Jun 11 2015
 

In my last post, I looked at the $5 NAS from MSY and poked around the interface to see what it can do out of the box.

Now let's see what I can make it do!

The first thing I did was point the built-in FTP server to /mnt/C/../.. – this allowed me to poke around on the root file system of the NAS. I went through all the normal Linux files that provide information to see what this NAS was made of.

First up – /proc/cpuinfo

Processor : FA526id(wb) rev 1 (v4l)
BogoMIPS : 191.69
Features : swp half
CPU implementer : 0x66
CPU architecture: 4
CPU variant : 0x0
CPU part : 0x526
CPU revision : 1
Cache type : write-back
Cache clean : cp15 c7 ops
Cache lockdown : format B
Cache format : Harvard
I size : 8192
I assoc : 2
I line length : 16
I sets : 256
D size : 8192
D assoc : 2
D line length : 16
D sets : 256

Hardware : STAR STR8131
Revision : 0000
Serial : 0000000000000000

Looks like this uses some sort of ARM CPU. A quick Google seems to point to a Fortinet SOC.

/proc/meminfo shows that we have a tiny 32MB of RAM to play with.

MemTotal: 29980 kB
MemFree: 21016 kB
Buffers: 280 kB
Cached: 2224 kB
SwapCached: 0 kB
Active: 3452 kB
Inactive: 1272 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 29980 kB
LowFree: 21016 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Dirty: 0 kB
Writeback: 0 kB
Mapped: 3060 kB
Slab: 3012 kB
CommitLimit: 14988 kB
Committed_AS: 4120 kB
PageTables: 196 kB
VmallocTotal: 221184 kB
VmallocUsed: 416 kB
VmallocChunk: 220768 kB

/proc/mtd and /proc/partitions show that we have a few flash partitions.
/proc/mtd

dev: size erasesize name
mtd0: 00040000 00010000 "boot"
mtd1: 00020000 00010000 "config"
mtd2: 000f0000 00010000 "kernel"
mtd3: 00290000 00010000 "initrd"
mtd4: 00010000 00010000 "web"
mtd5: 003f0000 00010000 "flash"

/proc/partitions

major minor #blocks name
31 0 256 mtdblock0
31 1 128 mtdblock1
31 2 960 mtdblock2
31 3 2624 mtdblock3
31 4 64 mtdblock4
31 5 4032 mtdblock5

/proc/cmdline shows the kernel boot parameters.

mtdparts=m25p80:256k(boot)ro,128k(config),960k(kernel)ro,2624k(initrd)ro,64k(web),4032k@0x0000(flash) root=31:03 ro rootfstype=jffs2
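
As an added example (not code from the original post), this Python sketch cross-checks the mtdparts= string from /proc/cmdline against /proc/mtd and lists writable partitions whose declared range overlaps a read-only one. It takes the declared sizes and offsets at face value and handles only the size[@offset](name)[ro] form seen here; the function names are made up for this example.

```python
import re

# Copied from the /proc/cmdline and /proc/mtd output shown on this page.
CMDLINE = ("mtdparts=m25p80:256k(boot)ro,128k(config),960k(kernel)ro,"
           "2624k(initrd)ro,64k(web),4032k@0x0000(flash) root=31:03 ro rootfstype=jffs2")
PROC_MTD = """dev: size erasesize name
mtd0: 00040000 00010000 "boot"
mtd1: 00020000 00010000 "config"
mtd2: 000f0000 00010000 "kernel"
mtd3: 00290000 00010000 "initrd"
mtd4: 00010000 00010000 "web"
mtd5: 003f0000 00010000 "flash"
"""
UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}
PART_RE = re.compile(
    r"(\d+)([kKmM]?)(?:@(0[xX][0-9a-fA-F]+|\d+)([kKmM]?))?\((\w+)\)(ro)?$")

def parse_mtdparts(cmdline):
    """Return [(name, start, end, read_only)] for the first mtdparts= device."""
    arg = next(a for a in cmdline.split() if a.startswith("mtdparts="))
    _mtd_id, defs = arg[len("mtdparts="):].split(";")[0].split(":", 1)
    parts, cursor = [], 0
    for d in defs.split(","):
        m = PART_RE.match(d)
        if not m:
            raise ValueError("unsupported partition definition: " + d)
        size = int(m.group(1)) * UNITS[m.group(2).lower()]
        if m.group(3) is not None:  # explicit @offset resets the running cursor
            base = 16 if m.group(3).lower().startswith("0x") else 10
            cursor = int(m.group(3), base) * UNITS[m.group(4).lower()]
        parts.append((m.group(5), cursor, cursor + size, bool(m.group(6))))
        cursor += size
    return parts

def parse_proc_mtd(text):
    """Return {name: size_in_bytes} from /proc/mtd text."""
    rows = re.findall(r'^mtd\d+:\s+([0-9a-f]+)\s+[0-9a-f]+\s+"([^"]+)"', text, re.M | re.I)
    return {name: int(size, 16) for size, name in rows}

def audit(cmdline, proc_mtd):
    """Return (names whose sizes disagree, [(writable, read_only)] overlapping pairs)."""
    parts, sizes = parse_mtdparts(cmdline), parse_proc_mtd(proc_mtd)
    mismatched = [n for n, s, e, _ in parts if sizes.get(n) != e - s]
    overlaps = [(w, r) for w, ws, we, wro in parts if not wro
                for r, rs, re_, rro in parts if rro and ws < re_ and rs < we]
    return mismatched, overlaps

if __name__ == "__main__":
    print(audit(CMDLINE, PROC_MTD))
```

On this page's data every size matches /proc/mtd, and the declared range of "flash" (offset 0, no ro flag) covers the read-only "boot", "kernel" and "initrd" partitions.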

/proc/devices shows that there is a console available. If we can get access to that then we will likely have root access to the NAS.

Character devices:
1 mem
2 pty
3 ttyp
4 ttyS
5 /dev/tty
5 /dev/console
5 /dev/ptmx
10 misc
90 mtd
128 ptm
136 pts
180 usb
189 usb_device

Block devices:
1 ramdisk
8 sd
31 mtdblock
65 sd
66 sd
67 sd
68 sd
69 sd
70 sd
71 sd
128 sd
129 sd
130 sd
131 sd
132 sd
133 sd
134 sd
135 sd

/proc/version – Looks like it’s definitely running Linux with a custom kernel

Linux version 2.6.16-star (root@localhost.localdomain) (gcc version 3.4.6) #42 PREEMPT Tue Jul 6 10:18:58 CST 2010

The FTP server is run as the user root-nas; this allows me to modify a few files on the NAS root partition, like /etc/resolv.conf. There is also an /etc/system.conf which is modifiable; this doesn’t seem to contain anything interesting though. Changing the “runmode” parameter stopped me from accessing the NAS over the network, so I'm not sure what that is for… perhaps USB mode?

/var/www is the root of the web server. This will let me download the entire Web UI to poke around with, and it looks like it even has a webserver executable in there as httpd.cgi.

Seems like I can’t get access to much more than the /etc/ directory over FTP though. Looks like it’s time to go to the next level, getting console access. I’ll do another post once I’ve received a USB to TTL converter!
