Tuesday, 17 November 2015

Root / su recovery for Seagate Central

Many people have lost root access to their Seagate Centrals after a particular firmware upgrade. Here I attempt to provide a procedure to recover root access that is as painless as possible. There are a few alternative procedures posted elsewhere on the internet. However, my procedure has the advantage that it does NOT require access to an external linux system, because it makes use of the linux software running on the Seagate Central itself. It also does NOT require you to crack open the Central and take out the hard drive.

I'm assuming that you have a little bit of pre-requisite knowledge before we begin. Namely …

  • You know how to establish an ssh session into your Seagate Central (If you don't then why do you want root access?)
  • You know how to transfer files between your external computer and your Seagate Central. (If you don't then what are you using a Seagate Central for??)
  • You understand a few basic computer file concepts like "files", "directories", "copying", "zipping" and "editing". (If you don't then, Hello there Grandma Jones! I'm thrilled that you're reading my blog!!)



Part 1 : Try to revert to the "old" firmware.


If you have a non-blank root password, and the firmware previously running on your Seagate Central did have sudo/root access enabled, then first try the procedure in the previous blog post called "Revert to previous firmware on Seagate Central" and then proceed to "Part 3 : Make sure root access is enabled from now on". If reverting to the old firmware doesn't work then proceed to Part 2 below.

Part 2 : Create then load a modified firmware image

In this part we are going to take a Seagate Central firmware image, modify it to remove the "su" disabling functionality, and then load it back onto the Central. Our friends at Seagate might be somewhat alarmed by this step but I hope they come to the conclusion that anyone who is technically literate enough to perform this procedure is probably trustworthy enough to deserve "su" access to their beloved Central. In addition I think the spirit of the GNU General Public Licences which Seagate uses extensively for software in the Central product means that the software should be able to be improved and modified which is what we're doing here.

Note this procedure involves running a number of linux/unix commands. I have developed this method on the assumption that we are going to perform this procedure using the linux system running on the Central itself. You can use an external linux box to perform these steps however I think that for many people who have a Seagate Central, the Central may be the only linux system they have easy access to!! That is why this technique makes use of the Central itself and not an external system.

Step 1 : ssh into the Seagate Central. In this procedure I use the "admin" account but you can use any existing username you've set up on the system.

Create a new directory to perform our procedure in and navigate to that directory. In this example we create a new directory called "firmware".

admin@Seagate-5A4B6C:~$ mkdir firmware
admin@Seagate-5A4B6C:~$ cd firmware
admin@Seagate-5A4B6C:~/firmware$

Step 2 : Obtain a copy of your desired version of Seagate Central Firmware and upload it to the new folder on the Central.

I got my firmware by navigating to the Seagate Download finder tool at https://apps1.seagate.com/downloads/request.html and entering the required details. You need to enter your Seagate Central's serial number and what country you live in and then you'll be given a download link.

In the example shown here I downloaded a file called Seagate-HS-update-201509160008F.zip . You have to decompress/unzip this file to get an "img" file. You can do this on the PC you downloaded the file to and then transfer the "img" file to the new "firmware" folder on the Seagate Central or you can upload the zip file to the new "firmware" folder on the Seagate Central and decompress it on the Central.

admin@Seagate-5A4B6C:~/firmware$ unzip Seagate-HS-update-201509160008F.zip
Archive:  Seagate-HS-update-201509160008F.zip
  inflating: ReadMe.pdf
  inflating: Seagate-HS-update-201509160008F.img

Confirm that the image is in the "firmware" folder.

admin@Seagate-5A4B6C:~/firmware$ ls -l *.img
-rw-r--r-- 1 admin admin 130199138 Nov 17 21:52 Seagate-HS-update-201509160008F.img


Step 3 : Obtain a copy of the squashfs-tools for Seagate Central.

I have compiled binary versions of these tools (version 4.3) for the Seagate Central and made them available at the following links



If you don't trust my binaries (I swear I stopped spying for North Korea months ago) and want to make them yourself then you can obtain the source code from the squashfs-tools homepage at http://squashfs.sourceforge.net/ . You can also find instructions for compiling binaries for the Seagate Central using an external linux system at https://sites.google.com/site/modcentralnas/ .

You can use your external PC to obtain these binaries and then upload them to your Central or if your Seagate Central has internet access then you can download the files directly to the Central by running the "curl" commands as follows.

admin@Seagate-5A4B6C:~/firmware$ curl -L -O https://sites.google.com/site/seagatecentralenhancementclub/squashfs-tools/mksquashfs
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  343k  100  343k    0     0  60087      0  0:00:05  0:00:05 --:--:--  288k

admin@Seagate-5A4B6C:~/firmware$ curl -L -O https://sites.google.com/site/seagatecentralenhancementclub/squashfs-tools/unsquashfs
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  257k  100  257k    0     0  48704      0  0:00:05  0:00:05 --:--:--  299k

Now change the attributes of the files so that they are executable

admin@Seagate-5A4B6C:~/firmware$ chmod a+x mksquashfs
admin@Seagate-5A4B6C:~/firmware$ chmod a+x unsquashfs

Note : If you are performing this procedure on an external Linux system instead of on the Central then you'll have to get the version of the squashfs-tools for your particular linux distribution. You can't run the binaries seen above; they only work on the Seagate Central.

Step 4 : The Seagate firmware image is in gzipped tar format. Decompress the image with the following "tar" command. This takes about 30 seconds to complete.

admin@Seagate-5A4B6C:~/firmware$ tar -zxpvf Seagate-HS-update-201509160008F.img
rfs.squashfs
uImage
config.ser


Step 5 : Extract the new firmware's filesystem.

Here we use the unsquashfs tool you downloaded in Step 3 to extract the file system contained in the Seagate firmware image. Note that this can take about 500M of disk space! This takes about 2 minutes to complete.

admin@Seagate-5A4B6C:~/firmware$ ./unsquashfs rfs.squashfs

You may see some error messages similar to the following. Just ignore them.

create_inode: could not create character device squashfs-root/dev/apm_bios, because you're not superuser!

You should now have a new directory called "squashfs-root" in your firmware folder. This contains the new filesystem that we are going to modify.


Step 6 : On many linux systems, including the Seagate Central, access to the "su" command is governed by the "/etc/pam.d/su" configuration file.

In the new Seagate Central firmware there is a section in this file which disables "su" access for regular users as follows…


# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
auth       required   pam_wheel.so deny group=users


We need to re-enable root access for normal users by editing this file in the new firmware. Here we use the "nano" editor as follows.

admin@Seagate-5A4B6C:~/firmware$ nano squashfs-root/etc/pam.d/su

Once the editor is open scroll down about 20 lines to the text as seen above and add a "#" to the start of the "auth  required" line to comment it out and disable it. After making the change the section looks like this


# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
#auth       required   pam_wheel.so deny group=users


Save your changes by typing Control-X to exit, then answering "Y" when you're asked to "Save modified buffer" and pressing enter to confirm the "File Name to Write".


Step 7 : If you have a blank root password the new firmware will reset it to a secret value each time the system boots with the startup script "/etc/init.d/finish".

Here we will change this behaviour so that instead of using a secret value, we use a known value. In this example we set the root password to "test123". Obviously change "test123" to something unique for your system. We edit the "finish" startup script as follows

admin@Seagate-5A4B6C:~/firmware$ nano squashfs-root/etc/init.d/finish

Once the editor is open scroll to the very bottom of the file and add the following lines to the end of the file.


# Is the root password set as blank?
if grep -q "^root:x:" /etc/passwd
then
# Change the root password to test123.
    echo "root:test123" | chpasswd
# Make sure the changes are in the Central's backup config folder.
    rsync -Rva /etc/passwd /usr/config/backupconfig
fi


Save your changes by typing Control-X to exit, then answering "Y" when you're asked to "Save modified buffer" and pressing enter to confirm the "File Name to Write".

N.B. You might think it's a bit insecure setting the root password to a value just specified in a script file. Well it is! That's why in Step 10 we change the root password again to something else.

Step 7.5 : Make sure that the "sudo" and "su" commands have the correct unix file attributes.

In some versions of Seagate Central firmware the "sudo" and "su" commands do not have the required "read" and "set userID" file attributes set.

This isn't the case in all versions of firmware but just to make certain run the following commands.

admin@Seagate-5A4B6C:~/firmware$ chmod 4555 squashfs-root/usr/bin/sudo
admin@Seagate-5A4B6C:~/firmware$ chmod 4555 squashfs-root/usr/bin/su

To check that the changes have taken effect, run the following "ls" commands and check that the "r" (readable) and "s" (set userID) bits as seen below are present for each file.

admin@Seagate-5A4B6C:~/firmware$ ls -l squashfs-root/usr/bin/su
-r-sr-xr-x 1 admin admin 23692 Sep 17 09:06 squashfs-root/usr/bin/su
admin@Seagate-5A4B6C:~/firmware$ ls -l squashfs-root/usr/bin/sudo
-r-sr-xr-x 1 admin admin 87316 Sep 17 09:06 squashfs-root/usr/bin/sudo
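
The edits in Steps 6 to 7.5 can also be applied and verified from a script before the image is rebuilt in Step 8. The following is an added example, not part of the original procedure or of Seagate's tooling; the function names `enable_su` and `check_tree` are hypothetical, and it assumes the tree was unpacked to "squashfs-root" as above.

```shell
#!/bin/sh
# Added example (not from the original post): scripted Step 6 edit plus a
# pre-repack check of Steps 6, 7 and 7.5. Function names are hypothetical.

# An ACTIVE (uncommented) pam_wheel deny rule, without the leading ^ anchor.
DENY_RE='[[:space:]]*auth[[:space:]][[:space:]]*required[[:space:]][[:space:]]*pam_wheel\.so[[:space:]][[:space:]]*deny'

# Comment out the deny rule in ROOT/etc/pam.d/su. Safe to run twice, because
# a line that already starts with "#" no longer matches.
enable_su() {
    pam="$1/etc/pam.d/su"
    [ -f "$pam" ] || { echo "missing: $pam" >&2; return 2; }
    tmp="$pam.tmp.$$"
    sed "s/^\($DENY_RE\)/#\1/" "$pam" > "$tmp" || { rm -f "$tmp"; return 2; }
    cat "$tmp" > "$pam"     # overwrite in place so the file keeps its mode
    rm -f "$tmp"
}

# Print one FAIL line per problem; return 0 only if the tree is ready for Step 8.
# The second argument is the sample password from Step 7 that must not survive.
check_tree() {
    root="$1"; sample="${2:-test123}"; rc=0
    if [ ! -f "$root/etc/pam.d/su" ]; then
        echo "FAIL etc/pam.d/su is missing"; rc=1
    elif grep -q "^$DENY_RE" "$root/etc/pam.d/su"; then
        echo "FAIL etc/pam.d/su still has an active pam_wheel deny rule"; rc=1
    fi
    for bin in su sudo; do
        # Same test as the "ls -l" check in Step 7.5: readable and setuid.
        mode=$(ls -l "$root/usr/bin/$bin" 2>/dev/null | cut -c1-10)
        if [ "$mode" != "-r-sr-xr-x" ]; then
            echo "FAIL usr/bin/$bin mode is '${mode:-missing}', expected -r-sr-xr-x"; rc=1
        fi
    done
    # Step 7 is optional, but if its block was added the sample password
    # must have been replaced with a unique one.
    if grep -qF "root:$sample\"" "$root/etc/init.d/finish" 2>/dev/null; then
        echo "FAIL etc/init.d/finish still sets the sample password"; rc=1
    fi
    return $rc
}

# Usage on the Central: sh prep-check.sh squashfs-root
if [ $# -gt 0 ]; then
    enable_su "$1" && check_tree "$1"
fi
```

A non-zero exit status means at least one FAIL line was printed and the tree should be fixed before running mksquashfs.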


Step 8 : Run the following commands to create a new firmware image called Seagate-allow-root.img. Note that the first command (mksquashfs) takes about 5 minutes and the second (tar) takes about 3 minutes to complete. Also note that we are using the least powerful compression-level (1) in the mksquashfs command because this lets the command run most quickly. You can use any number up to the most powerful compression level "9" however the command could then potentially take hours to run for the sake of saving maybe only a few megabytes.

admin@Seagate-5A4B6C:~/firmware$ ./mksquashfs squashfs-root rfs.squashfs -all-root -noappend -Xcompression-level 1
admin@Seagate-5A4B6C:~/firmware$ tar -cvzf Seagate-allow-root.img rfs.squashfs uImage config.ser


Step 9 : Upgrade the Seagate Central with the new firmware.

First, and this bit is optional, I'd suggest copying your newly created firmware, "Seagate-allow-root.img", to your local PC hard drive. It will be about 140MB so if you don't want to use up the space then don't worry about it.

Next start the upgrade procedure by logging in as admin to the Seagate Central management web page in your web browser, and navigating to the "Settings" Tab, then the "Advanced" menu, then the "Firmware Update" page.

From here click on the "Browse" or "Choose file" button and in the file dialogue box that appears navigate to the new software you've created "Seagate-allow-root.img". Now click on the "Install" button and let the upgrade process commence. The management web page should show a progress bar as the upgrade proceeds.

If you like you can get a scrolling live log of the progress of the upgrade by running the command "tail -f /var/log/syslog" in an ssh session on the Central while the upgrade is occurring. Hit Control-C to stop viewing the log. Most of the output of the log is useless but if you see something that is obviously indicative of an error or a problem then perhaps you can cut and paste it and add it as a comment to this blog post so we can take a look.

It took the firmware upgrade on my test Central system about 30 minutes to complete. Also it seemed to be stuck at the "86%" mark for ages according to the progress meter on the management webpage.

Once the system has booted up your new firmware should be running and you should have root access again.


Part 3 : Make sure root access is enabled from now on


Step 10 : If your root password has been changed to "test123" as per "Step 7" then you should change your root password to something else, because any user can read the /etc/init.d/finish script and see the password that it sets. Do this by logging in as root and running the following commands.

Seagate-5A4B6C:~$ su root
Password: test123
Seagate-5A4B6C:/Data/admin# passwd
Enter new UNIX password: I-love-my-Central
Retype new UNIX password: I-love-my-Central
passwd: password updated successfully
Seagate-5A4B6C:/Data/admin# cp /etc/passwd /usr/config/backupconfig/etc/
Seagate-5A4B6C:/Data/admin# cp /etc/shadow /usr/config/backupconfig/etc/

Step 11 : Make sure "su" is enabled from now on. Even after another firmware upgrade.

The Seagate Central stores a backup of all its important configuration files in the "/usr/config/backupconfig" folder. Every time the Central boots up it copies the contents of this folder to the root filesystem. If you want to see the details then have a look at the "/etc/init.d/firmware-init-1bay" startup script on the Seagate Central.

Incidentally this is why some people complain that when they set a root password on the Central it reverts to blank or the old password after a reboot. You have to make sure that your password changes are reflected in the "/usr/config/backupconfig" folder as well as the normal locations otherwise they'll be overwritten on a reboot.

The way the new Seagate Central firmware disables "su" access is by changing the "/etc/pam.d/su" file. (See Step 6 for details)

At this point, because we have root access now, we know that the system is using a version of the "/etc/pam.d/su" file that works properly.

What we want to do is copy this working version of "/etc/pam.d/su" to the "/usr/config/backupconfig" folder so that each time the Seagate Central boots up this "good" version of the file is restored even if a firmware upgrade tries to modify it.

As root run the following commands

Seagate-5A4B6C:~# mkdir -p /usr/config/backupconfig/etc/pam.d
Seagate-5A4B6C:~# cp /etc/pam.d/su /usr/config/backupconfig/etc/pam.d/

Note that from now on if you decide to modify the "/etc/pam.d/su" file for any reason, say to restrict "su" access to certain users, you'll have to remember to copy the changes to the "/usr/config/backupconfig/etc/pam.d/su" file as well otherwise your changes will be lost on reboot.
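
A quick way to confirm that nothing will be rolled back at the next boot is to compare the live files with their copies in the backup folder. This is an added example, not part of the original post; the function name `backup_drift` and the list of tracked files (the three files this page copies) are assumptions, and it has to run as root to read "/etc/shadow".

```shell
#!/bin/sh
# Added example (not from the original post): report files whose live copy
# differs from the copy in the backup folder that is restored at boot.
# TRACKED lists the three files this page copies into that folder.
TRACKED="etc/passwd etc/shadow etc/pam.d/su"

# backup_drift [LIVE_ROOT] [BACKUP_ROOT]
# Prints one status line per file; returns 0 only when every file is in sync.
backup_drift() {
    live="${1:-/}"; backup="${2:-/usr/config/backupconfig}"; drift=0
    for f in $TRACKED; do
        if [ ! -e "$live/$f" ]; then
            echo "NOLIVE   $f"; drift=1
        elif [ ! -e "$backup/$f" ]; then
            echo "MISSING  $f (no copy in the backup folder)"; drift=1
        elif [ ! -r "$live/$f" ] || [ ! -r "$backup/$f" ]; then
            echo "UNREAD   $f (run as root)"; drift=1
        elif cmp -s "$live/$f" "$backup/$f"; then
            echo "OK       $f"
        else
            echo "DIFFERS  $f (live copy will be replaced at the next boot)"; drift=1
        fi
    done
    return $drift
}

# Usage on the Central, as root: sh backup-drift.sh --run
if [ "${1:-}" = "--run" ]; then
    backup_drift
fi
```

Run it after any password change or edit to "/etc/pam.d/su"; a DIFFERS or MISSING line means the copy commands from Step 10 or Step 11 still need to be run for that file.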


Conclusion


If you have performed the procedures above but still can't get root access then please let me know at what point things seemed to fail and any relevant details. I'm keen to make this procedure work for everyone. In addition if you notice any errors, things that need correcting, or suggestions to improve this procedure then I'm keen to hear about that too.

Just to briefly mention, if things have failed there is yet another alternative. You can crack open the Central (goodbye warranty), take out the hard drive and mount it on an external system, manually modify the files we manipulated above (init.d/finish  pam.d/su) as per the steps above, then put the drive back into the Central. You can certainly do this with a linux system and possibly even a windows system (maybe). If there's anyone who needs a procedure to do that then let me know and I'll try to write one up.

Finally there is one rather clever alternative procedure for creating the modified firmware as we did in Part 2. It makes use of an automated script running on an external linux system. You can find that here


Good luck!


Edit 3-Aug-2017 : Modified Part 3 Step 10 to add copying the "/etc/shadow" file to /usr/config/backupconfig/etc  after you change your root password as well. SFAIC

Sunday, 30 August 2015

Revert to previous firmware on Seagate Central

Many people have upgraded their Seagate Central to the latest firmware and instantly regretted the decision. For some it was because root / su access has been taken away. Others don't like the new Twonky media server.

Well fear not because there's a way (actually two ways) to revert to the old firmware.

The Seagate Central keeps a copy of 2 versions of firmware. The currently running firmware and the previously running "old" firmware.

We can program the Central's bootloader (U-boot) to revert to the previous firmware.
There are two ways to do this. You only need to do one of them.


METHOD 1 : Via ssh (no need for root access)

Ssh into the Seagate Central. If you don't know how to ssh or you don't know what ssh is, then just proceed to Method 2.

I only tested this procedure with the "admin" account but I think it should work with any valid userID.

Issue the following command

   admin@Seagate-4xxxx:~$ /sbin/fw_printenv | grep kernel
   current_kernel=kernel2

The output of the command will either say "kernel1" or "kernel2". This indicates which of the two copies of firmware the bootloader will run. We want to change this to the other one in order to run the previous firmware.

So if the output of your command said "kernel1" then we want to switch to "kernel2" by running  the following command

   admin@Seagate-4xxxx:~$ /sbin/fw_setenv current_kernel kernel2

If the output of your command said "kernel2" then we want to switch to "kernel1" as follows

   admin@Seagate-4xxxx:~$ /sbin/fw_setenv current_kernel kernel1

Finally check that your changes took effect by running the following command again.

   admin@Seagate-4xxxx:~$ /sbin/fw_printenv | grep kernel
   current_kernel=kernel1


Now reboot your Central either by power cycling it or using the Management Web Page
(Settings Tab -> Setup -> System -> Restart Button)

The unit should now be running the "old" firmware.

This method uses the fw_printenv and fw_setenv commands, which view and set the environment variables that the U-boot bootloader uses to determine how to boot up the Central. Seagate have kindly left them executable by normal non-root users.
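
The read, switch and read-back sequence of Method 1 can be wrapped so that the target slot is derived from the current value rather than typed by hand. This is an added example, not part of the original post; the function names and the `FW_PRINTENV` / `FW_SETENV` override variables are hypothetical, and only the two command forms shown above are used.

```shell
#!/bin/sh
# Added example (not from the original post). The override variables exist
# only so the logic can be exercised away from the Central.
FW_PRINTENV="${FW_PRINTENV:-/sbin/fw_printenv}"
FW_SETENV="${FW_SETENV:-/sbin/fw_setenv}"

# Read fw_printenv output on stdin and print the slot to switch to.
# Anything other than exactly one kernel1/kernel2 value is refused.
other_kernel_slot() {
    cur=$(sed -n 's/^current_kernel=//p')
    case "$cur" in
        kernel1) echo kernel2 ;;
        kernel2) echo kernel1 ;;
        *) echo "unexpected current_kernel value: '$cur'" >&2; return 1 ;;
    esac
}

# Switch to the other slot, then read the variable back to confirm the write.
switch_kernel_slot() {
    before=$($FW_PRINTENV) || return 2
    target=$(printf '%s\n' "$before" | other_kernel_slot) || return 2
    $FW_SETENV current_kernel "$target" || return 2
    after=$($FW_PRINTENV | sed -n 's/^current_kernel=//p')
    if [ "$after" != "$target" ]; then
        echo "write did not take effect: current_kernel is '$after'" >&2
        return 1
    fi
    echo "$target"
}

# Usage on the Central: sh switch-slot.sh --switch   (then reboot as described)
if [ "${1:-}" = "--switch" ]; then
    switch_kernel_slot
fi
```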


METHOD 2 : Power cycling 4 times while the LED light flashes green

If you don't want to ssh into your unit then use this method

Step 1 : Power down your central.

Step 2 : Power Up again and watch the little LED light on top of the unit.

Step 3 : When the LED changes from solid amber/green to flashing green let it blink about 2 times then quickly unplug the power.

Step 4 : Go to Step 2 and repeat at least 4 times.

Step 5 : Power on and let the unit fully boot up so that the LED light goes solid green. The unit should now be running the "old" firmware.

This method takes advantage of a custom Seagate feature in the U-Boot bootloader whereby if the unit fails to fully boot 4 times in a row it will switch to the backup firmware.


After completing Method 1 or Method 2 your Central is hopefully running the "old" firmware. You can confirm by using the Management Web Page (Settings Tab -> Setup -> About ) then look at the displayed Firmware Version.

Now a note for those of you reverting firmware because you lost root / su access. If you have previously set a non-blank root password then at this point you should *hopefully* be able to use the "su" command to get root access again with your old password.

However if you had a blank root password then you still won't have root access. This is because even though "su" access is technically enabled again, the "new" Seagate Central Firmware has changed your blank root password into a new secret password which no one knows.

I am going to put up another post about a method of modifying the Seagate Central firmware to get rid of the new root password in the near future.