hn / seagate-blackarmor-nas

Technical data (reverse engineered) and an alternative firmware (Debian GNU/Linux) for the Seagate Blackarmor NAS

Seagate BlackArmor 220 flash u-boot from Linux (no pins to do it) #20

Closed GlitchedCod closed 2 years ago

GlitchedCod commented 2 years ago

Hello, I want to know if there is a possibility to flash the u-boot from the Linux kernel directly? I had a Seagate NAS 220 but no male pins to connect to the uboot serial and I want to flash the OpenWRT u-boot on it. Thanks for any kind of help or advice. (yes I've changed my message)

hn commented 2 years ago

Original topic: If you wipe the HDDs (remove partition tables) or simply use other (clean) HDDs, the Seagate NAS will reinstall from flash.

Current topic: It's possible (nandwrite is part of Seagate's firmware) but I would not recommend doing it, especially if these are your first steps with the device. If anything goes wrong, you're lost.

boltronics commented 1 year ago

A bit late to the party, but I recently found a NAS 220 in my building's e-waste bin so snagged it. Same deal, no header pins.

The soldering to put a header on was incredibly hard because the ground pin required a crazy amount of heat to get the pre-existing solder out. I had to crank my iron up to its max of 480W, switch to a wider tip, and use a heat gun all at the same time just to get it to melt. Same with whatever the pin number is in the rear left (but that's unused). No other pins required anything like this and were a piece of cake by comparison.

In the end, I still couldn't get the solder completely out of ground because I didn't have a 3rd hand to hold the solder sucker, and the braid I had was probably a little too thick for the job. As such, those two pins stick out on the header since they are just resting against the pre-existing solder... but it still seems to work okay.

If you're like me and don't really care too much about this (now "ancient") hardware, and want to avoid soldering if possible, nandwrite is indeed a part of Seagate's firmware.

~ $ cat /etc/motd 
    __                                  _   _____   _____
   / /   ____ ______________  ____     / | / /   | / ___/
  / /   / __ `/ ___/ ___/ _ \/ __ \   /  |/ / /| | \__ \ 
 / /___/ /_/ (__  |__  )  __/ / / /  / /|  / ___ |___/ / 
/_____/\__,_/____/____/\___/_/ /_/  /_/ |_/_/  |_/____/  
==========================================================
                                                v2000.1331
~ $ ls -l /usr/sbin/nand*
-rwxrwxr-x    1 root     root         9788 Aug  1  2012 /usr/sbin/nanddump
-rwxrwxr-x    1 root     root         8300 Aug  1  2012 /usr/sbin/nandtest
-rwxrwxr-x    1 root     root        14492 Aug  1  2012 /usr/sbin/nandwrite
~ $ /usr/sbin/nandwrite --version
nandwrite $Revision: 1.32 $

Copyright (C) 2003 Thomas Gleixner 

nandwrite comes with NO WARRANTY
to the extent permitted by law.

You may redistribute copies of nandwrite
under the terms of the GNU General Public Licence.
See the file `COPYING' for more information.
~ $ 

First you need to get root, or you won't have access to /dev/mtd?.img. For that, I used instructions similar to this guide for setting up dropbear (which definitely does still work on the latest official 220 firmware BTW). However instead of just editing inetd.conf, I used qemu as described here to change the root password.

Actually, first I tried a dictionary attack using hashcat against the default root password, without success. Then I tried a brute force attack up to 7 characters and still had no luck. Going to 8 characters was going to take a few days for my GPU so I just gave up and changed it. It does seem to just be an 8 character password because when running passwd on the box you get:

/ $ passwd
Changing password for root
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password: 

Anyway, with the above, you should be able to achieve an SSH shell, root access, and access to the nand* tools (and note that they are not in root's PATH). Hopefully you can now avoid soldering!

The SSH included in the box is very old. My client would fail to connect unless I used something like:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-rsa,ssh-dss -c aes128-cbc -l admin 192.168.0.10

Alternatively, you can put the following lines in your ~/.ssh/config file under a dedicated Host section for the box:

  KexAlgorithms +diffie-hellman-group1-sha1
  HostKeyAlgorithms +ssh-rsa,ssh-dss
  Ciphers aes128-cbc

There is no ssh, but there is rsync available so you can dump a backup of the original firmware and fetch it that way (or just dump it directly in a Samba share's path or something). I don't know why the instructions don't tell you to make a backup, which seems possible even from uboot AFAICT.
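
Added example, not part of the comment above or of the project's code: a Python check that flags legacy SSH algorithms enabled globally or under a wildcard Host, rather than in the dedicated Host section the comment suggests. The host alias `nas220`, the `LEGACY` list and the sample config are constructed for illustration.

```python
import re

# Algorithms the thread re-enables for the NAS's old sshd (assumed list for this check).
LEGACY = {
    "kexalgorithms": {"diffie-hellman-group1-sha1"},
    "hostkeyalgorithms": {"ssh-rsa", "ssh-dss"},
    "ciphers": {"aes128-cbc"},
}

# Constructed sample ~/.ssh/config: one global leak, one dedicated block, one wildcard leak.
SAMPLE = """\
# constructed sample, not from the thread
Ciphers aes128-cbc

Host nas220
  HostName 192.168.0.10
  User admin
  KexAlgorithms +diffie-hellman-group1-sha1
  HostKeyAlgorithms +ssh-rsa,ssh-dss
  Ciphers aes128-cbc

Host *
  HostKeyAlgorithms +ssh-dss
"""

def audit_ssh_config(text):
    """Return (line, scope, keyword, algorithms) for legacy algorithms set globally or under a wildcard Host."""
    findings = []
    scope, broad = "global", True  # options before the first Host/Match apply to every host
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) < 2 or not parts[1]:
            continue
        key, value = parts[0].lower(), parts[1]
        if key == "host":
            patterns = [p for p in value.split() if not p.startswith("!")]
            scope, broad = "Host " + value, any("*" in p or "?" in p for p in patterns)
        elif key == "match":
            scope, broad = "Match " + value, value.split()[0].lower() == "all"
        elif key in LEGACY and not value.startswith("-"):  # a "-" prefix removes algorithms
            hits = sorted(set(value.lstrip("+^").split(",")) & LEGACY[key])
            if broad and hits:
                findings.append((lineno, scope, key, hits))
    return findings

if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE):
        print(finding)
```
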

hn commented 1 year ago

Hi Adam, thanks for sharing!

Applying some solder paste makes soldering the serial pins much easier.

SSH can be easily activated by uploading a specially crafted service pack, see point 1. It also resets the root password.