Linux on the NSLU2

Linux on the NSLU2

+


Jim Buzbee
Last updated, Oct 10 2010

I'm using this page is to collect information on the Linksys NSLU2. It's a tiny Linux-based network storage device that can be had for less than $100. This device appears to have a lot more potential than the stock firmware allows. Let's see what we can do with it.

Update: This page has evolved quite a bit over the last couple of years. I started it to document hacks on the NSLU2, but nowadays, there are much better places to get info. Instead, I've been using this page to list devices that I've had the privlege to do reviews on. Many of the devices I review run Linux and often times, I still try to look at the "hackability" of the device, so if that's what brings you here, read on!

Jim Buzbee


Updates



Mar 13 2011

I've been spending some time playing with Android. Lots's of fun! And now I have my first app written and available. It follows along the line of my iPhone app I wrote a while back. Unfortunately, Apple yanked that one from the store as I was being bad by reading photo files from the camera directory instead of going through the approved API to get them one by one. Anyway, my new Android app greatly expands on the original concept by using all sorts of content instead of just photos. I get the photos, RSS feeds, Flickr photos, Facebook feeds, Twitter feeds, etc, etc, etc. Anyway, check it out at: SocialMediaTicker.com and let me know what you think.

Jan 12 2011

Over the holdays I checked out a new Network Cam by DLink

Oct 10 2010

Here's a presentation I put together to talk about the Shell Injection types of flaws I've found in NAS devices.



April 3 2009

Check out my review of the Thecus M3800 where I found it to be a high-performance NAS box. During the review, I uncovered an exploitable root hole that any user could take advantage of. I notified Thecus and they put out a quick pach. But I just had to try again and quickly found another exploit that was only accessible to the admin user.

Jan 17 2009

I've been a bit busy trying my hand at writing an iPhone and iPod touch application. It's a bit of a different endeavor for me, but I had a good time doing it. The application was inspired by the AppleTV that I reviewed a while back. It doesn't make rude noises or calculate your tips for you, but you can check it out here.

Here's a review of the Mvix MvixBOX. It was an interesting little box, but a bit slow. It came with a ssh server built-in so no hacking required!

23 Dec 2008

I've been a bit behind in updating this page with some of my later reviews, so here's a few.
  • Here's a review of the Sans Digital MNL4+. It had some interesting feaures such as firewire and VGA, and it had good performance, but it was a big buggy. This box came with SSH support built-in, so it was no challenge to get a command line :-(
  • In a review of the Iomega StorCenter ix2 I found a gapping security hole that allowed me to "get root" on the box from any box on the LAN. After notifying Iomega, they released a new firmware that patched the hole.
  • I just finished an article entited How To Install Debian on the QNAP TS-209 Pro using the new support for the Marvell Orion architecture in Debian.


3 Oct 2008

I recently reviewed an interesting little device. The ScreenPlay hooks up to an external USB drive and your TV, allowing play back of movies, pictures and music. Most of its capabilities were so-so, but the one nice thing it did do was allow you to play back ripped DVDs with complete functionality such as menus, extras, chapters, etc. And it was only $100 or so.

18 June 2008

This week I reviewed a D-Link DPG-1200 which was a remote-display type of device for Windows computers. Even though it was Windows-only, it ran Linux internally and I got root on it (no hard task on this one!). Read the review here

In other news, I gave a Slug presentation to the Boulder Linux Users group last week. The title of my presentation was Is That a LAMP in your Pocket?. If you're interested, the pdf version of the presentation is available here.

28 May 2008

Time for a new review. I just finished up checking out a Trendnet TS-S402. It was an OK little box, but it had some issues. But on the bright side, I was able to hack into it for a root shell. So if you're into that, maybe it's worth a look.

08 Mar 2008

I just reviewed the ZyXEL NSA-220 . I found it to be a nice little box with an attractive UI and built-in Bittorrent capabilities. In the time I had to do the review, I didn't get command-line access, but I did see that it's running a getty on a serial console. With a bit more time, I suspect that one could hook up a serial adaptor and get in.



22 Jan 2008

My brother Bill has taken up with the NSLU2 crowd. Check out his page, and read about his extreme hobby of building a computer from scratch. Really from scratch.

16 Jan 2008

My latest review is on the Promise SmartStor. It was a fairly inexpensive RAID 5 capable box. To explore it further, I exploited a cgi hole to get a shell with full root access.

I'm now playing around a bit with setting up a home weather station - driven by my Slug of course. You can see the page here, although I'll probably be bringing it up and down as I see what I can do with it.

And I have a couple of more reviews lined up. Stay tuned...

6 Oct 2007

I have a review up of the Qnap TS-209 Pro. I like this box quite a bit. It came with good performance and a lot of features including MySql, PHP, rsync, and an SSH server - no hacking required. You can read the review here.


If you're looking for something cheaper, I reviewed the Iomega 1 TB StorCenter. You can find this box on-line for well under $400. I also hacked a root shell on this one for a little bit more flexibility.

24 July 2007

My new review on Hacking the Apple TV is up. With a few simple hacks, this little box is playing about every file I have in my library. After I finished the review, an update to the nitoTV plugin was released that plays back ripped DVDs using the Apple DVD Framework. This means complete menu support and navigation from DVD images stored on NAS devices like the NSLU2. Very Cool, and an incentive for me to finally start ripping my entire DVD library.

22 July 2007

A few weeks back, I got a Father's-day present of a new Apple TV, and I've been having a lot of fun with it. I wrote a review of it last week in its off-the-shelf configuration. In a follow-up article, I'll be hacking it to add more functionality. The hacks for the Apple TV are quite nice and fit pretty seamlessly into the standard Apple TV structure. Out of the dozens of multimedia devices I've worked with, the Apple TV looks like the winner to me so far. And hacking new fuctionality into it, makes it even better. Stay tuned for my next Apple TV article.

Here's a review of Buffallo's new LinkTheater Wireless A&G Network Media Player. It didn't do much for me.


