Monday, 23 December 2013

Installing Linux on ZyXel NSA-320 - Part 2 - Making a USB serial cable

You can fly blind with this project, but it's so much easier and faster to fly with your eyes open, so making a serial cable to connect to the serial interface on the ZyXel is a no-brainer; especially since you can make a cable for less than £5.  If you are willing to partake in some risky business, then skip the cable guide and proceed to part 3, where you can try installing Arch-Linux on your NSA-320.

The Cable

I used the NAS Central guide to using a Nokia serial cable for a Buffalo LinkStation to construct a USB serial cable from a Nokia CA-42 cable.  The guide describes how to attach/solder the cable to the motherboard of the Buffalo LinkStation, because the LinkStation doesn't have a serial connector attached to the board.  However, the NSA-320 does have a serial connector, in the form of a set of four jumper pins.  The reason for using this cable in particular, is it has a micro-controller built into the USB connector that acts as a transceiver for the high USB voltages, into the 3V signals present on serial interfaces.  This is important, since it will prevent you from sending 5 volts from your USB port into the serial interface of the SoC on your NSA-320, potentially frying it.  This is the cable I used, that I purchased from Amazon:

Nokia-CA-42-Connectivity-Adapter-Cable

The Connector

So following the guide, you cut the Nokia attachment off the end of the cable, since that is the bit you won't be needing.  In place of the connector, you need to attach four female jumper pins or jumper wires.  I used wires and just soldered the wires together, wrapping insulating table between each wire.  Be sure to use coloured wires that match the original Nokia wire colours.  This will help you make sense of the wires later on.  I used something like this:

Solderless-Flexible-Breadboard-Jumper-Cable

Obviously, you get a lot of wires and there are connectors at both ends.  You just need to pick the four most appropriate wires, by colour.  Then cut them in half and remove some of the insulation to expose the copper wire that you will solder to the wires on your Nokia cable.

Finding TX, RX and GND

This is supposed to be a fairly trivial task.  The guide above tells you to use a voltage meter to work out what wires are what, but this didn't help me at all, since I got a signal on only one wire and the ground.  Instead, I went for pot luck and used minicom to work out what my GND, TX, and RX wires were.  You will notice a spare wire, which is not required for a serial connection, so you just leave it disconnected from the NSA-320.  You can put a jumper on it or tape it off with insulation tape once you have worked out what it is.

So if like me, you aren't having much luck with the voltage meter, or you don't have a voltage meter.  Fear not, you can quite safely short out some pins on the connector to work out what's what.  Worst case scenario, you will short out the transceiver and need to buy another cable.  Good news, the transceiver will prevent you from shorting out your USB port, so will protect your PC from any such short comings.  Saying that, I've never managed to damage the transceiver, given that the serial connection end is only operating at 3 volts.  Before you get trigger happy shorting out wires though, think about the cable colours.  Even though cable colours are different for each cable (mine most certainly didn't match the guide on NAS central), they will definitely follow the basic wiring paradigm.  Usually reds/browns indicate positive charge, green is most certainly a receiver (RX) while black/blue is generally GND.  If you can establish that you have a black or blue wire with a green wire and two others your are not quite so sure of, you can find the TX wire by shorting each of the remaining wires with the RX wire one at a time, using minicom to check whether you have found the right one.

So hook up your USB cable to your PC/laptop and run minicom from a terminal, attaching it to the USB device your just connected.  If you're not sure, run dmesg to look for messages about a TTY device.  My device appeared as /dev/ttyUSB0.  Run it as root.  It's worth noting that this is just my really hacky, lazy, CBA method for finding the TX and RX connectors and does require a lot of guess work and a little common-sense.  However, you can be far more professional about it and use a voltage meter as I mentioned before.  The guide on NAS Central covers this already and will assist you, should you wish to do things properly.  If however, you want to take a more cowboy like approach, follow my lead :-)

The general idea is that by shorting out the TX/RX pins, your will create a loop-back serial cable.  This means that what you type will be echoed back to the terminal should you find the right TX wire and short it with your RX wire.  At this point you don't need GND.

You may find that you also get other characters printed out, mostly non-printable characters.  But as long as you get back the characters that your type as well, you can be sure you have found the right ones.  The extra characters are the result of interference coming from the lack of resistance between the RX and TX wires.  You can add a resistor if you like, but it really isn't that important, especially not for a £5 cable.

