Opening Stock Firmware of LinkStation LS421DE


The purpose of opening a stock firmware is to gain root access to the LinkStation. With root access, additional software can be added to the firmware, e.g. using optware packages. Furthermore, the Buffalo stock firmware can be replaced with a custom operating system such as Debian.

This process is based on an existing method from buffalo.nas-central.org and was tested on the LS421DE:

  1. Download the tools from https://github.com/tohenk/linkstation-mod/archive/master.zip.
    $ mkdir ~/lsmod
    $ cd ~/lsmod
    $ wget https://github.com/tohenk/linkstation-mod/archive/master.zip
    $ unzip master.zip
    $ cd linkstation-mod-master
    
  2. Get the Buffalo stock firmware from http://buffalo.jp/support_ap/support/products/ls400.html. The latest firmware as of this writing is 1.33.
    $ mkdir firmware
    $ cd firmware
    $ wget -O ls400-133en.zip 'http://buffalo.jp/php/ldl_ap.php?to=secure%2Fnas%2Fwin%2Fls400-133en.zip%3Fkey%3DMzEyNzEwMDQzNzE0NTQ2OTEwMTAwMjJkcml2ZXIuYXNpYS5idWZmYWxvLmpwMDQwL2J1Zi1kcnYyL3NlY3VyZS9uYXMvd2luL2xzNDAwLTEzM2VuLnppcDEwMTAwMDJpZDExMTBya3BhdzAwMDAwMDA2MDAwMzcyNzY%3D%26ext%3D.zip'
    $ unzip ls400-133en.zip
    

    After unzipping, the firmware can be found in the ~/lsmod/linkstation-mod-master/firmware/ls400-133en/ folder.

  3. Prepare an SSH public key for login authentication.
    If you’re already using a Linux box, simply copy id_dsa.pub or id_rsa.pub to the data folder.

    $ cd ~/lsmod/linkstation-mod-master
    $ cp ~/.ssh/id_dsa.pub data/id_dsa.key
    

    On a Windows box, use PuTTYgen to generate an SSH private/public key pair. Refer to http://winscp.net/eng/docs/ui_puttygen for an example. After key generation is complete, do not close the PuTTYgen window; instead, select all the text in the generated public key, press Ctrl+C to copy it, paste it into Notepad and save the file with a .key extension. You can then copy the file to the Linux box, using WinSCP for example, and put it in the data folder.

  4. Execute the script to open the stock firmware.
    $ sudo ./scripts/open-ls-rootfs.sh firmware/ls400-133en/hddrootfs.img
    Opening stock firmware ROOTFS of firmware/ls400-133en/hddrootfs.img.
    > Preparing directories...
    > Unpacking ROOTFS image...
      Using password 1NIf_2yUOlRDpYZUVNqboRpMBoZwT4PzoUvOPUp6l.
    > Extracting ROOTFS...
    > Removing root password...
      Removing root password from initfile backup.
      Removing root password from shadow file.
    > Allowing root login via telnet and ssh...
      Enabling SSHD service.
    > Adding ssh key...
    > Creating emergency script service...
    > Package ROOTFS...
      Opened ROOTFS image saved in /home/toha/lsmod/linkstation-mod-master/out/hddrootfs.img.
    
    Done.
    
    

    Additionally, you can add features by editing data/nas_features and issuing the following command:

    $ sudo ./scripts/open-ls-initrd-cpio.sh firmware/ls400-133en/initrd.img
    Opening stock firmware INITRD of firmware/ls400-133en/initrd.img.
    > Preparing directories...
    > Unpacking INITRD image...
      Using password 1NIf_2yUOlRDpYZUVNqboRpMBoZwT4PzoUvOPUp6l.
    > Extracting INITRD using cpio...
    > Enable SFTP in nas_features...
    > Patching nas_features...
      Applying patch from /home/toha/lsmod/linkstation-mod-master/data/nas_features.
    > Removing root password...
    > Create and package INITRD...
      Opened INITRD image saved in /home/toha/lsmod/linkstation-mod-master/out/initrd.img.
    
    Done.
    
    

    The opened firmware images can be found in the ~/lsmod/linkstation-mod-master/out/ folder, named hddrootfs.img and initrd.img.

  5. Re-flash the modified firmware.
    You need a Windows box (or Macintosh) to flash Buffalo firmware. Copy the opened firmware from the previous step over the original firmware, replacing it.
    Append the following lines to LSUpdater.ini:

    [SpecialFlags]
    Debug = 1
    

    Execute LSUpdater.exe and activate debug mode by clicking in the upper left corner (see figure below).
    [Figure: ls-updater-debug]
    In the Debug Mode dialog, tick the following options:

    • Config: Do not check version
    • Config: Force update
    • Update: Update rootfs
    • Update: Update initrd (only if you add features to initrd image)

    [Figure: ls-updater-debug-options]
    Next, perform the update by clicking the Update button. After the update process is done, you can SSH to the box as root.


  1. #1 by Brendan on December 14, 2014 - 6:24 am

    I’ve tried this a couple of times and all that ends up happening is the linkstation tries to boot, but the status light just flashes red and blue. Any thoughts?

  2. #2 by Slamet PS on January 8, 2015 - 12:30 am

    I have tried, and ssh is active but I can’t SSH using root. I logged in using user admin with password successfully. How can I log in using user root?

    • #3 by Toha on January 9, 2015 - 7:49 am

      Have you tried to use ssh public key authentication?

  3. #4 by Cris on March 27, 2015 - 6:51 pm

    In Firmware 1.80 the root account is locked, which means even public key authentication is not possible. So one cannot log in as stated in your last step.

    • #5 by Cris on March 27, 2015 - 7:11 pm

      The tool used with the link did the trick, since you can get root access using that tool: http://forum.nas-hilfe.de/buffalo-technology-nas-anleitungen/ssh-freischalten-auf-einer-ls421de-t2165.html

      Anyway, big thanks to you Toha. More people like you are needed on the net 😉

    • #6 by Dennis on December 1, 2015 - 6:14 am

      Hi, I had the same problem (can’t log in with ssh key) on firmware 1.81. After I used Cris’s solution, I found the reason why it wasn’t working. /var/log/messages shows the reason:
      Authentication refused: bad ownership or modes for directory /root

      /root, /root/.ssh and /root/.ssh/authorized_keys have the wrong permissions! Therefore I modified open-ls-rootfs.sh. Inside do_correct_permissions(), I added:
      chmod 0700 "$ROOTFS/root"
      chmod 0700 "$ROOTFS/root/.ssh"
      chmod 0600 "$ROOTFS/root/.ssh/authorized_keys"

      Then I had to uncomment the do_correct_permissions inside the main method.
      With these modifications, everything works now.

      • #7 by Toha on December 1, 2015 - 6:45 am

        Thanks for your feedback Dennis, will integrate it on Github.
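
The permission problem reported in comment #6 can be checked on the extracted tree before the image is repackaged and flashed. The function below is an added example, not part of the original post, its comments or the linkstation-mod scripts; it tests the same three paths for what sshd's StrictModes check refuses (wrong owner, or write access for group or others). The function name and the optional `EXPECTED_UID` argument are assumptions of this example, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example (not from linkstation-mod): report paths in an extracted
# rootfs whose owner or mode would make sshd's StrictModes check refuse
# public key login for root.
# Usage: check_ssh_modes ROOTFS_DIR [EXPECTED_UID]
# EXPECTED_UID is an assumption of this example; it defaults to 0 (root) and
# exists so the check can be tried on a scratch tree without root privileges.
check_ssh_modes() {
    rootfs=$1
    want_uid=${2:-0}
    rc=0
    for rel in root root/.ssh root/.ssh/authorized_keys; do
        p="$rootfs/$rel"
        if [ ! -e "$p" ]; then
            echo "MISSING   $p"
            rc=1
            continue
        fi
        # GNU stat: %a is the octal mode, %u the numeric owner id.
        mode=$(stat -c '%a' "$p")
        uid=$(stat -c '%u' "$p")
        if [ "$uid" != "$want_uid" ]; then
            echo "BAD OWNER $p (uid $uid, expected $want_uid)"
            rc=1
        fi
        # sshd rejects any of these paths if group or others can write to it.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "BAD MODE  $p (mode $mode is group/other writable)"
            rc=1
        fi
    done
    return $rc
}
```

The modes 0700, 0700 and 0600 from the comment above satisfy this check; a non-zero return means key login as root would be refused with the "bad ownership or modes" message.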

  4. #8 by Kevin J. Black, M.D. on November 24, 2015 - 10:45 pm

    When I try running this, I get to this step:
    do_unpack_rootfs() {
    show_msg "Unpacking ROOTFS image"
    PASSWORD=`unpack_buffalo_image "$ORIGINAL" "$ROOTFS_IMG"`

    But my system can’t find an executable called unpack_buffalo_image.

    Where do I get it?

  5. #10 by Jackson on February 5, 2016 - 5:11 pm

    What changes do I need if I want to replace the root password instead of removing it completely?

    • #11 by Toha on February 5, 2016 - 8:15 pm

      It is easier if you change the root password after logging in using SSH.