1 July 2007

Here are some more of my articles



28 October 2006

Here's some more of my articles

20 August 2006

Not much NSLU2 news from me, but I've been writing a bunch more reviews:

04 May 2006

My articles roll on. First up is a review of a Linux-based media-player, the Buffalo LinkTheater Mini. I think this device should be "hackable" because it boots a Linux image across the network. If a new image could be built for it, maybe additional functionality could be added. If something got messed up, you'd simply power-cycle to grab the old image. For less than $100 it could be an interesting device to play with. Next, I tried to build my own PVR based around the ADS Instant TV Deluxe.

16 April 2006

I have reveiw of the DSM-G600 up on TomsNetworking. It was an interesting little box based on the same chipset as the NSLU2. As well as Gigabit support, it also had wireless capabilities. As a proof of concept, I created and loaded a new firmware for it.

05 Mar 2006

I haven't updated this it awhile, because I've been quite busy writing. Here's the second part of my Home Audio Video Network article. I also wrote a review of a VOIP service. I found that router supplied with the servive was running VxWorks and I got a login prompt, but I didn't get in. Finally, I have a new review of Iomega's StorCenter with gigabit support. This one, like most, was running Linux. I was able to make use of another cgi flaw to "hack" into it enough to browse through the OS filesystem. So many devices, so little time... I'm currently in the middle of a review of another NAS device. I think I'll be able to get into it far enough to create a custom firmware. We'll see...

8 Jan 2006

I had an article published this week dealing with my entertainment center and how I integrated it into my home network using my NSLU2, my Kurobox, etc. The first article dealt with music, a follow up article will show how I am handling movies and still pictures. I'm also wrapping up a review of a VoIP service that's kind of interesting. I've toyed with VoIP before, but this is the first service I really tried out.

10 Dec 2005

I just finished my review of the TRENDnet TS U200. The TS-U200 is a device similar to the NSLU2 with Ethernet and two USB 2.0 ports. And like the NSLU2, I was able to "get root" on it by using a flaw on one of the configuration web pages.

19 Nov 2005

My review of the Yellow Machine is now up at TomsNetworking. The Yellow Machine is a Linux-based NAS device that supports RAID.

I'm currently wrapping up a review of a NAS comparable to the NSLU2. It's a tiny device that's similar to the wrt54g as well in that it has the same type of security hole. That hole allowed me to "get root" on this new device so I can install and run my own code. I hope to have the review done this week.

4 Oct 2005

I have a new review up on TomsNetworking.com. It's for a ADS NAS Kit. The interesting thing about this NAS is that it includes a built-in bittorrent client.

I've started working on a review of a high-end NAS unit that runs Linux, supports RAID 5, and even comes with a compiler so you can add whatever else you need. Stay tuned.

16 Sep 2005

My review of the LaCie Ethernet Mini is now up on TomsNetworking. It's an interesting little device that can be either a NAS or a USB external drive. Since it keeps its root filesystem on disk, It was fairly easy to hack into. I was able to fire up an inetd that I copied over from my Kuro Box. I didn't have a chance to get much further, but it wouldn't be hard to fully customize it.

9 Sep 2005

Taking a break from NAS devices (I now have eight on my LAN!), I just reviewed the Slingbox from Sling Media. It's a device that lets you view TV or any other video source across the Internet. It only has a client for Microsoft Windows at the moment, but Macintosh, Linux and others are promised in the future.

14 Aug 2005

My review of a high-end NAS is now up. Check it out to see how it compares to our $85 NSLU2. My review of the NAS that can be either a NAS or a external USB drive is about done. Of course it runs Linux, and I've been able to execute my own code on it which also makes it interesting. I hope to finish the review soon.

6 Aug 2005

I just finished a review of a $3000 NAS device, and it should be on-line soon. Find out how it compares to the $85 NSLU2. I'm also starting a review of another Linux-based NAS devices that does double-duty as an external USB 2.0 drive. So you can either hook it on your lan, or into your USB port for fast access.

14 July 2005

My reviews of NAS Devices continue over at TomsNetworking.com. I'm also working on a new release of my Batbox wrt54g distribution. I hope to have it out in the next couple of days

6 July 2005

I've upgraded my Maxtor Shared Storage with a custom firmware so I can add new functionality. The firmware adds a telnet daemon, but that's about it. The processor is a 300 Mhz Broadcom MIPS and is compatible with executables from the Linksys WRT54G. I've installed the full-featured busybox executable from my batbox distribution on it to give me a few more tools. I suspect that the ipkg repository from openwrt might be compatible with this box because they are both based on the same processor.

There has also been a hack announced for the Synology DS-101. This box uses the same processor as the NSLU2 but has 64MB of ram vs. 32 for the NSLU2. If I had time, I suspect that I could set up my DS-101 to use the NSLU2 ipkg repository.

12 June 2005

I've updated my NSLU2 to run off a USB flash disk, so now I have a LAMP server that fits in the palm of my hand, has no moving parts and uses just a few watts of power. I also starting a review of a couple more NAS units including one that doesn't appear to be running Linux. That's a first for me, all of the other ones I've looked at ran Linux. I hope to have the reviews done in the next week or so.

3 June 2005

I have a new review on TomsNetworking.com. In this review, I take a look at the Maxtor Shared Storage. For the hackers in the audience, this is an interesting NAS device. There's already a development community forming and a telnet-enabling firmware has been released. Even though Maxtor didn't enable it, the device has hardware support for encryption and RAID, so this box has some potential beyond the features that Maxtor has delivered.

26 May 2005

My latest NSLU2 article is now up on TomsNetworking.com. In this article, I walk through the process of installing a UPnP server on my NSLU2, so that it can server audio, pictures and movies to client devices. I'm also finished with a review of a new NAS device which should be posted in the next week or so.

With all of my spare time, I've been updating my NSLU2 with some new packages. I now have MySql up and running along with a PHP and Perl enabled thttpd. It works surprisingly well for a device with only 32 megs of ram. I'm using some custom perl scripts to update and manage all of the urls for batbox.org so finally I'm using my NSLU2 for something other then just hacking around!

I also picked up a cheap thumb drive so I'm toying with the idea of removing the hard-drive from my NSLU2 and only using the flash drive for storage. It should be plenty of space for how I use it. Lower power and silent with no moving parts.

14 May 2005

I've finished my NSLU2 article, and it should be posted soon. Now I'm working on a review of another NAS device that runs Linux internally like seemingly all of the other ones out there. It has an easily accessible serial connection that at least one person has used to get root on it. Details TBD.

