Hacking NCB3AST: Day 1

I will consider yesterday as day 1 in hacking the the my NAS drive NCB3AST, since I just started concentrating on this. Chris Baird gave me some pointer to look at WRVS440N Linux kernel source code and also gave me some info about the boot loader and serial port (this will be useful in Day2). What I did on Day 1 was looking at several firmware files and comparing it to the /dev/mtd0-3. My conclusion was:

  1. The size of the binary file is always 8 mb
  2. The first 128 kb is the ARMBoot boot loader
  3. After the boot loader is the kernel image, which is init.o + bzImage + initrd.gz
  4. There is no special header
  5. There are some offsets where you need to put some "0101" and "Supercom" string  (It seems the location is constant)
  6. Looking at the source code of init.o (init).S I can know where to get and put the initrd to modify the firmware
  7. Unfortunately if I made init.gz that is larger than the original firmware, the device won’t boot.

So at the end of day one, my NAS was bricked. It is not completely bricked as I can still use it as a "harddisk casing". When it is bricked, I can still access my data in the harddrive, the USB mass storage device is recognized as JM20337 USB2.0 to SATA & PATA Bridge.

Just to share the information from http://www.lliures.org/2008/05/02/ft3563-bt-hacking/ this following devices have the same hardware:

Devices what seems identical or similars:
Coolmax CN-570 http://www.smallnetbuilder.com/content/view/29899/75/1/3/
NS-348S http://www.multicase.de/en/products/76/ns348s.html http://www.enclosureservice.com/
Emprex NSD-100 http://www.emprex.com/02_products_02.php?id=205
Agestar NCB3AHT http://www.agestar.com/english/products/ncb3aht.asp
http://shenztech.com/code/ui/product/product.aspx?prdid=NAS2&subcatid=9
revoltec rs049

They all use the STAR_STR9100.

Leave a Reply

Your email address will not be published.