More NS4600 changes

The system was reporting FS errors because I never had any drives plugged in to the system initially. I’m now running version 02.01.4000.16 of the Patriot Javelin S4 firmware on my NS4600 NAS fully. I have set it up with a 4x1TB RAID-5 and have just transferred all my data to it. SMB works, AFP works, and I haven’t had a single issue (although I’ve yet to try printer sharing).

I did however initially have an issue where with the Patriot firmware, SMB wouldn’t start up at all (because I tried to flash Patriot to the internal NAND) and I had to flash the internal NAND with the official NS4600 firmware, and then still boot from the USB with Patriot. But this is out of the scope of this blog post so I won’t touch on it today.

I had one last problem to solve: root access. There was a root plugin released for later firmwares (the .v2 BETA I’m running was the only version I was able to get hold of) that allowed you to get root access over Telnet, but it refused to install on to my firmware due to it being “built” for a new FW. In order to get round this, I used my knowledge of the encryption keys used to disassemble the firmwares and pull apart the plugin in order to change its config files to match a lower firmware. For those interested, here it is:

Note that this plugin will only run on the Patriot .V2 BETA firmware and not any others, not even the NS4600, so don’t try it. If you need NS4600 plugins for root access, let me know and I’ll point you in the right direction.

Now it would seem I have finished customizing my NAS and done all I need to do… All that’s missing is a VPN plugin, and figuring out how to access the NAS from over the internet!

Anyway, hope this helps any of you with issues with your NAS, peace out!

Hacking the SmartStor NS4600 – Part 2

Here we go, my plan worked. I have been able to get some FW to boot from USB successfully.

I aim for this blog post to be more of a guide, than a “this is what I did” post.

So it turns out that the NAS I have is actually an NS4600P (the difference between the non-P variant and this one is that this one has a PowerPC processor), and there is another NAS which is just a rebranded NS4600P, the Patriot Javelin S4, which I noticed has a lot more community support (in terms of repairs, hacking etc.), so I used a lot of information gathered about that device and applied it to this one without many changes needed.

First off I grabbed myself a 2GB memory stick (formatted as FAT16, not FAT32) and whacked the firmware files for the Javelin S4, which had been extracted by a user that goes by the name of Senomoto on the Patriot forums, on to the root of the stick. I then attached my serial cable and booted up the system (completely spamming CTRL+C to get to the U-Boot menu) to see what variables U-Boot was applying. This gave me all of the addresses I need to load the kernel/rootfs from elsewhere.

With the USB stick in the NAS, I ran the following commands to set up USB booting:
setenv load_ext_usb "run ramargs addtty mtdargs;usb start;fatload usb 0:1 1200000 kernel;fatload usb 0:1 1b00000 rootfs;fatload usb 0:1 1a00000 dtb; bootm 1200000 1b00000 1a00000"

setenv real_bootcmd "run load_ext_usb"

(Credits to Senomoto for these)

Once the variables had been saved I just went ahead and booted the system, watching the serial output closely and noting any errors. To my surprise the FW had booted completely fine, meaning that the S4 firmware is again just a rebranded NS4600 firmware, making my life a hell of a lot easier.

Thanks to the USB boot, I am again able to access the web configuration pages for the NAS, so I went ahead and threw in a small hard drive and created a brand new array with it (just a single drive in RAID-0) but I noticed I was still getting “File System Errors” and I currently can’t tell if that’s because there was no drive in any of the bays or it’s checking the internal NAND. So my plan is to let the array rebuild and see if I get FS errors. If I do, it’s likely the system is completely screwed (as it won’t even let me flash a new FW with filesystem errors). But we will go from there.

Hacking the SmartStor NS4600 – Part 1

So it has been a while since my last post, but I feel like this post will be worth it.

I recently acquired a free Promise SmartStor NS4600 NAS box that I thought I could use at home. So in my sheer excitement (and lack of research) I turned the box on, got everything set up and decided to set it up how I wanted it (oh how stupid of me, to think it would be that simple).

To start off I reset the admin password, logged in, attached it to my subnet and recreated the RAID array as RAID-0 (because screw redundancy). All was working perfectly and the array rebuilt, so I rebooted the system and logged back in to remove the old users from the box. This is where things went tits up. Apparently early versions of the firmware for this system suffer from a serious bug where sometimes deleting users or changing file permissions can render the device inoperable, meaning I can’t access the web interface, SSH, Telnet or configure the device properly with the utility. The only thing I can do is ping the device, or access safe mode to reflash the firmware. Luckily for me, this means the device is still in a semi-operable state. It’s worth mentioning that the NAS is stupidly designed in that there’s no button or option on the web interface to actually reset the whole device to factory defaults.

According to my treks around the internet, the decryption key for plugins and firmware was discovered and is the same across several of Promise’s NAS boxes. This gave me an idea: why don’t I create a custom firmware that will A) run SSH as root so I can connect and see what’s going on, or B) force reset everything to default?

So I started off by installing Linux in a VM, downloading the smallest FW from their site, decrypting it, unpacking it and reversing the process to see if it will still flash. Apparently it’s not that easy: while the encryption key was correct, it would appear that the files are obfuscated further, and I was unable to extract the resulting archive straight away.

It turned out that Promise thought that adding a long series of 0’s to the beginning of a .tbz archive would stop people breaking in to it. That’s not the case. Now I have a .tbz containing app_jfs2, fix_script, kernel, rev, rootfs and usr_jffs2. Now I need to re-add those zeroes and see if I can re-encrypt the file to flash it.
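The zero-padded .tbz layout described above can be checked without extracting anything to disk. This is an added example, not code from the original post: the sample image, its 512-byte pad length and the dummy member contents are constructed, and only some of the member names are borrowed from the list above.

```python
import io
import tarfile

BZ2_BLOCK_MAGIC = bytes.fromhex("314159265359")  # follows "BZh" + level digit

def split_padding(blob):
    """Return (pad_len, payload); payload must start with a bzip2 header."""
    payload = blob.lstrip(b"\x00")
    pad_len = len(blob) - len(payload)
    ok = (len(payload) >= 10 and payload[:3] == b"BZh"
          and 0x31 <= payload[3] <= 0x39
          and payload[4:10] == BZ2_BLOCK_MAGIC)
    if not ok:
        raise ValueError("no bzip2 stream after the zero padding")
    return pad_len, payload

def inspect_image(blob):
    """List archive members in memory, rejecting unsafe paths and types."""
    pad_len, payload = split_padding(blob)
    members = []
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:bz2") as tar:
        for m in tar:
            if m.name.startswith("/") or ".." in m.name.split("/"):
                raise ValueError(f"unsafe member path: {m.name!r}")
            if not (m.isfile() or m.isdir()):
                raise ValueError(f"unexpected member type: {m.name!r}")
            members.append((m.name, m.size))
    return pad_len, members

def make_sample(pad_len=512):
    """Constructed stand-in for a decrypted image (not real firmware)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for name in ("fix_script", "kernel", "rev", "rootfs"):
            data = f"dummy {name}\n".encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return b"\x00" * pad_len + buf.getvalue()

if __name__ == "__main__":
    pad, members = inspect_image(make_sample())
    print(f"{pad} bytes of zero padding")
    for name, size in members:
        print(f"{size:8d}  {name}")
```

Recording the pad length matters because the original image layout has to be reproduced byte for byte if the archive is ever repacked.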

After two days of trying, it looks like the bcrypt that Promise use is a modified binary for their systems. Unfortunately I don’t have a working system to pull bcrypt from, so serial is the only other route. I have ordered this cable to use:

I will update with part 2 when it arrives.