8 May 2005

I'm finally getting back to my NSLU2, working on a new chapter in my NSLU2 series on TomsNetworking. Stay tuned for details.

30 Apr 2005

My review of the Buffalo LinkTheater is now on-line at TomsNetworking. The Link Theater is a networked DVD player with the ability to get content via either a custom server or a UPnP server. I was able to feed it content via my NSLU2 by using the twonkvision server. I also came across a server, wizd, that implements the custom protocol that the Link Theater uses. Wizd supports a number of different media players and it comes with source so it can be built for various boxes. I used it on my iBook and my Kuro Box but it could also be used with the NSLU2.

22 Apr 2005

I have a review of Simple Share, another Network Attached Storage device , up on TomsNetworking. This one was interesting in that it had hardware support for encryption and RAID. The unit ran Linux, (of course), and was based on a Broadcom reference design. I wasn't able to get root on it because once again, there was something non-standard about the (Reiser) filesystem. The Simple Share was also the first box I'd worked with that supported NFS, although it wasn't completely documented.

I just finished a review of a Networked DVD player that went fairly well. It supported UPnP, so I was able to use my NSLU2 as a source of content for it. I ripped several of my DVDs to DivX5 format and stored them on my NSLU2 for playback. This is a powerful combination. The video quality is good and the movies drop down in size to less than a gig and a half so you can store quite a few movies on a little box like the NSLU2. I just wish it were quicker to convert the movies. For me, a conversion was an overnight process. The review should be up fairly soon.

30 Mar 2005

I've finished my review of the Netgear MP-115 and it's now up at TomsNetworking. The MP-115 is a network-based multi media-player and is the follow-on to their MP-101 It uses the UPnP protocol, so I was able to run a Twonkyvision server on my NSLU2 to serve content to it. There were some incompatibilities between Twonky and the NSLU2, but hopefully these will get corrected either by Netgear or Twonkyvision. The Twonkyvision server running on my KuroBox fared better and was able to serve audio, video and pictures to the unit.

I've finished a review of another Network Attached Storage device that should be up on TomsNetworking shortly. It ran Linux of course, and had some interesting features such as hardware-based encryption, mirroring and RAID support. With that done, I'm starting to work on a review of a DVD player that has wired and wireless networking and also supports the UPnP protocol. There sure are a lot of interesting little devices around these days!

26 Feb 2005

My review of the DS-101 is now up at TomsNetworking. In the time I was playing with the unit I wasn't able to get root, although I still have some ideas when I get more time (Hah!). I'm currently working on a review of an Audio/Video unit that follows the UPNP protocol. I have it using my KuroBox as a server, but so far it doesn't recognize the server running on my NSLU2.

13 Feb 2005

I'm working on a review of another network storage box: The DS-100. It uses the same processor as the NSLU2 and I'll have some tests comparing the performance of the two. Stay tuned!

15 Jan 2005

I have a review of the Viewsonic WMG120 on TomsNetworking. It turns out to be a Linux box based on the same Intel IXDP425 processor as the NSLU2 and executables are compatible between the two boxes. While monitoring the network traffic between the WMG120 and its companion device, the Viewsonic WMA100, I learned enough to make the NSLU2 act as a server to the WMA100. And for good measure, I found a hack to turn the WMA100 into a web browser for your TV. It's all fun-and-games in the Buzbee house!

2 Jan 2005

The reviews roll on. This time I review the Viewsonic WMA100. It's a wireless media adaptor that can play music, videos and display pictures. I attempted to get it to work with the NSLU2, but I failed :-( But not to worry, I'm working on a follow-up article where I have better luck! Stay tuned.

24 Dec 2004

I'm continuing on with reviews. This time I took a look at the Keyspan Express Remote Control. I use it to control my Apple Airport Express that I'm using to play music from mt-daapd on my NSLU2. So the path to play a song is : IR remote sends play command to my Express Remote which is connected to my Airport Express via USB. The play command is then sent across my home network and then passed wirelessly via my Linksys wrt54g back to iTunes running on my iBook. Next iTunes sends a daap command wirelessly through my wrt54g and back to my wired network and on to mt-daapd on my NSLU2. Mt-daapd sends the requested music across my wired network and then wirelessly through my wrt54g back to iTunes on my iBook which encodes it. The encoded music is then sent wirelessly to my Airport Express via my wrt54g and my wired lan. The AirPort Express decodes the music and sends it through the audio output into my stereo. Got all that? Whew!

It's really a lot simpler than all of that. Most of it is auto-configuring, but it's interesting to think of all of the data paths that occur to play a simple song. I did a bit of network sniffing to see how commands are sent from the Airport Express to iTunes. From my limited understanding of the various protocols involved, the commands appear to be sent via the daap protocol from the Airport Express to iTunes. So I suppose that if someone were so inclined, it might be possible to write a remote-control program through a web interface and masquerade as an Express Remote to remotely control iTunes.

27 Nov 2004

I have a review of the Roku SoundBridge Network music player up on TomsNetworking. I discuss the issue of using the NSLU2 as a server for the SoundBridge. It's a killer combination. Using the two together, you can play your music library from the NSLU2 straight to your stereo without using your PC as a middleman.

3 Nov 2004

I have an article on the Kuro Box up on TomsNetworking. Now time to get back to the NSLU2!

10 Oct 2004

I have another article up on TomsNetworking regarding the Unslung firmware. I've also been playing around a bit with a Kuro Box which is a derivative of a LinkStation. So many toys, so little time...

26 Sep 2004

I'm continuing to explore the community developed Unslung firmware. It makes the addition of new packages easy. For example, it's a one-line command to download, install and configure a small ssh server. I've also acquired a Apple Airport Express to experiment with. Now I can play music from my NSLU2 to my stereo through the Airport Express using the previously ported mt-daapd iTunes server. I still have to use my iBook as a middle-man, but if the NSLU2 CPU can keep up, there's a program available that should allow a direct transfer from the NSLU2 to the Airport Express.

12 Sep 2004

I have another article up on TomsNetworking dealing with burning a custom firmware. I've also been experimenting with "Unslung", the community developed firmware that uses the hard drive as a root filesystem freeing up 10 meg of ram and providing an easy way to extend or modify the default behavior of the box. Yesterday I recieved a NSLU2 with a serial port. This will provide the ability to view boot-time messages from Linux making it easier to work with custom kernels. Thanks to the development community for providing me with this capability.

