 Ser#: S013J20XC0xxxx Type: Hard Disk Supports 48-bit addressing Capacity: 152627.8 MB = 149.0 GB (312581808 x 512) Boot in 08 seconds ('s' to stop).
Here you should press s to stop booting and change some environment variables to make U-Boot default to serial. = run ser = setenv bootcmd = setenv bootdelay -1 = saveenv Enter reset to reboot into interactive mode with serial console.
At this point we no longer need the original Linux installation and we are ready for NetBSD. The altboot bootloader The altboot(8) program functions as a bridge between the U-Boot firmware and the NetBSD kernel startup environment. NAS firmware often provides no means to boot a kernel from disk or from the network and doesn't initialize all hardware correctly. We will also use it to pass a bootinfo list to the kernel. The altboot boot loader has to be loaded and started using U-Boot.
For the first installation we have to load it over the network with TFTP protocol, using the command tftpboot. Later we can put altboot into the flash memory and copy it from there.
When not already done, enable TFTP on your working system in /etc/inetd.conf and restart inetd. Then copy altboot.bin from the sandpoint distribution into /tftpboot. On the LinkStation we have to tell U-Boot its client address and the tftpd server address.
Our working system's server address is 192.168.0.5 in this example, and the LinkStation is at 192.168.0.102. = setenv ipaddr 192.168.0.102 = setenv serverip 192.168.0.5 = saveenv Saving Environment to Flash. Un-Protected 1 sectors Erasing Flash. Flash erase: first = 54 @ 0xfff60000 last = 54 @ 0xfff60000 Flash erase: Done Erased 1 sectors Writing to Flash. Done Protected 1 sectors Load altboot.bin into memory.
Buffalo Americas
The binary is relocated at 0x1000000, so type: = tftpboot 1000000 altboot.bin Using COMET#0 device TFTP from server 192.168.0.5; our IP address is 192.168.0.102 Filename 'altboot.bin'. Load address: 0x1000000 Loading: ############## done Bytes transferred = 70844 (114bc hex). Post installation steps After a successful installation you want to make the system boot standalone when switched on, without the need for a serial console. So you have to modify the bootcmd in U-Boot's environment and write the altboot.bin binary to the Flash ROM. On the LinkStation and KuroBox the last 128K or the Flash ROM are known to be unused, so we can put altboot there.
Load altboot.bin into memory at 0x1000000 again, as explained above, and execute the following commands to write it to Flash ROM: = protect off fffe0000 +20000 Un-Protected 9 sectors = erase fffe0000 +20000 Flash erase: first = 62 @ 0xfffe0000 last = 70 @ 0xffffe000 Flash erase: Done Erased 9 sectors = mw.b 1000000 ff 20000 = tftp 1000000 altboot.bin Using COMET#0 device TFTP from server 192.168.0.5; our IP address is 192.168.0.102 Filename 'altboot.bin'. Load address: 0x1000000 Loading: ############## done Bytes transferred = 70844 (114bc hex) = cp.b 1000000 fffe0000 20000 Copy to Flash. Done = cmp.b 1000000 fffe0000 20000 Total of 131072 bytes were the same = protect on fffe0000 +20000 Protected 9 sectors = reset Finally adapt the bootcmd environment string to autoboot altboot and start the netbsd kernel (which is the default name) from wd0 on each reboot: = setenv bootcmd cp.b fffe00 20000; go 1000000 wd0:netbsd = setenv bootdelay 3 = saveenv The is important for setenv not to misinterpret the; as the end of the command. Have fun with your mini NetBSD server!