krausam » SSH/Shell access to iomega StorCenter ix2

June 27, 2009

SSH/Shell access to iomega StorCenter ix2

Filed under: Embeded, Spielzeug, Unix — micha @ 10:55 am

I recently got the “iomega StorCenter ix2″ it’s a little NAS for home or small office use.
Soon it was clear to me that it runs Linux, and a Linux device whithout shell access is hard to bear.
After googeling for a day, I found nothing on this subject which would work whith a recent firmware version (2.0.15.43099).
So here is what I did to get access:

I opened the case to get direct access to the S-ATA HDs, then I connected the HDs to my Linux PC.
After booting up, I could see how it is configured:

My PC detected the 2 HDs as /dev/sdb and /dev/sdc.
Each HD contains 2 Linux software-raid partitions.
The first raid partition (1GB) is always raid1 and contains the firmware.
The second raid partition is raid1 or linear-raid; this is configurable whith the web interface.

After assembling the first raid with
mdadm /dev/md0 /dev/sdb1 /dev/sdc1
I could mount /dev/md0 to /mnt
mount /dev/md0 /mnt/md0
(the filesystem is ext2).
The mounted filesystem contained:
# ls -lh drwxr-xr-x 2 root root 4.0k Mar 14 16:52 images drwx------ 2 root root 16.0k Mar 14 15:00 lost+found -rwx------ 1 root root 512.0M Mar 14 16:54 swapfile # ls -lh images/ -rw-r--r-- 1 root root 163.0M Jun 25 20:37 apps -rw-r--r-- 1 root root 5.0M Mar 14 15:03 config -rw-r--r-- 1 root root 416.0k Jun 25 20:37 oem
The files in images/ looked like they contained what I was searching for. To find out the filetype I used file:
# file images/* images/apps: Linux rev 0.0 ext2 filesystem data images/config: Linux rev 0.0 ext2 filesystem data images/oem: Linux Compressed ROM File System data, little endian size 425984 version #2 sorted_dirs CRC 0xd3a158e1, edition 0, 222 blocks, 34 files
That meant that I could simply mount the config and apps file, as they contained an ext2 filesystem.
mount -o loop /mnt/md0/images/config /mnt/config
This image file contained the /etc directory of the storage.
Now I could edit the configfiles and changed the following files:

Activate ssh:
init.d/S50ssh
There I changed:
start() { echo -n "Starting sshd: " #/usr/sbin/sshd #touch /var/lock/sshd echo "OK" } stop() { echo -n "Stopping sshd: " #killall sshd #rm -f /var/lock/sshd echo "OK" }
To:
start() { echo -n "Starting sshd: " /usr/sbin/sshd touch /var/lock/sshd echo "OK" } stop() { echo -n "Stopping sshd: " killall sshd rm -f /var/lock/sshd echo "OK" }

sshd_config
Changed:
Subsystem sftp /usr/sbin/sftp-server
To:
#Subsystem sftp /usr/sbin/sftp-server

To set a password I simply copied the hash from an account of my PC to the shadow file.
shadow root:Hash from my PCs account:10933:0:99999:7:::

After unmounting all disks, shutting down my PC, reconnecting the drives to the StorCenter and switching it on, I had access:
Starting Nmap 4.76 ( http://nmap.org ) at 2009-06-27 11:15 CEST Interesting ports on storage (192.168.2.11): PORT STATE SERVICE 22/tcp open ssh MAC Address: 00:D0:B8:03:0B:33 (Iomega)


Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
ssh root@storage

root@storage's password:
BusyBox v1.8.2 (2009-01-09 09:01:03 EST) built-in shell (ash)

Enter 'help' for a list of built-in commands.

#

Some impressions from the comandline:
# mount rootfs on / type rootfs (rw) /dev/root.old on /initrd type ext2 (rw) none on / type tmpfs (rw) /dev/md0 on /boot type ext2 (rw) /dev/loop0 on /mnt/apps type ext2 (ro) /dev/loop1 on /etc type ext2 (rw) /dev/loop2 on /oem type cramfs (ro) proc on /proc type proc (rw) none on /proc/bus/usb type usbfs (rw) none on /sys type sysfs (rw) devpts on /dev/pts type devpts (rw) /dev/md1 on /mnt/soho_storage type ext3 (rw,noatime,data=ordered) /dev/sdc1 on /mnt/soho_storage/samba/shares/conny type vfat (rw,fmask=0000,dmask=0000,codepage=cp437,iocharset=utf8) /dev/sdd1 on /mnt/soho_storage/samba/shares/micha type ext3 (rw,data=ordered)