4 Sep 2004

Development continues at a furious pace on the NSLU2 making it hard to keep track of the progress. Watching the IRC channel devoted to the NSLU2, you can see development unfold in real time. The sun never sets on the NSLU2 development community. As it gets late (or early) in one part of the world, developers drop off only to be replaced by their counterparts in another time-zone. The power of open-source at its best.

One development in particular caught my eye last week. Using stock Linksys firmware you can now interrupt the boot process to boot (or burn) a user-defined kernel or ramdisk. No hardware modifications needed. There is apparently a window of a few seconds during the bootloader initialization where a telnet connection to the NSLU2 is possible on port 9000 of IP address 192.168.0.1. if you connect during this window, and then type a <cntrl> c, you'll get a RedBoot bootloader prompt. From the RedBoot prompt, you can load a new kernel/ramdisk from a tftp or a http server. You can then burn the new code to flash or boot it. This means that it is possbile to revive a box that had a bad flash load or it can be used just for experimenting with new kernels. Very powerful. For more details, check out the NSLU2 mailing list.

24 Aug 2004

I have a new article up on TomsNetworking dealing with porting an iTunes server to the NSLU2. You can download my package here

21 Aug 2004

Just a quick note. I created and burned a custom flash last night. The only difference between it and the standard Linksys flash is that I start up telnet, nfs, mt_daapd and ntpclient. In addition, I remove the SMB daemons to free up some ram. This is really only a stop-gap solution until we are able to boot a custom kernel. I also tried out the Fedora core 2 distro this morning. It's a user-space only distribution but it works! You just un-tar the distro and then chroot into it. This means among other things, that we can compile on the box itself which may help those packages that aren't easily cross-compiled. There are a number of RPM's available for it that I have not tried yet.

19 Aug 2004

Wow. It's been hard to keep up with the progress on this little box. There are now more than 400 people signed up on the NSLU2 developers mailing list. There are a number of distribution developers working to port their entire distribution to this platform. A port of Fedora was made available today. I'm a bit stunned... This box has picked up a lot of interest. Pick up yours now :-) Read the NSLU2 mailing list for details on all of the latest developments.

A developer on the mailing list found another way to access the passwd file without the need for removing the disk drive as was necessary with my method. This will make it very easy for everyone to play along. Read his instructions here


12 Aug 2004

There has been a lot of progress from the community working on the NSLU2 this week. It's now possible to write a modified flash to the device. This means automatic initialization of telnet, NFS and other processes. It also holds promise for getting rid of the ram disk used in the device and going to a more traditional hard drive based root filesystem. This will free up precious memory for additional processes. The other big news this week, is ability to hook up a serial console. This means access to the boot loader and the ability to boot a new kernel off the network. For more information check out the NSLU2 mailing list.

I have a new article up on TomsNetworking and I'm also working on porting an iTunes server to the box. So far so good. I was able to stream my collection of MP3's to three iTunes users simultaneously without the box breaking a sweat. Stay tuned for more details.

08 Aug 2004

Linksys has released a new firmware for the box that purports to fix the problem of the box not keeping time very well. Their fix adds an entry to the crontab to sychronize the system clock with the hardware clock once an hour. This will keep the time very roughly correct, but in an hours time the box will still lose several minutes. Henry Culver has built ntpclient and adjtime binaries for the box. If you want to do a better job of keeping time and sychronize the clock to an ntpserver you can install his binaries after downloading them from here.

The new firmware does not remove the telnet.cgi program, so we are still able to telnet into the box.

A new Yahoo group has been setup for the purposes of discussing modifications to this box. If you are interested in hacking on this little box, read about the group here.

05 Aug 2004

I haven't had a whole lot of time to work on the box in the last few days, but I have a couple of things. Configuration items are stored in /dev/mtdblock1 which is a small flash partition. It is a simple format that is easy to modify. The first four bytes are the total size of the used area. Following the 4 bytes are ascii strings delimited by carriage returns. The configuration items appear to get copied to the file /etc/CGI_ds.conf at boot time, so you can look at that to see what configuration items are currently defined. I've written my own items into the flash partition successfully using a simple "dd" command. A utility program would be quite a bit easier and safer.

I've written an article on TomsHardware.com regarding the box. If it is no longer listed on the front page, it can be directly seen here

Amazon has dropped their price on the box. Buy one here.

30 July 2004

I've been working trying to find a hook that would allow me to start up my own processes at boot time so I don't have to manually configure things after a reboot. So far, I've only made a little progress. I can get the box to call my setup script when the SMB server is contacted, but that still requires external action. I've considered forwarding all SMB requests from the Internet into my nslu2. That way all of those pesky Microsoft viruses would be put to good use. They could initialize my box for me! But then I thought better of it :-( I've also convinced the nslu2 to create a crontab entry for me, but I haven't been able to adjust the time it will run to anything shorter than once a day. So unless I want to wait a day before my services start, it won't do much good...

26 July 2004

As many people have noticed, this box does not keep time very well. I saw one report that Linksys is advising people to reboot in order to get the time corrected. I think I have a better idea. I put the following line in my /etc/crontab :

3,33 * * * * root /usr/sbin/hwclock --hctosys &>/dev/null

This synchronizes the system clock with the hardware clock every 30 minutes. Unfortunately you have to add this line to the crontab each time you reboot the box. I have not yet found a way to insert my own commands into the boot sequence. Once I figure this out, I can automate the above as well as automatically start NFS, setup telnet etc.

25 July 2004

If you would like to experiment with NFS on your box, I've packaged up my binaries and startup scripts with a README file here

24 July 2004

I've cleaned up my NFS build and it is working fine. I transfered a 2GB directory tree of 12,000 files to it without issue. The transfer took around 45 minutes over a wireless link.

