I received my USB to TTL adapter today, so decided to have a look at the NAS and see if I could get root access to it.
The Serial console is actually under where the drive is, so I’ve gotten access to it from the bottom as there’s some plastic between where the drive goes and the port itself.
NAS Connected via Serial
As you can see from the picture, I’ve stuck some jumper cords into the serial console port. The Yellow wire is actually the white wire on my USB->TTL converter, the green is still green, and black is still black. With the jumper leads plugged in, I turned the NAS On with screen listening on /dev/ttyUSB0 with a baud rate of 38400.
When you turn the NAS on with the serial console plugged in, you will be presented with the boot messages.
U-Boot 1.1.4 (Mar 3 2008 - 16:51:36)
U-Boot code: 00000000 -> 0001A410 BSS: -> 0001F354
IRQ Stack: 00e6ff7c
FIQ Stack: 00e6ef7c
RAM Configuration:
Bank #0: 00000000 32 MB
Flash Manufacturer: MX
Flash: 4 MB
DataFlash: MX 25L32
Page Count: 16384
Page Size: 256
Size: 4194304 bytes
Logical Address: 0x30000000
Area 0: 30000000 to 3002FFFF
Area 1: 30030000 to 3003FFFF
Area 2: 30040000 to 3023FFFF
Area 3: 30240000 to 303FFFFF
*** Warning - bad CRC, using default environment
In: serial
Out: serial
Err: serial
PLL clock at 250MHz
CPU clock at 250MHz
AHB clock at 125MHz
APB clock at 62MHz
Hit any key to stop autoboot: 3
kernel:30060000-301e0000
0
Pressing a key will dump you into the Uboot. Otherwise, the NAS will boot and you’ll see the rest of the boot messages
## Starting application at 0x00600000 ...
Uncompressing Linux... done, booting the kernel.
Linux version 2.6.16-star (root@localhost.localdomain) (gcc version 3.4.6) #42 PREEMPT Tue Jul 6 10:18:58 CST 2010
CPU: FA526id(wb) [66015261] revision 1 (ARMv4)
Machine: STAR STR8131
Warning: bad configuration page, trying to continue
Ignoring unrecognised tag 0x00000000
Memory policy: ECC disabled, Data cache writeback
CPU0: D VIVT write-back cache
CPU0: I cache: 8192 bytes, associativity 2, 16 byte lines, 256 sets
CPU0: D cache: 8192 bytes, associativity 2, 16 byte lines, 256 sets
PLL clock at 250MHz
CPU clock at 250MHz
AHB clock at 125MHz
APB clock at 62MHz
Built 1 zonelists
Kernel command line: mtdparts=m25p80:256k(boot)ro,128k(config),960k(kernel)ro,2624k(initrd)ro,64k(web),4032k@0x0000(flash) root=31:03 ro rootfstype=jffs2
PID hash table entries: 256 (order: 8, 4096 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 32MB = 32MB total
Memory: 29872KB available (1832K code, 599K data, 88K init)
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
NET: Registered protocol family 16
PCI clock at 33M
PCI: bus0: Fast back to back transfers disabled
PCI Bridge found
PCI map irq: 00:00.00 slot 0, pin 1, irq: 0
SCSI subsystem initialized
usbcore: registered new driver usbfs
usbcore: registered new driver hub
NetWinder Floating Point Emulator V0.97 (extended precision)
JFFS2 version 2.2. (NAND) (C) 2001-2003 Red Hat, Inc.
fuse init (API version 7.6)
io scheduler noop registered
io scheduler cfq registered (default)
str8131_rtc.o: rtc module version 1.0.0
str8131_wdt.o: watchdog module version 1.0.1
Serial: 8250/16550 driver $Revision: 1.1.1.1 $ 2 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x78000000 (irq = 9) is a 16550A
serial8250: ttyS1 at MMIO 0x78800000 (irq = 10) is a 16550A
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
reset FALSE!!!!