# df

Filesystem                Size      Used Available Use% Mounted on

/dev/root.old             3.7M      1.1M      2.5M  30% /initrd

none                     61.8M      2.9M     58.9M   5% /

/dev/md0                980.4M    845.5M     85.1M  91% /boot

/dev/loop0              162.3M    135.7M     18.5M  88% /mnt/apps

/dev/loop1                4.8M    754.0k      3.9M  16% /etc

/dev/loop2              888.0k    888.0k         0 100% /oem

/dev/md1                922.2G    118.8G    794.1G  13% /mnt/soho_storage

/dev/sdc1               232.8G    201.3G     31.5G  86% /mnt/soho_storage/samba/shares/conny

/dev/sdd1               275.1G    549.0M    260.6G   0% /mnt/soho_storage/samba/shares/micha
# cat /proc/mdstat

Personalities : [raid1] [raid10] [linear]

md1 : active linear sda2[0] sdb2[1]

      974727680 blocks 0k rounding
md0 : active raid1 sda1[0] sdb1[1]

      1020032 blocks [2/2] [UU]
unused devices: 
# cat /proc/cpuinfo

Processor       : ARM926EJ-S rev 0 (v5l)

BogoMIPS        : 266.24

Features        : swp half thumb fastmult edsp

CPU implementer : 0×41

CPU architecture: 5TEJ

CPU variant     : 0×0

CPU part        : 0×926

CPU revision    : 0

Cache type      : write-back

Cache clean     : cp15 c7 ops

Cache lockdown  : format C

Cache format    : Harvard

I size          : 32768

I assoc         : 1

I line length   : 32

I sets          : 1024

D size          : 32768

D assoc         : 1

D line length   : 32

D sets          : 1024
Hardware        : Feroceon

Revision        : 0000

Serial          : 0000000000000000
# iostat

      sda             sdb             md0             md1             sdc             sdd             cpu

  kps tps svc_t   kps tps svc_t   kps tps svc_t   kps tps svc_t   kps tps svc_t   kps tps svc_t  us  sy  wt  id

   23   1   4.4   676  15   4.1    24   2   0.0   668 122   0.0     4   1   3.5     2   0   9.9  25  12  13  50
# sdparm -C stop /dev/sdc

    /dev/sdc: ST325082  0A                3.AA
# rsync -aPh mk@schreibtisch:/home/mk/Desktop/foodir /mnt/soho_storage/samba/shares/micha/Desktop

receiving file list …

4 files to consider

foodir/

foodir/foofile1

           0 100%    0.00kB/s    0:00:00 (xfer#1, to-check=2/4)

foodir/foofile2

           0 100%    0.00kB/s    0:00:00 (xfer#2, to-check=1/4)

foodir/foofile3

           0 100%    0.00kB/s    0:00:00 (xfer#3, to-check=0/4)
sent 92 bytes  received 247 bytes  678.00 bytes/sec

total size is 0  speedup is 0.00
# lv

lvchange     lvdisplay    lvm          lvmdiskscan  lvmsar       lvremove     lvresize     lvscan

lvcreate     lvextend     lvmchange    lvmsadc      lvreduce     lvrename     lvs

# pv

pvchange   pvcreate   pvdisplay  pvmove     pvremove   pvresize   pvs        pvscan

# vg

vgcfgbackup   vgchange      vgconvert     vgdisplay     vgextend      vgmerge       vgreduce      vgrename      vgscan

vgcfgrestore  vgck          vgcreate      vgexport      vgimport      vgmknodes     vgremove      vgs           vgsplit
# top

Mem: 124424K used, 2248K free, 0K shrd, 8588K buff, 89860K cached

CPU:  53% usr  30% sys   0% nice   7% idle   0% io   0% irq   7% softirq

Load average: 1.34 0.96 1.79

  PID  PPID USER     STAT   VSZ %MEM %CPU COMMAND

18683 18682 root     S     4916   4%  65% ssh krausam.de rsync –server –sender -vlogDtpr . /mnt/programme

   55     2 root     SW       0   0%  10% [pdflush]

 1338 31651 root     R     2820   2%   7% top

26256   740 root     S <   352m 284%   5% /usr/sbin/appweb -r /usr/local/appweb -f appweb.conf

18709 18682 root     S     6300   5%   5% rsync -aPh krausam.de:/mnt/programme ./