I have some additional information about the ourtelnetrescueuer account. At boot time, an executable TelnetPassword is run. I don't know what the program does, but running a "strings" on the binary produces this :
/tmp/telnet.XXXXXX
/etc/passwd
ourtelnetrescueuser
/share/hdd/conf/.dongle
/share/hdd/conf/tmp/telnet.XXXXXX
ourtelnetrescueuser:%s:%d:%d:%s:%s:%s
/bin/cp -f %s %s 2>/dev/null

It looks like the password may be generated at boot time. Based on what, I don't know, but the reference to the file ".dongle" is interesting. On my system, the file exists, but is empty. The "tmp" files do not appear on my system by the time I get in. If I put something in the ".dongle" file and reboot, it has no effect that I can tell. if I, uh, delete the file and reboot, the device comes up in a sort of a default mode without my normal disk partitions. At this point the "welcome" password works for me. If I restore the file (after mounting it in my OSX box) and reboot, the system comes back to normal (sigh of relief) and the "welcome" password no longer works.

23 July 2004

I've succeeded in getting NFS to work! Now I can use a more natural network filesystem for my OSX and Linux boxes. My build is still a bit shakey ( i.e. a hack) and I haven't had a chance to do any type of real analysis on performance or security but it works!

18 July 2004

The welcome password appears to work for at least some people, but since it is for a non-priviledged account, its use is limited. I've succeeded in building some more complicated binaries such as an extended busybox. I've also built a number of USB drivers such as a USB to Serial converter and a USB Webcam. They insmod successfully, but none seem to work. I'm not sure what the problem is. I just get system messages such as :
usb.c: USB device 6 (vend/prod 0x47d/0x5001) is not claimed by any active driver.

Stupid NSLU2 trick of the day : Make the box beep!

# /usr/bin/Set_Led beep1


17 July 2004

I've had a report of a password crack on the ourtelnetrescueuser user. Try a password of welcome. It doesn't work for me, but it may be due to a difference in firmware versions. If we can crack the passwords listed below, we can telnet into the box without having to edit the passwd file on another system. If welcome works for anyone let me know.
root:WeeOvKUvbQ6nI:0:0:root:/root:/bin/sh
ourtelnetrescueuser:scNn.3AteBFc.:100:100::/home/user:/bin/sh


15 July 2004

Toolchain : I've been able to build and execute "hello world" binaries both statically and dynamically linked using the toolchain provided with the Linksys wrv54g. It can be downloaded from Linksys here (102 meg!)

13 July 2004

Processor info :

# cat /proc/cpuinfo
Processor       : XScale-IXP425/IXC1100 rev 1 (v5b)
BogoMIPS        : 131.48
Features        : swp half thumb fastmult edsp 

Hardware        : Intel IXDP425 Development Platform
Revision        : 0000
Serial          : 0000000000000000


This page may be of use for hacking this board.

The Linux distribution on the box is Snap Gear.

More hardware info can be found in this Tom's Networking Article

12 July 2004

Enabling telnet

It's a mult-step process to enable telnet. I'm using firmware version V2.3R24 from Linksys, it may or may not work with other versions.

First, mount a NSLU2 initialized hard drive on a box that understands ext2/3 format. I use OSX, but obviously Linux would be easier. There are also drivers for windows boxes. I found that the OSX drivers only work well with firewire, not USB2.

Find the passwd file in the second ext3 partition.

Replace the encrypted password for root with the encrypted password from a know account e.g. admin. If you are not familar with the format, it's the second field delimited by colons.

Plug the drive back into the NSLU2 and fire it up.

execute the URL : http:// your NSLU2 ip /Management/telnet.cgi

Select the option to turn on telnet

telnet in as root using the password for the known account. The passwd change appears to hold over power-cycles, but the enabling of telnet does not.




Flash configuration items

Here's a list of configurations items stored in flash. I suspect many are not used or were just used during development.
[network]
version=2.3.21
telnet_enable=yes
hw_id=4f00c0000000-2003
domain_name=
w_d_name=NSLU2
zone_name=*
msn_enable=yes
apple_enable=yes
default_server_name=LKG0F9861
disk_server_name=NSLU2
disk_server_comment=
lan_interface=ixp0
languageversion=english
hw_addr=00:04:5A:0F:98:61
ip_addr=192.168.1.70
netmask=255.255.255.0
gateway=192.168.1.1
dns_server1=192.168.1.1
dns_server2=
dns_server3=
wins_enable=no
wins_server=
dhcp_server=no
dhcp_start_ip=192.168.1.100
dhcp_end_ip=192.168.1.254
allow_host_start_ip=
allow_host_end_ip=
browse_master=yes
bootproto=static
duration_time=5
code_page=437
time_zone=6
shut_action=2
shut_in_min=30
shut_weekdays=0:0
shut_sat=0:0
shut_sun=0:0
shut_week_action=0
shut_sat_action=0
shut_sun_action=0
shut_idle=30
ShutdownSch=
RestartSch=
HD1ScanSch=
HDTOHDBACKUP=
login=no
chk_passwd=no
upnp=no
guest_access=no
shut_satday=0:0
shut_sunday=0:0
port=80
log_ser_enable=yes
log_ser_ip=192.168.1.3
printer_name=LKG0F9861_p1
default_ip=
default_netmask=
default_time_delay=0

[harddisk]
validhd=1:0
invalidhd=0:0

[LOG]
fm=admin@192.168.1.70
1to=jbuzbee@nyx.net
2to=
3to=
sub=NSLU2 Report
log=0
not=2

11 July 2004

I'm in! I can now telnet into the running device. Here's some raw info :
# ps -ax
  PID TTY     Uid        Size State Command
    1         root       1212   S   init 
    2         root          0   S   [keventd]
    3         root          0   S   [ksoftirqd_CPU0]
    4         root          0   S   [kswapd]
    5         root          0   S   [bdflush]
    6         root          0   S   [kupdated]
    7         root          0   S   [cifsoplockd]
    8         root          0   S   [mtdblockd]
    9         root          0   S   [khubd]
   18         root          0   S   [usb-storage-1]
   19         root          0   S   [scsi_eh_1]
   22         root          0   D   [ixp425_csr]
   24         root          0   S   [ixp425 ixp1]
   26 ttyS0   root       1916   S   /bin/sh 
   27         root       1932   S   /sbin/syslogd -n 
   29         root       1924   S   /sbin/klogd -n 
  110         root          0   S   [kjournald]
  122         root          0   S   [kjournald]
  271         root       2132   S   /usr/sbin/thttpd -C /etc/thttpd.conf 
  293         root       3924   S   /usr/sbin/smbd -D 
  295         root       3128   S   /usr/sbin/nmbd -D 
  298         root       1240   S   /usr/sbin/download 
  316         root       1932   S   /usr/sbin/QuickSet 
  321         root       1880   S   /usr/sbin/USB_Detect 
  324         root       1876   S   /usr/sbin/USB_Detect 
  332         root       1296   S   /usr/sbin/crond 
  336         root       1908   S   /usr/sbin/CheckResetButton 
  338         root       1196   S   /usr/sbin/CheckPowerButton 
  340         root       1196   S   /usr/sbin/do_umount 
  374         root       2132   S   /usr/sbin/thttpd -C /etc/thttpd.conf 
  386         root       1276   S   /bin/inetd 
  387         root       1256   S   /usr/sbin/telnetd 
  388 ttyp0   root       1928   S   -sh 
  410 ttyp0   root       1988   R   ps -ax 

