hacking Synology DS-101

google
 >> Stay informed about: hacking Synology DS-101 

On Mon, 17 Jan 2005 13:50:49 +1100, Michael C wrote:

 > google

I wouldn't be asking if I hadn't already... Might hae been some stuff but
it was all in German. Not much good ya know.<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: hacking Synology DS-101 

On Mon, 17 Jan 2005 01:48:33 GMT, kony wrote:

 > On Mon, 17 Jan 2005 10:51:29 +1100, Mike Hansford
 > <hanmjau DeleteThis @yahoo.com.au> wrote:
 >
  >>Has anyone managed to successfully hack the Synology DS-101 Disk Station (a
  >>barebones NAS) to obtain root console access?
  >>
  >>Any help would be appreciated.
  >>Thanks
  >>Mike
 >
 > Don't have one, looked on their website and saw a download
 > for the firmware,
<font color=purple> > <a style='text-decoration: underline;' href="http://www.synology.com/support1/dspat/synology_ixp420_1hd.pat</font" target="_blank">http://www.synology.com/support1/dspat/synology_ixp420_1hd.pat</font</a>>
 > suggest you rename it to *.tgz, start decompressing
 > everything and looking about in the files. That's about all
 > the help I have.

Sounds fair. Will give it a go. The item obviously isn't that popular.
Cheers<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: hacking Synology DS-101 

"Mike Hansford" <hanmjau.TakeThisOut@yahoo.com.au> wrote in message
news:nbasivy50jq8$.tfgirszblyg5.dlg@40tude.net...
 > I wouldn't be asking if I hadn't already... Might hae been some stuff but
 > it was all in German. Not much good ya know.

Google language tools.<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: hacking Synology DS-101 

NEW NEW NEW NEW NEW NEW NEW NEW NEW

GPL Source code out now !!!!! on DS-101

http://www.synology.com/enu/download/download.php

I LOVE IT !!!!!!!!!!!!
 >> Stay informed about: hacking Synology DS-101 

how can i gain access to the console with root access to install something?

thanks!
 >> Stay informed about: hacking Synology DS-101 

Nice, have downloaded it. But how can I "hack" it an insert new feateres to the ds-101?
It would be cool to add httpd to the box

Are the only way to access the konfig files in ds-101 to hack the frimware or is it possyible to see the config files in a special logon(have tried SSH and Telnet, but this is not supportet)

Hope somone can help
 >> Stay informed about: hacking Synology DS-101 

Quote:

how can i gain access to the console with root access to install something?

You have to compile your own software for it, and upload it to the box. Since they released the source just this month, I would expect it will take som time before somebody has an alternative firmware ready.

My wishlist for this box is
-ssh server
-larger file support. limit is now 2GB. Have some DVD iso's I can't put on it.
-torrent client

The 101g+ seems to have a quite cool picture album feature. Hope they release the source for that soon, so somebody could port it to 101.
 >> Stay informed about: hacking Synology DS-101 

I'd actually like to install SlimServer (http://www.slimp3.com/su_downloads.html) to the box. Is that possible?

A guy already did that with a Buffalo LinkStation NAS: http://fieldnetworks.com/slim/linkstation.html

As I am not the hacker or similar, i'm not sure what's possible with that source code and what not ... Thanks all of you!

rocka
 >> Stay informed about: hacking Synology DS-101 

Been playing with a DS101 for a few hours now. Downloaded and installed the latest firmware with built-in webserver - synology_ixp420_1hd.rar

Having looked through the firmware and the source, it appears that PHP is installed but config doesn't allow parsing of .php files. However it will parse php files with the extension .php3 and apache is running as root!!!

Using php to run system commands via exec allows you to run any command you need as root. After rummaging around for a bit, it looks like the DS-101 is running something called busybox but just doesn't start telnet at boot.

I wrote a script that backed up the old inetd.conf file and removed the '#' from the telnet line and then saved the file again. One reboot later I have telnet running.

So to get this far...
1) Download the latest firmware with webserver capability
2) Follow the instructions for setting up the webserver
3) Save the following as updateinetd.php3 in the web directory

Code:

<?php //Backup the file $command = "cp /writeable/configs/etc/inetd.conf /writeable/configs/etc/inetd.conf.bak"; $returnarray = array(); exec($command,$returnarray,$code); echo "<br/>Return Code:$code<br/><br/>"; //Write the line to start telnet $newinetdline =  "telnet stream tcp nowait root /usr/sbin/telnetd telnetd"; $fh = fopen("/etc/inetd.conf","w"); fwrite($fh,$newinetdline ); fclose($fh); ?>

4) Point your browser at the script updateinetd.php3 on the DS-101 web server
5) Reboot and telnet is now running.

This is as far as I've got so far - just need to get around the root password (but with access to /etc/password and /etc/shadow that shouldn't be too difficult).

I really want to get rsync running on this somehow so if someone who knows what they're doing can step in at this point...

Cheers,

WF
 >> Stay informed about: hacking Synology DS-101 

Hi!

That sounds great so far.
As apache is running as root, a new user (with root-rights) could be added to the system with a php3 script. Is that possible?

cheers,
rocka
 >> Stay informed about: hacking Synology DS-101 

Most of the files are owned by root and are readonly for all other users so I think that the /etc/passwd and /etc/shadow files need to be tweaked to allow a know root password - although I don't know the implications of doing this.

I can confirm that it appears to be possible to execute any command as root using the php 'exec' command from a php3 script.

I was hoping that somebody else would step in with the next part of the process now there appears to be a way to telnet into the DS-101 as root.

Cheers,

WF
 >> Stay informed about: hacking Synology DS-101 

Hey

Don't worry we don't need no one other (yet) ...

When logging on via telnet it first asks for a diskstation user/pw. standard "admin" user works. But after that "SynoPassword:" prompts ... do you think that's the root-pw?

Here's another php3-script to dump out /etc/passwd and /etc/shadow (which contains the password of root).

Code:

<?php  // get contents of a file into a string  $filename = "/etc/shadow";  $handle = fopen($filename, "r");  $contents = fread($handle, filesize($filename));  fclose($handle);  echo "<br/>/etc/shadow<br/><br/>";  echo "<br/>$contents<br/><br/>";    // get contents of a file into a string  $filename = "/etc/passwd";  $handle = fopen($filename, "r");  $contents = fread($handle, filesize($filename));  fclose($handle);  echo "<br/>/etc/passwd<br/><br/>";  echo "<br/>$contents<br/><br/>";  ?>

I would suggest to leave the root user as it is since some deamons/services might use it. Adding another user with root-permissions would be a clean (temporary) solution i guess.

After doing some research, i found out that root-access can be given to a user by changing his group in /etc/passwd to "O" (after the second ":").

Maybe it would be usefull to start an SSH deamon on the box (if possible somehow), so we could avoid fighting with "SynoPassword:" ...

Let me know if you have an idea ... need some sleep know!

bye
rocka
 >> Stay informed about: hacking Synology DS-101