Hacking Consumer Devices for Fun and Profit
An Insider's View of the NSLU2-Linux Open-Source Project
Rod Whitby
1. The Linksys NSLU2 5. Official Kernel Support � Hardware Specs � NSLU2, NAS100D, Loft, … � Linksys Firmware 6. Official Debian Support � RedBoot Bootloader � Debian Etch Loves The Slug 2. Unslung Firmware 7. The Fun � NSLU2-Linux Exhibitions � Project Inception � NSLU2-Linux Community � Unslung 1.x � NSLU2-Linux Development � Unslung 2.x to 5.x � Project Infrastructure � Unslung 6.x 8. The Profit 3. Optware Packages � How to Make a Small Fortune � NSLU2, WL500g, … � Donations for Hardware � Distributed Development 9. The Future 4. SlugOS Firmware � What to do next � OpenSlug, “DebianSlug”
10 Feb 2007 Hacking Consumer Devices for Fun and Profit 2 Rod Whitby
� Network Attached Storage (NAS) Consumer Device � 27.5mm x 135mm x 96mm � 5V DC, Maximum 2 Amps � Intel XScale IXP420 � Big-endian ARM � 133MHz (under-clocked) � 10/100 Ethernet � 2 x USB 2.0 Host Ports � 32 MB RAM � 8 MB Flash � Serial, JTAG, I2C, … � NSLU2 -> NSLUG -> “Slug”
10 Feb 2007 Hacking Consumer Devices for Fun and Profit 3 Rod Whitby
� Designed to be a stand-alone Samba server for attached USB hard disks. � Ext3 filesystem with 3 partitions � Must be formatted on the device � Linux 2.4.22 Kernel � Major modifications to the USB and SCSI subsystems � Snapgear-based root filesystem � busybox, samba, thttpd, etc. � Linksys binary-only utilities � Set_Led, USB_Detect, Watchdog, CheckPowerButton, CheckResetButton � Source code available for kernel and root filesystem, but not for Linksys binaries
10 Feb 2007 Hacking Consumer Devices for Fun and Profit 4 Rod Whitby
� Loads kernel and initial ramdisk into memory, then executes kernel. � Kernel size is limited to 1MB � Ramdisk size is set at 10MB (can extend to 12MB if required) � MAC address for internal ethernet interface stored alongside Redboot � Significant modifications by Linksys � Addition of “move”, “boot”, and “upgrade” commands � Removal of FIS directory functions � Not intended to be user-accessible � … unless you solder on a connector for a serial port � Linksys left in a telnet 2 second window of opportunity � Upgrade mode is another exploit mechanism � “Good enough” for our purposes, so left alone.
10 Feb 2007 Hacking Consumer Devices for Fun and Profit 5 Rod Whitby
12 July 2004 18 Aug 2004 � Jim Buzbee finds the Telnet exploit. � Slug sacrificed to find JTAG traces. 31 July 2004 � Jim’s journal page is slashdotted, and � nslu2-linux mailing list is created. the mailing list feels the effect. 5 Aug 2004 19 Aug 2004 � Tom’s Hardware article published. � nslu2-linux.org domain registered. � Mailing list has 13 members. 22 Aug 2004 10 Aug 2004 � nslu2-general mailing list created. � First successfully modified image. 24 Aug 2004 11 Aug 2004 � First boot from external hard disk. � Serial port and Redboot TFTP. � Serial port mod published. � “Unslung” concept based on /linuxrc. 25 Aug 2005 � Jim’s journal links to the mailing list. � Linksys releases kernel source. 15 Aug 2004 30 Aug 2005 � iTunes server ported. � RedBoot telnet access found. 16 Aug 2004 � RedBoot upgrade mode found. � Busybox, dropbear and wget ported. 31 Aug 2005 � Donations requested ($240 on first day). � 700 members and 1000 list emails. 17 Aug 2004 13 Sep 2005 � Rod’s NSLU2 arrives in the post. � Wiki installed at www.nslu2-linux.org
10 Feb 2007 Hacking Consumer Devices for Fun and Profit 6 Rod Whitby
� Designed to be a minimal-changes firmware replacement � Retains all of the standard NSLU2 product functionality unchanged � Adds the capability to load the root filesystem from external storage and download and install packages onto that external storage to be used alongside the standard product functionality. � Also defines the package format for downloadable packages. � Unslung 1.7-alpha source code was released on 3 Sep 2004. � The goal was to free up 10MB of RAM by pivoting from an initial “switchbox” ramdisk to JFFS2 or an external disk or NFS root filesystem. � Built from a Makefile in a SourceForge CVS repository. � Used a binary sed to modify the Linksys kernel. � Unslung 1.11-beta binary image was released on 14 Sep 2004. � There were well over 1000 downloads of Unslung 1.x
10 Feb 2007 Hacking Consumer Devices for Fun and Profit 7 Rod Whitby
� Unslung 2.12-beta binary image was released on 6 Nov 2004. � The goal was to build the firmware from source. � Support for ext3 flash disks on Port 1 � Full downloadable package support � USB enclosure fixes (Genesys) � Kernel compiled from source (including some fixes) � Unslung 3.16-beta binary image was released on 25 Dec 2004. � The goal was to add a persistent JFFS2 root file system. � USB devfs support (driven by Topfield “puppy” development) � NFS kernel support � Recovery mode and Maintenance mode added.