# dmesg        
Linux version 2.4.22-xfs (root@sure_linux) (gcc version 3.2.1) #377 Fri Jul 2 09:02:32 CST 2004
CPU: XScale-IXP425/IXC1100 revision 1
Machine: Intel IXDP425 Development Platform
Warning: bad configuration page, trying to continue
Security risk: creating user accessible mapping for 0x60000000 at 0xff00f000
Security risk: creating user accessible mapping for 0x51000000 at 0xf1000000
On node 0 totalpages: 8192
zone(0): 8192 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: console=ttyS0,115200 root=/dev/ram0 initrd=0x01000000,10M mem=32M@0x00000000
Relocating machine vectors to 0xffff0000
Calibrating delay loop... 131.48 BogoMIPS
Memory: 32MB = 32MB total
Memory: 20204KB available (1454K code, 244K data, 236K init)
Dentry cache hash table entries: 4096 (order: 3, 32768 bytes)
Inode cache hash table entries: 2048 (order: 2, 16384 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 8192 (order: 3, 32768 bytes)
POSIX conformance testing by UNIFIX
PCI Autoconfig: Found Bus 0, Device 1, Function 0
PCI Autoconfig: BAR 0, Mem, size=0x1000, address=0x4bfff000
PCI Autoconfig: Found Bus 0, Device 1, Function 1
PCI Autoconfig: BAR 0, Mem, size=0x1000, address=0x4bffe000
PCI Autoconfig: Found Bus 0, Device 1, Function 2
PCI Autoconfig: BAR 0, Mem, size=0x100, address=0x4bffdf00
PCI: bus0: Fast back to back transfers disabled
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
VFS: Disk quotas vdquot_6.5.1
Journalled Block Device driver loaded
i2c-core.o: i2c core module
i2c-dev.o: i2c /dev entries driver module
i2c-core.o: driver i2c-dev dummy driver registered.
i2c-algo-bit.o: i2c bit algorithm module version 2.6.1 (20010830)
pty: 256 Unix98 ptys configured
Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled
ttyS00 at 0xff000003 (irq = 15) is a XScale UART
ttyS01 at 0xff001003 (irq = 13) is a XScale UART
RAMDISK driver initialized: 16 RAM disks of 16384K size 1024 blocksize
SCSI subsystem driver Revision: 1.00
* host:
IXP425 Flash: Found an alias at 0x800000 for the chip at 0x0
cfi_cmdset_0001: Erase suspend on write enabled
0: offset=0x0,size=0x20000,blocks=64
Using buffer write method
Using static MTD partitions.
Creating 4 MTD partitions on "IXP425 Flash":
0x00000000-0x00040000 : "RedBoot "
0x00040000-0x00060000 : "System Configuration"
0x00060000-0x00160000 : "Kernel"
0x00160000-0x00800000 : "Ramdisk"
usb.c: registered new driver hub
pci probe begin
ehci_hcd 00:01.2: NEC Corporation USB 2.0
ehci_hcd 00:01.2: irq 26, pci mem c3801f00
usb.c: new USB bus registered, assigned bus number 1
PCI: 00:01.2 PCI cache line size set incorrectly (0 bytes) by BIOS/FW.
PCI: 00:01.2 PCI cache line size corrected to 32.
ehci_hcd 00:01.2: USB 2.0 enabled, EHCI 1.00, driver 2003-Jun-19/2.4
hub.c: USB hub found
hub.c: 5 ports detected
pci probe ok
host/usb-uhci.c: $Revision: 1.1 $ time 09:03:03 Jul  2 2004
host/usb-uhci.c: High bandwidth mode enabled
host/usb-uhci.c: v1.275:USB Universal Host Controller Interface driver
host/usb-ohci.c: USB OHCI at membase 0xc3809000, IRQ 28
host/usb-ohci.c: usb-00:01.0, NEC Corporation USB
usb.c: new USB bus registered, assigned bus number 2
hub.c: USB hub found
hub.c: 3 ports detected
host/usb-ohci.c: USB OHCI at membase 0xc380f000, IRQ 27
host/usb-ohci.c: usb-00:01.1, NEC Corporation USB (#2)
usb.c: new USB bus registered, assigned bus number 3
hub.c: USB hub found
hub.c: 2 ports detected
Initializing USB Mass Storage driver...
usb.c: registered new driver usb-storage
USB Mass Storage support registered.
i2c-dev.o: Registered 'IXP425 I2C Adapter' as minor 0
i2c-core.o: adapter IXP425 I2C Adapter registered as adapter 0.
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 2048 bind 4096)
IP-Config: No network devices available.
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NetWinder Floating Point Emulator V0.97 (double precision)
RAMDISK: Compressed image found at block 0
Freeing initrd memory: 10240K
VFS: Mounted root (ext2 filesystem) readonly.
Freeing init memory: 236K
hub.c: new USB device 00:01.2-1, assigned address 2
Protocol: Transparent SCSI
before kernel thread 
*** detect:usb-storage
* scsi_register: usb-storage-1, 
* scsi_reg, hostno:1 prot is 49
* scsi_reg, retval->host_no:1
scsi1 : SCSI emulation for USB Mass Storage devices
! scan_scsis
do read capacity!!!
 read capacity ok!!!
The capacity is 312581809
*** 49
31 port connect!!!!!
  Vendor: WDC WD16  Model: 00JB-00EVA0       Rev: 15.0
  Type:   Direct-Access                      ANSI SCSI revision: 02
the host no is 1
* sd_attach:0
Attached scsi disk sda at scsi1, channel 0, id 0, lun 0
Module init.
ixp425_eth: 
Initializing IXP425 NPE Ethernet driver software v. 1.1 
ixp425_eth: CPU clock speed (approx) = 0 MHz
SCSI device sda: 312581809 512-byte hdwr sectors (160042 MB)
Partition check:
 sda: sda1 sda2 sda3
WARNING: USB Mass Storage data integrity not assured
USB Mass Storage device found at 2
[error] ixEthMiiPhyScan : unexpected Mii PHY ID 00008201
ixp425_eth: ixp0 is using the PHY at address 0
ixp425_eth: ixp1 is using the PHY at address 1
ixp425_eth: ixEthMiiLinkStatus failed on PHY0.
        Can't determine
the auto negotiated parameters. Using default values.
enable_irq(22) unbalanced from c38b11bc
X1226: I2C based RTC driver.
i2c-core.o: driver X1226 registered.
X1226: found X1226 on IXP425 I2C Adapter
i2c-core.o: client [X1226] registered to adapter [IXP425 I2C Adapter](pos. 0).
atr is 0
kjournald starting.  Commit interval 5 seconds
EXT3 FS 2.4-0.9.19, 19 August 2002 on sd(8,1), internal journal
EXT3-fs: mounted filesystem with ordered data mode.
kjournald starting.  Commit interval 5 seconds
EXT3 FS 2.4-0.9.19, 19 August 2002 on sd(8,2), internal journal
EXT3-fs: mounted filesystem with ordered data mode.
kjournald starting.  Commit interval 5 seconds
EXT3 FS 2.4-0.9.19, 19 August 2002 on sd(8,2), internal journal
EXT3-fs: mounted filesystem with ordered data mode.
Adding Swap: 56220k swap-space (priority -1)
download uses obsolete (PF_INET,SOCK_PACKET)
ixp425_eth: ixp0: Entering promiscuous mode
device ixp0 entered promiscuous mode
EXT3 FS 2.4-0.9.19, 19 August 2002 on sd(8,1), internal journal
# 
# lsmod
Module                  Size  Used by    Tainted: P  
x1226-rtc               3664   0 
rbuttons                1304   0 (unused)
pbuttons                 800   0 (unused)
ixp425_eth             17116   1 
ixp400                608216   0 [ixp425_eth] 

