Hacking the SmartStor NS4600 – Part 1

So it has been a while since my last post, but I feel like this post will be worth it.

I recently acquired a free Promise SmartStor NS4600 NAS box that I thought I could use at home. So in my sheer excitement (and lack of research) I turned the box on, got everything set up and decided to configure it how I wanted it (oh how stupid of me, to think it would be that simple).

To start off I reset the admin password, logged in, attached it to my subnet and recreated the RAID array as RAID-0 (because screw redundancy). All was working perfectly and the array rebuilt, so I rebooted the system and logged back in to remove the old users from the box. This is where things went tits up. Apparently early versions of the firmware for this system suffer from a serious bug where deleting users or changing file permissions can sometimes render the device inoperable, meaning I can’t access the web interface, SSH or Telnet, or configure the device properly with the utility. The only things I can do are ping the device or boot it into safe mode to reflash the firmware. Luckily for me, this means the device is still in a semi-operable state. It’s worth mentioning that the NAS is stupidly designed in that there’s no button, and no option on the web interface, to actually reset the whole device to factory defaults.

According to my treks around the internet, the decryption key for plugins and firmware had already been discovered and is the same across several of Promise’s NAS boxes. This gave me an idea: why don’t I create a custom firmware that will either A) run SSH as root so I can connect and see what’s going on, or B) force reset everything to defaults?

So I started off by installing Linux in a VM, downloading the smallest firmware image from their site, decrypting it, unpacking it and reversing the process to see if it would still flash. Apparently it’s not that easy: while the encryption key was correct, the files turned out to be obfuscated further and I was unable to extract the resulting archive straight away.

It turned out that Promise thought adding a long run of zero bytes to the beginning of a .tbz archive would stop people getting into it. That’s not the case. Now I have a .tbz containing app_jfs2, fix_script, kernel, rev, rootfs and usr_jffs2. Next I need to re-add those zeros and see if I can re-encrypt the file to flash it.
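As an added illustration of the unpacking step described above (this is example code, not anything from the post or from Promise), the script below locates the bzip2 stream hidden behind a run of leading zero bytes, confirms it really decompresses, splits off the padding so it can be re-attached later, and lists the tar members. The firmware blob it works on is constructed inline with the member names the post mentions; the real image’s padding length and contents are not known here.

```python
import bz2
import io
import tarfile
from typing import Optional, Tuple, List

BZ2_MAGIC = b"BZh"  # bzip2 stream header, followed by block-size digit '1'..'9'


def find_bzip2_offset(blob: bytes) -> Optional[int]:
    """Offset of the first *valid* bzip2 stream in blob, or None.
    A candidate header is only accepted if decompression from there succeeds,
    so a stray 'BZh' inside other data is not mistaken for the archive."""
    start = 0
    while True:
        idx = blob.find(BZ2_MAGIC, start)
        if idx < 0:
            return None
        if idx + 3 < len(blob) and blob[idx + 3] in b"123456789":
            try:
                bz2.decompress(blob[idx:])
                return idx
            except (OSError, ValueError, EOFError):
                pass  # false positive, keep scanning
        start = idx + 1


def strip_leading_padding(blob: bytes) -> Tuple[bytes, bytes]:
    """Split blob into (padding, tbz). Refuses if the prefix is not all zeros,
    since that would mean the obfuscation is something other than zero padding."""
    off = find_bzip2_offset(blob)
    if off is None:
        raise ValueError("no bzip2 stream found in blob")
    padding = blob[:off]
    if padding.strip(b"\x00"):
        raise ValueError("non-zero bytes precede the bzip2 stream")
    return padding, blob[off:]


def list_members(tbz: bytes) -> List[str]:
    """Member names inside the recovered .tbz archive."""
    with tarfile.open(fileobj=io.BytesIO(tbz), mode="r:bz2") as tf:
        return sorted(m.name for m in tf.getmembers())


def build_sample_firmware(pad_len: int = 64) -> bytes:
    """Constructed stand-in for the decrypted image: a .tbz with the member
    names from the post, prefixed with pad_len zero bytes (assumed layout)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tf:
        for name in ["app_jfs2", "fix_script", "kernel", "rev", "rootfs", "usr_jffs2"]:
            data = f"placeholder contents of {name}\n".encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return b"\x00" * pad_len + buf.getvalue()
```

Re-assembling the image for a flash attempt is then just `padding + tbz`, which the split above preserves byte-for-byte.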

After two days of trying, it looks like the bcrypt that Promise uses is a modified binary built for their systems. Unfortunately I don’t have a working system to pull bcrypt from, so serial is the only other route. I have ordered this cable to use:
https://thepihut.com/products/adafruit-usb-to-ttl-serial-cable

I will update with part 2 when it arrives.

Peace.