10 Feb 2007 Hacking Consumer Devices for Fun and Profit 8 Rod Whitby
� Unslung 4.20-beta binary image was released on 15 May 2005. � The goal was to become self-hosting – being able to build Optware packages natively, and to free up another 1MB of RAM by booting directly to a /linuxrc in JFFS2 instead of using the “switchbox” initrd. � The internal JFFS2 partition became an initfs and recovery filesystem. � More kernel modules were enabled (and kernel module ipkg feed added) � RAID, USB Audio, USB Cameras, Traffic Shaping, Tape Drives, etc. � Quite a few people stuck with 3.18-beta until 5.5-beta was released. � Unslung 5.5-beta binary image was released on 14 June 2005. � Upgraded to be based on Linksys V2.3R29 firmware. � Changed from broken maintenance mode to stable upgrade mode. � Disabled the Linksys download daemon (in favor of upgrade mode). � There have been almost 18000 downloads of Unslung 5.5-beta.
10 Feb 2007 Hacking Consumer Devices for Fun and Profit 9 Rod Whitby
� Unslung 6.8-beta binary image was released on 12 April 2006. � Updated to Linksys R63 firmware, which includes the Paragon commercial NTFS kernel module with full write support. � Many usability improvements (to try and reduce the number of installation-related questions on the mailing list). � The new Unslung logo is now featured in the Web GUI ☺ � There have been over 28000 downloads of Unslung 6.8-beta.
10 Feb 2007 Hacking Consumer Devices for Fun and Profit 10 Rod Whitby
� Began as “Unslung Packages” – now over 750 packages strong. � The set of packages have been ported to many targets: � Linksys NSLU2 (armeb, glibc) � Asus WL500g/gx (mipsel, uclibc) � Synology DS-101 (armeb, glibc) � Freecom FSG-3 (armeb, glibc) � Maxtor Shared Storage (armeb, uclibc) � Iomega NAS 100d (armeb, glibc) � Synology DS-101g+ (powerpc, glibc) � Linksys WRT54G* (mipsel, uclibc) � Technologic Systems TS72xx (arm, glibc) � Diverse range of packages: � Apache, MySQL, Perl/PHP/Python, Squid � Email, IRC, CUPS, Torrent, CVS, SVN, Git, Monotone � Webcam, Network Sound, USB PVR, X10, Samba PDC, Topfield EPG � MediaWiki, Asterisk, Gallery, iTunes Server, CCXStream, TwonkyVision
10 Feb 2007 Hacking Consumer Devices for Fun and Profit 11 Rod Whitby
� More than 100 Optware package developers. � Send a new package.mk file to the nslu2-developers mailing list and you are granted CVS write access. � An identified package feed manager for each of the targets. � New and modified packages are built automatically every half hour, and the package feeds for all targets are updated upon successful builds. � Build logs are published on the web for NSLU2 Asterisk PBX package developers to peruse (and fix (on 512MB flash stick) any problems). Sipura SPA-3000 ATA/Gateway
10 Feb 2007 Hacking Consumer Devices for Fun and Profit 12 Rod Whitby
� SlugOS refers to our legacy-free distributions based on OpenEmbedded � Latest 2.6.x kernel (currently 2.6.20) � Support for the NSLU2 written from scratch and contributed to kernel.org � OpenEmbedded-based root filesystem � Draws on the 1500+ packages available in OpenEmbedded � No legacy Linksys proprietary source code or binaries � OpenSlug (SlugOS/BE) refers to slugos-bag (big-endian, arm, glibc), “DebianSlug” (SlugOS/LE) refers to slugos-lag (little-endian, arm, glibc) � UcSlugC refers to slugos-btu (big-endian, thumb, uClibc), but is no longer supported. � “DebianSlug” name has been deprecated, now that Debian/NSLU2 exists. � OpenSlug 1.12-beta binary image was released on 15 May 2005. � OpenSlug 2.7-beta binary image was released on 28 Sep 2005. � SlugOS 3.10-beta binary images (current release, both BE and LE) were released on 9 June 2006.