# cat /proc/filesystems
nodev   rootfs
nodev   bdev
nodev   proc
nodev   sockfs
nodev   tmpfs
nodev   shm
nodev   pipefs
        ext3
        ext2
nodev   ramfs
        vfat
nodev   smbfs
nodev   devpts
nodev   cifs

# ls -al /bin
drwxr-xr-x    2 root     root         1024 Jul  2 01:02 .
drwxr-xr-x   16 root     root         1024 Jul  2 01:02 ..
-rwxr-xr-x    1 root     root        11648 Jul  2 01:02 agetty
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 ash -> busybox
-rwxr-xr-x    1 root     root       197292 Jul  2 01:02 busybox
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 cat -> busybox
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 chmod -> busybox
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 chown -> busybox
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 cp -> busybox
-rwxr-xr-x    1 root     root        12884 Jul  2 01:02 date
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 dd -> busybox
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 df -> busybox
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 dmesg -> busybox
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 echo -> busybox
-rwxr-xr-x    1 root     root        64780 Jul  2 01:02 ftp
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 hostname -> busybox
-rwxr-xr-x    1 root     root         8148 Jul  2 01:02 inetd
-rwxr-xr-x    1 root     root        15796 Jul  2 01:02 init
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 kill -> busybox
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 killall -> busybox
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 ln -> busybox
lrwxrwxrwx    1 root     root            9 Jul  2 01:02 login -> tinylogin
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 ls -> busybox
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 mkdir -> busybox
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 mknod -> busybox
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 mount -> busybox
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 mv -> busybox
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 pidof -> busybox
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 ping -> busybox
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 ps -> busybox
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 pwd -> busybox
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 rm -> busybox
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 sh -> busybox
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 sleep -> busybox
lrwxrwxrwx    1 root     root            9 Jul  2 01:02 su -> tinylogin
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 sync -> busybox
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 tar -> busybox
-rwsr-sr-x    1 root     root        45624 Jul  2 01:02 tinylogin
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 touch -> busybox
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 umount -> busybox
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 vi -> busybox
# 

 -al /usr/bin
drwxr-xr-x    2 root     root         1024 Jul  2 01:02 .
drwxr-xr-x    6 root     root         1024 Jul  2 01:02 ..
-rwxr-xr-x    1 root     root        13587 Jul  2 01:02 Set_Led
lrwxrwxrwx    1 root     root           17 Jul  2 01:02 [ -> ../../bin/busybox
lrwxrwxrwx    1 root     root           17 Jul  2 01:02 basename -> ../../bin/busybox
-rwxr-xr-x    1 root     root        52000 Jul  2 01:02 edquota
lrwxrwxrwx    1 root     root           17 Jul  2 01:02 free -> ../../bin/busybox
lrwxrwxrwx    1 root     root           17 Jul  2 01:02 id -> ../../bin/busybox
lrwxrwxrwx    1 root     root           17 Jul  2 01:02 killall -> ../../bin/busybox
-rwxr-xr-x    1 root     root        26292 Jul  2 01:02 mke2fs
lrwxrwxrwx    1 root     root            6 Jul  2 01:02 mkfs.ext3 -> mke2fs
lrwxrwxrwx    1 root     root           19 Jul  2 01:02 passwd -> ../../bin/tinylogin
-rwxr-xr-x    1 root     root        61384 Jul  2 01:02 quotacheck
lrwxrwxrwx    1 root     root            7 Jul  2 01:02 quotaoff -> quotaon
-rwxr-xr-x    1 root     root        49928 Jul  2 01:02 quotaon
-rwxr-xr-x    1 root     root         8544 Jul  2 01:02 smbmnt
-rwxr-xr-x    1 root     root        31660 Jul  2 01:02 smbmount
lrwxrwxrwx    1 root     root           17 Jul  2 01:02 test -> ../../bin/busybox

