Just for info on QNAP firmware

Aigor · August 18, 2016

Hi, i don't know if is interesting or not, googoling around the web i found a way to decode qnap firmware, it seems it's similar to synology if anyone is intersted,

this is the link https://sites.google.com/site/nliaudat/nas/test2/qnap401t-decryptencryptfirmware

Aigor · August 23, 2016

Continuing investigation i have a problem, i can boot bzimage with initrd.boot as initramfs, but i'm running into some trouble.

here is how i did

First, download X86 firmware from Qnap site

unzip and you obtain a encrypted image file

you can decrypt using program posted on first post with this commandline

root@dev-linux:/opt/qnap#unzip SS-2479U_20160812-4.2.2.zip
Archive:  SS-2479U_20160812-4.2.2.zip
 inflating: SS-2479U_20160812-4.2.2.img

Now we can decrypt image file into tar.gz archive

root@dev-linux:/opt/qnap#pc1 d QNAPNASVERSION4 SS-2479U_20160812-4.2.2.img SS-2479U_20160812-4.2.2.tar.gz
Using 120-bit encryption - (QNAPNASVERSION4)
len=1048576
model name = SS-2479U
version = 4.2.2
root@dev-linux:/opt/qnap#file SS-2479U_20160812-4.2.2.tar.gz
SS-2479U_20160812-4.2.2.tar.gz: gzip compressed data, from Unix, last modified: Fri Aug 12 04:05:45 2016
root@dev-linux:/opt/qnap#

As you can see we have regular tar.gz archive.

Inside we can found all the stuff need to boot something.

root@dev-linux:/opt/qnap/appo#ls -l
totale 181900
-rw-r--r--. 1 root root       145 12 ago 04.05 bios_layout
drwxr-xr-x. 2 root root         6 12 ago 04.05 boot
-rw-r--r--. 1 root root   5075008 12 ago 04.05 bzImage
-rw-r--r--. 1 root root        70 12 ago 04.05 bzImage.cksum
drwxr-xr-x. 2 root root         6 12 ago 04.05 config
-rwxr-xr-x. 1 root root    278840 12 ago 04.05 flashrom
-rw-r--r--. 1 root root   8388608 12 ago 04.05 flashrom.img
-rw-r--r--. 1 root root        33 12 ago 04.05 fw_info
-rw-r--r--. 1 root root  12716367 12 ago 04.05 initrd.boot
-rw-r--r--. 1 root root        76 12 ago 04.05 initrd.boot.cksum
-rw-r--r--. 1 root root         0 12 ago 04.05 IS_STORAGE_V2
-rwxr-xr-x. 1 root root   1655372 12 ago 04.05 libcrypto.so.1.0.0
-rwxr-xr-x. 1 root root    384412 12 ago 04.05 libssl.so.1.0.0
-rw-r--r--. 1 root root 104058880 12 ago 04.05 qpkg.tar
-rw-r--r--. 1 root root        74 12 ago 04.05 qpkg.tar.cksum
-rw-r--r--. 1 root root  45950458 12 ago 04.05 rootfs2.bz
-rw-r--r--. 1 root root        75 12 ago 04.05 rootfs2.bz.cksum
-rw-r--r--. 1 root root   7660120 12 ago 04.05 rootfs_ext.tgz
-rw-r--r--. 1 root root        78 12 ago 04.05 rootfs_ext.tgz.cksum
drwxr-xr-x. 2 root root      4096 12 ago 04.05 sas_fw
drwxr-xr-x. 2 root root         6 12 ago 04.05 update
-rw-r--r--. 1 root root       108 12 ago 04.05 update_bios.conf
-rwxr-xr-x. 1 root root      3438 12 ago 04.05 update_bios.sh
-rwxr-xr-x. 1 root root     34017 12 ago 04.05 update_img.sh
root@dev-linux:/opt/qnap/appo#

You can see bzImage, initrd.boot and two rootfs file, i'm using VM and pxe to boot VM and my command line is

KERNEL images/qnap/bzImage
             APPEND initrd=images/qnap/initrd2.boot root=/dev/ram0 rw