10 Feb 2007 Hacking Consumer Devices for Fun and Profit 13 Rod Whitby
� There were 484 downloads of the OpenSlug 1.12-beta binary image, 625 downloads of OpenSlug 2.0-beta (since 22 July 2005), 1032 downloads of OpenSlug 2.5-beta (since 9 Aug 2005), 2669 downloads of OpenSlug 2.7-beta (since 28 Sep 2005) and 9129 downloads of SlugOS 3.10-beta (since 9 Jun 2006). � SlugOS releases generally occur in response to major kernel version changes. � Quite a few SlugOS users build their own firmware from source. � “DebianSlug” (SlugOS/LE) is compatible with packages from the official Debian ARM port.
10 Feb 2007 Hacking Consumer Devices for Fun and Profit 14 Rod Whitby
� Kernel support (2.6.20) for the supported targets: � MACH_NSLU2 Linksys NSLU2 � MACH_NAS100D Iomega NAS 100d � MACH_LOFT GiantShoulderInc Loft � MACH_DS101 Synology DS101 � NSLU2-Linux team has contributed to other items: � Maclist support � RTC class � New LEDs class � Open Source IXP Ethernet driver � Many patches already pushed upstream � But many patches still to be pushed …
10 Feb 2007 Hacking Consumer Devices for Fun and Profit 15 Rod Whitby
� Debian Etch has full support for the NSLU2, including all the latest Kernel patches and the open source IXP ethernet driver. � debian-installer will read configuration from flash, bring up network and SSH. Installation done via SSH. � Normal Debian installation to external USB storage. � Full support for in-place kernel upgrades. � There have been over 4400 downloads of the Debian/NSLU2 installation image.
10 Feb 2007 Hacking Consumer Devices for Fun and Profit 16 Rod Whitby
Linux World Expo 2005 SCALE 4x 2006
10 Feb 2007 Hacking Consumer Devices for Fun and Profit 17 Rod Whitby
� Unslung, Optware and SlugOS are good examples of user- supported / user-developed software done right. � What makes it work so well? � Separate lists for users and developers. � Revision-control systems. We use monotone and subversion. � Wikis. We have a community rule that encourages users to add to and improve the wiki. � Freenode IRC. The core developers are available to help on a number of IRC channels e.g. #nslu2-linux. Community rules about bothering them. � Easy to become a developer. Publicly post a working package recipe and you get cvs write access. We have had no “rogue developers” yet, and if we did, any damage would be reverted. A wiki-like model of development.
10 Feb 2007 Hacking Consumer Devices for Fun and Profit 18 Rod Whitby
1. Never ever use the Linksys EraseAll tool - it will brick your slug permanently. The Development Rules 2. You will search the wiki first and read � NSLU2-Linux is run as a “meritocracy” the FAQ before asking questions on – those who contribute the most are the mailing lists or IRC channels. the ones who get to make the key 3. You must read and follow the steps in development decisions. the README file precisely when � Key contributors are invited to become flashing firmware. part of the Core Team, and are 4. Those who ask the questions, update assigned a role in line with their major the wiki when they get the answers. contribution, skill, or external influence. 5. Those who complain about the � “If it’s not in the source repository, then documentation, update the wiki to it doesn’t exist.” make it better. � “If it cannot be built automatically from 6. Friends don't let friends flash custom source, then it cannot be released.” firmware without confirmed RedBoot � “It either goes up (-stream) or it goes upgrade mode access. out.” 7. Friends don't let friends flash custom boot loaders without confirmed JTAG access.