ROM VALUE 014f86ba1300001f
Star NIC Driver(for Linux Kernel 2.6) - Star Semiconductor
rxring.vir_addr=0xFFC00000 rxring.phy_addr=0x01C88000
txring.vir_addr=0xFFC01000 txring.phy_addr=0x01C89000
Star Internal PHY
MAC Addr: 08:00:50:b2:71:20
star_nic_enable: starting patch check.
star_nic_init_module: internal phy patch included.
star_nic_init_module: scatter/gather enabled.
STR8131 SPI: init
m25p80 spi1.0: m25p64 (8192 Kbytes)
6 cmdlinepart partitions found on MTD device m25p80
Creating 6 MTD partitions on "m25p80":
0x00000000-0x00040000 : "boot"
0x00040000-0x00060000 : "config"
0x00060000-0x00150000 : "kernel"
0x00150000-0x003e0000 : "initrd"
0x003e0000-0x003f0000 : "web"
0x00000000-0x003f0000 : "flash"
str8131-ehci str8131-ehci: str8131-ehci
str8131-ehci str8131-ehci: new USB bus registered, assigned bus number 1
str8131-ehci str8131-ehci: irq 24, io mem 0xcc000000
str8131-ehci str8131-ehci: USB 0.0 started, EHCI 1.00, driver 10 Dec 2004
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
ohci_hcd: 2005 April 22 USB 1.1 'Open' Host Controller (OHCI) Driver (STR8131)
str8131-ohci str8131-ohci: str8131-ohci
str8131-ohci str8131-ohci: new USB bus registered, assigned bus number 2
str8131-ohci str8131-ohci: irq 23, io mem 0xc4000000
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
usbcore: registered new driver usblp
drivers/usb/class/usblp.c: v0.13: USB Printer Device Class driver
Initializing USB Mass Storage driver...
usbcore: registered new driver usb-storage
USB Mass Storage support registered.
NET: Registered protocol family 2
IP route cache hash table entries: 512 (order: -1, 2048 bytes)
TCP established hash table entries: 2048 (order: 1, 8192 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
TCP bic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x001f0000: 0x00ff instead
VFS: Mounted root (jffs2 filesystem) readonly.
Freeing init memory: 88K
serial console detected. Disabling virtual terminals.
console=/dev/ttyS0
init started: BusyBox v0.52 (2010.07.06-02:25+0000) multi-call binary
EXT2-fs warning: maximal mount count reached, running e2fsck is recommended
eth0:star_nic_lan_open
star_nic_enable: starting patch check.
info, udhcp client (v1.0.0) started
debug, Sending discover...
debug, Sending select for 10.0.0.14...
info, Lease of 10.0.0.14 obtained, lease time 7200
SIOCADDRT: Network is unreachable
adding dns 10.0.0.1
Let’s restart, and check out the Uboot.
Hit any key to stop autoboot: 3
kernel:30060000-301e0000 0
Star Equuleus #
I’m dumped into the Uboot prompt…Let’s ask for help and see what comes up
Star Equuleus # help
? - alias for 'help'
autoscr - run script from memory
base - print or set address offset
bdinfo - print Board Info structure
boot - boot default, i.e., run 'bootcmd'
bootd - boot default, i.e., run 'bootcmd'
bootm - boot application image from memory
bootp - boot image via network using BootP/TFTP protocol
cmp - memory compare
coninfo - print console devices and information
cp - memory copy
crc32 - checksum calculation
echo - echo args to console
erase - erase FLASH memory
flinfo - print FLASH memory information
go - start application at address 'addr'
help - print online help
iminfo - print header information for application image
imls - list all images found in flash
itest - return true/false on integer compare
loadb - load binary file over serial line (kermit mode)
loads - load S-Record file over serial line
loop - infinite loop on address range
md - memory display
mm - memory modify (auto-incrementing)
mtest - simple RAM test
mw - memory write (fill)
nfs - boot image via network using NFS protocol
nm - memory modify (constant address)
pci - list and access PCI Configuration Space
printenv- print environment variables
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
sleep - delay execution for some time
tftpboot- boot image via network using TFTP protocol
version - print monitor version
Let’s unprotect the flash and see what happens…
Star Equuleus # protect off all
Un-Protect Flash Bank # 1
Well that wasn’t very exciting.
I think I’ll have to do more research to see what I can do with this.
Stay tuned!