Initrd.boot is a lzma cpio archive, inside in we can found a shell file called init

root@dev-linux:/opt/qnap/appo/init#ls -l
totale 54656
drwxr-xr-x.  2 root root     4096 23 ago 14.57 bin
drwxr-xr-x.  5 root root    16384 23 ago 14.57 dev
drwxr-xr-x. 27 root root     4096 23 ago 14.57 etc
-rwxr-xr-x.  1 root root      255 23 ago 14.57 init
-rw-r--r--.  1 root root 55877632 23 ago 14.55 initrd.boot
drwxr-xr-x.  4 root root     4096 23 ago 14.57 lib
drwxr-xr-x.  2 root root     4096 23 ago 14.57 lib64
lrwxrwxrwx.  1 root root       11 23 ago 14.57 linuxrc -> bin/busybox
drwx------.  2 root root        6 23 ago 14.57 lost+found
drwxr-xr-x.  4 root root       29 23 ago 14.57 mnt
drwxr-sr-x.  2 root root       33 23 ago 14.57 opt
lrwxrwxrwx.  1 root root       19 23 ago 14.57 php.ini -> /etc/config/php.ini
drwxr-sr-x.  2 root root        6 23 ago 14.57 proc
drwxr-xr-x.  3 root root     4096 23 ago 14.57 root
drwxr-xr-x.  2 root root    12288 23 ago 14.57 sbin
drwxrwxr-x. 29 root root     4096 23 ago 14.57 share
drwxrwxrwx.  4 root root       30 23 ago 14.57 tmp
drwxr-xr-x.  5 root root       39 23 ago 14.57 usr
drwxrwxrwx.  9 root root     4096 23 ago 14.57 var
root@dev-linux:/opt/qnap/appo/init#

it seems the first program executed after boot is completed

#!/bin/sh
mkdir new_root
mount -t tmpfs -o mode=0755,size=256000k none /new_root
/bin/busybox tar -cf - . | tar -xf - -C /new_root
/bin/rm -fr /new_root/init
/bin/mount -t devtmpfs devtmpfs /new_root/dev
exec /bin/busybox switch_root /new_root /sbin/init

This is what i discover, but i don't know howto use rootfs2.bz and rootfs_ext.tgz, that are not encrypted

onebigant · August 23, 2016

Not much love for QNAP on here apparently. Did you try posting this on another forum?

aigors · August 23, 2016

No,first try,as i saw no more follower ,no problem

Inviato dal mio Redmi Note 3 utilizzando Tapatalk

August 25, 2016

Extracting/Mounting the root FS appears to be handled by /etc/rcS.d/S30mountall

You can see where they have coded the expected device names

Upon correcting this, the libc errors will disappear and the system will bring up services when you run the init, however my network devices aren't present which is an issue :smile:

haydibe · August 25, 2016

not if you have access to the sources of the kernel they used... you could create you own set of drivers :smile:

Aigor · August 25, 2016

not if you have access to the sources of the kernel they used... you could create you own set of drivers

They publish their source kernel

Aigor · August 25, 2016

Extracting/Mounting the root FS appears to be handled by /etc/rcS.d/S30mountall

You can see where they have coded the expected device names

Upon correcting this, the libc errors will disappear and the system will bring up services when you run the init, however my network devices aren't present which is an issue

Hi, thanks for hint, but as you saw there are two file that seems to be rootfs

August 26, 2016

Extracting/Mounting the root FS appears to be handled by /etc/rcS.d/S30mountall

You can see where they have coded the expected device names

Upon correcting this, the libc errors will disappear and the system will bring up services when you run the init, however my network devices aren't present which is an issue

Hi, thanks for hint, but as you saw there are two file that seems to be rootfs

I'm not sure what you are asking here? If you look at the mount script, it shows the extraction of both rootfs files and their location.

mrx · December 24, 2016

I tried to run the QNAP System in a Virtual Machine.

My Problem is that the system assumes the boot drive is /dev/sdx . But my Virtual Harddisk gets recognized as /dev/sda.

I tried to find out why the DOM on a QNAP gets the name /dev/sdx but i havent found an udev rule which could do the renaming.

Has anybody an idea what could do the renaming of the DOM in the firmware ?

Sign In

Just for info on QNAP firmware

Recommended Posts

Aigor

Aigor

onebigant

aigors

1450

haydibe

Aigor

Aigor

1450

mrx

Forums

What's new

MUST READ

Members