10 Feb 2007 Hacking Consumer Devices for Fun and Profit 19 Rod Whitby
� Over 12,000 mailing list subscribers. � Over 50,000 downloads of the Unslung firmware. NSLU2-Linux Community Growth � Over 10,000 downloads of the SlugOS firmware. � Over 10,000 downloads of the Debian/NSLU2 firmware. 25000 20000 � The www.nslu2-linux.org wiki serves over 12000 hits and 200MB of data 15000 10000 each day. 5000
� The ipkg.nslu2-linux.org package feeds 0 serve over 5GB of data per day (in total) Aug-04 Feb-05 Aug-05 Feb-06 Aug-06 Feb-07 from four world-wide mirror locations. MembersPosts � We maintain over 2.5GB of publicly accessible information, source code and executables.
10 Feb 2007 Hacking Consumer Devices for Fun and Profit 20 Rod Whitby
� 100 Optware package developers � 20 Core Team members � SlugTime covers the globe: � HST, PST, CST, EST, GMT, CET, ACST, NZST � 4 Firmware Distributions � Unslung, SlugOS/BE, SlugOS/LE, Debian/NSLU2
"While Linksys does not support any of the alternate firmware available for the NSLU2, we are always delighted to see a product gain such widespread acceptance. Like the similar community that emerged to enhance the WRT54G before it, the creativity and ingenuity of Linksys customers inspires us to continually improve our products." -- Mike Wagner, Director of Marketing, Linksys.
10 Feb 2007 Hacking Consumer Devices for Fun and Profit 21 Rod Whitby
� Unslung 1.x was developed using a simple Makefile in a CVS repository on SourceForge.net � It unpacked the Linksys firmware binary image, modified the kernel using a binary sed, added new files to the rootfs, and then packed it all back up again ready to be flashed. � Unslung 2.x was developed using the OpenEmbedded build system in a BitKeeper repository in bkbits.net � Kernel built from source, rootfs unpacked from Linksys firmware image. � Optware packages continue to be developed using a simple template-based Makefile build system in a Subversion repository at svn.nslu2-linux.org � This is designed to minimize the barrier to entry for new developers. � Unslung 3.x and later, and SlugOS, use the OpenEmbedded build system and a monotone repository at monotone.nslu2-linux.org
10 Feb 2007 Hacking Consumer Devices for Fun and Profit 22 Rod Whitby
� Web, Wiki, SVN, Monotone, Bug tracking � limax.nslu2-linux.org Limax maximus
� Automated Cross-compile Build Machine � nudi.nslu2-linux.org Nudibranch
� Automated Native Unslung Build Machine � gastro.nslu2-linux.org Gastropoda � Automated Native OpenSlug Build Machine � banana.nslu2-linux.org
� Four ipkg mirrors around the world Banana Slug � ipkg.nslu2-linux.org � Norway, Oregon, California, Illinois, Georgia.
10 Feb 2007 Hacking Consumer Devices for Fun and Profit 23 Rod Whitby
� How do you make a small fortune hacking Linux firmware for consumer devices?
� … Start with a large fortune!
10 Feb 2007 Hacking Consumer Devices for Fun and Profit 24 Rod Whitby
� The project has raised almost USD$10,000 since 16 Aug 2004 � All monies are spent on hardware or project expenses � Examples of purchases: � Intel/AMD Infrastructure Servers � Intel/AMD Development/Build Server � Native Build Hosts � Core Team Development Slugs � Notable Third Party Developer Slugs � Developer Bounty Hardware � Up to $50 hardware driver bounty � Domain fees � Exhibition expenses (LinuxWorld Expo 2005, SCALE 2006) � Donations to cia.navi.cx, irc.freenode.net, www.loglibrary.com, …
10 Feb 2007 Hacking Consumer Devices for Fun and Profit 25 Rod Whitby
� Complete the task of pushing all patches upstream � Push the open source IXP ethernet driver upstream � Track latest kernel versions � Debian support for NAS100d, DSM-G600, FSG-3, … � Add OpenWRT firmware support � Find the next new device to hack …
10 Feb 2007 Hacking Consumer Devices for Fun and Profit 26 Rod Whitby