Sunday 1 December 2013

Installing Linux on ZyXel NSA-320 - Part 1 - Telnet back door

My MK802 finally gave up on me.  It lasted a while, with the modifications I made to provide it with adequate cooling in order to operate around the clock.  But a few weeks ago it went down and never came back.  There seems to be some issue with power, where it will only last for about 10 or so seconds before it fills the syslog with spurious errors and then dies.  Booting the OS on another device shows there is nothing wrong with the OS or SD card image, so it must be hardware.  Anyway, on to matters at hand.  So now I have just picked up a brand new ZyXel NSA-320 for £60.  It is actually a very nice piece of kit on its own, with lots of features.  But I want NIS and NFS, with support for EXT journalling file systems, so will be going back down the path of my old Buffalo NAS and flashing it.

Here is the ZyXel NSA-320 in all its glory.  To give you a feel for its size, that's a 3.5" HDD with an external 2.5" HDD.  The ZyXel supports two internal 3.5" SATA HDDs, has 512 MB RAM, 128 MB of flash and a 1.2 GHz ARM926EJ-S CPU.  So only 300 MB less on RAM than the MK802, but makes up for it in lots of other ways.  For £60 this thing is a beast!



First off, in order to flash it, we need to get a root telnet session on the box.  This is actually really simple, taking advantage of the development telnet back door.  Typically, devices of this sort will have a back door of some description, since there needs to be a way of debugging devices in test harnesses when they go wrong.  Test harnesses typically have to run the releasable software/hardware, otherwise it's not really a valid test.  If something goes wrong and it's not reproducible and you have no way of logging on to investigate the failure, you have a potential PR disaster on your hands.  So, pave the way to the inevitable back doors!

The back door on this can be enabled by logging onto the device web interface in administrator mode.  Make a note of the path element I have highlighted with a red circle; you will need this to enable the telnet back door.



Having just logged in and using that part of the path, access the following URL (substituting accordingly):  http://10.42.0.48/r38571,/adv,/cgi-bin/remote_help-cgi?type=backdoor


After this, you will get a blank screen and the back door will be accessible for a limited time:


Now for the fun part.  The login is not simply the login you used for the web interface; it is a hash of the device's MAC address, produced by a special ARM binary found on the NSA-320 itself.  So, catch-22: you need to get access to the NSA-320 in order to get access to the NSA-320.  Fortunately, I have a workaround, since you can download the utility and run it with qemu-arm.  You just need your device's MAC address, which is on the system status page of the administration web interface.  Ensure you use a capitalised MAC address, since anything else will result in a different hash.

Download the makekey utility here: makekey utility

Install qemu and libc6-dev-armel-cross, then ensure you have qemu-arm available at your disposal.  To get the "root" password, run the makekey like so:


Armed with your privileged user's password, you can log into the telnet back door.  Repeat the process above and get the telnet session open, then log in with the user: NsaRescueAngel


And there you have it, a privileged BusyBox shell on your NSA320.  I will post a follow up demonstrating how to use the boot loader to boot your preferred ARM Linux distribution.
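
The enabling request described above has a recognisable shape, so it can be flagged in HTTP logs. The following is an added example, not part of the original post: it assumes Common Log Format lines from a proxy sitting in front of the NAS, and the sample lines and the function name `find_backdoor_requests` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines (Common Log Format). Assumption: they come from a
# proxy in front of the NAS, not from the NSA-320 itself.
SAMPLE_LOG = """\
10.42.0.17 - - [01/Dec/2013:10:02:11 +0000] "GET /r38571,/adv,/index.html HTTP/1.1" 200 5120
10.42.0.17 - - [01/Dec/2013:10:02:40 +0000] "GET /r38571,/adv,/cgi-bin/remote_help-cgi?type=backdoor HTTP/1.1" 200 0
10.42.0.23 - - [01/Dec/2013:10:06:30 +0000] "GET /r40001,/adv,/cgi-bin/remote%5Fhelp-cgi?type=backdoor HTTP/1.1" 200 0
10.42.0.23 - - [01/Dec/2013:10:07:00 +0000] "GET /search?q=remote_help-cgi%3Ftype%3Dbackdoor HTTP/1.1" 200 812
"""

# client, timestamp, method, request target, status
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def find_backdoor_requests(log_text):
    """Return one dict per request that targets remote_help-cgi with type=backdoor."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        client, when, _method, target, status = m.groups()
        url = urlsplit(target)
        # The per-session path prefix (r38571 in the post) changes, so compare
        # only the final path segment, decoded so %5F-style encoding still matches.
        last_segment = unquote(url.path).rsplit("/", 1)[-1]
        # Parse the query properly: the string appearing inside some other
        # parameter's value (the /search line above) must not count as a hit.
        params = parse_qs(url.query)
        if last_segment == "remote_help-cgi" and "backdoor" in params.get("type", []):
            hits.append({"client": client, "time": when,
                         "status": int(status), "path": url.path})
    return hits


if __name__ == "__main__":
    for hit in find_backdoor_requests(SAMPLE_LOG):
        print(f'{hit["time"]}  {hit["client"]}  {hit["status"]}  {hit["path"]}')
```

A hit followed by a new listener on TCP port 23 on the same device is the pattern to alert on, since the post notes the back door only stays open for a limited time after the request.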

12 comments:

  1. Thanks! Do you have the follow up ready as yet?

  2. Not yet. It hasn't gone entirely to plan, since I've had to settle for an ArchLinux ARM distro, since the chipset is a Kirkwood chipset, not currently supported by any other distros. I will post details soon.

  3. Hey, great info, did you manage to install Archlinux on this device?
    I am up for doing it, but I am not sure: do I really need to buy a USB/RS232 adapter?

  4. You don't need a proper RS232. You can just use a Nokia cable and fit some jumpers to the end of the wires. There are lots of tutorials, but I may post my tutorial since my Nokia lead had different coloured wires. I had to do the short out test to create a simple loop back serial cable, to identify the RX/TX wires. The cable itself only cost about £5. Definitely worthwhile, otherwise you're driving in the dark.

    Replies
    1. Hi, do you think that this cable will do the job?
      http://www.amazon.co.uk/StarTech-RS232-Serial-Adapter-Cable/dp/B000067SNB/ref=sr_1_2?ie=UTF8&qid=1387539688&sr=8-2&keywords=usb+rs232+usb

    2. I used this cable:

      http://www.amazon.co.uk/Nokia-CA-42-Connectivity-Adapter-Cable/dp/B0006N2DJC/ref=sr_1_1?s=electronics&ie=UTF8&qid=1387540517&sr=1-1&keywords=Nokia+CA-42

    3. How did you manage to connect it to the NSA320? Can you post any clues?

    4. You need to cut the Nokia connector off and expose the wires. Then attach some PCB jumper pins to the wires. There is a serial connector on the PCB when you take the case apart. If you wait for my cable tutorial, I'll post pictures of how to know what wires to connect to each PIN.

      Take a look at:

      http://buffalo.nas-central.org/wiki/Use_a_Nokia_Serial_Cable_on_an_ARM9_Linkstation

    5. Thanks a lot! I will wait for your tutorial before I take any actions. The NSA320 seems to be a low-cost solution for a home NAS server, but I would like to run Archlinux on it to take full control and have more fun with it.

    6. The cable guide with links to other guides.

      http://mud-slide.blogspot.co.uk/2013/12/installing-linux-on-zyxel-nsa-320-part_722.html

  5. Hi,
    In another forum thread the writer said that you use your administrator id and password to get root access as of firmware version 4.40. Is this not true?

    Replies
    1. Here's the URL of the thread I mentioned. It looks like I wasn't entirely accurate -- you log in as root, and use the "default" admin password. However, if you have changed the default admin password, it might not work -- read the forum post for details: http://zyxel.nas-central.org/wiki/Telnet_backdoor
