Buffalo NAS-Central Forums

PostPosted: Mon Jan 29, 2007 10:01 am 
Site Admin

Joined: Tue Jul 12, 2005 11:26 am
Posts: 3701
Location: JAPAN
I'd imagine that ls_sonar is the same command set as ls_sonar on the LS HG/HS series. This was added for the LS to LS backup.

Regarding locating the LS, I thought it would just do a broadcast ping as with the LS boxes on the port? I will try mine tonight.

_________________
LS used as PVR and streaming source


PostPosted: Mon Jan 29, 2007 6:18 pm 
Developer

Joined: Wed Oct 25, 2006 6:05 pm
Posts: 613
Location: Germany
It seems that ls_sonar uses TCP and clientServer_util UDP traffic. ls_sonar is called from the web interface to get the necessary info about another LS for the backup process (share info, hdd size ...). clientServer_util is used for the update process and has that "great" ACP_Command implemented, which gives telnet-like root access.
So far I only looked at the UDP-side. clientServer_util usually does not answer on packets that do not fit into its pattern. So I believe a simple ping on its UDP port would not be answered in any way.

_________________
acp_commander users note: from ver. 0.4 on the correct ACP authentication method is used, avoiding possible side effects.
Download: http://sourceforge.net/project/showfile ... _id=167037


PostPosted: Thu Feb 15, 2007 8:13 pm 
Developer

Joined: Wed Oct 25, 2006 6:05 pm
Posts: 613
Location: Germany
Bad news ... updated the developer box twice this evening using LSUpdater.
The password remained unchanged ("password"). I give the encrypted hex strings of the passwords sent to the LS:

Update #1
Code:
ACP_ENONECMD -> developer     c7 ae 73 15 f1 9b 2e 4b
ACP_AUTHENT -> developer                 d6 93 61 3e fd 86 3f 5a

Update #2
Code:
ACP_ENONECMD -> developer     a3 8f 28 41 05 df 7d 33
ACP_AUTHENT -> developer                  b2 b2 3a 6a 09 c2 6c 22

So a simple replay attack won't work. :down:



PostPosted: Fri Apr 13, 2007 9:48 pm 
Developer

Joined: Wed Oct 25, 2006 6:05 pm
Posts: 613
Location: Germany
@developers (and of course everyone else who likes to get into trouble)
I put a new version (pre 0.3) into /Users/georg/ for you to test.

I've worked heavily over the whole ACP code (though there is still some way to go), so please look for strange results.

New features:
repeat last packet up to 2 more times if timeout occurs.
worked over the handling of received packets, especially replaced that "**no message**" the LS sends by "OK"

-d3 .. hex/ascii dump of receive buffer
-f ... search functionality
-b ... bind to local ip (e.g. if you've got several NIC's)

-blink ... blink LED and play some tones (ACPblinkLED)
-safe ... save config into /boot/config_safe.tgz (ACPsaveConf)
-load ... load -"- (ACPloadConf)

other (more useful) ACP commands (see way above) are in the code, but they have to be enabled by ACPENoneCmd. And I'm still struggling with the password encryption. I've learned that in the reply to ACPDiscover there is a key that plays some role. For one LS this key seems to depend only on the connectionID; unfortunately the same connectionID gives different keys for two different LS. So simple playback of packets will only work for one LS...

But at least one (tiny) step forward and a new trace to follow.

Regarding the installation process: With all the uncertainties in the ACP protocol and the possible side effects (damaged uboot) I will use a script that the acp_commander copies into /share together with the firmware file and run this script there, extracting the necessary files and copying them to /boot.



PostPosted: Sat Apr 14, 2007 10:54 am 
Developer

Joined: Wed Oct 25, 2006 6:05 pm
Posts: 613
Location: Germany
I'll do some more cleanup and testing before uploading to sourceforge-svn.



PostPosted: Sat Apr 14, 2007 3:04 pm 
Site Admin

Joined: Mon Jul 11, 2005 7:19 am
Posts: 7702
Location: Austria, Vienna
Looks like either the reply to your discovery packet gets back twice or it is interpreted twice.

Code:
C:\Dokumente und Einstellungen\mak\Desktop>"C:\Programme\Java\jdk1.5.0_04\bin\ja
va.exe" -jar acp_commander.jar -t 192.168.1.11 -f
ACP_commander out of the linkstationwiki.net project.
Used to send ACP-commands to Buffalo linkstation(R) LS-PRO.
 
WARNING: This is experimental software that might brick your linkstation!
 
 
Using random connID value = 6BACD0797D0F
Using target:   LS-PRO/192.168.1.11
Sending ACP-Disover packet...
Found:  LS-PRO (/192.168.1.11)  LS-GL(IESADA) (ID=0009)         mac: 00:16:01:41
:2C:D1:00       Firmware=  1.30 Key=42CEFC7E
Found:  LS-PRO (/192.168.1.11)  LS-GL(IESADA) (ID=0009)         mac: 00:16:01:41
:2C:D1:00       Firmware=  1.30 Key=42CEFC7E
Found 2 linkstation(s).


I also tried the ascii stuff. That worked... now I also see the payload...

_________________
LS1 (2.6 kernel, foonas svn1062, 750 GB, UBoot 1.2) & LS Pro (FreeLink/jtymod/GenLink, changes all the time)
Thx to all donators!


PostPosted: Sat Apr 14, 2007 3:44 pm 
Developer

Joined: Sun Dec 31, 2006 10:40 am
Posts: 434
Location: Scotland
Only once per box for me:

Code:
F:\Linkstation Pro>java -jar acp_commander.jar -t 192.168.1.5 -f
ACP_commander out of the linkstationwiki.net project.
Used to send ACP-commands to Buffalo linkstation(R) LS-PRO.
 
WARNING: This is experimental software that might brick your linkstation!
 
 
Using random connID value = 70D3256322B5
Using target:   linkstationpro.localdomain/192.168.1.5
Sending ACP-Disover packet...
Found:  LS-GL500 (/192.168.1.5)         LS-GL(IESADA) (ID=0009)         mac: 00:16:01:41:2A:22:00
Firmware=  1.30 Key=1EE39799
Found 1 linkstation(s).
 
F:\Linkstation Pro>java -jar acp_commander.jar -t 192.168.1.6 -f
ACP_commander out of the linkstationwiki.net project.
Used to send ACP-commands to Buffalo linkstation(R) LS-PRO.
 
WARNING: This is experimental software that might brick your linkstation!
 
 
Using random connID value = B78DFFDF187D
Using target:   ls250.localdomain/192.168.1.6
Sending ACP-Disover packet...
Found:  LS-GL250 (/192.168.1.6)         LS-GL(IESADA) (ID=0009)         mac: 00:16:01:41:BD:84:00
Firmware=  1.30 Key=0F6315F0
Found 1 linkstation(s).

_________________
LS-500GL - Diskless
LS-250GL - Armel, U-Boot NC Enabled
HS-DH320GL - Stock 1.11_1a
LS-H120LAN(PPC) - Dev (foonas)
LS-H120LAN(PPC) - Freelink - 2.6.23.8
LS-H250LAN(MIPS) - Dev (foonas-em, foonas)
LS-HS400DGL(PPC) - Freelink
Thecus N1200 - Ubuntu 8.10


Last edited by Kaiten on Sat Apr 28, 2007 2:05 pm, edited 1 time in total.

PostPosted: Sun Apr 15, 2007 10:17 am 
Developer

Joined: Wed Oct 25, 2006 6:05 pm
Posts: 613
Location: Germany
Mindbender, I get the same effect if I start the clientUtil-Server several times (as on DEVELOPER):
Code:
D:\Eigene Dateien>java -jar acp_commander.jar -f -t 255.255.255.255
ACP_commander out of the nas-central.org project.
Used to send ACP-commands to Buffalo linkstation(R) LS-PRO.
 
WARNING: This is experimental software that might brick your linkstation!
 
 
Using random connID value = E7268AE21EB2
Using target:   255.255.255.255/255.255.255.255
Sending ACP-Disover packet...
Found:  LINKSTATION (/192.168.0.150)    LS-GL(IESADA) (ID=0009)         mac: 00:16:01:41:85:18:00       Firmware=  1.30 Key=43150703
Found:  DEVELOPER (/192.168.0.152)      LS-GL(IESADA) (ID=0009)         mac: 00:16:01:41:34:9C:00       Firmware=  1.30 Key=69A838C4
Found:  DEVELOPER (/192.168.0.152)      LS-GL(IESADA) (ID=0009)         mac: 00:16:01:41:34:9C:00       Firmware=  1.30 Key=69A838C4
Found:  DEVELOPER (/192.168.0.152)      LS-GL(IESADA) (ID=0009)         mac: 00:16:01:41:34:9C:00       Firmware=  1.30 Key=69A838C4
Found 4 linkstation(s).

If you use the -f option you can start several instances of clientUtil_server; it seems that each one answers the packets.



PostPosted: Tue Apr 17, 2007 9:54 pm 
Developer

Joined: Wed Oct 25, 2006 6:05 pm
Posts: 613
Location: Germany
Changing the IP works now, too. It is password protected, and our "normal" authentication doesn't work. But if you delete the admin password it is sufficient to send an empty one.

Just brought the developer from 192.168.0.152 to 10.0.0.1 and back from a computer at 192.168.0.10 without any ip/route changes. For the way back I broadcasted the packet and set the correct mac in the packet. (BTW the mac output is one byte too long - see above). The box at 192.168.0.150 didn't change.

Also tried to bypass ENoneCMD with the same trick - without luck. So far!



PostPosted: Tue Jul 31, 2007 1:53 am 
Site Admin

Joined: Mon Jul 11, 2005 7:19 am
Posts: 7702
Location: Austria, Vienna
I just tried the interactive shell. Works great. I ask myself why I never saw this feature? It was there since 0.2, I think?

Its only drawback is that it only allows paths with absolute commands..... so a simple
Code:
cd /etc
ls

won't work. But I think that does not work by design of the acp_commands.

And I encountered this:
Code:
/root>ls /usr

bin
include
info
lib
libexec
local
man
sbin
share
var

>ls /usr/bin

Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 1024
        at acpcommander.ACP.rcvACP(ACP.java:932)
        at acpcommander.ACP.doSendRcv(ACP.java:349)
        at acpcommander.ACP.Command(ACP.java:177)
        at acpcommander.acp_commander.main(acp_commander.java:765)

although "ls /etc/init.d" works.

But hey... no reason to change anything as it works so well. I just tested out the interactive shell :)



PostPosted: Tue Jul 31, 2007 8:55 am 
Developer

Joined: Wed Oct 25, 2006 6:05 pm
Posts: 613
Location: Germany
mindbender wrote:
Its only drawback is that it only allows paths with absolute commands..... so a simple
Code:
cd /etc
ls
won't work. But I think that does not work by design of the acp_commands.

Yes, you have to think of each line you type as its own shell. However, what should work:
Code:
cd /etc; ls

You're right, it's in since 0.2, but I implemented it more for fun, as it can be done. You've got quite some limitations (like above) and little benefit, if any at all (your commands don't go into any log as far as I can see).
The only reasonable reason to use it would be if you don't have telnet/ssh on a system, but Java and the acp_commander. But you wouldn't leave home without it, would you? ;)

With "ls /usr/bin", I guess that the lengthy listing causes an overflow of the receive buffer :oops: - going to look for it.



PostPosted: Tue Jul 31, 2007 1:47 pm 
Site Admin

Joined: Mon Jul 11, 2005 7:19 am
Posts: 7702
Location: Austria, Vienna
maybe?

Code:
// TODO: danger - possible buffer overflow/data loss with fixed packet length
DatagramPacket _receive = new DatagramPacket(new byte[1024], 1024);



PostPosted: Tue Jul 31, 2007 8:18 pm 
Developer

Joined: Wed Oct 25, 2006 6:05 pm
Posts: 613
Location: Germany
Yes, that's exactly the part of the code I was thinking about, though I didn't remember adding the TODO tag with the (correct) fears. ;)
Hey, I'm a bit proud of that. Yes, it'd have been better to do it right. But hey,
Georg wrote:
WARNING: This is experimental software...



PostPosted: Sun Aug 05, 2007 5:04 am 
Developer

Joined: Wed Oct 25, 2006 6:05 pm
Posts: 613
Location: Germany
@java gurus!
Code:
DatagramSocket _socket;
// TODO: danger - possible buffer overflow/data loss with fixed packet length
DatagramPacket _receive = new DatagramPacket(new byte[1024], 1024);
...
_socket.receive(_receive);


All examples I've seen on the web work this (poor) way. You can increase the buffer size, but then either you've got a huge buffer, or (better anyway) you always run into the danger of a buffer overflow. A dynamic sizing of the receive buffer is necessary.

_socket.getReceiveBufferSize,
_socket.setReceiveBufferSize

come to mind.

Yes, the first version of the acp_commander was a "java in 10 days" prog. :D

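An added example (written for this page, not acp_commander's own code) of the receive pattern Georg is asking about: size the backing array for the largest UDP datagram that can arrive, trim to getLength(), and bound any length field inside the payload by what was actually received instead of indexing past the array. The class and method names, the timeout handling, and the 16-bit length-field layout in boundedSlice are assumptions; the page does not document the ACP packet layout.

```java
import java.io.IOException;
import java.net.DatagramPacket;
import java.net.DatagramSocket;
import java.net.SocketTimeoutException;
import java.util.Arrays;

/** Hypothetical helper, not part of acp_commander. */
public class SafeUdpReceive {
    // Largest payload one IPv4 UDP datagram can carry: 65535 - 20 (IP header) - 8 (UDP header).
    static final int MAX_UDP_PAYLOAD = 65507;

    /**
     * Receive one datagram and return exactly the bytes that arrived.
     * DatagramSocket.receive() silently discards whatever does not fit the packet's
     * backing array, so the array must be sized for the largest possible datagram.
     * setReceiveBufferSize() is not the fix: it sizes the kernel's SO_RCVBUF queue,
     * not this array.
     */
    static byte[] receiveDatagram(DatagramSocket socket, int timeoutMillis) throws IOException {
        byte[] backing = new byte[MAX_UDP_PAYLOAD];
        DatagramPacket packet = new DatagramPacket(backing, backing.length);
        socket.setSoTimeout(timeoutMillis);
        try {
            socket.receive(packet);
        } catch (SocketTimeoutException e) {
            return null; // caller decides whether to resend (the thread mentions up to 2 repeats)
        }
        // Trim to the length actually received; getLength() is the only trustworthy size.
        return Arrays.copyOf(packet.getData(), packet.getLength());
    }

    /**
     * Read a 16-bit big-endian length field at offset off and return the slice it
     * describes, refusing any length that runs past the bytes actually received.
     * This is the check whose absence shows up as ArrayIndexOutOfBoundsException: 1024.
     */
    static byte[] boundedSlice(byte[] received, int off) {
        if (off < 0 || off + 2 > received.length) {
            throw new IllegalArgumentException("length field lies beyond received data");
        }
        int declared = ((received[off] & 0xff) << 8) | (received[off + 1] & 0xff);
        int start = off + 2;
        if (declared > received.length - start) {
            throw new IllegalArgumentException("declared length " + declared
                    + " exceeds received " + (received.length - start));
        }
        return Arrays.copyOfRange(received, start, start + declared);
    }
}
```

A truncated datagram still parses consistently with this pattern: the declared length is rejected rather than used as an index, so a long "ls /usr/bin" listing fails loudly instead of with an out-of-bounds read.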


PostPosted: Tue Oct 09, 2007 7:55 pm 
Developer

Joined: Wed Oct 25, 2006 6:05 pm
Posts: 613
Location: Germany
The past days (evenings) I played with the debugger again. The password encryption in LSUpdater.exe seems to start at 0x0040170.
The first part is easy; the core encryption loop starting at 0x0040175 is still puzzling me. Looks like password, connection ID and key are XORed and multiplied a couple of times.

Can be done but takes some time. If someone wants to help I can provide IDA 4.3/OllyDbg files.