This is how mine looks, with the pin configuration and the coloured wires matching the original Nokia wiring.  The unlabelled red wire is not required and can be considered redundant.  You need only connect the GND, RX and TX connectors to the NSA-320.


Here is a video demonstration of the lazy approach to finding TX and RX on your connector, before you potentially fry the serial interface on your NSA-320.

You have every opportunity to do it properly, so you can still turn back.  If you're feeling lucky...



Connecting it all together

Once you know what wires are what, make a note of the colours and you can safely power off your NSA-320 and connect the serial cable to the serial interface.  Disconnect it from your PC first, then once everything is connected, connect it back up to your PC.  Here is the pin configuration on the NSA-320.  Note that the VCC connection is not required, since USB serial cables are powered by the USB port of the PC.  Also notice that there is a blank between the TX/RX pins and the GND.  This helps identify which is which.  Just remember that the GND is on its own.



Once you've hooked it up, run minicom as described above and power on your NSA-320; you should immediately see the boot sequence being output in the minicom terminal.  It should also now accept input from your terminal and respond to key-presses.

I will be following up soon with how to get ArchLinux installed and set up, and how to overcome some of the common issues with ArchLinux straight out of the box.

Sunday, 1 December 2013

Installing Linux on ZyXel NSA-320 - Part 1 - Telnet back door

My MK802 finally gave up on me.  It lasted a while, with the modifications I made to provide it with adequate cooling in order to operate around the clock.  But a few weeks ago it went down and never came back.  There seems to be some issue with power, where it will only last for about 10 or so seconds before it fills the syslog with spurious errors and then dies.  Booting the OS on another device shows there is nothing wrong with the OS or SD card image, so it must be hardware.  Anyway, on to matters at hand.  So now I have just picked up a brand new ZyXel NSA-320 for £60.  It is actually a very nice piece of kit on its own, with lots of features.  But I want NIS and NFS, with support for EXT journalling file systems, so will be going back down the path of my old Buffalo NAS and flashing it.

Here is the ZyXel NSA-320 in all its glory.  To give you a feel for its size, that's a 3.5 HDD with an external 2.5 HDD.  The ZyXel supports two internal 3.5 SATA HDD, has 512 MB ram, 128 MB of flash and a 1.2 GHz ARM926EJ-S CPU.  So only 300 MB less on RAM than the MK802, but makes up for it in lots of other ways.  For £60 this thing is a beast!



First off, in order to flash it, we need to get a root telnet session on the box.  This is actually really simple, taking advantage of the development telnet back door.  Typically, everything like this sort of device will have a back door of some description, since there needs to be a way of debugging devices in test harnesses when they go wrong.  Test harnesses typically have to run the releasable software/hardware, otherwise it's not really a valid test.  If something goes wrong and it's not reproducible and you have no way of logging on to investigate the failure, you have a potential PR disaster on your hands.  So, pave the way to the inevitable back doors!

The back door on this can be enabled by logging onto the device web interface in administrator mode.  Make a note of the path element I have highlighted with a red circle; you will need this to enable the telnet back door.



Having just logged in and using that part of the path, access the following URL (substituting accordingly):  http://10.42.0.48/r38571,/adv,/cgi-bin/remote_help-cgi?type=backdoor


After this, you will get a blank screen and the back door will be accessible for a limited time:


Now for the fun part.  The login is not simply the login you used for the web interface, it is a hash of the device's MAC address, but using a special ARM binary found on the NSA-320 itself.  So catch 22, you need to get access to the NSA-320 in order to get access to the NSA-320.  Fortunately, I have a work around, since you can download the utility and run it with qemu-arm.  You just need your device's MAC address, which is on the system status page of the administration web interface.  Ensure you use a capitalised MAC address, since anything else will result in a different hash.

Download the makekey utility here: makekey utility

Install qemu and libc6-dev-armel-cross, then ensure you have qemu-arm available at your disposal.  To get the "root" password, run the makekey like so:


Armed with your privileged user's password, you can log into the telnet back door.  Repeat the process above and get the telnet session open, then login with the user: NsaRescueAngel


And there you have it, a privileged BusyBox shell on your NSA320.  I will post a follow up demonstrating how to use the boot loader to boot your preferred ARM Linux distribution.