# ls -al /sbin
drwxr-xr-x    2 root     root         1024 Jul  2 01:02 .
drwxr-xr-x   16 root     root         1024 Jul  2 01:02 ..
-rwxr-xr-x    1 root     root       119940 Jul  2 01:02 e2fsck
-rwxr-xr-x    1 root     root        64064 Jul  2 01:02 fdisk
lrwxrwxrwx    1 root     root            6 Jul  2 01:02 fsck.ext3 -> e2fsck
lrwxrwxrwx    1 root     root           16 Jul  2 01:02 getty -> ../bin/tinylogin
lrwxrwxrwx    1 root     root           14 Jul  2 01:02 halt -> ../bin/busybox
-rwxrwxr-x    1 root     root          412 Jul  2 01:02 halt-test
lrwxrwxrwx    1 root     root           14 Jul  2 01:02 ifconfig -> ../bin/busybox
-rwxr-xr-x    1 root     root          299 Jul  2 01:02 ifdown
-rwxr-xr-x    1 root     root         1219 Jul  2 01:02 ifup
lrwxrwxrwx    1 root     root           14 Jul  2 01:02 insmod -> ../bin/busybox
lrwxrwxrwx    1 root     root           14 Jul  2 01:02 klogd -> ../bin/busybox
lrwxrwxrwx    1 root     root           14 Jul  2 01:02 lsmod -> ../bin/busybox
lrwxrwxrwx    1 root     root           14 Jul  2 01:02 mkswap -> ../bin/busybox
-rwxr-xr-x    1 root     root        13760 Jul  2 01:02 mount.cifs
lrwxrwxrwx    1 root     root           14 Jul  2 01:02 reboot -> ../bin/busybox
lrwxrwxrwx    1 root     root           14 Jul  2 01:02 rmmod -> ../bin/busybox
lrwxrwxrwx    1 root     root           14 Jul  2 01:02 route -> ../bin/busybox
lrwxrwxrwx    1 root     root           14 Jul  2 01:02 swapoff -> ../bin/busybox
lrwxrwxrwx    1 root     root           14 Jul  2 01:02 swapon -> ../bin/busybox
lrwxrwxrwx    1 root     root           14 Jul  2 01:02 syslogd -> ../bin/busybox
-rwxr-xr-x    1 root     root        20728 Jul  2 01:02 udhcpc
# ls -al /usr/sbin
drwxr-xr-x    2 root     root         1024 Jul  2 01:02 .
drwxr-xr-x    6 root     root         1024 Jul  2 01:02 ..
-rwxr-xr-x    1 root     root         4496 Jul  2 01:02 CGI_chk_save_pass
-rwxr-xr-x    1 root     root         3644 Jul  2 01:02 CheckBackup
-rwxr-xr-x    1 root     root         4896 Jul  2 01:02 CheckDiskFull
-rwxr-xr-x    1 root     root         3316 Jul  2 01:02 CheckPowerButton
-rwxr-xr-x    1 root     root         6052 Jul  2 01:02 CheckResetButton
-rwxr-xr-x    1 root     root           80 Jul  2 01:02 DO_Reboot
-rwxr-xr-x    1 root     root         6244 Jul  2 01:02 DO_ScanDisk
-rwxr-xr-x    1 root     root           67 Jul  2 01:02 DO_Shutdown
-rwxr-xr-x    1 root     root        29132 Jul  2 01:02 QuickSet
-rwxr-xr-x    1 root     root        11776 Jul  2 01:02 SetConf
-rwxr-xr-x    1 root     root         5508 Jul  2 01:02 Set_TimeZone
-rwxr-xr-x    1 root     root         5840 Jul  2 01:02 TelnetPassword
-rwxr-xr-x    1 root     root        17612 Jul  2 01:02 USB_Detect
-rwxr-xr-x    1 root     root          555 Jul  2 01:02 WatchDog
-rwxr-xr-x    1 root     root        19732 Jul  2 01:02 backup
-rwxr-xr-x    1 root     root        13216 Jul  2 01:02 crond
-rwxr-xr-x    1 root     root        12884 Jul  2 01:02 date
-rwxr-xr-x    1 root     root         7891 Jul  2 01:02 do_umount
-rwxr-xr-x    1 root     root         8784 Jul  2 01:02 download
-rwxr-xr-x    1 root     root         8072 Jul  2 01:02 drive_backup
-rwxr-xr-x    1 root     root         1403 Jul  2 01:02 drivertodrivercp
-rwxr-xr-x    1 root     root         5964 Jul  2 01:02 find_ds
-rwxr-xr-x    1 root     root        28072 Jul  2 01:02 hwclock
-rwxr-xr-x    1 root     root       161672 Jul  2 01:02 nmbd
-rwxr-xr-x    1 root     root        16284 Jul  2 01:02 reset_ugs
-rwxr-xr-x    1 root     root         5172 Jul  2 01:02 set_log
-rwxr-xr-x    1 root     root         3860 Jul  2 01:02 set_status
-rwxr-xr-x    1 root     root       939520 Jul  2 01:02 smbd
-rwxr-xr-x    1 root     root        60588 Jul  2 01:02 smbpasswd
-rwxr-xr-x    1 root     root        13128 Jul  2 01:02 smtpclient
-rwxr-xr-x    1 root     root        40136 Jul  2 01:02 stop_smb
-rwxr-xr-x    1 root     root        18596 Jul  2 01:02 telnetd
-rwxr-xr-x    1 root     root        79152 Jul  2 01:02 thttpd
-rwxr-xr-x    1 root     root         8108 Jul  2 01:02 upnpd
# 



10 July 2004

I just received the NSLU2 yesterday and have not had a whole lot of time with it, but I've verified that it uses an ext3 formatted filesystem that I can mount under OSX. I've also found a couple of hidden options including the ability to enable telnet on it. So far, I have not cracked a password for any account with a shell. If anyone has a good password cracker, the accounts with shells on the box are :

root:WeeOvKUvbQ6nI:0:0:root:/root:/bin/sh
ourtelnetrescueuser:scNn.3AteBFc.:100:100::/home/user:/bin/sh



I've been hacking another Linksys device as well. Take a look at my wrt54g linux page


Jim Buzbee jbuzbee@nyx.net