  839   740 root     S    68312  54%   0% /usr/sbin/upnpd -webdir /etc/upnpd/web

  740     1 root     S    11100   9%   0% /sbin/executord -c /etc/sohoConfig.xml

 1790   740 root     S     8276   7%   0% /usr/local/samba/sbin/smbd -F

 1833  1790 root     S     8276   7%   0% /usr/local/samba/sbin/smbd -F

17127   672 root     S     7240   6%   0% sshd: root@pts/1

31634   672 root     S     7080   6%   0% sshd: root@pts/2




19 Comments	»




	
		This was a really helpful post!  I was hoping that something like this would work.  Thank you!
We bought one of these to do some backups for our photography folks, and in the process of getting NFS/AFP/Samba set up, some of the user/group ownership appears to have been mangled.  NFS must have some sort of root squash going on, because I couldn’t chown anything as root on a Linux box.
After enabling the SSH access, I was able to go in as root and re-chown the mangled permissions.
This makes me curious if I can get rsnapshot running on the box, and do automated backups without having to have a server.
	Comment by Tim — August 6, 2009 @ 8:30 pm 
	

	
		Really a nice post! Wonder if you could even find a way to speed up writes to the device… lightspeed reading but damn slow writing, too bad!
Good work anyway!
	Comment by Stefano — August 27, 2009 @ 2:48 pm 
	

	
		Is it possible to port applications to ubuntu? I would like to have the web interface on my ubuntu server to.

Thank you
	Comment by alex — October 22, 2009 @ 11:45 pm 
	

	
		Is it possible to run sabnzbd?
	Comment by MEl — December 1, 2009 @ 4:28 pm 
	

	
		Be aware that the page http:///support.html enables one to start and stop the ssh server.

The ssh server is supposed to be used by support iomega personell (or the NSA?), I have not figured out which account is used for this.
	Comment by etmmvdp — December 4, 2009 @ 6:19 pm 
	

	
		http:///support.html should read http://ip-of-nas/support.html
	Comment by etmmvdp — December 4, 2009 @ 6:24 pm 
	

	
		big thanks for comment #6
	Comment by john — December 11, 2009 @ 5:04 am 
	

	
		[...] I must.. I must increase my SSH ability! And while searching I came across not only this webpage SSH/Shell access to iomega StorCenter ix2 but that little gem of a webpage included this little link at the bottom! [...]
	Pingback by Iomega ix4-200d data reconstruction, ssh and more! | Christopher Kusek, Technology Evangelist — December 17, 2009 @ 6:09 am 
	

	
		has somebody found a valid user and password combo for the ssh server?
	Comment by etmmvdp — December 20, 2009 @ 4:12 pm 
	

	
		If someone managed to find the password for an account with ssh access (root ?), please post it here in the comments.

Thanks !
	Comment by Marc — December 20, 2009 @ 9:03 pm 
	

	
		Hello,

I tried the link http://ip-of-nas/support.html on my ix2, but got redirected to the main index.html. So it seems that this file now contains a redirection…

I am running 2.0.15.43099. Would anyone have an idea of how to get this ssh server access again?

Thanks!
	Comment by Patrick — December 29, 2009 @ 1:35 pm 
	

	
		You need to be logged in to see the page.
	Comment by etmmvdp — December 30, 2009 @ 6:29 pm 
	

	
		Thanks! Weird, I thought I had done that…. anyway. Now trying to guess user/password. Did anyone have a chance yet?
	Comment by Patrick — December 31, 2009 @ 3:50 pm 
	

	
		Thanks to Christopher Kusek: try soho as the ssh root password.

See also http://bit.ly/8IM9g6
	Comment by etmmvdp — January 8, 2010 @ 9:16 am 
	

	
		Thank you!

however, it seems they changed the password in the latest firmware (2.0.15.43099).

I found 2 shadow files in the support dump. One named “shadow” and one named “shadow-”. I could find the soho password in shadow-, but not in shadow. A “john the ripper” has been running for few hours now.
	Comment by Patrick — January 10, 2010 @ 9:34 am 
	

	
		Hi,
current firmware: Iomega StorCenter ix2-200 2.1.25.229

root password soho…
	Comment by Martin — January 16, 2010 @ 10:35 pm 
	

	
		I finally found the root password, thanks to http://bit.ly/8IM9g6 (which i had previously misread.

If you set yout admin password to , then root password is soho.

Cheers!
	Comment by Patrick — January 17, 2010 @ 6:06 pm 
	

	
		shoot, my previous post got garbled…

if admin password is myOwnPassword, then root password will be sohomyOwnPassword.
	Comment by Patrick — January 17, 2010 @ 6:07 pm 
	

	
		has any one experience to install ps3server on the storCenter? i prefer this one to the installed …

otta
	Comment by otta74 — January 29, 2010 @ 11:54 am 
	





RSS feed for comments on this post.	TrackBack URL


Leave a comment






Name (required)


Mail (will not be published) (required)


Website